Red Hat Security Advisory 2023-0095-01 - The libtiff packages contain a library of functions for manipulating Tagged Image File Format files. Issues addressed include buffer overflow, denial of service, double free, and out of bounds read vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Moderate: libtiff security update  
Advisory ID:       RHSA-2023:0095-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:0095  
Issue date:        2023-01-12  
CVE Names:         CVE-2022-2056 CVE-2022-2057 CVE-2022-2058   
                   CVE-2022-2519 CVE-2022-2520 CVE-2022-2521   
                   CVE-2022-2867 CVE-2022-2868 CVE-2022-2869   
                   CVE-2022-2953   
=====================================================================

1. Summary:

An update for libtiff is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat CodeReady Linux Builder (v. 8) - aarch64, ppc64le, s390x, x86_64  
Red Hat Enterprise Linux AppStream (v. 8) - aarch64, ppc64le, s390x, x86_64

3. Description:

The libtiff packages contain a library of functions for manipulating Tagged  
Image File Format (TIFF) files.

Security Fix(es):

* LibTiff: DoS from Divide By Zero Error (CVE-2022-2056, CVE-2022-2057,  
CVE-2022-2058)

* libtiff: Double free or corruption in rotateImage() function at  
tiffcrop.c (CVE-2022-2519)

* libtiff: uint32_t underflow leads to out of bounds read and write in  
tiffcrop.c (CVE-2022-2867)

* libtiff: tiffcrop.c has uint32_t underflow which leads to out of bounds  
read and write in extractContigSamples8bits() (CVE-2022-2869)

* libtiff: tiffcrop: heap-buffer-overflow in extractImageSection in  
tiffcrop.c (CVE-2022-2953)

* libtiff: Assertion fail in rotateImage() function at tiffcrop.c  
(CVE-2022-2520)

* libtiff: Invalid pointer free operation in TIFFClose() at tif_close.c  
(CVE-2022-2521)

* libtiff: Invalid crop_width and/or crop_length could cause an  
out-of-bounds read in reverseSamples16bits() (CVE-2022-2868)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

All running applications linked against libtiff must be restarted for this  
update to take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2103222 - LibTiff: DoS from Divide By Zero Error  
2118847 - CVE-2022-2867 libtiff: uint32_t underflow leads to out of bounds read and write in tiffcrop.c  
2118863 - CVE-2022-2868 libtiff: Invalid crop_width and/or crop_length could cause an out-of-bounds read in reverseSamples16bits()  
2118869 - CVE-2022-2869 libtiff: tiffcrop.c has uint32_t underflow which leads to out of bounds read and write in extractContigSamples8bits()  
2122789 - CVE-2022-2519 libtiff: Double free or corruption in rotateImage() function at tiffcrop.c  
2122792 - CVE-2022-2520 libtiff: Assertion fail in rotateImage() function at tiffcrop.c  
2122799 - CVE-2022-2521 libtiff: Invalid pointer free operation in TIFFClose() at tif_close.c  
2134432 - CVE-2022-2953 libtiff: tiffcrop: heap-buffer-overflow in extractImageSection in tiffcrop.c

6. Package List:

Red Hat Enterprise Linux AppStream (v. 8):

Source:  
libtiff-4.0.9-26.el8_7.src.rpm

aarch64:  
libtiff-4.0.9-26.el8_7.aarch64.rpm  
libtiff-debuginfo-4.0.9-26.el8_7.aarch64.rpm  
libtiff-debugsource-4.0.9-26.el8_7.aarch64.rpm  
libtiff-devel-4.0.9-26.el8_7.aarch64.rpm  
libtiff-tools-debuginfo-4.0.9-26.el8_7.aarch64.rpm

ppc64le:  
libtiff-4.0.9-26.el8_7.ppc64le.rpm  
libtiff-debuginfo-4.0.9-26.el8_7.ppc64le.rpm  
libtiff-debugsource-4.0.9-26.el8_7.ppc64le.rpm  
libtiff-devel-4.0.9-26.el8_7.ppc64le.rpm  
libtiff-tools-debuginfo-4.0.9-26.el8_7.ppc64le.rpm

s390x:  
libtiff-4.0.9-26.el8_7.s390x.rpm  
libtiff-debuginfo-4.0.9-26.el8_7.s390x.rpm  
libtiff-debugsource-4.0.9-26.el8_7.s390x.rpm  
libtiff-devel-4.0.9-26.el8_7.s390x.rpm  
libtiff-tools-debuginfo-4.0.9-26.el8_7.s390x.rpm

x86_64:  
libtiff-4.0.9-26.el8_7.i686.rpm  
libtiff-4.0.9-26.el8_7.x86_64.rpm  
libtiff-debuginfo-4.0.9-26.el8_7.i686.rpm  
libtiff-debuginfo-4.0.9-26.el8_7.x86_64.rpm  
libtiff-debugsource-4.0.9-26.el8_7.i686.rpm  
libtiff-debugsource-4.0.9-26.el8_7.x86_64.rpm  
libtiff-devel-4.0.9-26.el8_7.i686.rpm  
libtiff-devel-4.0.9-26.el8_7.x86_64.rpm  
libtiff-tools-debuginfo-4.0.9-26.el8_7.i686.rpm  
libtiff-tools-debuginfo-4.0.9-26.el8_7.x86_64.rpm

Red Hat CodeReady Linux Builder (v. 8):

aarch64:  
libtiff-debuginfo-4.0.9-26.el8_7.aarch64.rpm  
libtiff-debugsource-4.0.9-26.el8_7.aarch64.rpm  
libtiff-tools-4.0.9-26.el8_7.aarch64.rpm  
libtiff-tools-debuginfo-4.0.9-26.el8_7.aarch64.rpm

ppc64le:  
libtiff-debuginfo-4.0.9-26.el8_7.ppc64le.rpm  
libtiff-debugsource-4.0.9-26.el8_7.ppc64le.rpm  
libtiff-tools-4.0.9-26.el8_7.ppc64le.rpm  
libtiff-tools-debuginfo-4.0.9-26.el8_7.ppc64le.rpm

s390x:  
libtiff-debuginfo-4.0.9-26.el8_7.s390x.rpm  
libtiff-debugsource-4.0.9-26.el8_7.s390x.rpm  
libtiff-tools-4.0.9-26.el8_7.s390x.rpm  
libtiff-tools-debuginfo-4.0.9-26.el8_7.s390x.rpm

