An issue was discovered in the Linux kernel before 6.3.2. A use-after-free was found in cedrus_remove in drivers/staging/media/sunxi/cedrus/cedrus.c.

CVE-2023-35826

\* **\[PATCH\] media: cedrus: fix use after free bug in cedrus\_remove due to race condition**
**@ 2023-03-08  3:23 Zheng Wang**
  0 siblings, 0 replies; only message in thread
From: Zheng Wang @ 2023-03-08  3:23 UTC (permalink / raw)
  To: mchehab
  Cc: wens, jernej.skrabec, samuel, linux-media, linux-staging,
	linux-arm-kernel, linux-sunxi, linux-kernel, hackerzheng666,
	1395428693sheep, alex000young, Zheng Wang

In cedrus\_probe, dev->watchdog\_work is bound with cedrus\_watchdog function.
In cedrus\_device\_run, it will started by schedule\_delayed\_work. If there is
unfinished work in cedrus\_remove, there may be a race condition and trigger
UAF bug.

CPU0                  CPU1

                    |cedrus\_watchdog
cedrus\_remove       |
  v4l2\_m2m\_release  |
  kfree(m2m\_dev)    |
                    |
                    | v4l2\_m2m\_get\_curr\_priv
                    |   m2m\_dev //use

Fix it by canceling the worker in cedrus\_remove.

Signed-off-by: Zheng Wang <zyytlz.wz@163.com>
---
 drivers/staging/media/sunxi/cedrus/cedrus.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/staging/media/sunxi/cedrus/cedrus.c b/drivers/staging/media/sunxi/cedrus/cedrus.c
index a43d5ff66716..c95d011c0817 100644
--- a/drivers/staging/media/sunxi/cedrus/cedrus.c
+++ b/drivers/staging/media/sunxi/cedrus/cedrus.c
@@ -546,7 +546,7 @@ static int cedrus\_probe(struct platform\_device \*pdev)
 static int cedrus\_remove(struct platform\_device \*pdev)
 {
 	struct cedrus\_dev \*dev = platform\_get\_drvdata(pdev);
\-
+	cancel\_delayed\_work(&dev->watchdog\_work);
 	if (media\_devnode\_is\_registered(dev->mdev.devnode)) {
 		media\_device\_unregister(&dev->mdev);
 		v4l2\_m2m\_unregister\_media\_controller(dev->m2m\_dev);
-- 
2.25.1


\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel

^ permalink raw reply related	\[**flat**|nested\] only message in thread

only message in thread, other threads:\[~2023-03-08  3:24 UTC | newest\]

**Thread overview:** (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2023-03-08  3:23 \[PATCH\] media: cedrus: fix use after free bug in cedrus\_remove due to race condition Zheng Wang

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).

CVE-2023-35826: fix use after free bug in cedrus_remove due to race condition

An issue was discovered in the Linux kernel before 6.3.2. A use-after-free was found in renesas_usb3_remove in drivers/usb/gadget/udc/renesas_usb3.c.

\* **\[PATCH v7\] usb: gadget: udc: renesas\_usb3: Fix use after free bug in  renesas\_usb3\_remove due to race condition**
**@ 2023-03-16 18:08 Zheng Wang**
  2023-03-16 19:07 \` Greg KH
  0 siblings, 1 reply; 3+ messages in thread
From: Zheng Wang @ 2023-03-16 18:08 UTC (permalink / raw)
  To: gregkh
  Cc: skhan, p.zabel, biju.das.jz, phil.edworthy, linux-usb,
	linux-kernel, hackerzheng666, 1395428693sheep, alex000young,
	yoshihiro.shimoda.uh, Zheng Wang

In renesas\_usb3\_probe, role\_work is bound with renesas\_usb3\_role\_work.
renesas\_usb3\_start will be called to start the work.

If we remove the driver which will call usbhs\_remove, there may be
an unfinished work. The possible sequence is as follows:

Fix it by canceling the work before cleanup in the renesas\_usb3\_remove.

Note that removing a driver is a root-only operation, and should never
happen.

CPU0                  			CPU1

                    			| renesas\_usb3\_role\_work
renesas\_usb3\_remove 			|
usb\_role\_switch\_unregister|
device\_unregister   			|
kfree(sw)  	     					|
free usb3->role\_sw  			|
                    			| usb\_role\_switch\_set\_role
                    			| //use usb3->role\_sw

This bug was found by static analysis.

Fixes: 39facfa01c9f ("usb: gadget: udc: renesas\_usb3: Add register of usb role switch")
Signed-off-by: Zheng Wang <zyytlz.wz@163.com>
Reviewed-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
---
v7:
- add more details about how the bug was found suggested by Shuah
v6:
- beautify the format and add note suggested by Greg KH
v5:
- fix typo
v4:
- add Reviewed-by label and resubmit v4 suggested by Greg KH
v3:
- modify the commit message to make it clearer suggested by Yoshihiro Shimoda
v2:
- fix typo, use clearer commit message and only cancel the UAF-related work suggested by Yoshihiro Shimoda
---
 drivers/usb/gadget/udc/renesas\_usb3.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/usb/gadget/udc/renesas\_usb3.c b/drivers/usb/gadget/udc/renesas\_usb3.c
index bee6bceafc4f..a301af66bd91 100644
--- a/drivers/usb/gadget/udc/renesas\_usb3.c
+++ b/drivers/usb/gadget/udc/renesas\_usb3.c
@@ -2661,6 +2661,7 @@ static int renesas\_usb3\_remove(struct platform\_device \*pdev)
 	debugfs\_remove\_recursive(usb3->dentry);
 	device\_remove\_file(&pdev->dev, &dev\_attr\_role);
 
+	cancel\_work\_sync(&usb3->role\_work);
 	usb\_role\_switch\_unregister(usb3->role\_sw);
 
 	usb\_del\_gadget\_udc(&usb3->gadget);
-- 
2.25.1

^ permalink raw reply related	\[**flat**|nested\] 3+ messages in thread

\* **Re: \[PATCH v7\] usb: gadget: udc: renesas\_usb3: Fix use after free bug in  renesas\_usb3\_remove due to race condition**
  2023-03-16 18:08 \[PATCH v7\] usb: gadget: udc: renesas\_usb3: Fix use after free bug in renesas\_usb3\_remove due to race condition Zheng Wang
**@ 2023-03-16 19:07 \` Greg KH**
  2023-03-17  3:59   \` Zheng Hacker
  0 siblings, 1 reply; 3+ messages in thread
From: Greg KH @ 2023-03-16 19:07 UTC (permalink / raw)
  To: Zheng Wang
  Cc: skhan, p.zabel, biju.das.jz, phil.edworthy, linux-usb,
	linux-kernel, hackerzheng666, 1395428693sheep, alex000young,
	yoshihiro.shimoda.uh

