Podofo v0.10.0 was discovered to contain a heap buffer overflow via the component PoDoFo::PdfEncryptAESV3::PdfEncryptAESV3.

We found multiple heap-buffer-overflow in podofo 0.10.0(main/PdfEncrypt.cpp in PoDoFo::PdfEncryptAESV3::PdfEncryptAESV3).

**Command Input**

podofoencrypt -rc4v2 -u 1232321 -o 24 poc_file /dev/null

All poc\_file are attached.

**Sanitizer Dump**

    ==3904316==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603000000e0b at pc 0x0000004ab577 bp 0x7ffe4a6cc310 sp 0x7ffe4a6cbad8
    READ of size 32 at 0x603000000e0b thread T0
        #0 0x4ab576 in __asan_memcpy /root/test/fuzzing_python/llvm-project-llvmorg-12.0.0/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:22:3
        #1 0x5bcdd7 in PoDoFo::PdfEncryptAESV3::PdfEncryptAESV3(PoDoFo::PdfString, PoDoFo::PdfString, PoDoFo::PdfString, PoDoFo::PdfString, PoDoFo::PdfPermissions, PoDoFo::PdfString, PoDoFo::PdfAESV3Revision) /root/target/Invariants/podofo-0.10.0/src/podofo/main/PdfEncrypt.cpp:1908:5
        #2 0x5a39a5 in PoDoFo::PdfEncrypt::CreateFromObject(PoDoFo::PdfObject const&) /root/target/Invariants/podofo-0.10.0/src/podofo/main/PdfEncrypt.cpp:586:47
        #3 0x6f2e88 in PoDoFo::PdfParser::ReadObjects(PoDoFo::InputStreamDevice&) /root/target/Invariants/podofo-0.10.0/src/podofo/main/PdfParser.cpp:631:29
        #4 0x6f09f3 in PoDoFo::PdfParser::Parse(PoDoFo::InputStreamDevice&, bool) /root/target/Invariants/podofo-0.10.0/src/podofo/main/PdfParser.cpp:83:9
        #5 0x67071e in PoDoFo::PdfMemDocument::loadFromDevice(std::shared_ptr<PoDoFo::InputStreamDevice> const&, std::basic_string_view<char, std::char_traits<char> > const&) /root/target/Invariants/podofo-0.10.0/src/podofo/main/PdfMemDocument.cpp:148:12
        #6 0x671fcd in PoDoFo::PdfMemDocument::LoadFromDevice(std::shared_ptr<PoDoFo::InputStreamDevice> const&, std::basic_string_view<char, std::char_traits<char> > const&) /root/target/Invariants/podofo-0.10.0/src/podofo/main/PdfMemDocument.cpp:137:5
        #7 0x671bdb in PoDoFo::PdfMemDocument::Load(std::basic_string_view<char, std::char_traits<char> > const&, std::basic_string_view<char, std::char_traits<char> > const&) /root/target/Invariants/podofo-0.10.0/src/podofo/main/PdfMemDocument.cpp:119:5
        #8 0x4dfd57 in encrypt(std::basic_string_view<char, std::char_traits<char> > const&, std::basic_string_view<char, std::char_traits<char> > const&, std::basic_string_view<char, std::char_traits<char> > const&, std::basic_string_view<char, std::char_traits<char> > const&, PoDoFo::PdfEncryptAlgorithm, PoDoFo::PdfPermissions) /root/target/Invariants/podofo-0.10.0/tools/podofoencrypt/podofoencrypt.cpp:19:9
        #9 0x4e1112 in main /root/target/Invariants/podofo-0.10.0/tools/podofoencrypt/podofoencrypt.cpp:200:9
        #10 0x7fc7de7ed082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
        #11 0x430f6d in _start (/root/target/Invariants/podofo-0.10.0/build_clang/target/podofoencrypt+0x430f6d)
    
    0x603000000e0b is located 0 bytes to the right of 27-byte region [0x603000000df0,0x603000000e0b)
    allocated by thread T0 here:
        #0 0x4dd2dd in operator new(unsigned long) /root/test/fuzzing_python/llvm-project-llvmorg-12.0.0/compiler-rt/lib/asan/asan_new_delete.cpp:99:3
        #1 0x7fc7dec9d87f in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::reserve(unsigned long) (/lib/x86_64-linux-gnu/libstdc++.so.6+0x14387f)
        #2 0x7d5c2a in PoDoFo::StandardStreamDevice::readChar(char&) /root/target/Invariants/podofo-0.10.0/src/podofo/auxiliary/StreamDevice.cpp:290:12
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /root/test/fuzzing_python/llvm-project-llvmorg-12.0.0/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:22:3 in __asan_memcpy
    Shadow bytes around the buggy address:
      0x0c067fff8170: fd fd fd fa fa fa 00 00 00 fa fa fa 00 00 00 fa
      0x0c067fff8180: fa fa 00 00 00 fa fa fa fd fd fd fa fa fa 00 00
      0x0c067fff8190: 00 fa fa fa fd fd fd fa fa fa fd fd fd fd fa fa
      0x0c067fff81a0: 00 00 00 fa fa fa 00 00 00 00 fa fa 00 00 00 fa
      0x0c067fff81b0: fa fa fd fd fd fa fa fa fd fd fd fd fa fa 00 00
    =>0x0c067fff81c0: 00[03]fa fa 00 00 00 fa fa fa 00 00 00 00 fa fa
      0x0c067fff81d0: 00 00 00 fa fa fa fd fd fd fa fa fa 00 00 00 fa
      0x0c067fff81e0: fa fa fd fd fd fa fa fa fd fd fd fd fa fa 00 00
      0x0c067fff81f0: 01 fa fa fa 00 00 00 fa fa fa 00 00 00 00 fa fa
      0x0c067fff8200: 00 00 00 fa fa fa fd fd fd fa fa fa 00 00 00 fa
      0x0c067fff8210: fa fa fd fd fd fa fa fa 00 00 00 fa fa fa 00 00
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==3904316==ABORTING
    

