CVE-2018-18397 – kernel: userfaultfd bypasses tmpfs file permissions
https://notcve.org/view.php?id=CVE-2018-18397
The userfaultfd implementation in the Linux kernel before 4.19.7 mishandles access control for certain UFFDIO_ ioctl calls, as demonstrated by allowing local users to write data into holes in a tmpfs file (if the user has read-only access to that file, and that file contains holes), related to fs/userfaultfd.c and mm/userfaultfd.c. La implementación de userfaultfd en el kernel de Linux en versiones anteriores a la 4.17 gestiona de manera incorrecta para ciertas llamadas ioctl UFFDIO_, tal y como queda demostrado al permitir que usuarios locales escriban datos en huecos en un archivo tmpfs (si el usuario tiene acceso de solo lectura a dicho archivo que contiene huecos). Esto está relacionado con fs/userfaultfd.c y mm/userfaultfd.c. A flaw was found in the Linux kernel with files on tmpfs and hugetlbfs. An attacker is able to bypass file permissions on filesystems mounted with tmpfs/hugetlbs to modify a file and possibly disrupt normal system behavior. • http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=29ec90660d68bbdd69507c1c8b4e33aa299278b1 https://access.redhat.com/errata/RHBA-2019:0327 https://access.redhat.com/errata/RHSA-2019:0163 https://access.redhat.com/errata/RHSA-2019:0202 https://access.redhat.com/errata/RHSA-2019:0324 https://access.redhat.com/errata/RHSA-2019:0831 https://bugs.chromium.org/p/project-zero/issues/detail?id=1700 https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.87& • CWE-20: Improper Input Validation CWE-863: Incorrect Authorization •
CVE-2018-18559 – kernel: Use-after-free due to race condition in AF_PACKET implementation
https://notcve.org/view.php?id=CVE-2018-18559
In the Linux kernel through 4.19, a use-after-free can occur due to a race condition between fanout_add from setsockopt and bind on an AF_PACKET socket. This issue exists because of the 15fe076edea787807a7cdc168df832544b58eba6 incomplete fix for a race condition. The code mishandles a certain multithreaded case involving a packet_do_bind unregister action followed by a packet_notifier register action. Later, packet_release operates on only one of the two applicable linked lists. The attacker can achieve Program Counter control. • https://access.redhat.com/errata/RHBA-2019:0327 https://access.redhat.com/errata/RHSA-2019:0163 https://access.redhat.com/errata/RHSA-2019:0188 https://access.redhat.com/errata/RHSA-2019:1170 https://access.redhat.com/errata/RHSA-2019:1190 https://access.redhat.com/errata/RHSA-2019:3967 https://access.redhat.com/errata/RHSA-2019:4159 https://access.redhat.com/errata/RHSA-2020:0174 https://blogs.securiteam.com/index.php/archives/3731 https://access.redhat.com/security/ • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') CWE-416: Use After Free •
CVE-2018-1000805 – python-paramiko: Authentication bypass in auth_handler.py
https://notcve.org/view.php?id=CVE-2018-1000805
Paramiko version 2.4.1, 2.3.2, 2.2.3, 2.1.5, 2.0.8, 1.18.5, 1.17.6 contains a Incorrect Access Control vulnerability in SSH server that can result in RCE. This attack appear to be exploitable via network connectivity. Paramiko en versiones 2.4.1, 2.3.2, 2.2.3, 2.1.5, 2.0.8, 1.18.5 y 1.17.6 contiene una vulnerabilidad de control de acceso incorrecto en el servidor SSH que puede resultar en la ejecución remota de código. Este ataque parece ser explotable mediante conectividad de red. • https://access.redhat.com/errata/RHBA-2018:3497 https://access.redhat.com/errata/RHSA-2018:3347 https://access.redhat.com/errata/RHSA-2018:3406 https://access.redhat.com/errata/RHSA-2018:3505 https://github.com/paramiko/paramiko/issues/1283 https://herolab.usd.de/wp-content/uploads/sites/4/usd20180023.txt https://lists.debian.org/debian-lts-announce/2018/10/msg00018.html https://lists.debian.org/debian-lts-announce/2021/12/msg00025.html https://usn.ubuntu.com/3796-1 h • CWE-305: Authentication Bypass by Primary Weakness CWE-863: Incorrect Authorization •
CVE-2018-10911 – glusterfs: Improper deserialization in dict.c:dict_unserialize() can allow attackers to read arbitrary memory
https://notcve.org/view.php?id=CVE-2018-10911
A flaw was found in the way dic_unserialize function of glusterfs does not handle negative key length values. An attacker could use this flaw to read memory from other locations into the stored dict value. Se ha detectado un error en la forma en la que la función dic_unserialize en glusterfs no gestiona los valores de longitud de clave negativos. Un atacante podría utilizar este error para leer la memoria de otras ubicaciones en el valor dict almacenado. A flaw was found in dict.c:dict_unserialize function of glusterfs, dic_unserialize function does not handle negative key length values. • http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00035.html https://access.redhat.com/errata/RHSA-2018:2607 https://access.redhat.com/errata/RHSA-2018:2608 https://access.redhat.com/errata/RHSA-2018:2892 https://access.redhat.com/errata/RHSA-2018:3242 https://access.redhat.com/errata/RHSA-2018:3470 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10911 https://lists.debian.org/debian-lts-announce/2018/09/msg00021.html https://lists.debian.org/debian-lts • CWE-190: Integer Overflow or Wraparound CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-502: Deserialization of Untrusted Data •
CVE-2018-10873 – spice: Missing check in demarshal.py:write_validate_array_item() allows for buffer overflow and denial of service
https://notcve.org/view.php?id=CVE-2018-10873
A vulnerability was discovered in SPICE before version 0.14.1 where the generated code used for demarshalling messages lacked sufficient bounds checks. A malicious client or server, after authentication, could send specially crafted messages to its peer which would result in a crash or, potentially, other impacts. Se ha descubierto una vulnerabilidad en SPICE en versiones anteriores a la 0.14.1 en la que el código generado utilizado para deserializar mensajes carecía de comprobaciones de límites suficientes. Un cliente o servidor malicioso, después de la autenticación, podría enviar mensajes especialmente manipulados a su peer, lo que resultaría en un cierre inesperado o, potencialmente, otros impactos. A vulnerability was discovered in SPICE where the generated code used for demarshalling messages lacked sufficient bounds checks. • http://www.securityfocus.com/bid/105152 https://access.redhat.com/errata/RHSA-2018:2731 https://access.redhat.com/errata/RHSA-2018:2732 https://access.redhat.com/errata/RHSA-2018:3470 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10873 https://gitlab.freedesktop.org/spice/spice-common/commit/bb15d4815ab586b4c4a20f4a565970a44824c42c https://lists.debian.org/debian-lts-announce/2018/08/msg00035.html https://lists.debian.org/debian-lts-announce/2018/08/msg00037.html https://lists.debi • CWE-20: Improper Input Validation CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •