Advisory Database Sync

Author: advisory-database[bot]

advisories/github-reviewed/2025/11/GHSA-c978-wq47-pvvw/GHSA-c978-wq47-pvvw.json

@@ -0,0 +1,61 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-c978-wq47-pvvw",
+  "modified": "2025-11-12T21:30:11Z",
+  "published": "2025-11-12T21:30:11Z",
+  "aliases": [
+    "CVE-2025-64170"
+  ],
+  "summary": "sudo-rs: Partial password reveal is possible after timeout",
+  "details": "### Summary\nIf a user begins entering a password but does not press return for an extended period, a password timeout may occur. When this happens, the keystrokes that were entered are echoed back to the console.\n\n### Example\nUsing sudo-rs:\n```\ngeiger@cerberus:~$ sudo -s\n[sudo: authenticate] Password: sudo-rs: timed out\ngeiger@cerberus:~$ testtesttest\n```\n\n\"testtesttest\" was entered at the password prompt but not confirmed by pressing return and then waiting for the timeout.\n\n### Impact\nThis could reveal partial password information, possibly exposing history files when not carefully handled by the user and on screen, usable for Social Engineering or Pass-By attacks.\n\n### Versions affected\nPasswords timeouts were added in sudo-rs 0.2.7 (with a default set to 5 minutes).\n\n### Credits\nThis issue was discovered and reported by @DevLaTron.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:P/AC:H/PR:H/UI:R/S:U/C:H/I:N/A:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "crates.io",
+        "name": "sudo-rs"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0.2.7"
+            },
+            {
+              "fixed": "0.2.10"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/trifectatechfoundation/sudo-rs/security/advisories/GHSA-c978-wq47-pvvw"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/trifectatechfoundation/sudo-rs/commit/0e3d3837aec3ee9fb5dcb8bfe11e8adb367f58f4"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/trifectatechfoundation/sudo-rs"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-549"
+    ],
+    "severity": "LOW",
+    "github_reviewed": true,
+    "github_reviewed_at": "2025-11-12T21:30:11Z",
+    "nvd_published_at": null
+  }
+}

advisories/unreviewed/2025/05/GHSA-2352-43vg-7vcc/GHSA-2352-43vg-7vcc.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-2352-43vg-7vcc",
-  "modified": "2025-05-02T18:31:32Z",
+  "modified": "2025-11-12T21:30:59Z",
   "published": "2025-05-02T18:31:32Z",
   "aliases": [
     "CVE-2023-53039"
   ],
   "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: intel-ish-hid: ipc: Fix potential use-after-free in work function\n\nWhen a reset notify IPC message is received, the ISR schedules a work\nfunction and passes the ISHTP device to it via a global pointer\nishtp_dev. If ish_probe() fails, the devm-managed device resources\nincluding ishtp_dev are freed, but the work is not cancelled, causing a\nuse-after-free when the work function tries to access ishtp_dev. Use\ndevm_work_autocancel() instead, so that the work is automatically\ncancelled if probe fails.",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -32,8 +37,10 @@
     }
   ],
   "database_specific": {
-    "cwe_ids": [],
-    "severity": null,
+    "cwe_ids": [
+      "CWE-416"
+    ],
+    "severity": "HIGH",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2025-05-02T16:15:23Z"

advisories/unreviewed/2025/05/GHSA-23wv-q9m5-hq8q/GHSA-23wv-q9m5-hq8q.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-23wv-q9m5-hq8q",
-  "modified": "2025-11-03T21:33:48Z",
+  "modified": "2025-11-12T21:31:03Z",
   "published": "2025-05-09T09:33:20Z",
   "aliases": [
     "CVE-2025-37881"
   ],
   "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: aspeed: Add NULL pointer check in ast_vhub_init_dev()\n\nThe variable d->name, returned by devm_kasprintf(), could be NULL.\nA pointer check is added to prevent potential NULL pointer dereference.\nThis is similar to the fix in commit 3027e7b15b02\n(\"ice: Fix some null pointer dereference issues in ice_ptp.c\").\n\nThis issue is found by our static analysis tool",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -56,8 +61,10 @@
     }
   ],
   "database_specific": {
-    "cwe_ids": [],
-    "severity": null,
+    "cwe_ids": [
+      "CWE-476"
+    ],
+    "severity": "MODERATE",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2025-05-09T07:16:09Z"