On Fri, Mar 17, 2023 at 02:08:50AM +0800, Zheng Wang wrote:
\> In renesas\_usb3\_probe, role\_work is bound with renesas\_usb3\_role\_work.
> renesas\_usb3\_start will be called to start the work.
> 
> If we remove the driver which will call usbhs\_remove, there may be
> an unfinished work. The possible sequence is as follows:
> 
> Fix it by canceling the work before cleanup in the renesas\_usb3\_remove.
> 
> Note that removing a driver is a root-only operation, and should never
> happen.
> 
> CPU0                  			CPU1
> 
>                     			| renesas\_usb3\_role\_work
> renesas\_usb3\_remove 			|
> usb\_role\_switch\_unregister|
> device\_unregister   			|
> kfree(sw)  	     					|
> free usb3->role\_sw  			|
>                     			| usb\_role\_switch\_set\_role
>                     			| //use usb3->role\_sw
This still isn't working :(

^ permalink raw reply	\[**flat**|nested\] 3+ messages in thread

\* **Re: \[PATCH v7\] usb: gadget: udc: renesas\_usb3: Fix use after free bug in renesas\_usb3\_remove due to race condition**
  2023-03-16 19:07 \` Greg KH
**@ 2023-03-17  3:59   \` Zheng Hacker**
  0 siblings, 0 replies; 3+ messages in thread
From: Zheng Hacker @ 2023-03-17  3:59 UTC (permalink / raw)
  To: Greg KH
  Cc: Zheng Wang, skhan, p.zabel, biju.das.jz, phil.edworthy,
	linux-usb, linux-kernel, 1395428693sheep, alex000young,
	yoshihiro.shimoda.uh

Greg KH <gregkh@linuxfoundation.org> 于2023年3月17日周五 03:07写道：
\>
> On Fri, Mar 17, 2023 at 02:08:50AM +0800, Zheng Wang wrote:
> > In renesas\_usb3\_probe, role\_work is bound with renesas\_usb3\_role\_work.
> > renesas\_usb3\_start will be called to start the work.
> >
> > If we remove the driver which will call usbhs\_remove, there may be
> > an unfinished work. The possible sequence is as follows:
> >
> > Fix it by canceling the work before cleanup in the renesas\_usb3\_remove.
> >
> > Note that removing a driver is a root-only operation, and should never
> > happen.
> >
> > CPU0                                          CPU1
> >
> >                                       | renesas\_usb3\_role\_work
> > renesas\_usb3\_remove                   |
> > usb\_role\_switch\_unregister|
> > device\_unregister                     |
> > kfree(sw)                                             |
> > free usb3->role\_sw                    |
> >                                       | usb\_role\_switch\_set\_role
> >                                       | //use usb3->role\_sw
>
> This still isn't working :(
>
Sorry I haven't read your advice when submiting this version of patch.

Best Regards,
Zheng

^ permalink raw reply	\[**flat**|nested\] 3+ messages in thread

end of thread, other threads:\[~2023-03-17  4:00 UTC | newest\]

**Thread overview:** 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2023-03-16 18:08 \[PATCH v7\] usb: gadget: udc: renesas\_usb3: Fix use after free bug in renesas\_usb3\_remove due to race condition Zheng Wang
2023-03-16 19:07 \` Greg KH
2023-03-17  3:59   \` Zheng Hacker

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).

CVE-2023-35828: Fix use after free bug in renesas_usb3_remove due to race condition

CVE-2023-35828

An issue was discovered in the Linux kernel before 6.3.2. A use-after-free was found in rkvdec_remove in drivers/staging/media/rkvdec/rkvdec.c.

\* **\[PATCH\] media: rkvdec: fix use after free bug in rkvdec\_remove**
**@ 2023-03-07 17:39 Zheng Wang**
  0 siblings, 0 replies; only message in thread
From: Zheng Wang @ 2023-03-07 17:39 UTC (permalink / raw)
  To: ezequiel
  Cc: mchehab, gregkh, linux-media, linux-rockchip, linux-staging,
	linux-kernel, hackerzheng666, 1395428693sheep, alex000young,
	Zheng Wang

In rkvdec\_probe, rkvdec->watchdog\_work is bound with
rkvdec\_watchdog\_func. Then rkvdec\_vp9\_run may
be called to start the work.

If we remove the module which will call rkvdec\_remove
 to make cleanup, there may be a unfinished work.
 The possible sequence is as follows, which will
 cause a typical UAF bug.

Fix it by canceling the work before cleanup in rkvdec\_remove.

CPU0                  CPU1

                    |rkvdec\_watchdog\_func
rkvdec\_remove       |
 rkvdec\_v4l2\_cleanup|
  v4l2\_m2m\_release  |
    kfree(m2m\_dev); |
                    |
                    | v4l2\_m2m\_get\_curr\_priv
                    |   m2m\_dev->curr\_ctx //use

Signed-off-by: Zheng Wang <zyytlz.wz@163.com>
---
 drivers/staging/media/rkvdec/rkvdec.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/staging/media/rkvdec/rkvdec.c b/drivers/staging/media/rkvdec/rkvdec.c
index 7bab7586918c..6b14655a8e2c 100644
--- a/drivers/staging/media/rkvdec/rkvdec.c
+++ b/drivers/staging/media/rkvdec/rkvdec.c
@@ -1066,6 +1066,7 @@ static int rkvdec\_remove(struct platform\_device \*pdev)
 {
 	struct rkvdec\_dev \*rkvdec = platform\_get\_drvdata(pdev);
 
+	cancel\_delayed\_work(&rkvdec->watchdog\_work);
 	rkvdec\_v4l2\_cleanup(rkvdec);
 	pm\_runtime\_disable(&pdev->dev);
 	pm\_runtime\_dont\_use\_autosuspend(&pdev->dev);
-- 
2.25.1

^ permalink raw reply related	\[**flat**|nested\] only message in thread

only message in thread, other threads:\[~2023-03-07 17:46 UTC | newest\]

**Thread overview:** (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2023-03-07 17:39 \[PATCH\] media: rkvdec: fix use after free bug in rkvdec\_remove Zheng Wang

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).