**Environment**

*   OS: Ubuntu 20.04.1
*   clang:12.0.0
*   podofo:0.10.0

we built podofo with AddressSanitizer (ASAN) .

cmake -DCMAKE_CXX_COMPILER=clang++ -DCMAKE_C_COMPILER=clang -DCMAKE_C_FLAGS="-O0 -fsanitize=address" -DCMAKE_CXX_FLAGS="-O0 -fsanitize=address"

poc\_files.zip

CVE-2023-31567: Heap-buffer-overflow in podofo 0.10.0(main/PdfEncrypt.cpp in PoDoFo::PdfEncryptAESV3::PdfEncryptAESV3) · Issue #71 · podofo/podofo

Podofo v0.10.0 was discovered to contain a heap buffer overflow via the component PoDoFo::PdfEncryptRC4::PdfEncryptRC4.

We found a heap-buffer-overflow in podofo 0.10.0(main/PdfEncrypt.cpp:1132:5 in PoDoFo::PdfEncryptRC4::PdfEncryptRC4).

**Command Input**

podofopdfinfo poc_file 

poc\_file is attached.

**Sanitizer Dump**

    ==3975233==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60300000122f at pc 0x0000004ab677 bp 0x7ffc5060df20 sp 0x7ffc5060d6e8
    READ of size 32 at 0x60300000122f thread T0
        #0 0x4ab676 in __asan_memcpy /root/test/fuzzing_python/llvm-project-llvmorg-12.0.0/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:22:3
        #1 0x64570f in PoDoFo::PdfEncryptRC4::PdfEncryptRC4(PoDoFo::PdfString, PoDoFo::PdfString, PoDoFo::PdfPermissions, int, PoDoFo::PdfEncryptAlgorithm, int, bool) /root/target/Invariants/podofo-0.10.0/src/podofo/main/PdfEncrypt.cpp:1132:5
        #2 0x638356 in PoDoFo::PdfEncrypt::CreateFromObject(PoDoFo::PdfObject const&) /root/target/Invariants/podofo-0.10.0/src/podofo/main/PdfEncrypt.cpp:556:43
        #3 0x79b3a8 in PoDoFo::PdfParser::ReadObjects(PoDoFo::InputStreamDevice&) /root/target/Invariants/podofo-0.10.0/src/podofo/main/PdfParser.cpp:631:29
        #4 0x798f13 in PoDoFo::PdfParser::Parse(PoDoFo::InputStreamDevice&, bool) /root/target/Invariants/podofo-0.10.0/src/podofo/main/PdfParser.cpp:83:9
        #5 0x71c42e in PoDoFo::PdfMemDocument::loadFromDevice(std::shared_ptr<PoDoFo::InputStreamDevice> const&, std::basic_string_view<char, std::char_traits<char> > const&) /root/target/Invariants/podofo-0.10.0/src/podofo/main/PdfMemDocument.cpp:148:12
        #6 0x71dcdd in PoDoFo::PdfMemDocument::LoadFromDevice(std::shared_ptr<PoDoFo::InputStreamDevice> const&, std::basic_string_view<char, std::char_traits<char> > const&) /root/target/Invariants/podofo-0.10.0/src/podofo/main/PdfMemDocument.cpp:137:5
        #7 0x71d8eb in PoDoFo::PdfMemDocument::Load(std::basic_string_view<char, std::char_traits<char> > const&, std::basic_string_view<char, std::char_traits<char> > const&) /root/target/Invariants/podofo-0.10.0/src/podofo/main/PdfMemDocument.cpp:119:5
        #8 0x4e1be9 in PdfInfoHelper::PdfInfoHelper(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /root/target/Invariants/podofo-0.10.0/tools/podofopdfinfo/pdfinfo.cpp:16:12
        #9 0x4e06b7 in main /root/target/Invariants/podofo-0.10.0/tools/podofopdfinfo/podofopdfinfo.cpp:94:23
        #10 0x7f5ed7b54082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
        #11 0x43106d in _start (/root/target/Invariants/podofo-0.10.0/build_clang/target/podofopdfinfo+0x43106d)
    
