OpenSMTPD before 6.6.4 allows remote code execution because of an out-of-bounds read in mta_io in mta_session.c for multi-line replies. Although this vulnerability affects the client side of OpenSMTPD, it is possible to attack a server because the server code launches the client code during bounce handling.

For security advisories for specific releases, click below:

2.0, 2.1, 2.2, 2.3, 2.4, 2.5, 2.6, 2.7, 2.8, 2.9, 3.0, 3.1, 3.2, 3.3, 3.4, 3.5,  
3.6, 3.7, 3.8, 3.9, 4.0, 4.1, 4.2, 4.3, 4.4, 4.5, 4.6, 4.7, 4.8, 4.9, 5.0, 5.1,  
5.2, 5.3, 5.4, 5.5, 5.6, 5.7, 5.8, 5.9, 6.0, 6.1, 6.2, 6.3, 6.4, 6.5, 6.6, 6.7,  
6.8, 6.9, 7.0, 7.1, 7.2.  

*   **Goals**
    
    OpenBSD believes in strong security. Our aspiration is to be NUMBER ONE in the industry for security (if we are not already there). Our open software development model permits us to take a more uncompromising view towards increased security than most vendors are able to. We can make changes the vendors would not make. Also, since OpenBSD is exported with cryptography, we are able to take cryptographic approaches towards fixing security problems.
    
*   **Full Disclosure**
    
    Like many readers of the BUGTRAQ mailing list, we believe in full disclosure of security problems. In the operating system arena, we were probably the first to embrace the concept. Many vendors, even of free software, still try to hide issues from their users.
    
    Security information moves very fast in cracker circles. On the other hand, our experience is that coding and releasing of proper security fixes typically requires about an hour of work — very fast fix turnaround is possible. Thus we think that full disclosure helps the people who really care about security.
    
*   **Audit Process**
    
    Our security auditing team typically has between six and twelve members who continue to search for and fix new security holes. We have been auditing since the summer of 1996. The process we follow to increase security is simply a comprehensive file-by-file analysis of every critical software component. We are not so much looking for security holes, as we are looking for basic software bugs, and if years later someone discovers the problem used to be a security issue, and we fixed it because it was just a bug, well, all the better. Flaws have been found in just about every area of the system. Entire new classes of security problems have been found during our audit, and often source code which had been audited earlier needs re-auditing with these new flaws in mind. Code often gets audited multiple times, and by multiple people with different auditing skills.
    
    Some members of our security auditing team worked for Secure Networks, the company that made the industry's premier network security scanning software package Ballista (Secure Networks got purchased by Network Associates, Ballista got renamed to Cybercop Scanner, and well...) That company did a lot of security research, and thus fit in well with the OpenBSD stance. OpenBSD passed Ballista's tests with flying colours since day 1.
    
    Another facet of our security auditing process is its proactiveness. In most cases we have found that the determination of exploitability is not an issue. During our ongoing auditing process we find many bugs, and endeavor to fix them even though exploitability is not proven. We fix the bug, and we move on to find other bugs to fix. We have fixed many simple and obvious careless programming errors in code and only months later discovered that the problems were in fact exploitable. (Or, more likely someone on BUGTRAQ would report that other operating systems were vulnerable to a newly discovered problem, and then it would be discovered that OpenBSD had been fixed in a previous release). In other cases we have been saved from full exploitability of complex step-by-step attacks because we had fixed one of the intermediate steps. An example of where we managed such a success is the lpd advisory that Secure Networks put out.
    
*   **New Technologies**
    
    As we audit source code, we often invent new ways of solving problems. Sometimes these ideas have been used before in some random application written somewhere, but perhaps not taken to the degree that we do.
    
    *   strlcpy() and strlcat()
    *   Memory protection purify
        *   W^X
        *   .rodata segment
        *   Guard pages
        *   Randomized malloc()
        *   Randomized mmap()
        *   atexit() and stdio protection
    *   Privilege separation
    *   Privilege revocation
    *   Chroot jailing
    *   New uids
    *   ProPolice
    *   ... and others
*   **The Reward**
    
    Our proactive auditing process has really paid off. Statements like This problem was fixed in OpenBSD about 6 months ago have become commonplace in security forums like BUGTRAQ.
    
    The most intense part of our security auditing happened immediately before the OpenBSD 2.0 release and during the 2.0→2.1 transition, over the last third of 1996 and first half of 1997. Thousands (yes, thousands) of security issues were fixed rapidly over this year-long period; bugs like the standard buffer overflows, protocol implementation weaknesses, information gathering, and filesystem races. Hence most of the security problems that we encountered were fixed before our 2.1 release, and then a far smaller number needed fixing for our 2.2 release. We do not find as many problems anymore, it is simply a case of diminishing returns. Recently the security problems we find and fix tend to be significantly more obscure or complicated. Still we will persist for a number of reasons:
    
    *   Occasionally we find a simple problem we missed earlier. Doh!
    *   Security is like an arms race; the best attackers will continue to search for more complicated exploits, so we will too.
    *   Finding and fixing subtle flaws in complicated software is a lot of fun.
    
    The auditing process is not over yet, and as you can see we continue to find and fix new security flaws.
    
*   **Secure by Default**
    
    To ensure that novice users of OpenBSD do not need to become security experts overnight (a viewpoint which other vendors seem to have), we ship the operating system in a Secure by Default mode. All non-essential services are disabled. As the user/administrator becomes more familiar with the system, he will discover that he has to enable daemons and other parts of the system. During the process of learning how to enable a new service, the novice is more likely to learn of security considerations.
    
    This is in stark contrast to the increasing number of systems that ship with NFS, mountd, web servers, and various other services enabled by default, creating instantaneous security problems for their users within minutes after their first install.
    
*   **Cryptography**
    
    And of course, since the OpenBSD project is based in Canada, it is possible for us to integrate cryptography. For more information, read the page outlining what we have done with cryptography.
    
*   **Advisories**
    
    Please refer to the links at the top of this page.
    
*   **Watching our Changes**
    
    Since we take a proactive stance with security, we are continually finding and fixing new security problems. Not all of these problems get widely reported because (as stated earlier) many of them are not confirmed to be exploitable; many simple bugs we fix do turn out to have security consequences we could not predict. We do not have the time resources to make these changes available in the above format.
    
    Thus there are usually minor security fixes in the current source code beyond the previous major OpenBSD release. We make a limited guarantee that these problems are of minimal impact and unproven exploitability. If we discover that a problem definitely matters for security, patches will show up here **VERY** quickly.
    
    People who are really concerned with security can do a number of things:
    
    *   If you understand security issues, watch our source-changes mailing list and keep an eye out for things which appear security related. Since exploitability is not proven for many of the fixes we make, do not expect the relevant commit message to say SECURITY FIX!. If a problem is proven and serious, a patch will be available here very shortly after.
    *   Track our current source code tree, and teach yourself how to do a complete system build from time to time (read /usr/src/Makefile carefully). Users can make the assumption that the current source tree always has stronger security than the previous release. However, building your own system from source code is not trivial; it is over 850MB of source code, and problems do occur as we transition between major releases.
    *   Install a binary snapshot for your architecture, which are made available fairly often. For instance, an amd64 snapshot is typically made available daily.
*   **Reporting problems**
    
    If you find a new security problem, you can mail it to security@openbsd.org.  
    If you wish to PGP encode it (but please only do so if privacy is very urgent, since it is inconvenient) use this pgp key.
    
*   **Further Reading**
    
    Numerous papers have been written by OpenBSD team members, many dedicated to security.

CVE-2020-8794: OpenBSD: Security

OpenBSD through 6.6 allows local users to escalate to root because a check for LD_LIBRARY_PATH in setuid programs can be defeated by setting a very small RLIMIT_DATA resource limit. When executing chpass or passwd (which are setuid root), _dl_setup_env in ld.so tries to strip LD_LIBRARY_PATH from the environment, but fails when it cannot allocate memory. Thus, the attacker is able to execute their own library code as root.

For errata on a certain release, click below:  
2.0, 2.1, 2.2, 2.3, 2.4, 2.5, 2.6, 2.7, 2.8, 2.9, 3.0, 3.1, 3.2, 3.3, 3.4, 3.5,  
3.6, 3.7, 3.8, 3.9, 4.0, 4.1, 4.2, 4.3, 4.4, 4.5, 4.6, 4.7, 4.8, 4.9, 5.0, 5.1,  
5.2, 5.3, 5.4, 5.5, 5.6, 5.7, 5.8, 5.9, 6.0, 6.1, 6.2, 6.3, 6.4, 6.5, 6.7, 6.8,  
6.9, 7.0, 7.1, 7.2.

Patches for the OpenBSD base system are distributed as unified diffs. Each patch is cryptographically signed with the signify(1) tool and contains usage instructions. All the following patches are also available in one tar.gz file for convenience.

Alternatively, the syspatch(8) utility can be used to apply binary updates on the following architectures: amd64, i386, arm64.

Patches for supported releases are also incorporated into the \-stable branch.

