OTFCC commit 617837b was discovered to contain a heap buffer overflow via /release-x64/otfccdump+0x6adb1e.

CVE-2022-35037

OTFCC commit 617837b was discovered to contain a heap buffer overflow via /release-x64/otfccdump+0x6e1fc8.

CVE-2022-35036

OTFCC commit 617837b was discovered to contain a heap buffer overflow via /release-x64/otfccdump+0x6b064d.

CVE-2022-35038

OTFCC commit 617837b was discovered to contain a heap buffer overflow via /release-x64/otfccdump+0x6e20a0.

CVE-2022-35039

OTFCC commit 617837b was discovered to contain a global buffer overflow via /release-x64/otfccdump+0x718693.

**Product Link**

https://github.com/caryll/otfcc

**POC file**

https://github.com/Cvjark/Poc/files/9059942/id20\_global-buffer-overflow\_sample\_1.zip

**Command to reproduce**

./otfccbuild --pretty [sample file] -o /dev/null

**Product name & version**

last github commit code : 617837b

**Problem Type**

global-buffer-overflow

**Crash Detail**

    ==15097==ERROR: AddressSanitizer: global-buffer-overflow on address 0x00000075fb88 at pc 0x000000718694 bp 0x7fffd615d380 sp 0x7fffd615d378
    READ of size 4 at 0x00000075fb88 thread T0
        #0 0x718693  (/home/bupt/Desktop/otfcc/bin/release-x64/otfccdump+0x718693)
        #1 0x6f835d  (/home/bupt/Desktop/otfcc/bin/release-x64/otfccdump+0x6f835d)
        #2 0x4f5ad3  (/home/bupt/Desktop/otfcc/bin/release-x64/otfccdump+0x4f5ad3)
        #3 0x7f69023d2c86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
        #4 0x41c549  (/home/bupt/Desktop/otfcc/bin/release-x64/otfccdump+0x41c549)
    
    0x00000075fb88 is located 56 bytes to the left of global variable 'cDigitsLut' defined in '../../dep/extern/emyg-dtoa/emyg-dtoa.c:345:20' (0x75fbc0) of size 200
    0x00000075fb88 is located 0 bytes to the right of global variable 'kPow10' defined in '../../dep/extern/emyg-dtoa/emyg-dtoa.c:244:24' (0x75fb60) of size 40
    SUMMARY: AddressSanitizer: global-buffer-overflow (/home/bupt/Desktop/otfcc/bin/release-x64/otfccdump+0x718693) 
    Shadow bytes around the buggy address:
      0x0000800e3f20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0000800e3f30: 00 00 00 00 00 00 00 00 00 00 00 f9 f9 f9 f9 f9
      0x0000800e3f40: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
      0x0000800e3f50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0000800e3f60: 00 00 00 00 00 06 f9 f9 f9 f9 f9 f9 00 00 00 00
    =>0x0000800e3f70: 00[f9]f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
      0x0000800e3f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0000800e3f90: 00 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
      0x0000800e3fa0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0000800e3fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0000800e3fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==15097==ABORTING
    

**Crash summary**

    SUMMARY: AddressSanitizer: global-buffer-overflow (/home/bupt/Desktop/otfcc/bin/release-x64/otfccdump+0x718693)

CVE-2022-35021: Poc/CVE-2022-35021.md at main · Cvjark/Poc

An issue was discovered in Insyde InsydeH2O with kernel 5.0 through 5.5. An SMM callout vulnerability in the SMM driver in UsbLegacyControlSmm leads to possible arbitrary code execution in SMM and escalation of privileges. An attacker could overwrite the function pointers in the EFI_BOOT_SERVICES table before the USB SMI handler triggers. (This is not exploitable from code running in the operating system.)

**Common Vulnerabilities and Exposures (CVE)**

**CVSS v3 Vulnerability Severity**

**Description**

**Intel Security Advisory (SA)**

**Original Date**

**Last Revised**

CVE-2019-0170

8.2

Buffer overflow in subsystem in Intel(R) Dynamic Application Loader before \[12.0.35\] may allow privileged user to potentially enable escalation of privilege via local access.

INTEL-SA-00213

05/14/2019

04/14/2020

CVE-2019-0153

9.0

Buffer overflow in subsystem in Intel(R) CSME before 12.0.35 may allow unauthenticated user to potentially enable escalation of privilege via network access.

INTEL-SA-00213

05/14/2019

04/14/2020

CVE-2019-0126

7.2

Insufficient access control in Silicon Reference firmware for Intel (R) Xeon (R) Scalable Processor, Intel (R) Xeon (R) Processor D Family may allow privileged user to potentially enable escalation of privilege or denial of service via local access

INTEL-SA-00223

05/14/2019

05/14/2019

CVE-2019-0120

5.3

Insufficient key protection vulnerability in Silicon Reference firmware for Intel(R) Pentium(R) Processor J Series, Intel(R) Pentium(R) Processor N Series, Intel(R) Celeron(R) J Series, Intel(R) Celeron(R) N Series, Intel(R) Atom(R) Processor A Series, Intel(R) Atom(R) Processor E3900 Series, Intel(R) Pentium(R) Processor Silver Series may allow privileged user to potentially enable denial of service via local access.

INTEL-SA-00223

05/14/2019

05/14/2019

CVE-2019-0119

5.7

Buffer overflow vulnerability in system firmware for Intel (R) Xeon (R) Processor D Family, Intel (R) Xeon (R) Scalable Processor, Intel(R) Server Board, Intel(R) Server System and Intel(R) Compute Module may allow privileged user to potentially enable escalation of privilege or denial of service via local access.

