A race condition was found in the Linux kernel's RxRPC network protocol, within the processing of RxRPC bundles. This issue results from the lack of proper locking when performing operations on an object. This may allow an attacker to escalate privileges and execute arbitrary code in the context of the kernel.

Permalink

Browse files

rxrpc: Fix race between conn bundle lookup and bundle removal \[ZDI-CA…

…N-15975\]

After rxrpc\_unbundle\_conn() has removed a connection from a bundle, it
checks to see if there are any conns with available channels and, if not,
removes and attempts to destroy the bundle.

Whilst it does check after grabbing client\_bundles\_lock that there are no
connections attached, this races with rxrpc\_look\_up\_bundle() retrieving the
bundle, but not attaching a connection for the connection to be attached
later.

There is therefore a window in which the bundle can get destroyed before we
manage to attach a new connection to it.

Fix this by adding an "active" counter to struct rxrpc\_bundle:

 (1) rxrpc\_connect\_call() obtains an active count by prepping/looking up a
     bundle and ditches it before returning.

 (2) If, during rxrpc\_connect\_call(), a connection is added to the bundle,
     this obtains an active count, which is held until the connection is
     discarded.

 (3) rxrpc\_deactivate\_bundle() is created to drop an active count on a
     bundle and destroy it when the active count reaches 0.  The active
     count is checked inside client\_bundles\_lock() to prevent a race with
     rxrpc\_look\_up\_bundle().

 (4) rxrpc\_unbundle\_conn() then calls rxrpc\_deactivate\_bundle().

Fixes: 245500d ("rxrpc: Rewrite the client connection manager")
Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-15975
Signed-off-by: David Howells <dhowells@redhat.com>
Tested-by: zdi-disclosures@trendmicro.com
cc: Marc Dionne <marc.dionne@auristor.com>
cc: linux-afs@lists.infradead.org
Signed-off-by: David S. Miller <davem@davemloft.net>

*   Loading branch information

CVE-2023-2006: rxrpc: Fix race between conn bundle lookup and bundle removal [ZDI-CA… · torvalds/linux@3bcd6c7

A flaw was found in the Linux kernel's netdevsim device driver, within the scheduling of events. This issue results from the improper management of a reference count. This may allow an attacker to create a denial of service condition on the system.

Permalink

Browse files

netdevsim: fib: Fix reference count leak on route deletion failure

As part of FIB offload simulation, netdevsim stores IPv4 and IPv6 routes
and holds a reference on FIB info structures that in turn hold a
reference on the associated nexthop device(s).

In the unlikely case where we are unable to allocate memory to process a
route deletion request, netdevsim will not release the reference from
the associated FIB info structure, thereby preventing the associated
nexthop device(s) from ever being removed \[1\].

Fix this by scheduling a work item that will flush netdevsim's FIB table
upon route deletion failure. This will cause netdevsim to release its
reference from all the FIB info structures in its table.

Reported by Lucas Leong of Trend Micro Zero Day Initiative.

Fixes: 0ae3eb7 ("netdevsim: fib: Perform the route programming in a non-atomic context")
Signed-off-by: Ido Schimmel <idosch@nvidia.com>
Reviewed-by: Amit Cohen <amcohen@nvidia.com>
Reviewed-by: David Ahern <dsahern@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>

*   Loading branch information

CVE-2023-2019: netdevsim: fib: Fix reference count leak on route deletion failure · torvalds/linux@180a6a3

Jellyfin is a free-software media system. Versions starting with 10.8.0 and prior to 10.8.10 and prior have a directory traversal vulnerability inside the `ClientLogController`, specifically `/ClientLog/Document`. When combined with a cross-site scripting vulnerability (CVE-2023-30627), this can result in file write and arbitrary code execution. Version 10.8.10 has a patch for this issue. There are no known workarounds.

**Impact**

Frederic Linn (@FredericLinn) has reported a series of vulnerabilities that can result in directory traversal, file write, and potential remote code execution on Jellyfin instances. The general process involves chaining several exploits including a stored XSS vulnerability and can be used by an unprivileged user.

The general process is (using the example of setting an intro video as the payload):

*   Create a session as a low-priviledged user with a crafted authorization header
*   Upload an executable that contains a malicious plugin inline via /ClientLog/Document
*   (Admin hovers over our device in dashboard -> XSS payload gets triggered)
*   XSS Payload tries to set encoder path to our uploaded "log" file via /System/MediaEncoder/Path
*   The request fails, but in the process our executable actually runs (I guess for verifying if the path points to a valid ffmpeg version)
*   The executable will create a plugin folder and place the inlined plugin DLL inside it
*   The XSS payload shuts down the server via /System/Shutdown (separate CVE in jellyfin-web)
*   After (manually) starting the server, the plugin gets loaded and will:
    *   write a new video into the Jellyfin temp folder and register it
    *   register this video as the new intro
    *   and finally provide a malicious endpoint that simply executes system commands and sends back the results

The ability to write arbitrary content to log files was added in #5918 to allow flexibility to client logging.