    0x60300000122f is located 0 bytes to the right of 31-byte region [0x603000001210,0x60300000122f)
    allocated by thread T0 here:
        #0 0x4dd3dd in operator new(unsigned long) /root/test/fuzzing_python/llvm-project-llvmorg-12.0.0/compiler-rt/lib/asan/asan_new_delete.cpp:99:3
        #1 0x7f5ed800487f in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::reserve(unsigned long) (/lib/x86_64-linux-gnu/libstdc++.so.6+0x14387f)
        #2 0x87564a in PoDoFo::StandardStreamDevice::readChar(char&) /root/target/Invariants/podofo-0.10.0/src/podofo/auxiliary/StreamDevice.cpp:290:12
        #3 0x868d29 in PoDoFo::InputStream::Read(char&) /root/target/Invariants/podofo-0.10.0/src/podofo/auxiliary/InputStream.cpp:53:12
        #4 0x7e319a in readHexString(PoDoFo::InputStreamDevice&, PoDoFo::charbuff_t<void>&) /root/target/Invariants/podofo-0.10.0/src/podofo/main/PdfTokenizer.cpp:801:16
    LLVMSymbolizer: error reading file: No such file or directory
        #5 0x7ffc50612342  ([stack]+0x20342)
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /root/test/fuzzing_python/llvm-project-llvmorg-12.0.0/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:22:3 in __asan_memcpy
    Shadow bytes around the buggy address:
      0x0c067fff81f0: 00 fa fa fa 00 00 00 00 fa fa 00 00 00 fa fa fa
      0x0c067fff8200: fd fd fd fa fa fa 00 00 00 fa fa fa fd fd fd fa
      0x0c067fff8210: fa fa 00 00 00 fa fa fa 00 00 00 fa fa fa 00 00
      0x0c067fff8220: 00 fa fa fa fd fd fd fa fa fa 00 00 00 fa fa fa
      0x0c067fff8230: 00 00 00 fa fa fa 00 00 00 fa fa fa fd fd fd fa
    =>0x0c067fff8240: fa fa 00 00 00[07]fa fa 00 00 00 fa fa fa 00 00
      0x0c067fff8250: 00 00 fa fa fd fd fd fa fa fa fd fd fd fa fa fa
      0x0c067fff8260: 00 00 00 fa fa fa fd fd fd fd fa fa 00 00 00 00
      0x0c067fff8270: fa fa 00 00 00 fa fa fa fd fd fd fa fa fa 00 00
      0x0c067fff8280: 00 fa fa fa 00 00 00 00 fa fa 00 00 00 fa fa fa
      0x0c067fff8290: fd fd fd fa fa fa fd fd fd fa fa fa fd fd fd fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==3975233==ABORTING
    

**Environment**

*   OS: Ubuntu 20.04.1
*   clang:12.0.0
*   podofo:0.10.0

we built podofo with AddressSanitizer (ASAN) .

cmake -DCMAKE_CXX_COMPILER=clang++ -DCMAKE_C_COMPILER=clang -DCMAKE_C_FLAGS="-O0 -fsanitize=address" -DCMAKE_CXX_FLAGS="-O0 -fsanitize=address"

poc\_file.zip

CVE-2023-31568: Heap-buffer-overflow in podofo 0.10.0(main/PdfEncrypt.cpp:1132:5 in PoDoFo::PdfEncryptRC4::PdfEncryptRC4) · Issue #72 · podofo/podofo

Red Hat Security Advisory 2023-2654-01 - Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Issues addressed include buffer overflow, bypass, crlf injection, and denial of service vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Moderate: nodejs:18 security, bug fix, and enhancement update  
Advisory ID:       RHSA-2023:2654-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:2654  
Issue date:        2023-05-09  
CVE Names:         CVE-2021-35065 CVE-2022-4904 CVE-2022-25881   
                   CVE-2023-23918 CVE-2023-23919 CVE-2023-23920   
                   CVE-2023-23936 CVE-2023-24807   
=====================================================================

1. Summary:

An update for the nodejs:18 module is now available for Red Hat Enterprise  
Linux 9.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 9) - aarch64, noarch, ppc64le, s390x, x86_64

3. Description:

Node.js is a software development platform for building fast and scalable  
network applications in the JavaScript programming language.

The following packages have been upgraded to a later upstream version:  
nodejs (18.14.2).

Security Fix(es):

* glob-parent: Regular Expression Denial of Service (CVE-2021-35065)

* c-ares: buffer overflow in config_sortlist() due to missing string length  
check (CVE-2022-4904)

* http-cache-semantics: Regular Expression Denial of Service (ReDoS)  
vulnerability (CVE-2022-25881)

* Node.js: Permissions policies can be bypassed via process.mainModule  
(CVE-2023-23918)

* Node.js: OpenSSL error handling issues in nodejs crypto library  
(CVE-2023-23919)

* Node.js: Fetch API did not protect against CRLF injection in host headers  
(CVE-2023-23936)

* Node.js: insecure loading of ICU data through ICU_DATA environment  
variable (CVE-2023-23920)

