libtiff 4.5.0 is vulnerable to Buffer Overflow via extractContigSamplesShifted8bits() at /libtiff/tools/tiffcrop.c:3753.

Skip to content

Open Issue created Jan 27, 2023 by **Tseng Szu Wei@13579and24680**

**heap-buffer-overflow in extractContigSamplesShifted8bits() at /libtiff/tools/tiffcrop.c:3753 (SIGSEGV)**

**Summary**

An SIGSEGV caused when using tiffcrop.

AddressSanitizer reports it as heap-buffer-overflow.

**Version**

    $ ./tools/tiffcrop  -v
    Library Release: LIBTIFF, Version 4.5.0
    Copyright (c) 1988-1996 Sam Leffler
    Copyright (c) 1991-1996 Silicon Graphics, Inc.
    Tiffcp code: Copyright (c) 1988-1997 Sam Leffler
               : Copyright (c) 1991-1997 Silicon Graphics, Inc
    Tiffcrop additions: Copyright (c) 2007-2010 Richard Nolde
    
    $ git log --oneline -1
    a63e18ca (HEAD -> master, origin/master, origin/HEAD) Merge branch 'add_windows_DLL_versioninfo' into 'master'

**Steps to reproduce****make**

    git clone https://gitlab.com/libtiff/libtiff.git
    cd libtiff
    ./autogen.sh
    ./configure
    make

**run**

    ./tools/tiffcrop -E l -Z 12:50,12:99 -e divided  -R 270  poc  /dev/null
    TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
    TIFFReadDirectory: Warning, Unknown field with tag 292 (0x124) encountered.
    TIFFReadDirectory: Warning, Unknown field with tag 309 (0x135) encountered.
    TIFFReadDirectory: Warning, Unknown field with tag 16658 (0x4112) encountered.
    TIFFReadDirectory: Warning, Unknown field with tag 512 (0x200) encountered.
    TIFFReadDirectory: Warning, Unknown field with tag 32256 (0x7e00) encountered.
    poc: Warning, Nonstandard tile width 1, convert file.
    TIFFFetchNormalTag: Warning, Incorrect count for "FillOrder"; tag ignored.
    TIFFReadDirectory: Warning, Invalid data type for tag StripOffsets.
    TIFFFetchNormalTag: Warning, IO error during reading of "Tag 16658"; tag ignored.
    _TIFFVSetField: poc: Null count for "Tag 32256" (type 1, writecount -3, passcount 1).
    TIFFReadDirectory: Warning, Invalid data type for tag StripByteCounts.
    TIFFAdvanceDirectory: Error fetching directory count.
    Fax4Decode: Bad code word at line 1 of tile 0 (x 0).
    Fax4Decode: Warning, Premature EOL at line 1 of tile 0 (got 0, expected 1).
    Fax4Decode: Bad code word at line 1 of tile 1 (x 0).
    Fax4Decode: Warning, Premature EOL at line 1 of tile 1 (got 0, expected 1).
    Fax4Decode: Warning, Premature EOL at line 2 of tile 1 (got 0, expected 1).
    Fax4Decode: Uncompressed data (not supported) at line 0 of tile 2 (x 0).
    Fax4Decode: Warning, Premature EOL at line 0 of tile 2 (got 0, expected 1).
    Fax4Decode: Uncompressed data (not supported) at line 2 of tile 2 (x 0).
    Fax4Decode: Warning, Premature EOL at line 2 of tile 2 (got 0, expected 1).
    Fax4Decode: Warning, Premature EOL at line 3 of tile 2 (got 0, expected 1).
    Fax4Decode: Bad code word at line 1 of tile 3 (x 0).
    Fax4Decode: Warning, Premature EOL at line 1 of tile 3 (got 0, expected 1).
    Fax4Decode: Warning, Line length mismatch at line 0 of tile 4 (got 2, expected 1).
    Fax4Decode: Warning, Premature EOF at line 14 of tile 4 (x 0).
    Fax4Decode: Warning, Premature EOL at line 14 of tile 4 (got 0, expected 1).
    Fax4Decode: Uncompressed data (not supported) at line 0 of tile 5 (x 0).
    Fax4Decode: Warning, Premature EOL at line 0 of tile 5 (got 0, expected 1).
    Fax4Decode: Uncompressed data (not supported) at line 2 of tile 5 (x 0).
    Fax4Decode: Warning, Premature EOL at line 2 of tile 5 (got 0, expected 1).
    Fax4Decode: Uncompressed data (not supported) at line 4 of tile 5 (x 0).
    Fax4Decode: Warning, Premature EOL at line 4 of tile 5 (got 0, expected 1).
    Fax4Decode: Warning, Premature EOF at line 6 of tile 5 (x 0).
    (... too long ignore)
    
    fish: Job 1, './tools/tiffcrop -E l -Z 12:50,…' terminated by signal SIGSEGV (Address boundary error)

**Platform**

    $ uname -a
    Linux 13579 5.15.0-56-generic #62~20.04.1-Ubuntu SMP Tue Nov 22 21:24:20 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
    
    $ gcc --version
    gcc (Ubuntu 9.4.0-1ubuntu1~20.04.1) 9.4.0
    Copyright (C) 2019 Free Software Foundation, Inc.
    This is free software; see the source for copying conditions.  There is NO
    warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

**ASAN report**

    =================================================================
    ==1821995==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6330000188ec at pc 0x56501555da96 bp 0x7ffc6a94efd0 sp 0x7ffc6a94efc0
    READ of size 1 at 0x6330000188ec thread T0
        #0 0x56501555da95 in extractContigSamplesShifted8bits /home/a13579/fuzz_lib_tiff/report/libtiff_asan/libtiff/tools/tiffcrop.c:3753
        #1 0x565015573ffe in extractSeparateRegion /home/a13579/fuzz_lib_tiff/report/libtiff_asan/libtiff/tools/tiffcrop.c:7605
        #2 0x565015577fd0 in processCropSelections /home/a13579/fuzz_lib_tiff/report/libtiff_asan/libtiff/tools/tiffcrop.c:8621
        #3 0x56501555a0e9 in main /home/a13579/fuzz_lib_tiff/report/libtiff_asan/libtiff/tools/tiffcrop.c:2807
        #4 0x7f9dc504e082 in __libc_start_main ../csu/libc-start.c:308
        #5 0x565015550b6d in _start (/home/a13579/fuzz_lib_tiff/report/libtiff_asan/libtiff/tools/.libs/tiffcrop+0x9b6d)
    
    0x6330000188ec is located 233 bytes to the right of 98307-byte region [0x633000000800,0x633000018803)
    allocated by thread T0 here:
        #0 0x7f9dc5703808 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
        #1 0x7f9dc558af03 in _TIFFmalloc /home/a13579/fuzz_lib_tiff/report/libtiff_asan/libtiff/libtiff/tif_unix.c:326
        #2 0x565015550d00 in limitMalloc /home/a13579/fuzz_lib_tiff/report/libtiff_asan/libtiff/tools/tiffcrop.c:710
        #3 0x565015571998 in loadImage /home/a13579/fuzz_lib_tiff/report/libtiff_asan/libtiff/tools/tiffcrop.c:7087
        #4 0x565015559f86 in main /home/a13579/fuzz_lib_tiff/report/libtiff_asan/libtiff/tools/tiffcrop.c:2783
        #5 0x7f9dc504e082 in __libc_start_main ../csu/libc-start.c:308
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /home/a13579/fuzz_lib_tiff/report/libtiff_asan/libtiff/tools/tiffcrop.c:3753 in extractContigSamplesShifted8bits
    Shadow bytes around the buggy address:
      0x0c667fffb0c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c667fffb0d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c667fffb0e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c667fffb0f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c667fffb100: 03 fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    =>0x0c667fffb110: fa fa fa fa fa fa fa fa fa fa fa fa fa[fa]fa fa
      0x0c667fffb120: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c667fffb130: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c667fffb140: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c667fffb150: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c667fffb160: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==1821995==ABORTING

**poc**

poc

CVE-2023-25435: heap-buffer-overflow in extractContigSamplesShifted8bits()  at /libtiff/tools/tiffcrop.c:3753 (SIGSEGV) (#518) · Issues · libtiff / libtiff · GitLab

A missing permission check in Jenkins NS-ND Integration Performance Publisher Plugin 4.8.0.129 and earlier allows attackers with Overall/Read permissions to connect to an attacker-specified webserver using attacker-specified credentials. Version 4.8.0.130 requires POST requests and Overall/Administer permission for the affected form validation method.

**Jenkins NS-ND Integration Performance Publisher Plugin vulnerable to Missing Authorization**

High severity GitHub Reviewed Published Sep 22, 2022 • Updated Sep 23, 2022

GHSA-j2mj-g8jp-gjfm: Jenkins NS-ND Integration Performance Publisher Plugin vulnerable to Missing Authorization

F-Secure SAFE Browser 19.1 before 19.2 for Android allows an IDN homograph attack.

**STATUS**: Fixed

**RISK LEVEL**: Medium

**FIX**: No user action is required. Newer version 19.2 has been released in the automatic update channel since 22nd Dec 2022..

F‑Secure SAFE browser for Android is vulnerable to an IDN homo­graph attack when displaying messages containing malicious URLs. Trick that can deceive users into thinking they are visiting a legitimate web­site when in fact they are directed to a malicious homo­graph, domain name.

This issue was reported to F‑Secure through the Vulnerability Reward Program. No known exploit or attack has been seen in the wild.

F-Secure Corporation would like to thank Rafi Andhika Galuh for bringing this issue to our attention.

CVE-2022-47524: CVE-2022-47524 | F-Secure

FATEK Automation WinProladder versions 3.30 and prior proper validation of user-supplied data when parsing project files, which could result in a stack-based buffer overflow. An attacker could leverage this vulnerability to execute arbitrary code.

CVE-2021-38430: FATEK Automation WinProladder | CISA

sha256crypt and sha512crypt through 0.6 allow attackers to cause a denial of service (CPU consumption) because the algorithm's runtime is proportional to the square of the length of the password.

Something went wrong, but don’t fret — let’s give it another shot.

CVE-2016-20013

The leak of a draft opinion overturning Roe v. Wade quickly sparked a court investigation. Which laws may have been violated, if any, remains uncertain.

The leak of a seismic draft opinion from the US Supreme Court that would overturn _Roe v. Wade_ has somehow managed overnight to elicit roughly equal outpourings of anger from the right and left: The left has rallied to decry a decision that would overturn a 50-year-old cornerstone of reproductive rights. Conservatives, despite the historic victory the ruling would represent for their side, have meanwhile targeted their political outrage at a far more specific individual: the leaker.

Just hours after Politico published a draft of the majority ruling written by Justice Samuel Alito calling the _Roe_ decision "egregiously wrong from the start" and overruling that five-decade-old precedent, figures across the right issued a chorus of calls for the investigation and prosecution of the anonymous source of the "illegal" leak. CBS News went so far as to report—somewhat vaguely—that it expects an investigation “involving the FBI” into the leak's source. And Chief Justice John Roberts has opened an investigation into the disclosure.

But all of that furor is undermined by an inconvenient legal truth: Leaking a Supreme Court decision doesn't actually seem to be a crime—at least not by any clear and undisputed definition. "Right now, it's unclear whether the leaker broke any law at all," says Trevor Timm, a First Amendment–focused lawyer and the executive director of the Freedom of the Press Foundation. "Even the people claiming this act is beyond the pale and the FBI must investigate haven't pointed to a definitive law this leaker allegedly broke."

Timm cites a lengthy Twitter thread published late Monday by the well-known UC Berkeley legal scholar Orin Kerr, who responded to the leak Monday night by pointing out that a Supreme Court draft doesn't meet any of the obvious criteria that would make it an illegal document to hand to a journalist: Most important, it's not classified, so leaking it doesn't open the leaker to prosecution under the Espionage Act. "As far as I can tell, there is no federal criminal law that directly prohibits disclosure of a draft legal opinion," Kerr concluded.

Of course, if the source is someone who hacked into a computer of, say, a Supreme Court justice or law clerk—or swiped the paper off their desk—the leaker could be prosecuted with computer fraud and abuse or theft, Kerr points out. But otherwise, despite the historical rarity of Supreme Court leaks and the politically radioactive nature of this one, Kerr argues there's no slam-dunk argument to federally prosecute the leaker.

Instead, Kerr suggests that any federal prosecutor seeking to make a case against Politico's leaker might have to resort to a far shakier statute, known as 18 U.S.C. § 641. That broad statute forbids the theft or misuse of government-owned "things of value"—a broadly written law seemingly designed at a surface level to prevent embezzlement or graft by those with access to the government's property. But whether it applies to information—and what kind of information, given to whom—remains an open question in federal law, with different circuit courts fundamentally disagreeing in their rulings.

"Legal scholarship provides little clarity regarding § 641’s interpretation; only a few scholars have even recognized § 641’s application to information," reads a _Columbia Law Review_ article about the statute's use for prosecuting leakers, written by Jessica Lutkenhaus, an attorney focused on criminal defense at the law firm Wilmer Hale. "The circuits disagree about whether § 641 applies to information, and, if it does, what its scope is: What information constitutes a 'thing of value'?"

Sharing information is arguably fundamentally different from stealing "a thing of value," Freedom of the Press Foundation's Timm points out. "You can't steal a government Jeep or take something tangible or physical from government offices," Timm says. "But copying something can be construed as different from stealing something. You copy it, and the original thing is still there, and you just leave with papers that didn't exist before."

That ambiguity has led different federal courts to come to contradictory conclusions. A Fourth Circuit court, for instance, found in 1991 that a Department of Defense employee who left the DOD for a job at a defense contractor and took information with him was guilty of violating § 641. But a Ninth Circuit court has come to an opposite conclusion, finding in a 1959 case that "intangible" goods are not covered by § 641. That ruling was later applied in 1988 by the same circuit to the case of an information leaker, a naval officer accused of stealing computer punch cards related to secret encryption information. The court confirmed that the information itself was not covered by § 641—though his appeal was thrown out anyway because he'd stolen the physical punch cards that stored it.

Other circuit courts have come to conclusions somewhere in between, with some finding, for instance, that the § 641 _does_ apply to information leaks but noting that this doesn't extend to those covered by the First Amendment's protections on free speech and freedom of the press—findings with direct relevance to Politico's Supreme Court leaker.

Several of the most notable leakers in history have been charged under 18 U.S.C. § 641, too, including Daniel Ellsberg, Chelsea Manning, and Edward Snowden. But the use of that law was overshadowed by their prosecution under the Espionage Act, since all three were accused of leaking classified secrets, and none set a clear precedent. Ellsberg's charges were dropped due to improper government conduct by the Nixon administration, and Snowden has yet to face trial. Manning was convicted on the 18 U.S.C. § 641 count she faced, but in a military court, not a civilian one.

All of that leaves the legal status of Politico's leaker—if they are identified—far from certain. But any confident argument that they committed a crime is on equally shaky terrain, argues Timm. And that's especially true in a case where the leaker appears to have leaked a document directly to the press, with a clear interest in making the information public.

"Even if prosecutors think 18 U.S.C. § 641 applies, I'd have serious First Amendment concerns with broadly applying it to anyone who leaks a government document to the press," Timm says. "Leaks to the press are as American as apple pie. And, in many cases throughout history, have furthered democracy rather than hindered it."

More Great WIRED Stories

*   📩 The latest on tech, science, and more: Get our newsletters!
*   Sober influencers and the end of alcohol
*   For mRNA, Covid vaccines are just the beginning
*   The future of the web is AI-generated marketing copy
*   Keep your home connected with the best wi-fi routers
*   How to limit who can contact you on Instagram
*   👁️ Explore AI like never before with our new database
*   🏃🏽‍♀️ Want the best tools to get healthy? Check out our Gear team’s picks for the best fitness trackers, running gear (including shoes and socks), and best headphones

Is Leaking a SCOTUS Opinion a Crime? The Law Is Far From Clear

Unknown senders have been shipping smartwatches to service members, leading to questions regarding what kind of ulterior motive is at play, malware or otherwise.

The US Army's Criminal Investigation Division (CID) is warning service members to look out for unsolicited smartwatches arriving in the mail, which likely carry risks of malware and allowing unauthorized access to sensitive systems.

When used, the smartwatches are able to auto-connect to the local Wi-Fi network, and can also connect to cellphones, thus allowing access to a user's data. The snooped information can be private and used to exploit a victim, the advisory warned, and it's possible that these watches also carry malware that could allow a threat actor to access, save, or transfer data such as banking information, account information, or personal contacts. 

"Most people have heard about techniques involving leaving random malicious USB devices around for curious victims to plug in. This 'surprise smartwatch' tactic leverages the same human curiosity, and grants a threat actor access to some of your most sensitive personal information," said Melissa Bischoping, director of endpoint security research at Tanium, in an emailed comment. "As the adage goes, if it's too good to be true, it probably is, and if you're not paying for the product, you ARE the product."

Alternatively, these mystery smartwatches sent from unknown senders could also be used for a practice known as "brushing," in which presumably counterfeit products are sent via mail to random individuals so that companies can write positive reviews in the name of the person they sent the product to.

Should anyone, military personnel or otherwise, receive a product such as this, the CID advises recipients not to turn it on and to report it to local counterintelligence, or through its "Report a Crime" portal, where individuals can also submit tips.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Suspicious Smartwatches Mailed to US Army Personnel

The hwPartsDFR module has a vulnerability in API calling verification. Successful exploitation of this vulnerability may affect device confidentiality.

