Instituto Nacional de Ciberseguridad. INCIBE section
Instituto Nacional de Ciberseguridad. INCIBE-CERT section

Vulnerabilities

To inform, warn and assist professionals about the latest security vulnerabilities in technology systems, we make available to anyone interested a database with Spanish-language information on each of the latest documented and known vulnerabilities.

This repository, with more than 75,000 records, is based on the information published by the NVD (National Vulnerability Database) under a collaboration agreement by which INCIBE translates that information into Spanish. At times this list will show vulnerabilities that have not yet been translated, because they are collected while the INCIBE team is still carrying out the translation.

The CVE (Common Vulnerabilities and Exposures) naming standard is used so that information can be exchanged between different databases and tools. Each vulnerability listed links to several sources of information as well as to the patches or workarounds published by vendors and developers. Advanced searches are available: results can be narrowed by criteria such as vulnerability type, vendor and impact type, among others.

Through the RSS feed or the newsletters you can receive daily notice of the latest vulnerabilities added to the repository.

CVE-2026-23115

Publication date:
14/02/2026
Language:
English
*** Pending translation *** In the Linux kernel, the following vulnerability has been resolved:

serial: Fix not set tty->port race condition

Revert commit bfc467db60b7 ("serial: remove redundant tty_port_link_device()") because the tty_port_link_device() is not redundant: the tty->port has to be configured before we call uart_configure_port(), otherwise user-space can open console without TTY linked to the driver.

This tty_port_link_device() was added explicitly to avoid this exact issue in commit fb2b90014d78 ("tty: link tty and port before configuring it as console"), so offending commit basically reverted the fix saying it is redundant without addressing the actual race condition presented there.

Reproducible always as tty->port warning on Qualcomm SoC with most of devices disabled, so with very fast boot, and one serial device being the console:

printk: legacy console [ttyMSM0] enabled
printk: legacy console [ttyMSM0] enabled
printk: legacy bootconsole [qcom_geni0] disabled
printk: legacy bootconsole [qcom_geni0] disabled
------------[ cut here ]------------
tty_init_dev: ttyMSM driver does not set tty->port. This would crash the kernel. Fix the driver!
WARNING: drivers/tty/tty_io.c:1414 at tty_init_dev.part.0+0x228/0x25c, CPU#2: systemd/1
Modules linked in: socinfo tcsrcc_eliza gcc_eliza sm3_ce fuse ipv6
CPU: 2 UID: 0 PID: 1 Comm: systemd Tainted: G S 6.19.0-rc4-next-20260108-00024-g2202f4d30aa8 #73 PREEMPT
Tainted: [S]=CPU_OUT_OF_SPEC
Hardware name: Qualcomm Technologies, Inc. Eliza (DT)
...
tty_init_dev.part.0 (drivers/tty/tty_io.c:1414 (discriminator 11)) (P)
tty_open (arch/arm64/include/asm/atomic_ll_sc.h:95 (discriminator 3) drivers/tty/tty_io.c:2073 (discriminator 3) drivers/tty/tty_io.c:2120 (discriminator 3))
chrdev_open (fs/char_dev.c:411)
do_dentry_open (fs/open.c:962)
vfs_open (fs/open.c:1094)
do_open (fs/namei.c:4634)
path_openat (fs/namei.c:4793)
do_filp_open (fs/namei.c:4820)
do_sys_openat2 (fs/open.c:1391 (discriminator 3))
...
Starting Network Name Resolution...

Apparently the flow with this small Yocto-based ramdisk user-space is:

driver (qcom_geni_serial.c):                  user-space:
============================                  ===========
qcom_geni_serial_probe()
  uart_add_one_port()
    serial_core_register_port()
      serial_core_add_one_port()
        uart_configure_port()
          register_console()
                    |
                    |                         open console
                    |                         ...
                    |                         tty_init_dev()
                    |                         driver->ports[idx] is NULL
                    |
  tty_port_register_device_attr_serdev()
    tty_port_link_device()  ports[idx]
Severity: Pending analysis
Last modified:
14/02/2026

CVE-2026-23116

Publication date:
14/02/2026
Language:
English
*** Pending translation *** In the Linux kernel, the following vulnerability has been resolved:

pmdomain: imx8m-blk-ctrl: Remove separate rst and clk mask for 8mq vpu

For i.MX8MQ platform, the ADB in the VPUMIX domain has no separate reset and clock enable bits, but is ungated and reset together with the VPUs. So we can't reset G1 or G2 separately, it may lead to the system hang. Remove rst_mask and clk_mask of imx8mq_vpu_blk_ctl_domain_data. Let imx8mq_vpu_power_notifier() do really vpu reset.
Severity: Pending analysis
Last modified:
14/02/2026

CVE-2026-23117

Publication date:
14/02/2026
Language:
English
*** Pending translation *** In the Linux kernel, the following vulnerability has been resolved:

ice: add missing ice_deinit_hw() in devlink reinit path

devlink-reload results in ice_init_hw failed error, and then removing the ice driver causes a NULL pointer dereference.

[ +0.102213] ice 0000:ca:00.0: ice_init_hw failed: -16
...
[ +0.000001] Call Trace:
[ +0.000003]
[ +0.000006] ice_unload+0x8f/0x100 [ice]
[ +0.000081] ice_remove+0xba/0x300 [ice]

Commit 1390b8b3d2be ("ice: remove duplicate call to ice_deinit_hw() on error paths") removed ice_deinit_hw() from ice_deinit_dev(). As a result ice_devlink_reinit_down() no longer calls ice_deinit_hw(), but ice_devlink_reinit_up() still calls ice_init_hw(). Since the control queues are not uninitialized, ice_init_hw() fails with -EBUSY.

Add ice_deinit_hw() to ice_devlink_reinit_down() to correspond with ice_init_hw() in ice_devlink_reinit_up().
Severity: Pending analysis
Last modified:
14/02/2026

CVE-2026-23118

Publication date:
14/02/2026
Language:
English
*** Pending translation *** In the Linux kernel, the following vulnerability has been resolved:

rxrpc: Fix data-race warning and potential load/store tearing

Fix the following:

BUG: KCSAN: data-race in rxrpc_peer_keepalive_worker / rxrpc_send_data_packet

which is reporting an issue with the reads and writes to ->last_tx_at in:

conn->peer->last_tx_at = ktime_get_seconds();

and:

keepalive_at = peer->last_tx_at + RXRPC_KEEPALIVE_TIME;

The lockless accesses to these two values aren't actually a problem as the read only needs an approximate time of last transmission for the purposes of deciding whether or not the transmission of a keepalive packet is warranted yet.

Also, as ->last_tx_at is a 64-bit value, tearing can occur on a 32-bit arch.

Fix both of these by switching to an unsigned int for ->last_tx_at and only storing the LSW of the time64_t. It can then be reconstructed at need provided no more than 68 years has elapsed since the last transmission.
Severity: Pending analysis
Last modified:
14/02/2026

CVE-2025-71200

Publication date:
14/02/2026
Language:
English
*** Pending translation *** In the Linux kernel, the following vulnerability has been resolved:

mmc: sdhci-of-dwcmshc: Prevent illegal clock reduction in HS200/HS400 mode

When operating in HS200 or HS400 timing modes, reducing the clock frequency below 52MHz will lead to link broken as the Rockchip DWC MSHC controller requires maintaining a minimum clock of 52MHz in these modes.

Add a check to prevent illegal clock reduction through debugfs:

root@debian:/# echo 50000000 > /sys/kernel/debug/mmc0/clock
root@debian:/# [ 30.090146] mmc0: running CQE recovery
mmc0: cqhci: Failed to halt
mmc0: cqhci: spurious TCN for tag 0
WARNING: drivers/mmc/host/cqhci-core.c:797 at cqhci_irq+0x254/0x818, CPU#1: kworker/1:0H/24
Modules linked in:
CPU: 1 UID: 0 PID: 24 Comm: kworker/1:0H Not tainted 6.19.0-rc1-00001-g09db0998649d-dirty #204 PREEMPT
Hardware name: Rockchip RK3588 EVB1 V10 Board (DT)
Workqueue: kblockd blk_mq_run_work_fn
pstate: 604000c9 (nZCv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : cqhci_irq+0x254/0x818
lr : cqhci_irq+0x254/0x818
...
Severity: Pending analysis
Last modified:
14/02/2026

CVE-2026-2312

Publication date:
14/02/2026
Language:
English
*** Pending translation *** The Media Library Folders plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 8.3.6 via the delete_maxgalleria_media() and maxgalleria_rename_image() functions due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Author-level access and above, to delete or rename attachments owned by other users (including administrators). The rename flow also deletes all postmeta for the target attachment, causing data loss.
CVSS v3.1 severity: MEDIUM
Last modified:
14/02/2026

CVE-2026-1512

Publication date:
14/02/2026
Language:
English
*** Pending translation *** The Essential Addons for Elementor – Popular Elementor Templates & Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Info Box widget in all versions up to, and including, 6.5.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVSS v3.1 severity: MEDIUM
Last modified:
14/02/2026

CVE-2026-1254

Publication date:
14/02/2026
Language:
English
*** Pending translation *** The Modula Image Gallery – Photo Grid & Video Gallery plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.13.6. This is due to the plugin not properly verifying that a user is authorized to modify specific posts before updating them via the REST API. This makes it possible for authenticated attackers, with contributor level access and above, to update the title, excerpt, and content of arbitrary posts by passing post IDs in the modulaImages field when editing a gallery.
CVSS v3.1 severity: MEDIUM
Last modified:
14/02/2026
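CVE-2026-2312 and CVE-2026-1254 are the same defect seen from two entry points: a handler receives an object ID chosen by the caller and acts on it after checking only that the caller is logged in (or holds a blanket capability such as edit_posts), never that the caller may touch that particular object. The example below is added here to show the per-object check; it is not code from Media Library Folders or Modula, and the function names, the AJAX action, the REST route `example/v1/gallery` and the `items` field are hypothetical.

```php
<?php
// Added example: object-level authorization for a delete handler and a
// REST update handler. All names are hypothetical; not plugin code.

// Vulnerable pattern: any logged-in user can delete any attachment, because
// the ID is trusted and the only check is "is someone logged in".
function example_delete_media_vulnerable() {
    $id = absint( $_POST['id'] ?? 0 );
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'not logged in', 401 );
    }
    wp_delete_attachment( $id, true ); // an Author can delete an admin's file
    wp_send_json_success();
}

// Hardened: CSRF nonce, object type check, and a capability evaluated
// against THIS object. delete_post resolves to delete_posts for the owner's
// own posts and delete_others_posts otherwise, so an Author is refused for
// attachments owned by other users while an Administrator is not.
function example_delete_media_hardened() {
    check_ajax_referer( 'example_delete_media', 'nonce' );
    $id   = absint( $_POST['id'] ?? 0 );
    $post = get_post( $id );
    if ( ! $post || 'attachment' !== $post->post_type ) {
        wp_send_json_error( 'not an attachment', 404 );
    }
    if ( ! current_user_can( 'delete_post', $id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    wp_delete_attachment( $id, true );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_delete_media', 'example_delete_media_hardened' );

// Same rule for a REST endpoint that receives a list of post IDs. A
// permission_callback that checks edit_posts only proves the caller may
// edit *something*; each ID still needs edit_post before wp_update_post().
function example_register_update_route() {
    register_rest_route( 'example/v1', '/gallery', array(
        'methods'             => 'POST',
        'permission_callback' => function () {
            return current_user_can( 'edit_posts' );
        },
        'callback'            => 'example_update_gallery_items',
        'args'                => array(
            'items' => array( 'required' => true, 'type' => 'array' ),
        ),
    ) );
}
add_action( 'rest_api_init', 'example_register_update_route' );

function example_update_gallery_items( WP_REST_Request $request ) {
    $updated = array();
    foreach ( (array) $request->get_param( 'items' ) as $item ) {
        $id = absint( $item['id'] ?? 0 );
        // Fail the whole request on the first ID the caller may not edit,
        // rather than silently skipping it: a 403 makes the attempt visible.
        if ( ! $id || ! current_user_can( 'edit_post', $id ) ) {
            return new WP_Error( 'rest_forbidden', 'Cannot edit post ' . $id, array( 'status' => 403 ) );
        }
        wp_update_post( array(
            'ID'         => $id,
            'post_title' => sanitize_text_field( $item['title'] ?? '' ),
        ), true );
        $updated[] = $id;
    }
    return rest_ensure_response( array( 'updated' => $updated ) );
}
```

The rename path in CVE-2026-2312 needs the same `current_user_can( 'edit_post', $id )` check before it touches the attachment or its postmeta; whichever capability string is used, the decisive part is passing the object ID as the second argument so that ownership is taken into account.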

CVE-2026-1258

Publication date:
14/02/2026
Language:
English
*** Pending translation *** The Mail Mint plugin for WordPress is vulnerable to blind SQL Injection via the 'forms', 'automation', 'email/templates', and 'contacts/import/tutorlms/map' API endpoints in all versions up to, and including, 1.19.2. This is due to insufficient escaping on the user supplied 'order-by', 'order-type', and 'selectedCourses' parameters and lack of sufficient preparation on the existing SQL queries. This makes it possible for authenticated attackers, with administrator level access and above, to append additional SQL queries into already existing queries.
CVSS v3.1 severity: MEDIUM
Last modified:
14/02/2026
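Sort column, sort direction and an ID list are the three parameter kinds named in CVE-2026-1258, and they are the ones `$wpdb->prepare()` cannot protect on its own: placeholders bind values, not identifiers or keywords, and a list needs one placeholder per element. The example below is added to show the allowlist and per-element binding a reviewer would ask for; it is not Mail Mint's code, and the table `example_forms`, its columns and the function names are hypothetical.

```php
<?php
// Added example: ORDER BY and IN (...) built from request parameters.
// Table, column and function names are hypothetical; not plugin code.

// Vulnerable: prepare() binds only %d. The identifier and direction are
// interpolated, so whatever the request sends for order-by / order-type
// is executed as part of the statement.
function example_list_forms_vulnerable( $order_by, $order_type, $per_page ) {
    global $wpdb;
    $table = $wpdb->prefix . 'example_forms';
    $sql   = $wpdb->prepare(
        "SELECT id, title FROM {$table} ORDER BY {$order_by} {$order_type} LIMIT %d",
        $per_page
    );
    return $wpdb->get_results( $sql );
}

// Hardened: request strings select from a fixed set; unknown values fall
// back to a default instead of reaching the SQL text.
const EXAMPLE_FORM_SORT_COLUMNS = array( 'id', 'title', 'created_at', 'updated_at' );

function example_sort_clause( $order_by, $order_type ) {
    $column = in_array( $order_by, EXAMPLE_FORM_SORT_COLUMNS, true ) ? $order_by : 'id';
    $dir    = 'ASC' === strtoupper( (string) $order_type ) ? 'ASC' : 'DESC';
    return "`{$column}` {$dir}"; // both parts now come from constants only
}

function example_list_forms_hardened( $order_by, $order_type, $per_page ) {
    global $wpdb;
    $table = $wpdb->prefix . 'example_forms';
    $sql   = $wpdb->prepare(
        "SELECT id, title FROM {$table} ORDER BY "
            . example_sort_clause( $order_by, $order_type ) . ' LIMIT %d',
        absint( $per_page ) ?: 20
    );
    return $wpdb->get_results( $sql );
}

// List parameter (the selectedCourses case): coerce each element to an
// integer and bind each one with its own %d placeholder.
function example_courses_clause( array $ids ) {
    global $wpdb;
    $ids = array_filter( array_map( 'absint', $ids ) );
    if ( empty( $ids ) ) {
        return '0'; // empty list: always-false condition, still valid SQL
    }
    $placeholders = implode( ', ', array_fill( 0, count( $ids ), '%d' ) );
    return $wpdb->prepare( "course_id IN ({$placeholders})", array_values( $ids ) );
}
```

Note that `esc_sql()` on the sort parameters would not have been enough either: it escapes quotes inside a string literal, while an ORDER BY expression is never inside quotes. The allowlist is the only construction that keeps attacker-controlled bytes out of the statement entirely.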

CVE-2026-1843

Publication date:
14/02/2026
Language:
English
*** Pending translation *** The Super Page Cache plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Activity Log in all versions up to, and including, 5.2.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVSS v3.1 severity: HIGH
Last modified:
14/02/2026

CVE-2025-8572

Publication date:
14/02/2026
Language:
English
*** Pending translation *** The Truelysell Core plugin for WordPress is vulnerable to privilege escalation in versions less than, or equal to, 1.8.7. This is due to insufficient validation of the user_role parameter during user registration. This makes it possible for unauthenticated attackers to create accounts with elevated privileges, including administrator access.
CVSS v3.1 severity: CRITICAL
Last modified:
14/02/2026
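A registration form that forwards a `user_role` field into `wp_insert_user()` lets the request choose its own role, which is the whole of CVE-2025-8572. The example below is added to put that pattern next to the usual fix, a fixed set of roles a visitor may pick for themselves, with everything else collapsing to the site's default role. It is not Truelysell Core's code; the role names `customer` and `provider` and the function names are hypothetical.

```php
<?php
// Added example: self-registration with an attacker-chosen role, and the
// allowlisted version. Role and function names are hypothetical.

// Vulnerable: the role is whatever the form posted, so an unauthenticated
// request with user_role=administrator yields an administrator account.
function example_register_vulnerable( array $post ) {
    return wp_insert_user( array(
        'user_login' => sanitize_user( $post['username'] ?? '' ),
        'user_email' => sanitize_email( $post['email'] ?? '' ),
        'user_pass'  => (string) ( $post['password'] ?? '' ),
        'role'       => $post['user_role'] ?? 'subscriber',
    ) );
}

// Roles a visitor may choose for themselves. The request can only select
// among these; it cannot name a role outside the set.
const EXAMPLE_SELF_ASSIGNABLE_ROLES = array( 'customer', 'provider' );

function example_resolve_role( $requested ) {
    $requested = sanitize_key( (string) $requested );
    if ( in_array( $requested, EXAMPLE_SELF_ASSIGNABLE_ROLES, true )
        && wp_roles()->is_role( $requested ) ) {
        return $requested;
    }
    // Anything else, including 'administrator', becomes the site default.
    return get_option( 'default_role', 'subscriber' );
}

function example_register_hardened( array $post ) {
    if ( ! get_option( 'users_can_register' ) ) {
        return new WP_Error( 'registration_closed', 'Registration is disabled.' );
    }
    $login = sanitize_user( $post['username'] ?? '', true );
    $email = sanitize_email( $post['email'] ?? '' );
    $pass  = (string) ( $post['password'] ?? '' );
    if ( '' === $login || ! is_email( $email ) || strlen( $pass ) < 12 ) {
        return new WP_Error( 'invalid_input', 'Invalid registration data.' );
    }
    return wp_insert_user( array(
        'user_login' => $login,
        'user_email' => $email,
        'user_pass'  => $pass,
        'role'       => example_resolve_role( $post['user_role'] ?? '' ),
    ) );
}
```

The same rule applies to any profile-update path that accepts a `role` field: the value the client sends is an index into a server-side allowlist, never the role string itself.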

CVE-2026-0550

Publication date:
14/02/2026
Language:
English
*** Pending translation *** The myCred plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'mycred_load_coupon' shortcode in all versions up to, and including, 2.9.7.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVSS v3.1 severity: MEDIUM
Last modified:
14/02/2026
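Three entries on this page (CVE-2026-1512, CVE-2026-1843 and CVE-2026-0550) are stored XSS with the same root cause: a value a low-privileged or unauthenticated party controls is written into HTML without escaping for the context it lands in. Shortcode and widget attributes (a Contributor's input) and an activity log (any HTTP client's input) differ only in who supplies the string. The example below is added to show output escaping for both cases; it is not code from Essential Addons, Super Page Cache or myCred, and the shortcode `example_box`, the option `example_activity_log` and the function names are hypothetical.

```php
<?php
// Added example: escape-on-output for a shortcode attribute and for an
// activity log fed by unauthenticated requests. Names are hypothetical.

// Vulnerable: a Contributor's shortcode attributes are concatenated into
// markup, so [example_box title="..." url="..."] can carry script or an
// event handler that runs for every visitor of the published page.
function example_box_shortcode_vulnerable( $atts ) {
    $atts = shortcode_atts( array( 'title' => '', 'url' => '#' ), $atts );
    return '<a class="box" href="' . $atts['url'] . '">' . $atts['title'] . '</a>';
}

// Hardened: escape for the exact context. esc_url() additionally rejects
// schemes such as javascript:, which esc_attr() alone would let through.
function example_box_shortcode_hardened( $atts ) {
    $atts = shortcode_atts( array( 'title' => '', 'url' => '#' ), $atts );
    return '<a class="box" href="' . esc_url( $atts['url'] ) . '">'
         . esc_html( $atts['title'] ) . '</a>';
}
add_shortcode( 'example_box', 'example_box_shortcode_hardened' );

// Activity log: the requester is unauthenticated, so request line and
// headers are attacker input. Sanitize before storing AND escape when
// rendering; once unsanitized rows exist, only output escaping protects
// the administrator who views them.
function example_log_request() {
    $entry = array(
        'time' => time(),
        'uri'  => esc_url_raw( wp_unslash( $_SERVER['REQUEST_URI'] ?? '' ) ),
        'ua'   => sanitize_text_field( wp_unslash( $_SERVER['HTTP_USER_AGENT'] ?? '' ) ),
    );
    $log   = get_option( 'example_activity_log', array() );
    $log[] = $entry;
    update_option( 'example_activity_log', array_slice( $log, -500 ), false );
}

function example_render_log() {
    $rows = get_option( 'example_activity_log', array() );
    echo '<table class="widefat"><tr><th>Time</th><th>URI</th><th>User-Agent</th></tr>';
    foreach ( $rows as $row ) {
        // esc_html() on every cell, including fields stored by older code
        // that may have skipped sanitization.
        echo '<tr><td>' . esc_html( gmdate( 'c', (int) ( $row['time'] ?? 0 ) ) ) . '</td>'
           . '<td>' . esc_html( $row['uri'] ?? '' ) . '</td>'
           . '<td>' . esc_html( $row['ua'] ?? '' ) . '</td></tr>';
    }
    echo '</table>';
}
```

The escaping function follows the sink, not the source: `esc_html()` for text nodes, `esc_attr()` for attribute values, `esc_url()` for href/src, and `wp_kses_post()` only where a limited set of tags is genuinely meant to be allowed.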