*   **001: RELIABILITY FIX: October 28, 2019**   _All architectures_  
    bpf(4) has a race condition during device removal.  
    A source code patch exists which remedies this problem.
*   **002: RELIABILITY FIX: October 28, 2019**   _All architectures_  
    Various third party applications may crash due to symbol collision.  
    A source code patch exists which remedies this problem.
*   **003: RELIABILITY FIX: October 31, 2019**   _All architectures_  
    bgpd(8) can crash on nexthop changes or during startup in certain configurations.  
    A source code patch exists which remedies this problem.
*   **004: RELIABILITY FIX: November 16, 2019**   _All architectures_  
    The kernel could crash due to a NULL pointer dereference in net80211.  
    A source code patch exists which remedies this problem.
*   **005: RELIABILITY FIX: November 16, 2019**   _All architectures_  
    A new kernel may require newer firmware images when using sysupgrade.  
    A source code patch exists which remedies this problem.
*   **006: SECURITY FIX: November 16, 2019**   _All architectures_  
    A regular user could change some network interface parameters due to missing checks in the ioctl(2) system call.  
    A source code patch exists which remedies this problem.
*   **007: SECURITY FIX: November 22, 2019**   _i386 and amd64_  
    A local user could cause the system to hang by reading specific registers when Intel Gen8/Gen9 graphics hardware is in a low power state. A local user could perform writes to memory that should be blocked with Intel Gen9 graphics hardware.  
    A source code patch exists which remedies this problem.
*   **008: SECURITY FIX: November 22, 2019**   _All architectures_  
    Shared memory regions used by some Mesa drivers had permissions which allowed others to access that memory.  
    A source code patch exists which remedies this problem.
*   **009: SECURITY FIX: December 4, 2019**   _All architectures_  
    Environment-provided paths are used for dlopen() in mesa, resulting in escalation to the auth group in xlock(1).  
    A source code patch exists which remedies this problem.
*   **010: SECURITY FIX: December 4, 2019**   _All architectures_  
    libc's authentication layer performed insufficient username validation.  
    A source code patch exists which remedies this problem.
*   **011: SECURITY FIX: December 4, 2019**   _All architectures_  
    xenodm uses the libc authentication layer incorrectly.  
    A source code patch exists which remedies this problem.
*   **012: SECURITY FIX: December 8, 2019**   _All architectures_  
    A user can log in with a different user's login class.  
    A source code patch exists which remedies this problem.
*   **013: SECURITY FIX: December 11, 2019**   _All architectures_  
    ld.so may fail to remove the LD\_LIBRARY\_PATH environment variable for set-user-ID and set-group-ID executables in low memory conditions.  
    A source code patch exists which remedies this problem.
*   **014: SECURITY FIX: December 18, 2019**   _arm64_  
    ARM64 CPUs speculatively execute instructions after ERET.  
    A source code patch exists which remedies this problem.
*   **015: SECURITY FIX: December 20, 2019**   _All architectures_  
    ftp(1) will follow remote redirects to local files.  
    A source code patch exists which remedies this problem.
*   **016: SECURITY FIX: December 20, 2019**   _All architectures_  
    ripd(8) fails to validate authentication lengths.  
    A source code patch exists which remedies this problem.
*   **017: SECURITY FIX: January 17, 2020**   _i386 and amd64_  
    Execution Unit state was not cleared on context switch with Intel Gen9 graphics hardware.  
    A source code patch exists which remedies this problem.
*   **018: RELIABILITY FIX: January 30, 2020**   _All architectures_  
    smtpd can crash on opportunistic TLS downgrade, causing a denial of service.  
    A source code patch exists which remedies this problem.
*   **019: SECURITY FIX: January 30, 2020**   _All architectures_  
    An incorrect check allows an attacker to trick mbox delivery into executing arbitrary commands as root and lmtp delivery into executing arbitrary commands as an unprivileged user.  
    A source code patch exists which remedies this problem.
*   **020: SECURITY FIX: February 17, 2020**   _amd64_  
    A missing range check in the vmm pvclock allows a guest to write to host memory.  
    A source code patch exists which remedies this problem.
*   **021: SECURITY FIX: February 24, 2020**   _All architectures_  
    An out of bounds read in smtpd allows an attacker to inject arbitrary commands into the envelope file which are then executed as root. Separately, missing privilege revocation in smtpctl allows arbitrary commands to be run with the \_smtpq group.  
    A source code patch exists which remedies this problem.
*   **022: RELIABILITY FIX: March 10, 2020**   _All architectures_  
    Missing input validation in sysctl(2) can be used to crash the kernel.  
    A source code patch exists which remedies this problem.
*   **023: RELIABILITY FIX: March 13, 2020**   _All architectures_  
    Local outbound UDP broadcast or multicast packets sent by a spliced socket can crash the kernel.  
    A source code patch exists which remedies this problem.
*   **024: SECURITY FIX: April 7, 2020**   _All architectures_  
    dhcpd could reference freed memory after releasing a lease with an unusually long uid.  
    A source code patch exists which remedies this problem.
*   **025: SECURITY FIX: April 19, 2020**   _i386, amd64, arm64, loongson, macppc, sparc64_  
    There was an incorrect test for root in the DRM Linux compatibility code.  
    A source code patch exists which remedies this problem.
*   **026: RELIABILITY FIX: May 10, 2020**   _All architectures_  
    ospfd could generate corrupt OSPF Router (Type 1) LSAs in certain situations.  
    A source code patch exists which remedies this problem.
*   **027: SECURITY FIX: May 13, 2020**   _All architectures_  
    An out-of-bounds index access in wscons(4) can cause a kernel crash.  
    A source code patch exists which remedies this problem.
*   **028: SECURITY FIX: May 22, 2020**   _All architectures_  
    Specially crafted queries may crash unbound and unwind. Both can be tricked into amplifying an incoming query.  
    A source code patch exists which remedies this problem.
*   **029: SECURITY FIX: June 1, 2020**   _All architectures_  
    Several problems in Perl's regular expression compiler could lead to corruption of the intermediate language state of a compiled regular expression.  
    A source code patch exists which remedies this problem.
*   **030: SECURITY FIX: June 5, 2020**   _All architectures_  
    Malicious HID descriptors could be misparsed.  
    A source code patch exists which remedies this problem.
*   **031: RELIABILITY FIX: June 8, 2020**   _All architectures_  
    libc's resolver could get into a corrupted state.  
    A source code patch exists which remedies this problem.
*   **032: RELIABILITY FIX: June 11, 2020**   _All architectures_  
    libcrypto may fail to build a valid certificate chain due to expired untrusted issuer certificates.  
    A source code patch exists which remedies this problem.
*   **033: SECURITY FIX: July 9, 2020**   _All architectures_  
    shmget IPC\_STAT leaked some kernel data.  
    A source code patch exists which remedies this problem.
*   **034: RELIABILITY FIX: July 16, 2020**   _All architectures_  
    tty subsystem abuse can impact performance badly.  
    A source code patch exists which remedies this problem.
*   **035: RELIABILITY FIX: July 22, 2020**   _All architectures_  
    Only pty devices need reprint delays.  
    A source code patch exists which remedies this problem.
*   **036: SECURITY FIX: July 27, 2020**   _All architectures_  
    In iked, incorrect use of EVP\_PKEY\_cmp allows an authentication bypass.  
    A source code patch exists which remedies this problem.
*   **037: SECURITY FIX: July 31, 2020**   _All architectures_  
    Malformed messages can cause heap corruption in the X Input Method client implementation in libX11.  
    A source code patch exists which remedies this problem.
*   **038: SECURITY FIX: July 31, 2020**   _All architectures_  
    Pixmaps inside the xserver were an info leak.  
    A source code patch exists which remedies this problem.
*   **039: RELIABILITY FIX: August 7, 2020**   _All architectures_  
    The recent security errata 037 broke X11 input methods.  
    A source code patch exists which remedies this problem.
*   **040: SECURITY FIX: August 25, 2020**   _All architectures_  
    An integer overflow in libX11 could lead to a double free. Additionally fix a regression in ximcp.  
    A source code patch exists which remedies this problem.
*   **041: SECURITY FIX: August 25, 2020**   _All architectures_  
    Various X server extensions had deficient input validation.  
    A source code patch exists which remedies this problem.
*   **042: SECURITY FIX: September 5, 2020**   _amd64, arm64_  
    A buffer overflow was discovered in an amdgpu ioctl.  
    A source code patch exists which remedies this problem.

CVE-2019-19726: OpenBSD 6.6 Errata

An exploitable out-of-bounds write vulnerability exists in the igcore19d.dll PNG header-parser of the Accusoft ImageGear 19.3.0 library. A specially crafted PNG file can cause an out-of-bounds write, resulting in a remote code execution. An attacker needs to provide a malformed file to the viction to trigger the vulnerability.

**Summary**

An exploitable out-of-bounds write vulnerability exists in the igcore19d.dll PNG header-parser of the Accusoft ImageGear 19.3.0 library. A specially crafted PNG file can cause an out-of-bounds write, resulting in a remote code execution. An attacker needs to provide a malformed file to the viction to trigger the vulnerability.

**Tested Versions**

Accusoft ImageGear 19.3.0

**Product URLs**

https://www.accusoft.com/products/imagegear/overview/

**CVSSv3 Score**

9.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

**CWE**

CWE-787: Out-of-bounds Write

**Details**

This vulnerability is present in the Accusoft ImageGear library, which is a document0imaging developer toolkit providing all kinds of functionality related with an image conversion, creation, editing, etc.

There is a vulnerability in the function responsible for handling the PNG header. A specially crafted PNG IHDR Width field file can lead to an out of bounds write and remote code execution.

If we try to load a malformed PNG file via the IG_load_file function, we end up in the following situation:

    First chance exceptions are reported before any exception handling.
    This exception may be expected and handled.
    Time Travel Position: 488D3:0
    igCore19d!IG_mpi_page_set+0x111d27:
    00007fff`b8a00ec7 8022f0          and     byte ptr [rdx],0F0h ds:00000247`f35d0001=??
    0:000> kb
     # RetAddr           : Args to Child                                                           : Call Site
    00 00007fff`b89fc097 : 00000247`f35c0000 000000b7`fa6fd0b0 00000000`00000005 00000000`00000005 : igCore19d!IG_mpi_page_set+0x111d27
    01 00007fff`b89fd770 : 00000000`00000000 000000b7`fa6fee30 00000000`00000000 00000247`e3101f20 : igCore19d!IG_mpi_page_set+0x10cef7
    02 00007fff`b89fa75d : 00000000`00000000 000000b7`fa6feee0 00000000`1000001a 00007fff`d28040a4 : igCore19d!IG_mpi_page_set+0x10e5d0
    03 00007fff`b88bd704 : 00000247`dc910ff0 00000000`00000008 00000247`e30f7fe0 6cca9737`00000037 : igCore19d!IG_mpi_page_set+0x10b5bd
    04 00007fff`b8906c99 : 00000000`00000021 000000b7`fa6ff908 000000b7`fa6ff3e0 00000000`00000000 : igCore19d!IG_image_savelist_get+0xef4
    05 00007fff`b890653c : 00000247`dc844fc8 00007fff`b88fcc95 00000000`00000000 00000000`00000000 : igCore19d!IG_mpi_page_set+0x17af9
    06 00007fff`b888e7c0 : 00000247`e2fc4fa5 00007fff`ece39570 00000000`00000000 00007fff`ece380b0 : igCore19d!IG_mpi_page_set+0x1739c
    07 00007ff7`55ff1112 : 00007fff`ece39570 00000000`00000000 00007fff`ece39570 000000b7`fa6ff938 : igCore19d!IG_load_file+0x80
    08 00007ff7`55ff122c : 00000247`e2fc4fa5 00000247`e2fc4fec 00000247`00000021 00000000`00001000 : igFuzzer!fuzzme+0x32 [d:\projects\imagegear\fuzzer\igfuzzer\igfuzzer\igfuzzer.cpp @ 47] 
    09 00007ff7`55ff1474 : 00000000`00000004 00000247`e2fc4f70 00007fff`efa83670 00000000`00000033 : igFuzzer!main+0xbc [d:\projects\imagegear\fuzzer\igfuzzer\igfuzzer\igfuzzer.cpp @ 79] 
    0a (Inline Function) : --------`-------- --------`-------- --------`-------- --------`-------- : igFuzzer!invoke_main+0x22 [d:\agent\_work\1\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl @ 78] 
    0b 00007fff`edc04034 : 00000000`00000000 00000000`00000000 00000000`00000ca8 00000000`00000000 : igFuzzer!__scrt_common_main_seh+0x10c [d:\agent\_work\1\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl @ 288] 
    0c 00007fff`efa83691 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : KERNEL32!BaseThreadInitThunk+0x14
    0d 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x21
    