HUAWEI is releasing monthly security updates for flagship models. This security update includes HUAWEI and third-party library patches:

This security update includes the following third-party library patches:

This security update includes the CVE announced in the April 2023 Android security bulletin:

Critical: none

High: CVE-2022-40503, CVE-2022-36449, CVE-2022-38181, CVE-2022-41757, CVE-2022-42716, CVE-2021-0872, CVE-2021-0873, CVE-2021-0874, CVE-2021-0875, CVE-2021-0876, CVE-2021-0878, CVE-2021-0879, CVE-2021-0880, CVE-2021-0881, CVE-2021-0882, CVE-2021-0883, CVE-2021-0884, CVE-2021-0885, CVE-2023-20941

Medium: CVE-2023-0266

Low: none

Already included in previous updates: CVE-2023-20906, CVE-2023-20951, CVE-2023-20952, CVE-2023-20954, CVE-2023-20955, CVE-2022-25712, CVE-2022-33245, CVE-2023-21065, CVE-2023-21019, CVE-2023-21018, CVE-2022-20532, CVE-2022-20542, CVE-2023-20996, CVE-2023-20997, CVE-2023-20998, CVE-2023-20999, CVE-2023-21034, CVE-2023-21016, CVE-2023-21024, CVE-2023-21020, CVE-2023-21021, CVE-2023-20994, CVE-2023-21025, CVE-2023-21032

※ For more information on security patches, please refer to the Android security bulletins (https://source.android.com/security/bulletin).

This security update includes the following HUAWEI patches:

CVE-2021-46881: Memory overwriting vulnerability caused by addition overflow in the video framework

Severity: Critical

Affected versions: EMUI 12.0.1, EMUI 12.0.0, EMUI 11.0.0, EMUI 10.1.1, EMUI 10.1.0

Impact: Successful exploitation of this vulnerability can affect availability.

CVE-2021-46882: Memory overwriting vulnerability caused by addition overflow in the video framework

Severity: Critical

Affected versions: EMUI 12.0.1, EMUI 12.0.0, EMUI 11.0.0, EMUI 10.1.1, EMUI 10.1.0

Impact: Successful exploitation of this vulnerability can affect availability.

CVE-2021-46883: Memory overwriting vulnerability caused by addition overflow in the video framework

Severity: Critical

Affected versions: EMUI 12.0.1, EMUI 12.0.0, EMUI 11.0.0, EMUI 10.1.1, EMUI 10.1.0

Impact: Successful exploitation of this vulnerability can affect availability.

CVE-2021-46884: Memory overwriting vulnerability caused by addition overflow in the video framework

Severity: Critical

Affected versions: EMUI 12.0.1, EMUI 12.0.0, EMUI 11.0.0, EMUI 10.1.1, EMUI 10.1.0

Impact: Successful exploitation of this vulnerability can affect availability.

CVE-2021-46885: Memory overwriting vulnerability caused by addition overflow in the video framework

Severity: High

Affected versions: EMUI 12.0.1, EMUI 12.0.0, EMUI 11.0.0, EMUI 10.1.1, EMUI 10.1.0

Impact: Successful exploitation of this vulnerability can affect availability.

CVE-2021-46886: Memory overwriting vulnerability caused by addition overflow in the video framework

Severity: High

Affected versions: EMUI 12.0.1, EMUI 12.0.0, EMUI 11.0.0, EMUI 10.1.1, EMUI 10.1.0

Impact: Successful exploitation of this vulnerability can affect availability.

CVE-2021-46887: Lack of length check vulnerability in the HW\_KEYMASTER module

Severity: High

Affected versions: EMUI 11.0.0, EMUI 10.1.1, EMUI 10.1.0

Impact: Successful exploitation of this vulnerability may cause out-of-bounds read.

CVE-2022-48480: Integer overflow vulnerability in some phones

Severity: High

Affected versions: EMUI 11.0.0, EMUI 10.1.1, EMUI 10.1.0

Impact: Successful exploitation of this vulnerability may affect service confidentiality.

CVE-2023-0116: Vulnerability of missing authentication for some received broadcasts in the reminder module

Severity: Medium

Affected versions: EMUI 13.0.0, EMUI 12.0.1, EMUI 12.0.0

Impact: Successful exploitation of this vulnerability may affect availability.

CVE-2023-0117: Vulnerability of unstrict app identity verification in the online authentication function of the hwKitAssistant module

Severity: Medium

Affected versions: EMUI 13.0.0

Impact: Successful exploitation of this vulnerability may affect the availability of some features, such as MeeTime.

CVE-2023-31225: Service hijacking vulnerability in the Gallery app

Severity: Medium

Affected versions: EMUI 13.0.0, EMUI 12.0.1, EMUI 12.0.0, EMUI 11.0.1

Impact: Attackers can use malicious apps to spoof services, which may cause download failures and affect availability.

CVE-2023-31226: Improper permission verification vulnerability in the SDK on which the MediaPlaybackController module depends

Severity: Medium

Affected versions: EMUI 13.0.0

Impact: Successful exploitation of this vulnerability may affect confidentiality.

CVE-2023-31227: Vulnerability of missing API calling verification in the hwPartsDFR module

Severity: Medium

Affected versions: EMUI 13.0.0

Impact: Attackers can exploit this vulnerability by using reflection for API calling, affecting device confidentiality.

CVE-2023-31227: May

It won’t solve all of your privacy problems, but a virtual private network can make you a less tempting target for hackers.

A virtual private network (VPN) is like a protective tunnel you can use to pass through a public network, protecting your data from outside eyes. Whether you're worried about hiding your browsing activity from your internet service provider so it doesn't sell your data to advertisers, or you want to stay safe on a public Wi-Fi hot spot to keep nearby digital snoops from capturing your passwords, a VPN can help protect you.

However, while a VPN will keep you safe at your local coffee shop, it comes with a cost. Using a VPN means your VPN provider will know everything about your browsing habits. This makes VPN providers a target for hackers. Be sure you even need one before you read on.

