CVE-2023-49298
https://notcve.org/view.php?id=CVE-2023-49298
OpenZFS through 2.1.13 and 2.2.x through 2.2.1, in certain scenarios involving applications that try to rely on efficient copying of file data, can replace file contents with zero-valued bytes and thus potentially disable security mechanisms. NOTE: this issue is not always security related, but can be security related in realistic situations. A possible example is cp, from a recent GNU Core Utilities (coreutils) version, when attempting to preserve a rule set for denying unauthorized access. (One might use cp when configuring access control, such as with the /etc/hosts.deny file specified in the IBM Support reference.) NOTE: this issue occurs less often in version 2.2.1, and in versions before 2.1.4, because of the default configuration in those versions. • https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=275308 https://bugs.gentoo.org/917224 https://github.com/openzfs/zfs/issues/15526 https://github.com/openzfs/zfs/pull/15571 https://github.com/openzfs/zfs/releases/tag/zfs-2.1.14 https://github.com/openzfs/zfs/releases/tag/zfs-2.2.2 https://lists.debian.org/debian-lts-announce/2024/03/msg00019.html https://news.ycombinator.com/item?id=38405731 https://news.ycombinator.com/item?id=38770168 https://web.archive • CWE-639: Authorization Bypass Through User-Controlled Key •
CVE-2023-5978 – Incorrect libcap_net limitation list manipulation
https://notcve.org/view.php?id=CVE-2023-5978
In versions of FreeBSD 13-RELEASE before 13-RELEASE-p5, under certain circumstances the cap_net libcasper(3) service incorrectly validates that updated constraints are strictly subsets of the active constraints. When only a list of resolvable domain names was specified without setting any other limitations, an application could submit a new list of domains including include entries not previously listed. This could permit the application to resolve domain names that were previously restricted. En las versiones 13-RELEASE anteriores a 13-RELEASE-p5 de FreeBSD, bajo ciertas circunstancias el servicio cap_net libcasper(3) valida incorrectamente que las restricciones actualizadas son estrictamente subconjuntos de las restricciones activas. Cuando solo se especificaba una lista de nombres de dominio resolubles sin establecer otras limitaciones, una aplicación podía enviar una nueva lista de dominios que incluyeran entradas que no figuraban anteriormente. • https://security.freebsd.org/advisories/FreeBSD-SA-23:16.cap_net.asc https://security.netapp.com/advisory/ntap-20231214-0003 • CWE-269: Improper Privilege Management •
CVE-2023-5941 – libc stdio buffer overflow
https://notcve.org/view.php?id=CVE-2023-5941
In versions of FreeBSD 12.4-RELEASE prior to 12.4-RELEASE-p7 and FreeBSD 13.2-RELEASE prior to 13.2-RELEASE-p5 the __sflush() stdio function in libc does not correctly update FILE objects' write space members for write-buffered streams when the write(2) system call returns an error. Depending on the nature of an application that calls libc's stdio functions and the presence of errors returned from the write(2) system call (or an overridden stdio write routine) a heap buffer overflow may occur. Such overflows may lead to data corruption or the execution of arbitrary code at the privilege level of the calling program. En las versiones 12.4-RELEASE anteriores a 12.4-RELEASE-p7 y 13.2-RELEASE anteriores a 13.2-RELEASE-p5 de FreeBSD, la función stdio __sflush() en libc no actualiza correctamente los miembros del espacio de escritura de los objetos FILE para secuencias con búfer de escritura cuando la llamada al sistema write(2) devuelve un error. Dependiendo de la naturaleza de una aplicación que llama a las funciones stdio de libc y la presencia de errores devueltos por la llamada al sistema write(2) (o una rutina de escritura stdio anulada), puede ocurrir un desbordamiento del buffer del heap. • https://security.freebsd.org/advisories/FreeBSD-SA-23:15.stdio.asc https://security.netapp.com/advisory/ntap-20231214-0004 • CWE-131: Incorrect Calculation of Buffer Size CWE-787: Out-of-bounds Write •
CVE-2023-5370 – arm64 boot CPUs may lack speculative execution protections
https://notcve.org/view.php?id=CVE-2023-5370
On CPU 0 the check for the SMCCC workaround is called before SMCCC support has been initialized. This resulted in no speculative execution workarounds being installed on CPU 0. En la CPU 0, se llama a la verificación del workaround de SMCCC antes de que se haya inicializado el soporte de SMCCC. Esto resultó en que no se instalaran workarounds de ejecución especulativa en la CPU 0. • https://security.FreeBSD.org/advisories/FreeBSD-SA-23:14.smccc.asc https://security.netapp.com/advisory/ntap-20231124-0005 • CWE-665: Improper Initialization •
CVE-2023-5369 – copy_file_range insufficient capability rights check
https://notcve.org/view.php?id=CVE-2023-5369
Before correction, the copy_file_range system call checked only for the CAP_READ and CAP_WRITE capabilities on the input and output file descriptors, respectively. Using an offset is logically equivalent to seeking, and the system call must additionally require the CAP_SEEK capability. This incorrect privilege check enabled sandboxed processes with only read or write but no seek capability on a file descriptor to read data from or write data to an arbitrary location within the file corresponding to that file descriptor. Antes de la corrección, la llamada al sistema copy_file_range verificó solo las capabilities CAP_READ y CAP_WRITE en los descriptores de archivos de entrada y salida, respectivamente. Usar un desplazamiento es lógicamente equivalente a buscar, y la llamada al sistema debe requerir adicionalmente la capability CAP_SEEK. Esta verificación de privilegios incorrecta permitió que los procesos aislados con solo lectura o escritura pero sin capacidad de búsqueda en un descriptor de archivo leyeran o escribieran datos en una ubicación arbitraria dentro del archivo correspondiente a ese descriptor de archivo. • https://security.FreeBSD.org/advisories/FreeBSD-SA-23:13.capsicum.asc https://security.netapp.com/advisory/ntap-20231124-0009 • CWE-273: Improper Check for Dropped Privileges •