* Node.js: Regular Expression Denial of Service in Headers fetch API  
(CVE-2023-24807)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2156324 - CVE-2021-35065 glob-parent: Regular Expression Denial of Service  
2165824 - CVE-2022-25881 http-cache-semantics: Regular Expression Denial of Service (ReDoS) vulnerability  
2168631 - CVE-2022-4904 c-ares: buffer overflow in config_sortlist() due to missing string length check  
2171935 - CVE-2023-23918 Node.js: Permissions policies can be bypassed via process.mainModule  
2172170 - CVE-2023-23919 Node.js: OpenSSL error handling issues in nodejs crypto library  
2172190 - CVE-2023-23936 Node.js: Fetch API did not protect against CRLF injection in host headers  
2172204 - CVE-2023-24807 Node.js: Regular Expression Denial of Service in Headers fetch API  
2172217 - CVE-2023-23920 Node.js: insecure loading of ICU data through ICU_DATA environment variable  
2178088 - nodejs:18/nodejs: Rebase to the latest Nodejs 18 release [rhel-9] [rhel-9.2.0.z]

6. Package List:

Red Hat Enterprise Linux AppStream (v. 9):

Source:  
nodejs-18.14.2-2.module+el9.2.0.z+18497+a402347c.src.rpm  
nodejs-nodemon-2.0.20-2.module+el9.2.0.z+18497+a402347c.src.rpm  
nodejs-packaging-2021.06-4.module+el9.1.0+15718+e52ec601.src.rpm

aarch64:  
nodejs-18.14.2-2.module+el9.2.0.z+18497+a402347c.aarch64.rpm  
nodejs-debuginfo-18.14.2-2.module+el9.2.0.z+18497+a402347c.aarch64.rpm  
nodejs-debugsource-18.14.2-2.module+el9.2.0.z+18497+a402347c.aarch64.rpm  
nodejs-devel-18.14.2-2.module+el9.2.0.z+18497+a402347c.aarch64.rpm  
nodejs-full-i18n-18.14.2-2.module+el9.2.0.z+18497+a402347c.aarch64.rpm  
npm-9.5.0-1.18.14.2.2.module+el9.2.0.z+18497+a402347c.aarch64.rpm

noarch:  
nodejs-docs-18.14.2-2.module+el9.2.0.z+18497+a402347c.noarch.rpm  
nodejs-nodemon-2.0.20-2.module+el9.2.0.z+18497+a402347c.noarch.rpm  
nodejs-packaging-2021.06-4.module+el9.1.0+15718+e52ec601.noarch.rpm  
nodejs-packaging-bundler-2021.06-4.module+el9.1.0+15718+e52ec601.noarch.rpm

ppc64le:  
nodejs-18.14.2-2.module+el9.2.0.z+18497+a402347c.ppc64le.rpm  
nodejs-debuginfo-18.14.2-2.module+el9.2.0.z+18497+a402347c.ppc64le.rpm  
nodejs-debugsource-18.14.2-2.module+el9.2.0.z+18497+a402347c.ppc64le.rpm  
nodejs-devel-18.14.2-2.module+el9.2.0.z+18497+a402347c.ppc64le.rpm  
nodejs-full-i18n-18.14.2-2.module+el9.2.0.z+18497+a402347c.ppc64le.rpm  
npm-9.5.0-1.18.14.2.2.module+el9.2.0.z+18497+a402347c.ppc64le.rpm

s390x:  
nodejs-18.14.2-2.module+el9.2.0.z+18497+a402347c.s390x.rpm  
nodejs-debuginfo-18.14.2-2.module+el9.2.0.z+18497+a402347c.s390x.rpm  
nodejs-debugsource-18.14.2-2.module+el9.2.0.z+18497+a402347c.s390x.rpm  
nodejs-devel-18.14.2-2.module+el9.2.0.z+18497+a402347c.s390x.rpm  
nodejs-full-i18n-18.14.2-2.module+el9.2.0.z+18497+a402347c.s390x.rpm  
npm-9.5.0-1.18.14.2.2.module+el9.2.0.z+18497+a402347c.s390x.rpm

x86_64:  
nodejs-18.14.2-2.module+el9.2.0.z+18497+a402347c.x86_64.rpm  
nodejs-debuginfo-18.14.2-2.module+el9.2.0.z+18497+a402347c.x86_64.rpm  
nodejs-debugsource-18.14.2-2.module+el9.2.0.z+18497+a402347c.x86_64.rpm  
nodejs-devel-18.14.2-2.module+el9.2.0.z+18497+a402347c.x86_64.rpm  
nodejs-full-i18n-18.14.2-2.module+el9.2.0.z+18497+a402347c.x86_64.rpm  
npm-9.5.0-1.18.14.2.2.module+el9.2.0.z+18497+a402347c.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2021-35065  
https://access.redhat.com/security/cve/CVE-2022-4904  
https://access.redhat.com/security/cve/CVE-2022-25881  
https://access.redhat.com/security/cve/CVE-2023-23918  
https://access.redhat.com/security/cve/CVE-2023-23919  
https://access.redhat.com/security/cve/CVE-2023-23920  
https://access.redhat.com/security/cve/CVE-2023-23936  
https://access.redhat.com/security/cve/CVE-2023-24807  
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZFqIu9zjgjWX9erEAQiE5hAAj4qxnD40mNjLtviH4BL/Ub0ZXN9DjCrY  
+Jpjv+iJ39Kj4CfFYZOGi50OOFxv3f4aj4xjy2vSRdVWRfsr9KT/F21YxPW+N8wu  
VJWQwQ3ZOR3kIdC02aW6ryhSiY3lWfLlqyWvawFTkjWeYvm8L5ijIt/rkGAAcnse  
1oxwQdVwCt67K9KkQum6Z7hxejNep42Kj28qg3HBd89uaXVG9Rv+PDjHQRyvWx43  
TA/IyQz4jZX8HtnQQQuKuWv85+lODQ6OPaqgXxegft9By1oyGKZGO+x1o0UBDCJm  
+rBetXaeTUvLoegah4KGa409fv8kT0y79Pb9hyIoZVKuJNZ/SOcfmahpXpPDWVtq  
8ARxz7VY07zWIppWH7T9cs+eG9XM97555tAKQ5RRwkLPSvXt/2VBv2y857E8A8bK  
2TML70L0YR5rw+5wijKwaCpVZdnJunMb13+O22Fl7nj+WbTdngWis/XHnRee/3pW  
ZwXTBdaGa7kvVOT675XwV+J11joOv6EZGa5Gk1IbTwj3iPyH5mwiqKafrMFKpLnj  
dpAANcjcHpuefP1U/iqne1uPzI1G3UOrRJU4GwXESFh/fN13HT7Y6WDbbZ6QMc1z  
ABSij1nIRKnOeyzEV6IbC0utFPIgY+/y/q2YS2eD+5Vu0PrUNE29rPMmBO3yo/OO  
WlzGel54pfU=  
=Znor  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-2654-01