As we can see, an out of bounds write has occurred. Looking at pseudo-code of this vulnerable function we can see that:

    Line 1 	__int64 __fastcall Set_Element(PBYTE buffer, unsigned __int8 a2, __int16 a3, __int16 a4)
    Line 2 	{
    Line 3 	  int index; // er8
    Line 4 	  BYTE *ptr; // rdx
    Line 5    int v4;
    Line 5.1  int v5;
    Line 6 	  v4 = a2;
    Line 7 	  v5 = a2 * a3;
    Line 8 	  v6 = (v5 >> 31) & 7;
    Line 9 	  result = ((v6 + v5) & 7u) - v6;
    Line 10	  index = (v6 + v5) >> 3;
    Line 11	  
    Line 12	  (...)
    Line 13	  
    Line 14	  ptr = &buffer[index];
    Line 15	  if ( (_DWORD)result )
    Line 16		*ptr &= 0xF0u;        
    

an access violation occurs at line 16. Let us check out the buffer variable:

    0:000> !heap -p -a 0x000001a3e4859000
    	address 000001a3e4859000 found in
    	_DPH_HEAP_ROOT @ 1a3dcfd1000
    	in busy allocation (  DPH_HEAP_BLOCK:         UserAddr         UserSize -         VirtAddr         VirtSize)
    							 1a3e4bb7ea0:      1a3e4859000             ffff -      1a3e4858000            12000
    	00007ff85bf7f4bf ntdll!RtlDebugAllocateHeap+0x000000000000003f
    	00007ff85bf2b530 ntdll!RtlpAllocateHeap+0x000000000008f760
    	00007ff85be99725 ntdll!RtlpAllocateHeapInternal+0x00000000000005e5
    	00007ff82f2a6407 MSVCR110!malloc+0x000000000000005b
    	00007ff818e3781b igCore19d!AF_memm_alloc+0x000000000000002b
    	00007ff818f4bdfe igCore19d!IG_mpi_page_set+0x000000000010cc5e
    	00007ff818f4d770 igCore19d!IG_mpi_page_set+0x000000000010e5d0
    	00007ff818f4a75d igCore19d!IG_mpi_page_set+0x000000000010b5bd
    	00007ff818e0d704 igCore19d!IG_image_savelist_get+0x0000000000000ef4
    	00007ff818e56c99 igCore19d!IG_mpi_page_set+0x0000000000017af9
    	00007ff818e5653c igCore19d!IG_mpi_page_set+0x000000000001739c
    	00007ff818dde7c0 igCore19d!IG_load_file+0x0000000000000080
    *** WARNING: Unable to verify checksum for igFuzzer.exe
    	00007ff633951112 igFuzzer!fuzzme+0x0000000000000032 [d:\projects\imagegear\fuzzer\igfuzzer\igfuzzer\igfuzzer.cpp @ 47]
    	00007ff63395122c igFuzzer!main+0x00000000000000bc [d:\projects\imagegear\fuzzer\igfuzzer\igfuzzer\igfuzzer.cpp @ 79]
    	00007ff633951474 igFuzzer!__scrt_common_main_seh+0x000000000000010c [d:\agent\_work\1\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl @ 288]
    	00007ff85b974034 KERNEL32!BaseThreadInitThunk+0x0000000000000014
    	00007ff85bef3691 ntdll!RtlUserThreadStart+0x0000000000000021
    

The ptr variable points to a location 000001a3e4855001 which is a location below the beginning of the buffer\` variable allocated space.

That situation appears because calculated index has the value : 0xffffffffffffc001 which added to beginning of the buffer address causes an integer overflow.

The size of the buffer, based on further analysis, is strictly related with the IHDR -> Width chunk field value. Which, in our case is equal to 0xFFFF.

Let us step out of this Set_Element function and see from where the two arguments based on which the index value is calculated are comming from:

    Line 1   internalIndex = *((unsigned __int8 *)&v104 + v34 + 1);
    Line 2   counter = 0;
    Line 3   if ( *ptrToTableOfValues > 0u )
    Line 4   {
    Line 5 		eleSize = elements[eleIndex + 1];
    Line 6 		do
    Line 7 		{
    Line 8 		  if ( (signed __int64)DIB_bit_depth_get(objContext) > 16 )
    Line 9 		  {
    Line 10			v45 = 0i64;
    Line 11			if ( (signed int)v38 > 0 )
    Line 12			{
    Line 13			  v46 = v38 * counter;
    Line 14			  do
    Line 15			  {
    Line 16				v47 = *((_BYTE *)v19 + v46);
    Line 17				v46 = (unsigned int)(v46 + 1);
    Line 18				v48 = v45++ + *(_QWORD *)&array[8 * index];
    Line 19				*(_BYTE *)(v48 + internalIndex * (unsigned __int64)v38) = v47;
    Line 20			  }
    Line 21			  while ( v45 < v38 );
    Line 22			}
    Line 23		  }
    Line 24		  else
    Line 25		  {
    Line 26			v41 = (unsigned __int64)DIB_bit_depth_get(objContext);
    Line 27			v42 = (signed int)(v41 * counter) / 8;
    Line 28			if ( v41 > 8u )
    Line 29			  v43 = v19[v42 / 2];
    Line 30			else
    Line 31			  v43 = ((unsigned __int16)((*((unsigned __int8 *)v19 + v42) << (signed int)(v41 * counter) % -8) & 0xFF) >> (8 - v41)) & 0xFF;
    Line 32			bitDepth = (unsigned __int64)DIB_bit_depth_get(objContext);
    Line 33			Set_Element(*(PBYTE *)&array[8 * index], bitDepth, internalIndex, v43);
    Line 34		  }
    Line 35		  ++counter;
    Line 36		  internalIndex += eleSize;
    Line 37		}
    Line 38		while ( counter < *maxValue );
    

We can see that while loop is controlled by the maxValue variable which in our case is equal 0x7FFF (it is IHDR->Width / 2) Each loop cycle the internalIndex variable is incremented by eleSize (in our case 2). Its easy to guess that internalIndex variable will be bigger than 0x7FFF because the number of iterations depends on maxValue and counter, which is incremented during each cycle just by 1. A value bigger than 0x7FFF (INT\_MAX) for the internalIndex variable has additional consequences inside the Set_Elements function. The internalIndex value is passed to the Set_Elements function as the third argument in the form of __int16 (signed 16-bit integer). It means that its value in our case 0x8001 is smaller than 0 and thats why during the multiplication we end up with index < 0 ( 0xffffffffffffc001) what at the end results in ptr pointing to an address below the beginning of the buffer space. Additionaly there is no check to see whether the calculated index is not bigger than the buffer size. There are some checks inside PNG_get_deflate_data function related to IHDR->Width but for Width in the range of <0xFFBA; 0xFFFF> they are bypased and OOBW takes place. Also to trigger this vulnerability DIB_bit_depth needs to be smaller or equal 16. All these circumstances lead to out of bounds write and in consequences can allow an attacker to achieve remote code execution.

**Crash Information**

    0:000> !analyze -v
    *******************************************************************************
    *                                                                             *
    *                        Exception Analysis                                   *
    *                                                                             *
    *******************************************************************************
    
    
    
    DUMP_CLASS: 2
    
    DUMP_QUALIFIER: 2
    
    MODLIST_WITH_TSCHKSUM_HASH:  1aa67d2c18112c8decc3d1fdc606b26bc45cbfe0
    
    MODLIST_SHA1_HASH:  32defb2ff0bde8e528d48523aab41a049e5a1db6
    
    NTGLOBALFLAG:  2100000
    
    APPLICATION_VERIFIER_FLAGS:  0
    
    PRODUCT_TYPE:  1
    
    SUITE_MASK:  272
    
    DUMP_TYPE:  fe
    
    APPLICATION_VERIFIER_LOADED: 1
    
    FAULTING_IP: 
    igCore19d!IG_mpi_page_set+111d27
    00007fff`b8a00ec7 8022f0          and     byte ptr [rdx],0F0h
    
    EXCEPTION_RECORD:  (.exr -1)
    ExceptionAddress: 00007fffb8a00ec7 (igCore19d!IG_mpi_page_set+0x0000000000111d27)
       ExceptionCode: c0000005 (Access violation)
      ExceptionFlags: 00000000
    NumberParameters: 2
       Parameter[0]: 0000000000000000
       Parameter[1]: 00000247f35d0001
    Attempt to read from address 00000247f35d0001
    
    FAULTING_THREAD:  000032a0
    
    PROCESS_NAME:  igFuzzer.exe
    
    FOLLOWUP_IP: 
    igCore19d!IG_mpi_page_set+111d27
    00007fff`b8a00ec7 8022f0          and     byte ptr [rdx],0F0h
    
    READ_ADDRESS:  00000247f35d0001 
    
    ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.
    
    EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.
    
    EXCEPTION_CODE_STR:  c0000005
    
    EXCEPTION_PARAMETER1:  0000000000000000
    
    EXCEPTION_PARAMETER2:  00000247f35d0001
    
    WATSON_BKT_PROCSTAMP:  5d26f980
    
    WATSON_BKT_MODULE:  igCore19d.dll
    
    WATSON_BKT_MODSTAMP:  5c101edf
    
    WATSON_BKT_MODOFFSET:  190ec7
    
    WATSON_BKT_MODVER:  19.3.0.0
    
    MODULE_VER_PRODUCT:  Accusoft ImageGear
    
    BUILD_VERSION_STRING:  10.0.17134.753 (WinBuild.160101.0800)
    
    ANALYSIS_SESSION_HOST:  ICELENOVO
    
    ANALYSIS_SESSION_TIME:  07-18-2019 08:57:13.0937
    
    ANALYSIS_VERSION: 10.0.18914.1001 amd64fre
    
    THREAD_ATTRIBUTES: 
    OS_LOCALE:  ENU
    
    BUGCHECK_STR:  APPLICATION_FAULT_INVALID_POINTER_READ_AVRF
    
    DEFAULT_BUCKET_ID:  INVALID_POINTER_READ_AVRF
    
    PRIMARY_PROBLEM_CLASS:  APPLICATION_FAULT
    
    PROBLEM_CLASSES: 
    
    	ID:     [0n313]
    	Type:   [@ACCESS_VIOLATION]
    	Class:  Addendum
    	Scope:  BUCKET_ID
    	Name:   Omit
    	Data:   Omit
    	PID:    [Unspecified]
    	TID:    [0x32a0]
    	Frame:  [0] : igCore19d!IG_mpi_page_set
    