CVE-2023-35829: fix use after free bug in rkvdec_remove

By Waqas
According to researchers, these fake accounts on GitHub and Twitter are spreading malware that infects both Windows- and Linux-based systems.
This is a post from HackRead.com Read the original post: Warning: Fake GitHub Repos Delivering Malware as PoCs

Around half a dozen fake accounts were discovered on GitHub, and several were found on Twitter. All of them used headshots of renowned security researchers and hosted zero-day exploits.

Supply chain attacks could be highly destructive if the target is as high-profile and widely used as GitHub. Cybersecurity researchers at VulnCheck have discovered a supply chain attack targeting GitHub and Twitter.

According to their report, multiple accounts on GitHub and Twitter claim to distribute PoC (proof-of-concept) exploits for zero-day exploits in popular software. However, these are fake accounts, and the PoCs deliver malware.

****Campaign Discovery****

VulnCheck discovered this campaign in May 2023 when it checked a GitHub repository hosting code that the author claimed was a zero-day for the Signal app. The next day, they discovered another account offering a WhatsApp zero-day.

Researchers kept finding bogus accounts throughout May 2023, all offering zero-day exploits for apps such as Google Chrome, Signal, Microsoft Exchange Server, and Discord. Later in May, researchers came across similar accounts on Twitter.

Around half a dozen fake accounts were discovered on GitHub, and several were found on Twitter. All of them used headshots of renowned security researchers and hosted zero-day exploits.

****Beware of Fake Accounts on GitHub, Twitter****

According to VulnCheck, unidentified threat actors have created a network of fake accounts on GitHub and Twitter that appear to be associated with cybersecurity researchers. To generate credibility for these accounts, the threat actors have used profile pictures of actual security researchers.

Researchers have noted that these fake repositories are promoted as part of a non-existent firm called High Sierra Cyber Security. Each account features a headshot, Twitter handle, associated organization, followers, a link to the company’s website, and a hidden, malicious repository.

Greg and 6 other fake profiles on GitHub (Left) – Fake account on Twitter (Right) – VulnCheck

****Malicious Objectives Behind Fake Accounts****

These fake accounts distribute a Python script through which a malicious binary is downloaded and executed on the device. It is worth noting that the malware can work on both Windows and Linux-based systems. GitHub accounts have been suspended, but Twitter accounts remain online.

****What are the Dangers?****

Researchers believe that this supply chain attack is very elaborate and can have serious consequences. The SolarWinds attack is one of the most devastating supply chain attacks, affecting many public and private sector agencies and causing extensive damage. A malware-infected software was responsible for this attack.

Considering that GitHub is the world’s largest open-source code repository, the consequences of this particular supply chain attack could be even more drastic. Injecting malicious code into a repository or compromising it can impact various software used by countless endpoints. Attackers can deploy malware to steal sensitive data, perform identity theft, or launch ransomware attacks and wire frauds.

Researchers are unclear whether this is an experiment or a campaign. Nevertheless, it is essential to be cautious when accessing untrusted sources for executing code. Check the full list of fake accounts here.

**RELATED ARTICLES**

1.  Portion of Twitter’s proprietary source code leaked on GitHub
2.  Commit metadata spoofed to create false GitHub repositories
3.  SolarWinds Hackers Use Post-Exploitation Backdoor ‘MagicWeb’

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Warning: Fake GitHub Repos Delivering Malware as PoCs

Cybersecurity researchers have discovered previously undocumented payloads associated with a Romanian threat actor named Diicot, revealing its potential for launching distributed denial-of-service (DDoS) attacks.
"The Diicot name is significant, as it's also the name of the Romanian organized crime and anti-terrorism policing unit," Cado Security said in a technical report. "In addition,

Cryptojacking / Network Security

Cybersecurity researchers have discovered previously undocumented payloads associated with a Romanian threat actor named **Diicot**, revealing its potential for launching distributed denial-of-service (DDoS) attacks.

"The Diicot name is significant, as it's also the name of the Romanian organized crime and anti-terrorism policing unit," Cado Security said in a technical report. "In addition, artifacts from the group's campaigns contain messaging and imagery related to this organization."

Diicot (née Mexals) was first documented by Bitdefender in July 2021, uncovering the actor's use of a Go-based SSH brute-forcer tool called Diicot Brute to breach Linux hosts as part of a cryptojacking campaign.

Then earlier this April, Akamai disclosed what it described as a "resurgence" of the 2021 activity that's believed to have started around October 2022, netting the actor about $10,000 in illicit profits.

"The attackers use a long chain of payloads before eventually dropping a Monero cryptominer," Akamai researcher Stiv Kupchik said at the time. "New capabilities include usage of a Secure Shell Protocol (SSH) worm module, increased reporting, better payload obfuscation, and a new LAN spreader module."

The latest analysis from Cado Security shows that the group is also deploying an off-the-shelf botnet referred to as Cayosin, a malware family that shares characteristics with Qbot and Mirai.

The development is a sign that the threat actor now possesses the ability to mount DDoS attacks. Other activities carried out by the group include doxxing of rival hacking groups and its reliance on Discord for command-and-control and data exfiltration.

"Deployment of this agent was targeted at routers running the Linux-based embedded devices operating system, OpenWrt," the cybersecurity company said. "The use of Cayosin demonstrates Diicot's willingness to conduct a variety of attacks (not just cryptojacking) depending on the type of targets they encounter."

Diicot's compromise chains have remained largely consistent, leveraging the custom SSH brute-forcing utility to gain a foothold and drop additional malware such as the Mirai variant and the crypto miner.

Some of the other tools used by the actor are as follows -

*   **Chrome** - An internet scanner based on Zmap that can write the results of the operation to a text file ("bios.txt").
*   **Update** - An executable that fetches and executes the SSH brute-forcer and Chrome if they don't exist in the system.
*   **History** - A shell script that's designed to run Update

The SSH brute-forcer tool (aka aliases), for its part, parses the text file output of Chrome to break into each of the identified IP addresses, and if successful, establishes remote connection to the IP address.

