Buffer overflow vulnerability in function stbi__extend_receive in stb_image.h in stb 2.26 via a crafted JPEG file.

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed

Kaka201 opened this issue

Mar 4, 2021

· 2 comments

Closed

**heap overflow in stb\_image.h:2099 #1108**

Kaka201 opened this issue

Mar 4, 2021

· 2 comments

**Comments**

heap overflow by a craft jpeg file in stb\_image.h:2099  
poc poc\_hoob.zip

asan report:

    ==42271==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000000559f20 at pc 0x00000051a2dd bp 0x7ffd06a9e900 sp 0x7ffd06a9e8f8
    READ of size 4 at 0x000000559f20 thread T0
        #0 0x51a2dc in stbi__extend_receive /home/kaka/fuzz/stb/tests/./../stb_image.h:2099:16
        #1 0x518400 in stbi__jpeg_decode_block /home/kaka/fuzz/stb/tests/./../stb_image.h:2154:15
        #2 0x517173 in stbi__parse_entropy_coded_data /home/kaka/fuzz/stb/tests/./../stb_image.h:2920:30
        #3 0x5138d0 in stbi__decode_jpeg_image /home/kaka/fuzz/stb/tests/./../stb_image.h:3321:15
        #4 0x510a21 in load_jpeg_image /home/kaka/fuzz/stb/tests/./../stb_image.h:3773:9
        #5 0x4fe7b1 in stbi__jpeg_load /home/kaka/fuzz/stb/tests/./../stb_image.h:3930:13
        #6 0x4f8b3f in stbi__load_and_postprocess_8bit /home/kaka/fuzz/stb/tests/./../stb_image.h:1203:19
        #7 0x4f9d12 in stbi_load_from_memory /home/kaka/fuzz/stb/tests/./../stb_image.h:1373:11
        #8 0x4fd734 in LLVMFuzzerTestOneInput /home/kaka/fuzz/stb/tests/stbi_read_fuzzer.c:19:26
        #9 0x4f84fd in main /home/kaka/fuzz/stb/tests/fuzz_main.c:48:11
        #10 0x7fd09b4ea83f in __libc_start_main /build/glibc-e6zv40/glibc-2.23/csu/../csu/libc-start.c:291
        #11 0x41b038 in _start (/home/kaka/fuzz/stb/tests/image_fuzzer+0x41b038)
    
    0x000000559f20 is located 32 bytes to the left of global variable '<string literal>' defined in './../stb_image.h:2198:33' (0x559f40) of size 22
      '<string literal>' is ascii string 'can't merge dc and ac'
    0x000000559f20 is located 0 bytes to the right of global variable 'stbi__jbias' defined in './../stb_image.h:2083:18' (0x559ee0) of size 64
    SUMMARY: AddressSanitizer: global-buffer-overflow /home/kaka/fuzz/stb/tests/./../stb_image.h:2099:16 in stbi__extend_receive
    Shadow bytes around the buggy address:
      0x0000800a3390: 00 04 f9 f9 f9 f9 f9 f9 00 04 f9 f9 f9 f9 f9 f9
      0x0000800a33a0: 00 f9 f9 f9 f9 f9 f9 f9 00 00 01 f9 f9 f9 f9 f9
      0x0000800a33b0: 00 00 00 00 00 00 00 00 04 f9 f9 f9 f9 f9 f9 f9
      0x0000800a33c0: 00 00 00 00 00 00 00 00 00 00 02 f9 f9 f9 f9 f9
      0x0000800a33d0: 00 00 00 00 00 00 00 02 f9 f9 f9 f9 00 00 00 00
    =>0x0000800a33e0: 00 00 00 00[f9]f9 f9 f9 00 00 06 f9 f9 f9 f9 f9
      0x0000800a33f0: 00 04 f9 f9 f9 f9 f9 f9 00 00 05 f9 f9 f9 f9 f9
      0x0000800a3400: 00 06 f9 f9 f9 f9 f9 f9 00 05 f9 f9 f9 f9 f9 f9
      0x0000800a3410: 00 00 04 f9 f9 f9 f9 f9 00 02 f9 f9 f9 f9 f9 f9
      0x0000800a3420: 00 00 f9 f9 f9 f9 f9 f9 00 00 02 f9 f9 f9 f9 f9
      0x0000800a3430: 00 00 05 f9 f9 f9 f9 f9 00 06 f9 f9 f9 f9 f9 f9
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==42271==ABORTING
    

rygorous added a commit that referenced this issue

Jul 3, 2021

extend\_receive implicitly requires n <= 15 (code length);
the maximum that actually makes sense for 8-bit baseline JPEG is
11, but 15 is the natural limit for us because the AC coding path
stores the number of magnitude bits in a nibble.