The following two sections detail Frederic's exact determinations regarding the two vulnerabilities.

**Directory traversal and file write**

I've been reading the codebase here and there for a couple of days and found a directory traversal inside the ClientLogController, specifically /ClientLog/Document.

The GetRequestInformation method retrieves the name and version of the client from the HttpContext.User object.

Those values are attacker controlled when authenticating against the API. Both values are interpolated into a string, which ultimately ends up as an argument to Path.Combine().

Setting a client name to the relative path "........\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\test" will write a file with completely attacker controlled content to the executing user's autostart directory.

However, because the attacker only partially controls the filename, exploitation proves to be tricky. That's because the resulting file will always end in ".log", which means putting something in the autostart directory is only going to open notepad on startup. I mean, we can at least insult the user :^).

Anyway, the next logical step would be to write into Jellyfin's plugins directory, but the sub-directories there (of which the already existing configurations directory conveniently counts as one!) are only getting scanned for ".dll" files.

This stops an attacker from providing malicious DLLs that implement the correct interfaces in order to be recognized as legitimate plugins.

On Linux, there might be more options. Running as the standard root user inside a container, an attacker could of course write anywhere. There's the very interesting "/etc/cron.d" directory, where an attacker can place cron jobs that get picked up automatically. Those files, however, can't contain a dot. Moreover, inside the container the cronjobs are probably not being executed, as the Jellyfin process should be only one running.

For the stored XSS component, see GHSA-89hp-h43h-r5pq

**Patches**

10.8.10

**Workarounds**

N/A

**References**

N/A

CVE-2023-30626: Directory traversal + file write causing arbitrary code execution

broccoli-compass v0.2.4 was discovered to contain a remote code execution (RCE) vulnerability via the child_process function.

**Vulnerability in broccoli-compass**

This report details an ACI vulnerability affecting broccoli-compass@0.2.4.

**Package source**

*   https://www.npmjs.com/broccoli-compass
*   https://github.com/g13013/broccoli-compass

**Package description**

"Sass-compass plugin for Broccoli"

**Vulnerability Overview**

Affected versions of this package are vulnerable to arbitrary command injection (CWE-77 \[1\]).

If an attacker-controlled filename is included in the list of files passed to "broccoli-compass" via its "files" option, it is possible for an attacker to execute arbitrary commands on the operating system that this package is being run on.

This vulnerability is due to use of the child_process exec function without input sanitization. The Node.js API documentation states that unsanitized user input should never be passed to exec \[2\].

\[1\] https://cwe.mitre.org/data/definitions/77.html

\[2\] https://nodejs.org/api/child\_process.html#child\_process\_child\_process\_exec\_command\_options\_callback

**Reproduction**

A filename that contains a bash exploit payload must be provided in the list of files that "broccoli-compass" accepts as an argument. This can occur if another Node.js application includes "broccoli-compass" as a dependency and allows user-influenced filenames to reach the files list passed to "broccoli-compass".

The proof-of-concept (PoC) program below illustrates the issue. Executing this code will cause the command touch success to be executed, leading to the creation of a file called success.

var compileSass \= require('broccoli-compass');
var user\_provided\_filename \= '$(touch success);#';
compileSass({}, {
    'files': \[user\_provided\_filename\]
}).write('.', '.');

Environment: Node.js v15.5.1 on Linux

Steps to reproduce:

1.  npm i broccoli-compass@0.2.4
2.  Create a file, e.g., poc0.js, containing the PoC code.
3.  Execute the file: node poc0.js

A file called success will be created as a result of the execution of the PoC.

CVE-2023-27848: Vulnerability-Reports/report.md at 9d65add2bca71ed6d6b2e281ee6790a12504ff8e · omnitaint/Vulnerability-Reports

