Ubuntu Security Notice 6439-2 - It was discovered that the IPv6 implementation in the Linux kernel contained a high rate of hash collisions in connection lookup table. A remote attacker could use this to cause a denial of service. Yu Hao and Weiteng Chen discovered that the Bluetooth HCI UART driver in the Linux kernel contained a race condition, leading to a null pointer dereference vulnerability. A local attacker could use this to cause a denial of service.

==========================================================================  
Ubuntu Security Notice USN-6439-2  
October 23, 2023

linux-aws vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 14.04 LTS (Available with Ubuntu Pro)

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:  
- linux-aws: Linux kernel for Amazon Web Services (AWS) systems

Details:

It was discovered that the IPv6 implementation in the Linux kernel  
contained a high rate of hash collisions in connection lookup table. A  
remote attacker could use this to cause a denial of service (excessive CPU  
consumption). (CVE-2023-1206)

Yu Hao and Weiteng Chen discovered that the Bluetooth HCI UART driver in  
the Linux kernel contained a race condition, leading to a null pointer  
dereference vulnerability. A local attacker could use this to cause a  
denial of service (system crash). (CVE-2023-31083)

Ross Lagerwall discovered that the Xen netback backend driver in the Linux  
kernel did not properly handle certain unusual packets from a  
paravirtualized network frontend, leading to a buffer overflow. An attacker  
in a guest VM could use this to cause a denial of service (host system  
crash) or possibly execute arbitrary code. (CVE-2023-34319)

Lin Ma discovered that the Netlink Transformation (XFRM) subsystem in the  
Linux kernel contained a null pointer dereference vulnerability in some  
situations. A local privileged attacker could use this to cause a denial of  
service (system crash). (CVE-2023-3772)

Kyle Zeng discovered that the networking stack implementation in the Linux  
kernel did not properly validate skb object size in certain conditions. An  
attacker could use this cause a denial of service (system crash) or  
possibly execute arbitrary code. (CVE-2023-42752)

Kyle Zeng discovered that the netfiler subsystem in the Linux kernel did  
not properly calculate array offsets, leading to a out-of-bounds write  
vulnerability. A local user could use this to cause a denial of service  
(system crash) or possibly execute arbitrary code. (CVE-2023-42753)

Kyle Zeng discovered that the IPv4 Resource Reservation Protocol (RSVP)  
classifier implementation in the Linux kernel contained an out-of-bounds  
read vulnerability. A local attacker could use this to cause a denial of  
service (system crash). Please note that kernel packet classifier support  
for RSVP has been removed to resolve this vulnerability. (CVE-2023-42755)

Bing-Jhong Billy Jheng discovered that the Unix domain socket  
implementation in the Linux kernel contained a race condition in certain  
situations, leading to a use-after-free vulnerability. A local attacker  
could use this to cause a denial of service (system crash) or possibly  
execute arbitrary code. (CVE-2023-4622)

Budimir Markovic discovered that the qdisc implementation in the Linux  
kernel did not properly validate inner classes, leading to a use-after-free  
vulnerability. A local user could use this to cause a denial of service  
(system crash) or possibly execute arbitrary code. (CVE-2023-4623)

Alex Birnberg discovered that the netfilter subsystem in the Linux kernel  
did not properly validate register length, leading to an out-of- bounds  
write vulnerability. A local attacker could possibly use this to cause a  
denial of service (system crash). (CVE-2023-4881)

It was discovered that the Quick Fair Queueing scheduler implementation in  
the Linux kernel did not properly handle network packets in certain  
conditions, leading to a use after free vulnerability. A local attacker  
could use this to cause a denial of service (system crash) or possibly  
execute arbitrary code. (CVE-2023-4921)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 14.04 LTS (Available with Ubuntu Pro):  
   linux-image-4.4.0-1124-aws      4.4.0-1124.130  
   linux-image-aws                 4.4.0.1124.121

After a standard system update you need to reboot your computer to make  
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have  
been given a new version number, which requires you to recompile and  
reinstall all third party kernel modules you might have installed.  
Unless you manually uninstalled the standard kernel metapackages  
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,  
linux-powerpc), a standard system upgrade will automatically perform  
this as well.

References:  
   https://ubuntu.com/security/notices/USN-6439-2  
   https://ubuntu.com/security/notices/USN-6439-1  
   CVE-2023-1206, CVE-2023-31083, CVE-2023-34319, CVE-2023-3772,  
   CVE-2023-42752, CVE-2023-42753, CVE-2023-42755, CVE-2023-4622,  
   CVE-2023-4623, CVE-2023-4881, CVE-2023-4921

Ubuntu Security Notice USN-6439-2

Red Hat Security Advisory 2023-6077-01 - An updated rhel9/toolbox container image is now available in the Red Hat container registry.

The following data is constructed from data provided by Red Hat's json file at:

https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_6077.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Moderate: toolbox security update  
Advisory ID:        RHSA-2023:6077-01  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2023:6077  
Issue date:         2023-10-24  
Revision:           01  
CVE Names:          CVE-2023-39325  
====================================================================

Summary: 

An updated rhel9/toolbox container image is now available in the Red Hat container registry.