x86_64:  
libtiff-debuginfo-4.0.9-26.el8_7.x86_64.rpm  
libtiff-debugsource-4.0.9-26.el8_7.x86_64.rpm  
libtiff-tools-4.0.9-26.el8_7.x86_64.rpm  
libtiff-tools-debuginfo-4.0.9-26.el8_7.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-2056  
https://access.redhat.com/security/cve/CVE-2022-2057  
https://access.redhat.com/security/cve/CVE-2022-2058  
https://access.redhat.com/security/cve/CVE-2022-2519  
https://access.redhat.com/security/cve/CVE-2022-2520  
https://access.redhat.com/security/cve/CVE-2022-2521  
https://access.redhat.com/security/cve/CVE-2022-2867  
https://access.redhat.com/security/cve/CVE-2022-2868  
https://access.redhat.com/security/cve/CVE-2022-2869  
https://access.redhat.com/security/cve/CVE-2022-2953  
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY7/i4dzjgjWX9erEAQi6RA//droyz+qXJ+bdUQ60K5/OeC+E2U/kI6Pk  
lxgJsODCf8QoH/VPIoMs3Tk2/30BqqqZLXP5AYzdwrAB4t3qk3Mxtm9U6zsY1ciM  
9JByBpgBtOFa5O9TuPvn5rH6TnHOCDJlTrGbS02/NLM6OOQVBw9T9n13lOs/iLpD  
zibztSpQnrH28UVqU4cDCYEvamKY0ieS2JYVjM0M8ADzN/KsVccfgZX/lwLip9Cp  
/5x69N0lxcqbKMj18VEy2qpPA0yxkzhR9WwnB4o6N/OjN9rNOklO7ojBTo57H5eo  
HanmM2UyKytlkFvhQdLcY/lS7Hiw4w7Asd0tIRhHCaxFweP/3tVNq5JWYkx1Nd7k  
NHRxs+W64jWzdk+rDVEvQLaCphFEIljR0yXjEfibG8LfxXPxxsKOsqWXKavx8SFl  
uh2Kh/SQgK6sblHJMXtgmPHcby80evvJ4iE2WFDIxrC4Oj60yLnOWDoPTA/9Ea/M  
kqptk0UEWCkt7zVV4/dOkt1azJdSTonQTVcIPy9Tt6pLpduTnfttwJoeg4WOKEt2  
9PEZ0PU/UpiFyvIpwClz/bu9JhtTDVrtL8NssB3DfMTpyA4bgewEqb5ZPsxuS7Ok  
St3gQOfORxrSTdH5JoxvyOnkiEfMDRBpLhoH2UuPllwjVh7qF+i66d1A4sjY0bWj  
id8NMxaF/LI=  
=0UoC  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-0095-01

Red Hat Security Advisory 2023-0096-01 - D-Bus is a system for sending messages between applications. It is used both for the system-wide message bus service, and as a per-user-login-session messaging facility.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Moderate: dbus security update  
Advisory ID:       RHSA-2023:0096-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:0096  
Issue date:        2023-01-12  
CVE Names:         CVE-2022-42010 CVE-2022-42011 CVE-2022-42012   
=====================================================================

1. Summary:

An update for dbus is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 8) - aarch64, ppc64le, s390x, x86_64  
Red Hat Enterprise Linux BaseOS (v. 8) - aarch64, noarch, ppc64le, s390x, x86_64

3. Description:

D-Bus is a system for sending messages between applications. It is used  
both for the system-wide message bus service, and as a  
per-user-login-session messaging facility.

Security Fix(es):

* dbus: dbus-daemon crashes when receiving message with incorrectly nested  
parentheses and curly brackets (CVE-2022-42010)

* dbus: dbus-daemon can be crashed by messages with array length  
inconsistent with element type (CVE-2022-42011)

* dbus: `_dbus_marshal_byteswap` doesn't process fds in messages with  
"foreign" endianness correctly (CVE-2022-42012)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

For the update to take effect, all running instances of dbus-daemon and all  
running applications using the libdbus library must be restarted, or the  
system rebooted.

5. Bugs fixed (https://bugzilla.redhat.com/):

2133616 - CVE-2022-42010 dbus: dbus-daemon crashes when receiving message with incorrectly nested parentheses and curly brackets  
2133617 - CVE-2022-42011 dbus: dbus-daemon can be crashed by messages with array length inconsistent with element type  
2133618 - CVE-2022-42012 dbus: `_dbus_marshal_byteswap` doesn't process fds in messages with "foreign" endianness correctly

6. Package List:

Red Hat Enterprise Linux AppStream (v. 8):

aarch64:  
dbus-daemon-debuginfo-1.12.8-23.el8_7.1.aarch64.rpm  
dbus-debuginfo-1.12.8-23.el8_7.1.aarch64.rpm  
dbus-debugsource-1.12.8-23.el8_7.1.aarch64.rpm  
dbus-devel-1.12.8-23.el8_7.1.aarch64.rpm  
dbus-libs-debuginfo-1.12.8-23.el8_7.1.aarch64.rpm  
dbus-tests-debuginfo-1.12.8-23.el8_7.1.aarch64.rpm  
dbus-tools-debuginfo-1.12.8-23.el8_7.1.aarch64.rpm  
dbus-x11-1.12.8-23.el8_7.1.aarch64.rpm  
dbus-x11-debuginfo-1.12.8-23.el8_7.1.aarch64.rpm

ppc64le:  
dbus-daemon-debuginfo-1.12.8-23.el8_7.1.ppc64le.rpm  
dbus-debuginfo-1.12.8-23.el8_7.1.ppc64le.rpm  
dbus-debugsource-1.12.8-23.el8_7.1.ppc64le.rpm  
dbus-devel-1.12.8-23.el8_7.1.ppc64le.rpm  
dbus-libs-debuginfo-1.12.8-23.el8_7.1.ppc64le.rpm  
dbus-tests-debuginfo-1.12.8-23.el8_7.1.ppc64le.rpm  
dbus-tools-debuginfo-1.12.8-23.el8_7.1.ppc64le.rpm  
dbus-x11-1.12.8-23.el8_7.1.ppc64le.rpm  
dbus-x11-debuginfo-1.12.8-23.el8_7.1.ppc64le.rpm

s390x:  
dbus-daemon-debuginfo-1.12.8-23.el8_7.1.s390x.rpm  
dbus-debuginfo-1.12.8-23.el8_7.1.s390x.rpm  
dbus-debugsource-1.12.8-23.el8_7.1.s390x.rpm  
dbus-devel-1.12.8-23.el8_7.1.s390x.rpm  
dbus-libs-debuginfo-1.12.8-23.el8_7.1.s390x.rpm  
dbus-tests-debuginfo-1.12.8-23.el8_7.1.s390x.rpm  
dbus-tools-debuginfo-1.12.8-23.el8_7.1.s390x.rpm  
dbus-x11-1.12.8-23.el8_7.1.s390x.rpm  
dbus-x11-debuginfo-1.12.8-23.el8_7.1.s390x.rpm