Check that DC delta bits are in range before attempting to call
extend\_receive.

Fixes issue #1108.

Thanks for the bug report and repro, sorry for taking a while to respond. Bug is fixed in dev branch, will be in the next release.

rygorous added a commit that referenced this issue

Jul 4, 2021

extend\_receive implicitly requires n <= 15 (code length);
the maximum that actually makes sense for 8-bit baseline JPEG is
11, but 15 is the natural limit for us because the AC coding path
stores the number of magnitude bits in a nibble.

Check that DC delta bits are in range before attempting to call
extend\_receive.

Fixes issue #1108.

CVE-2021-28021 has been assigned for this issue  
report by luo likang from nsfocus security team

CVE-2021-28021: heap overflow in stb_image.h:2099 · Issue #1108 · nothings/stb

An issue was discovered in Open Ticket Request System (OTRS) 6.0.x before 6.0.12. An attacker could send an e-mail message with a malicious link to an OTRS system or an agent. If a logged-in agent opens this link, it could cause the execution of JavaScript in the context of OTRS.

**Release Notes**

**OTRS Group, the world’s leading provider of the OTRS service management suite, including the fully managed OTRS solution and the ITIL® V3-compliant IT service management software OTRS::ITSM.**

*   05/10/2018
*   Security Advisories

**October 05, 2018 — Please read carefully and check if the version of your OTRS system is affected by this vulnerability.**

**Security Advisory Details**

*   ID: OSA-2018-06
*   Date: 2018-10-05
*   Title: XSS
*   Severity: 3.9. low
*   Product: OTRS 6.0.x
*   Fixed in: OTRS 6.0.12
*   FULL CVSS v3 VECTOR: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C
*   References: CVE-2018-17883

**Vulnerability Description**

This advisory covers vulnerabilities discovered in the OTRS framework.

**Privilege Escalation**

An attacker could send an email with a malicious link to an OTRS system or an agent. If a logged in agent opens this link, it could cause the execution of JavaScript in the context of OTRS.

Affected by this vulnerability are all releases of OTRS 6.0.x up to and including 6.0.11.

**Release Name:**

Security Advisory 2018-06: Security Update for OTRS Framework

**PGP Key**

*   pub 2048R/9C227C6B 2011-03-21 \[expires at: 2020-11-16\]
*   uid OTRS Security Team <security@otrs.org\>
*   GPG Fingerprint E330 4608 DA6E 34B7 1551 C244 7F9E 44E9 9C22 7C6B

**Archives**

*   Security Advisories

**Find us on Social Media**

CVE-2018-17883: Security Advisory 2018-06: Security Update for OTRS Framework - ((OTRS)) Community Edition

An improper access control vulnerability [CWE-284] in FortiOS versions 6.4.8 and prior and 7.0.3 and prior may allow an authenticated attacker with a restricted user profile to gather sensitive information and modify the SSL-VPN tunnel status of other VDOMs using specific CLI commands.

** PSIRT Advisories**

**FortiOS - Improper Inter-VDOM access control**

**Summary**

An improper access control vulnerability \[CWE-284\] in FortiOS may allow an authenticated attacker with a restricted user profile to gather sensitive information and modify the SSL-VPN tunnel status of other VDOMs using specific CLI commands.

**Affected Products**

FortiGate version 7.0.3 and below.  
FortiGate version 6.4.8 and below.

**Solutions**

Please upgrade to FortiGate version 7.0.4 or above.  
Please upgrade to FortiGate version 6.4.9 or above.

**Acknowledgement**

Fortinet is pleased to thank Alexis La Goutte for reporting this vulnerability under responsible disclosure.

CVE-2021-41032: Fortiguard

The WCFM Frontend Manager plugin for WordPress is vulnerable to unauthorized modification and access of data in versions up to, and including, 6.6.0 due to missing capability checks on various AJAX actions. This makes it possible for authenticated attackers, with minimal permissions such as subscribers, to perform a wide variety of actions such as modifying knowledge bases, modifying notices, modifying payments, managing vendors, capabilities, and so much more. There were hundreds of AJAX endpoints affected.