Description:

The rhel9/toolbox container image can be used with Toolbox to obtain RHEL based containerized command line environments to aid with development and software testing. Toolbox is built on top of Podman and other standard container technologies from OCI.

This updates the rhel9/toolbox image in the Red Hat container registry.

To pull this container image, run one of the following commands:

    podman pull registry.redhat.io/rhel9/toolbox (authenticated)  
    podman pull registry.access.redhat.com/ubi9/toolbox (unauthenticated)

Solution:

CVEs:

CVE-2023-39325

References:

https://access.redhat.com/security/updates/classification/#moderate  
https://access.redhat.com/security/vulnerabilities/RHSB-2023-003  
https://catalog.redhat.com/software/containers/search

Red Hat Security Advisory 2023-6077-01

Red Hat Security Advisory 2023-6069-01 - An update for the python39:3.9 and python39-devel:3.9 modules is now available for Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.4 Telecommunications Update Service, and Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions. Issues addressed include a bypass vulnerability.

    The following data is constructed from data provided by Red Hat's json file at:https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_6069.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: python39:3.9 and python39-devel:3.9 security updateAdvisory ID:        RHSA-2023:6069-01Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2023:6069Issue date:         2023-10-24Revision:           01CVE Names:          CVE-2023-40217====================================================================Summary: An update for the python39:3.9 and python39-devel:3.9 modules is now available for Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.4 Telecommunications Update Service, and Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems.Security Fix(es):* python: TLS handshake bypass (CVE-2023-40217)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-40217References:https://access.redhat.com/security/updates/classification/#important

Red Hat Security Advisory 2023-6069-01

Red Hat Security Advisory 2023-6068-01 - An update for the python39:3.9 and python39-devel:3.9 modules is now available for Red Hat Enterprise Linux 8.6 Extended Update Support. Issues addressed include a bypass vulnerability.

    The following data is constructed from data provided by Red Hat's json file at:https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_6068.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: python39:3.9 and python39-devel:3.9 security updateAdvisory ID:        RHSA-2023:6068-01Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2023:6068Issue date:         2023-10-24Revision:           01CVE Names:          CVE-2023-40217====================================================================Summary: An update for the python39:3.9 and python39-devel:3.9 modules is now available for Red Hat Enterprise Linux 8.6 Extended Update Support.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems.Security Fix(es):* python: TLS handshake bypass (CVE-2023-40217)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-40217References:https://access.redhat.com/security/updates/classification/#important

Red Hat Security Advisory 2023-6068-01

Red Hat Security Advisory 2023-6059-01 - Red Hat OpenShift Pipelines Client tkn for 1.12.1 has been released. Issues addressed include a denial of service vulnerability.

    The following data is constructed from data provided by Red Hat's json file at:https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_6059.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: Red Hat OpenShift Pipelines Client tkn for 1.12.1 release and security updateAdvisory ID:        RHSA-2023:6059-01Product:            Red Hat OpenShift PipelinesAdvisory URL:       https://access.redhat.com/errata/RHSA-2023:6059Issue date:         2023-10-23Revision:           01CVE Names:          CVE-2023-39325====================================================================Summary: Red Hat OpenShift Pipelines Client tkn for 1.12.1 has been released.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Red Hat OpenShift Pipelines Client, tkn for the 1.12.1 release, provides a CLI  tool to interact with the Pipelines and Triggers components provided by Red Hat OpenShift Pipelines 1.12.1The tkn CLI tool is delivered as an RPM package for installation on RHEL platforms, and as binaries for non-Linux platforms.Security Fix(es):* golang: net/http, x/net/http2: rapid stream resets can cause excessive work (Rapid Reset Attack) (CVE-2023-39325)* HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack) (CVE-2023-44487)A Red Hat Security Bulletin which addresses further details about the Rapid Reset flaw is available in the References section.For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-39325References:https://access.redhat.com/security/updates/classification/#importanthttps://access.redhat.com/security/vulnerabilities/RHSB-2023-003https://docs.openshift.com/container-platform/4.13/cli_reference/tkn_cli/installing-tkn.html

Red Hat Security Advisory 2023-6059-01

Red Hat Security Advisory 2023-6057-01 - An update for toolbox is now available for Red Hat Enterprise Linux 9.0 Extended Update Support. Issues addressed include a denial of service vulnerability.

    The following data is constructed from data provided by Red Hat's json file at:https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_6057.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Critical: toolbox security updateAdvisory ID:        RHSA-2023:6057-01Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2023:6057Issue date:         2023-10-23Revision:           01CVE Names:          CVE-2023-39325====================================================================Summary: An update for toolbox is now available for Red Hat Enterprise Linux 9.0 Extended Update Support.Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Toolbox is a tool for Linux operating systems, which allows the use of containerized command line environments. It is built on top of Podman and other standard container technologies from OCI.Security Fix(es):* golang: net/http, x/net/http2: rapid stream resets can cause excessive work (CVE-2023-44487) (CVE-2023-39325)* HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack) (CVE-2023-44487)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-39325References:https://access.redhat.com/security/updates/classification/#criticalhttps://access.redhat.com/security/vulnerabilities/RHSB-2023-003

Red Hat Security Advisory 2023-6057-01

WebAssembly wabt 1.0.33 has an Out-of-Bound Memory Read in in DataSegment::IsValidRange(), which lead to segmentation fault.