x86_64:  
dbus-daemon-debuginfo-1.12.8-23.el8_7.1.i686.rpm  
dbus-daemon-debuginfo-1.12.8-23.el8_7.1.x86_64.rpm  
dbus-debuginfo-1.12.8-23.el8_7.1.i686.rpm  
dbus-debuginfo-1.12.8-23.el8_7.1.x86_64.rpm  
dbus-debugsource-1.12.8-23.el8_7.1.i686.rpm  
dbus-debugsource-1.12.8-23.el8_7.1.x86_64.rpm  
dbus-devel-1.12.8-23.el8_7.1.i686.rpm  
dbus-devel-1.12.8-23.el8_7.1.x86_64.rpm  
dbus-libs-debuginfo-1.12.8-23.el8_7.1.i686.rpm  
dbus-libs-debuginfo-1.12.8-23.el8_7.1.x86_64.rpm  
dbus-tests-debuginfo-1.12.8-23.el8_7.1.i686.rpm  
dbus-tests-debuginfo-1.12.8-23.el8_7.1.x86_64.rpm  
dbus-tools-debuginfo-1.12.8-23.el8_7.1.i686.rpm  
dbus-tools-debuginfo-1.12.8-23.el8_7.1.x86_64.rpm  
dbus-x11-1.12.8-23.el8_7.1.x86_64.rpm  
dbus-x11-debuginfo-1.12.8-23.el8_7.1.i686.rpm  
dbus-x11-debuginfo-1.12.8-23.el8_7.1.x86_64.rpm

Red Hat Enterprise Linux BaseOS (v. 8):

Source:  
dbus-1.12.8-23.el8_7.1.src.rpm

aarch64:  
dbus-1.12.8-23.el8_7.1.aarch64.rpm  
dbus-daemon-1.12.8-23.el8_7.1.aarch64.rpm  
dbus-daemon-debuginfo-1.12.8-23.el8_7.1.aarch64.rpm  
dbus-debuginfo-1.12.8-23.el8_7.1.aarch64.rpm  
dbus-debugsource-1.12.8-23.el8_7.1.aarch64.rpm  
dbus-libs-1.12.8-23.el8_7.1.aarch64.rpm  
dbus-libs-debuginfo-1.12.8-23.el8_7.1.aarch64.rpm  
dbus-tests-debuginfo-1.12.8-23.el8_7.1.aarch64.rpm  
dbus-tools-1.12.8-23.el8_7.1.aarch64.rpm  
dbus-tools-debuginfo-1.12.8-23.el8_7.1.aarch64.rpm  
dbus-x11-debuginfo-1.12.8-23.el8_7.1.aarch64.rpm

noarch:  
dbus-common-1.12.8-23.el8_7.1.noarch.rpm

ppc64le:  
dbus-1.12.8-23.el8_7.1.ppc64le.rpm  
dbus-daemon-1.12.8-23.el8_7.1.ppc64le.rpm  
dbus-daemon-debuginfo-1.12.8-23.el8_7.1.ppc64le.rpm  
dbus-debuginfo-1.12.8-23.el8_7.1.ppc64le.rpm  
dbus-debugsource-1.12.8-23.el8_7.1.ppc64le.rpm  
dbus-libs-1.12.8-23.el8_7.1.ppc64le.rpm  
dbus-libs-debuginfo-1.12.8-23.el8_7.1.ppc64le.rpm  
dbus-tests-debuginfo-1.12.8-23.el8_7.1.ppc64le.rpm  
dbus-tools-1.12.8-23.el8_7.1.ppc64le.rpm  
dbus-tools-debuginfo-1.12.8-23.el8_7.1.ppc64le.rpm  
dbus-x11-debuginfo-1.12.8-23.el8_7.1.ppc64le.rpm

s390x:  
dbus-1.12.8-23.el8_7.1.s390x.rpm  
dbus-daemon-1.12.8-23.el8_7.1.s390x.rpm  
dbus-daemon-debuginfo-1.12.8-23.el8_7.1.s390x.rpm  
dbus-debuginfo-1.12.8-23.el8_7.1.s390x.rpm  
dbus-debugsource-1.12.8-23.el8_7.1.s390x.rpm  
dbus-libs-1.12.8-23.el8_7.1.s390x.rpm  
dbus-libs-debuginfo-1.12.8-23.el8_7.1.s390x.rpm  
dbus-tests-debuginfo-1.12.8-23.el8_7.1.s390x.rpm  
dbus-tools-1.12.8-23.el8_7.1.s390x.rpm  
dbus-tools-debuginfo-1.12.8-23.el8_7.1.s390x.rpm  
dbus-x11-debuginfo-1.12.8-23.el8_7.1.s390x.rpm

x86_64:  
dbus-1.12.8-23.el8_7.1.x86_64.rpm  
dbus-daemon-1.12.8-23.el8_7.1.x86_64.rpm  
dbus-daemon-debuginfo-1.12.8-23.el8_7.1.i686.rpm  
dbus-daemon-debuginfo-1.12.8-23.el8_7.1.x86_64.rpm  
dbus-debuginfo-1.12.8-23.el8_7.1.i686.rpm  
dbus-debuginfo-1.12.8-23.el8_7.1.x86_64.rpm  
dbus-debugsource-1.12.8-23.el8_7.1.i686.rpm  
dbus-debugsource-1.12.8-23.el8_7.1.x86_64.rpm  
dbus-libs-1.12.8-23.el8_7.1.i686.rpm  
dbus-libs-1.12.8-23.el8_7.1.x86_64.rpm  
dbus-libs-debuginfo-1.12.8-23.el8_7.1.i686.rpm  
dbus-libs-debuginfo-1.12.8-23.el8_7.1.x86_64.rpm  
dbus-tests-debuginfo-1.12.8-23.el8_7.1.i686.rpm  
dbus-tests-debuginfo-1.12.8-23.el8_7.1.x86_64.rpm  
dbus-tools-1.12.8-23.el8_7.1.x86_64.rpm  
dbus-tools-debuginfo-1.12.8-23.el8_7.1.i686.rpm  
dbus-tools-debuginfo-1.12.8-23.el8_7.1.x86_64.rpm  
dbus-x11-debuginfo-1.12.8-23.el8_7.1.i686.rpm  
dbus-x11-debuginfo-1.12.8-23.el8_7.1.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-42010  
https://access.redhat.com/security/cve/CVE-2022-42011  
https://access.redhat.com/security/cve/CVE-2022-42012  
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY7/i3dzjgjWX9erEAQjvgQ//amTIwzga07Gm+tHjXgqVgNbqz2eJYJFV  
uyFUL7QnCdlP9NnYTe9hXKgMnpJgc+vfl1BQCbeH7Np1X77tIXO9oWrCJtAH6mNp  
aaIEOBrq3hGiNbgjG2SWnwVSPtnBn4RQZSiUhZn6CdlSCEdEsfBHppUrUCO6gFrE  
n+7/abMkcmsPSFtIJNFN17/92OaLChPLm7PdzJ/EmbhmTznG8mevz0DspbDyPAE/  
R/Z5h4QXyvad/ZDVg/3euFC/ny/6FaXJW3PoUReFQ3luCA8rgpoNmh1m/glninC9  
KMrfn/o87iaTI71k70+M7OwkHw3xo6NmWsaQ2HEq/j1tzjsRD6sjx0eYoowbWL2A  
pVY5mxrNXcDegtOZ/Aa/X44Hd9KWRZ9Fse+ye85yeakaTRjFaijYe6URrFs/tDaO  
R3XVtlKqXyS9yStF6jZLaBdZhGBAxAEM/IOKV38dSIat0dzQ2SQr5+GaCtVhaN+t  
iQG3CF67hYkDIylX0F7fZVrbtFOQXbsvkCcL7qwRCXAS3aAYRHLZpPwDex26uw4Q  
aGTs3eBYhVQ1VAPjJdkVAROqBa31T9RBn/UuUzvadbY6J0gWeNYB45OvEHpJ2Zkg  
eW1YYrrU/si+mSwZsXOYniNTfY0AVaCgRndyIAl0NL1jRFvi6MU66V2LW5Zcqwq6  
Cu/RYePhzYs=  
=iJ9Z  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-0096-01

Red Hat Security Advisory 2023-0087-01 - The USBGuard software framework provides system protection against intrusive USB devices by implementing basic whitelisting and blacklisting capabilities based on device attributes. To enforce a user-defined policy, USBGuard uses the Linux kernel USB device authorization feature.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Moderate: usbguard security update  
Advisory ID:       RHSA-2023:0087-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:0087  
Issue date:        2023-01-12  
CVE Names:         CVE-2019-25058   
=====================================================================

1. Summary:

An update for usbguard is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 8) - aarch64, noarch, ppc64le, s390x, x86_64

3. Description:

The USBGuard software framework provides system protection against  
intrusive USB devices by implementing basic whitelisting and blacklisting  
capabilities based on device attributes. To enforce a user-defined policy,  
USBGuard uses the Linux kernel USB device authorization feature.

Security Fix(es):

* usbguard: Fix unauthorized access via D-Bus (CVE-2019-25058)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2058465 - CVE-2019-25058 usbguard: Fix unauthorized access via D-Bus

6. Package List:

Red Hat Enterprise Linux AppStream (v. 8):

Source:  
usbguard-1.0.0-8.el8_7.2.src.rpm

aarch64:  
usbguard-1.0.0-8.el8_7.2.aarch64.rpm  
usbguard-dbus-1.0.0-8.el8_7.2.aarch64.rpm  
usbguard-dbus-debuginfo-1.0.0-8.el8_7.2.aarch64.rpm  
usbguard-debuginfo-1.0.0-8.el8_7.2.aarch64.rpm  
usbguard-debugsource-1.0.0-8.el8_7.2.aarch64.rpm  
usbguard-notifier-1.0.0-8.el8_7.2.aarch64.rpm  
usbguard-notifier-debuginfo-1.0.0-8.el8_7.2.aarch64.rpm  
usbguard-tools-1.0.0-8.el8_7.2.aarch64.rpm  
usbguard-tools-debuginfo-1.0.0-8.el8_7.2.aarch64.rpm

noarch:  
usbguard-selinux-1.0.0-8.el8_7.2.noarch.rpm

ppc64le:  
usbguard-1.0.0-8.el8_7.2.ppc64le.rpm  
usbguard-dbus-1.0.0-8.el8_7.2.ppc64le.rpm  
usbguard-dbus-debuginfo-1.0.0-8.el8_7.2.ppc64le.rpm  
usbguard-debuginfo-1.0.0-8.el8_7.2.ppc64le.rpm  
usbguard-debugsource-1.0.0-8.el8_7.2.ppc64le.rpm  
usbguard-notifier-1.0.0-8.el8_7.2.ppc64le.rpm  
usbguard-notifier-debuginfo-1.0.0-8.el8_7.2.ppc64le.rpm  
usbguard-tools-1.0.0-8.el8_7.2.ppc64le.rpm  
usbguard-tools-debuginfo-1.0.0-8.el8_7.2.ppc64le.rpm

s390x:  
usbguard-1.0.0-8.el8_7.2.s390x.rpm  
usbguard-dbus-1.0.0-8.el8_7.2.s390x.rpm  
usbguard-dbus-debuginfo-1.0.0-8.el8_7.2.s390x.rpm  
usbguard-debuginfo-1.0.0-8.el8_7.2.s390x.rpm  
usbguard-debugsource-1.0.0-8.el8_7.2.s390x.rpm  
usbguard-notifier-1.0.0-8.el8_7.2.s390x.rpm  
usbguard-notifier-debuginfo-1.0.0-8.el8_7.2.s390x.rpm  
usbguard-tools-1.0.0-8.el8_7.2.s390x.rpm  
usbguard-tools-debuginfo-1.0.0-8.el8_7.2.s390x.rpm

x86_64:  
usbguard-1.0.0-8.el8_7.2.i686.rpm  
usbguard-1.0.0-8.el8_7.2.x86_64.rpm  
usbguard-dbus-1.0.0-8.el8_7.2.x86_64.rpm  
usbguard-dbus-debuginfo-1.0.0-8.el8_7.2.i686.rpm  
usbguard-dbus-debuginfo-1.0.0-8.el8_7.2.x86_64.rpm  
usbguard-debuginfo-1.0.0-8.el8_7.2.i686.rpm  
usbguard-debuginfo-1.0.0-8.el8_7.2.x86_64.rpm  
usbguard-debugsource-1.0.0-8.el8_7.2.i686.rpm  
usbguard-debugsource-1.0.0-8.el8_7.2.x86_64.rpm  
usbguard-notifier-1.0.0-8.el8_7.2.x86_64.rpm  
usbguard-notifier-debuginfo-1.0.0-8.el8_7.2.i686.rpm  
usbguard-notifier-debuginfo-1.0.0-8.el8_7.2.x86_64.rpm  
usbguard-tools-1.0.0-8.el8_7.2.x86_64.rpm  
usbguard-tools-debuginfo-1.0.0-8.el8_7.2.i686.rpm  
usbguard-tools-debuginfo-1.0.0-8.el8_7.2.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2019-25058  
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY7/i2tzjgjWX9erEAQhLZg/9EezWfPlWIbBiHutx0JhwylMY4T3OqiWW  
1gTipQUolrsTWSGjTOmep+1QclnkXWS1rO3RTlu/5tuT/b1kIC7rictgE07KBYIc  
Z7KXbSF65t5saQV/QkQx+IrPuIJBLr6M+8+jbzn+tXHvfawNBZQmesVSkwX0BvsA  
X/Rjjy4y1aAJL3+IgreVvDAg8a/SdkckdPhHHTsFXHXUfN5u/mz+3f37XSbzo7Vf  
ZzIBkI/Vh4NU+6rxZDpeDCDAeEeYrMlWCdF4FwmanLO4Lud+7vkvL1bfEb86GJ+j  
5bs9U1dLAdBuFop/VF3tuC0WSnFu1S3jAhboR+ZM95AUpIMzAWjr45Ub/tXE+eeM  
uXrgZd7RUpYVzzmo3aErJ2HC0iAzaLlhllikoCfplIDC0w6IquKfsucNXy4KJD+z  
2uxfHYNa/y8Z9eARXJyN7K29hlNwHA9z3SXY9ou0mj0+Ga4iqEmFJ6k62eR9B2jo  
HmfQOraQ5prhXJQcoIhjh5o71gmy4aYsQqODA4TtQa1PGR/GkHYGuxFnYqAodthH  
1SJmjA6D+RKivEdE4A7OtlbrIs/924YcLYeZWwgdJWt+kOv4o8j/gtgqx6oPySuw  
y2qOKQB6o0HNBAmNZ9CrSTyhaJ5eD1C05mlRtschBfOzcn73VhFDobvmOgpRGe70  
ZUy8WiES6EE=  
=jYT+  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-0087-01