Debian Linux Security Advisory 5393-1 - Multiple security issues were discovered in Chromium, which could result in the execution of arbitrary code, denial of service or information disclosure.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5393-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffApril 22, 2023                        https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : chromiumCVE ID         : CVE-2023-2133 CVE-2023-2134 CVE-2023-2135 CVE-2023-2136                  CVE-2023-2137Multiple security issues were discovered in Chromium, which could resultin the execution of arbitrary code, denial of service or informationdisclosure.For the stable distribution (bullseye), these problems have been fixed inversion 112.0.5615.138-1~deb11u1.We recommend that you upgrade your chromium packages.For the detailed security status of chromium please refer toits security tracker page at:https://security-tracker.debian.org/tracker/chromiumFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmREBtkACgkQEMKTtsN8TjZHjA//Xt54GrjHMIT1eis48gYiXhfhUxNl1MiA4eeSYFJuidwGLoZbG8AGmT+2OHUvwjOCiJ4RHV06fnpPuftn95Q9Ehz79WkNeeZSIKCuZPeNK6u6c2LZv3enU3ojFejG5y6k/L6kwBx7VUPNnvraZVZcB0zwbL/f9B5wXgAwluxqynyX3vZBPRjTsJATLQs/PMhx7wWVFXspQjIm6+9bVySuNEsIUTIsDNnRlLnSVler3THdcmlHLBVDU1Qb3CIN6bAzDDnJSOUQIHWKIPLSr84ygeT6n0/eeC7qzqJ4WvG7TKhsyXrH1z+XzRdMFajVDrOhYmofmRG4WgyXibcOfi0eR7aEahNVG4aLZlP+hZvKDlDrSJ5kzI8IH4NaXZid9IGZaOXvxKaTOsKaBuC3uHDlWny1aU5MBb/itSeYbXmNVzIip7BJ10wG9rjaQ4d6VEbrMDEEWy5rqP1PUexW5wNDAwNhMHhV2pgPHnDzkC3ScQM6uN4X2vxs58oGMaSsjqjYpR5MOIEoh2SnNdz4NDXxjP8+bdpOu7MOIh4nYBC/zcWf84DgeMq1tv3RR2LDXfwdMZyxlZc7thPvtZhXfUsDJRX38LD0S0B4JR1ERRqYerpj3ixAuOk6OyyJA0CcdiI1Yave1rFGzjzitxYkpgYG+uRYa/GWgDOuG1Ebbk6R2cE==vqQn-----END PGP SIGNATURE-----

Debian Security Advisory 5393-1

Debian Linux Security Advisory 5392-1 - Multiple security issues were discovered in Thunderbird, which could result in denial of service or the execution of arbitrary code.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5392-1                   security@debian.org  
https://www.debian.org/security/                       Moritz Muehlenhoff  
April 22, 2023                        https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : thunderbird  
CVE ID         : CVE-2023-0547 CVE-2023-1945 CVE-2023-28427 CVE-2023-29479   
                 CVE-2023-29533 CVE-2023-29535 CVE-2023-29536 CVE-2023-29539   
                 CVE-2023-29541 CVE-2023-29548 CVE-2023-29550

Multiple security issues were discovered in Thunderbird, which could  
result in denial of service or the execution of arbitrary code.

For the stable distribution (bullseye), these problems have been fixed in  
version 1:102.10.0-1~deb11u1.

We recommend that you upgrade your thunderbird packages.

For the detailed security status of thunderbird please refer to  
its security tracker page at:  
https://security-tracker.debian.org/tracker/thunderbird

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmREBsEACgkQEMKTtsN8  
TjZX4w/+OuttNpDWu8m7daY/USfgb3U7pVI+wbMrqMKxSjQ6BRCUaCcXN1VXZpXn  
cOGTqSoFB+qBgYrSjJ0buH9L1yWAQXfaw43wF9eDAfRZB1Svzhl+W164GGks1YKZ  
9WbJ255lvCuXuNbmP+I1xYtuN5epP1saNAET/3HDkJUbXre5T3wdGCjgJnfyE6vf  
JhAwqVYEbOabRisnEhkP67yHk6mEz2QzH+KbbxyS7hCHp+I4RIMNhxPeoPb2Mn/t  
3oja8bC1WGpJaOaQy99UlCD11L8li30LbVb95V8l91tVzbXJwfOCmdjdRp+8/xA/  
fSpNdjCa7rbX8FWeU/FNunia/KkkJgc3qa65+e0muq99gdBk/+1HrrysjZt2oya5  
/vOMLjDfRmfqyB2fn65Isl2PhJnJN9EtPXeEFGLGNmRfqVlg2w4qXm2UUGDPmeuF  
rQrsYJ7YLLfQp7JejtNbPZbH+csEXFn2DRVv9YdOX5/H+a/boqe0h+9Wtmywzfw1  
uH+A5iY5JyLhknMyzfopCfpZIcV4ieRxeOdKvkUom67zKr2OAigSGxpz7EFdnunn  
gITqkbFqHtdjcCq/Vuj+vlfcUP7iLrWNSR9FZc9k9QcN0kaot8CqUmXF4zjkH/le  
sZMm+pcds9XpShSb3SXatKj3YY/O+DbHEcuKFSjg6DSHwEz4GLI=  
=tV7a  
-----END PGP SIGNATURE-----