INTEL-SA-00223

05/14/2019

05/14/2019

CVE-2019-0098

5.7

Logic bug vulnerability in subsystem for Intel(R) CSME before version 12.0.35, Intel(R) TXE before 3.1.65, 4.0.15may allow unauthenticated user to potentially enable escalation of privilege via physical access.

INTEL-SA-00213

05/14/2019

04/14/2020

CVE-2019-0097

4.9

Insufficient input validation vulnerability in subsystem for Intel(R) Active Management Technology (Intel(R) AMT) before version 12.0.35 may allow privileged user to potentially enable denial of service via network access.

INTEL-SA-00213

05/14/2019

04/14/2020

CVE-2019-0096

6.7

Out of bound write vulnerability in subsystem for Intel(R) Active Management Technology (Intel(R) AMT) before versions 11.8.65, 11.11.65, 11.22.65, 12.0.35 may allow authenticated user to potentially enable escalation of privilege via adjacent network access.

INTEL-SA-00213

05/14/2019

04/14/2020

CVE-2019-0094

4.3

Insufficient input validation vulnerability in subsystem for Intel(R) Active Management Technology (Intel(R) AMT) before versions 11.8.65, 11.11.65, 11.22.65, 12.0.35 may allow unauthenticated user to potentially enable denial of service via adjacent network access

INTEL-SA-00213

05/14/2019

04/14/2020

CVE-2019-0093

2.3

Insufficient data sanitization vulnerability in HECI subsystem for Intel(R) CSME before versions 11.8.65, 11.11.65, 11.22.65, 12.0.35, Intel(R) Server Platform Services before version SPS\_E3\_05.00.04.027.0 may allow privileged user to potentially enable information disclosure via local access

INTEL-SA-00213

05/14/2019

04/14/2020

CVE-2019-0092

6.8

Insufficient input validation vulnerability in subsystem for Intel(R) Active Management Technology (Intel(R) AMT) before versions 11.8.65, 11.11.65, 11.22.65, 12.0.35 may allow unauthenticated user to potentially enable escalation of privilege via physical access

INTEL-SA-00213

05/14/2019

04/14/2020

CVE-2019-0091

6.6

Code injection vulnerability in installer for Intel(R) CSME before versions 11.8.65, 11.11.65, 11.22.65, 12.0.35 and Intel(R) TXE 3.1.65, 4.0.15 may allow unprivileged user to potentially enable escalation of privilege via local access.

INTEL-SA-00213

05/14/2019

04/14/2020

CVE-2019-0086

7.8

Insufficient access control vulnerability in Dynamic Application Loader software for Intel(R) CSME before versions 11.8.65, 11.11.65, 11.22.65, 12.0.35 and Intel(R) TXE 3.1.65, 4.0.15 may allow unprivileged user to potentially enable escalation of privilege via local access

INTEL-SA-00213

05/14/2019

04/14/2020

CVE-2019-0090

7.1

Insufficient access control vulnerability in subsystem for Intel(R) CSME before version 12.0.35, Intel(R) Server Platform Services before version SPS\_E3\_05.00.04.027.0 may allow unauthenticated user to potentially enable escalation of privilege via physical access

INTEL-SA-00213

05/14/2019

04/14/2020

CVE-2019-0089

8.1

Improper data sanitization vulnerability in subsystem in Intel(R) Server Platform Services before versions SPS\_E5\_04.00.04.381.0, SPS\_E3\_04.01.04.054.0, SPS\_SoC-A\_04.00.04.181.0, and SPS\_SoC-X\_04.00.04.086.0 may allow privileged user to potentially enable escalation of privilege via local access

INTEL-SA-00213

05/14/2019

04/14/2020

N/A

4.3

Type confusion in HECI service for Intel(R) Server Platform Services Tools may allow authenticated user to potentially enable escalation of privilege via local access.

N/A

03/04/2019

\-

CVE-2018-11091

3.8

Microarchitectural Data Sampling Uncacheable Memory (MDSUM): Uncacheable memory on some microprocessors utilizing speculative execution may allow an authenticated user to potentially enable information disclosure via a side channel with local access

INTEL-SA-00233

05/14/2019

07/14/2020

CVE-2018-12130

6.5

Microarchitectural Fill Buffer Data Sampling (MFBDS): Fill buffers on some microprocessors utilizing speculative execution may allow an authenticated user to potentially enable information disclosure via a side channel with local access.

INTEL-SA-00233

05/14/2019

07/14/2020

CVE-2018-12127

6.5

Microarchitectural Load Port Data Sampling (MLPDS): Load ports on some microprocessors utilizing speculative execution may allow an authenticated user to potentially enable information disclosure via a side channel with local access.

INTEL-SA-00233

05/14/2019

07/14/2020

CVE-2022-35408: Insyde's Security Pledge | Insyde Software

A parsing vulnerability for the MessageSet type in the ProtocolBuffers versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 3.21.5 for protobuf-cpp, and versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 4.21.5 for protobuf-python can lead to out of memory failures. A specially crafted message with multiple key-value per elements creates parsing issues, and can lead to a Denial of Service against services receiving unsanitized input. We recommend upgrading to versions 3.18.3, 3.19.5, 3.20.2, 3.21.6 for protobuf-cpp and 3.18.3, 3.19.5, 3.20.2, 4.21.6 for protobuf-python. Versions for 3.16 and 3.17 are no longer updated.

