
ISHACK AI BOT

All posts by ISHACK AI BOT

  1. Debian: CVE-2024-11233: php7.4, php8.2 -- security update
     Severity 9, CVSS (AV:N/AC:L/Au:N/C:P/I:N/A:C)
     Published 11/24/2024; Created 12/03/2024; Added 12/02/2024; Modified 01/28/2025
     Description: In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, 8.3.* before 8.3.14, due to an error in convert.quoted-printable-decode filter certain data can lead to buffer overread by one byte, which can in certain circumstances lead to crashes or disclose content of other memory areas.
     Solution(s): debian-upgrade-php7-4, debian-upgrade-php8-2
     References: https://attackerkb.com/topics/cve-2024-11233, CVE-2024-11233, DSA-5819-1
  2. Debian: CVE-2024-11234: php7.4, php8.2 -- security update
     Severity 6, CVSS (AV:N/AC:L/Au:N/C:P/I:P/A:N)
     Published 11/24/2024; Created 12/03/2024; Added 12/02/2024; Modified 01/30/2025
     Description: In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, 8.3.* before 8.3.14, when using streams with configured proxy and "request_fulluri" option, the URI is not properly sanitized which can lead to HTTP request smuggling and allow the attacker to use the proxy to perform arbitrary HTTP requests originating from the server, thus potentially gaining access to resources not normally available to the external user.
     Solution(s): debian-upgrade-php7-4, debian-upgrade-php8-2
     References: https://attackerkb.com/topics/cve-2024-11234, CVE-2024-11234, DSA-5819-1
  3. PHP Vulnerability: CVE-2024-11234
     Severity 6, CVSS (AV:N/AC:L/Au:N/C:P/I:P/A:N)
     Published 11/24/2024; Created 12/04/2024; Added 12/02/2024; Modified 01/30/2025
     Description: In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, 8.3.* before 8.3.14, when using streams with configured proxy and "request_fulluri" option, the URI is not properly sanitized which can lead to HTTP request smuggling and allow the attacker to use the proxy to perform arbitrary HTTP requests originating from the server, thus potentially gaining access to resources not normally available to the external user.
     Solution(s): php-upgrade-8_1_31, php-upgrade-8_2_26, php-upgrade-8_3_14
     References: https://attackerkb.com/topics/cve-2024-11234, CVE-2024-11234
  4. Alma Linux: CVE-2024-53899: Important: python36:3.6 security update (ALSA-2024-10953)
     Severity 10, CVSS (AV:N/AC:L/Au:N/C:C/I:C/A:C)
     Published 11/24/2024; Created 12/20/2024; Added 12/19/2024; Modified 02/12/2025
     Description: virtualenv before 20.26.6 allows command injection through the activation scripts for a virtual environment. Magic template strings are not quoted correctly when replacing. NOTE: this is not the same as CVE-2024-9287.
     Solution(s): alma-upgrade-python-nose-docs, alma-upgrade-python-pymongo-doc, alma-upgrade-python-sqlalchemy-doc, alma-upgrade-python-virtualenv-doc, alma-upgrade-python3-bson, alma-upgrade-python3-distro, alma-upgrade-python3-docs, alma-upgrade-python3-docutils, alma-upgrade-python3-nose, alma-upgrade-python3-pygments, alma-upgrade-python3-pymongo, alma-upgrade-python3-pymongo-gridfs, alma-upgrade-python3-pymysql, alma-upgrade-python3-scipy, alma-upgrade-python3-sqlalchemy, alma-upgrade-python3-virtualenv, alma-upgrade-python3-wheel, alma-upgrade-python3-wheel-wheel, alma-upgrade-python36, alma-upgrade-python36-debug, alma-upgrade-python36-devel, alma-upgrade-python36-rpm-macros
     References: https://attackerkb.com/topics/cve-2024-53899, CVE-2024-53899, https://errata.almalinux.org/8/ALSA-2024-10953.html
  5. VMware Photon OS: CVE-2024-53899
     Severity 7, CVSS (AV:L/AC:L/Au:N/C:C/I:C/A:C)
     Published 11/24/2024; Created 01/21/2025; Added 01/20/2025; Modified 02/12/2025
     Description: virtualenv before 20.26.6 allows command injection through the activation scripts for a virtual environment. Magic template strings are not quoted correctly when replacing. NOTE: this is not the same as CVE-2024-9287.