Debian Security Advisory 5392-1

Red Hat Security Advisory 2023-1931-01 - GNU Emacs is a powerful, customizable, self-documenting text editor. It provides special code editing features, a scripting language, and the capability to read e-mail and news. Issues addressed include a code execution vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: emacs security update  
Advisory ID:       RHSA-2023:1931-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:1931  
Issue date:        2023-04-24  
CVE Names:         CVE-2023-28617   
=====================================================================

1. Summary:

An update for emacs is now available for Red Hat Enterprise Linux 8.6  
Extended Update Support.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream EUS (v.8.6) - aarch64, noarch, ppc64le, s390x, x86_64  
Red Hat Enterprise Linux BaseOS EUS (v.8.6) - noarch

3. Description:

GNU Emacs is a powerful, customizable, self-documenting text editor. It  
provides special code editing features, a scripting language (elisp), and  
the capability to read e-mail and news.

Security Fix(es):

* emacs: command injection vulnerability in org-mode (CVE-2023-28617)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2180544 - CVE-2023-28617 emacs: command injection vulnerability in org-mode

6. Package List:

Red Hat Enterprise Linux AppStream EUS (v.8.6):

aarch64:  
emacs-26.1-7.el8_6.1.aarch64.rpm  
emacs-common-26.1-7.el8_6.1.aarch64.rpm  
emacs-common-debuginfo-26.1-7.el8_6.1.aarch64.rpm  
emacs-debuginfo-26.1-7.el8_6.1.aarch64.rpm  
emacs-debugsource-26.1-7.el8_6.1.aarch64.rpm  
emacs-lucid-26.1-7.el8_6.1.aarch64.rpm  
emacs-lucid-debuginfo-26.1-7.el8_6.1.aarch64.rpm  
emacs-nox-26.1-7.el8_6.1.aarch64.rpm  
emacs-nox-debuginfo-26.1-7.el8_6.1.aarch64.rpm

noarch:  
emacs-terminal-26.1-7.el8_6.1.noarch.rpm

ppc64le:  
emacs-26.1-7.el8_6.1.ppc64le.rpm  
emacs-common-26.1-7.el8_6.1.ppc64le.rpm  
emacs-common-debuginfo-26.1-7.el8_6.1.ppc64le.rpm  
emacs-debuginfo-26.1-7.el8_6.1.ppc64le.rpm  
emacs-debugsource-26.1-7.el8_6.1.ppc64le.rpm  
emacs-lucid-26.1-7.el8_6.1.ppc64le.rpm  
emacs-lucid-debuginfo-26.1-7.el8_6.1.ppc64le.rpm  
emacs-nox-26.1-7.el8_6.1.ppc64le.rpm  
emacs-nox-debuginfo-26.1-7.el8_6.1.ppc64le.rpm

s390x:  
emacs-26.1-7.el8_6.1.s390x.rpm  
emacs-common-26.1-7.el8_6.1.s390x.rpm  
emacs-common-debuginfo-26.1-7.el8_6.1.s390x.rpm  
emacs-debuginfo-26.1-7.el8_6.1.s390x.rpm  
emacs-debugsource-26.1-7.el8_6.1.s390x.rpm  
emacs-lucid-26.1-7.el8_6.1.s390x.rpm  
emacs-lucid-debuginfo-26.1-7.el8_6.1.s390x.rpm  
emacs-nox-26.1-7.el8_6.1.s390x.rpm  
emacs-nox-debuginfo-26.1-7.el8_6.1.s390x.rpm

x86_64:  
emacs-26.1-7.el8_6.1.x86_64.rpm  
emacs-common-26.1-7.el8_6.1.x86_64.rpm  
emacs-common-debuginfo-26.1-7.el8_6.1.x86_64.rpm  
emacs-debuginfo-26.1-7.el8_6.1.x86_64.rpm  
emacs-debugsource-26.1-7.el8_6.1.x86_64.rpm  
emacs-lucid-26.1-7.el8_6.1.x86_64.rpm  
emacs-lucid-debuginfo-26.1-7.el8_6.1.x86_64.rpm  
emacs-nox-26.1-7.el8_6.1.x86_64.rpm  
emacs-nox-debuginfo-26.1-7.el8_6.1.x86_64.rpm

Red Hat Enterprise Linux BaseOS EUS (v.8.6):