CVE-2022-1941: Security Bulletins  |  Customer Care  |  Google Cloud

Categories: Exploits and vulnerabilities
Categories: News
Tags: CVE-2022-40959

Tags:  CVE-2022-40960

Tags:  CVE-2022-40962

Tags:  CVE-2022-3033

Tags:  Mozilla

Tags:  Firefox

Tags:  Thunderbird

Mozilla has released security updates to address vulnerabilities in Firefox, Firefox ESR, and Thunderbird which could be exploited to take control of a system.



(Read more...)




The post Update Firefox and Thunderbird now! Mozilla patches several high risk vulnerabilities appeared first on Malwarebytes Labs.

Mozilla has released security updates to address vulnerabilities in Firefox, Firefox ESR, and Thunderbird. An attacker could exploit some of these vulnerabilities to take control of an affected system.

In Firefox 105 a total of seven vulnerabilities were patched, three of which received the security risk rating "high". In Thunderbird three security vulnerabilities were patched. One with the rating “high” risk.

Security advisories were published for Firefox 105, Firefox ESR 102.3, and Thunderbird 91.13.1. Firefox 105 is the browser most Mozilla users will have on their system. Firefox Extended Support Release (ESR) is an official version of Firefox developed for large organizations that need to set up and maintain Firefox on a large scale. Thunderbird is Mozilla’s free email application.

**How to update**

To find out which version you are using on a Windows machine, open the application menu and click on **Help > About**. On a Mac, look at the top menu and click **Firefox > About Firefox**. This will show which version you currently have and whether an update is available. On Android use the **My apps & games** item in the PlayStore side-menu and find **Firefox Browser** in the list. Use the **Update** button next to it.

_Downloading available update screen Firefox_

The screens and the way to access them are largely the same for all Mozilla programs, including Thunderbird.

Once you've updated, you're protected against these vulnerabilities.

Stay safe everyone!

**The technical details****Firefox vulnerabilities**

CVE-2022-40959: (High) Bypassing FeaturePolicy restrictions on transient pages. During iframe navigation, certain pages didn't have their FeaturePolicy fully initialized leading to a bypass that leaked device permissions into untrusted subdocuments. The HTTP Feature-Policy header provides a mechanism to allow and deny the use of browser features in its own frame, and in content within any iframe elements in the document.

CVE-2022-40960: (High) Data-race when parsing non-UTF-8 URLs in threads. Concurrent use of the URL parser with non-UTF-8 data was not thread-safe. This could lead to a use-after-free causing a potentially exploitable crash. UTF-8 is an encoding system for Unicode characters. It can translate any Unicode character into a matching unique binary string. A non-UTF-8 character is a sequence of bytes that is not a valid UTF-8 character. Since UTF-8 as character encoding was introduced in 2005, there may be still some URLs which use a different encoding. Or they could be constructed to exploit this vulnerability.

CVE-2022-40962: (High )Memory safety bugs fixed in Firefox 105 and Firefox ESR 102.3. These bugs were found by Mozilla developers and the Mozilla Fuzzing Team. Some of these bugs showed evidence of memory corruption and it is likely that with enough effort some of these could have been exploited to run arbitrary code.

CVE-2022-40958: (Moderate) Bypassing Secure Context restriction for cookies with \_\_Host and \_\_Secure prefix. By injecting a cookie with certain special characters, an attacker on a shared subdomain which is not a secure context could set and thus overwrite cookies from a secure context, leading to session fixation and other attacks. In a session fixation attack, the attacker already has access to a valid session and tries to force the victim to use that particular session for his or her own purposes. In such a case the attack is initiated before the user logs in and the session fixation attack fixes an established session on the victim's browser.

CVE-2022-40961: (Moderate) Stack-buffer overflow when initializing Graphics. During startup, a graphics driver with an unexpected name could lead to a stack-buffer overflow causing a potentially exploitable crash. This issue only affects Firefox for Android. Other operating systems are not affected.

CVE-2022-40956: (Low) Content-Security-Policy (CSP) base-uri bypass. When injecting an HTML base element, some requests would ignore the CSP's base-uri settings and accept the injected element's base instead. The HTTP CSP base-uri directive restricts the URLs which can be used in a document's <base> element.

CVE-2022-40957: (Low) Incoherent instruction cache when building WASM on ARM64. Inconsistent data in instruction and data cache when creating wasm code could lead to a potentially exploitable crash. Wasm is designed as a portable compilation target for programming languages, enabling deployment on the web for client and server applications. This bug only affects Firefox on ARM64 platforms. ARM64 is the architecture used by newer Macs built on Apple Silicon, shipped in late 2020 and beyond.

**Thunderbird**

CVE-2022-3033: (High) Leaking of sensitive information when composing a response to an HTML email with a META refresh tag. If a Thunderbird user replied to a crafted HTML email containing a meta tag, with the meta tag having the http-equiv="refresh" attribute, and the content attribute specifying an URL, then Thunderbird started a network request to that URL, regardless of the configuration to block remote content. In combination with certain other HTML elements and attributes in the email, it was possible to execute JavaScript code included in the message in the context of the message compose document. This bug doesn't affect Thunderbird users who have changed the default Message Body display setting to 'simple html' or 'plain text'.

CVE-2022-3032: (Moderate) When receiving an HTML email that contained an iframe element, which used a srcdoc attribute to define the inner HTML document, remote objects specified in the nested document, for example images or videos, were not blocked. Rather, the network was accessed, the objects were loaded and displayed.

CVE-2022-3034: (Moderate) An iframe element in an HTML email could trigger a network request. When receiving an HTML email that specified to load an iframe element from a remote location, a request to the remote document was sent. However, Thunderbird didn't display the document.