Gentoo Linux Security Advisory 202301-9 - A vulnerability has been discovered in protobuf-java which could result in denial of service. Versions less than 3.20.3 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202301-09  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Low  
    Title: protobuf-java: Denial of Service  
     Date: January 11, 2023  
     Bugs: #876903  
       ID: 202301-09

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

A vulnerability has been discovered in protobuf-java which could result  
in denial of service.

Background  
==========

protobuf-java contains the Java bindings for Google's Protocol Buffers.

Affected packages  
=================

    -------------------------------------------------------------------  
     Package              /     Vulnerable     /            Unaffected  
    -------------------------------------------------------------------  
  1  dev-java/protobuf-java     < 3.20.3                    >= 3.20.3

Description  
===========

Inputs containing multiple instances of non-repeated embedded messages  
with repeated or unknown fields causes objects to be converted back and  
forth between mutable and immutable forms, resulting in potentially long  
garbage collection pauses.

Impact  
======

Crafted input can trigger a denial of service via long garbage  
collection pauses.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All protobuf-java users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=dev-java/protobuf-java-3.20.3"

References  
==========

[ 1 ] CVE-2022-3171  
      https://nvd.nist.gov/vuln/detail/CVE-2022-3171  
[ 2 ] CVE-2022-3509  
      https://nvd.nist.gov/vuln/detail/CVE-2022-3509  
[ 3 ] CVE-2022-3510  
      https://nvd.nist.gov/vuln/detail/CVE-2022-3510

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202301-09

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2023 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202301-09

Ubuntu Security Notice 5799-1 - Kyle Zeng discovered that the sysctl implementation in the Linux kernel contained a stack-based buffer overflow. A local attacker could use this to cause a denial of service or execute arbitrary code.

    ==========================================================================Ubuntu Security Notice USN-5799-1January 11, 2023linux-oem-5.17, linux-oem-6.0 vulnerability==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 22.04 LTSSummary:The system could be made to crash or run programs as an administrator.Software Description:- linux-oem-5.17: Linux kernel for OEM systems- linux-oem-6.0: Linux kernel for OEM systemsDetails:Kyle Zeng discovered that the sysctl implementation in the Linux kernelcontained a stack-based buffer overflow. A local attacker could use this tocause a denial of service (system crash) or execute arbitrary code.Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 22.04 LTS:   linux-image-5.17.0-1026-oem     5.17.0-1026.27   linux-image-6.0.0-1010-oem      6.0.0-1010.10   linux-image-oem-22.04           5.17.0.1026.24   linux-image-oem-22.04a          5.17.0.1026.24   linux-image-oem-22.04b          6.0.0.1010.10After a standard system update you need to reboot your computer to makeall the necessary changes.ATTENTION: Due to an unavoidable ABI change the kernel updates havebeen given a new version number, which requires you to recompile andreinstall all third party kernel modules you might have installed.Unless you manually uninstalled the standard kernel metapackages(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,linux-powerpc), a standard system upgrade will automatically performthis as well.References:   https://ubuntu.com/security/notices/USN-5799-1   CVE-2022-4378Package Information:   https://launchpad.net/ubuntu/+source/linux-oem-5.17/5.17.0-1026.27   https://launchpad.net/ubuntu/+source/linux-oem-6.0/6.0.0-1010.10

Ubuntu Security Notice USN-5799-1

Debian Linux Security Advisory 5313-1 - It was found that those using java.sql.Statement or java.sql.PreparedStatement in hsqldb, a Java SQL database, to process untrusted input may be vulnerable to a remote code execution attack.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5313-1                   security@debian.orghttps://www.debian.org/security/                          Markus KoschanyJanuary 11, 2023                      https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : hsqldbCVE ID         : CVE-2022-41853Debian Bug     : 1023573It was found that those using java.sql.Statement or java.sql.PreparedStatementin hsqldb, a Java SQL database, to process untrusted input may be vulnerable toa remote code execution attack. By default it is allowed to call any staticmethod of any Java class in the classpath resulting in code execution. Theissue can be prevented by updating to 2.5.1-1+deb11u1 or by setting the systemproperty "hsqldb.method_class_names" to classes which are allowed to be called.For example, System.setProperty("hsqldb.method_class_names","abc") or Javaargument -Dhsqldb.method_class_names="abc" can be used. From version2.5.1-1+deb11u1 all classes by default are not accessible except those injava.lang.Math and need to be manually enabled.For the stable distribution (bullseye), this problem has been fixed inversion 2.5.1-1+deb11u1.We recommend that you upgrade your hsqldb packages.For the detailed security status of hsqldb please refer toits security tracker page at:https://security-tracker.debian.org/tracker/hsqldbFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQKTBAEBCgB9FiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAmO98RdfFIAAAAAALgAoaXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFDRjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQACgkQ2a0UuVE7UeTvExAAr/PkL7dghDuiVOzcE6Imt2Z1p+qeOIQf/UbvwSZw/fb5zt9QrDmM/fp3d9GhWOoxzspsmNJ6LieCMeN4pih+q1DXaD6HE9o+X90FjYXaJSnfRZMCjbYor6dtN7CnzJnBnr/5iJ6XTS9lSmntpPdLlpXpdicivSeEtLkDgYH3LnZ/YKPVWPnDD6gusce8t3yttfzgZkGL7h6jhS5aWZwD4bbvUVEeb0uzGlYALP3yv4znbwS1483jUPwB0bfUu2mYgR6+byHMoud+aqbqZXkKL4nr+FkwYIRyXkXn5riME+jkM8LegU0kF3A5CkwylkbUdLk4D7glskpuwWbxTjdAmuiqLoHpNbBPyqHd8w4GcOr/ZlcZIXEqownSNv3pGDjqA3KLWzTKmfIAidSLbnKhqQkWpvRlv34kb8jgqDHmYR3wORaHW6jOGGysBqx4igyLLgYGQukk8pHahoR8VF6hiHihkVjjylqnx6m5hAt4CpQCtCzG9IKqTKjSApT8qM8JNvfzgu0Fa3hiY4O3lbr6W5elSnAjeh49tRaRmT/nT6n4sng0MOCPeBsXXRhr8UuwZhh4SU9XAGJ3O6yVRoouAb/IIM6ALwFlMDRwHU+lB3YJhciXj1yMFJqWUKleG3lajnEDXYhlF50W26LKXRE7KAUmkt7H3wQxkgHAKRqPrbc==3k8R-----END PGP SIGNATURE-----