    	ID:     [0n285]
    	Type:   [INVALID_POINTER_READ]
    	Class:  Primary
    	Scope:  DEFAULT_BUCKET_ID (Failure Bucket ID prefix)
    			BUCKET_ID
    	Name:   Add
    	Data:   Omit
    	PID:    [Unspecified]
    	TID:    [0x32a0]
    	Frame:  [0] : igCore19d!IG_mpi_page_set
    
    	ID:     [0n98]
    	Type:   [AVRF]
    	Class:  Addendum
    	Scope:  DEFAULT_BUCKET_ID (Failure Bucket ID prefix)
    			BUCKET_ID
    	Name:   Add
    	Data:   Omit
    	PID:    [0x2d80]
    	TID:    [0x32a0]
    	Frame:  [0] : igCore19d!IG_mpi_page_set
    
    LAST_CONTROL_TRANSFER:  from 00007fffb89fc097 to 00007fffb8a00ec7
    
    STACK_TEXT:  
    000000b7`fa6fcfa8 00007fff`b89fc097 : 00000247`f35c0000 000000b7`fa6fd0b0 00000000`00000005 00000000`00000005 : igCore19d!IG_mpi_page_set+0x111d27
    000000b7`fa6fcfb0 00007fff`b89fd770 : 00000000`00000000 000000b7`fa6fee30 00000000`00000000 00000247`e3101f20 : igCore19d!IG_mpi_page_set+0x10cef7
    000000b7`fa6fed80 00007fff`b89fa75d : 00000000`00000000 000000b7`fa6feee0 00000000`1000001a 00007fff`d28040a4 : igCore19d!IG_mpi_page_set+0x10e5d0
    000000b7`fa6fede0 00007fff`b88bd704 : 00000247`dc910ff0 00000000`00000008 00000247`e30f7fe0 6cca9737`00000037 : igCore19d!IG_mpi_page_set+0x10b5bd
    000000b7`fa6ff2f0 00007fff`b8906c99 : 00000000`00000021 000000b7`fa6ff908 000000b7`fa6ff3e0 00000000`00000000 : igCore19d!IG_image_savelist_get+0xef4
    000000b7`fa6ff370 00007fff`b890653c : 00000247`dc844fc8 00007fff`b88fcc95 00000000`00000000 00000000`00000000 : igCore19d!IG_mpi_page_set+0x17af9
    000000b7`fa6ff850 00007fff`b888e7c0 : 00000247`e2fc4fa5 00007fff`ece39570 00000000`00000000 00007fff`ece380b0 : igCore19d!IG_mpi_page_set+0x1739c
    000000b7`fa6ff890 00007ff7`55ff1112 : 00007fff`ece39570 00000000`00000000 00007fff`ece39570 000000b7`fa6ff938 : igCore19d!IG_load_file+0x80
    000000b7`fa6ff8e0 00007ff7`55ff122c : 00000247`e2fc4fa5 00000247`e2fc4fec 00000247`00000021 00000000`00001000 : igFuzzer!fuzzme+0x32
    000000b7`fa6ff930 00007ff7`55ff1474 : 00000000`00000004 00000247`e2fc4f70 00007fff`efa83670 00000000`00000033 : igFuzzer!main+0xbc
    000000b7`fa6ff970 00007fff`edc04034 : 00000000`00000000 00000000`00000000 00000000`00000ca8 00000000`00000000 : igFuzzer!__scrt_common_main_seh+0x10c
    000000b7`fa6ff9b0 00007fff`efa83691 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : KERNEL32!BaseThreadInitThunk+0x14
    000000b7`fa6ff9e0 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x21
    
    
    STACK_COMMAND:  ~0s ; .cxr ; kb
    
    THREAD_SHA1_HASH_MOD_FUNC:  5fc40328a3686d13dfccd6be23cd62ee5b669c24
    
    THREAD_SHA1_HASH_MOD_FUNC_OFFSET:  e577b2c9c4565bf4611a915c81bb2af79ea54a08
    
    THREAD_SHA1_HASH_MOD:  95fb16a8183863913ce23932c842443f579c4d87
    
    FAULT_INSTR_CODE:  b9f02280
    
    SYMBOL_STACK_INDEX:  0
    
    SYMBOL_NAME:  igCore19d!IG_mpi_page_set+111d27
    
    FOLLOWUP_NAME:  MachineOwner
    
    MODULE_NAME: igCore19d
    
    IMAGE_NAME:  igCore19d.dll
    
    DEBUG_FLR_IMAGE_TIMESTAMP:  5c101edf
    
    FAILURE_BUCKET_ID:  INVALID_POINTER_READ_AVRF_c0000005_igCore19d.dll!IG_mpi_page_set
    
    BUCKET_ID:  APPLICATION_FAULT_INVALID_POINTER_READ_AVRF_igCore19d!IG_mpi_page_set+111d27
    
    FAILURE_EXCEPTION_CODE:  c0000005
    
    FAILURE_IMAGE_NAME:  igCore19d.dll
    
    BUCKET_ID_IMAGE_STR:  igCore19d.dll
    
    FAILURE_MODULE_NAME:  igCore19d
    
    BUCKET_ID_MODULE_STR:  igCore19d
    
    FAILURE_FUNCTION_NAME:  IG_mpi_page_set
    
    BUCKET_ID_FUNCTION_STR:  IG_mpi_page_set
    
    BUCKET_ID_OFFSET:  111d27
    
    BUCKET_ID_MODTIMEDATESTAMP:  5c101edf
    
    BUCKET_ID_MODCHECKSUM:  41928b
    
    BUCKET_ID_MODVER_STR:  19.3.0.0
    
    BUCKET_ID_PREFIX_STR:  APPLICATION_FAULT_INVALID_POINTER_READ_AVRF_
    
    FAILURE_PROBLEM_CLASS:  APPLICATION_FAULT
    
    FAILURE_SYMBOL_NAME:  igCore19d.dll!IG_mpi_page_set
    
    TARGET_TIME:  2019-07-16T14:59:31.000Z
    
    OSBUILD:  9200
    
    OSSERVICEPACK:  753
    
    SERVICEPACK_NUMBER: 0
    
    OS_REVISION: 0
    
    OSPLATFORM_TYPE:  x64
    
    OSNAME:  Windows 8
    
    OSEDITION:  Windows 8
    
    USER_LCID:  0
    
    OSBUILD_TIMESTAMP:  unknown_date
    
    BUILDDATESTAMP_STR:  160101.0800
    
    BUILDLAB_STR:  WinBuild
    
    BUILDOSVER_STR:  10.0.17134.753
    
    ANALYSIS_SESSION_ELAPSED_TIME:  22489
    
    ANALYSIS_SOURCE:  UM
    
    FAILURE_ID_HASH_STRING:  um:invalid_pointer_read_avrf_c0000005_igcore19d.dll!ig_mpi_page_set
    
    FAILURE_ID_HASH:  {bfd6b5ab-5824-8327-06e6-1c2f38a120f0}
    
    Followup:     MachineOwner
    ---------
    
    0:000> lmv a rip
    Browse full module list
    start             end                 module name
    00007fff`b8870000 00007fff`b8c83000   igCore19d   (export symbols)       igCore19d.dll
    	Loaded symbol image file: igCore19d.dll
    	Mapped memory image file: d:\projects\ImageGear\Build\Bin\x64\igCore19d.dll
    	Image path: d:\projects\ImageGear\Build\Bin\x64\igCore19d.dll
    	Image name: igCore19d.dll
    	Browse all global symbols  functions  data
    	Timestamp:        Tue Dec 11 16:32:31 2018 (5C101EDF)
    	CheckSum:         0041928B
    	ImageSize:        00413000
    	File version:     19.3.0.0
    	Product version:  19.3.0.0
    	File flags:       0 (Mask 3F)
    	File OS:          4 Unknown Win32
    	File type:        2.0 Dll
    	File date:        00000000.00000000
    	Translations:     0409.04b0
    	Information from resource tables:
    		CompanyName:      Accusoft Corporation
    		ProductName:      Accusoft ImageGear
    		InternalName:     igcore19d.dll
    		OriginalFilename: igcore19d.dll
    		ProductVersion:   19.3.0.0
    		FileVersion:      19.3.0.0
    		FileDescription:  Accusoft ImageGear CORE DLL 
    		LegalCopyright:   Copyright© 1996-2018 Accusoft Corporation. All rights reserved.
    		LegalTrademarks:  ImageGearÆ and AccusoftÆ are registered trademarks of Accusoft Corporation
    

**Timeline**

2019-07-30 - Vendor Disclosure  
2019-11-27 - Vendor patched  
2019-12-02 - Public Release

Discovered by Marcin 'Icewall' Noga of Cisco Talos.

CVE-2019-5076: TALOS-2019-0865 || Cisco Talos Intelligence Group

An exploitable out-of-bounds write vulnerability exists in the igcore19d.dll TIFdecodethunderscan function of Accusoft ImageGear 19.3.0 library. A specially crafted TIFF file can cause an out of bounds write, resulting in a remote code execution. An attacker needs to provide a malformed file to the victim to trigger the vulnerability.

**Summary**

An exploitable out-of-bounds write vulnerability exists in the igcore19d.dll TIF\_decode\_thunderscan function of Accusoft ImageGear 19.3.0 library. A specially crafted TIFF file can cause an out of bounds write, resulting in a remote code execution. An attacker needs to provide a malformed file to the victim to trigger the vulnerability.

**Tested Versions**

Accusoft ImageGear 19.3.0

**Product URLs**

https://www.accusoft.com/products/imagegear/overview/

**CVSSv3 Score**

9.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

**CWE**

CWE-787: Out-of-bounds Write

**Details**

This vulnerability is present in the Accusoft ImageGear library which is a document imaging developer toolkit providing all kinds of functionality related with an image conversion, creation, editing,etc.