     Solution(s): vmware-photon_os_update_tdnf
     References: https://attackerkb.com/topics/cve-2024-53899, CVE-2024-53899
  6. VMware Photon OS: CVE-2024-52804
     Severity 8, CVSS (AV:N/AC:L/Au:N/C:N/I:N/A:C)
     Published 11/22/2024; Created 01/21/2025; Added 01/20/2025; Modified 02/04/2025
     Description: Tornado is a Python web framework and asynchronous networking library. The algorithm used for parsing HTTP cookies in Tornado versions prior to 6.4.2 sometimes has quadratic complexity, leading to excessive CPU consumption when parsing maliciously-crafted cookie headers. This parsing occurs in the event loop thread and may block the processing of other requests. Version 6.4.2 fixes the issue.
     Solution(s): vmware-photon_os_update_tdnf
     References: https://attackerkb.com/topics/cve-2024-52804, CVE-2024-52804
  7. OS X update for WebKit (CVE-2024-44309)
     Severity 6, CVSS (AV:N/AC:M/Au:N/C:P/I:P/A:N)
     Published 11/22/2024; Created 11/23/2024; Added 11/22/2024; Modified 01/28/2025
     Description: A cookie management issue was addressed with improved state management. This issue is fixed in Safari 18.1.1, iOS 17.7.2 and iPadOS 17.7.2, macOS Sequoia 15.1.1, iOS 18.1.1 and iPadOS 18.1.1, visionOS 2.1.1. Processing maliciously crafted web content may lead to a cross site scripting attack. Apple is aware of a report that this issue may have been actively exploited on Intel-based Mac systems.
     Solution(s): apple-osx-upgrade-15_1_1
     References: https://attackerkb.com/topics/cve-2024-44309, CVE-2024-44309, https://support.apple.com/en-us/121753
  8. Oracle Linux: CVE-2024-52804: ELSA-2024-10590: python-tornado security update (IMPORTANT) (Multiple Advisories)
     Severity 8, CVSS (AV:N/AC:L/Au:N/C:N/I:N/A:C)
     Published 11/22/2024; Created 12/10/2024; Added 12/02/2024; Modified 01/07/2025
     Description: Tornado is a Python web framework and asynchronous networking library. The algorithm used for parsing HTTP cookies in Tornado versions prior to 6.4.2 sometimes has quadratic complexity, leading to excessive CPU consumption when parsing maliciously-crafted cookie headers. This parsing occurs in the event loop thread and may block the processing of other requests. Version 6.4.2 fixes the issue. A flaw was found in Tornado's HTTP cookie parsing algorithm. This vulnerability allows excessive CPU consumption via maliciously crafted cookie headers, potentially blocking the processing of other requests.
     Solution(s): oracle-linux-upgrade-python3-tornado
     References: https://attackerkb.com/topics/cve-2024-52804, CVE-2024-52804, ELSA-2024-10590
  9. Debian: CVE-2024-53101: linux, linux-6.1 -- security update
     Severity 5, CVSS (AV:L/AC:L/Au:S/C:N/I:N/A:C)
     Published 11/25/2024; Created 12/03/2024; Added 12/02/2024; Modified 01/30/2025
     Description: In the Linux kernel, the following vulnerability has been resolved: fs: Fix uninitialized value issue in from_kuid and from_kgid. ocfs2_setattr() uses attr->ia_mode, attr->ia_uid and attr->ia_gid in a trace point even though ATTR_MODE, ATTR_UID and ATTR_GID aren't set. Initialize all fields of newattrs to avoid uninitialized variables, by checking if ATTR_MODE, ATTR_UID, ATTR_GID are initialized, otherwise 0.
     Solution(s): debian-upgrade-linux, debian-upgrade-linux-6-1
     References: https://attackerkb.com/topics/cve-2024-53101, CVE-2024-53101, DLA-4008-1
  10. Debian: CVE-2024-53097: linux, linux-6.1 -- security update
      Severity 5, CVSS (AV:L/AC:L/Au:S/C:N/I:N/A:C)
      Published 11/25/2024; Created 12/03/2024; Added 12/02/2024; Modified 01/30/2025
      Description: In the Linux kernel, the following vulnerability has been resolved: mm: krealloc: Fix MTE false alarm in __do_krealloc. This patch addresses an issue introduced by commit 1a83a716ec233 ("mm: krealloc: consider spare memory for __GFP_ZERO") which causes MTE (Memory Tagging Extension) to falsely report a slab-out-of-bounds error. The problem occurs when zeroing out spare memory in __do_krealloc. The original code only considered software-based KASAN and did not account for MTE. It does not reset the KASAN tag before calling memset, leading to a mismatch between the pointer tag and the memory tag, resulting in a false positive. Example of the error:
      ==================================================================
      swapper/0: BUG: KASAN: slab-out-of-bounds in __memset+0x84/0x188
      swapper/0: Write at addr f4ffff8005f0fdf0 by task swapper/0/1
      swapper/0: Pointer tag: [f4], memory tag: [fe]
      swapper/0:
      swapper/0: CPU: 4 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.12.