Debian Security Advisory 5313-1

I2P is an anonymizing network, offering a simple layer that identity-sensitive applications can use to securely communicate. All data is wrapped with several layers of encryption, and the network is both distributed and dynamic, with no trusted parties. This is the source code release version.

I2P 2.1.0

Gentoo Linux Security Advisory 202301-8 - Multiple vulnerabilities have been discovered in Mbed TLS, the worst of which could result in arbitrary code execution. Versions less than 2.28.1 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202301-08  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: Mbed TLS: Multiple Vulnerabilities  
     Date: January 11, 2023  
     Bugs: #857813, #829660, #801376, #778254, #764317, #740108, #730752  
       ID: 202301-08

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

Multiple vulnerabilities have been discovered in Mbed TLS, the worst of  
which could result in arbitrary code execution.

Background  
==========

Mbed TLS (previously PolarSSL) is an “easy to understand, use, integrate  
and expand” implementation of the TLS and SSL protocols and the  
respective cryptographic algorithms and support code required.

Affected packages  
=================

    -------------------------------------------------------------------  
     Package              /     Vulnerable     /            Unaffected  
    -------------------------------------------------------------------  
  1  net-libs/mbedtls           < 2.28.1                    >= 2.28.1

Description  
===========

Multiple vulnerabilities have been discovered in Mbed TLS. Please review  
the CVE identifiers referenced below for details.

Impact  
======

Please review the referenced CVE identifiers for details.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All Mbed TLS users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=net-libs/mbedtls-2.28.1"

References  
==========

[ 1 ] CVE-2020-16150  
      https://nvd.nist.gov/vuln/detail/CVE-2020-16150  
[ 2 ] CVE-2020-36421  
      https://nvd.nist.gov/vuln/detail/CVE-2020-36421  
[ 3 ] CVE-2020-36422  
      https://nvd.nist.gov/vuln/detail/CVE-2020-36422  
[ 4 ] CVE-2020-36423  
      https://nvd.nist.gov/vuln/detail/CVE-2020-36423  
[ 5 ] CVE-2020-36424  
      https://nvd.nist.gov/vuln/detail/CVE-2020-36424  
[ 6 ] CVE-2020-36425  
      https://nvd.nist.gov/vuln/detail/CVE-2020-36425  
[ 7 ] CVE-2020-36426  
      https://nvd.nist.gov/vuln/detail/CVE-2020-36426  
[ 8 ] CVE-2020-36475  
      https://nvd.nist.gov/vuln/detail/CVE-2020-36475  
[ 9 ] CVE-2020-36476  
      https://nvd.nist.gov/vuln/detail/CVE-2020-36476  
[ 10 ] CVE-2020-36477  
      https://nvd.nist.gov/vuln/detail/CVE-2020-36477  
[ 11 ] CVE-2020-36478  
      https://nvd.nist.gov/vuln/detail/CVE-2020-36478  
[ 12 ] CVE-2021-43666  
      https://nvd.nist.gov/vuln/detail/CVE-2021-43666  
[ 13 ] CVE-2021-44732  
      https://nvd.nist.gov/vuln/detail/CVE-2021-44732  
[ 14 ] CVE-2021-45450  
      https://nvd.nist.gov/vuln/detail/CVE-2021-45450  
[ 15 ] CVE-2022-35409  
      https://nvd.nist.gov/vuln/detail/CVE-2022-35409

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202301-08

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2023 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202301-08

Ubuntu Security Notice 5793-3 - It was discovered that the io_uring subsystem in the Linux kernel did not properly perform reference counting in some situations, leading to a use- after-free vulnerability. A local attacker could use this to cause a denial of service or possibly execute arbitrary code. It was discovered that a race condition existed in the Android Binder IPC subsystem in the Linux kernel, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service or possibly execute arbitrary code.

==========================================================================  
Ubuntu Security Notice USN-5793-3  
January 10, 2023

linux-gcp, linux-oracle vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.10

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:  
- linux-gcp: Linux kernel for Google Cloud Platform (GCP) systems  
- linux-oracle: Linux kernel for Oracle Cloud systems

Details:

It was discovered that the io_uring subsystem in the Linux kernel did not  
properly perform reference counting in some situations, leading to a use-  
after-free vulnerability. A local attacker could use this to cause a denial  
of service (system crash) or possibly execute arbitrary code.  
(CVE-2022-3910)

It was discovered that a race condition existed in the Android Binder IPC  
subsystem in the Linux kernel, leading to a use-after-free vulnerability. A  
local attacker could use this to cause a denial of service (system crash)  
or possibly execute arbitrary code. (CVE-2022-20421)

David Leadbeater discovered that the netfilter IRC protocol tracking  
implementation in the Linux Kernel incorrectly handled certain message  
payloads in some situations. A remote attacker could possibly use this to  
cause a denial of service or bypass firewall filtering. (CVE-2022-2663)

It was discovered that the sound subsystem in the Linux kernel contained a  
race condition in some situations. A local attacker could use this to cause  
a denial of service (system crash). (CVE-2022-3303)

It was discovered that the Sunplus Ethernet driver in the Linux kernel  
contained a read-after-free vulnerability. An attacker could possibly use  
this to expose sensitive information (kernel memory) (CVE-2022-3541)

It was discovered that a memory leak existed in the Unix domain socket  
implementation of the Linux kernel. A local attacker could use this to  
cause a denial of service (memory exhaustion). (CVE-2022-3543)

It was discovered that the NILFS2 file system implementation in the Linux  
kernel did not properly deallocate memory in certain error conditions. An  
attacker could use this to cause a denial of service (memory exhaustion).  
(CVE-2022-3544, CVE-2022-3646)

Gwnaun Jung discovered that the SFB packet scheduling implementation in the  
Linux kernel contained a use-after-free vulnerability. A local attacker  
could use this to cause a denial of service (system crash) or possibly  
execute arbitrary code. (CVE-2022-3586)

