At least on Android there is a nice app for the first point. It will track your calls and messages and remind you to contact people in certain intervals based on predefined contact group settings: https://play.google.com/store/apps/details?id=me.barta.stayi...
The Gitlab licensing model was recently change and the lowest tier starter license was removed.
Anyone knows which of these new features a customer receives that is still on "starter" (which can be kept for up to one year after the change to the license model)?
All new features target Free/Premium/Ultimate. Starter customer are still getting new features, improvements and fixes — they are the same features that are also available on the Free tier. For Starter customers who elected to upgrade to Premium for free, they will also have access to the new Premium features.
Public information is very thin on the exploitability of this. Are you able to elaborate a little bit where MSG_PEEK might be used?
Is it used in the kernel? Only in specific applications?
Reading the original link, it looks like the kernel corruption only happens when an user space application uses the recvfrom() syscall using the MSG_PEEK option. MSG_PEEK is only used AFAIK only in specific applications that need to "peek" at the message without consuming it. This is not a very common use case, but some research should be done to understand if there is some popular application using it.
If I've understood this correctly, it turns it into a local privilege escalation opportunity: run a vulnerable application as the user, use the exploit to get code execution in the kernel.
> MSG_PEEK is only used AFAIK only in specific applications that need to "peek" at the message without consuming it
I never used the MSG_PEEK flag, but over 15 years ago (maybe it wasnt implemented yet?) I accomplished a similar task by using the SO_REUSEADDR and SO_REUSEPORT flags which worked nicely on Windows too. The goal was to have several UDP "agents" listening on the same port on the same machine (which would normally raise an EADDRINUSE error), all of them examining a packet and acting upon a header contained in that packet. All them would receive a copy of the packet on their respective socket (that was the flags purpose), so that they could filter it and act only if the header contained data relative to that agent. This allowed a very modular approach where once the protocol was defined I could compile only the agent I needed without touching the others.
This is a flag that the application has to explicitly set when receiving data. Looks like this flag has limited usage based on the description. I've checked with the strace tool few programs that use UDP on my Linux boxes: unbound resolver, ntpd, openvpn. None seems to use it.
MSG_PEEK
This flag causes the receive operation to return data from the beginning of the receive queue without removing that data from the queue. Thus, a subsequent receive call will return the same data.
I've managed to find one case, the net-snmp package uses MSG_PEEK in the SMUX subagent system, heaven knows why. But since the smux socket is practically always bound to localhost, that is not a problem.
As far as I can tell, a packet from a non-localhost source may be received, but (obviously) the udp_recvmsg does not get called since the system call is not triggered.
Unfortunately, there is a large amount of devices such as home routers, televisions, phones, etc, that are completely impossible to update. So, being aware of cases of software that actually use MSG_PEEK might be useful.
It contains these two links
- https://packetstorm.news/files/id/189989
- https://gist.github.com/R-Security/1c707a08f9c7f9a91d9d84b50...
The first is also about the LPE, the second is apparently by the same author, names the same CVE-ID but is about a remote code execution?