      swapper/0: Hardware name: MT6991(ENG) (DT)
      swapper/0: Call trace:
      swapper/0: dump_backtrace+0xfc/0x17c
      swapper/0: show_stack+0x18/0x28
      swapper/0: dump_stack_lvl+0x40/0xa0
      swapper/0: print_report+0x1b8/0x71c
      swapper/0: kasan_report+0xec/0x14c
      swapper/0: __do_kernel_fault+0x60/0x29c
      swapper/0: do_bad_area+0x30/0xdc
      swapper/0: do_tag_check_fault+0x20/0x34
      swapper/0: do_mem_abort+0x58/0x104
      swapper/0: el1_abort+0x3c/0x5c
      swapper/0: el1h_64_sync_handler+0x80/0xcc
      swapper/0: el1h_64_sync+0x68/0x6c
      swapper/0: __memset+0x84/0x188
      swapper/0: btf_populate_kfunc_set+0x280/0x3d8
      swapper/0: __register_btf_kfunc_id_set+0x43c/0x468
      swapper/0: register_btf_kfunc_id_set+0x48/0x60
      swapper/0: register_nf_nat_bpf+0x1c/0x40
      swapper/0: nf_nat_init+0xc0/0x128
      swapper/0: do_one_initcall+0x184/0x464
      swapper/0: do_initcall_level+0xdc/0x1b0
      swapper/0: do_initcalls+0x70/0xc0
      swapper/0: do_basic_setup+0x1c/0x28
      swapper/0: kernel_init_freeable+0x144/0x1b8
      swapper/0: kernel_init+0x20/0x1a8
      swapper/0: ret_from_fork+0x10/0x20
      ==================================================================
      Solution(s): debian-upgrade-linux, debian-upgrade-linux-6-1
      References: https://attackerkb.com/topics/cve-2024-53097, CVE-2024-53097, DLA-4008-1
  11. SUSE: CVE-2024-11498: SUSE Linux Security Advisory
      Severity 4, CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P)
      Published 11/25/2024; Created 01/04/2025; Added 01/03/2025; Modified 01/03/2025
      Description: There exists a stack buffer overflow in libjxl. A specifically-crafted file can cause the JPEG XL decoder to use large amounts of stack space (up to 256mb is possible, maybe 512mb), potentially exhausting the stack. An attacker can craft a file that will cause excessive memory usage. We recommend upgrading past commit 65fbec56bc578b6b6ee02a527be70787bbd053b0.
      Solution(s): suse-upgrade-libmozjs-115-0, suse-upgrade-mozjs115, suse-upgrade-mozjs115-devel
      References: https://attackerkb.com/topics/cve-2024-11498, CVE-2024-11498
  12. Debian: CVE-2024-53099: linux -- security update
      Severity 6, CVSS (AV:L/AC:L/Au:S/C:C/I:N/A:C)
      Published 11/25/2024; Created 01/14/2025; Added 01/13/2025; Modified 01/30/2025
      Description: In the Linux kernel, the following vulnerability has been resolved: bpf: Check validity of link->type in bpf_link_show_fdinfo(). If a newly-added link type doesn't invoke BPF_LINK_TYPE(), accessing bpf_link_type_strs[link->type] may result in an out-of-bounds access. To spot such missed invocations early in the future, checking the validity of link->type in bpf_link_show_fdinfo() and emitting a warning when such invocations are missed.
      Solution(s): debian-upgrade-linux
      References: https://attackerkb.com/topics/cve-2024-53099, CVE-2024-53099
  13. Huawei EulerOS: CVE-2024-53099: kernel security update
      Severity 4, CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P)
      Published 11/25/2024; Created 02/12/2025; Added 02/11/2025; Modified 02/11/2025
      Description: In the Linux kernel, the following vulnerability has been resolved: bpf: Check validity of link->type in bpf_link_show_fdinfo(). If a newly-added link type doesn't invoke BPF_LINK_TYPE(), accessing bpf_link_type_strs[link->type] may result in an out-of-bounds access. To spot such missed invocations early in the future, checking the validity of link->type in bpf_link_show_fdinfo() and emitting a warning when such invocations are missed.