Red Hat Security Advisory 2023-2655-01 - Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Issues addressed include buffer overflow, bypass, crlf injection, and denial of service vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Moderate: nodejs and nodejs-nodemon security, bug fix, and enhancement update  
Advisory ID:       RHSA-2023:2655-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:2655  
Issue date:        2023-05-09  
CVE Names:         CVE-2022-4904 CVE-2022-25881 CVE-2023-23918   
                   CVE-2023-23920 CVE-2023-23936 CVE-2023-24807   
=====================================================================

1. Summary:

An update for nodejs and nodejs-nodemon is now available for Red Hat  
Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 9) - aarch64, noarch, ppc64le, s390x, x86_64

3. Description:

Node.js is a software development platform for building fast and scalable  
network applications in the JavaScript programming language.

The following packages have been upgraded to a later upstream version:  
nodejs (16.19.1), nodejs-nodemon (2.0.20).

Security Fix(es):

* c-ares: buffer overflow in config_sortlist() due to missing string length  
check (CVE-2022-4904)

* http-cache-semantics: Regular Expression Denial of Service (ReDoS)  
vulnerability (CVE-2022-25881)

* Node.js: Permissions policies can be bypassed via process.mainModule  
(CVE-2023-23918)

* Node.js: Fetch API did not protect against CRLF injection in host headers  
(CVE-2023-23936)

* Node.js: insecure loading of ICU data through ICU_DATA environment  
variable (CVE-2023-23920)

* Node.js: Regular Expression Denial of Service in Headers fetch API  
(CVE-2023-24807)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2165824 - CVE-2022-25881 http-cache-semantics: Regular Expression Denial of Service (ReDoS) vulnerability  
2168631 - CVE-2022-4904 c-ares: buffer overflow in config_sortlist() due to missing string length check  
2171935 - CVE-2023-23918 Node.js: Permissions policies can be bypassed via process.mainModule  
2172190 - CVE-2023-23936 Node.js: Fetch API did not protect against CRLF injection in host headers  
2172204 - CVE-2023-24807 Node.js: Regular Expression Denial of Service in Headers fetch API  
2172217 - CVE-2023-23920 Node.js: insecure loading of ICU data through ICU_DATA environment variable  
2178076 - nodejs: Rebase to the latest Nodejs 16 release [rhel-9] [rhel-9.2.0.z]

6. Package List:

Red Hat Enterprise Linux AppStream (v. 9):

Source:  
nodejs-16.19.1-1.el9_2.src.rpm  
nodejs-nodemon-2.0.20-3.el9_2.src.rpm

aarch64:  
nodejs-16.19.1-1.el9_2.aarch64.rpm  
nodejs-debuginfo-16.19.1-1.el9_2.aarch64.rpm  
nodejs-debugsource-16.19.1-1.el9_2.aarch64.rpm  
nodejs-full-i18n-16.19.1-1.el9_2.aarch64.rpm  
nodejs-libs-16.19.1-1.el9_2.aarch64.rpm  
nodejs-libs-debuginfo-16.19.1-1.el9_2.aarch64.rpm  
npm-8.19.3-1.16.19.1.1.el9_2.aarch64.rpm

noarch:  
nodejs-docs-16.19.1-1.el9_2.noarch.rpm  
nodejs-nodemon-2.0.20-3.el9_2.noarch.rpm

ppc64le:  
nodejs-16.19.1-1.el9_2.ppc64le.rpm  
nodejs-debuginfo-16.19.1-1.el9_2.ppc64le.rpm  
nodejs-debugsource-16.19.1-1.el9_2.ppc64le.rpm  
nodejs-full-i18n-16.19.1-1.el9_2.ppc64le.rpm  
nodejs-libs-16.19.1-1.el9_2.ppc64le.rpm  
nodejs-libs-debuginfo-16.19.1-1.el9_2.ppc64le.rpm  
npm-8.19.3-1.16.19.1.1.el9_2.ppc64le.rpm