It was discovered that the hugetlb implementation in the Linux kernel  
contained a race condition in some situations. A local attacker could use  
this to cause a denial of service (system crash) or expose sensitive  
information (kernel memory). (CVE-2022-3623)

Khalid Masum discovered that the NILFS2 file system implementation in the  
Linux kernel did not properly handle certain error conditions, leading to a  
use-after-free vulnerability. A local attacker could use this to cause a  
denial of service or possibly execute arbitrary code. (CVE-2022-3649)

It was discovered that a race condition existed in the MCTP implementation  
in the Linux kernel, leading to a use-after-free vulnerability. A local  
attacker could use this to cause a denial of service (system crash) or  
possibly execute arbitrary code. (CVE-2022-3977)

It was discovered that a race condition existed in the EFI capsule loader  
driver in the Linux kernel, leading to a use-after-free vulnerability. A  
local attacker could use this to cause a denial of service (system crash)  
or possibly execute arbitrary code. (CVE-2022-40307)

Zheng Wang and Zhuorao Yang discovered that the RealTek RTL8712U wireless  
driver in the Linux kernel contained a use-after-free vulnerability. A  
local attacker could use this to cause a denial of service (system crash)  
or possibly execute arbitrary code. (CVE-2022-4095)

It was discovered that a race condition existed in the SMSC UFX USB driver  
implementation in the Linux kernel, leading to a use-after-free  
vulnerability. A physically proximate attacker could use this to cause a  
denial of service (system crash) or possibly execute arbitrary code.  
(CVE-2022-41849)

It was discovered that a race condition existed in the Roccat HID driver in  
the Linux kernel, leading to a use-after-free vulnerability. A local  
attacker could use this to cause a denial of service (system crash) or  
possibly execute arbitrary code. (CVE-2022-41850)

It was discovered that the USB monitoring (usbmon) component in the Linux  
kernel did not properly set permissions on memory mapped in to user space  
processes. A local attacker could use this to cause a denial of service  
(system crash) or possibly execute arbitrary code. (CVE-2022-43750)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 22.10:  
   linux-image-5.19.0-1014-gcp     5.19.0-1014.15  
   linux-image-5.19.0-1014-oracle  5.19.0-1014.16  
   linux-image-gcp                 5.19.0.1014.11  
   linux-image-oracle              5.19.0.1014.11

After a standard system update you need to reboot your computer to make  
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have  
been given a new version number, which requires you to recompile and  
reinstall all third party kernel modules you might have installed.  
Unless you manually uninstalled the standard kernel metapackages  
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,  
linux-powerpc), a standard system upgrade will automatically perform  
this as well.

References:  
   https://ubuntu.com/security/notices/USN-5793-3  
   https://ubuntu.com/security/notices/USN-5793-1  
   CVE-2022-20421, CVE-2022-2663, CVE-2022-3303, CVE-2022-3541,  
   CVE-2022-3543, CVE-2022-3544, CVE-2022-3586, CVE-2022-3623,  
   CVE-2022-3646, CVE-2022-3649, CVE-2022-3910, CVE-2022-3977,  
   CVE-2022-40307, CVE-2022-4095, CVE-2022-41849, CVE-2022-41850,  
   CVE-2022-43750

Package Information:  
   https://launchpad.net/ubuntu/+source/linux-gcp/5.19.0-1014.15  
   https://launchpad.net/ubuntu/+source/linux-oracle/5.19.0-1014.16

Ubuntu Security Notice USN-5793-3

WordPress Royal Elementor add-ons versions 1.3.59 and below suffer from cross site request forgery, insufficient access control, cross site scripting vulnerabilities.

On December 23, 2022, the Wordfence Threat Intelligence team initiated the responsible disclosure process for a set of 11 vulnerabilities in Royal Elementor Addons, a WordPress plugin with over 100,000 installations. The plugin developers responded on December 26, and we sent over the full disclosure that day.

We released a firewall rule protecting against these vulnerabilities to Wordfence Premium, Care, and Response customers on December 23, 2022. Sites still running the free version of Wordfence will receive the same protection 30 days later, on January 22, 2023.

While none of the vulnerabilities were critical, several of them could have been used by any authenticated user to modify content, disable plugins, or even temporarily take down the site in some circumstances. Additionally one of the patched vulnerabilities was a Reflected Cross-Site Scripting vulnerability which could have been used to take over the site if an attacker was able to trick an administrator into performing an action, such as clicking a link.

This email content has also been published on our blog and you're welcome to post a comment there if you'd like to join the conversation.  Or you can read the full post in this email.

Vulnerability Details

The primary set of issues we found with Royal Elementor Addons was due to a lack of access control and nonce checks on various AJAX actions in the plugin.

Description: Insufficient Access Control to Theme Activation

Affected Plugin: Royal Elementor Addons

Plugin Slug: royal-elementor-addons

Affected Versions: <= 1.3.59

CVE ID: CVE-2022-4700

CVSS Score: 5.4 (Medium)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

Researcher/s: Ramuel Gall

Fully Patched Version: 1.3.60

Royal Elementor Addons has an option to quickly activate the recommended Royal Elementor Kit theme. Unfortunately, this is performed via an AJAX function, wpr_activate_required_theme, which did not perform capability or nonce checks, or even check if the theme was installed on the site. This meant that any logged-in user, such as a subscriber, could change a vulnerable site’s theme. If the Royal Elementor Kit theme was not installed on the site, this would result in a loss of availability as the site would fail to load and instead display an error message.

Description: Insufficient Access Control to Plugin Deactivation 

Affected Plugin: Royal Elementor Addons

Plugin Slug: royal-elementor-addons

Affected Versions: <= 1.3.59

CVE ID: CVE-2022-4702

CVSS Score: 5.4 (Medium)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

Researcher/s: Ramuel Gall

Fully Patched Version: 1.3.60

Royal Elementor Addons has an option to revert the site to a “compatible” state for imported templates via the wpr_fix_royal_compatibility AJAX function. This involves deactivating all but a short list of hard-coded plugins. As the function did not use capability or nonce checks, this means that any authenticated user could deactivate plugins necessary for site functionality as well as any security plugins that do not specifically block this action. This could cause the site to become unavailable or vulnerable to additional exploits.

Description: Insufficient Access Control to Template Import

Affected Plugin: Royal Elementor Addons

Plugin Slug: royal-elementor-addons

Affected Versions: <= 1.3.59

CVE ID: CVE-2022-4704

CVSS Score: 5.4 (Medium)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

Researcher/s: Ramuel Gall

Fully Patched Version: 1.3.60

Royal Elementor Addons allows importing preset templates via the wpr_import_templates_kit AJAX function. Vulnerable versions of the plugin do not include capability or nonce check for this function, so any authenticated user could import templates, potentially overwriting any existing templates.