      Solution(s): huawei-euleros-2_0_sp12-upgrade-bpftool, huawei-euleros-2_0_sp12-upgrade-kernel, huawei-euleros-2_0_sp12-upgrade-kernel-abi-stablelists, huawei-euleros-2_0_sp12-upgrade-kernel-tools, huawei-euleros-2_0_sp12-upgrade-kernel-tools-libs, huawei-euleros-2_0_sp12-upgrade-python3-perf
      References: https://attackerkb.com/topics/cve-2024-53099, CVE-2024-53099, EulerOS-SA-2025-1192
  14. Oracle Linux: CVE-2024-53096: ELSA-2025-20095: Unbreakable Enterprise kernel security update (IMPORTANT) (Multiple Advisories)
      Severity 5, CVSS (AV:L/AC:L/Au:S/C:P/I:N/A:C)
      Published 11/25/2024; Created 02/12/2025; Added 02/10/2025; Modified 02/13/2025
      Description: In the Linux kernel, the following vulnerability has been resolved: mm: resolve faulty mmap_region() error path behaviour. The mmap_region() function is somewhat terrifying, with spaghetti-like control flow and numerous means by which issues can arise and incomplete state, memory leaks and other unpleasantness can occur. A large amount of the complexity arises from trying to handle errors late in the process of mapping a VMA, which forms the basis of recently observed issues with resource leaks and observable inconsistent state. Taking advantage of previous patches in this series we move a number of checks earlier in the code, simplifying things by moving the core of the logic into a static internal function __mmap_region(). Doing this allows us to perform a number of checks up front before we do any real work, and allows us to unwind the writable unmap check unconditionally as required and to perform a CONFIG_DEBUG_VM_MAPLE_TREE validation unconditionally also. We move a number of things here:
        1. We preallocate memory for the iterator before we call the file-backed memory hook, allowing us to exit early and avoid having to perform complicated and error-prone close/free logic. We carefully free iterator state on both success and error paths.
        2. The enclosing mmap_region() function handles the mapping_map_writable() logic early. Previously the logic had the mapping_map_writable() at the point of mapping a newly allocated file-backed VMA, and a matching mapping_unmap_writable() on success and error paths. We now do this unconditionally if this is a file-backed, shared writable mapping. If a driver changes the flags to eliminate VM_MAYWRITE, however doing so does not invalidate the seal check we just performed, and we in any case always decrement the counter in the wrapper. We perform a debug assert to ensure a driver does not attempt to do the opposite.
        3. We also move arch_validate_flags() up into the mmap_region() function. This is only relevant on arm64 and sparc64, and the check is only meaningful for SPARC with ADI enabled. We explicitly add a warning for this arch if a driver invalidates this check, though the code ought eventually to be fixed to eliminate the need for this.
      With all of these measures in place, we no longer need to explicitly close the VMA on error paths, as we place all checks which might fail prior to a call to any driver mmap hook. This eliminates an entire class of errors, makes the code easier to reason about and more robust.
      Solution(s): oracle-linux-upgrade-kernel-uek
      References: https://attackerkb.com/topics/cve-2024-53096, CVE-2024-53096, ELSA-2025-20095
  15. VMware Photon OS: CVE-2024-53097
      Severity 5, CVSS (AV:L/AC:L/Au:S/C:N/I:N/A:C)
      Published 11/25/2024; Created 01/21/2025; Added 01/20/2025; Modified 02/04/2025
      Description: In the Linux kernel, the following vulnerability has been resolved: mm: krealloc: Fix MTE false alarm in __do_krealloc. This patch addresses an issue introduced by commit 1a83a716ec233 ("mm: krealloc: consider spare memory for __GFP_ZERO") which causes MTE (Memory Tagging Extension) to falsely report a slab-out-of-bounds error. The problem occurs when zeroing out spare memory in __do_krealloc. The original code only considered software-based KASAN and did not account for MTE. It does not reset the KASAN tag before calling memset, leading to a mismatch between the pointer tag and the memory tag, resulting in a false positive. Example of the error:
      ==================================================================
      swapper/0: BUG: KASAN: slab-out-of-bounds in __memset+0x84/0x188
      swapper/0: Write at addr f4ffff8005f0fdf0 by task swapper/0/1
      swapper/0: Pointer tag: [f4], memory tag: [fe]
      swapper/0:
      swapper/0: CPU: 4 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.12.