advisories/unreviewed/2025/05/GHSA-25vh-j698-43q9/GHSA-25vh-j698-43q9.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-25vh-j698-43q9",
-  "modified": "2025-05-02T18:31:36Z",
+  "modified": "2025-11-12T21:31:01Z",
   "published": "2025-05-02T18:31:35Z",
   "aliases": [
     "CVE-2023-53094"
   ],
   "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ntty: serial: fsl_lpuart: fix race on RX DMA shutdown\n\nFrom time to time DMA completion can come in the middle of DMA shutdown:\n\n<process ctx>:\t\t\t\t<IRQ>:\nlpuart32_shutdown()\n  lpuart_dma_shutdown()\n    del_timer_sync()\n\t\t\t\t\tlpuart_dma_rx_complete()\n\t\t\t\t\t  lpuart_copy_rx_to_tty()\n\t\t\t\t\t    mod_timer()\n    lpuart_dma_rx_free()\n\nWhen the timer fires a bit later, sport->dma_rx_desc is NULL:\n\nUnable to handle kernel NULL pointer dereference at virtual address 0000000000000004\npc : lpuart_copy_rx_to_tty+0xcc/0x5bc\nlr : lpuart_timer_func+0x1c/0x2c\nCall trace:\n lpuart_copy_rx_to_tty\n lpuart_timer_func\n call_timer_fn\n __run_timers.part.0\n run_timer_softirq\n __do_softirq\n __irq_exit_rcu\n irq_exit\n handle_domain_irq\n gic_handle_irq\n call_on_irq_stack\n do_interrupt_handler\n ...\n\nTo fix this fold del_timer_sync() into lpuart_dma_rx_free() after\ndmaengine_terminate_sync() to make sure timer will not be re-started in\nlpuart_copy_rx_to_tty() <= lpuart_dma_rx_complete().",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -36,8 +41,10 @@
     }
   ],
   "database_specific": {
-    "cwe_ids": [],
-    "severity": null,
+    "cwe_ids": [
+      "CWE-362"
+    ],
+    "severity": "MODERATE",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2025-05-02T16:15:28Z"

advisories/unreviewed/2025/05/GHSA-2c7r-jxv5-347c/GHSA-2c7r-jxv5-347c.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-2c7r-jxv5-347c",
-  "modified": "2025-11-03T21:33:48Z",
+  "modified": "2025-11-12T21:31:03Z",
   "published": "2025-05-09T09:33:20Z",
   "aliases": [
     "CVE-2025-37883"
   ],
   "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/sclp: Add check for get_zeroed_page()\n\nAdd check for the return value of get_zeroed_page() in\nsclp_console_init() to prevent null pointer dereference.\nFurthermore, to solve the memory leak caused by the loop\nallocation, add a free helper to do the free job.",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -44,8 +49,10 @@
     }
   ],
   "database_specific": {
-    "cwe_ids": [],
-    "severity": null,
+    "cwe_ids": [
+      "CWE-476"
+    ],
+    "severity": "MODERATE",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2025-05-09T07:16:09Z"