There is a vulnerability in the TIF\_decode\_thunderscan function . A specially crafted TIFF file can lead to an out of bounds write and remote code execution. Trying to load a malformed TIFF file via IG_load_file function, we end up in the following situation:

    (21b8.2a30): Access violation - code c0000005 (first chance)
    First chance exceptions are reported before any exception handling.
    This exception may be expected and handled.
    igCore19d!IG_mpi_page_set+0x1402e0:
    00007ff8`1d35f480 f3aa            rep stos byte ptr [rdi]
    0:000> kb
     # RetAddr           : Args to Child                                                           : Call Site
    00 00007ff8`1d35e760 : 000000de`ce1ef210 00007ff8`1d35f23f 000001e4`08fb8ff0 00000000`00000000 : igCore19d!IG_mpi_page_set+0x1402e0
    01 00007ff8`1d35df56 : 000000de`ce1ef8b0 00000000`1000001e 00000000`00000003 000001e4`08b65d50 : igCore19d!IG_mpi_page_set+0x13f5c0
    02 00007ff8`1d362867 : 00000000`00000004 000000de`ce1ef8b0 00000000`00000000 000001e4`000003e8 : igCore19d!IG_mpi_page_set+0x13edb6
    03 00007ff8`1d35b154 : 00000000`00000001 000001e4`08b65d50 00000000`1000001e 000000de`ce1ef380 : igCore19d!IG_mpi_page_set+0x1436c7
    04 00007ff8`1d1ed704 : 000001e4`022e8ff0 00000000`00000004 00000000`00000000 00007ff8`00000037 : igCore19d!IG_mpi_page_set+0x13bfb4
    05 00007ff8`1d236c99 : 00000000`00000028 000000de`ce1efdd8 000000de`ce1ef8b0 00000000`00000000 : igCore19d!IG_image_savelist_get+0xef4
    06 00007ff8`1d23653c : 000001e4`0221cfc8 00007ff8`1d22cc95 00000000`00000000 00000000`00000000 : igCore19d!IG_mpi_page_set+0x17af9
    07 00007ff8`1d1be7c0 : 000001e4`08908fa5 00007ff8`58519570 00000000`00000000 00007ff8`585180b0 : igCore19d!IG_mpi_page_set+0x1739c
    *** WARNING: Unable to verify checksum for igFuzzer.exe
    08 00007ff6`33951112 : 00007ff8`58519570 00000000`00000000 00007ff8`58519570 000000de`ce1efe08 : igCore19d!IG_load_file+0x80
    09 00007ff6`3395122c : 000001e4`08908fa5 000001e4`08908fe8 000001e4`00000021 00000000`00001000 : igFuzzer!fuzzme+0x32 [d:\projects\imagegear\fuzzer\igfuzzer\igfuzzer\igfuzzer.cpp @ 47] 
    0a 00007ff6`33951474 : 00000000`00000004 000001e4`08908f70 00000000`00000000 00000000`00000000 : igFuzzer!main+0xbc [d:\projects\imagegear\fuzzer\igfuzzer\igfuzzer\igfuzzer.cpp @ 79] 
    0b (Inline Function) : --------`-------- --------`-------- --------`-------- --------`-------- : igFuzzer!invoke_main+0x22 [d:\agent\_work\1\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl @ 78] 
    0c 00007ff8`5b974034 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : igFuzzer!__scrt_common_main_seh+0x10c [d:\agent\_work\1\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl @ 288] 
    0d 00007ff8`5bef3691 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : KERNEL32!BaseThreadInitThunk+0x14
    0e 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x21
    

As we can see, an out-of-bounds write operation occurred. Looking at the pseudo-code of this vulnerable function we can see that:

    Line 1 	__int64 __fastcall TIF_decode_thunderscan(__int64 a1, unsigned int a2, char *a3)
    Line 2 	{
    Line 3 	  unsigned int currentOffset; // ebp
    Line 4 	  char v4; // si
    Line 5 	  char *dstBuffer; // rbx
    Line 6 	  unsigned int value_div2; // er15
    Line 7 	  struct_a1 *v7; // r13
    Line 8 	  unsigned int loopCounter; // er14
    Line 9 	  unsigned int valFromFile; // er12
    Line 10	  char _readByteFromFile; // r8
    Line 11	  char v11; // al
    Line 12	  signed int v12; // edx
    Line 13	  int v13; // eax
    Line 14	  char v14; // si
    Line 15	  char v15; // al
    Line 16	  signed int loopLimit; // edx
    Line 17	  int x; // eax
    Line 18	  char v18; // si
    Line 19	  char v19; // al
    Line 20	  char v20; // si
    Line 21	  char *v21; // rdi
    Line 22	  unsigned __int64 v22; // rdx
    Line 23	  char readByteFromFile; // [rsp+58h] [rbp+10h]
    Line 24
    Line 25	  currentOffset = 0;
    Line 26	  v4 = 0;
    Line 27	  dstBuffer = a3;
    Line 28	  value_div2 = a2;
    Line 29	  v7 = (struct_a1 *)a1;
    Line 30	  loopCounter = 0;
    Line 31	  if ( !a2 )
    Line 32		return 0i64;
    Line 33	  valFromFile = 2 * a2;
    Line 34	  do
    Line 35	  {
    Line 36		if ( currentOffset >= valFromFile || !(unsigned int)IOb_byte_read(v7, &readByteFromFile) )
    Line 37		  break;
    Line 38		_readByteFromFile = readByteFromFile;
    Line 39		if ( readByteFromFile & 0xC0 )
    Line 40		{
    Line 41		  switch ( readByteFromFile & 0xC0 )
    Line 42		  {
    Line 43			(...)
    Line 44		  }
    Line 45		}
    Line 46		else
    Line 47		{
    Line 48		  (...)
    Line 49		  if ( _readByteFromFile > 0 )
    Line 50		  {
    Line 51			v21 = dstBuffer;
    Line 52			v22 = (unsigned __int8)(((unsigned __int8)(_readByteFromFile - 1) >> 1) + 1);
    Line 53			dstBuffer += v22;
    Line 54			memset(v21, v20, v22);
    Line 55			_readByteFromFile += -2 * v22;
    Line 56			readByteFromFile = _readByteFromFile;
    Line 57		  }
    Line 58		  if ( _readByteFromFile == -1 )
    Line 59		  {
    Line 60			--dstBuffer;
    Line 61			*dstBuffer &= 0xF0u;
    Line 62		  }
    Line 63		  v4 = v20 & 0xF;
    Line 64		}
    Line 65		++loopCounter;
    Line 66	  }
    Line 67	  while ( loopCounter < value_div2 );
    Line 68	  return 0i64;
    Line 69	}
    

A while loop is controlled via the value_div2 variable. Its value is equal to 1 and comes from a value read directly from the file at offset 0xAA (IFD->ENT->value \[2 bytes size\]) and later divided by 2 (the value can not be smaller than 1 so for 1 the result is 1 and for 2 and 3 it is also 1). dstBuffer is also allocated based on that value :

    0:000> !heap -p -a 0x000002b99906eff0
    	address 000002b99906eff0 found in
    	_DPH_HEAP_ROOT @ 2b9919a1000
    	in busy allocation (  DPH_HEAP_BLOCK:         UserAddr         UserSize -         VirtAddr         VirtSize)
    							 2b99963a000:      2b99906eff0                1 -      2b99906e000             2000
    	00007ff85bf7f4bf ntdll!RtlDebugAllocateHeap+0x000000000000003f
    	00007ff85bf2b530 ntdll!RtlpAllocateHeap+0x000000000008f760
    	00007ff85be99725 ntdll!RtlpAllocateHeapInternal+0x00000000000005e5
    	00007ff838cc6407 MSVCR110!malloc+0x000000000000005b
    	00007ff81d21781b igCore19d!AF_memm_alloc+0x000000000000002b
    	00007ff81d35e613 igCore19d!IG_mpi_page_set+0x000000000013f473
    	00007ff81d35df56 igCore19d!IG_mpi_page_set+0x000000000013edb6
    	00007ff81d362867 igCore19d!IG_mpi_page_set+0x00000000001436c7
    	00007ff81d35b154 igCore19d!IG_mpi_page_set+0x000000000013bfb4
    	00007ff81d1ed704 igCore19d!IG_image_savelist_get+0x0000000000000ef4
    	00007ff81d236c99 igCore19d!IG_mpi_page_set+0x0000000000017af9
    	00007ff81d23653c igCore19d!IG_mpi_page_set+0x000000000001739c
    	00007ff81d1be7c0 igCore19d!IG_load_file+0x0000000000000080
    *** WARNING: Unable to verify checksum for igFuzzer.exe
    	00007ff633951112 igFuzzer!fuzzme+0x0000000000000032 [d:\projects\imagegear\fuzzer\igfuzzer\igfuzzer\igfuzzer.cpp @ 47]
    	00007ff63395122c igFuzzer!main+0x00000000000000bc [d:\projects\imagegear\fuzzer\igfuzzer\igfuzzer\igfuzzer.cpp @ 79]
    	00007ff633951474 igFuzzer!__scrt_common_main_seh+0x000000000000010c [d:\agent\_work\1\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl @ 288]
    	00007ff85b974034 KERNEL32!BaseThreadInitThunk+0x0000000000000014
    	00007ff85bef3691 ntdll!RtlUserThreadStart+0x0000000000000021
    

During each loop cycle a byte is read from the file at line 36 into the variable readByteFromFile starting from offset:

    0 + sizeof(IFH) == 8
    

Next based on the value of readByteFromFile a proper action is taken. The vulnerability appears if value of readByteFromFile is in the range <1;63> and its value after specific calculations (((i - 1)/ 2 ) + 1) is bigger than the value used for dstBuffer allocation. In our case the capacity of dstBuffer is 1 and the byte read from offset 0x8 is equal to 0x3F. Passing 0x3F value into above formula we obtain a value equal to 0x20. That value is used in a memcpy operation as a size argument.

Below code generating possible pair values :

    >>> for i in range(0,255):
    	if not (i & 0xC0):
    		print "Read byte : 0x{0:X} - memcpy size arg : 0x{1:X}".format(i,(((i - 1)/ 2 ) + 1))
    	
    	(...)
    	Read byte : 0x3F - memcpy size arg : 0x20
    

All these circumstances lead to an out of bounds write which can allow an attacker to gain remote code execution.

**Crash Information**

    0:000> !analyze -v
    *******************************************************************************
    *                                                                             *
    *                        Exception Analysis                                   *
    *                                                                             *
    *******************************************************************************
    
    
    DUMP_CLASS: 2
    
    DUMP_QUALIFIER: 0
    
    MODLIST_WITH_TSCHKSUM_HASH:  e6311aced106b626c7f0882ce5e44d10d5417c9e
    
    MODLIST_SHA1_HASH:  65c7eea70564f728d27c5e9e2c5360b823e6fec9
    
    NTGLOBALFLAG:  2100000
    
    APPLICATION_VERIFIER_FLAGS:  0
    
    PRODUCT_TYPE:  1
    
    SUITE_MASK:  272
    
    DUMP_TYPE:  fe
    
    APPLICATION_VERIFIER_LOADED: 1
    
    FAULTING_IP: 
    igCore19d!IG_mpi_page_set+1402e0
    00007ff8`1d35f480 f3aa            rep stos byte ptr [rdi]
    
    EXCEPTION_RECORD:  (.exr -1)
    ExceptionAddress: 00007ff81d35f480 (igCore19d!IG_mpi_page_set+0x00000000001402e0)
       ExceptionCode: c0000005 (Access violation)
      ExceptionFlags: 00000000
    NumberParameters: 2
       Parameter[0]: 0000000000000001
       Parameter[1]: 000002b99906f000
    Attempt to write to address 000002b99906f000
    
    FAULTING_THREAD:  000008ec
    
    PROCESS_NAME:  igFuzzer.exe
    
    FOLLOWUP_IP: 
    igCore19d!IG_mpi_page_set+1402e0
    00007ff8`1d35f480 f3aa            rep stos byte ptr [rdi]
    
    WRITE_ADDRESS:  000002b99906f000 
    
    ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.
    
    EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.
    
    EXCEPTION_CODE_STR:  c0000005
    
    EXCEPTION_PARAMETER1:  0000000000000001
    
    EXCEPTION_PARAMETER2:  000002b99906f000
    
    WATSON_BKT_PROCSTAMP:  5d26f980
    
    WATSON_BKT_MODULE:  igCore19d.dll
    
    WATSON_BKT_MODSTAMP:  5c101edf
    
    WATSON_BKT_MODOFFSET:  1bf480
    
    WATSON_BKT_MODVER:  19.3.0.0
    
    MODULE_VER_PRODUCT:  Accusoft ImageGear
    
    BUILD_VERSION_STRING:  17134.1.amd64fre.rs4_release.180410-1804
    
    ANALYSIS_SESSION_HOST:  ICELENOVO
    
    ANALYSIS_SESSION_TIME:  07-19-2019 07:14:24.0934
    
    ANALYSIS_VERSION: 10.0.18914.1001 amd64fre
    
    THREAD_ATTRIBUTES: 
    OS_LOCALE:  ENU
    
    BUGCHECK_STR:  APPLICATION_FAULT_INVALID_POINTER_WRITE_AVRF
    
    DEFAULT_BUCKET_ID:  INVALID_POINTER_WRITE_AVRF
    
    PRIMARY_PROBLEM_CLASS:  APPLICATION_FAULT
    
    PROBLEM_CLASSES: 
    
    	ID:     [0n313]
    	Type:   [@ACCESS_VIOLATION]
    	Class:  Addendum
    	Scope:  BUCKET_ID
    	Name:   Omit
    	Data:   Omit
    	PID:    [Unspecified]
    	TID:    [0x8ec]
    	Frame:  [0] : igCore19d!IG_mpi_page_set
    
    	ID:     [0n286]
    	Type:   [INVALID_POINTER_WRITE]
    	Class:  Primary
    	Scope:  DEFAULT_BUCKET_ID (Failure Bucket ID prefix)
    			BUCKET_ID
    	Name:   Add
    	Data:   Omit
    	PID:    [Unspecified]
    	TID:    [0x8ec]
    	Frame:  [0] : igCore19d!IG_mpi_page_set
    
    	ID:     [0n98]
    	Type:   [AVRF]
    	Class:  Addendum
    	Scope:  DEFAULT_BUCKET_ID (Failure Bucket ID prefix)
    			BUCKET_ID
    	Name:   Add
    	Data:   Omit
    	PID:    [0x1be0]
    	TID:    [0x8ec]
    	Frame:  [0] : igCore19d!IG_mpi_page_set
    
    LAST_CONTROL_TRANSFER:  from 00007ff81d35e760 to 00007ff81d35f480
    
    STACK_TEXT:  
    000000fe`6a1be940 00007ff8`1d35e760 : 000000fe`6a1beba0 00007ff8`1d35f23f 000002b9`99068ff0 00000000`00000000 : igCore19d!IG_mpi_page_set+0x1402e0
    000000fe`6a1be990 00007ff8`1d35df56 : 000000fe`6a1bf240 00000000`1000001e 00000000`00000003 000002b9`98c15d50 : igCore19d!IG_mpi_page_set+0x13f5c0
    000000fe`6a1bea60 00007ff8`1d362867 : 00000000`00000004 000000fe`6a1bf240 00000000`00000000 000002b9`000003e8 : igCore19d!IG_mpi_page_set+0x13edb6
    000000fe`6a1beae0 00007ff8`1d35b154 : 00000000`00000001 000002b9`98c15d50 00000000`1000001e 000000fe`6a1bed10 : igCore19d!IG_mpi_page_set+0x1436c7
    000000fe`6a1beb50 00007ff8`1d1ed704 : 000002b9`92488ff0 00000000`00000004 00000000`00000000 00007ff8`00000037 : igCore19d!IG_mpi_page_set+0x13bfb4
    000000fe`6a1bf150 00007ff8`1d236c99 : 00000000`00000028 000000fe`6a1bf768 000000fe`6a1bf240 00000000`00000000 : igCore19d!IG_image_savelist_get+0xef4
    000000fe`6a1bf1d0 00007ff8`1d23653c : 000002b9`923bcfc8 00007ff8`1d22cc95 00000000`00000000 00000000`00000000 : igCore19d!IG_mpi_page_set+0x17af9
    000000fe`6a1bf6b0 00007ff8`1d1be7c0 : 000002b9`989b8fa5 00007ff8`58519570 00000000`00000000 00007ff8`585180b0 : igCore19d!IG_mpi_page_set+0x1739c
    000000fe`6a1bf6f0 00007ff6`33951112 : 00007ff8`58519570 00000000`00000000 00007ff8`58519570 000000fe`6a1bf798 : igCore19d!IG_load_file+0x80
    000000fe`6a1bf740 00007ff6`3395122c : 000002b9`989b8fa5 000002b9`989b8fe8 000002b9`00000021 00000000`00001000 : igFuzzer!fuzzme+0x32
    000000fe`6a1bf790 00007ff6`33951474 : 00000000`00000004 000002b9`989b8f70 00000000`00000000 00000000`00000000 : igFuzzer!main+0xbc
    000000fe`6a1bf7d0 00007ff8`5b974034 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : igFuzzer!__scrt_common_main_seh+0x10c
    000000fe`6a1bf810 00007ff8`5bef3691 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : KERNEL32!BaseThreadInitThunk+0x14
    000000fe`6a1bf840 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x21
    
    
    STACK_COMMAND:  ~0s ; .cxr ; kb
    
    THREAD_SHA1_HASH_MOD_FUNC:  82a7bc6dd3104d830ca26855c5e07a6d00940aaa
    
    THREAD_SHA1_HASH_MOD_FUNC_OFFSET:  b0d9fe750119f0cca8352c6ddb9fc4142deab619
    
    THREAD_SHA1_HASH_MOD:  252eeb5ab64e7dfeac0928d869d2e1c90b7990ce
    
    FAULT_INSTR_CODE:  244aaf3
    
    SYMBOL_STACK_INDEX:  0
    
    SYMBOL_NAME:  igCore19d!IG_mpi_page_set+1402e0
    
    FOLLOWUP_NAME:  MachineOwner
    
    MODULE_NAME: igCore19d
    
    IMAGE_NAME:  igCore19d.dll
    
    DEBUG_FLR_IMAGE_TIMESTAMP:  5c101edf
    
    FAILURE_BUCKET_ID:  INVALID_POINTER_WRITE_AVRF_c0000005_igCore19d.dll!IG_mpi_page_set
    
    BUCKET_ID:  APPLICATION_FAULT_INVALID_POINTER_WRITE_AVRF_igCore19d!IG_mpi_page_set+1402e0
    
    FAILURE_EXCEPTION_CODE:  c0000005
    
    FAILURE_IMAGE_NAME:  igCore19d.dll
    
    BUCKET_ID_IMAGE_STR:  igCore19d.dll
    
    FAILURE_MODULE_NAME:  igCore19d
    
    BUCKET_ID_MODULE_STR:  igCore19d
    
    FAILURE_FUNCTION_NAME:  IG_mpi_page_set
    
    BUCKET_ID_FUNCTION_STR:  IG_mpi_page_set
    
    BUCKET_ID_OFFSET:  1402e0
    
    BUCKET_ID_MODTIMEDATESTAMP:  5c101edf
    
    BUCKET_ID_MODCHECKSUM:  41928b
    
    BUCKET_ID_MODVER_STR:  19.3.0.0
    
    BUCKET_ID_PREFIX_STR:  APPLICATION_FAULT_INVALID_POINTER_WRITE_AVRF_
    
    FAILURE_PROBLEM_CLASS:  APPLICATION_FAULT
    
    FAILURE_SYMBOL_NAME:  igCore19d.dll!IG_mpi_page_set
    
    TARGET_TIME:  2019-07-19T10:14:30.000Z
    
    OSBUILD:  17134
    
    OSSERVICEPACK:  753
    
    SERVICEPACK_NUMBER: 0
    
    OS_REVISION: 0
    
    OSPLATFORM_TYPE:  x64
    
    OSNAME:  Windows 10
    
    OSEDITION:  Windows 10 WinNt SingleUserTS
    
    USER_LCID:  0
    
    OSBUILD_TIMESTAMP:  unknown_date
    
    BUILDDATESTAMP_STR:  180410-1804
    
    BUILDLAB_STR:  rs4_release
    
    BUILDOSVER_STR:  10.0.17134.1.amd64fre.rs4_release.180410-1804
    
    ANALYSIS_SESSION_ELAPSED_TIME:  1588
    
    ANALYSIS_SOURCE:  UM
    
    FAILURE_ID_HASH_STRING:  um:invalid_pointer_write_avrf_c0000005_igcore19d.dll!ig_mpi_page_set
    
    FAILURE_ID_HASH:  {39ff52ad-9054-81fd-3e4d-ef5d82e4b2c1}
    
    
    0:000> lmv a rip
    Browse full module list
    start             end                 module name
    00007fff`b8870000 00007fff`b8c83000   igCore19d   (export symbols)       igCore19d.dll
    	Loaded symbol image file: igCore19d.dll
    	Mapped memory image file: d:\projects\ImageGear\Build\Bin\x64\igCore19d.dll
    	Image path: d:\projects\ImageGear\Build\Bin\x64\igCore19d.dll
    	Image name: igCore19d.dll
    	Browse all global symbols  functions  data
    	Timestamp:        Tue Dec 11 16:32:31 2018 (5C101EDF)
    	CheckSum:         0041928B
    	ImageSize:        00413000
    	File version:     19.3.0.0
    	Product version:  19.3.0.0
    	File flags:       0 (Mask 3F)
    	File OS:          4 Unknown Win32
    	File type:        2.0 Dll
    	File date:        00000000.00000000
    	Translations:     0409.04b0
    	Information from resource tables:
    		CompanyName:      Accusoft Corporation
    		ProductName:      Accusoft ImageGear
    		InternalName:     igcore19d.dll
    		OriginalFilename: igcore19d.dll
    		ProductVersion:   19.3.0.0
    		FileVersion:      19.3.0.0
    		FileDescription:  Accusoft ImageGear CORE DLL 
    		LegalCopyright:   Copyright© 1996-2018 Accusoft Corporation. All rights reserved.
    		LegalTrademarks:  ImageGearÆ and AccusoftÆ are registered trademarks of Accusoft Corporation
    

**Timeline**

2019-07-30 - Vendor Disclosure  
2019-11-27 - Vendor patched  
2019-12-02 - Public Release

Discovered by Marcin Towalski & Marcin 'Icewall' Noga of Cisco Talos.

