Andrea Barisani

Name of the Vulnerable Software and Affected Versions: Trusted Firmware OP-TEE Trusted OS versions through 3.15.0 Description: An issue in the OPTEE-OS CSU driver for NXP i.MX6UL SoC devices lacks security access configuration for wakeup-related registers. This results in TrustZone bypass, allowing the NonSecure World to perform arbitrary memory read/write operations on Secure World memory. The issue involves a v cycle. Recommendations: For versions through 3.15.0, consider disabling the CSU driver for NXP i.MX6UL SoC devices as a temporary workaround until a patch is available. Restrict access to the Secure World memory to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: OPTEE-OS CSU driver for NXP i.MX SoC devices (affected versions not specified) Description: The issue involves a lack of security access configuration in the OPTEE-OS CSU driver for several NXP i.MX SoC device models. This results in a TrustZone bypass, allowing the NonSecure World to perform arbitrary memory read and write operations on Secure World memory. The exploitation of this issue involves a DMA capable peripheral. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** DENX U-Boot versions through 2018.09-rc1 **Description** The issue is a buffer overflow that can be exploited remotely through a malicious TFTP server due to mishandled TFTP traffic. Additionally, local exploitation is possible via a crafted kernel image. **Recommendations** For DENX U-Boot versions through 2018.09-rc1, as a temporary workaround, consider restricting access to TFTP servers and avoiding the use of crafted kernel images until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** DENX U-Boot versions prior to 2018.09-rc1 **Description** The issue arises from mishandled filesystem loading, leading to a locally exploitable buffer overflow when a crafted kernel image is used. **Recommendations** For versions prior to 2018.09-rc1, update to a version that properly handles filesystem loading to prevent the buffer overflow.

**Name of the Vulnerable Software and Affected Versions** Apple iOS versions prior to 9.3 OS X versions prior to 10.11.4 **Description** The issue is caused by a buffer overflow in the AppleUSBNetworking component, allowing physically proximate attackers to execute arbitrary code in a privileged context or cause a denial of service (memory corruption) via a crafted USB device. **Recommendations** For Apple iOS versions prior to 9.3, update to version 9.3 or later. For OS X versions prior to 10.11.4, update to version 10.11.4 or later.

**Name of the Vulnerable Software and Affected Versions** MantisBT versions prior to 1.2.16 **Description** The issue allows remote attackers to execute arbitrary SQL commands via a crafted envelope tag in a "mc issue attachment get" SOAP request. This is due to a SQL injection vulnerability in the mci file get function in api/soap/mc file api.php. **Recommendations** For versions prior to 1.2.16, update to version 1.2.16 or later to resolve the issue. As a temporary workaround, consider restricting access to the `mci file get` function in `api/soap/mc file api.php` to minimize the risk of exploitation. Avoid using crafted envelope tags in `mc issue attachment get` SOAP requests until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Chyrp versions 2.0 and earlier **Description** The issue allows remote authenticated users to upload a .php file and execute arbitrary PHP code via a write post action to the default URI under admin/. This is possible because the upload handler.php in the swfupload extension relies on client-side JavaScript code to restrict the file extensions of uploaded files. **Recommendations** For Chyrp versions 2.0 and earlier, update the swfupload extension to properly validate and restrict file extensions on the server-side, rather than relying on client-side JavaScript code. As a temporary workaround, consider disabling the upload functionality in the admin panel until a proper fix is applied. Restrict access to the upload handler.php file to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Chyrp versions 2.1 and earlier **Description** A directory traversal issue allows remote attackers to include and execute arbitrary local files. This is achieved by using a ..%2F (encoded dot dot slash) in the `action` parameter to the default URI. **Recommendations** For Chyrp versions 2.1 and earlier, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Ganeti versions 1.2.4 through 1.2.8 Ganeti versions 2.0.0 through 2.0.4 Ganeti versions 2.1.0 before 2.1.0~rc2 **Description** The issue is related to "path sanitization errors" in the iallocator framework, allowing for directory traversal vulnerabilities. This enables remote attackers to execute arbitrary programs via a crafted external script name supplied through the HTTP remote API (RAPI). Additionally, local users can execute arbitrary programs and gain privileges via a crafted external script name supplied through a gnt-* command. **Recommendations** For Ganeti versions 1.2.4 through 1.2.8, update to a version outside of this range to mitigate the risk. For Ganeti versions 2.0.0 through 2.0.4, update to a version outside of this range to mitigate the risk. For Ganeti versions 2.1.0 before 2.1.0~rc2, update to version 2.1.0~rc2 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** zgv versions before 5.8 xzgv versions before 0.8 **Description** The issue is related to multiple vulnerabilities in the zgv and xzgv packages, which can lead to a breach of confidentiality, integrity, and availability of protected information. These vulnerabilities can be exploited remotely. Specifically, a heap-based buffer overflow in zgv and xzgv might allow user-assisted attackers to execute arbitrary code via a JPEG image with more than 3 output components, such as a CMYK or YCCK color space. **Recommendations** For zgv versions before 5.8, update to version 5.8 or later to resolve the issue. For xzgv versions before 0.8, update to version 0.8 or later to resolve the issue. As a temporary workaround, consider avoiding the use of JPEG images with more than 3 output components, such as CMYK or YCCK color spaces, until a patch is available.