Picking the right VPN service is serious business. Most VPN providers say they keep no logs of their users' activity, but this is rarely verified. You're stuck taking companies at their word. For this reason, we've limited our testing to VPN providers that have been independently audited by security firms and have published the results.

To help you sort out when and why you might want a VPN, as well as why you might not, be sure to read through our complete guide to VPNs below. If you're sure you want to use a VPN, here are our top picks among commercial VPN providers.

_Updated September 2022: We've included some updated speed test results, included some new features from Surfshark, and noted our experiences paying for Mullvad with bitcoin._

_Special offer for Gear readers: Get a_ _**1-year subscription to**_ **WIRED** _**for $5 ($25 off)**__. This includes unlimited access to_ WIRED._com and our print magazine (if you'd like). Subscriptions help fund the work we do every day._

> If you buy something using links in our stories, we may earn a commission. This helps support our journalism. Learn more.

Best for Most People

**Surfshark VPN**

Surfshark wouldn't be my top pick if my life depended on my VPN, but for most of us that's not the case. If you just want a way to get around some geographical restrictions on content (aka access Netflix) and protect your traffic while using an open Wi-Fi hot spot, Surfshark is a good choice. It's secure, and it provides a great value for the money if you pay for two years up front.

Surfshark offers a kill switch that automatically stops your traffic if your VPN connection fails, and it supports multihop VPN connects, which means your traffic goes from your machine to a VPN server to another VPN server, and then to the destination server. This provides an extra layer of protection should the VPN itself be compromised, though there is a corresponding speed hit when using a multihop connection. The company also recently added support for manual Wireguard configuration. Most people will be fine sticking with Surfshark's apps, but if you're trying to connect your entire network to Surfshark directly through a router, the manual configuration will be welcome news.

In my testing over the years, Surfshark has consistently had some of the best speeds of any VPN I've used. Yes, it is slower than not using a VPN, but I have never had any problem streaming HD content through Surfshark. It's fast enough that in most cases you won't notice any speed degradation at all.

Surfshark is based in the British Virgin Islands, which, although technically a territory of Great Britain, is generally considered a safe haven and has no data-retention laws. What I don't like is that Surfshark is legally untested. The company has a zero-log policy, and you can (and should) opt out of the diagnostic crash reports in the app. Still, you're taking Surfshark at its word when it says it won't keep logs of your internet activity. Encouragingly, the company's browser extensions have undergone an independent security audit that didn't turn up any significant problems. 

Surfshark recently merged with NordVPN. So far we have not noticed any changes for its customers, but we will be keeping an eye on it going forward.

**Surfshark costs $2.50 per month if you buy two years up front, $4 per month if you buy one year up front.**

Best for Advanced Users

**Mullvad VPN**

Mullvad is based in Sweden and first came to my attention because of its early support for WireGuard, a faster protocol for tunneling VPN traffic.

Another thing I like is Mullvad's system for accepting cash payments. If you prefer to remain totally anonymous, you can generate a random account number, write that number down on a slip of paper, and mail it, along with cash, to Sweden. In theory, no one will be able to connect you to that account. (The truly paranoid will don a tinfoil hat, wear gloves, print from a public printer, and mail from a remote mailbox.) I have not tested the cash option, but I did recently extend my Mullvad subscription using bitcoin and it worked without a hitch.

Part of what I like about Mullvad is its down-to-earth approach that doesn't overhype with its marketing and helps users take additional steps to protect their privacy. For example, the company has an entire page showing you how to disable WebRTC in your web browser. As long as WebRTC is enabled (and it is by default in most browsers), websites can view your actual IP address even when you use a VPN.

Mullvad offers apps for every major platform, as well as routers. The applications are all open source, and you can check the code yourself on GitHub. The service has been independently audited as well. Advanced users can download configuration files and use them directly with OpenVPN or Wireguard.

In my testing, speeds were very good. I never encountered a situation where I couldn't get a fast connection. Over the years Mullvad has become the VPN I rely on day-to-day.

**Mullvad VPN costs 5 euros (around $6) per month, cash or charge.**

Best for VPN Newcomers

**TunnelBear VPN**

Choosing a VPN can be overwhelming. If you're tired of security mumbo jumbo and lock icons, TunnelBear might be the VPN for you. Its cute bear animations help demystify what VPNs do, how they work, and what they can offer you. Sometimes the easiest way to make technology more approachable is to put a friendly face on it.

Don't worry though, TunnelBear isn't all cute bear animations. It has the same security features as other VPN providers, like a no-logging policy and a clear privacy policy, and it's been independently audited.

In my testing, speeds with TunnelBear were competitive with the other options listed here. One of my favorite parts of TunnelBear is the free trial option, which makes it easy to test-drive it and see what your speeds are like without committing. TunnelBear has fewer geographic server locations than some of our other options, but unless you're traveling abroad or need to get around a specific geo-restriction, that shouldn't matter for most users.

**TunnelBear costs $3.33 per month if you buy one year up front****.**

Best for Circumventing Geographic Restrictions

**NordVPN**

NordVPN is one of the most popular VPNs around, thanks to a wide selection of servers and reasonable prices. It's also one of the most reliable ways I've found to circumvent location-based restrictions. I used it extensively while living in Mexico to get around Netflix's geographic restrictions. That said, this is a cat-and-mouse game; Netflix is always updating its server ban list, so NordVPN might not work in the future.

NordVPN is based out of Panama, which is not part of the Five Eyes, Nine Eyes, or 14 Eyes jurisdictions. That doesn't mean your government can't spy on you, but it does at least mean it will have to put in some extra legwork to do it (yes, that's about where we are these days). NordVPN has been audited a number of times, most recently in June of last year, when third-party auditor VerSprite found nothing amiss. As noted above, NordVPN and Surfshark recently announced a merger. Both will continue to operate as separate entities, but they are now a single company.