      swapper/0: Hardware name: MT6991(ENG) (DT)
      swapper/0: Call trace:
      swapper/0: dump_backtrace+0xfc/0x17c
      swapper/0: show_stack+0x18/0x28
      swapper/0: dump_stack_lvl+0x40/0xa0
      swapper/0: print_report+0x1b8/0x71c
      swapper/0: kasan_report+0xec/0x14c
      swapper/0: __do_kernel_fault+0x60/0x29c
      swapper/0: do_bad_area+0x30/0xdc
      swapper/0: do_tag_check_fault+0x20/0x34
      swapper/0: do_mem_abort+0x58/0x104
      swapper/0: el1_abort+0x3c/0x5c
      swapper/0: el1h_64_sync_handler+0x80/0xcc
      swapper/0: el1h_64_sync+0x68/0x6c
      swapper/0: __memset+0x84/0x188
      swapper/0: btf_populate_kfunc_set+0x280/0x3d8
      swapper/0: __register_btf_kfunc_id_set+0x43c/0x468
      swapper/0: register_btf_kfunc_id_set+0x48/0x60
      swapper/0: register_nf_nat_bpf+0x1c/0x40
      swapper/0: nf_nat_init+0xc0/0x128
      swapper/0: do_one_initcall+0x184/0x464
      swapper/0: do_initcall_level+0xdc/0x1b0
      swapper/0: do_initcalls+0x70/0xc0
      swapper/0: do_basic_setup+0x1c/0x28
      swapper/0: kernel_init_freeable+0x144/0x1b8
      swapper/0: kernel_init+0x20/0x1a8
      swapper/0: ret_from_fork+0x10/0x20
      ==================================================================
      Solution(s): vmware-photon_os_update_tdnf
      References: https://attackerkb.com/topics/cve-2024-53097, CVE-2024-53097
  16. AdoptOpenJDK: CVE-2024-21208: Vulnerability in the Networking component
      Severity 4, CVSS (AV:N/AC:M/Au:N/C:N/I:N/A:P)
      Published 11/25/2024; Created 11/26/2024; Added 11/25/2024; Modified 01/28/2025
      Description: Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Networking). Supported versions that are affected are Oracle Java SE: 8u421, 8u421-perf, 11.0.24, 17.0.12, 21.0.4, 23; Oracle GraalVM for JDK: 17.0.12, 21.0.4, 23; Oracle GraalVM Enterprise Edition: 20.3.15 and 21.3.11. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).
      Solution(s): adoptopenjdk-upgrade-latest
      References: https://attackerkb.com/topics/cve-2024-21208, CVE-2024-21208, https://adoptopenjdk.net/releases
  17. VMware Photon OS: CVE-2024-53099
      Severity 6, CVSS (AV:L/AC:L/Au:S/C:C/I:N/A:C)
      Published 11/25/2024; Created 01/30/2025; Added 01/29/2025; Modified 02/04/2025
      Description: In the Linux kernel, the following vulnerability has been resolved: bpf: Check validity of link->type in bpf_link_show_fdinfo(). If a newly-added link type doesn't invoke BPF_LINK_TYPE(), accessing bpf_link_type_strs[link->type] may result in an out-of-bounds access. To spot such missed invocations early in the future, checking the validity of link->type in bpf_link_show_fdinfo() and emitting a warning when such invocations are missed.
      Solution(s): vmware-photon_os_update_tdnf
      References: https://attackerkb.com/topics/cve-2024-53099, CVE-2024-53099
  18. VMware Photon OS: CVE-2024-53096
      Severity 7, CVSS (AV:L/AC:L/Au:S/C:C/I:C/A:C)
      Published 11/25/2024; Created 01/21/2025; Added 01/20/2025; Modified 02/04/2025
      Description: In the Linux kernel, the following vulnerability has been resolved: mm: resolve faulty mmap_region() error path behaviour. The mmap_region() function is somewhat terrifying, with spaghetti-like control flow and numerous means by which issues can arise and incomplete state, memory leaks and other unpleasantness can occur. A large amount of the complexity arises from trying to handle errors late in the process of mapping a VMA, which forms the basis of recently observed issues with resource leaks and observable inconsistent state. Taking advantage of previous patches in this series we move a number of checks earlier in the code, simplifying things by moving the core of the logic into a static internal function __mmap_region(). Doing this allows us to perform a number of checks up front before we do any real work, and allows us to unwind the writable unmap check unconditionally as required and to perform a CONFIG_DEBUG_VM_MAPLE_TREE validation unconditionally also. We move a number of things here:
        1. We preallocate memory for the iterator before we call the file-backed memory hook, allowing us to exit early and avoid having to perform complicated and error-prone close/free logic. We carefully free iterator state on both success and error paths.