s390x:  
nodejs-16.19.1-1.el9_2.s390x.rpm  
nodejs-debuginfo-16.19.1-1.el9_2.s390x.rpm  
nodejs-debugsource-16.19.1-1.el9_2.s390x.rpm  
nodejs-full-i18n-16.19.1-1.el9_2.s390x.rpm  
nodejs-libs-16.19.1-1.el9_2.s390x.rpm  
nodejs-libs-debuginfo-16.19.1-1.el9_2.s390x.rpm  
npm-8.19.3-1.16.19.1.1.el9_2.s390x.rpm

x86_64:  
nodejs-16.19.1-1.el9_2.x86_64.rpm  
nodejs-debuginfo-16.19.1-1.el9_2.i686.rpm  
nodejs-debuginfo-16.19.1-1.el9_2.x86_64.rpm  
nodejs-debugsource-16.19.1-1.el9_2.i686.rpm  
nodejs-debugsource-16.19.1-1.el9_2.x86_64.rpm  
nodejs-full-i18n-16.19.1-1.el9_2.x86_64.rpm  
nodejs-libs-16.19.1-1.el9_2.i686.rpm  
nodejs-libs-16.19.1-1.el9_2.x86_64.rpm  
nodejs-libs-debuginfo-16.19.1-1.el9_2.i686.rpm  
nodejs-libs-debuginfo-16.19.1-1.el9_2.x86_64.rpm  
npm-8.19.3-1.16.19.1.1.el9_2.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-4904  
https://access.redhat.com/security/cve/CVE-2022-25881  
https://access.redhat.com/security/cve/CVE-2023-23918  
https://access.redhat.com/security/cve/CVE-2023-23920  
https://access.redhat.com/security/cve/CVE-2023-23936  
https://access.redhat.com/security/cve/CVE-2023-24807  
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZFqIqdzjgjWX9erEAQgSdw//QJLUMT4b/8nJR6/7MbqWDlAMa0briuTe  
94T8Wq+QYlX8+EdEC/bFIRUDARd5eK9ohUJoPiO3a8YEfbDg5sgyWR0COhBzVVLO  
qaJWivEGZxZXJzadCQprcDPwQxfjsQoCoKOHEtXCuwsHAtOch19gWVUej6k+UlM7  
a4oxv7QZwf0VsAzywhLtN1EeTVVMTt8kJUa1by7LBK1KyD0j5s2r23DLS73Jw8yT  
GGmpwLC4I6mJDud6gw8eKzCSFcgxkS7W7Rf+BdeFPXrZZQwLh6F+vzjQrBbeJYv2  
zzNj988HJFycue+UALwTVEAB92dl2uJpNl03Fc6YEXvKcRlEKK31skkYAagcTO9w  
fdaws6ehyEdvXWYFdi1E9RRona21DPA+QwXV4TeOwPdZveeSvn1UlL0Claf8vbfr  
Cc3yptFTNCO7BRCrExxTpDmlGEu/3akHul4w1E5EmA3pi0SN2RzM/O3k9/jwPeoZ  
0Nn8xeIL6fMNLZ/v4kTg/V03Z8cQoR0dDlsl0adQ7T37XB6AlkdKR+AWlzE6Uck/  
VGnatpoi9NOTLUfdimXKVED6nogPSc4cjrRwbaive8TR7NJdWNUFcDbjtPfOpcRI  
+h+LCCsm8VYIOp366fD5uB5O1k+KtpFlB2makTBiU1aBhALx8irLhKiz+LwN6oaJ  
rq/beUR7oDM=  
=I1D5  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-2655-01

Null pointer dereference for some Intel(R) Trace Analyzer and Collector software before version 2021.8.0 published Dec 2022 may allow an authenticated user to potentially enable information disclosure via local access.

**Select Your Region**

Sign In to access restricted content

**Using Intel.com Search**

You can easily search the entire Intel.com site in several ways.

*   Brand Name: **Core i9**
*   Document Number: **123456**
*   Code Name: **Alder Lake**
*   Special Operators: **“Ice Lake”, Ice AND Lake, Ice OR Lake, Ice\***

**Quick Links**

You can also try the quick links below to see results for most popular searches.

*   Product Information
*   Support
*   Drivers & Software

**Recent Searches**

Sign In to access restricted content

**Advanced Search**

**Only search in**

Title Description Content ID

Sign in to access restricted content.

The browser version you are using is not recommended for this site.  
Please consider upgrading to the latest version of your browser by clicking one of the following links.

*   Safari
*   Chrome
*   Edge
*   Firefox

**Intel® Trace Analyzer and Collector Software Advisory**

Intel ID:

INTEL-SA-00805

Advisory Category:

Software

Impact of vulnerability:

Escalation of Privilege, Information Disclosure

Severity rating:

HIGH

Original release:

05/09/2023

Last revised:

05/09/2023

**Summary: **

Potential security vulnerabilities in some Intel® Trace Analyzer and Collector software may allow escalation of privilege or information disclosure.  Intel is releasing software updates to mitigate these potential vulnerabilities.

**Vulnerability Details:**

CVEID: CVE-2023-23569

Description: Stack-based buffer overflow for some Intel(R) Trace Analyzer and Collector software before version 2021.8.0 published Dec 2022 may allow an authenticated user to potentially enable escalation of privilege via local access.