**Environment**

OS               : Linux 5.10.16.3-microsoft-standard-WSL2 #1 SMP Fri Apr 2 22:23:49 UTC 2021 x86\_64 x86\_64 x86\_64 GNU/Linux
Commit           : 0e78c24fd231d5ee67ccd271bfa317faa963281c
Version          : 1.0.33 (git~1.0.33-35-gdddc03d3)
Clang Verison    : 12.0.1
Build            : mkdir build && cd build && export CC=clang CXX=clang++ CFLAGS="\-fsanitize=address -g" CXXFLAGS="\-fsanitize=address -g" && cmake .. && cmake --build .
Affected Tool    : wasm-interp
Enabled Features : None
Impact           : Out-of-Bound Memory Read Access

**Proof of Concept**

poc-wasm-interp-01.zip

**Stack Trace Provide By AddressSanitizer**

$  ~/wabt\_asan/bin/wasm-interp poc.wasm
AddressSanitizer:DEADLYSIGNAL
=================================================================
==3549==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x00000064a0fe bp 0x7ffcceb61670 sp 0x7ffcceb61640 T0)
==3549==The signal is caused by a READ memory access.
==3549==Hint: address points to the zero page.
    #0 0x64a0fe in wabt::interp::DataSegment::IsValidRange(unsigned long, unsigned long) const /home/lain/wabt\_asan/src/interp/interp.cc:734:19
    #1 0x649cd7 in wabt::interp::Memory::Init(unsigned long, wabt::interp::DataSegment const&, unsigned long, unsigned long) /home/lain/wabt\_asan/src/interp/interp.cc:617:11
    #2 0x666cb4 in wabt::interp::Thread::DoMemoryInit(wabt::interp::Instr, wabt::interp::RefPtr<wabt::interp::Trap>\*) /home/lain/wabt\_asan/src/interp/interp.cc:2075:3
    #3 0x65b199 in wabt::interp::Thread::StepInternal(wabt::interp::RefPtr<wabt::interp::Trap>\*) /home/lain/wabt\_asan/src/interp/interp.cc:1510:32
    #4 0x65352b in wabt::interp::Thread::Run(int, wabt::interp::RefPtr<wabt::interp::Trap>\*) /home/lain/wabt\_asan/src/interp/interp.cc:1086:19
    #5 0x645a70 in wabt::interp::Thread::Run(wabt::interp::RefPtr<wabt::interp::Trap>\*) /home/lain/wabt\_asan/src/interp/interp.cc:1078:14
    #6 0x644caf in wabt::interp::DefinedFunc::DoCall(wabt::interp::Thread&, std::vector<wabt::interp::Value, std::allocator<wabt::interp::Value> > const&, std::vector<wabt::interp::Value, std::allocator<wabt::interp::Value> >&, wabt::interp::RefPtr<wabt::interp::Trap>\*) /home/lain/wabt\_asan/src/interp/interp.cc:428:19
    #7 0x64417d in wabt::interp::Func::Call(wabt::interp::Store&, std::vector<wabt::interp::Value, std::allocator<wabt::interp::Value> > const&, std::vector<wabt::interp::Value, std::allocator<wabt::interp::Value> >&, wabt::interp::RefPtr<wabt::interp::Trap>\*, wabt::Stream\*) /home/lain/wabt\_asan/src/interp/interp.cc:394:10
    #8 0x6512e6 in wabt::interp::Instance::Instantiate(wabt::interp::Store&, wabt::interp::Ref, std::vector<wabt::interp::Ref, std::allocator<wabt::interp::Ref> > const&, wabt::interp::RefPtr<wabt::interp::Trap>\*) /home/lain/wabt\_asan/src/interp/interp.cc:944:22
    #9 0x5693e5 in InstantiateModule(std::vector<wabt::interp::Ref, std::allocator<wabt::interp::Ref> >&, wabt::interp::RefPtr<wabt::interp::Module> const&, wabt::interp::RefPtr<wabt::interp::Instance>\*) /home/lain/wabt\_asan/src/tools/wasm-interp.cc:340:19
    #10 0x562e82 in ReadAndRunModule(char const\*) /home/lain/wabt\_asan/src/tools/wasm-interp.cc:423:3
    #11 0x561f67 in ProgramMain(int, char\*\*) /home/lain/wabt\_asan/src/tools/wasm-interp.cc:450:25
    #12 0x563191 in main /home/lain/wabt\_asan/src/tools/wasm-interp.cc:456:10
    #13 0x7f9f8fa00082 in \_\_libc\_start\_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
    #14 0x4845ed in \_start (/home/lain/wabt\_asan/bin/wasm-interp+0x4845ed)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/lain/wabt\_asan/src/interp/interp.cc:734:19 in wabt::interp::DataSegment::IsValidRange(unsigned long, unsigned long) const
==3549==ABORTING

CVE-2023-46331: Out-of-Bound Memory Read in DataSegment::IsValidRange() · Issue #2310 · WebAssembly/wabt

WebAssembly wabt 1.0.33 contains an Out-of-Bound Memory Write in DataSegment::Drop(), which lead to segmentation fault.