Source:  
emacs-26.1-7.el8_6.1.src.rpm

noarch:  
emacs-filesystem-26.1-7.el8_6.1.noarch.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2023-28617  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZEYnQtzjgjWX9erEAQjH3w//bWrgMmx4RYmB43o0HZrDlzViBA9LdE7v  
INgXKCdUkzbfl8YflwRIijqn0ENNvUUHeluGwfFQiPmH5mwVpFhvSoLkoyQXBVHx  
i2Z3r6EGhGrMFYZ8FOj24bZNZZkqqRrYPcFymPTQPE/soAMOERVsGdy/nLATcvpO  
I/NblcjcNqWe1VepT3V1i5gwlWOa22OfnJUh9e05LSWkVg/9Gxl2AVcTN9Y2s1jw  
9tg7nJZA/bs2sDbbLawjxPLoNszJlxZAZlITRXVCKGrvutnhqTxFGWOx4fvnQWEa  
3xLz4nLGCr+sXyHu6Q4mjLEK40b74daY80roFfk++fuDuo5dZQIvh/J04tp9oTh2  
1TEBD8INRSC+dEBiDB4ZfuwQvX1C5zn8aFFURluuXFNILsnWbC5crNdtetw75JCS  
4UnRiJnp07XI+Y9ASlf+tIP+r9zqny5KRzrpCTKL+GZ1XzQczkLdP3n2TrMQx2/I  
M9/WFo7ASfLOxsRobk3ddPJd5iGoxyzA4SnU6Cq5utmF8Xl08ZXDCLtXx+GorDH6  
QZdDvUxLUX+PewJZqEmw6R7MfEamt9ORePcsnA/Yemt7tSjSJy8+AI0T/WdHfLHd  
7hqgcbbb/kWyNFWiXEA9td+pkyhphuDDw7x/QDdKHgHJXK23NQvDpmTxg8OH3zGO  
i7gZUc/hfDI=  
=7r7b  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-1931-01

Red Hat Security Advisory 2023-1930-01 - GNU Emacs is a powerful, customizable, self-documenting text editor. It provides special code editing features, a scripting language, and the capability to read e-mail and news. Issues addressed include a code execution vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: emacs security update  
Advisory ID:       RHSA-2023:1930-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:1930  
Issue date:        2023-04-24  
CVE Names:         CVE-2023-28617   
=====================================================================

1. Summary:

An update for emacs is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 8) - aarch64, noarch, ppc64le, s390x, x86_64  
Red Hat Enterprise Linux BaseOS (v. 8) - noarch

3. Description:

GNU Emacs is a powerful, customizable, self-documenting text editor. It  
provides special code editing features, a scripting language (elisp), and  
the capability to read e-mail and news.

Security Fix(es):

* emacs: command injection vulnerability in org-mode (CVE-2023-28617)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2180544 - CVE-2023-28617 emacs: command injection vulnerability in org-mode

6. Package List:

Red Hat Enterprise Linux AppStream (v. 8):

aarch64:  
emacs-26.1-7.el8_7.1.aarch64.rpm  
emacs-common-26.1-7.el8_7.1.aarch64.rpm  
emacs-common-debuginfo-26.1-7.el8_7.1.aarch64.rpm  
emacs-debuginfo-26.1-7.el8_7.1.aarch64.rpm  
emacs-debugsource-26.1-7.el8_7.1.aarch64.rpm  
emacs-lucid-26.1-7.el8_7.1.aarch64.rpm  
emacs-lucid-debuginfo-26.1-7.el8_7.1.aarch64.rpm  
emacs-nox-26.1-7.el8_7.1.aarch64.rpm  
emacs-nox-debuginfo-26.1-7.el8_7.1.aarch64.rpm

noarch:  
emacs-terminal-26.1-7.el8_7.1.noarch.rpm

ppc64le:  
emacs-26.1-7.el8_7.1.ppc64le.rpm  
emacs-common-26.1-7.el8_7.1.ppc64le.rpm  
emacs-common-debuginfo-26.1-7.el8_7.1.ppc64le.rpm  
emacs-debuginfo-26.1-7.el8_7.1.ppc64le.rpm  
emacs-debugsource-26.1-7.el8_7.1.ppc64le.rpm  
emacs-lucid-26.1-7.el8_7.1.ppc64le.rpm  
emacs-lucid-debuginfo-26.1-7.el8_7.1.ppc64le.rpm  
emacs-nox-26.1-7.el8_7.1.ppc64le.rpm  
emacs-nox-debuginfo-26.1-7.el8_7.1.ppc64le.rpm

s390x:  
emacs-26.1-7.el8_7.1.s390x.rpm  
emacs-common-26.1-7.el8_7.1.s390x.rpm  
emacs-common-debuginfo-26.1-7.el8_7.1.s390x.rpm  
emacs-debuginfo-26.1-7.el8_7.1.s390x.rpm  
emacs-debugsource-26.1-7.el8_7.1.s390x.rpm  
emacs-lucid-26.1-7.el8_7.1.s390x.rpm  
emacs-lucid-debuginfo-26.1-7.el8_7.1.s390x.rpm  
emacs-nox-26.1-7.el8_7.1.s390x.rpm  
emacs-nox-debuginfo-26.1-7.el8_7.1.s390x.rpm