CVE-2022-4937: Changeset 2630745 for wc-frontend-manager – WordPress Plugin Repository

A missing permission check in Jenkins Apprenda Plugin 2.2.0 and earlier allows users with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

**Jenkins Apprenda Plugin has Missing Authorization vulnerability**

Moderate severity GitHub Reviewed Published Sep 22, 2022 • Updated Sep 23, 2022

GHSA-52v4-wxrx-gjjm: Jenkins Apprenda Plugin has Missing Authorization vulnerability

The parent process would not properly check whether the Speech Synthesis feature is enabled, when receiving instructions from a child process. This vulnerability affects Thunderbird < 91.9.

Sorry, I can't find "_1764778?cve=title_". It does not seem like bug number nor an alias to a bug.

Please press **Back** and try again.

CVE-2022-29913: Invalid Bug ID

A missing permission check in Jenkins XP-Dev Plugin 1.0 and earlier allows unauthenticated attackers to trigger builds of jobs corresponding to an attacker-specified repository.

**Missing Authorization in Jenkins XP-Dev Plugin**

Moderate severity GitHub Reviewed Published Nov 16, 2022 • Updated Nov 21, 2022

GHSA-x9wp-gfrr-p5rp: Missing Authorization in Jenkins XP-Dev Plugin

Improper input validation in the built-in web server in Moxa NPort IAW5000A-I/O series firmware version 2.2 or earlier may allow a remote attacker to execute commands.

As of June 15, 2022, this site no longer supports Internet Explorer. Please use another browser for the best experience on our site.

**Please sign in**

**SUMMARY**

**NPort IAW5000A-I/O Series Serial Device Server Vulnerabilities**

*   Security Advisory ID: MPSA-210501
*   Version: V1.0
*   Release Date: May 27, 2021
*   Reference:
    *   CVE-2021-32974
    *   BDU:2021-02699, BDU:2021-02700, BDU:2021-02701, BDU:2021-02702, BDU:2021-02703, BDU:2021-02704, BDU:2021-02705,BDU:2021-02706, BDU:2021-02707, BDU:2021-02708

Multiple product vulnerabilities were identified in Moxa’s NPort IAW5000A-I/O Series Wireless Device Server. In response to this, Moxa has developed related solutions to address these vulnerabilities.

The identified vulnerability types and potential impacts are shown below:

Item

Vulnerability Type

Impact

1

Buffer Overflow (CWE-120)  
BDU:2021-02699, BDU:2021-02702

A buffer overflow in the built-in web server allows remote attackers to initiate a DoS attack.

2

Stack-Based Buffer Overflow (CWE-121)  
BDU:2021-02700, BDU:2021-02701, BDU:2021-02703, BDU:2021-02704, BDU:2021-02708

A buffer overflow in the built-in web server allows remote attackers to initiate a DoS attack and execute arbitrary code (RCE).

3

Improper Input Validation (CWE-20)  
BDU:2021-02705, BDU:2021-02706

Data can be copied without validation in the built-in web server, which allows remote attackers to initiate a DoS attack.

4

OS Command Injection (CWE-78)  
BDU:2021-02707

Improper input validation in the built-in web server allows remote attackers to execute the OS command.

**AFFECTED PRODUCTS AND SOLUTIONS**

**Affected Products:**

The affected products and firmware versions are shown below.

Product Series

Affected Versions

NPort IAW5000A-I/O Series

Firmware Version 2.2 or lower

**Solutions:**

Moxa has developed appropriate solutions to address the vulnerabilities. The solutions for affected products are shown below.

Product Series

Solutions

NPort IAW5000A-I/O Series

Please contact Moxa Technical Support for a security patch.

**Acknowledgment:**

We would like to express our appreciation to Konstantin Kondratev, Evgeniy Druzhinin and Ilya Karpov of Rostelecom-Solar for reporting the vulnerabilities, working with us to help enhance the security of our products, and helping us provide a better service to our customers.  
 

**Revision History:**

VERSION

DESCRIPTION

RELEASE DATE

1.0

First Release

May 27, 2021

**Relevant Products**

NPort IAW5000A-I/O Series ·

*     Print this page
    
*   You can manage and share your saved list in My Moxa
    

**Let’s get that fixed**

If you are concerned about a potential cybersecurity vulnerability, please contact us and one of technical support staff will get in touch with you.

Report a Vulnerability

Search

lenovo warranty check/lookup | check warranty status | lenovo support us