UPCOMING WEBINAR

🔐 Mastering API Security: Understanding Your True Attack Surface

Discover the untapped vulnerabilities in your API ecosystem and take proactive steps towards ironclad security. Join our insightful webinar!

Join the Session

This is then followed by running a series of commands to profile the infected host and using it to either deploy a cryptominer or make it act as a spreader if the machine's CPU has less than four cores.

To mitigate such attacks, organizations are recommended to implement SSH hardening and firewall rules to limit SSH access to specific IP addresses.

"This campaign specifically targets SSH servers exposed to the internet with password authentication enabled," Cado Security said. "The username/password list they use is relatively limited and includes default and easily-guessed credential pairs."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

 From Cryptojacking to DDoS Attacks: Diicot Expands Tactics with Cayosin Botnet

An issue was discovered in fl_set_geneve_opt in net/sched/cls_flower.c in the Linux kernel before 6.3.7. It allows an out-of-bounds write in the flower classifier code via TCA_FLOWER_KEY_ENC_OPTS_GENEVE packets. This may result in denial of service or privilege escalation.

*   Products
    *   Openwall GNU/\*/Linux   _server OS_
    *   Linux Kernel Runtime Guard
    *   John the Ripper   _password cracker_
        *   Free & Open Source for any platform
        *   in the cloud
        *   Pro for Linux
        *   Pro for macOS
    *   Wordlists   _for password cracking_
    *   passwdqc   _policy enforcement_
        *   Free & Open Source for Unix
        *   Pro for Windows (Active Directory)
    *   yescrypt   _KDF & password hashing_
    *   yespower   _Proof-of-Work (PoW)_
    *   crypt\_blowfish   _password hashing_
    *   phpass   _ditto in PHP_
    *   tcb   _better password shadowing_
    *   Pluggable Authentication Modules
    *   scanlogd   _port scan detector_
    *   popa3d   _tiny POP3 daemon_
    *   blists   _web interface to mailing lists_
    *   msulogin   _single user mode login_
    *   php\_mt\_seed   _mt\_rand() cracker_
*   Services
*   Publications
    *   Articles
    *   Presentations
*   Resources
    *   Mailing lists
    *   Community wiki
    *   Source code repositories (GitHub)
    *   Source code repositories (CVSweb)
    *   File archive & mirrors
    *   How to verify digital signatures
    *   OVE IDs
*   What's new

\[<prev\] \[next>\] \[thread-next>\] \[day\] \[month\] \[year\] \[list\]

Date: Wed, 7 Jun 2023 11:32:31 +0800
From: Hangyu Hua <hbh25y@...il.com>
To: oss-security@...ts.openwall.com
Subject: Linux kernel: off-by-one in fl\_set\_geneve\_opt

Hi guys,

I find a off-by-one bug in linux kernel's Flower
classifier(NET\_CLS\_FLOWER). It can cause denial-of-service and privilege 
escalation.

# Details:

static int fl\_set\_geneve\_opt(const struct nlattr \*nla, struct 
fl\_flow\_key \*key,
      int depth, int option\_len,
      struct netlink\_ext\_ack \*extack)
{
struct nlattr \*tb\[TCA\_FLOWER\_KEY\_ENC\_OPT\_GENEVE\_MAX + 1\];
struct nlattr \*class = NULL, \*type = NULL, \*data = NULL;
struct geneve\_opt \*opt;
int err, data\_len = 0;

if (option\_len > sizeof(struct geneve\_opt))
data\_len = option\_len - sizeof(struct geneve\_opt);

opt = (struct geneve\_opt \*)&key->enc\_opts.data\[key->enc\_opts.len\]; <--- \[1\]
memset(opt, 0xff, option\_len);
opt->length = data\_len / 4;
opt->r1 = 0;
opt->r2 = 0;
opt->r3 = 0;

...
if (tb\[TCA\_FLOWER\_KEY\_ENC\_OPT\_GENEVE\_DATA\]) {
int new\_len = key->enc\_opts.len;

data = tb\[TCA\_FLOWER\_KEY\_ENC\_OPT\_GENEVE\_DATA\];
data\_len = nla\_len(data);
if (data\_len < 4) {
NL\_SET\_ERR\_MSG(extack, "Tunnel key geneve option data is less than 4
bytes long");
return -ERANGE;
}
if (data\_len % 4) {
NL\_SET\_ERR\_MSG(extack, "Tunnel key geneve option data is not a
multiple of 4 bytes long");
return -ERANGE;
}

new\_len += sizeof(struct geneve\_opt) + data\_len;
BUILD\_BUG\_ON(FLOW\_DIS\_TUN\_OPTS\_MAX != IP\_TUNNEL\_OPTS\_MAX);
if (new\_len > FLOW\_DIS\_TUN\_OPTS\_MAX) { <--- \[2\]
NL\_SET\_ERR\_MSG(extack, "Tunnel options exceeds max size");
return -ERANGE;
}
opt->length = data\_len / 4;
memcpy(opt->opt\_data, nla\_data(data), data\_len); <--- \[3\]
}
...
}

We can see that opt use key->enc\_opts.len to get its pointer from
key->enc\_opts.data\[\] in \[1\]. Then length will be set to "data\_len /
4". The bug is that if we send two TCA\_FLOWER\_KEY\_ENC\_OPTS\_GENEVE
packets and their total size is 252 bytes(key->enc\_opts.len = 252)
then key->enc\_opts.len = opt->length = data\_len / 4 when the third
TCA\_FLOWER\_KEY\_ENC\_OPTS\_GENEVE packet enters fl\_set\_geneve\_opt. This
can bypass the check in \[2\] and cause out of bound write in
\[3\](opt->opt\_data = key->enc\_opts.data\[257\]).

# Patch

I already contacted the linux security team and made a patch:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/net/sched?id=4d56304e5827c8cc8cc18c75343d283af7c4825c

# CVE

Pending

# EXP

In order to avoid confusion i will publish it after I get CVE.

Thanks,
Hangyu

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.