Update Firefox and Thunderbird now! Mozilla patches several high risk vulnerabilities

Red Hat Security Advisory 2022-6582-01 - The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements. Issues addressed include buffer overflow and heap overflow vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: kernel-rt security and bug fix update  
Advisory ID:       RHSA-2022:6582-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:6582  
Issue date:        2022-09-20  
CVE Names:         CVE-2022-2078 CVE-2022-34918  
====================================================================  
1. Summary:

An update for kernel-rt is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Real Time (v. 9) - x86_64  
Red Hat Enterprise Linux Real Time for NFV (v. 9) - x86_64

3. Description:

The kernel-rt packages provide the Real Time Linux Kernel, which enables  
fine-tuning for systems with extremely high determinism requirements.

Security Fix(es):

* kernel: heap overflow in nft_set_elem_init() (CVE-2022-34918)

* kernel: vulnerability of buffer overflow in nft_set_desc_concat_parse()  
(CVE-2022-2078)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

Bug Fix(es):

* kernel-rt: update RT source tree to the latest RHEL-9.0.z3 Batch  
(BZ#2119577)

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

The system must be rebooted for this update to take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2096178 - CVE-2022-2078 kernel: Vulnerability of buffer overflow in nft_set_desc_concat_parse()  
2104423 - CVE-2022-34918 kernel: heap overflow in nft_set_elem_init()

6. Package List:

Red Hat Enterprise Linux Real Time for NFV (v. 9):

Source:  
kernel-rt-5.14.0-70.26.1.rt21.98.el9_0.src.rpm

x86_64:  
kernel-rt-5.14.0-70.26.1.rt21.98.el9_0.x86_64.rpm  
kernel-rt-core-5.14.0-70.26.1.rt21.98.el9_0.x86_64.rpm  
kernel-rt-debug-5.14.0-70.26.1.rt21.98.el9_0.x86_64.rpm  
kernel-rt-debug-core-5.14.0-70.26.1.rt21.98.el9_0.x86_64.rpm  
kernel-rt-debug-debuginfo-5.14.0-70.26.1.rt21.98.el9_0.x86_64.rpm  
kernel-rt-debug-devel-5.14.0-70.26.1.rt21.98.el9_0.x86_64.rpm  
kernel-rt-debug-kvm-5.14.0-70.26.1.rt21.98.el9_0.x86_64.rpm  
kernel-rt-debug-modules-5.14.0-70.26.1.rt21.98.el9_0.x86_64.rpm  
kernel-rt-debug-modules-extra-5.14.0-70.26.1.rt21.98.el9_0.x86_64.rpm  
kernel-rt-debuginfo-5.14.0-70.26.1.rt21.98.el9_0.x86_64.rpm  
kernel-rt-debuginfo-common-x86_64-5.14.0-70.26.1.rt21.98.el9_0.x86_64.rpm  
kernel-rt-devel-5.14.0-70.26.1.rt21.98.el9_0.x86_64.rpm  
kernel-rt-kvm-5.14.0-70.26.1.rt21.98.el9_0.x86_64.rpm  
kernel-rt-modules-5.14.0-70.26.1.rt21.98.el9_0.x86_64.rpm  
kernel-rt-modules-extra-5.14.0-70.26.1.rt21.98.el9_0.x86_64.rpm

Red Hat Enterprise Linux Real Time (v. 9):

Source:  
kernel-rt-5.14.0-70.26.1.rt21.98.el9_0.src.rpm

x86_64:  
kernel-rt-5.14.0-70.26.1.rt21.98.el9_0.x86_64.rpm  
kernel-rt-core-5.14.0-70.26.1.rt21.98.el9_0.x86_64.rpm  
kernel-rt-debug-5.14.0-70.26.1.rt21.98.el9_0.x86_64.rpm  
kernel-rt-debug-core-5.14.0-70.26.1.rt21.98.el9_0.x86_64.rpm  
kernel-rt-debug-debuginfo-5.14.0-70.26.1.rt21.98.el9_0.x86_64.rpm  
kernel-rt-debug-devel-5.14.0-70.26.1.rt21.98.el9_0.x86_64.rpm  
kernel-rt-debug-modules-5.14.0-70.26.1.rt21.98.el9_0.x86_64.rpm  
kernel-rt-debug-modules-extra-5.14.0-70.26.1.rt21.98.el9_0.x86_64.rpm  
kernel-rt-debuginfo-5.14.0-70.26.1.rt21.98.el9_0.x86_64.rpm  
kernel-rt-debuginfo-common-x86_64-5.14.0-70.26.1.rt21.98.el9_0.x86_64.rpm  
kernel-rt-devel-5.14.0-70.26.1.rt21.98.el9_0.x86_64.rpm  
kernel-rt-modules-5.14.0-70.26.1.rt21.98.el9_0.x86_64.rpm  
kernel-rt-modules-extra-5.14.0-70.26.1.rt21.98.el9_0.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-2078  
https://access.redhat.com/security/cve/CVE-2022-34918  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYypfyNzjgjWX9erEAQiaCQ/+LSCk2xopPqZvOEHYJI/HwMLQDUfTVExJ  
65aJpi03W1V91Aw5KXKDOMkSnUOUf+lnf7+dhR1xT+pFPcc/i0jrMUO8EexTIlnL  
W4grQyJYcTJWd9fR7RpjzRBN9i5uFYYOPlwShkoMVYdTu4A5U5xGdq5idMdJ9738  
WKAtcOkKW2AshVcC7HiDyG1UB8Mi8+RmO/vUbZyRifiXVyGAer5dr8jM5c7pJ4la  
vl+tv9JeqC0Sl47WjsBg4mSZEIFTVFzqDnWjg/TfrHxEQ2rdLfPU5C3EaWbaCTaC  
LidSXKu04a+y6lgh9FGgbdfZR7hSR086TIdwOx5EViTSvo7f0MtpajPZ89odijYt  
gOluS1yrdE8xsqUz7sFRtBL4+y/ymYlDueWNHBfnjUOaDM5MEh4fEut8ByZ4kW3P  
TNVtz1C/2baHMV0yhW53qW2Z5eQLCOb5Z9HmorIPxBTTmzpMjdo4IWqgijacg8QC  
0gjHgIFtmqnHuTe25kHdHCacbcuVTQedVeIhJsXp42T5i0tfCzaDc/sKiAWEHYzQ  
M7OWft1ti4n6Tr8t7JHU2dAaBBBvCZTAI744H8T7I2x7lYOHtOvybZ9hMwvm4U+i  
bHerMnYkRZe9IGUHLBVbk+r9kSiX3XUlPNmJmuQDYajhXyKbOzSsNCF839eNSzas  
JO23i7scm2U=KHwA  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-6582-01

