CVE-2022-26981: [BUG] global-buffer-overflow in lou_checktable · Issue #1171 · liblouis/liblouis

Liblouis through 3.21.0 has a buffer overflow in compilePassOpcode in compileTranslationTable.c (called, indirectly, by tools/lou_checktable.c).


Describe the bug
There is a global-buffer-overflow bug in compilePassOpcode; it can be triggered via lou_checktable + ASan.

To Reproduce
Steps to reproduce the behavior:

export CC=clang && export CFLAGS="-fsanitize=address -g"
./autogen.sh && ./configure --disable-shared --disable-local-libopts && make clean && make -j8
./tools/lou_checktable POC

Output:

==17764==ERROR: AddressSanitizer: global-buffer-overflow on address 0x00000102f062 at pc 0x00000051d4ce bp 0x7ffdfad96390 sp 0x7ffdfad96388
WRITE of size 2 at 0x00000102f062 thread T0
    #0 0x51d4cd in compilePassOpcode /benchmark/vulnerable/liblouis/liblouis/compileTranslationTable.c:1896:31
    #1 0x50f7bf in compileRule /benchmark/vulnerable/liblouis/liblouis/compileTranslationTable.c:3947:11
    #2 0x4ff42b in compileFile /benchmark/vulnerable/liblouis/liblouis/compileTranslationTable.c:4660:9
    #3 0x4fbbe9 in compileTable /benchmark/vulnerable/liblouis/liblouis/compileTranslationTable.c:4767:9
    #4 0x4f9bdf in getTable /benchmark/vulnerable/liblouis/liblouis/compileTranslationTable.c:4939:7
    #5 0x4f9061 in _lou_getTable /benchmark/vulnerable/liblouis/liblouis/compileTranslationTable.c:4848:2
    #6 0x4fb51f in lou_getTable /benchmark/vulnerable/liblouis/liblouis/compileTranslationTable.c:4860:2
    #7 0x4f4109 in main /benchmark/vulnerable/liblouis/tools/lou_checktable.c:114:16
    #8 0x7f6ff64f0bf6 in __libc_start_main /build/glibc-S9d2JN/glibc-2.27/csu/../csu/libc-start.c:310
    #9 0x41b699 in _start (/benchmark/vulnerable/liblouis/tools/lou_checktable+0x41b699)

0x00000102f062 is located 0 bytes to the right of global variable 'passRuleDots' defined in 'compileTranslationTable.c:1850:21' (0x102e060) of size 4098
SUMMARY: AddressSanitizer: global-buffer-overflow /benchmark/vulnerable/liblouis/liblouis/compileTranslationTable.c:1896:31 in compilePassOpcode
==17764==ABORTING
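
The report above contains everything needed to triage the finding without rebuilding the project. The following script is an added example (not part of the issue or of liblouis): it parses the key lines of this ASan report, recovers the faulting address, the named global and its size, and computes that the 2-byte write starts 0 bytes past the end of passRuleDots, i.e. at element index 2049 of a buffer that holds 2049 2-byte elements. The report lines are copied from the issue; the element-width interpretation is an assumption derived from the access size.

```python
import re

# Sample input: the relevant lines of the ASan report quoted in the issue above.
SAMPLE_REPORT = """\
==17764==ERROR: AddressSanitizer: global-buffer-overflow on address 0x00000102f062 at pc 0x00000051d4ce bp 0x7ffdfad96390 sp 0x7ffdfad96388
WRITE of size 2 at 0x00000102f062 thread T0
    #0 0x51d4cd in compilePassOpcode /benchmark/vulnerable/liblouis/liblouis/compileTranslationTable.c:1896:31
    #1 0x50f7bf in compileRule /benchmark/vulnerable/liblouis/liblouis/compileTranslationTable.c:3947:11
0x00000102f062 is located 0 bytes to the right of global variable 'passRuleDots' defined in 'compileTranslationTable.c:1850:21' (0x102e060) of size 4098
SUMMARY: AddressSanitizer: global-buffer-overflow /benchmark/vulnerable/liblouis/liblouis/compileTranslationTable.c:1896:31 in compilePassOpcode
"""
ERROR_RE = re.compile(r"ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at (0x[0-9a-f]+)", re.M)
FRAME_RE = re.compile(r"^\s*#(\d+) 0x[0-9a-f]+ in (\S+) (\S+?):(\d+)(?::\d+)?$", re.M)
GLOBAL_RE = re.compile(r"global variable '([^']+)' defined in '[^']+' \((0x[0-9a-f]+)\) of size (\d+)")

def triage(report):
    """Pull out the facts a defender needs from one ASan global-buffer-overflow report."""
    err, acc, glob = ERROR_RE.search(report), ACCESS_RE.search(report), GLOBAL_RE.search(report)
    if not (err and acc and glob):
        raise ValueError("not a global-buffer-overflow report naming a global variable")
    fault = int(acc.group(3), 16)
    base, size = int(glob.group(2), 16), int(glob.group(3))
    access_size = int(acc.group(2))
    past_end = fault - (base + size)          # 0 means the access starts exactly at the end
    frames = [(m.group(2), m.group(3).rsplit("/", 1)[-1], int(m.group(4)))
              for m in FRAME_RE.finditer(report)]
    # Assumption: the global is an array of access_size-wide elements; report the index hit.
    index = (fault - base) // access_size if size % access_size == 0 else None
    return {
        "bug": err.group(1),
        "access": acc.group(1),
        "access_size": access_size,
        "global": glob.group(1),
        "global_size": size,
        "bytes_past_end": past_end,
        "element_index": index,
        "top_frame": frames[0] if frames else None,
    }

def assessment(facts):
    """One-line triage verdict; a write past a global is prioritised over a read."""
    where = ("at the buffer end" if facts["bytes_past_end"] == 0
             else f"{facts['bytes_past_end']} bytes past the end")
    kind = ("out-of-bounds WRITE: memory corruption, prioritise the fix"
            if facts["access"] == "WRITE" else "out-of-bounds READ: likely crash or info leak")
    fn, f, ln = facts["top_frame"]
    return f"{kind}; {facts['access_size']}-byte access {where} of global '{facts['global']}' in {fn} ({f}:{ln})"

print(assessment(triage(SAMPLE_REPORT)))
```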

System

OS: Ubuntu
OS version: can be reproduced in 18.04/20.04
clang version: 12.0.1 (release/12.x)
liblouis version: latest commit 4d73c81

Credit
NCNIPC of China
Hexhive

POC
POC.zip

Related news

CVE-2022-32824: About the security content of tvOS 15.6

The issue was addressed with improved memory handling. This issue is fixed in tvOS 15.6, watchOS 8.7, iOS 15.6 and iPadOS 15.6. An app may be able to disclose kernel memory.

CVE-2022-32855: About the security content of iOS 15.6 and iPadOS 15.6

A logic issue was addressed with improved state management. This issue is fixed in iOS 15.6 and iPadOS 15.6. A user may be able to view restricted content from the lock screen.

Gentoo Linux Security Advisory 202301-06

Gentoo Linux Security Advisory 202301-6 - Multiple vulnerabilities have been discovered in liblouis, the worst of which could result in denial of service. Versions less than 3.22.0 are affected.

CVE-2022-32793: About the security content of macOS Monterey 12.5

Multiple out-of-bounds write issues were addressed with improved bounds checking. This issue is fixed in macOS Monterey 12.5, watchOS 8.7, tvOS 15.6, iOS 15.6 and iPadOS 15.6. An app may be able to disclose kernel memory.

Apple Security Advisory 2022-07-20-6

Apple Security Advisory 2022-07-20-6 - watchOS 8.7 addresses buffer overflow, bypass, code execution, out of bounds read, out of bounds write, and spoofing vulnerabilities.

Apple Security Advisory 2022-07-20-5

Apple Security Advisory 2022-07-20-5 - tvOS 15.6 addresses buffer overflow, bypass, code execution, information leakage, out of bounds read, out of bounds write, and spoofing vulnerabilities.

Apple Security Advisory 2022-07-20-2

Apple Security Advisory 2022-07-20-2 - macOS Monterey 12.5 addresses bypass, code execution, information leakage, null pointer, out of bounds read, out of bounds write, and spoofing vulnerabilities.

Apple Security Advisory 2022-07-20-1

Apple Security Advisory 2022-07-20-1 - iOS 15.6 and iPadOS 15.6 addresses buffer overflow, bypass, code execution, information leakage, null pointer, out of bounds read, out of bounds write, and spoofing vulnerabilities.

Ubuntu Security Notice USN-5476-1

Ubuntu Security Notice 5476-1 - Han Zheng discovered that Liblouis incorrectly handled certain inputs. An attacker could possibly use this issue to cause a crash. This issue was addressed in Ubuntu 21.10 and Ubuntu 22.04 LTS. It was discovered that Liblouis incorrectly handled certain inputs. An attacker could possibly use this issue to execute arbitrary code or cause a crash.