CVE-2023-35788: security - Linux kernel: off-by-one in fl_set_geneve_opt

An out of bounds (OOB) memory access flaw was found in the Linux kernel in relay_file_read_start_pos in kernel/relay.c in the relayfs. This flaw could allow a local attacker to crash the system or leak kernel internal information.

\* **\[PATCH\] relayfs: fix out-of-bounds access in relay\_file\_read**
**@ 2023-04-19  4:02 zhangzhengming**
  2023-04-19 21:03 \` Andrew Morton
  0 siblings, 1 reply; 4+ messages in thread
From: zhangzhengming @ 2023-04-19  4:02 UTC (permalink / raw)
  To: akpm, surenb, wuchi.zero, Ilia.Gavrilov, xu.panda, colin.i.king
  Cc: linux-kernel, zhou.kete, Zhang Zhengming

From: Zhang Zhengming <zhang.zhengming@h3c.com>

There is a crash in relay\_file\_read, as the var from 
point to the end of last subbuf.
The oops looks something like:
pc : \_\_arch\_copy\_to\_user+0x180/0x310
lr : relay\_file\_read+0x20c/0x2c8
Call trace:
 \_\_arch\_copy\_to\_user+0x180/0x310
 full\_proxy\_read+0x68/0x98
 vfs\_read+0xb0/0x1d0
 ksys\_read+0x6c/0xf0
 \_\_arm64\_sys\_read+0x20/0x28
 el0\_svc\_common.constprop.3+0x84/0x108
 do\_el0\_svc+0x74/0x90
 el0\_svc+0x1c/0x28
 el0\_sync\_handler+0x88/0xb0
 el0\_sync+0x148/0x180

We get the condition by analyzing the vmcore:
1). The last produced byte and last consumed byte
    both at the end of the last subbuf
2). A softirq who will call function(e.g \_\_blk\_add\_trace)
    to write relay buffer occurs when an program calling
    function relay\_file\_read\_avail.
        relay\_file\_read
                relay\_file\_read\_avail
                        relay\_file\_read\_consume(buf, 0, 0);
                        //interrupted by softirq who will write subbuf
                        ....
                        return 1;
                //read\_start point to the end of the last subbuf
                read\_start = relay\_file\_read\_start\_pos
                //avail is equal to subsize
                avail = relay\_file\_read\_subbuf\_avail
                //from  points to an invalid memory address             
                from = buf->start + read\_start
                //system is crashed
                copy\_to\_user(buffer, from, avail)

Signed-off-by: Zhang Zhengming <zhang.zhengming@h3c.com>
Reviewed-by: Zhao Lei <zhao\_lei1@hoperun.com>
Reviewed-by: Zhou Kete <zhou.kete@h3c.com>
---
 kernel/relay.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/kernel/relay.c b/kernel/relay.c
index 9aa70ae..a80fa01 100644
--- a/kernel/relay.c
+++ b/kernel/relay.c
@@ -989,7 +989,8 @@ static size\_t relay\_file\_read\_start\_pos(struct rchan\_buf \*buf)
 	size\_t subbuf\_size = buf->chan->subbuf\_size;
 	size\_t n\_subbufs = buf->chan->n\_subbufs;
 	size\_t consumed = buf->subbufs\_consumed % n\_subbufs;
\-	size\_t read\_pos = consumed \* subbuf\_size + buf->bytes\_consumed;
+	size\_t read\_pos = (consumed \* subbuf\_size + buf->bytes\_consumed)
+			% (n\_subbufs \* subbuf\_size);
 
 	read\_subbuf = read\_pos / subbuf\_size;
 	padding = buf->padding\[read\_subbuf\];
-- 
2.17.1

^ permalink raw reply related	\[**flat**|nested\] 4+ messages in thread

\* **Re: \[PATCH\] relayfs: fix out-of-bounds access in relay\_file\_read**
  2023-04-19  4:02 \[PATCH\] relayfs: fix out-of-bounds access in relay\_file\_read zhangzhengming
**@ 2023-04-19 21:03 \` Andrew Morton**
  2023-04-19 21:07   \` Jens Axboe
  2023-04-23  8:28   \` Pengcheng Yang
  0 siblings, 2 replies; 4+ messages in thread
From: Andrew Morton @ 2023-04-19 21:03 UTC (permalink / raw)
  To: zhangzhengming
  Cc: surenb, wuchi.zero, Ilia.Gavrilov, xu.panda, colin.i.king,
	linux-kernel, zhou.kete, Pengcheng Yang, Jens Axboe

On Wed, 19 Apr 2023 12:02:03 +0800 zhangzhengming <zhang.zhengming@h3c.com> wrote:

\> From: Zhang Zhengming <zhang.zhengming@h3c.com>
> 
> There is a crash in relay\_file\_read, as the var from 
> point to the end of last subbuf.
> The oops looks something like:
> pc : \_\_arch\_copy\_to\_user+0x180/0x310
> lr : relay\_file\_read+0x20c/0x2c8
> Call trace:
>  \_\_arch\_copy\_to\_user+0x180/0x310
>  full\_proxy\_read+0x68/0x98
>  vfs\_read+0xb0/0x1d0
>  ksys\_read+0x6c/0xf0
>  \_\_arm64\_sys\_read+0x20/0x28
>  el0\_svc\_common.constprop.3+0x84/0x108
>  do\_el0\_svc+0x74/0x90
>  el0\_svc+0x1c/0x28
>  el0\_sync\_handler+0x88/0xb0
>  el0\_sync+0x148/0x180
> 
> We get the condition by analyzing the vmcore:
> 1). The last produced byte and last consumed byte
>     both at the end of the last subbuf
> 2). A softirq who will call function(e.g \_\_blk\_add\_trace)
>     to write relay buffer occurs when an program calling
>     function relay\_file\_read\_avail.
>         relay\_file\_read
>                 relay\_file\_read\_avail
>                         relay\_file\_read\_consume(buf, 0, 0);
>                         //interrupted by softirq who will write subbuf
>                         ....
>                         return 1;
>                 //read\_start point to the end of the last subbuf
>                 read\_start = relay\_file\_read\_start\_pos
>                 //avail is equal to subsize
>                 avail = relay\_file\_read\_subbuf\_avail
>                 //from  points to an invalid memory address             
>                 from = buf->start + read\_start
>                 //system is crashed
>                 copy\_to\_user(buffer, from, avail)
Thanks.  Hopefully Pengcheng Yang and Jens Axboe can comment.

