Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net/sched: cls_flow: fix NULL pointer dereference on shared blocks<br /> <br /> flow_change() calls tcf_block_q() and dereferences q-&gt;handle to derive<br /> a default baseclass. Shared blocks leave block-&gt;q NULL, causing a NULL<br /> deref when a flow filter without a fully qualified baseclass is created<br /> on a shared block.<br /> <br /> Check tcf_block_shared() before accessing block-&gt;q and return -EINVAL<br /> for shared blocks. This avoids the null-deref shown below:<br /> <br /> =======================================================================<br /> KASAN: null-ptr-deref in range [0x0000000000000038-0x000000000000003f]<br /> RIP: 0010:flow_change (net/sched/cls_flow.c:508)<br /> Call Trace:<br /> tc_new_tfilter (net/sched/cls_api.c:2432)<br /> rtnetlink_rcv_msg (net/core/rtnetlink.c:6980)<br /> [...]<br /> =======================================================================

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> netfilter: nf_conntrack_expect: use expect-&gt;helper<br /> <br /> Use expect-&gt;helper in ctnetlink and /proc to dump the helper name.<br /> Using nfct_help() without holding a reference to the master conntrack<br /> is unsafe.<br /> <br /> Use exp-&gt;master-&gt;helper in ctnetlink path if userspace does not provide<br /> an explicit helper when creating an expectation to retain the existing<br /> behaviour. The ctnetlink expectation path holds the reference on the<br /> master conntrack and nf_conntrack_expect lock and the nfnetlink glue<br /> path refers to the master ct that is attached to the skb.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ipv6: avoid overflows in ip6_datagram_send_ctl()<br /> <br /> Yiming Qian reported :<br /> <br /> I believe I found a locally triggerable kernel bug in the IPv6 sendmsg<br /> ancillary-data path that can panic the kernel via `skb_under_panic()`<br /> (local DoS).<br /> <br /> The core issue is a mismatch between:<br /> <br /> - a 16-bit length accumulator (`struct ipv6_txoptions::opt_flen`, type<br /> `__u16`) and<br /> - a pointer to the *last* provided destination-options header (`opt-&gt;dst1opt`)<br /> <br /> when multiple `IPV6_DSTOPTS` control messages (cmsgs) are provided.<br /> <br /> - `include/net/ipv6.h`:<br /> - `struct ipv6_txoptions::opt_flen` is `__u16` (wrap possible).<br /> (lines 291-307, especially 298)<br /> - `net/ipv6/datagram.c:ip6_datagram_send_ctl()`:<br /> - Accepts repeated `IPV6_DSTOPTS` and accumulates into `opt_flen`<br /> without rejecting duplicates. (lines 909-933)<br /> - `net/ipv6/ip6_output.c:__ip6_append_data()`:<br /> - Uses `opt-&gt;opt_flen + opt-&gt;opt_nflen` to compute header<br /> sizes/headroom decisions. (lines 1448-1466, especially 1463-1465)<br /> - `net/ipv6/ip6_output.c:__ip6_make_skb()`:<br /> - Calls `ipv6_push_frag_opts()` if `opt-&gt;opt_flen` is non-zero.<br /> (lines 1930-1934)<br /> - `net/ipv6/exthdrs.c:ipv6_push_frag_opts()` / `ipv6_push_exthdr()`:<br /> - Push size comes from `ipv6_optlen(opt-&gt;dst1opt)` (based on the<br /> pointed-to header). (lines 1179-1185 and 1206-1211)<br /> <br /> 1. `opt_flen` is a 16-bit accumulator:<br /> <br /> - `include/net/ipv6.h:298` defines `__u16 opt_flen; /* after fragment hdr */`.<br /> <br /> 2. `ip6_datagram_send_ctl()` accepts *repeated* `IPV6_DSTOPTS` cmsgs<br /> and increments `opt_flen` each time:<br /> <br /> - In `net/ipv6/datagram.c:909-933`, for `IPV6_DSTOPTS`:<br /> - It computes `len = ((hdr-&gt;hdrlen + 1) opt_flen += len;` (line 927)<br /> - `opt-&gt;dst1opt = hdr;` (line 928)<br /> <br /> There is no duplicate rejection here (unlike the legacy<br /> `IPV6_2292DSTOPTS` path which rejects duplicates at<br /> `net/ipv6/datagram.c:901-904`).<br /> <br /> If enough large `IPV6_DSTOPTS` cmsgs are provided, `opt_flen` wraps<br /> while `dst1opt` still points to a large (2048-byte)<br /> destination-options header.<br /> <br /> In the attached PoC (`poc.c`):<br /> <br /> - 32 cmsgs with `hdrlen=255` =&gt; `len = (255+1)*8 = 2048`<br /> - 1 cmsg with `hdrlen=0` =&gt; `len = 8`<br /> - Total increment: `32*2048 + 8 = 65544`, so `(__u16)opt_flen == 8`<br /> - The last cmsg is 2048 bytes, so `dst1opt` points to a 2048-byte header.<br /> <br /> 3. The transmit path sizes headers using the wrapped `opt_flen`:<br /> <br /> - In `net/ipv6/ip6_output.c:1463-1465`:<br /> - `headersize = sizeof(struct ipv6hdr) + (opt ? opt-&gt;opt_flen +<br /> opt-&gt;opt_nflen : 0) + ...;`<br /> <br /> With wrapped `opt_flen`, `headersize`/headroom decisions underestimate<br /> what will be pushed later.<br /> <br /> 4. When building the final skb, the actual push length comes from<br /> `dst1opt` and is not limited by wrapped `opt_flen`:<br /> <br /> - In `net/ipv6/ip6_output.c:1930-1934`:<br /> - `if (opt-&gt;opt_flen) proto = ipv6_push_frag_opts(skb, opt, proto);`<br /> - In `net/ipv6/exthdrs.c:1206-1211`, `ipv6_push_frag_opts()` pushes<br /> `dst1opt` via `ipv6_push_exthdr()`.<br /> - In `net/ipv6/exthdrs.c:1179-1184`, `ipv6_push_exthdr()` does:<br /> - `skb_push(skb, ipv6_optlen(opt));`<br /> - `memcpy(h, opt, ipv6_optlen(opt));`<br /> <br /> With insufficient headroom, `skb_push()` underflows and triggers<br /> `skb_under_panic()` -&gt; `BUG()`:<br /> <br /> - `net/core/skbuff.c:2669-2675` (`skb_push()` calls `skb_under_panic()`)<br /> - `net/core/skbuff.c:207-214` (`skb_panic()` ends in `BUG()`)<br /> <br /> - The `IPV6_DSTOPTS` cmsg path requires `CAP_NET_RAW` in the target<br /> netns user namespace (`ns_capable(net-&gt;user_ns, CAP_NET_RAW)`).<br /> - Root (or any task with `CAP_NET_RAW`) can trigger this without user<br /> namespaces.<br /> - An unprivileged `uid=1000` user can trigger this if unprivileged<br /> user namespaces are enabled and it can create a userns+netns to obtain<br /> namespaced `CAP_NET_RAW` (the attached PoC does this).<br /> <br /> - Local denial of service: kernel BUG/panic (system crash).<br /> -<br /> ---truncated---