x86_64:  
emacs-26.1-7.el8_7.1.x86_64.rpm  
emacs-common-26.1-7.el8_7.1.x86_64.rpm  
emacs-common-debuginfo-26.1-7.el8_7.1.x86_64.rpm  
emacs-debuginfo-26.1-7.el8_7.1.x86_64.rpm  
emacs-debugsource-26.1-7.el8_7.1.x86_64.rpm  
emacs-lucid-26.1-7.el8_7.1.x86_64.rpm  
emacs-lucid-debuginfo-26.1-7.el8_7.1.x86_64.rpm  
emacs-nox-26.1-7.el8_7.1.x86_64.rpm  
emacs-nox-debuginfo-26.1-7.el8_7.1.x86_64.rpm

Red Hat Enterprise Linux BaseOS (v. 8):

Source:  
emacs-26.1-7.el8_7.1.src.rpm

noarch:  
emacs-filesystem-26.1-7.el8_7.1.noarch.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2023-28617  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZEYnQdzjgjWX9erEAQgYZBAAk1j91NDn4D4TtEIZUN/O7x/nUtgn/HNX  
NT9NGe4VIlNmDlLbo2oN2QHN+a6UB3cDMU5zuY/GsxulwbKq+NbSXlcib5X8QG91  
YNSJt0lhIZkATQKLetcS8+sfIS3I03cLJVTeTFzll/yjVhQl9loKrDE9XO0TO7MG  
mkfwMCPSj7SZe8BMKPQKVQ0lxrTrZ6+OcTsTmh7v6KtuwoR2ekqzdHKbWkcaFPlA  
R/XvN6HwVD10jTbQXoN9p5576TAEHynJ0BkyqtaGs7cNQeGd3deFDjOj/rTdrs7I  
bVrfpgO7MAuHXj6gnIILghLRSNIwEABmiQlT67+9p1z/zrhhkWU4Cjy3Xe8v5sXl  
jctLAHnqz0Eds+5vGp8L+uPfyXjrEoGGtVGO3ruJPcf7UqufSkkOKJHt28fmJwgW  
dnIAXKy3Fdg15b06Dc50QvYEFNkkYU801IgWFZb75PcNr6nLluO6KZwteCJO8w7r  
DP44IubEiri4VMkYxk3KTwZk6IjKdpGcoyDLy7FANHbGarbYDctmxlw7OY10ygck  
Ewt6nzD52qgwyt5q7CCpH/KYa96uJXAugmkUiEwQHeHZakMq2yyiXrxg7b1Gg88o  
ttZSL2pdeYg4oNs3bU6A5GrSP57zGWEYY++1zbJCew9EKdBAnJw5vqRsq6x/JBQc  
6Wk6g1DQ26M=  
=u1kk  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-1930-01

Red Hat Security Advisory 2023-1816-01 - Red Hat OpenShift Data Foundation is software-defined storage integrated with and optimized for the Red Hat OpenShift Data Foundation. Red Hat OpenShift Data Foundation is a highly scalable, production-grade persistent storage for stateful applications running in the Red Hat OpenShift Container Platform.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Moderate: Red Hat OpenShift Data Foundation 4.12.2 Bug Fix and security update  
Advisory ID:       RHSA-2023:1816-01  
Product:           RHODF  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:1816  
Issue date:        2023-04-17  
CVE Names:         CVE-2020-10735 CVE-2021-28861 CVE-2022-4304   
                   CVE-2022-4415 CVE-2022-4450 CVE-2022-40897   
                   CVE-2022-41717 CVE-2022-45061 CVE-2022-48303   
                   CVE-2023-0215 CVE-2023-0286 CVE-2023-23916   
=====================================================================

1. Summary:

Updated images that fix several bugs are now available for Red Hat  
OpenShift Data Foundation 4.12.2 on Red Hat Enterprise Linux 8 from Red Hat  
Container Registry.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Description:

Red Hat OpenShift Data Foundation is software-defined storage integrated  
with and optimized for the Red Hat OpenShift Data Foundation. Red Hat  
OpenShift Data Foundation is a highly scalable, production-grade persistent  
storage for stateful applications running in the Red Hat OpenShift  
Container Platform. In addition to persistent storage, Red Hat OpenShift  
Data Foundation provisions a multicloud data management service with an S3  
compatible API.