\> --- a/kernel/relay.c
> +++ b/kernel/relay.c
> @@ -989,7 +989,8 @@ static size\_t relay\_file\_read\_start\_pos(struct rchan\_buf \*buf)
>  	size\_t subbuf\_size = buf->chan->subbuf\_size;
>  	size\_t n\_subbufs = buf->chan->n\_subbufs;
>  	size\_t consumed = buf->subbufs\_consumed % n\_subbufs;
> -	size\_t read\_pos = consumed \* subbuf\_size + buf->bytes\_consumed;
> +	size\_t read\_pos = (consumed \* subbuf\_size + buf->bytes\_consumed)
> +			% (n\_subbufs \* subbuf\_size);
>  
>  	read\_subbuf = read\_pos / subbuf\_size;
>  	padding = buf->padding\[read\_subbuf\];
I'm thinking we should backport this into earlier kernels and that the
commit we're fixing is

Fixes: 341a7213e5c1 ("kernel/relay.c: fix read\_pos error when multiple readers")

^ permalink raw reply	\[**flat**|nested\] 4+ messages in thread

\* **Re: \[PATCH\] relayfs: fix out-of-bounds access in relay\_file\_read**
  2023-04-19 21:03 \` Andrew Morton
**@ 2023-04-19 21:07   \` Jens Axboe**
  2023-04-23  8:28   \` Pengcheng Yang
  1 sibling, 0 replies; 4+ messages in thread
From: Jens Axboe @ 2023-04-19 21:07 UTC (permalink / raw)
  To: Andrew Morton, zhangzhengming
  Cc: surenb, wuchi.zero, Ilia.Gavrilov, xu.panda, colin.i.king,
	linux-kernel, zhou.kete, Pengcheng Yang

On 4/19/23 3:03?PM, Andrew Morton wrote:
\> On Wed, 19 Apr 2023 12:02:03 +0800 zhangzhengming <zhang.zhengming@h3c.com> wrote:
> 
>> From: Zhang Zhengming <zhang.zhengming@h3c.com>
>>
>> There is a crash in relay\_file\_read, as the var from 
>> point to the end of last subbuf.
>> The oops looks something like:
>> pc : \_\_arch\_copy\_to\_user+0x180/0x310
>> lr : relay\_file\_read+0x20c/0x2c8
>> Call trace:
>>  \_\_arch\_copy\_to\_user+0x180/0x310
>>  full\_proxy\_read+0x68/0x98
>>  vfs\_read+0xb0/0x1d0
>>  ksys\_read+0x6c/0xf0
>>  \_\_arm64\_sys\_read+0x20/0x28
>>  el0\_svc\_common.constprop.3+0x84/0x108
>>  do\_el0\_svc+0x74/0x90
>>  el0\_svc+0x1c/0x28
>>  el0\_sync\_handler+0x88/0xb0
>>  el0\_sync+0x148/0x180
>>
>> We get the condition by analyzing the vmcore:
>> 1). The last produced byte and last consumed byte
>>     both at the end of the last subbuf
>> 2). A softirq who will call function(e.g \_\_blk\_add\_trace)
>>     to write relay buffer occurs when an program calling
>>     function relay\_file\_read\_avail.
>>         relay\_file\_read
>>                 relay\_file\_read\_avail
>>                         relay\_file\_read\_consume(buf, 0, 0);
>>                         //interrupted by softirq who will write subbuf
>>                         ....
>>                         return 1;
>>                 //read\_start point to the end of the last subbuf
>>                 read\_start = relay\_file\_read\_start\_pos
>>                 //avail is equal to subsize
>>                 avail = relay\_file\_read\_subbuf\_avail
>>                 //from  points to an invalid memory address             
>>                 from = buf->start + read\_start
>>                 //system is crashed
>>                 copy\_to\_user(buffer, from, avail)
> 
> Thanks.  Hopefully Pengcheng Yang and Jens Axboe can comment.
Patch looks good to me, but that doesn't necessarily say much. I never
did much relayfs hacking, and the bits I did was probably almost 20
years ago at this point when I wrote blktrace...

-- 
Jens Axboe

^ permalink raw reply	\[**flat**|nested\] 4+ messages in thread

\* **Re: \[PATCH\] relayfs: fix out-of-bounds access in relay\_file\_read**
  2023-04-19 21:03 \` Andrew Morton
  2023-04-19 21:07   \` Jens Axboe
**@ 2023-04-23  8:28   \` Pengcheng Yang**
  1 sibling, 0 replies; 4+ messages in thread
From: Pengcheng Yang @ 2023-04-23  8:28 UTC (permalink / raw)
  To: akpm
  Cc: Ilia.Gavrilov, axboe, colin.i.king, linux-kernel, surenb,
	wuchi.zero, xu.panda, yangpc, zhang.zhengming, zhou.kete,
	dwilder

On April 20, 2023 5:04 AM, Andrew Morton wrote:
\> On Wed, 19 Apr 2023 12:02:03 +0800 zhangzhengming <zhang.zhengming@h3c.com> wrote:
>
>> From: Zhang Zhengming <zhang.zhengming@h3c.com>
>> 
>> There is a crash in relay\_file\_read, as the var from 
>> point to the end of last subbuf.
>> The oops looks something like:
>> pc : \_\_arch\_copy\_to\_user+0x180/0x310
>> lr : relay\_file\_read+0x20c/0x2c8
>> Call trace:
>>  \_\_arch\_copy\_to\_user+0x180/0x310
>>  full\_proxy\_read+0x68/0x98
>>  vfs\_read+0xb0/0x1d0
>>  ksys\_read+0x6c/0xf0
>>  \_\_arm64\_sys\_read+0x20/0x28
>>  el0\_svc\_common.constprop.3+0x84/0x108
>>  do\_el0\_svc+0x74/0x90
>>  el0\_svc+0x1c/0x28
>>  el0\_sync\_handler+0x88/0xb0
>>  el0\_sync+0x148/0x180
>> 
>> We get the condition by analyzing the vmcore:
>> 1). The last produced byte and last consumed byte
>>     both at the end of the last subbuf
>> 2). A softirq who will call function(e.g \_\_blk\_add\_trace)
>>     to write relay buffer occurs when an program calling
>>     function relay\_file\_read\_avail.
>>         relay\_file\_read
>>                 relay\_file\_read\_avail
>>                         relay\_file\_read\_consume(buf, 0, 0);
>>                         //interrupted by softirq who will write subbuf
>>                         ....
>>                         return 1;
>>                 //read\_start point to the end of the last subbuf
>>                 read\_start = relay\_file\_read\_start\_pos
>>                 //avail is equal to subsize
>>                 avail = relay\_file\_read\_subbuf\_avail
>>                 //from  points to an invalid memory address             
>>                 from = buf->start + read\_start
>>                 //system is crashed
>>                 copy\_to\_user(buffer, from, avail)
>
> Thanks.  Hopefully Pengcheng Yang and Jens Axboe can comment.
This patch looks good to me.