NordVPN also recently added a new service dubbed Threat Protection, which will block web-based trackers, phishing attempts, some ads, and malicious websites. I have not tested it extensively, and I personally rely on browser-based plug-ins to block threats like this. But if you're looking for an all-in-one solution, this might work.

I've never had an issue with speed using NordVPN, and the user interface of its apps is dead simple. Just click the country you want to use and the app will take care of connecting and configuring everything for you. If you want manual control, you can connect by using NordVPN's configuration files.

**NordVPN costs $5 per month if you buy one year up front. It also has frequent sales on a two-year deal that works out to about $3 a month.**

Best for High-Risk Use Cases

**Tor**

If you're in a situation where personal security is of the utmost importance, do not rely on a VPN. Use Tor (ideally through Tails) instead.

Using the Tor network accomplishes some of the same things as a VPN, but it's a little bit different. Tor provides anonymity, meaning no one can figure out who you are, but not necessarily privacy. People still might be able to see what you're doing, they just won't know it's you doing it. (VPNs provide privacy because no one can see what you're doing while you're going out of a VPN tunnel, but you don't have anonymity because the VPN provider knows who you are.)

Tor is simple to set up. All you need to do is download the Tor browser, and it will connect you to the web. Once you're connected to the Tor network, you can browse the web as you normally would. Except everything will be slower. When using Tor, your request for a website hops around the Tor network, bouncing between servers, before emerging and connecting to the actual site you want to visit. This makes Tor slow, sometimes incredibly slow, but that's necessary to protect your anonymity. And yes, you can combine a VPN with Tor, though that's somewhat beyond the scope of this guide.

How We Picked

VPN providers like to claim they keep no logs, which means they know nothing about what you do using their services. There are a variety of reasons to be skeptical about this claim, namely because they have to have a user ID of some kind tied to a payment method, which means the potential exists to link your credit card number (and thus your identity) to your browsing activity.

For that reason, I mainly limited my testing to providers that have been subpoenaed for user data in the US or Europe and failed to produce the logs or have at least undergone a third-party security audit. While these criteria can't guarantee the providers aren't saving log data, this method of selection gives us a starting point for filtering through the hundreds of VPN providers. Unfortunately other factors also come into play, VPNs that once made our list—Like ExpressVPN—are sometimes sold to less reputable companies. In cases like ExpressVPN I chose to remove it mainly because I have no way to know if it remains trustworthy or not.

Using these criteria, I narrowed the field to the most popular, reputable VPN providers and began testing them over a variety of networks (4G, cable, FiOS, and plenty of painfully slow coffee shop networks) over the past nine months. I tested network speed and ease of use (how you connect), and I also considered available payment methods, how often connections dropped, and any slowdowns I encountered.

Why You Might Not Need a VPN

It's important to understand not just what a VPN can do, but also what it can't do. As noted above, VPNs act like a protective tunnel. A VPN shields you from people trying to snoop on your traffic while it's in transit between your computer and the website you're browsing or the service you're using.

Public networks that anyone can join—even if they have to use a password to connect—are easy hunting grounds for attackers who want to see your network data. If your data is being sent unencrypted—like if the website you're connecting to doesn't use the secure HTTPS method—the amount of information an attacker can gather from you can be disastrous. Web browsers make it easy to tell when your connection is secure. Just look for a green lock icon at the top of your screen next to the web address. These days, most websites connect using HTTPS, so you're probably fine. But if that green lock icon isn't there, as it sometimes isn't on school, library, and small business websites, anyone can view whatever data you're sending. Unless you're using a VPN, which hides all of your activity, even on unencrypted websites.

Just connecting to a VPN isn't enough. Be sure to check out our guide to using a VPN to make sure you have everything set up correctly.

A VPN also changes your IP address, which adds an additional layer of protection. By giving you a different IP address, a VPN can make it appear as though you're in a different physical location. So even if you're sitting in California, the website you're accessing will think you're in Canada, Hungary, Uruguay, or Thailand. Unfortunately, this method of obscuring your location is not airtight. Technology built into web browsers that's known as WebRTC can leak your true IP address even when you're using a VPN. If this is a concern, disable WebRTC in your browser before connecting to a VPN. Mullvad has instructions on how to disable WebRTC in most browsers.

It's debatable how much masking your IP address really helps protect your privacy in the first place. Your IP address is only one of many, many bits of data websites collect about you. If privacy is your concern, you're better off using web browsers (and extensions) that offer additional tools to protect your privacy. Mozilla Firefox has several of these tools available. Or if you want to get serious about it, use the ultra-private Tor browser as noted above.

To add to the confusion around VPNs, providers—even some I've recommended here, unfortunately—often engage in misleading marketing. Nearly every VPN service website I visited had some kind of red banner claiming I was “not protected,” even when I was using a VPN at the time. The problem is that I wasn't using _their_ VPN. More honest VPN providers, like Mullvad, tell you what's actually happening: “You're not protected _by Mullvad_.” Kudos to Mullvad for not using fear to sell subscriptions.

Either way, the important thing to remember is that using a VPN does not make you anonymous. While VPNs may not be able to do much to protect your privacy, they are an essential tool when it comes to protecting you from snoops trying to gather your unencrypted data sent over insecure networks.

The Best VPNs to Protect Yourself Online

Integer underflow in grub_net_recv_ip4_packets; A malicious crafted IP packet can lead to an integer underflow in grub_net_recv_ip4_packets() function on rsm->total_len value. Under certain circumstances the total_len value may end up wrapping around to a small integer number which will be used in memory allocation. If the attack succeeds in such way, subsequent operations can write past the end of the buffer.