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> netfilter: nfnetlink_log: account for netlink header size<br /> <br /> This is a followup to an old bug fix: NLMSG_DONE needs to account<br /> for the netlink header size, not just the attribute size.<br /> <br /> This can result in a WARN splat + drop of the netlink message,<br /> but other than this there are no ill effects.

Sourcecodester Cab Management System v1.0 is vulnerable to SQL injection in the file /cms/admin/categories/view_category.php.

Sourcecodester Cab Management System 1.0 is vulnerable to SQL Injection in the file /cms/admin/bookings/view_booking.php.

Sourcecodester Basic Library System v1.0 is vulnerable to SQL Injection in /librarysystem/load_book.php.

Sourcecodester Basic Library System v1.0 is vulnerable to SQL Injection in /librarysystem/load_admin.php.

Sourcecodester Basic Library System v1.0 is vulnerable to SQL Injection in /librarysystem/load_student.php.

Sourcecodester Online Reviewer System v1.0 is vulnerale to SQL Injection in the file /system/system/admins/assessments/examproper/exam-update.php.

Sourcecodester Online Reviewer System v1.0 is vulnerable to SQL Injection in the file /system/system/admins/assessments/examproper/questions-view.php.

Server-Side Request Forgery via SW-URL Header vulnerability in Apache SkyWalking MCP.<br /> <br /> This issue affects Apache SkyWalking MCP: 0.1.0.<br /> <br /> Users are recommended to upgrade to version 0.2.0, which fixes this issue.