Red Hat Security Advisory 2022-6610-01 - The kernel packages contain the Linux kernel, the core of any Linux operating system. Issues addressed include buffer overflow and heap overflow vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: kernel security, bug fix, and enhancement update  
Advisory ID:       RHSA-2022:6610-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:6610  
Issue date:        2022-09-20  
CVE Names:         CVE-2022-2078 CVE-2022-34918   
=====================================================================

1. Summary:

An update for kernel is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat CodeReady Linux Builder (v. 9) - aarch64, ppc64le, s390x, x86_64  
Red Hat Enterprise Linux AppStream (v. 9) - aarch64, noarch, ppc64le, s390x, x86_64  
Red Hat Enterprise Linux BaseOS (v. 9) - aarch64, noarch, ppc64le, s390x, x86_64

3. Description:

The kernel packages contain the Linux kernel, the core of any Linux  
operating system.

Security Fix(es):

* kernel: heap overflow in nft_set_elem_init() (CVE-2022-34918)

* kernel: vulnerability of buffer overflow in nft_set_desc_concat_parse()  
(CVE-2022-2078)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

Bug Fix(es):

* RDMA/mlx5: Fix number of allocated XLT entries (BZ#2092270)

* mlx5, Setup hanged when run test-route-nexthop-object.sh (BZ#2092535)

* many call traces from unchecked MSR access error: WRMSR to 0x199 in  
amazon i4.32xlarge instance (BZ#2099417)

* X86/platform/UV: Kernel Support Fixes for UV5 platform (BZ#2107732)

* block layer: fixes for md sync slow and softlockup at  
blk_mq_sched_dispatch_requests [9.0.0.z] (BZ#2111395)

* Fixes for NVMe/TCP dereferences an invalid, non-canonical pointer, kernel  
panic (BZ#2117755)

* Adding missing nvme fix to RHEL-9.1 (BZ#2117756)

* nvme/tcp mistakenly uses blk_mq_tag_to_rq(nvme_tcp_tagset(queue)  
(BZ#2118698)

* Important ice bug fixes (BZ#2119290)

* Power 9/ppc64le Incorrect Socket(s) & "Core(s) per socket" reported by  
lscpu command. (BZ#2121719)

Enhancement(s):

* lscpu does not show all of the support AMX flags (amx_int8, amx_bf16)   
(BZ#2108203)

* ice: Driver Update (BZ#2108204)

* iavf: Driver Update (BZ#2119477)

* i40e: Driver Update (BZ#2119479)

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

The system must be rebooted for this update to take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2096178 - CVE-2022-2078 kernel: Vulnerability of buffer overflow in nft_set_desc_concat_parse()  
2104423 - CVE-2022-34918 kernel: heap overflow in nft_set_elem_init()

6. Package List:

Red Hat Enterprise Linux AppStream (v. 9):

aarch64:  
bpftool-debuginfo-5.14.0-70.26.1.el9_0.aarch64.rpm  
kernel-debug-debuginfo-5.14.0-70.26.1.el9_0.aarch64.rpm  
kernel-debug-devel-5.14.0-70.26.1.el9_0.aarch64.rpm  
kernel-debug-devel-matched-5.14.0-70.26.1.el9_0.aarch64.rpm  
kernel-debuginfo-5.14.0-70.26.1.el9_0.aarch64.rpm  
kernel-debuginfo-common-aarch64-5.14.0-70.26.1.el9_0.aarch64.rpm  
kernel-devel-5.14.0-70.26.1.el9_0.aarch64.rpm  
kernel-devel-matched-5.14.0-70.26.1.el9_0.aarch64.rpm  
kernel-headers-5.14.0-70.26.1.el9_0.aarch64.rpm  
kernel-tools-debuginfo-5.14.0-70.26.1.el9_0.aarch64.rpm  
perf-5.14.0-70.26.1.el9_0.aarch64.rpm  
perf-debuginfo-5.14.0-70.26.1.el9_0.aarch64.rpm  
python3-perf-debuginfo-5.14.0-70.26.1.el9_0.aarch64.rpm