Security Fix(es):

* golang: net/http: An attacker can cause excessive memory growth in a Go  
server accepting HTTP/2 requests (CVE-2022-41717)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

Bug Fix(es):

* [backport 4.12] s3 sync directory to a bucket fails with Internal Error  
in between the upload operation (BZ#2170416)

* [4.12 clone] [Noobaa] Secrets are used in env variables (BZ#2171968)

* [Backport to 4.12.z] Placeholder bug to backport the odf changes for  
Managed services epic RHSTOR-2442  to 4.12.z (BZ#2174335)

* [ODF 4.12] Missing the status-reporter binary causing pods  
"report-status-to-provider" remain in CreateContainerError on ODF to ODF  
cluster on ROSA (BZ#2179978)

* [MDR] After upgrade(redhat-operators) on hub from 4.12.1 to 4.12.2  
noticed 2 token-exchange-agent pods on managed clusters and one of them on  
CBLO (BZ#2183198)

3. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

2161274 - CVE-2022-41717 golang: net/http: An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests  
2171968 - [4.12 clone] [Noobaa] Secrets are used in env variables  
2174335 - [Backport to 4.12.z] Placeholder bug to backport the odf changes for Managed services epic RHSTOR-2442  to 4.12.z  
2175365 - [4.12.z] Upgrade from 4.12.0 to 4.12.1 doesn't work  
2179978 - [ODF 4.12] Missing the status-reporter binary causing pods "report-status-to-provider" remain in CreateContainerError on ODF to ODF cluster on ROSA  
2183198 - [MDR] After upgrade(redhat-operators) on hub from 4.12.1 to 4.12.2 noticed 2 token-exchange-agent pods on managed clusters and one of them on CBLO  
2186455 - Include at ODF 4.12 container images the RHEL8 CVE fix on "openssl"

5. References:

https://access.redhat.com/security/cve/CVE-2020-10735  
https://access.redhat.com/security/cve/CVE-2021-28861  
https://access.redhat.com/security/cve/CVE-2022-4304  
https://access.redhat.com/security/cve/CVE-2022-4415  
https://access.redhat.com/security/cve/CVE-2022-4450  
https://access.redhat.com/security/cve/CVE-2022-40897  
https://access.redhat.com/security/cve/CVE-2022-41717  
https://access.redhat.com/security/cve/CVE-2022-45061  
https://access.redhat.com/security/cve/CVE-2022-48303  
https://access.redhat.com/security/cve/CVE-2023-0215  
https://access.redhat.com/security/cve/CVE-2023-0286  
https://access.redhat.com/security/cve/CVE-2023-23916  
https://access.redhat.com/security/updates/classification/#moderate

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZEOpudzjgjWX9erEAQgudA//c1DhcceGIufqRhheeM1fMJLx1pr8aS5C  
fVkwxXyNVip1BZta1fwLstIPEcbNG1Q3xCnjVmDqjxkG4sPh7HdkzmtIVdt9JSBX  
3TKSqHUMtP7m1dtlP8xg2fyQ8Om7Ki9xE6KCkijR3TwDZMZOkFtRg6D9MbSPT7+s  
3tvq+vEQ2HVr13KEdMC7kSSyvZsqLgCT3LcURFxn/rZipGy+DDJeK8uGhMe2uF43  
QPsYBb0qhm2s6T+6QWhBPahOgDxqCtP8KSgO6RNuieubL/E+wr+sV8LBXkrPZ71N  
QT6MEY7R8x5Af7+04t0INnFg2Bqo+eJPLPgLGpTqFtJeoDm0HAeqliHgv7SFqex5  
FPArRIPPgzjjEFASv4dr1r4WKAr9PWaGCrFE4OZM2m5ibQi//SWJuEn1719T5WDf  
+BGCJ8UfOWOX3J385rECIm2r0ZL5yPq2XBoPJUEcA0I0YSswlOjD6V6ovaROSNrh  
NU2eA/xSj4vwDTEC+FojZAeL1IT7uAFUJCYMq+zcyqTFRE+C7tDo8zcnVuJVhHq2  
xhezfIlbgBbcEHr5omqVp4utqDSCfYfhoGFxUJtW07iEJmq01R9lPsNbdVQsAGW4  
8/Xt+P4wU6LIYNcAM4S5yxMy2KMN/rDKwoxSljg4I6dM8uWUJAF2iaGA1+T2dKq5  
GfmMJLVuC8A=  
=MYP7  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-1816-01

mp4v2 v2.0.0 was discovered to contain a heap buffer overflow via the mp4v2::impl::MP4StringProperty::~MP4StringProperty() function at src/mp4property.cpp.