**Environment**

OS               : Linux 5.10.16.3-microsoft-standard-WSL2 #1 SMP Fri Apr 2 22:23:49 UTC 2021 x86\_64 x86\_64 x86\_64 GNU/Linux
Commit           : 0e78c24fd231d5ee67ccd271bfa317faa963281c
Version          : 1.0.33 (git~1.0.33-35-gdddc03d3)
Clang Verison    : 12.0.1
Build            : mkdir build && cd build && export CC=clang CXX=clang++ CFLAGS="\-fsanitize=address -g" CXXFLAGS="\-fsanitize=address -g" && cmake .. && cmake --build .
Affected Tool    : wasm-interp
Enabled Features : None
Impact           : Out-of-Bound Memory Write Access

**Proof of Concept**

poc-wasm-interp-02.zip

**Stack Trace Provide By AddressSanitizer**

$  ~/wabt\_asan/bin/wasm-interp poc.wasm
AddressSanitizer:DEADLYSIGNAL
=================================================================
==3641==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x00000067f426 bp 0x7ffd04e28310 sp 0x7ffd04e28300 T0)
==3641==The signal is caused by a WRITE memory access.
==3641==Hint: address points to the zero page.
    #0 0x67f426 in wabt::interp::DataSegment::Drop() /home/lain/wabt\_asan/include/wabt/interp/interp-inl.h:906:9
    #1 0x6670be in wabt::interp::Thread::DoDataDrop(wabt::interp::Instr) /home/lain/wabt\_asan/src/interp/interp.cc:2081:33
    #2 0x65b29a in wabt::interp::Thread::StepInternal(wabt::interp::RefPtr<wabt::interp::Trap>\*) /home/lain/wabt\_asan/src/interp/interp.cc:1511:32
    #3 0x65352b in wabt::interp::Thread::Run(int, wabt::interp::RefPtr<wabt::interp::Trap>\*) /home/lain/wabt\_asan/src/interp/interp.cc:1086:19
    #4 0x645a70 in wabt::interp::Thread::Run(wabt::interp::RefPtr<wabt::interp::Trap>\*) /home/lain/wabt\_asan/src/interp/interp.cc:1078:14
    #5 0x644caf in wabt::interp::DefinedFunc::DoCall(wabt::interp::Thread&, std::vector<wabt::interp::Value, std::allocator<wabt::interp::Value> > const&, std::vector<wabt::interp::Value, std::allocator<wabt::interp::Value> >&, wabt::interp::RefPtr<wabt::interp::Trap>\*) /home/lain/wabt\_asan/src/interp/interp.cc:428:19
    #6 0x64417d in wabt::interp::Func::Call(wabt::interp::Store&, std::vector<wabt::interp::Value, std::allocator<wabt::interp::Value> > const&, std::vector<wabt::interp::Value, std::allocator<wabt::interp::Value> >&, wabt::interp::RefPtr<wabt::interp::Trap>\*, wabt::Stream\*) /home/lain/wabt\_asan/src/interp/interp.cc:394:10
    #7 0x6512e6 in wabt::interp::Instance::Instantiate(wabt::interp::Store&, wabt::interp::Ref, std::vector<wabt::interp::Ref, std::allocator<wabt::interp::Ref> > const&, wabt::interp::RefPtr<wabt::interp::Trap>\*) /home/lain/wabt\_asan/src/interp/interp.cc:944:22
    #8 0x5693e5 in InstantiateModule(std::vector<wabt::interp::Ref, std::allocator<wabt::interp::Ref> >&, wabt::interp::RefPtr<wabt::interp::Module> const&, wabt::interp::RefPtr<wabt::interp::Instance>\*) /home/lain/wabt\_asan/src/tools/wasm-interp.cc:340:19
    #9 0x562e82 in ReadAndRunModule(char const\*) /home/lain/wabt\_asan/src/tools/wasm-interp.cc:423:3
    #10 0x561f67 in ProgramMain(int, char\*\*) /home/lain/wabt\_asan/src/tools/wasm-interp.cc:450:25
    #11 0x563191 in main /home/lain/wabt\_asan/src/tools/wasm-interp.cc:456:10
    #12 0x7f77c7bdc082 in \_\_libc\_start\_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
    #13 0x4845ed in \_start (/home/lain/wabt\_asan/bin/wasm-interp+0x4845ed)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/lain/wabt\_asan/include/wabt/interp/interp-inl.h:906:9 in wabt::interp::DataSegment::Drop()
==3641==ABORTING

CVE-2023-46332: Out-of-Bound Memory Write in DataSegment::Drop() · Issue #2311 · WebAssembly/wabt


Dell Unity 5.3 contain(s) an Arbitrary File Creation vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability by crafting arbitrary files through a request to the server.