noarch:  
kernel-doc-5.14.0-70.26.1.el9_0.noarch.rpm

ppc64le:  
bpftool-debuginfo-5.14.0-70.26.1.el9_0.ppc64le.rpm  
kernel-debug-debuginfo-5.14.0-70.26.1.el9_0.ppc64le.rpm  
kernel-debug-devel-5.14.0-70.26.1.el9_0.ppc64le.rpm  
kernel-debug-devel-matched-5.14.0-70.26.1.el9_0.ppc64le.rpm  
kernel-debuginfo-5.14.0-70.26.1.el9_0.ppc64le.rpm  
kernel-debuginfo-common-ppc64le-5.14.0-70.26.1.el9_0.ppc64le.rpm  
kernel-devel-5.14.0-70.26.1.el9_0.ppc64le.rpm  
kernel-devel-matched-5.14.0-70.26.1.el9_0.ppc64le.rpm  
kernel-headers-5.14.0-70.26.1.el9_0.ppc64le.rpm  
kernel-tools-debuginfo-5.14.0-70.26.1.el9_0.ppc64le.rpm  
perf-5.14.0-70.26.1.el9_0.ppc64le.rpm  
perf-debuginfo-5.14.0-70.26.1.el9_0.ppc64le.rpm  
python3-perf-debuginfo-5.14.0-70.26.1.el9_0.ppc64le.rpm

s390x:  
bpftool-debuginfo-5.14.0-70.26.1.el9_0.s390x.rpm  
kernel-debug-debuginfo-5.14.0-70.26.1.el9_0.s390x.rpm  
kernel-debug-devel-5.14.0-70.26.1.el9_0.s390x.rpm  
kernel-debug-devel-matched-5.14.0-70.26.1.el9_0.s390x.rpm  
kernel-debuginfo-5.14.0-70.26.1.el9_0.s390x.rpm  
kernel-debuginfo-common-s390x-5.14.0-70.26.1.el9_0.s390x.rpm  
kernel-devel-5.14.0-70.26.1.el9_0.s390x.rpm  
kernel-devel-matched-5.14.0-70.26.1.el9_0.s390x.rpm  
kernel-headers-5.14.0-70.26.1.el9_0.s390x.rpm  
kernel-tools-debuginfo-5.14.0-70.26.1.el9_0.s390x.rpm  
kernel-zfcpdump-debuginfo-5.14.0-70.26.1.el9_0.s390x.rpm  
kernel-zfcpdump-devel-5.14.0-70.26.1.el9_0.s390x.rpm  
kernel-zfcpdump-devel-matched-5.14.0-70.26.1.el9_0.s390x.rpm  
perf-5.14.0-70.26.1.el9_0.s390x.rpm  
perf-debuginfo-5.14.0-70.26.1.el9_0.s390x.rpm  
python3-perf-debuginfo-5.14.0-70.26.1.el9_0.s390x.rpm

x86_64:  
bpftool-debuginfo-5.14.0-70.26.1.el9_0.x86_64.rpm  
kernel-debug-debuginfo-5.14.0-70.26.1.el9_0.x86_64.rpm  
kernel-debug-devel-5.14.0-70.26.1.el9_0.x86_64.rpm  
kernel-debug-devel-matched-5.14.0-70.26.1.el9_0.x86_64.rpm  
kernel-debuginfo-5.14.0-70.26.1.el9_0.x86_64.rpm  
kernel-debuginfo-common-x86_64-5.14.0-70.26.1.el9_0.x86_64.rpm  
kernel-devel-5.14.0-70.26.1.el9_0.x86_64.rpm  
kernel-devel-matched-5.14.0-70.26.1.el9_0.x86_64.rpm  
kernel-headers-5.14.0-70.26.1.el9_0.x86_64.rpm  
kernel-tools-debuginfo-5.14.0-70.26.1.el9_0.x86_64.rpm  
perf-5.14.0-70.26.1.el9_0.x86_64.rpm  
perf-debuginfo-5.14.0-70.26.1.el9_0.x86_64.rpm  
python3-perf-debuginfo-5.14.0-70.26.1.el9_0.x86_64.rpm

Red Hat Enterprise Linux BaseOS (v. 9):

Source:  
kernel-5.14.0-70.26.1.el9_0.src.rpm

aarch64:  
bpftool-5.14.0-70.26.1.el9_0.aarch64.rpm  
bpftool-debuginfo-5.14.0-70.26.1.el9_0.aarch64.rpm  
kernel-5.14.0-70.26.1.el9_0.aarch64.rpm  
kernel-core-5.14.0-70.26.1.el9_0.aarch64.rpm  
kernel-debug-5.14.0-70.26.1.el9_0.aarch64.rpm  
kernel-debug-core-5.14.0-70.26.1.el9_0.aarch64.rpm  
kernel-debug-debuginfo-5.14.0-70.26.1.el9_0.aarch64.rpm  
kernel-debug-modules-5.14.0-70.26.1.el9_0.aarch64.rpm  
kernel-debug-modules-extra-5.14.0-70.26.1.el9_0.aarch64.rpm  
kernel-debuginfo-5.14.0-70.26.1.el9_0.aarch64.rpm  
kernel-debuginfo-common-aarch64-5.14.0-70.26.1.el9_0.aarch64.rpm  
kernel-modules-5.14.0-70.26.1.el9_0.aarch64.rpm  
kernel-modules-extra-5.14.0-70.26.1.el9_0.aarch64.rpm  
kernel-tools-5.14.0-70.26.1.el9_0.aarch64.rpm  
kernel-tools-debuginfo-5.14.0-70.26.1.el9_0.aarch64.rpm  
kernel-tools-libs-5.14.0-70.26.1.el9_0.aarch64.rpm  
perf-debuginfo-5.14.0-70.26.1.el9_0.aarch64.rpm  
python3-perf-5.14.0-70.26.1.el9_0.aarch64.rpm  
python3-perf-debuginfo-5.14.0-70.26.1.el9_0.aarch64.rpm