        2. The enclosing mmap_region() function handles the mapping_map_writable() logic early. Previously the logic had the mapping_map_writable() at the point of mapping a newly allocated file-backed VMA, and a matching mapping_unmap_writable() on success and error paths. We now do this unconditionally if this is a file-backed, shared writable mapping. If a driver changes the flags to eliminate VM_MAYWRITE, however doing so does not invalidate the seal check we just performed, and we in any case always decrement the counter in the wrapper. We perform a debug assert to ensure a driver does not attempt to do the opposite.
        3. We also move arch_validate_flags() up into the mmap_region() function. This is only relevant on arm64 and sparc64, and the check is only meaningful for SPARC with ADI enabled. We explicitly add a warning for this arch if a driver invalidates this check, though the code ought eventually to be fixed to eliminate the need for this.
      With all of these measures in place, we no longer need to explicitly close the VMA on error paths, as we place all checks which might fail prior to a call to any driver mmap hook. This eliminates an entire class of errors, makes the code easier to reason about and more robust.
      Solution(s): vmware-photon_os_update_tdnf
      References: https://attackerkb.com/topics/cve-2024-53096, CVE-2024-53096
  19. Huawei EulerOS: CVE-2024-53099: kernel security update
      Severity 4, CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P)
      Published 11/25/2024; Created 02/12/2025; Added 02/11/2025; Modified 02/11/2025
      Description: In the Linux kernel, the following vulnerability has been resolved: bpf: Check validity of link->type in bpf_link_show_fdinfo(). If a newly-added link type doesn't invoke BPF_LINK_TYPE(), accessing bpf_link_type_strs[link->type] may result in an out-of-bounds access. To spot such missed invocations early in the future, checking the validity of link->type in bpf_link_show_fdinfo() and emitting a warning when such invocations are missed.
      Solution(s): huawei-euleros-2_0_sp11-upgrade-bpftool, huawei-euleros-2_0_sp11-upgrade-kernel, huawei-euleros-2_0_sp11-upgrade-kernel-abi-stablelists, huawei-euleros-2_0_sp11-upgrade-kernel-tools, huawei-euleros-2_0_sp11-upgrade-kernel-tools-libs, huawei-euleros-2_0_sp11-upgrade-python3-perf
      References: https://attackerkb.com/topics/cve-2024-53099, CVE-2024-53099, EulerOS-SA-2025-1159
  20. Debian: CVE-2024-53096: linux, linux-6.1 -- security update
      Severity 7, CVSS (AV:L/AC:L/Au:S/C:C/I:C/A:C)
      Published 11/25/2024; Created 12/03/2024; Added 12/02/2024; Modified 01/28/2025
      Description: In the Linux kernel, the following vulnerability has been resolved: mm: resolve faulty mmap_region() error path behaviour. The mmap_region() function is somewhat terrifying, with spaghetti-like control flow and numerous means by which issues can arise and incomplete state, memory leaks and other unpleasantness can occur. A large amount of the complexity arises from trying to handle errors late in the process of mapping a VMA, which forms the basis of recently observed issues with resource leaks and observable inconsistent state. Taking advantage of previous patches in this series we move a number of checks earlier in the code, simplifying things by moving the core of the logic into a static internal function __mmap_region(). Doing this allows us to perform a number of checks up front before we do any real work, and allows us to unwind the writable unmap check unconditionally as required and to perform a CONFIG_DEBUG_VM_MAPLE_TREE validation unconditionally also. We move a number of things here:
        1. We preallocate memory for the iterator before we call the file-backed memory hook, allowing us to exit early and avoid having to perform complicated and error-prone close/free logic. We carefully free iterator state on both success and error paths.
        2. The enclosing mmap_region() function handles the mapping_map_writable() logic early. Previously the logic had the mapping_map_writable() at the point of mapping a newly allocated file-backed VMA, and a matching mapping_unmap_writable() on success and error paths. We now do this unconditionally if this is a file-backed, shared writable mapping. If a driver changes the flags to eliminate VM_MAYWRITE, however doing so does not invalidate the seal check we just performed, and we in any case always decrement the counter in the wrapper. We perform a debug assert to ensure a driver does not attempt to do the opposite.
        3. We also move arch_validate_flags() up into the mmap_region() function. This is only relevant on arm64 and sparc64, and the check is only meaningful for SPARC with ADI enabled. We explicitly add a warning for this arch if a driver invalidates this check, though the code ought eventually to be fixed to eliminate the need for this.