**Impact**

Critical

**Details**

Third-party Component

CVEs

More information

open-vm-tools

CVE-2022-31676

https://www.suse.com/security/cve/CVE-2022-31676.html

postgresql-jdbc

CVE-2022-41946

https://www.suse.com/security/cve/CVE-2022-41946.html

bind

CVE-2021-25220

https://www.suse.com/security/cve/CVE-2021-25220.html

libstdc

CVE-2020-13844, CVE-2019-15847, CVE-2019-14250

https://www.suse.com/security/cve/CVE-2020-13844.html, https://www.suse.com/security/cve/CVE-2019-15847.html, https://www.suse.com/security/cve/CVE-2019-14250.html

ntp

CVE-2020-15025, CVE-2020-13817, CVE-2018-8956, CVE-2020-11868

https://www.suse.com/security/cve/CVE-2020-15025.html, https://www.suse.com/security/cve/CVE-2020-13817.html, https://www.suse.com/security/cve/CVE-2018-8956.html, https://www.suse.com/security/cve/CVE-2020-11868.html

runc

CVE-2022-31030, CVE-2022-29162

https://www.suse.com/security/cve/CVE-2022-31030.html, https://www.suse.com/security/cve/CVE-2022-29162.html

sysstat

CVE-2019-16167, CVE-2018-19517, CVE-2018-19416

https://www.suse.com/security/cve/CVE-2019-16167.html, https://www.suse.com/security/cve/CVE-2018-19517.html, https://www.suse.com/security/cve/CVE-2018-19416.html

cpio

CVE-2021-38185

https://www.suse.com/security/cve/CVE-2021-38185.html

dnsmasq

CVE-2020-25687, CVE-2020-25686, CVE-2020-25682, CVE-2020-25681, CVE-2020-25685, CVE-2020-25684, CVE-2020-25683, CVE-2022-0934, CVE-2021-3448

https://www.suse.com/security/cve/CVE-2020-25687.html, https://www.suse.com/security/cve/CVE-2020-25686.html, https://www.suse.com/security/cve/CVE-2020-25682.html, https://www.suse.com/security/cve/CVE-2020-25681.html, https://www.suse.com/security/cve/CVE-2020-25685.html, https://www.suse.com/security/cve/CVE-2020-25684.html, https://www.suse.com/security/cve/CVE-2020-25683.html, https://www.suse.com/security/cve/CVE-2022-0934.html, https://www.suse.com/security/cve/CVE-2021-3448.html

git

CVE-2022-29187, CVE-2022-24765

https://www.suse.com/security/cve/CVE-2022-29187.html, https://www.suse.com/security/cve/CVE-2022-24765.html

krb5

CVE-2021-3672

https://www.suse.com/security/cve/CVE-2021-3672.html

Dbus

CVE-2020-35512, CVE-2020-12049

https://www.suse.com/security/cve/CVE-2020-35512.html, https://www.suse.com/security/cve/CVE-2020-12049.html

mozilla

CVE-2022-31741, CVE-2015-20107, CVE-2021-3572, CVE-2020-26116, CVE-2019-11324, CVE-2019-11236, CVE-2019-9740, CVE-2018-20060, CVE-2018-18074

https://www.suse.com/security/cve/CVE-2022-31741.html, https://www.suse.com/security/cve/CVE-2015-20107.html, https://www.suse.com/security/cve/CVE-2021-3572.html, https://www.suse.com/security/cve/CVE-2020-26116.html, https://www.suse.com/security/cve/CVE-2019-11324.html, https://www.suse.com/security/cve/CVE-2019-11236.html, https://www.suse.com/security/cve/CVE-2019-9740.html, https://www.suse.com/security/cve/CVE-2018-20060.html, https://www.suse.com/security/cve/CVE-2018-18074.html

root user

CVE-2019-5021

https://www.suse.com/security/cve/CVE-2019-5021.html

xstream

CVE-2021-21342

https://www.suse.com/security/cve/CVE-2021-21342.html

dom4j

CVE-2020-10683

https://www.suse.com/security/cve/CVE-2020-10683.html

vim

CVE-2021-3973

https://www.suse.com/security/cve/CVE-2021-3973.html

tomcat

CVE-2022-25762, CVE-2022-23181

https://www.suse.com/security/cve/CVE-2022-25762.html, https://www.suse.com/security/cve/CVE-2022-23181.html

apache2

CVE-2022-26373, CVE-2022-26377, CVE-2022-28614, CVE-2022-28615, CVE-2022-29404, CVE-2022-30522, CVE-2022-31813, CVE-2022-30556

https://www.suse.com/security/cve/CVE-2022-26373.html, https://www.suse.com/security/cve/CVE-2022-26377.html, https://www.suse.com/security/cve/CVE-2022-28614.html, https://www.suse.com/security/cve/CVE-2022-28615.html, https://www.suse.com/security/cve/CVE-2022-29404.html, https://www.suse.com/security/cve/CVE-2022-30522.html, https://www.suse.com/security/cve/CVE-2022-31813.html, https://www.suse.com/security/cve/CVE-2022-30556.html

libopenssl-1\_1

CVE-2022-1292

https://www.suse.com/security/cve/CVE-2022-1292.html

avahi

CVE-2021-26720, CVE-2021-3468

https://www.suse.com/security/cve/CVE-2021-26720.html   , https://www.suse.com/security/cve/CVE-2021-3468.html