CVSS Base Score: 7.8 High

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVEID: CVE-2023-23580

Description: Stack-based buffer overflow for some Intel(R) Trace Analyzer and Collector software before version 2021.8.0 published Dec 2022 may allow an authenticated user to potentially escalation of privilege via local access.

CVSS Base Score: 4.8 Medium

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L

CVEID: CVE-2023-23910

Description: Out-of-bounds write for some Intel(R) Trace Analyzer and Collector software before version 2021.8.0 published Dec 2022 may allow an authenticated user to potentially escalation of privilege via local access.

CVSS Base Score: 3.9 Low

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L

CVEID: CVE-2022-42878

Description: Null pointer dereference for some Intel(R) Trace Analyzer and Collector software before version 2021.8.0 published Dec 2022 may allow an authenticated user to potentially enable information disclosure via local access.

CVSS Base Score: 2.8 Low

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N

CVEID: CVE-2023-23909

Description: Out-of-bounds read for some Intel(R) Trace Analyzer and Collector software before version 2021.8.0 published Dec 2022 may allow an authenticated user to potentially enable information disclosure via local access.

CVSS Base Score: 2.8 Low

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N

**Affected Products:**

Intel® Trace Analyzer and Collector software before version 2021.8.0 published Dec 2022.

Intel® oneAPI HPC Toolkit before version 2023.0.0.

**Recommendations:**

Intel recommends updating Intel® Trace Analyzer and Collector software to version 2021.8.0 published Dec 2022 or later.

Updates are available for download at this location:

https://www.intel.com/content/www/us/en/developer/articles/tool/oneapi-standalone-components.html#trace

Intel® Trace Analyzer and Collector is also a component of the Intel® oneAPI HPC Toolkit. Updates are available for download at this location:

https://www.intel.com/content/www/us/en/developer/tools/oneapi/hpc-toolkit-download.html

**Acknowledgements:**

These issues were found externally.

Intel, and nearly the entire technology industry, follows a disclosure practice called Coordinated Disclosure, under which a cybersecurity vulnerability is generally publicly disclosed only after mitigations are available.

**Revision History**

Revision

Date

Description

1.0

05/09/2023

Initial Release

**Legal Notices and Disclaimers**

Intel provides these materials as-is, with no express or implied warranties.

All products, dates, and figures specified are preliminary based on current expectations, and are subject to change without notice.

Intel products and services described may contain design defects or errors known as errata, which may cause the product to deviate from published specifications. Current characterized errata are available on request.

Intel products that have met their End of Servicing Updates may no longer receive functional and security updates. For additional details on support and servicing, please see this help article. 

Intel technologies’ features and benefits depend on system configuration and may require enabled hardware, software or service activation. Performance varies depending on system configuration. No product or component can be absolutely secure. Check with your system manufacturer or retailer or learn more at http://intel.com.

Some results have been estimated or simulated using internal Intel analysis or architecture simulation or modeling, and provided to you for informational purposes. Any differences in your system hardware, software or configuration may affect your actual performance.

© Intel Corporation.  Intel, the Intel logo, and other Intel marks are trademarks of Intel Corporation or its subsidiaries United States and other countries.  Other names and brands may be claimed as the property of others.

**Report a Vulnerability**

If you have information about a security issue or vulnerability with an **Intel branded product or technology**, please send an e-mail to secure@intel.com. Encrypt sensitive information using our PGP public key.

Please provide as much information as possible, including:

*   The products and versions affected
*   Detailed description of the vulnerability
*   Information on known exploits

A member of the Intel Product Security Team will review your e-mail and contact you to collaborate on resolving the issue. For more information on how Intel works to resolve security issues, see:

*   Vulnerability handling guidelines

For issues related to Intel's external web presence (Intel.com and related subdomains), please contact Intel's External Security Research team.

**Need product support?**

If you...

*   Have questions about the security features of an Intel product
*   Require technical support
*   Want product updates or patches

  
Please visit Support & Downloads.

*   Report a Vulnerability
*   Product Support

CVE-2022-42878: INTEL-SA-00805

Double free in some Intel(R) Server Board BMC firmware before version 2.90 may allow a privileged user to enable information disclosure via local access.

**Select Your Region**

Sign In to access restricted content

**Using Intel.com Search**

You can easily search the entire Intel.com site in several ways.

*   Brand Name: **Core i9**
*   Document Number: **123456**
*   Code Name: **Alder Lake**
*   Special Operators: **“Ice Lake”, Ice AND Lake, Ice OR Lake, Ice\***

**Quick Links**

You can also try the quick links below to see results for most popular searches.

*   Product Information
*   Support
*   Drivers & Software

**Recent Searches**

Sign In to access restricted content

**Advanced Search**

**Only search in**

Title Description Content ID

Sign in to access restricted content.

The browser version you are using is not recommended for this site.  
Please consider upgrading to the latest version of your browser by clicking one of the following links.