      With all of these measures in place, we no longer need to explicitly close the VMA on error paths, as we place all checks which might fail prior to a call to any driver mmap hook. This eliminates an entire class of errors, makes the code easier to reason about and more robust.
      Solution(s): debian-upgrade-linux, debian-upgrade-linux-6-1
      References: https://attackerkb.com/topics/cve-2024-53096, CVE-2024-53096, DLA-4008-1
  21. Oracle Linux: CVE-2024-53101: ELSA-2025-20095: Unbreakable Enterprise kernel security update (IMPORTANT) (Multiple Advisories)
      Severity 5, CVSS (AV:L/AC:L/Au:S/C:N/I:N/A:C)
      Published 11/25/2024; Created 02/12/2025; Added 02/10/2025; Modified 02/13/2025
      Description: In the Linux kernel, the following vulnerability has been resolved: fs: Fix uninitialized value issue in from_kuid and from_kgid. ocfs2_setattr() uses attr->ia_mode, attr->ia_uid and attr->ia_gid in a trace point even though ATTR_MODE, ATTR_UID and ATTR_GID aren't set. Initialize all fields of newattrs to avoid uninitialized variables, by checking if ATTR_MODE, ATTR_UID, ATTR_GID are initialized, otherwise 0.
      Solution(s): oracle-linux-upgrade-kernel-uek
      References: https://attackerkb.com/topics/cve-2024-53101, CVE-2024-53101, ELSA-2025-20095, ELSA-2025-20100
  22. Huawei EulerOS: CVE-2024-53096: kernel security update
      Severity 4, CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P)
      Published 11/25/2024; Created 02/12/2025; Added 02/11/2025; Modified 02/11/2025
      Description: In the Linux kernel, the following vulnerability has been resolved: mm: resolve faulty mmap_region() error path behaviour. The mmap_region() function is somewhat terrifying, with spaghetti-like control flow and numerous means by which issues can arise and incomplete state, memory leaks and other unpleasantness can occur. A large amount of the complexity arises from trying to handle errors late in the process of mapping a VMA, which forms the basis of recently observed issues with resource leaks and observable inconsistent state. Taking advantage of previous patches in this series we move a number of checks earlier in the code, simplifying things by moving the core of the logic into a static internal function __mmap_region(). Doing this allows us to perform a number of checks up front before we do any real work, and allows us to unwind the writable unmap check unconditionally as required and to perform a CONFIG_DEBUG_VM_MAPLE_TREE validation unconditionally also. We move a number of things here:
        1. We preallocate memory for the iterator before we call the file-backed memory hook, allowing us to exit early and avoid having to perform complicated and error-prone close/free logic. We carefully free iterator state on both success and error paths.
        2. The enclosing mmap_region() function handles the mapping_map_writable() logic early. Previously the logic had the mapping_map_writable() at the point of mapping a newly allocated file-backed VMA, and a matching mapping_unmap_writable() on success and error paths. We now do this unconditionally if this is a file-backed, shared writable mapping. If a driver changes the flags to eliminate VM_MAYWRITE, however doing so does not invalidate the seal check we just performed, and we in any case always decrement the counter in the wrapper. We perform a debug assert to ensure a driver does not attempt to do the opposite.
        3. We also move arch_validate_flags() up into the mmap_region() function. This is only relevant on arm64 and sparc64, and the check is only meaningful for SPARC with ADI enabled. We explicitly add a warning for this arch if a driver invalidates this check, though the code ought eventually to be fixed to eliminate the need for this.
      With all of these measures in place, we no longer need to explicitly close the VMA on error paths, as we place all checks which might fail prior to a call to any driver mmap hook. This eliminates an entire class of errors, makes the code easier to reason about and more robust.