Libgcrypt

CVE-2021-33560

https://www.suse.com/security/cve/CVE-2021-33560.html

Libnettle

CVE-2021-3580

https://www.suse.com/security/cve/CVE-2021-3580.html

pcre2

CVE-2022-1587, CVE-2019-20454

https://www.suse.com/security/cve/CVE-2022-1587.html, https://www.suse.com/security/cve/CVE-2019-20454.html

Cyrus

CVE-2022-24407

https://www.suse.com/security/cve/CVE-2022-24407.html

libopenssl-1\_1

CVE-2022-2097, CVE-2022-2068

https://www.suse.com/security/cve/CVE-2022-2097.html, https://www.suse.com/security/cve/CVE-2022-2068.html

apache-commons-httpclient

CVE-2020-13956

https://www.suse.com/security/cve/CVE-2020-13956.html

openssh

CVE-2021-41617

https://www.suse.com/security/cve/CVE-2021-41617.html

e2fsprogs

CVE-2022-1304

https://www.suse.com/security/cve/CVE-2022-1304.html

containerd, docker

CVE-2021-43565, CVE-2022-27191, CVE-2022-24769, CVE-2022-23648

https://www.suse.com/security/cve/CVE-2021-43565.html, https://www.suse.com/security/cve/CVE-2022-27191.html, https://www.suse.com/security/cve/CVE-2022-24769.html, https://www.suse.com/security/cve/CVE-2022-23648.html

ucode-intel

CVE-2022-21151  

https://www.suse.com/security/cve/CVE-2022-21151.html

openjdk

CVE-2022-21476, CVE-2022-21426, CVE-2022-21496, CVE-2022-21496, CVE-2022-21434, CVE-2022-21443

https://www.suse.com/security/cve/CVE-2022-21476.html, https://www.suse.com/security/cve/CVE-2022-21426.html, https://www.suse.com/security/cve/CVE-2022-21496.html, https://www.suse.com/security/cve/CVE-2022-21496.html, https://www.suse.com/security/cve/CVE-2022-21434.html, https://www.suse.com/security/cve/CVE-2022-21443.html

tiff

CVE-2022-0909, CVE-2022-0908, CVE-2022-0562, CVE-2022-0561, CVE-2022-0891, CVE-2022-0865, CVE-2022-1056, CVE-2022-0924

https://www.suse.com/security/cve/CVE-2022-0909.html, https://www.suse.com/security/cve/CVE-2022-0908.html, https://www.suse.com/security/cve/CVE-2022-0562.html, https://www.suse.com/security/cve/CVE-2022-0561.html, https://www.suse.com/security/cve/CVE-2022-0891.html, https://www.suse.com/security/cve/CVE-2022-0865.html, https://www.suse.com/security/cve/CVE-2022-1056.html, https://www.suse.com/security/cve/CVE-2022-0924.html

gzip, xz

CVE-2022-1271

https://www.suse.com/security/cve/CVE-2022-1271.html

mozilla-nss

CVE-2022-1097

https://www.suse.com/security/cve/CVE-2022-1097.html

util-linux

CVE-2021-37600

https://www.suse.com/security/cve/CVE-2021-37600.html

OpenSSL

CVE-2022-0778

https://www.suse.com/security/cve/CVE-2022-0778.html

fbindglibc

CVE-2021-3999, CVE-2022-23218, CVE-2022-23219, CVE-2015-8985

https://www.suse.com/security/cve/CVE-2021-3999.html, https://www.suse.com/security/cve/CVE-2022-23218.html, https://www.suse.com/security/cve/CVE-2022-23219.html, https://www.suse.com/security/cve/CVE-2015-8985.html

libxml2

CVE-2022-23308

https://www.suse.com/security/cve/CVE-2022-23308.html

binutils

CVE-2020-16591, CVE-2020-16599, CVE-2020-16598, CVE-2020-16592, CVE-2020-16593, CVE-2020-16590, CVE-2020-35448, CVE-2020-35496, CVE-2020-35493, CVE-2020-35507, CVE-2021-20197, CVE-2021-20284, CVE-2021-3487, CVE-2021-20294

