
CVE-2023-34967 – Samba: type confusion in mdssvc rpc service for spotlight
https://notcve.org/view.php?id=CVE-2023-34967
20 Jul 2023 — A Type Confusion vulnerability was found in Samba's mdssvc RPC service for Spotlight. When parsing Spotlight mdssvc RPC packets, one encoded data structure is a key-value style dictionary where the keys are character strings, and the values can be any of the supported types in the mdssvc protocol. Due to a lack of type checking in callers of the dalloc_value_for_key() function, which returns the object associated with a key, a caller may trigger a crash in talloc_get_size() when talloc detects that the pass... • https://access.redhat.com/errata/RHSA-2023:6667 • CWE-843: Access of Resource Using Incompatible Type ('Type Confusion') •

CVE-2023-34966 – Samba: infinite loop in mdssvc rpc service for spotlight
https://notcve.org/view.php?id=CVE-2023-34966
20 Jul 2023 — An infinite loop vulnerability was found in Samba's mdssvc RPC service for Spotlight. When parsing Spotlight mdssvc RPC packets sent by the client, the core unmarshalling function sl_unpack_loop() did not validate a field in the network packet that contains the count of elements in an array-like structure. By passing 0 as the count value, the attacked function will run in an endless loop consuming 100% CPU. This flaw allows an attacker to issue a malformed RPC request, triggering an infinite loop, resulting... • https://access.redhat.com/errata/RHSA-2023:6667 • CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') •

CVE-2022-2127 – Samba: out-of-bounds read in winbind auth_crap
https://notcve.org/view.php?id=CVE-2022-2127
20 Jul 2023 — An out-of-bounds read vulnerability was found in Samba due to insufficient length checks in winbindd_pam_auth_crap.c. When performing NTLM authentication, the client replies to cryptographic challenges back to the server. These replies have variable lengths, and Winbind fails to check the lan manager response length. When Winbind is used for NTLM authentication, a maliciously crafted request can trigger an out-of-bounds read in Winbind, possibly resulting in a crash. It was discovered that Samba incorrectly... • https://access.redhat.com/errata/RHSA-2023:6667 • CWE-125: Out-of-bounds Read •

CVE-2023-3347 – Samba: smb2 packet signing is not enforced when "server signing = required" is set
https://notcve.org/view.php?id=CVE-2023-3347
20 Jul 2023 — A vulnerability was found in Samba's SMB2 packet signing mechanism. The SMB2 packet signing is not enforced if an admin configured "server signing = required" or for SMB2 connections to Domain Controllers where SMB2 packet signing is mandatory. This flaw allows an attacker to perform attacks, such as a man-in-the-middle attack, by intercepting the network traffic and modifying the SMB2 messages between client and server, affecting the integrity of the data. It was discovered that Samba incorrectly handled W... • https://access.redhat.com/errata/RHSA-2023:4325 • CWE-347: Improper Verification of Cryptographic Signature CWE-924: Improper Enforcement of Message Integrity During Transmission in a Communication Channel •

CVE-2023-34968 – Samba: spotlight server-side share path disclosure
https://notcve.org/view.php?id=CVE-2023-34968
20 Jul 2023 — A path disclosure vulnerability was found in Samba. As part of the Spotlight protocol, Samba discloses the server-side absolute path of shares, files, and directories in the results for search queries. This flaw allows a malicious client or an attacker with a targeted RPC request to view the information that is part of the disclosed path. It was discovered that Samba incorrectly handled Winbind NTLM authentication responses. An attacker could possibly use this issue to cause Samba to crash, resulting in a d... • https://access.redhat.com/errata/RHSA-2023:6667 • CWE-201: Insertion of Sensitive Information Into Sent Data •

CVE-2023-3618 – Segmentation fault in fax3encode in libtiff/tif_fax3.c
https://notcve.org/view.php?id=CVE-2023-3618
12 Jul 2023 — A flaw was found in libtiff. A specially crafted tiff file can lead to a segmentation fault due to a buffer overflow in the Fax3Encode function in libtiff/tif_fax3.c, resulting in a denial of service. It was discovered that LibTIFF could be made to write out of bounds when processing certain malformed image files with the tiffcrop utility. If a user were tricked into opening a specially crafted image file, an attacker could possibly use this issue to cause tiffcrop to crash, resulting in a denial of service... • https://access.redhat.com/security/cve/CVE-2023-3618 • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') •

CVE-2023-3354 – Improper i/o watch removal in tls handshake can lead to remote unauthenticated denial of service
https://notcve.org/view.php?id=CVE-2023-3354
11 Jul 2023 — A flaw was found in the QEMU built-in VNC server. When a client connects to the VNC server, QEMU checks whether the current number of connections crosses a certain threshold and if so, cleans up the previous connection. If the previous connection happens to be in the handshake phase and fails, QEMU cleans up the connection again, resulting in a NULL pointer dereference issue. This could allow a remote unauthenticated client to cause a denial of service. This update for qemu fixes the following issues. • https://access.redhat.com/security/cve/CVE-2023-3354 • CWE-476: NULL Pointer Dereference •

CVE-2023-1672 – Race condition exists in the key generation and rotation functionality
https://notcve.org/view.php?id=CVE-2023-1672
11 Jul 2023 — A race condition exists in the Tang server functionality for key generation and key rotation. This flaw results in a small time window where Tang private keys become readable by other processes on the same host. Brian McDermott discovered that Tang incorrectly handled permissions when creating/rotating keys. A local attacker could possibly use this issue to read the keys. • https://access.redhat.com/security/cve/CVE-2023-1672 • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •

CVE-2023-3269 – Distros-[dirtyvma] privilege escalation via non-rcu-protected vma traversal
https://notcve.org/view.php?id=CVE-2023-3269
06 Jul 2023 — A vulnerability exists in the memory management subsystem of the Linux kernel. The lock handling for accessing and updating virtual memory areas (VMAs) is incorrect, leading to use-after-free problems. This issue can be successfully exploited to execute arbitrary kernel code, escalate containers, and gain root privileges. Ruihan Li discovered that the memory management subsystem in the Linux kernel contained a race condition when accessing VMAs in certain conditions, leading to a use-after-free vulnerabilit... • https://github.com/lrh2000/StackRot • CWE-416: Use After Free •

CVE-2023-3089 – Ocp & fips mode
https://notcve.org/view.php?id=CVE-2023-3089
05 Jul 2023 — A compliance problem was found in the Red Hat OpenShift Container Platform. Red Hat discovered that, when FIPS mode was enabled, not all of the cryptographic modules in use were FIPS-validated. Red Hat Advanced Cluster Management for Kubernetes 2.8.1 images Red Hat Advanced Cluster Management for Kubernetes provides the capabilities to address common challenges that administrators and site reliability engineers face as they work across a range of public and private cloud environments. Clusters and applicati... • https://access.redhat.com/security/cve/CVE-2023-3089 • CWE-327: Use of a Broken or Risky Cryptographic Algorithm CWE-521: Weak Password Requirements CWE-693: Protection Mechanism Failure •