Jordy Zomer

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to an out-of-bounds read in `ksmbd vfs stream read()`. It occurs when a client's offset is a negative value, leading to an out-of-bounds read from `stream buf`. This problem arises when the 'vfs objects = streams xattr parameter' is set in `ksmbd.conf`. The exploitation of this issue may allow a remote attacker to disclose protected information and cause a denial of service by sending specially crafted SMB requests to files with ADS. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Linux kernel versions are not explicitly specified in the provided descriptions. Description: The issue is related to an Out-of-Bounds Write in `ksmbd vfs stream write`. It occurs when an offset from the client is a negative value, allowing data to be written outside the allocated buffer bounds. This happens when the 'vfs objects = streams xattr parameter' is set in `ksmbd.conf`. Recommendations: Since specific affected versions are not provided, a general recommendation cannot be accurately tailored to each version. However, based on the information given, to resolve the issue, ensure that the `ksmbd vfs stream write` function properly handles negative offset values from clients, and review the configuration of `ksmbd.conf` to avoid settings that could trigger this issue.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.6.74 **Description** The vulnerability is related to the xsk map delete elem function in the Linux kernel, which allows an out-of-bounds write due to implicit type conversion. This can lead to memory corruption and potentially allow an attacker to cause a denial of service. The issue arises when a large unsigned value for map->max entries bypasses the intended bounds check, allowing a negative value to be used as an array index. Technical details include the use of the `xchg` operation to cause an out-of-bounds write and the passing of an invalid `map entry` to `xsk map sock delete`, which can lead to further memory corruption. The `xsk map delete elem` function is vulnerable, specifically the comparison between `k` and `map->max entries`, and the use of `k` as an index in `m->xsk map[k]`. **Recommendations** To resolve the issue, update the Linux kernel to version 6.6.74 or later. As a temporary workaround, consider restricting access to the `xsk map delete elem` function until a patch is available. Additionally, avoid using the `xchg` operation on the `map entry` variable in the `xsk map delete elem` function.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.6.74 **Description** The issue is related to out-of-bounds (OOB) writes in the devmap when deleting elements. This is caused by the index used for accessing map entries being a signed integer, which leads to OOB writes. The fix involves changing the type from int to u32. Additionally, when the map is released from the system via `dev map free()`, an iterator variable is also an int, implying OOB accesses, which needs to be changed to u32. **Recommendations** To resolve the issue, update the Linux kernel to version 6.6.74 or later. As a temporary workaround, consider restricting access to the `dev map free()` function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** macOS versions prior to 11.7.3 macOS versions prior to 12.6.3 macOS versions prior to 13.2 **Description** The issue was addressed with improved memory handling. An app may be able to execute arbitrary code with kernel privileges. **Recommendations** For macOS Big Sur, update to version 11.7.3 to resolve the issue. For macOS Monterey, update to version 12.6.3 to resolve the issue. For macOS Ventura, update to version 13.2 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** macOS Monterey versions prior to 12.4 **Description** An out-of-bounds write issue was addressed with improved bounds checking. This issue allows an attacker that has already achieved code execution in macOS Recovery to potentially escalate to kernel privileges. **Recommendations** For macOS Monterey versions prior to 12.4, update to version 12.4 to resolve the issue. As a temporary workaround, consider restricting access to macOS Recovery to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A potential issue in the Linux kernel has been identified, where the `cmd` variable could be used as a Spectre v1 gadget, potentially allowing the leakage of kernel memory contents to userspace via speculative execution. This is prevented by using `array index nospec`. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to a potential Spectre v1 gadget in the dma-buf heaps of the Linux kernel. The `nr` variable, supplied by a user and used as an array index, could allow an attacker to leak kernel memory contents to userspace via speculative execution. This can be prevented by using `array index nospec`. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: macOS versions prior to Security Update 2021-005 Catalina Description: A race condition was addressed with additional validation. Mounting a maliciously crafted NFS network share may lead to arbitrary code execution with system privileges. Recommendations: For versions prior to Security Update 2021-005 Catalina, apply Security Update 2021-005 to fix the issue. As a temporary workaround, consider restricting access to NFS network shares until the update is applied. Avoid mounting unknown or untrusted NFS network shares to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: Jansson versions through 2.13.1 Description: An issue was discovered due to a parsing error in `json loads`, resulting in an out-of-bounds read-access bug. This issue only occurs when a programmer fails to follow the API specification. Recommendations: For versions through 2.13.1, ensure that programmers follow the API specification to avoid the out-of-bounds read-access bug. As a temporary workaround, consider adding input validation to the `json loads` function to prevent malformed input from causing the bug. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** OpenConnect versions prior to 8.08 **Description** The issue is related to the mishandling of negative return values from `X509 check ` function calls, which could assist attackers in performing man-in-the-middle attacks. This vulnerability is associated with shortcomings in handling exceptional states in the OpenConnect VPN client's `X509 check ` function. Exploitation of this issue may allow a remote attacker to access confidential data. **Recommendations** For OpenConnect versions prior to 8.08, update to version 8.08 or later to resolve the issue. As a temporary workaround, consider restricting access to sensitive data until the update is applied.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions 3.16 through 5.5.6 **Description** An issue in the Linux kernel leads to an out-of-bounds read because the FDC index is not checked for errors before assigning it. This issue is related to the `set fdc` function in `drivers/block/floppy.c`. Additionally, there is a buffer overflow issue in the `rwsem down write slowpath` function in `kernel/locking/rwsem.c`, which can allow an attacker to disclose protected information or cause a denial of service. **Recommendations** For Linux kernel versions 3.16 through 5.5.6, consider disabling the `set fdc` function in `drivers/block/floppy.c` as a temporary workaround until a patch is available. Restrict access to the `rwsem down write slowpath` function in `kernel/locking/rwsem.c` to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** The Sleuth Kit (TSK) versions 4.6.4 and earlier **Description** The issue allows attackers to cause a denial of service. It is related to the function `hfs cat traverse` in `tsk/fs/hfs.c`, which does not properly determine when a key length is too large. This can lead to a SEGV on an unknown address with READ memory access in a `tsk getu16` call in `hfs dir open meta cb` in `tsk/fs/hfs dent.c`. **Recommendations** For versions 4.6.4 and earlier, as a temporary workaround, consider restricting access to the `hfs cat traverse` function in `tsk/fs/hfs.c` until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** PHP versions 7.1.x through 7.1.26 PHP versions 7.3.x through 7.3.2 **Description** The issue is related to a buffer overflow in the `phar tar writeheaders int` function in `ext/phar/tar.c` of the PHP interpreter. This can be exploited by a remote attacker to execute arbitrary code. The buffer overflow occurs via a long link value. However, the vendor notes that the link value is used only when an archive contains a symlink, which currently cannot happen, making a practical attack usually impossible. **Recommendations** For PHP versions 7.1.x through 7.1.26, update to version 7.1.27 or later. For PHP versions 7.3.x through 7.3.2, update to version 7.3.3 or later.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to the commit 74e19ef0ff8061ef55957c3abd71614ef0f42f47 **Description** The issue is related to the `copy from user` function in the Linux kernel, which does not implement the ` uaccess begin nospec` feature. This allows a user to bypass the "access ok" check and pass a kernel pointer to `copy from user()`, potentially leading to information leakage. An attacker could exploit this to access protected memory from a program without the necessary privileges by creating conditions for incorrect branch prediction. **Recommendations** Upgrade beyond commit 74e19ef0ff8061ef55957c3abd71614ef0f42f47 to resolve the issue. As a temporary workaround, consider restricting access to the `copy from user` function until a patch is available.