Permalink

Cannot retrieve contributors at this time

**Heap-buffer-overflow src/mp4property.cpp:338:17 in mp4v2::impl::MP4StringProperty::~MP4StringProperty()****project address**

https://github.com/TechSmith/mp4v2

**info**

OS：Ubuntu20.04 TLS

Build: mkdir build && cd build && cmake .. && make

**Poc**

https://github.com/z1r00/fuzz\_vuln/blob/main/mp4v2/heap-buffer-overflow/mp4property.cpp/poc1.mp4

**ASAN Info**

./mp4info poc1.mp4

./mp4info version 2.0.0
/home/ubuntu/fuzzing/mp4v2/poc1.mp4:
=================================================================
==2321319\==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000158 at pc 0x7f0be169f82a bp 0x7ffe0644aba0 sp 0x7ffe0644ab98
READ of size 8 at 0x602000000158 thread T0
    #0 0x7f0be169f829 in mp4v2::impl::MP4StringProperty::~MP4StringProperty() /home/ubuntu/mprv2\_fuzz/mp4v2/src/mp4property.cpp:338:17
    #1 0x7f0be169f919 in mp4v2::impl::MP4StringProperty::~MP4StringProperty() /home/ubuntu/mprv2\_fuzz/mp4v2/src/mp4property.cpp:335:1
    #2 0x7f0be161a7d4 in mp4v2::impl::MP4Atom::~MP4Atom() /home/ubuntu/mprv2\_fuzz/mp4v2/src/mp4atom.cpp:66:9
    #3 0x7f0be1587419 in mp4v2::impl::MP4FtypAtom::~MP4FtypAtom() /home/ubuntu/mprv2\_fuzz/mp4v2/src/atoms.h:344:7
    #4 0x7f0be1624cd6 in mp4v2::impl::MP4Atom::ReadAtom(mp4v2::impl::MP4File&, mp4v2::impl::MP4Atom\*) /home/ubuntu/mprv2\_fuzz/mp4v2/src/mp4atom.cpp:206:3
    #5 0x7f0be1626ffb in mp4v2::impl::MP4Atom::ReadChildAtoms() /home/ubuntu/mprv2\_fuzz/mp4v2/src/mp4atom.cpp:442:31
    #6 0x7f0be1625990 in mp4v2::impl::MP4Atom::Read() /home/ubuntu/mprv2\_fuzz/mp4v2/src/mp4atom.cpp:247:11
    #7 0x7f0be163960d in mp4v2::impl::MP4File::ReadFromFile() /home/ubuntu/mprv2\_fuzz/mp4v2/src/mp4file.cpp:431:18
    #8 0x7f0be1637f1f in mp4v2::impl::MP4File::Read(char const\*, MP4FileProvider\_s const\*) /home/ubuntu/mprv2\_fuzz/mp4v2/src/mp4file.cpp:98:5
    #9 0x7f0be15e60e2 in MP4Read /home/ubuntu/mprv2\_fuzz/mp4v2/src/mp4.cpp:106:16
    #10 0x7f0be169ae58 in MP4FileInfo /home/ubuntu/mprv2\_fuzz/mp4v2/src/mp4info.cpp:614:29
    #11 0x4c8141 in main /home/ubuntu/mprv2\_fuzz/mp4v2/util/mp4info.cpp:77:22
    #12 0x7f0be0e3f082 in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x24082)
    #13 0x41d52d in \_start (/home/ubuntu/mprv2\_fuzz/mp4v2/build/mp4info+0x41d52d)

0x602000000158 is located 0 bytes to the right of 8-byte region \[0x602000000150,0x602000000158)
allocated by thread T0 here:
    #0 0x495f89 in realloc (/home/ubuntu/mprv2\_fuzz/mp4v2/build/mp4info+0x495f89)
    #1 0x7f0be1534c3d in mp4v2::impl::MP4Realloc(void\*, unsigned int) /home/ubuntu/mprv2\_fuzz/mp4v2/src/mp4util.h:80:18
    #2 0x7f0be16b428f in mp4v2::impl::MP4StringArray::Resize(unsigned int) /home/ubuntu/mprv2\_fuzz/mp4v2/src/mp4array.h:138:1
    #3 0x7f0be169f9a3 in mp4v2::impl::MP4StringProperty::SetCount(unsigned int) /home/ubuntu/mprv2\_fuzz/mp4v2/src/mp4property.cpp:346:14

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/ubuntu/mprv2\_fuzz/mp4v2/src/mp4property.cpp:338:17 in mp4v2::impl::MP4StringProperty::~MP4StringProperty()
Shadow bytes around the buggy address:
  0x0c047fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff8000: fa fa 00 00 fa fa fd fd fa fa 00 00 fa fa 00 00
  0x0c047fff8010: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
=>0x0c047fff8020: fa fa fd fa fa fa fd fa fa fa 00\[fa\]fa fa fd fd
  0x0c047fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==2321319==ABORTING

Tag

#linux