noarch:  
kernel-abi-stablelists-5.14.0-70.26.1.el9_0.noarch.rpm

ppc64le:  
bpftool-5.14.0-70.26.1.el9_0.ppc64le.rpm  
bpftool-debuginfo-5.14.0-70.26.1.el9_0.ppc64le.rpm  
kernel-5.14.0-70.26.1.el9_0.ppc64le.rpm  
kernel-core-5.14.0-70.26.1.el9_0.ppc64le.rpm  
kernel-debug-5.14.0-70.26.1.el9_0.ppc64le.rpm  
kernel-debug-core-5.14.0-70.26.1.el9_0.ppc64le.rpm  
kernel-debug-debuginfo-5.14.0-70.26.1.el9_0.ppc64le.rpm  
kernel-debug-modules-5.14.0-70.26.1.el9_0.ppc64le.rpm  
kernel-debug-modules-extra-5.14.0-70.26.1.el9_0.ppc64le.rpm  
kernel-debuginfo-5.14.0-70.26.1.el9_0.ppc64le.rpm  
kernel-debuginfo-common-ppc64le-5.14.0-70.26.1.el9_0.ppc64le.rpm  
kernel-modules-5.14.0-70.26.1.el9_0.ppc64le.rpm  
kernel-modules-extra-5.14.0-70.26.1.el9_0.ppc64le.rpm  
kernel-tools-5.14.0-70.26.1.el9_0.ppc64le.rpm  
kernel-tools-debuginfo-5.14.0-70.26.1.el9_0.ppc64le.rpm  
kernel-tools-libs-5.14.0-70.26.1.el9_0.ppc64le.rpm  
perf-debuginfo-5.14.0-70.26.1.el9_0.ppc64le.rpm  
python3-perf-5.14.0-70.26.1.el9_0.ppc64le.rpm  
python3-perf-debuginfo-5.14.0-70.26.1.el9_0.ppc64le.rpm

s390x:  
bpftool-5.14.0-70.26.1.el9_0.s390x.rpm  
bpftool-debuginfo-5.14.0-70.26.1.el9_0.s390x.rpm  
kernel-5.14.0-70.26.1.el9_0.s390x.rpm  
kernel-core-5.14.0-70.26.1.el9_0.s390x.rpm  
kernel-debug-5.14.0-70.26.1.el9_0.s390x.rpm  
kernel-debug-core-5.14.0-70.26.1.el9_0.s390x.rpm  
kernel-debug-debuginfo-5.14.0-70.26.1.el9_0.s390x.rpm  
kernel-debug-modules-5.14.0-70.26.1.el9_0.s390x.rpm  
kernel-debug-modules-extra-5.14.0-70.26.1.el9_0.s390x.rpm  
kernel-debuginfo-5.14.0-70.26.1.el9_0.s390x.rpm  
kernel-debuginfo-common-s390x-5.14.0-70.26.1.el9_0.s390x.rpm  
kernel-modules-5.14.0-70.26.1.el9_0.s390x.rpm  
kernel-modules-extra-5.14.0-70.26.1.el9_0.s390x.rpm  
kernel-tools-5.14.0-70.26.1.el9_0.s390x.rpm  
kernel-tools-debuginfo-5.14.0-70.26.1.el9_0.s390x.rpm  
kernel-zfcpdump-5.14.0-70.26.1.el9_0.s390x.rpm  
kernel-zfcpdump-core-5.14.0-70.26.1.el9_0.s390x.rpm  
kernel-zfcpdump-debuginfo-5.14.0-70.26.1.el9_0.s390x.rpm  
kernel-zfcpdump-modules-5.14.0-70.26.1.el9_0.s390x.rpm  
kernel-zfcpdump-modules-extra-5.14.0-70.26.1.el9_0.s390x.rpm  
perf-debuginfo-5.14.0-70.26.1.el9_0.s390x.rpm  
python3-perf-5.14.0-70.26.1.el9_0.s390x.rpm  
python3-perf-debuginfo-5.14.0-70.26.1.el9_0.s390x.rpm

x86_64:  
bpftool-5.14.0-70.26.1.el9_0.x86_64.rpm  
bpftool-debuginfo-5.14.0-70.26.1.el9_0.x86_64.rpm  
kernel-5.14.0-70.26.1.el9_0.x86_64.rpm  
kernel-core-5.14.0-70.26.1.el9_0.x86_64.rpm  
kernel-debug-5.14.0-70.26.1.el9_0.x86_64.rpm  
kernel-debug-core-5.14.0-70.26.1.el9_0.x86_64.rpm  
kernel-debug-debuginfo-5.14.0-70.26.1.el9_0.x86_64.rpm  
kernel-debug-modules-5.14.0-70.26.1.el9_0.x86_64.rpm  
kernel-debug-modules-extra-5.14.0-70.26.1.el9_0.x86_64.rpm  
kernel-debuginfo-5.14.0-70.26.1.el9_0.x86_64.rpm  
kernel-debuginfo-common-x86_64-5.14.0-70.26.1.el9_0.x86_64.rpm  
kernel-modules-5.14.0-70.26.1.el9_0.x86_64.rpm  
kernel-modules-extra-5.14.0-70.26.1.el9_0.x86_64.rpm  
kernel-tools-5.14.0-70.26.1.el9_0.x86_64.rpm  
kernel-tools-debuginfo-5.14.0-70.26.1.el9_0.x86_64.rpm  
kernel-tools-libs-5.14.0-70.26.1.el9_0.x86_64.rpm  
perf-debuginfo-5.14.0-70.26.1.el9_0.x86_64.rpm  
python3-perf-5.14.0-70.26.1.el9_0.x86_64.rpm  
python3-perf-debuginfo-5.14.0-70.26.1.el9_0.x86_64.rpm