advisories/unreviewed/2025/05/GHSA-2jfj-pqmf-3wq3/GHSA-2jfj-pqmf-3wq3.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-2jfj-pqmf-3wq3",
-  "modified": "2025-05-08T09:30:25Z",
+  "modified": "2025-11-12T21:31:02Z",
   "published": "2025-05-08T09:30:25Z",
   "aliases": [
     "CVE-2025-37827"
   ],
   "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: zoned: return EIO on RAID1 block group write pointer mismatch\n\nThere was a bug report about a NULL pointer dereference in\n__btrfs_add_free_space_zoned() that ultimately happens because a\nconversion from the default metadata profile DUP to a RAID1 profile on two\ndisks.\n\nThe stack trace has the following signature:\n\n  BTRFS error (device sdc): zoned: write pointer offset mismatch of zones in raid1 profile\n  BUG: kernel NULL pointer dereference, address: 0000000000000058\n  #PF: supervisor read access in kernel mode\n  #PF: error_code(0x0000) - not-present page\n  PGD 0 P4D 0\n  Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI\n  RIP: 0010:__btrfs_add_free_space_zoned.isra.0+0x61/0x1a0\n  RSP: 0018:ffffa236b6f3f6d0 EFLAGS: 00010246\n  RAX: 0000000000000000 RBX: ffff96c8132f3400 RCX: 0000000000000001\n  RDX: 0000000010000000 RSI: 0000000000000000 RDI: ffff96c8132f3410\n  RBP: 0000000010000000 R08: 0000000000000003 R09: 0000000000000000\n  R10: 0000000000000000 R11: 00000000ffffffff R12: 0000000000000000\n  R13: ffff96c758f65a40 R14: 0000000000000001 R15: 000011aac0000000\n  FS: 00007fdab1cb2900(0000) GS:ffff96e60ca00000(0000) knlGS:0000000000000000\n  CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  CR2: 0000000000000058 CR3: 00000001a05ae000 CR4: 0000000000350ef0\n  Call Trace:\n  <TASK>\n  ? __die_body.cold+0x19/0x27\n  ? page_fault_oops+0x15c/0x2f0\n  ? exc_page_fault+0x7e/0x180\n  ? asm_exc_page_fault+0x26/0x30\n  ? __btrfs_add_free_space_zoned.isra.0+0x61/0x1a0\n  btrfs_add_free_space_async_trimmed+0x34/0x40\n  btrfs_add_new_free_space+0x107/0x120\n  btrfs_make_block_group+0x104/0x2b0\n  btrfs_create_chunk+0x977/0xf20\n  btrfs_chunk_alloc+0x174/0x510\n  ? srso_return_thunk+0x5/0x5f\n  btrfs_inc_block_group_ro+0x1b1/0x230\n  btrfs_relocate_block_group+0x9e/0x410\n  btrfs_relocate_chunk+0x3f/0x130\n  btrfs_balance+0x8ac/0x12b0\n  ? srso_return_thunk+0x5/0x5f\n  ? srso_return_thunk+0x5/0x5f\n  ? __kmalloc_cache_noprof+0x14c/0x3e0\n  btrfs_ioctl+0x2686/0x2a80\n  ? srso_return_thunk+0x5/0x5f\n  ? ioctl_has_perm.constprop.0.isra.0+0xd2/0x120\n  __x64_sys_ioctl+0x97/0xc0\n  do_syscall_64+0x82/0x160\n  ? srso_return_thunk+0x5/0x5f\n  ? __memcg_slab_free_hook+0x11a/0x170\n  ? srso_return_thunk+0x5/0x5f\n  ? kmem_cache_free+0x3f0/0x450\n  ? srso_return_thunk+0x5/0x5f\n  ? srso_return_thunk+0x5/0x5f\n  ? syscall_exit_to_user_mode+0x10/0x210\n  ? srso_return_thunk+0x5/0x5f\n  ? do_syscall_64+0x8e/0x160\n  ? sysfs_emit+0xaf/0xc0\n  ? srso_return_thunk+0x5/0x5f\n  ? srso_return_thunk+0x5/0x5f\n  ? seq_read_iter+0x207/0x460\n  ? srso_return_thunk+0x5/0x5f\n  ? vfs_read+0x29c/0x370\n  ? srso_return_thunk+0x5/0x5f\n  ? srso_return_thunk+0x5/0x5f\n  ? syscall_exit_to_user_mode+0x10/0x210\n  ? srso_return_thunk+0x5/0x5f\n  ? do_syscall_64+0x8e/0x160\n  ? srso_return_thunk+0x5/0x5f\n  ? exc_page_fault+0x7e/0x180\n  entry_SYSCALL_64_after_hwframe+0x76/0x7e\n  RIP: 0033:0x7fdab1e0ca6d\n  RSP: 002b:00007ffeb2b60c80 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\n  RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fdab1e0ca6d\n  RDX: 00007ffeb2b60d80 RSI: 00000000c4009420 RDI: 0000000000000003\n  RBP: 00007ffeb2b60cd0 R08: 0000000000000000 R09: 0000000000000013\n  R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\n  R13: 00007ffeb2b6343b R14: 00007ffeb2b60d80 R15: 0000000000000001\n  </TASK>\n  CR2: 0000000000000058\n  ---[ end trace 0000000000000000 ]---\n\nThe 1st line is the most interesting here:\n\n BTRFS error (device sdc): zoned: write pointer offset mismatch of zones in raid1 profile\n\nWhen a RAID1 block-group is created and a write pointer mismatch between\nthe disks in the RAID set is detected, btrfs sets the alloc_offset to the\nlength of the block group marking it as full. Afterwards the code expects\nthat a balance operation will evacuate the data in this block-group and\nrepair the problems.\n\nBut before this is possible, the new space of this block-group will be\naccounted in the free space cache. But in __btrfs_\n---truncated---",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -28,8 +33,10 @@
     }
   ],
   "database_specific": {
-    "cwe_ids": [],
-    "severity": null,
+    "cwe_ids": [
+      "CWE-476"
+    ],
+    "severity": "MODERATE",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2025-05-08T07:15:53Z"

advisories/unreviewed/2025/05/GHSA-2px8-v868-2g2q/GHSA-2px8-v868-2g2q.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-2px8-v868-2g2q",
-  "modified": "2025-05-02T18:31:32Z",
+  "modified": "2025-11-12T21:30:58Z",
   "published": "2025-05-02T18:31:32Z",
   "aliases": [
     "CVE-2023-53037"
   ],
   "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: mpi3mr: Bad drive in topology results kernel crash\n\nWhen the SAS Transport Layer support is enabled and a device exposed to\nthe OS by the driver fails INQUIRY commands, the driver frees up the memory\nallocated for an internal HBA port data structure. However, in some places,\nthe reference to the freed memory is not cleared. When the firmware sends\nthe Device Info change event for the same device again, the freed memory is\naccessed and that leads to memory corruption and OS crash.",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -28,8 +33,10 @@
     }
   ],
   "database_specific": {
-    "cwe_ids": [],
-    "severity": null,
+    "cwe_ids": [
+      "CWE-416"
+    ],
+    "severity": "HIGH",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2025-05-02T16:15:22Z"