*   Products
    *   Openwall GNU/\*/Linux   _server OS_
    *   Linux Kernel Runtime Guard
    *   John the Ripper   _password cracker_
        *   Free & Open Source for any platform
        *   in the cloud
        *   Pro for Linux
        *   Pro for macOS
    *   Wordlists   _for password cracking_
    *   passwdqc   _policy enforcement_
        *   Free & Open Source for Unix
        *   Pro for Windows (Active Directory)
    *   yescrypt   _KDF & password hashing_
    *   yespower   _Proof-of-Work (PoW)_
    *   crypt\_blowfish   _password hashing_
    *   phpass   _ditto in PHP_
    *   tcb   _better password shadowing_
    *   Pluggable Authentication Modules
    *   scanlogd   _port scan detector_
    *   popa3d   _tiny POP3 daemon_
    *   blists   _web interface to mailing lists_
    *   msulogin   _single user mode login_
    *   php\_mt\_seed   _mt\_rand() cracker_
*   Services
*   Publications
    *   Articles
    *   Presentations
*   Resources
    *   Mailing lists
    *   Community wiki
    *   Source code repositories (GitHub)
    *   Source code repositories (CVSweb)
    *   File archive & mirrors
    *   How to verify digital signatures
    *   OVE IDs
*   What's new

\[<prev\] \[next>\] \[day\] \[month\] \[year\] \[list\]

Date: Tue, 7 Jun 2022 19:04:13 +0000
From: John Haxby <john.haxby@...cle.com>
To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>
CC: Daniel Kiper <daniel.kiper@...cle.com>
Subject: \[SECURITY PATCH 00/30\]  Multiple GRUB2 vulnerabilities - 2022/06/07
 round

\[ This message was sent to grub-devel@....org.   It's archived at.    \]
\[ https://lists.gnu.org/archive/html/grub-devel/2022-06/msg00035.html \]
\[ and the 30 individual patches are linked from there as well as in.  \]
\[ the git repo. These issues were previously brought to the.          \]
\[ linux-distros list.                                                 \]


Hi all,

This patch set contains a bundle of fixes for various security flaws discovered
in the GRUB2 during last year. The most severe ones, i.e. potentially exploitable,
have CVEs assigned and are listed at the end of this email. Additionally, the list
of CVEs contains a CVE assigned for the shim vulnerability. It has been added
for completeness.

Details of exactly what needs updating will be provided by the respective
distros and vendors when updates become available. Here \[1\] we are listing at
least some links to the messaging known at the time of this posting.

Full mitigation against all CVEs will require updated shim with latest SBAT
(Secure Boot Advanced Targeting) \[2\] data provided by distros and vendors.
This time UEFI revocation list (dbx) will not be used and revocation of broken
artifacts will be done with SBAT only. For information on how to apply the
latest SBAT revocations, please see mokutil(1). Vendor shims may explicitly
permit known older boot artifacts to boot.

Updated GRUB2, shim and other boot artifacts from all the affected vendors will
be made available when the embargo lifts or some time thereafter.

I am posting all the GRUB2 upstream patches which fix all security bugs found
and reported up until now. Major Linux distros carry or will carry soon one
form or another of these patches. Now all the GRUB2 upstream patches are in
the GRUB2 git repository \[3\] too.

I would like to thank, in alphabetical order, the following people who were working
really hard on the GRUB, shim and other things related to these issues:
 - Alec Brown (Oracle),
 - Alexander Burmashev (Oracle),
 - Andrew Cooper (Citrix),
 - Chris Coulson (Canonical),
 - D. Jared Dominguez (Red Hat),
 - Daniel Axtens,
 - Darren Kenny (Oracle),
 - Eric Snowberg (Oracle),
 - Ilya Okomin (Oracle),
 - Jagannathan Raman (Oracle),
 - Jan Setje-Eilers (Oracle),
 - Jeremiah Cox,
 - John Haxby (Oracle),
 - Julian Andres Klode (Canonical),
 - Lidong Chen (Oracle),
 - Marco A Benatto (Red Hat),
 - Marcus Meissner (SUSE),
 - Marta Lewandowska (Red Hat),
 - Michael Chang (SUSE),
 - Peter Jones (Red Hat),
 - Petr Janda (Red Hat),
 - Robbie Harwood (Red Hat),
 - Robert Truxal (Microsoft),
 - Ross Philipson (Oracle),
 - Steve McIntyre (Debian),
 - Sudhakar Kuppusamy (IBM),
 - Tamas K Lengyel (Intel),
 - Todd Cullum (Red Hat),
 - Vikram Narayanan (University of California Irvine).

We would not be able to succeed without all your hard work.

It was very big pleasure to work with you all.

Thank you!

Daniel

\[1\] Red Hat: https://access.redhat.com/security/security-updates/#/
   SUSE:    https://www.suse.com/support/kb/doc/?id=000020668

\[2\] https://github.com/rhboot/shim/blob/main/SBAT.md

\[3\] https://git.savannah.gnu.org/gitweb/?p=grub.git
   https://git.savannah.gnu.org/git/grub.git

\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*

CVE-2021-3695 grub2: Crafted PNG grayscale images may lead to out-of-bounds write in heap
7.5/CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

A crafted 16-bit grayscale PNG image may lead to a out-of-bounds write in the
heap area. An attacker may take advantage of that to cause heap data corruption
or eventually arbitrary code execution and circumvent secure boot protections.
This issue has a high complexity to be exploited as an attacker needs to
perform some triage over the heap layout to achieve significant results, also
the values written into the memory are repeated three times in a row making
difficult to produce valid payloads.

Reported-by: Daniel Axtens

\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*

CVE-2021-3696 grub2: Crafted PNG image may lead to out-of-bound write during huffman table handling
5/CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:L

A heap out-of-bounds write may happen during the handling of Huffman tables in
the PNG reader. This may lead to data corruption in the heap space.
Confidentiality, Integrity and Availability impact may be considered Low as it's
very complex to an attacker control the encoding and positioning of corrupted
Huffman entries to achieve results such as arbitrary code execution and/or
secure boot circumvention.