CVE-2019-5083: TALOS-2019-0875 || Cisco Talos Intelligence Group

In the Linux kernel before 5.3.9, there is a use-after-free bug that can be caused by a malicious USB device in the drivers/nfc/pn533/usb.c driver, aka CID-6af3aa57a098.

CVE-2019-19526

In the Linux kernel before 5.2.10, there is a use-after-free bug that can be caused by a malicious USB device in the drivers/hid/usbhid/hiddev.c driver, aka CID-9c09b214f30e.

CVE-2019-19527

An issue was discovered in Xen through 4.11.x allowing x86 PV guest OS users to cause a denial of service or gain privileges because a guest can manipulate its virtualised %cr4 in a way that is incompatible with Linux (and possibly other guest kernels).

**Information**

Advisory

XSA-293

Public release

2019-03-05 12:00

Updated

2019-10-25 11:09

Version

4

CVE(s)

CVE-2019-17347

Title

x86: PV kernel context switch corruption

**Files**advisory-293.txt (signed advisory file)  
xsa293.meta  
xsa293/4.7-1.patch  
xsa293/4.7-2.patch  
xsa293/4.7-3.patch  
xsa293/4.8-1.patch  
xsa293/4.8-2.patch  
xsa293/4.8-3.patch  
xsa293/4.9-1.patch  
xsa293/4.9-2.patch  
xsa293/4.10-1.patch  
xsa293/4.10-2.patch  
xsa293/4.11-1.patch  
xsa293/4.11-2.patch  
xsa293/unstable-1.patch  
xsa293/unstable-2.patch**Advisory**

\-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

            Xen Security Advisory CVE-2019-17347 / XSA-293
                              version 4

                x86: PV kernel context switch corruption

UPDATES IN VERSION 4
====================

Correct affected versions statement.

CVE assigned.

ISSUE DESCRIPTION
=================

On hardware supporting the fsgsbase feature, 64bit PV guests can set and
clear the applicable control bit in its virtualised %cr4, but the
feature remains fully active in hardware.  Therefore, the associated
instructions are actually usable.

Linux, which does not currently support this feature, has various
optimisations in its context switch path which justifiably assume that
userspace can't actually make changes without a system call.

Xen's behaviour of having this feature active behind the guest kernel's
back undermines the correctness of any context switch logic which
depends on the feature being disabled.

Userspace can therefore corrupt fsbase or gsbase (commonly used for
Thread Local Storage) in the next thread to be scheduled on the
current vcpu.

IMPACT
======

A malicious unprivileged guest userspace process can escalate its
privilege to that of other userspace processes in the same guest, and
potentially thereby to that of the guest operating system.

Additionally, some guest software which attempts to use this CPU
feature may trigger the bug accidentally, leading to crashes or
corruption of other processes in the same guest.

VULNERABLE SYSTEMS
==================

Xen versions 4.4 and later are vulnerable.  Xen 4.3 and earlier are not
vulnerable.

Only x86 hardware with the fsgsbase feature is vulnerable.  This is
believed to be Intel IvyBridge and later hardware, and AMD Steamroller
and later hardware.

ARM hardware is not affected.

Only 64bit PV guests can exploit the vulnerability.  32bit PV guests,
and HVM/PVH guests cannot exploit the vulnerability.

Whether the bug is exploitable, and whether it will be triggered by
accident, depend in a complicated way on the guest operating system
and its configuration.  Most guests are vulnerable to malicious
userspace processes.

MITIGATION
==========

Running only 32bit PV or HVM/PVH guests will avoid this vulnerability.

CREDITS
=======

This issue was discovered by Andy Lutomirski.

RESOLUTION
==========

Applying the appropriate attached patches resolves this issue.

xsa293/unstable-?.patch         xen-unstable
xsa293/4.11-?.patch             Xen 4.11.x
xsa293/4.10-?.patch             Xen 4.10.x
xsa293/4.9-?.patch              Xen 4.9.x
xsa293/4.8-?.patch              Xen 4.8.x
xsa293/4.7-?.patch              Xen 4.7.x

$ sha256sum xsa293\* xsa293\*/\*
27baf055642a3a7e9d2b1a961e15a46b592eca7c6f63e28e3bcb19e4cebfd0bd  xsa293.meta
865596b3dca81712a7d3d78f22e40aed1a08732f93b1950af6f092d893323a0f  xsa293/4.7-1.patch
032559c4bbdfe0987b9d3b15cf8661d8d8a5d4e2e989c944490ac171305fba3b  xsa293/4.7-2.patch
d3d91a1a5083b0a1992750b808aefacd0f0d4e7e92d1436e620a542e935cdadd  xsa293/4.7-3.patch
14b3db49375e353394b831a342d873d83615285d516f8cb08a0e1564d675cd51  xsa293/4.8-1.patch
1efc2ee18f54c7c41f478e944b3b708eb283bfa9de68a1046033d57784846c30  xsa293/4.8-2.patch
0d28899cad0e6798ae6a96717c15363ddf5a35e334ede02becdc81538ae589cc  xsa293/4.8-3.patch
b24210a74eb9dca5c7af902d223dba1b1b372df06a99fb1b0df8e92c9f9632f3  xsa293/4.9-1.patch
f68101f80d9843c1cdbb70188caec7009a0d52d33d811d22091e7c1f265a15e1  xsa293/4.9-2.patch
194e42599eac16afab14856760901705a0600c1308645495f30d30f8dd68734c  xsa293/4.10-1.patch
1fdee59bba66bd6b3ea4949913457dbcb1b8d5cb85fd8fb60aacac9a403ee9a9  xsa293/4.10-2.patch
277ba95e9a2276378fc9b3bcf89b694b9670256cde62278ade2e90d3fd5f7c46  xsa293/4.11-1.patch
724a0f433427a747876cbec09381dc1ca99286cea0ecbdd098c6e68fb135eeda  xsa293/4.11-2.patch
837eb67900a7c70cf7a00836cb312506925ca1fd29529144ff312316b0dbb086  xsa293/unstable-1.patch
0a6df8c8778a1c7e1fb71825695a86dee36f2e9345b39a06e3a364ad8b938de0  xsa293/unstable-2.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.


(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
-----BEGIN PGP SIGNATURE-----

iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAl2y1+8MHHBncEB4ZW4u
b3JnAAoJEIP+FMlX6CvZ+v0H/21IMJyzcEdBt5Ki3zJ4gWL5XKxzy7p5r8IyvLto
KulFRzMU2gopsrSji394Inl+iydSEgSRGNMytpJ6HlYmAH+O5xJe3BVsLyf4tvTO
ONTs72xin6mm3h/cUSVtLzTfLAYX6AA37uy/kqUOGH9Bn1VDNhKFDwTjwb7riaDe
cHpvCaQJGK9HBYjzD8HyAfh0nKupgLb19FdG5r2CjXqyHK1A+bC3LPdOc9jfNYrY
YP4LV0nSU5XOBi6RrOSXySadvQQTXtaFACtpcRGQEhrXKmO+bUCQiyJzn2JtmxZP
7uMN9OqR6idl3mxgBb1QiHfxIFw2NB/MC6BoTBn4+Ea7yJk=
=cxjY
-----END PGP SIGNATURE-----

Xenproject.org Security Team

CVE-2019-17347: 293 - Xen Security Advisories

pam-python before 1.0.7-1 has an issue in regard to the default environment variable handling of Python, which could allow for local root escalation in certain PAM setups.

\-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 18 Sep 2019 20:25:13 +1000
Source: pam-python
Binary: libpam-python libpam-python-dbgsym libpam-python-doc
Architecture: source amd64 all
Version: 1.0.7-1
Distribution: unstable
Urgency: high
Maintainer: Russell Stuart <russell-debian@stuart.id.au>
Changed-By: Russell Stuart <russell-debian@stuart.id.au>
Description:
 libpam-python - Enables PAM modules to be written in Python
 libpam-python-doc - Documentation for the bindings provided by libpam-python
Changes:
 pam-python (1.0.7-1) unstable; urgency=high
 .
   \* New upstream.
Checksums-Sha1:
 13792bdb8286d2942a90e9e83cd6b8e427f108bd 1961 pam-python\_1.0.7-1.dsc
 f2c303011b3cd61a88d3fcab845c30ceac46356c 47487 pam-python\_1.0.7.orig.tar.gz
 328aac8c65742534bb70fffadc44b3ff39821bc4 14444 pam-python\_1.0.7-1.debian.tar.xz
 8169b63698dd49bdc72969d683925fa3c8194482 49544 libpam-python-dbgsym\_1.0.7-1\_amd64.deb
 7342e17ce735c164b9ab51469924db1b02a2860e 54216 libpam-python-doc\_1.0.7-1\_all.deb
 ad04838c6c47b83fc7684431a9b5a1b483ccd2fc 29736 libpam-python\_1.0.7-1\_amd64.deb
 fac1721938134d71f53e1612fc5cfaa5ecf1bad7 8375 pam-python\_1.0.7-1\_amd64.buildinfo
Checksums-Sha256:
 a17b6b97a8595d2a7c675d2ad2ffcc5bdb758a1d110366e966928e7cea05a5b7 1961 pam-python\_1.0.7-1.dsc
 96ce72fe355b03b87c0eb540ecef06f33738f98f56581e81eb5bffbad1a47e07 47487 pam-python\_1.0.7.orig.tar.gz
 e0347d1fbd8ef513b0ffab295d9a21af85023db57570f4376ac0e14bd0f97b42 14444 pam-python\_1.0.7-1.debian.tar.xz
 46895904cfca2594b5907c1df54ace39aeba2c4bfc16c8336b8c9745bff445d6 49544 libpam-python-dbgsym\_1.0.7-1\_amd64.deb
 8b855eacf01205c7c0ebcb606d6263d0e9936b036f0a21e867949a48e5389b65 54216 libpam-python-doc\_1.0.7-1\_all.deb
 b8ebf514996c4082e942a30c21e03408351454729b70a84724e567be39617ed4 29736 libpam-python\_1.0.7-1\_amd64.deb
 892564dae6899af1704003a85b5e895d00330bb027a1dbd8fb4beeabd9b468ae 8375 pam-python\_1.0.7-1\_amd64.buildinfo
Files:
 043ab8fd69c3bc5099c16e0bdaf24208 1961 admin optional pam-python\_1.0.7-1.dsc
 55153c1a8015a7ede87985fa6816db78 47487 admin optional pam-python\_1.0.7.orig.tar.gz
 1729d21155d32bd146088f4210f410ab 14444 admin optional pam-python\_1.0.7-1.debian.tar.xz
 2ab74a8d5fcd74b655b059b76b8d9670 49544 debug optional libpam-python-dbgsym\_1.0.7-1\_amd64.deb
 942bc7e6443aac9c0eaca34d89db04be 54216 doc optional libpam-python-doc\_1.0.7-1\_all.deb
 07d1730fbb343a85a8c52ce6d1c3d69f 29736 admin optional libpam-python\_1.0.7-1\_amd64.deb
 9e7c02ea01afe05cb1441ff137cd469c 8375 admin optional pam-python\_1.0.7-1\_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEZqiOeH6lCkTWvjmorNSfiF5UUm4FAl2GJgwACgkQrNSfiF5U
Um6qRw//YB6R1EoUlm6/Ox+JBrM8XdzupdBBlT94qtS3C68m9G9mkFBjLo/ANUNv
td4DpGewVHQPg8lUp9+gHvRFCNFyLwjo1xCk/1DCyfZuLvIic/WB279M/Ylsv0ay
GKLeEJyc6Beq6ISazgwD0ErdLC6S4SBJvaewz/7D/PnK8HeB2ZZOt5knwmELJq++
E870ZH8LDIzzkQ6DR/Ae0308ho7wVREOICM1lDIbuYaKro2+rmDPr3+cgCTfW7BM
hagaFG2SMmKnJ2oT35meLGGL6fFX2vuJ+9VVkObSmYrY1RyCnAAHbd8cPOtQ/sPP
97xUSKydJOdvuKWveKG2+1WkSpbwMAcAuoqPBAUKkVHWLMdw7vURNwM9RVPLxbea
noAU3aUzNTDidBNnkskTbGmu75XI2xqc6xJceXaXnszu70p8TUKwU9lDmLMNdUWj
UkHJsbl6mONojIoy9L9fLdINOb6TZNS7/kgiiE7eMHizRi8zVXtsmDRXDrnhom7A
ldAhc7091eT3XICLtk30g/FUHdubcDRCWnc3lpaKx3GNVcztS8UZhbhWMZGytkWe
GUlrRyRDTkyt+hStKc9t524h/WxSytFq8Pn+EKnleI+wWGbGs0h6FU3UortaCFZC
ngwEHFqdsPvRVAZPXKkvm/HNgSTkqdmlDv3LIkXTyxi04ktXMRI=
=sYh5
-----END PGP SIGNATURE-----