https://www.suse.com/security/cve/CVE-2020-16591.html, https://www.suse.com/security/cve/CVE-2020-16599.html, https://www.suse.com/security/cve/CVE-2020-16598.html, https://www.suse.com/security/cve/CVE-2020-16592.html, https://www.suse.com/security/cve/CVE-2020-16593.html, https://www.suse.com/security/cve/CVE-2020-16590.html, https://www.suse.com/security/cve/CVE-2020-35448.html, https://www.suse.com/security/cve/CVE-2020-35496.html, https://www.suse.com/security/cve/CVE-2020-35493.html, https://www.suse.com/security/cve/CVE-2020-35507.html, https://www.suse.com/security/cve/CVE-2021-20197.html, https://www.suse.com/security/cve/CVE-2021-20284.html, https://www.suse.com/security/cve/CVE-2021-3487.html, https://www.suse.com/security/cve/CVE-2021-20294.html

pcre

CVE-2020-14155, CVE-2019-20838

https://www.suse.com/security/cve/CVE-2020-14155.html, https://www.suse.com/security/cve/CVE-2019-20838.html

kernel

CVE-2021-4149, CVE-2021-4197, CVE-2021-4202, CVE-2022-0322, CVE-2022-0330, CVE-2022-0435, CVE-2021-44879, CVE-2022-0001, CVE-2022-0002, CVE-2022-0487, CVE-2022-0492, CVE-2022-0617, CVE-2022-0644, CVE-2022-24448, CVE-2022-24959

https://www.suse.com/security/cve/CVE-2021-4149.html, https://www.suse.com/security/cve/CVE-2021-4197.html, https://www.suse.com/security/cve/CVE-2021-4202.html, https://www.suse.com/security/cve/CVE-2022-0322.html, https://www.suse.com/security/cve/CVE-2022-0330.html, https://www.suse.com/security/cve/CVE-2022-0435.html, https://www.suse.com/security/cve/CVE-2021-44879.html, https://www.suse.com/security/cve/CVE-2022-0001.html, https://www.suse.com/security/cve/CVE-2022-0002.html, https://www.suse.com/security/cve/CVE-2022-0487.html, https://www.suse.com/security/cve/CVE-2022-0492.html, https://www.suse.com/security/cve/CVE-2022-0617.html, https://www.suse.com/security/cve/CVE-2022-0644.html, https://www.suse.com/security/cve/CVE-2022-24448.html, https://www.suse.com/security/cve/CVE-2022-24959.html

libcroco

CVE-2020-12825

https://www.suse.com/security/cve/CVE-2020-12825.html

postgresql12

CVE-2021-23222, CVE-2021-23214

https://www.suse.com/security/cve/CVE-2021-23222.html, https://www.suse.com/security/cve/CVE-2021-23214.html

git

CVE-2021-40330

https://www.suse.com/security/cve/CVE-2021-40330.html

Dell Technologies recommends all customers consider both the CVSS base score and any relevant temporal and environmental scores that may impact the potential severity associated with a particular security vulnerability.

**Affected Products and Remediation**

   

Product

Affected Versions

Remediated Versions

Link

Dell Unity Operating Environment (OE)

Versions prior to 5.3.0.0.5.120

Version 5.3.0.0.5.120

https://www.dell.com/support/home/product-support/product/unity-all-flash-family/drivers 

Dell UnityVSA Operating Environment (OE)

Versions prior to 5.3.0.0.5.120

Version 5.3.0.0.5.120

https://www.dell.com/support/home/product-support/product/unity-all-flash-family/drivers

Dell Unity XT Operating Environment (OE)

Versions prior to 5.3.0.0.5.120

Version 5.3.0.0.5.120

https://www.dell.com/support/home/product-support/product/unity-all-flash-family/drivers

   

Product

Affected Versions

Remediated Versions

Link

Dell Unity Operating Environment (OE)

Versions prior to 5.3.0.0.5.120

Version 5.3.0.0.5.120

https://www.dell.com/support/home/product-support/product/unity-all-flash-family/drivers 

Dell UnityVSA Operating Environment (OE)

Versions prior to 5.3.0.0.5.120

Version 5.3.0.0.5.120

https://www.dell.com/support/home/product-support/product/unity-all-flash-family/drivers

Dell Unity XT Operating Environment (OE)

Versions prior to 5.3.0.0.5.120

Version 5.3.0.0.5.120

https://www.dell.com/support/home/product-support/product/unity-all-flash-family/drivers

**Revision History**

Revision

Date

Description

1.0

2023-05-08

Initial Release

2.0

2023-09-01

Updated for enhanced presentation with no changes to content.

3.0

2023-01-23

Added 4 new CVEs, CVE-2023-43074, CVE-2023-43065, CVE-2023-43066, CVE-2023-43067 under "PROPRIERTARY CODE" section 

**Related Information**

Dell Security Advisories and Notices  
Dell Vulnerability Response Policy  
CVSS Scoring Guide

Dell EMC Unity, Dell Unity 300, Dell EMC Unity 300F, Dell EMC Unity 350F, Dell EMC Unity 400, Dell EMC Unity 400F, Dell Unity Operating Environment (OE), Dell EMC UnityVSA (Virtual Storage Appliance) , Dell EMC UnityVSA Professional Edition/Unity Cloud Edition ...