Red Hat CodeReady Linux Builder (v. 9):

aarch64:  
bpftool-debuginfo-5.14.0-70.26.1.el9_0.aarch64.rpm  
kernel-cross-headers-5.14.0-70.26.1.el9_0.aarch64.rpm  
kernel-debug-debuginfo-5.14.0-70.26.1.el9_0.aarch64.rpm  
kernel-debuginfo-5.14.0-70.26.1.el9_0.aarch64.rpm  
kernel-debuginfo-common-aarch64-5.14.0-70.26.1.el9_0.aarch64.rpm  
kernel-tools-debuginfo-5.14.0-70.26.1.el9_0.aarch64.rpm  
kernel-tools-libs-devel-5.14.0-70.26.1.el9_0.aarch64.rpm  
perf-debuginfo-5.14.0-70.26.1.el9_0.aarch64.rpm  
python3-perf-debuginfo-5.14.0-70.26.1.el9_0.aarch64.rpm

ppc64le:  
bpftool-debuginfo-5.14.0-70.26.1.el9_0.ppc64le.rpm  
kernel-cross-headers-5.14.0-70.26.1.el9_0.ppc64le.rpm  
kernel-debug-debuginfo-5.14.0-70.26.1.el9_0.ppc64le.rpm  
kernel-debuginfo-5.14.0-70.26.1.el9_0.ppc64le.rpm  
kernel-debuginfo-common-ppc64le-5.14.0-70.26.1.el9_0.ppc64le.rpm  
kernel-tools-debuginfo-5.14.0-70.26.1.el9_0.ppc64le.rpm  
kernel-tools-libs-devel-5.14.0-70.26.1.el9_0.ppc64le.rpm  
perf-debuginfo-5.14.0-70.26.1.el9_0.ppc64le.rpm  
python3-perf-debuginfo-5.14.0-70.26.1.el9_0.ppc64le.rpm

s390x:  
bpftool-debuginfo-5.14.0-70.26.1.el9_0.s390x.rpm  
kernel-cross-headers-5.14.0-70.26.1.el9_0.s390x.rpm  
kernel-debug-debuginfo-5.14.0-70.26.1.el9_0.s390x.rpm  
kernel-debuginfo-5.14.0-70.26.1.el9_0.s390x.rpm  
kernel-debuginfo-common-s390x-5.14.0-70.26.1.el9_0.s390x.rpm  
kernel-tools-debuginfo-5.14.0-70.26.1.el9_0.s390x.rpm  
kernel-zfcpdump-debuginfo-5.14.0-70.26.1.el9_0.s390x.rpm  
perf-debuginfo-5.14.0-70.26.1.el9_0.s390x.rpm  
python3-perf-debuginfo-5.14.0-70.26.1.el9_0.s390x.rpm

x86_64:  
bpftool-debuginfo-5.14.0-70.26.1.el9_0.x86_64.rpm  
kernel-cross-headers-5.14.0-70.26.1.el9_0.x86_64.rpm  
kernel-debug-debuginfo-5.14.0-70.26.1.el9_0.x86_64.rpm  
kernel-debuginfo-5.14.0-70.26.1.el9_0.x86_64.rpm  
kernel-debuginfo-common-x86_64-5.14.0-70.26.1.el9_0.x86_64.rpm  
kernel-tools-debuginfo-5.14.0-70.26.1.el9_0.x86_64.rpm  
kernel-tools-libs-devel-5.14.0-70.26.1.el9_0.x86_64.rpm  
perf-debuginfo-5.14.0-70.26.1.el9_0.x86_64.rpm  
python3-perf-debuginfo-5.14.0-70.26.1.el9_0.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-2078  
https://access.redhat.com/security/cve/CVE-2022-34918  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYypfhdzjgjWX9erEAQjSpg//Y3ak+k0a3QlbNSwSEH9F0GLE0KOV9tk+  
xPp+xXuUzNJ7iQ3+UhgksBs1faIBtvNgpURFZ2xsvIY3Z1TtuK0G7bBLffd0yO9J  
6fTDVZmeeCrlmwrWtKCT/2rm10tAk/zQA2BftzG6M/1fcFjfKB1N/k+KXwp9Jt/n  
1WC19sEAZWAUGW2Fxe7500HvN6Q/24EWPn2OcYGdXzS/XNqJwdK148OYg0A6pBtT  
hk7NOXMJr8fTABdg3BPnEXly1udTUgJnF0gvOl0tB6WNLxnHxc/61XnWIAk9/OYp  
DchPL+f7G/lH+5O2EgJG5OaFaUrznkbu8U1zEGOS1rZCdP9kMrX552P60jD4br4/  
K1YASzwh6bp9UqJKtBEW6O2hX+s89o8Hzuyrdnz8Cy2AMD8Q0ceqnu8bTWhKHf/l  
daeLjh2vLXNRMeQZEpaYtiOOQNIGmVA1n/Zd1A+GoNcFmvGbQ4+G8l18GSvXc09V  
A0o5vL6fwssDeLCkuQi+pw5YBgvPC083Q9tQH9TS2Fr13unk5H3bj3duMzI4t0Ao  
g0E+jKR7VaVCA2B0syXr5XyWqKZ4pFIQZKq547LpdjivCLnvuD3WsTNwGxTkSm2u  
Aq0jQvXi2A2bZwd+PrsfWqAqVr9i7G3+vElmsPD9p6tajT4z/1iCbhC0YMqncE7P  
aCsumFjp/qg=  
=bwiS  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Tag

#buffer_overflow