advisories/unreviewed/2025/05/GHSA-2x8x-5r7x-jcgh/GHSA-2x8x-5r7x-jcgh.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-2x8x-5r7x-jcgh",
-  "modified": "2025-05-09T09:33:20Z",
+  "modified": "2025-11-12T21:31:03Z",
   "published": "2025-05-09T09:33:20Z",
   "aliases": [
     "CVE-2025-37886"
   ],
   "details": "In the Linux kernel, the following vulnerability has been resolved:\n\npds_core: make wait_context part of q_info\n\nMake the wait_context a full part of the q_info struct rather\nthan a stack variable that goes away after pdsc_adminq_post()\nis done so that the context is still available after the wait\nloop has given up.\n\nThere was a case where a slow development firmware caused\nthe adminq request to time out, but then later the FW finally\nfinished the request and sent the interrupt.  The handler tried\nto complete_all() the completion context that had been created\non the stack in pdsc_adminq_post() but no longer existed.\nThis caused bad pointer usage, kernel crashes, and much wailing\nand gnashing of teeth.",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -32,8 +37,10 @@
     }
   ],
   "database_specific": {
-    "cwe_ids": [],
-    "severity": null,
+    "cwe_ids": [
+      "CWE-476"
+    ],
+    "severity": "MODERATE",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2025-05-09T07:16:09Z"

advisories/unreviewed/2025/05/GHSA-3p47-qj26-6gg7/GHSA-3p47-qj26-6gg7.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-3p47-qj26-6gg7",
-  "modified": "2025-05-09T09:33:20Z",
+  "modified": "2025-11-12T21:31:02Z",
   "published": "2025-05-09T09:33:20Z",
   "aliases": [
     "CVE-2025-37866"
   ],
   "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nmlxbf-bootctl: use sysfs_emit_at() in secure_boot_fuse_state_show()\n\nA warning is seen when running the latest kernel on a BlueField SOC:\n[251.512704] ------------[ cut here ]------------\n[251.512711] invalid sysfs_emit: buf:0000000003aa32ae\n[251.512720] WARNING: CPU: 1 PID: 705264 at fs/sysfs/file.c:767 sysfs_emit+0xac/0xc8\n\nThe warning is triggered because the mlxbf-bootctl driver invokes\n\"sysfs_emit()\" with a buffer pointer that is not aligned to the\nstart of the page. The driver should instead use \"sysfs_emit_at()\"\nto support non-zero offsets into the destination buffer.",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -25,7 +30,7 @@
   ],
   "database_specific": {
     "cwe_ids": [],
-    "severity": null,
+    "severity": "MODERATE",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2025-05-09T07:16:07Z"

advisories/unreviewed/2025/05/GHSA-3qx6-96c8-pv99/GHSA-3qx6-96c8-pv99.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-3qx6-96c8-pv99",
-  "modified": "2025-05-09T09:33:20Z",
+  "modified": "2025-11-12T21:31:03Z",
   "published": "2025-05-09T09:33:20Z",
   "aliases": [
     "CVE-2025-37882"
   ],
   "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: xhci: Fix isochronous Ring Underrun/Overrun event handling\n\nThe TRB pointer of these events points at enqueue at the time of error\noccurrence on xHCI 1.1+ HCs or it's NULL on older ones. By the time we\nare handling the event, a new TD may be queued at this ring position.\n\nI can trigger this race by rising interrupt moderation to increase IRQ\nhandling delay. Similar delay may occur naturally due to system load.\n\nIf this ever happens after a Missed Service Error, missed TDs will be\nskipped and the new TD processed as if it matched the event. It could\nbe given back prematurely, risking data loss or buffer UAF by the xHC.\n\nDon't complete TDs on xrun events and don't warn if queued TDs don't\nmatch the event's TRB pointer, which can be NULL or a link/no-op TRB.\nDon't warn if there are no queued TDs at all.\n\nNow that it's safe, also handle xrun events if the skip flag is clear.\nThis ensures completion of any TD stuck in 'error mid TD' state right\nbefore the xrun event, which could happen if a driver submits a finite\nnumber of URBs to a buggy HC and then an error occurs on the last TD.",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -28,8 +33,10 @@
     }
   ],
   "database_specific": {
-    "cwe_ids": [],
-    "severity": null,
+    "cwe_ids": [
+      "CWE-416"
+    ],
+    "severity": "HIGH",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2025-05-09T07:16:09Z"