Reported-by: Daniel Axtens

\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*

CVE-2021-3697 grub2: Crafted JPEG image can lead to buffer underflow write in the heap
7.5/CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

A crafted JPEG image may lead the JPEG reader to underflow its data pointer,
allowing user controlled data to be written in heap. To be successfully
performed the attacker needs to do some triage over the heap layout and craft
an image with a malicious format and payload. This vulnerability can lead to
data corruption and eventual code execution or secure boot circumvention.

Reported-by: Daniel Axtens

\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*

CVE-2022-28733 grub2: Integer underflow in grub\_net\_recv\_ip4\_packets
8.1/CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

A malicious crafted IP packet can lead to an integer underflow in
grub\_net\_recv\_ip4\_packets() function on rsm->total\_len value. Under certain
circumstances the total\_len value may end up wrapping around to a small integer
number which will be used in memory allocation. If the attack succeeds in such
way, subsequent operations can write past the end of the buffer.

Reported-by: Daniel Axtens

\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*

CVE-2022-28734 grub2: Out-of-bounds write when handling split HTTP headers
7/CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H

When handling split HTTP headers, GRUB2 HTTP code accidentally moves its
internal data buffer point by one position. This can lead to a out-of-bound
write further when parsing the HTTP request, writing a NULL byte past the
buffer. It's conceivable that an attacker controlled set of packets can lead
to corruption of the GRUB2's internal memory metadata.

Reported-by: Daniel Axtens

\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*

CVE-2022-28735 grub2: shim\_lock verifier allows non-kernel files to be loaded
6.7/CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

The GRUB2's shim\_lock verifier allows non-kernel files to be loaded on shim-powered
secure boot systems. Allowing such files to be loaded may lead to unverified
code and modules to be loaded in GRUB2 breaking the secure boot trust-chain.

Reported-by: Julian Andres Klode

\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*

CVE-2022-28736 grub2: use-after-free in grub\_cmd\_chainloader()
6.4/CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

There's a use-after-free vulnerability in grub\_cmd\_chainloader() function. The
chainloader command is used to boot up operating systems that doesn't support
multiboot and do not have direct support from GRUB2. When executing chainloader
more than once a use-after-free vulnerability is triggered. If an attacker can
control the GRUB2's memory allocation pattern sensitive data may be exposed and
arbitrary code execution can be achieved.

Reported-by: Chris Coulson

\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*

CVE-2022-28737: shim: Buffer overflow when loading crafted EFI images
6.5/CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H

There's a possible overflow in handle\_image() when shim tries to load and execute
crafted EFI executables. The handle\_image() function takes into account the SizeOfRawData
field from each section to be loaded. An attacker can leverage this to perform
out-of-bound writes into memory. Arbitrary code execution is not discarded in
such scenario.

Reported-by: Chris Coulson

\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*

grub-core/commands/boot.c          |  66 +++++++++++++++++++++++++++++++++++++++++++++++-------
grub-core/fs/btrfs.c               | 105 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
grub-core/fs/f2fs.c                |  58 ++++++++++++++++++++++++++++++++++++-----------
grub-core/kern/efi/sb.c            |  39 +++++++++++++++++++++++++++++---
grub-core/kern/file.c              |   2 ++
grub-core/loader/efi/chainloader.c |  46 ++++++++++++++++++++------------------
grub-core/net/dns.c                |  25 ++++++++++++++++-----
grub-core/net/http.c               |  17 +++++++++-----
grub-core/net/ip.c                 |  10 ++++++++-
grub-core/net/net.c                |  11 +++++++--
grub-core/net/netbuff.c            |  13 +++++++++++
grub-core/net/tftp.c               |   3 ++-
grub-core/normal/charset.c         |   2 ++
grub-core/video/readers/jpeg.c     | 106 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++----------------
grub-core/video/readers/png.c      | 158 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++------------------------------------------------------------------------
include/grub/loader.h              |   5 +++++
include/grub/net.h                 |   1 +
include/grub/verify.h              |   1 +
18 files changed, 501 insertions(+), 167 deletions(-)

Chris Coulson (3):
     loader/efi/chainloader: Simplify the loader state
     commands/boot: Add API to pass context to loader
     loader/efi/chainloader: Use grub\_loader\_set\_ex()

Daniel Axtens (20):
     kern/file: Do not leak device\_name on error in grub\_file\_open()
     video/readers/png: Abort sooner if a read operation fails
     video/readers/png: Refuse to handle multiple image headers
     video/readers/png: Drop greyscale support to fix heap out-of-bounds write
     video/readers/png: Avoid heap OOB R/W inserting huff table items
     video/readers/png: Sanity check some huffman codes
     video/readers/jpeg: Abort sooner if a read operation fails
     video/readers/jpeg: Do not reallocate a given huff table
     video/readers/jpeg: Refuse to handle multiple start of streams
     video/readers/jpeg: Block int underflow -> wild pointer write
     normal/charset: Fix array out-of-bounds formatting unicode for display
     net/ip: Do IP fragment maths safely
     net/netbuff: Block overly large netbuff allocs
     net/dns: Fix double-free addresses on corrupt DNS response
     net/dns: Don't read past the end of the string we're checking against
     net/tftp: Prevent a UAF and double-free from a failed seek
     net/tftp: Avoid a trivial UAF
     net/http: Do not tear down socket if it's already been torn down
     net/http: Fix OOB write for split http headers
     net/http: Error out on headers with LF without CR

Darren Kenny (3):
     fs/btrfs: Fix several fuzz issues with invalid dir item sizing
     fs/btrfs: Fix more ASAN and SEGV issues found with fuzzing
     fs/btrfs: Fix more fuzz issues related to chunks

Julian Andres Klode (1):
     kern/efi/sb: Reject non-kernel files in the shim\_lock verifier

Sudhakar Kuppusamy (3):
     fs/f2fs: Do not read past the end of nat journal entries
     fs/f2fs: Do not read past the end of nat bitmap
     fs/f2fs: Do not copy file names that are too long

**Download attachment "**signature.asc**" of type "**application/pgp-signature**" (269 bytes)**

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.

Search

lenovo warranty check/lookup | check warranty status | lenovo support us