      Solution(s): huawei-euleros-2_0_sp11-upgrade-bpftool, huawei-euleros-2_0_sp11-upgrade-kernel, huawei-euleros-2_0_sp11-upgrade-kernel-abi-stablelists, huawei-euleros-2_0_sp11-upgrade-kernel-tools, huawei-euleros-2_0_sp11-upgrade-kernel-tools-libs, huawei-euleros-2_0_sp11-upgrade-python3-perf
      References: https://attackerkb.com/topics/cve-2024-53096, CVE-2024-53096, EulerOS-SA-2025-1159
  23. Oracle Linux: CVE-2024-53097: ELSA-2024-12884: Unbreakable Enterprise kernel security update (IMPORTANT) (Multiple Advisories)
      Severity 2, CVSS (AV:L/AC:L/Au:S/C:N/I:N/A:P)
      Published 11/25/2024; Created 12/19/2024; Added 12/17/2024; Modified 01/23/2025
      Description: In the Linux kernel, the following vulnerability has been resolved: mm: krealloc: Fix MTE false alarm in __do_krealloc. This patch addresses an issue introduced by commit 1a83a716ec233 ("mm: krealloc: consider spare memory for __GFP_ZERO") which causes MTE (Memory Tagging Extension) to falsely report a slab-out-of-bounds error. The problem occurs when zeroing out spare memory in __do_krealloc. The original code only considered software-based KASAN and did not account for MTE. It does not reset the KASAN tag before calling memset, leading to a mismatch between the pointer tag and the memory tag, resulting in a false positive. Example of the error:
      ==================================================================
      swapper/0: BUG: KASAN: slab-out-of-bounds in __memset+0x84/0x188
      swapper/0: Write at addr f4ffff8005f0fdf0 by task swapper/0/1
      swapper/0: Pointer tag: [f4], memory tag: [fe]
      swapper/0:
      swapper/0: CPU: 4 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.12.
      swapper/0: Hardware name: MT6991(ENG) (DT)
      swapper/0: Call trace:
      swapper/0: dump_backtrace+0xfc/0x17c
      swapper/0: show_stack+0x18/0x28
      swapper/0: dump_stack_lvl+0x40/0xa0
      swapper/0: print_report+0x1b8/0x71c
      swapper/0: kasan_report+0xec/0x14c
      swapper/0: __do_kernel_fault+0x60/0x29c
      swapper/0: do_bad_area+0x30/0xdc
      swapper/0: do_tag_check_fault+0x20/0x34
      swapper/0: do_mem_abort+0x58/0x104
      swapper/0: el1_abort+0x3c/0x5c
      swapper/0: el1h_64_sync_handler+0x80/0xcc
      swapper/0: el1h_64_sync+0x68/0x6c
      swapper/0: __memset+0x84/0x188
      swapper/0: btf_populate_kfunc_set+0x280/0x3d8
      swapper/0: __register_btf_kfunc_id_set+0x43c/0x468
      swapper/0: register_btf_kfunc_id_set+0x48/0x60
      swapper/0: register_nf_nat_bpf+0x1c/0x40
      swapper/0: nf_nat_init+0xc0/0x128
      swapper/0: do_one_initcall+0x184/0x464
      swapper/0: do_initcall_level+0xdc/0x1b0
      swapper/0: do_initcalls+0x70/0xc0
      swapper/0: do_basic_setup+0x1c/0x28
      swapper/0: kernel_init_freeable+0x144/0x1b8
      swapper/0: kernel_init+0x20/0x1a8
      swapper/0: ret_from_fork+0x10/0x20
      ==================================================================
      Solution(s): oracle-linux-upgrade-kernel-uek
      References: https://attackerkb.com/topics/cve-2024-53097, CVE-2024-53097, ELSA-2024-12884, ELSA-2025-20018
  24. Oracle Linux: CVE-2024-53099: ELSA-2025-20095: Unbreakable Enterprise kernel security update (IMPORTANT) (Multiple Advisories)
      Severity 6, CVSS (AV:L/AC:L/Au:M/C:C/I:N/A:C)
      Published 11/25/2024; Created 02/12/2025; Added 02/10/2025; Modified 02/13/2025
      Description: In the Linux kernel, the following vulnerability has been resolved: bpf: Check validity of link->type in bpf_link_show_fdinfo(). If a newly-added link type doesn't invoke BPF_LINK_TYPE(), accessing bpf_link_type_strs[link->type] may result in an out-of-bounds access. To spot such missed invocations early in the future, checking the validity of link->type in bpf_link_show_fdinfo() and emitting a warning when such invocations are missed.
      Solution(s): oracle-linux-upgrade-kernel-uek
      References: https://attackerkb.com/topics/cve-2024-53099, CVE-2024-53099, ELSA-2025-20095
  25. Foxit Reader: PDF File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability (CVE-2024-9249)
      Severity 6, CVSS (AV:L/AC:M/Au:N/C:C/I:N/A:C)
      Published 11/22/2024; Created 12/11/2024; Added 12/10/2024; Modified 01/28/2025
      Description: Foxit PDF Reader PDF File Parsing Out-Of-Bounds Read Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit PDF Reader. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of PDF files. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-24301.
      Solution(s): foxit-reader-upgrade-latest
      References: https://attackerkb.com/topics/cve-2024-9249, CVE-2024-9249, https://www.foxit.com/support/security-bulletins.html, https://www.zerodayinitiative.com/advisories/ZDI-24-1301/