CVE-2019-16729: Debian Package Tracker

SciLexer.dll in Scintilla in Notepad++ (x64) before 7.7 allows remote code execution or denial of service via Unicode characters in a crafted .ml file.

CVE-2019-16294: Scintilla

IMAPFilter through 2.6.12 does not validate the hostname in an SSL certificate.

**Debian Bug report logs - #939702  
imapfilter: CVE-2016-10937: does not validate hostname**

Toggle useless messages

**Report forwarded** to debian-bugs-dist@lists.debian.org, team@security.debian.org, team@security.debian.org, Francesco Paolo Lovergine <frankie@debian.org>:  
Bug#939702; Package imapfilter. (Sat, 07 Sep 2019 21:48:04 GMT) (full text, mbox, link).

**Acknowledgement sent** to Quentin Hibon <qh.public@yahoo.com>:  
New Bug report received and forwarded. Copy sent to team@security.debian.org, team@security.debian.org, Francesco Paolo Lovergine <frankie@debian.org>. (Sat, 07 Sep 2019 21:48:04 GMT) (full text, mbox, link).

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

Package: imapfilter
Version: 1:2.6.12-1
Severity: grave
Tags: security upstream
Justification: user security hole

Dear maintainer,

imapfilter does not validate the hostname while validating the 
certificate, as explained in the upstream issue:

https://github.com/lefcha/imapfilter/issues/142

-- System Information:
Debian Release: 10.1
 APT prefers stable-updates
 APT policy: (500, 'stable-updates'), (500, 'stable'), (90, 'testing'), (80, 'stable'), (70, 'testing'), (60, 'unstable'), (50, 'unstable')
Architecture: amd64 (x86\_64)

Kernel: Linux 4.19.0-5-amd64 (SMP w/8 CPU cores)
Kernel taint flags: TAINT\_OOT\_MODULE, TAINT\_UNSIGNED\_MODULE
Locale: LANG=en\_US.UTF-8, LC\_CTYPE=en\_US.UTF-8 (charmap=UTF-8), LANGUAGE=en\_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages imapfilter depends on:
ii  libc6        2.28-10
ii  liblua5.2-0  5.2.4-1.1+b2
ii  libpcre3     2:8.39-12
ii  libssl1.1    1.1.1c-1

imapfilter recommends no packages.

imapfilter suggests no packages.

-- no debconf information

**Changed Bug title to 'imapfilter: CVE-2016-10937: does not validate hostname' from 'imapfilter: does not validate hostname'.** Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 08 Sep 2019 19:00:07 GMT) (full text, mbox, link).

**Information forwarded** to debian-bugs-dist@lists.debian.org, team@security.debian.org, Francesco Paolo Lovergine <frankie@debian.org>:  
Bug#939702; Package imapfilter. (Mon, 16 Sep 2019 21:33:03 GMT) (full text, mbox, link).

**Acknowledgement sent** to Quentin Hibon <qh.public@yahoo.com>:  
Extra info received and forwarded to list. Copy sent to team@security.debian.org, Francesco Paolo Lovergine <frankie@debian.org>. (Mon, 16 Sep 2019 21:33:03 GMT) (full text, mbox, link).

Message #14 received at 939702@bugs.debian.org (full text, mbox, reply):

Dear maintainer,

a fix is now available for this vulnerability:

https://github.com/lefcha/imapfilter/commit/bf2515da752eddd54973adb0853c6aa289e921b6

**Added tag(s) fixed-upstream.** Request was from debian-bts-link@lists.debian.org to control@bugs.debian.org. (Thu, 19 Sep 2019 19:51:07 GMT) (full text, mbox, link).

**Reply sent** to Sylvestre Ledru <sylvestre@debian.org>:  
You have taken responsibility. (Wed, 25 Sep 2019 15:45:09 GMT) (full text, mbox, link).

**Notification sent** to Quentin Hibon <qh.public@yahoo.com>:  
Bug acknowledged by developer. (Wed, 25 Sep 2019 15:45:09 GMT) (full text, mbox, link).

Message #21 received at 939702-close@bugs.debian.org (full text, mbox, reply):

Source: imapfilter
Source-Version: 1:2.6.13-1

We believe that the bug you reported is fixed in the latest version of
imapfilter, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 939702@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sylvestre Ledru <sylvestre@debian.org> (supplier of updated imapfilter package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 25 Sep 2019 16:10:51 +0200
Source: imapfilter
Architecture: source
Version: 1:2.6.13-1
Distribution: unstable
Urgency: medium
Maintainer: Francesco Paolo Lovergine <frankie@debian.org>
Changed-By: Sylvestre Ledru <sylvestre@debian.org>
Closes: 939702
Changes:
 imapfilter (1:2.6.13-1) unstable; urgency=medium
 .
   \* New upstream release
     - Validates the hostname (Closes: #939702)
Checksums-Sha1:
 286821cde8cf2d080be8296bdf5b6a8f2f2f593f 1948 imapfilter\_2.6.13-1.dsc
 94fed16e7902d3eb8d58194e964a7b5742f9e11d 59467 imapfilter\_2.6.13.orig.tar.gz
 d24defbbbd71ea5943f675d38f8148a6f68f6e63 5384 imapfilter\_2.6.13-1.debian.tar.xz
 34ee504c315e4b418387058ea77394463c631f56 6017 imapfilter\_2.6.13-1\_amd64.buildinfo
Checksums-Sha256:
 1b0885268245947ca5bc85a32c293cd02f634bfd073259d0393f6808dc08bb8c 1948 imapfilter\_2.6.13-1.dsc
 8ad94b94ddd47bd051ec875a3ba347bf3427f98ca4b63d60f38ea3a704c8afb2 59467 imapfilter\_2.6.13.orig.tar.gz
 1287875fb904d964b452e8a3a9e7a06e09f750b043a2738a3325975e0bcc65d6 5384 imapfilter\_2.6.13-1.debian.tar.xz
 ac6c4184cf643778c89d0b77c7db01aaebc6f3801bc02abda832bc3a83fb8b75 6017 imapfilter\_2.6.13-1\_amd64.buildinfo
Files:
 a29bff9ac31efef4bc1b3271723d3d12 1948 mail optional imapfilter\_2.6.13-1.dsc
 6398609530556a4e52a0bae0d438a833 59467 mail optional imapfilter\_2.6.13.orig.tar.gz
 2ab3fcc00aa5b27891f3f0a8f5e6a8ac 5384 mail optional imapfilter\_2.6.13-1.debian.tar.xz
 197c142788bb2ade2aca9c5f499ffe72 6017 mail optional imapfilter\_2.6.13-1\_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEtg21mU05vsTRqVzPfmUo2nUvG+EFAl2LfdkACgkQfmUo2nUv
G+Gf0w/7BkKkPx0EfnsBaORm2qGCabznOCWZNQJZkpdhXnLGy1pHjt3OoDw9aEBM
AfYAm9jRL8KQ/BqnkbsV1kPohO84GIXMVdHw/DxxnO6/KMMiutF3hGRk8guarkr1
r3LSxVuzWc+ycfFxfWehNxu/EV4umTtL2Qq+ve4Q4tj4LG+ipXgxxyn6SokmiPoa
WFLB2bwywVaQI3lv5Xv5NqV17YMZC2waVogeUOY2AjwTl0GeDKPUUEN+PajDFNvB
Ew1tQik59AwcG1KwDioR9+0sIxpO7p7Rsr1NHCXCp1UzTC9ikFHVWyLcwD4mMqtf
uUdN41GUBMvVrN7HDszbWCzYmozWX0uOq29JFF2qLzpcl7EfORvyYI9AuPZkhSaO
8fXqka0aR10CqihR92N9Fl9TK69Wqbdrtac8JdmLPgIA8BhCSpx464BV8MuhuEOr
Da+hS8yYkkhtCCKGnGhDLlhkndMHN7SUgNZSPDOUkQJAI5Al/j7q5v/R51K8+SSZ
WLW+5mSQdTlOyKHdoM22IS8bB4qwXd9qAUcGxpOBMhm/pZxGfI22n4BWNmQ3DxUD
SDLjYfVxMAvB/JBHWBo2cQq2qU/xHP7hoYVS/C4kzhNetkTnECQX9vcBbbI0ZGjZ
d/Yfz5qi4r9ACVJZ5jpEANhGTJwAinWY2oDzyWG8ZPjPNFDbM9Y=
=28UH
-----END PGP SIGNATURE-----

**Bug archived.** Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 12 Sep 2021 07:25:18 GMT) (full text, mbox, link).

Send a report that this bug log contains spam.

Debian bug tracking system administrator <owner@bugs.debian.org\>. Last modified: Thu Feb 16 03:05:56 2023; Machine Name: bembo

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.

Tag

#amd