Reviewed-by: Pengcheng Yang <yangpc@wangsu.com>

\>
> I'm thinking we should backport this into earlier kernels and that the
> commit we're fixing is
>
> Fixes: 341a7213e5c1 ("kernel/relay.c: fix read\_pos error when multiple readers")
I suggest starting backport with this tag:

Fixes: 8d62fdebdaf9 ("relay file read: start-pos fix")

^ permalink raw reply	\[**flat**|nested\] 4+ messages in thread

end of thread, other threads:\[~2023-04-23  8:34 UTC | newest\]

**Thread overview:** 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2023-04-19  4:02 \[PATCH\] relayfs: fix out-of-bounds access in relay\_file\_read zhangzhengming
2023-04-19 21:03 \` Andrew Morton
2023-04-19 21:07   \` Jens Axboe
2023-04-23  8:28   \` Pengcheng Yang

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).

CVE-2023-3268: fix out-of-bounds access in relay_file_read

A broken authentication vulnerability in 4D SAS 4D Server software v17, v18, v19 R7, and earlier allows attackers to send crafted TCP packets containing requests to perform arbitrary actions.

TP-Link Archer AX10(EU)\_V1.2\_230220 Buffer Overflow

Posted Jun 16, 2023

Authored by Giuseppe Compare

TP-Link Archer version AX10(EU)\_V1.2\_230220 suffers from a buffer overflow vulnerability.

tags | advisory, overflow

Download | Favorite | View

QuickJob Portal 6.1 Cross Site Scripting

Posted Jun 16, 2023

Authored by CraCkEr

QuickJob Portal version 6.1 suffers from a cross site scripting vulnerability.

tags | exploit, xss

Download | Favorite | View

Quicklancer Freelance Marketplace 2.4 Cross Site Scripting

Posted Jun 16, 2023

Authored by CraCkEr

Quicklancer Freelance Marketplace version 2.4 suffers from a cross site scripting vulnerability.

tags | exploit, xss

Download | Favorite | View

QuickHomes Real Estate CMS 1.3 Cross Site Scripting

Posted Jun 16, 2023

Authored by CraCkEr

QuickHomes Real Estate CMS version 1.3 suffers from a cross site scripting vulnerability.

tags | exploit, xss

Download | Favorite | View

Debian Security Advisory 5431-1

Posted Jun 16, 2023

Authored by Debian | Site debian.org

Debian Linux Security Advisory 5431-1 - Xu Biang discovered that missing input sanitizing in Sofia-SIP, a SIP User-Agent library could result in denial of service.

tags | advisory, denial of service

systems | linux, debian

Download | Favorite | View

Ubuntu Security Notice USN-6156-2

Posted Jun 16, 2023

Authored by Ubuntu | Site security.ubuntu.com

Ubuntu Security Notice 6156-2 - USN-6156-1 fixed a vulnerability in SSSD. In certain environments, not all packages ended up being upgraded at the same time, resulting in authentication failures when the PAM module was being used. This update fixes the problem. It was discovered that SSSD incorrectly sanitized certificate data used in LDAP filters. When using this issue in combination with FreeIPA, a remote attacker could possibly use this issue to escalate privileges.

tags | advisory, remote

systems | linux, ubuntu

Download | Favorite | View

Debian Security Advisory 5430-1

Posted Jun 16, 2023

Authored by Debian | Site debian.org

Debian Linux Security Advisory 5430-1 - Several vulnerabilities have been discovered in the OpenJDK Java runtime, which may result in denial of service, information disclosure or bypass of sandbox restrictions.

tags | advisory, java, denial of service, vulnerability, info disclosure

systems | linux, debian

Download | Favorite | View

Red Hat Security Advisory 2023-3644-01

Posted Jun 16, 2023

Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2023-3644-01 - Red Hat OpenShift Service Mesh is the Red Hat distribution of the Istio service mesh project, tailored for installation into an on-premise OpenShift Container Platform installation. This advisory covers container images for the release.

tags | advisory

systems | linux, redhat

Download | Favorite | View

Red Hat Security Advisory 2023-3645-01

Posted Jun 16, 2023

Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2023-3645-01 - Red Hat OpenShift Service Mesh is Red Hat's distribution of the Istio service mesh project, tailored for installation into an OpenShift Container Platform installation. This advisory covers the RPM packages for the release. Issues addressed include a denial of service vulnerability.

tags | advisory, denial of service

systems | linux, redhat

Download | Favorite | View

Ubuntu Security Notice USN-6169-1

Posted Jun 16, 2023

Authored by Ubuntu | Site security.ubuntu.com

Ubuntu Security Notice 6169-1 - It was discovered that GNU SASL's GSSAPI server could make an out-of-bounds reads if given specially crafted GSS-API authentication data. A remote attacker could possibly use this issue to cause a denial of service or to expose sensitive information.

tags | advisory, remote, denial of service

systems | linux, ubuntu

Download | Favorite | View

Red Hat Security Advisory 2023-3641-01

Posted Jun 16, 2023

Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2023-3641-01 - This release of Camel for Spring Boot 3.18.3.P2 serves as a replacement for Camel for Spring Boot 3.18.3.P1 and includes bug fixes and enhancements, which are documented in the Release Notes linked in the References. Issues addressed include denial of service, deserialization, resource exhaustion, and server-side request forgery vulnerabilities.