Description: Insufficient Access Control to Plugin Activation

Affected Plugin: Royal Elementor Addons

Plugin Slug: royal-elementor-addons

Affected Versions: <= 1.3.59

CVE ID: CVE-2022-4701

CVSS Score: 4.3 (Low)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Researcher/s: Ramuel Gall

Fully Patched Version: 1.3.60

Royal Elementor Addons has an option to activate the 'contact-form-7', 'media-library-assistant', or 'woocommerce' plugins if they are installed on the site via the wpr_activate_required_plugins AJAX action, and this functionality was available to any logged-in user. Fortunately the impact of this vulnerability is quite minimal as it would only allow an attacker to activate three select plugins.

Description: Insufficient Access Control to Import Deletion

Affected Plugin: Royal Elementor Addons

Plugin Slug: royal-elementor-addons

Affected Versions: <= 1.3.59

CVE ID: CVE-2022-4703

CVSS Score: 4.3 (Low)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

Researcher/s: Ramuel Gall

Fully Patched Version: 1.3.60

Royal Elementor Addons has an AJAX action, wpr_reset_previous_import, used to delete previously imported content when importing new content. However, since it is accessible to any authenticated user, this could be used to delete imported content without importing new content, potentially resulting in site availability issues.

Description: Insufficient Access Control to Template Activation

Affected Plugin: Royal Elementor Addons

Plugin Slug: royal-elementor-addons

Affected Versions: <= 1.3.59

CVE ID: CVE-2022-4705

CVSS Score: 4.3 (Low)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Researcher/s: Ramuel Gall

Fully Patched Version: 1.3.60

Royal Elementor Addons uses the wpr_final_settings_setup AJAX action to finalize activation of preset site configuration templates, which can be chosen and imported via a separate action. As with the other vulnerabilities recorded here, any authenticated user could access this functionality, though the impact of this vulnerability was lower.

Description: Insufficient Access Control to Menu Settings Update

Affected Plugin: Royal Elementor Addons

Plugin Slug: royal-elementor-addons

Affected Versions: <= 1.3.59

CVE ID: CVE-2022-4711

CVSS Score: 4.3 (Low)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Researcher/s: Ramuel Gall

Fully Patched Version: 1.3.60

Royal Elementor Addons uses the wpr_save_mega_menu_settings AJAX action to update mega menu settings. As with the other vulnerabilities we found, this action called a function that did not include a capability check or a nonce check, so any authenticated user could update menu settings.

Description: Insufficient Access Control to Template Conditions Modification

Affected Plugin: Royal Elementor Addons

Plugin Slug: royal-elementor-addons

Affected Versions: <= 1.3.59

CVE ID: CVE-2022-4708

CVSS Score: 4.3 (Low)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Researcher/s: Ramuel Gall

Fully Patched Version: 1.3.60

Royal Elementor Addons uses the wpr_save_template_conditions AJAX action to save template conditions, determining when a given template will be displayed and used. The action called a function that was accessible to any authenticated user.

Description: Insufficient Access Control to Template Kit Import

Affected Plugin: Royal Elementor Addons

Plugin Slug: royal-elementor-addons

Affected Versions: <= 1.3.59

CVE ID: CVE-2022-4709

CVSS Score: 4.3 (Low)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Researcher/s: Ramuel Gall

Fully Patched Version: 1.3.60

Royal Elementor Addons uses the wpr_import_library_template AJAX action to import and activate templates from the plugin developers’ template library. As with other vulnerabilities reported here, the action called a function that did not include a capability or nonce check, allowing any authenticated user to access it.

The final vulnerabilities we found did not exactly fit the pattern of the others - one was a lower-severity Cross-Site Request Forgery(CSRF) and the other, a higher-severity reflected Cross-Site Scripting(XSS).

Description: Cross-Site Request Forgery to Menu Template creation

Affected Plugin: Royal Elementor Addons

Plugin Slug: royal-elementor-addons

Affected Versions: <= 1.3.59

CVE ID: CVE-2022-4707

CVSS Score: 4.3 (Low)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Researcher/s: Ramuel Gall

Fully Patched Version: 1.3.60

Unlike the other AJAX actions we’ve mentioned so far, wpr_create_mega_menu_template, which is used to create new menu templates, did include access control. It was, however, still lacking a nonce check, so an attacker could trick a logged-in administrator into performing an action that would result in a menu template being created.

Description: Reflected Cross-Site Scripting

Affected Plugin: Royal Elementor Addons

Plugin Slug: royal-elementor-addons

Affected Versions: <= 1.3.59

CVE ID: CVE-2022-4710

CVSS Score: 6.1 (Medium)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Researcher/s: Ramuel Gall

Fully Patched Version: 1.3.60

Unlike all of the other vulnerabilities mentioned above, reflected cross-site scripting(XSS) can be used by an attacker to completely take over a website if they can trick a logged-in administrator into performing an action, such as clicking a link, by performing actions as that administrator, such as adding a new malicious administrator, or inserting a backdoor into a plugin or theme file.

Additionally, unauthenticated users could also be targeted by this to redirect them to a malicious website or perform actions in their browsers. In this case, the data_fetch function failed to escape the wpr_ajax_search_link_target parameter used to return search results. Note that all Wordfence users, including Wordfence free users, are protected against exploits targeting this rule by the Wordfence firewall’s built-in Cross-Site Scripting protection.

Timeline

December 23, 2022 - We release a firewall rule protecting Wordfence Premium, Care, and Response customers and reach out to the plugin developer

December 26, 2023 - The plugin developer responds

December 29, 2023 - A patched version, 1.3.60, is released

January 22, 2023 - Firewall rule becomes available to Wordfence Free users

Conclusion

In today’s article, we covered a set of 11 vulnerabilities in the Royal Elementor Addons plugin. While none are critical, several can have severe consequences under certain circumstances.

The Wordfence firewall protects Wordfence Premium, Care, and Response users from these vulnerabilities and Wordfence Free users will receive protection on January 22, 2023 Nonetheless, we strongly recommend updating to the latest version of the plugin, which is 1.3.60 at the time of this writing, as soon as possible.

If you believe your site has been compromised as a result of this vulnerability or any other vulnerability, we offer Incident Response services via Wordfence Care. 

If you need your site cleaned immediately, Wordfence Response offers the same service with 24/7/365 availability and a 1-hour response time. Both of these products include hands-on support in case you need further assistance. If you have any friends or colleagues who are using this plugin, please share this announcement with them and encourage them to update to the latest patched version of Royal Elementor Addons as soon as possible.

If you are a security researcher, you can responsibly disclose your finds to us and obtain a CVE ID and get your name on the Wordfence Intelligence Community Edition leaderboard.

Source

Packet Storm