CVE-2023-43074: DSA-2023-141: Dell Unity, Unity VSA and Unity XT Security Update for Multiple Vulnerability

An issue in OpenImageIO oiio v.2.4.12.0 allows a remote attacker to execute arbitrary code and cause a denial of service via the read_rle_image function of file bifs/unquantize.c

Describe the bug:  
Hi, I found runtime error: signed integer overflow in file src/bmp.imageio/bmpinput.cpp:302

To Reproduce:  
Steps to reproduce the behavior:

1.  CC=afl-clang-fast CXX=afl-clang-fast++ CFLAGS="-gdwarf-2 -g3 -O0 -fsanitize=address -fno-omit-frame-pointer" CXXFLAGS="-gdwarf-2 -g3 -O0 -fsanitize=address -fno-omit-frame-pointer" LDFLAGS="-fsanitize=address" cmake .. -DCMAKE\_CXX\_STANDARD=17
2.  make && make install
3.  iconvert --inplace poc.bmp  
    poc file:  
    poc.bmp.zip

Evidence:  
src/bmp.imageio/bmpinput.cpp:302:41: runtime error: signed integer overflow: 10240 \* 276095 cannot be represented in type 'int'  
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /root/fuzz/fuzz\_oiio/oiio/src/bmp.imageio/bmpinput.cpp:302:41 in  
terminate called after throwing an instance of 'std::length\_error'  
what(): vector::\_M\_default\_append  
0# OpenImageIO\_v2\_5\_2::Sysutil::stacktraceabi:cxx11 in /root/fuzz/fuzz\_oiio/oiio/build/lib/libOpenImageIO\_Util.so.2.5.2  
1# 0x00007F5AA4E8B5CC in /root/fuzz/fuzz\_oiio/oiio/build/lib/libOpenImageIO\_Util.so.2.5.2  
2# 0x00007F5AA4532520 in /lib/x86\_64-linux-gnu/libc.so.6  
3# pthread\_kill in /lib/x86\_64-linux-gnu/libc.so.6  
4# raise in /lib/x86\_64-linux-gnu/libc.so.6  
5# abort in /lib/x86\_64-linux-gnu/libc.so.6  
6# 0x00007F5AA48C1B9E in /lib/x86\_64-linux-gnu/libstdc++.so.6  
7# 0x00007F5AA48CD20C in /lib/x86\_64-linux-gnu/libstdc++.so.6  
8# 0x00007F5AA48CD277 in /lib/x86\_64-linux-gnu/libstdc++.so.6  
9# 0x00007F5AA48CD4D8 in /lib/x86\_64-linux-gnu/libstdc++.so.6  
10# std::\_\_throw\_length\_error(char const\*) in /lib/x86\_64-linux-gnu/libstdc++.so.6  
11# 0x00007F5AA64A29AC in /root/fuzz/fuzz\_oiio/oiio/build/lib/libOpenImageIO.so.2.5.2  
12# 0x00007F5AA64A2281 in /root/fuzz/fuzz\_oiio/oiio/build/lib/libOpenImageIO.so.2.5.2  
13# 0x00007F5AA733A3BB in /root/fuzz/fuzz\_oiio/oiio/build/lib/libOpenImageIO.so.2.5.2  
14# 0x00007F5AA73355FE in /root/fuzz/fuzz\_oiio/oiio/build/lib/libOpenImageIO.so.2.5.2  
15# 0x00007F5AA7332396 in /root/fuzz/fuzz\_oiio/oiio/build/lib/libOpenImageIO.so.2.5.2  
16# OpenImageIO\_v2\_5\_2::ImageInput::create(OpenImageIO\_v2\_5\_2::basic\_string\_view<char, std::char\_traits >, bool, OpenImageIO\_v2\_5\_2::ImageSpec const\*, OpenImageIO\_v2\_5\_2::Filesystem::IOProxy\*, OpenImageIO\_v2\_5\_2::basic\_string\_view<char, std::char\_traits >) in /root/fuzz/fuzz\_oiio/oiio/build/lib/libOpenImageIO.so.2.5.2  
17# OpenImageIO\_v2\_5\_2::ImageInput::open(std::\_\_cxx11::basic\_string<char, std::char\_traits, std::allocator > const&, OpenImageIO\_v2\_5\_2::ImageSpec const\*, OpenImageIO\_v2\_5\_2::Filesystem::IOProxy\*) in /root/fuzz/fuzz\_oiio/oiio/build/lib/libOpenImageIO.so.2.5.2  
18# 0x000055E91B20C502 in ../../../oiio/build/bin/iconvert  
19# 0x000055E91B2133A1 in ../../../oiio/build/bin/iconvert  
20# 0x00007F5AA4519D90 in /lib/x86\_64-linux-gnu/libc.so.6  
21# \_\_libc\_start\_main in /lib/x86\_64-linux-gnu/libc.so.6  
22# 0x000055E91B14BC55 in ../../../oiio/build/bin/iconvert  
Aborted

Platform information:  
OIIO branch/version: 2.4.14.0  
OS: Linux  
C++ compiler: clang-14.0.6

Tag

#linux