tags | advisory, denial of service, vulnerability

systems | linux, redhat

Download | Favorite | View

Red Hat Security Advisory 2023-3642-01

Posted Jun 16, 2023

Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2023-3642-01 - Red Hat Ceph Storage is a scalable, open, software-defined storage platform that combines the most stable version of the Ceph storage system with a Ceph management platform, deployment utilities, and support services. This new container image is based on Red Hat Ceph Storage 6.1 and Red Hat Enterprise Linux 9. Issues addressed include bypass, cross site scripting, denial of service, information leakage, spoofing, and traversal vulnerabilities.

tags | advisory, denial of service, spoof, vulnerability, xss

systems | linux, redhat

Download | Favorite | View

Debian Security Advisory 5429-1

Posted Jun 16, 2023

Authored by Debian | Site debian.org

Debian Linux Security Advisory 5429-1 - Multiple vulnerabilities have been discovered in Wireshark, a network protocol analyzer which could result in denial of service or the execution of arbitrary code.

tags | advisory, denial of service, arbitrary, vulnerability, protocol

systems | linux, debian

Download | Favorite | View

Ubuntu Security Notice USN-6168-1

Posted Jun 16, 2023

Authored by Ubuntu | Site security.ubuntu.com

Ubuntu Security Notice 6168-1 - Gregory James Duck discovered that libx11 incorrectly handled certain Request, Event, or Error IDs. If a user were tricked into connecting to a malicious X Server, a remote attacker could possibly use this issue to cause libx11 to crash, resulting in a denial of service.

tags | advisory, remote, denial of service

systems | linux, ubuntu

Download | Favorite | View

Debian Security Advisory 5428-1

Posted Jun 16, 2023

Authored by Debian | Site debian.org

Debian Linux Security Advisory 5428-1 - Multiple security issues were discovered in Chromium, which could result in the execution of arbitrary code, denial of service or information disclosure.

tags | advisory, denial of service, arbitrary, info disclosure

systems | linux, debian

Download | Favorite | View

Red Hat Security Advisory 2023-3622-01

Posted Jun 16, 2023

Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2023-3622-01 - Jenkins is a continuous integration server that monitors executions of repeated jobs, such as building a software project or jobs run by cron. Issues addressed include bypass, code execution, cross site request forgery, denial of service, information leakage, insecure permissions, and resource exhaustion vulnerabilities.

tags | advisory, denial of service, vulnerability, code execution, csrf

systems | linux, redhat

Download | Favorite | View

Red Hat Security Advisory 2023-3624-01

Posted Jun 16, 2023

Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2023-3624-01 - The Migration Toolkit for Containers enables you to migrate Kubernetes resources, persistent volume data, and internal container images between OpenShift Container Platform clusters, using the MTC web console or the Kubernetes API. Issues addressed include a denial of service vulnerability.

tags | advisory, web, denial of service

systems | linux, redhat

Download | Favorite | View

Red Hat Security Advisory 2023-3623-01

Posted Jun 16, 2023

Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2023-3623-01 - Red Hat Ceph Storage is a scalable, open, software-defined storage platform that combines the most stable version of the Ceph storage system with a Ceph management platform, deployment utilities, and support services. These new packages include numerous enhancements and bug fixes. Issues addressed include cross site scripting and denial of service vulnerabilities.

tags | advisory, denial of service, vulnerability, xss

systems | linux, redhat

Download | Favorite | View

Ubuntu Security Notice USN-6155-2

Posted Jun 16, 2023

Authored by Ubuntu | Site security.ubuntu.com

Ubuntu Security Notice 6155-2 - USN-6155-1 fixed a vulnerability in Requests. This update provides the corresponding update for Ubuntu 16.04 ESM and 18.04 ESM. Dennis Brinkrolf and Tobias Funke discovered that Requests incorrectly leaked Proxy-Authorization headers. A remote attacker could possibly use this issue to obtain sensitive information.

tags | advisory, remote

systems | linux, ubuntu

Download | Favorite | View

Suricata IDPE 6.0.13

Posted Jun 16, 2023

Site suricata.io

Suricata is a network intrusion detection and prevention engine developed by the Open Information Security Foundation and its supporting vendors. The engine is multi-threaded and has native IPv6 support. It's capable of loading existing Snort rules and signatures and supports the Barnyard and Barnyard2 tools.

Changes: 1 security fix, 11 bug fixes, 1 task, and 2 documentation updates.

tags | tool, intrusion detection

systems | unix

Download | Favorite | View

Debian Security Advisory 5427-1

Posted Jun 16, 2023

Authored by Debian | Site debian.org

Debian Linux Security Advisory 5427-1 - An anonymous researcher discovered that processing web content may disclose sensitive information. Apple is aware of a report that this issue may have been actively exploited. An anonymous researcher discovered that processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.

tags | advisory, web, arbitrary, code execution

systems | linux, debian, apple

Download | Favorite | View

Red Hat Security Advisory 2023-3610-01

Posted Jun 16, 2023

Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2023-3610-01 - Jenkins is a continuous integration server that monitors executions of repeated jobs, such as building a software project or jobs run by cron. Issues addressed include bypass, code execution, cross site request forgery, cross site scripting, denial of service, memory exhaustion, and resource exhaustion vulnerabilities.

tags | advisory, denial of service, vulnerability, code execution, xss, csrf

systems | linux, redhat

Download | Favorite | View

Textpattern CMS 4.8.8 Command Injection

Posted Jun 16, 2023

Authored by tmrswrr

Textpattern CMS version 4.8.8 suffers from a command injection vulnerability.

tags | exploit

Download | Favorite | View

WordPress Abandoned Cart Lite For WooCommerce 5.14.2 Authentication Bypass

Posted Jun 16, 2023

Authored by ayantaker | Site github.com

WordPress Abandoned Cart Lite for WooCommerce plugin versions 5.14.2 and below proof of concept authentication bypass exploit.

tags | exploit, proof of concept, bypass

Download | Favorite | View

Red Hat Security Advisory 2023-3609-01

Posted Jun 16, 2023

Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2023-3609-01 - Red Hat OpenShift Data Foundation is software-defined storage integrated with and optimized for the Red Hat OpenShift Data Foundation. Red Hat OpenShift Data Foundation is a highly scalable, production-grade persistent storage for stateful applications running in the Red Hat OpenShift Container Platform.

tags | advisory

systems | linux, redhat

Download | Favorite | View

Tag

#linux