*   Safari
*   Chrome
*   Edge
*   Firefox

**Intel® Server Board BMC Firmware Advisory**

Intel ID:

INTEL-SA-00839

Advisory Category:

Firmware

Impact of vulnerability:

Escalation of Privilege, Denial of Service, Information Disclosure

Severity rating:

HIGH

Original release:

05/09/2023

Last revised:

05/09/2023

**Summary: **

Potential security vulnerabilities in some Intel® Server Board Baseboard Management Controller (BMC) firmware may allow escalation of privilege, denial of service or information disclosure. Intel is releasing firmware updates to mitigate these potential vulnerabilities.

**Vulnerability Details:**

CVEID: CVE-2023-22661

Description: Buffer overflow in some Intel(R) Server Board BMC firmware before version 2.90 may allow a privileged user to enable escalation of privilege via local access.

CVSS Base Score: 8.2 High

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

CVEID: CVE-2023-22297

Description: Access of memory location after end of buffer in some Intel(R) Server Board BMC firmware before version 2.90 may allow a privileged user to enable escalation of privilege via local access.

CVSS Base Score: 8.2 High

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

CVEID: CVE-2023-25545

Description: Improper buffer restrictions in some Intel(R) Server Board BMC firmware before version 2.90 may allow a privileged user to enable escalation of privilege via local access.

CVSS Base Score: 8.2 High

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

CVEID: CVE-2023-22442

Description: Out of bounds write in some Intel(R) Server Board BMC firmware before version 2.90 may allow a privileged user to enable escalation of privilege via local access.

CVSS Base Score: 7.9 High

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:H

CVEID: CVE-2023-22379

Description: Improper input validation in some Intel(R) Server Board BMC firmware before version 2.90 may allow a privileged user to enable information disclosure via local access.

CVSS Base Score: 6.7 Medium

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:N

CVEID: CVE-2023-25776

Description: Improper input validation in some Intel(R) Server Board BMC firmware before version 2.90 may allow a privileged user to enable information disclosure via local access.

CVSS Base Score: 6.3 Medium

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:H

CVEID: CVE-2023-28411

Description: Double free in some Intel(R) Server Board BMC firmware before version 2.90 may allow a privileged user to enable information disclosure via local access.

CVSS Base Score: 6.3 Medium

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:C/C:L/I:H/A:N

CVEID: CVE-2023-25175

Description: Improper input validation in some Intel(R) Server Board BMC firmware before version 2.90 may allow a privileged user to enable information disclosure via local access.

CVSS Base Score: 6.1 Medium

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:L

CVEID: CVE-2023-24475

Description: Out of bounds read in some Intel(R) Server Board BMC firmware before version 2.90 may allow a privileged user to enable information disclosure via local access.

CVSS Base Score: 6.0 Medium

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:H

CVEID: CVE-2023-22443

Description: Integer overflow in some Intel(R) Server Board BMC firmware before version 2.90 may allow a privileged user to enable denial of service via local access.

CVSS Base Score: 6.0 Medium

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H

**Affected Products:**

Intel® Server Board M50CYP Family BMC firmware before version 2.90.

Intel® Server Board D50TNP Family BMC firmware before version 2.90.

**Recommendations:**

Intel recommends updating the firmware for the affected Intel® Server Boards to the latest version:

Updates for Intel® Server Board M50CYP Family BMC firmware can be found here.

Updates for Intel® Server Board D50TNP Family BMC firmware can be found here.

**Acknowledgements:**

The following issues were found internally by Intel employees.  Intel would like to thank Fabian Galindo Sanchez, Daniel Medina Velazquez and Thierry Fernandes Faria.

Intel, and nearly the entire technology industry, follows a disclosure practice called Coordinated Disclosure, under which a cybersecurity vulnerability is generally publicly disclosed only after mitigations are available.

**Revision History**

Revision

Date

Description

1.0

05/09/2023

Initial Release

**Legal Notices and Disclaimers**

Intel provides these materials as-is, with no express or implied warranties.

All products, dates, and figures specified are preliminary based on current expectations, and are subject to change without notice.

Intel products and services described may contain design defects or errors known as errata, which may cause the product to deviate from published specifications. Current characterized errata are available on request.

Intel products that have met their End of Servicing Updates may no longer receive functional and security updates. For additional details on support and servicing, please see this help article. 

Intel technologies’ features and benefits depend on system configuration and may require enabled hardware, software or service activation. Performance varies depending on system configuration. No product or component can be absolutely secure. Check with your system manufacturer or retailer or learn more at http://intel.com.

Some results have been estimated or simulated using internal Intel analysis or architecture simulation or modeling, and provided to you for informational purposes. Any differences in your system hardware, software or configuration may affect your actual performance.

© Intel Corporation.  Intel, the Intel logo, and other Intel marks are trademarks of Intel Corporation or its subsidiaries United States and other countries.  Other names and brands may be claimed as the property of others.

**Report a Vulnerability**

If you have information about a security issue or vulnerability with an **Intel branded product or technology**, please send an e-mail to secure@intel.com. Encrypt sensitive information using our PGP public key.

Please provide as much information as possible, including:

*   The products and versions affected
*   Detailed description of the vulnerability
*   Information on known exploits

A member of the Intel Product Security Team will review your e-mail and contact you to collaborate on resolving the issue. For more information on how Intel works to resolve security issues, see:

*   Vulnerability handling guidelines

For issues related to Intel's external web presence (Intel.com and related subdomains), please contact Intel's External Security Research team.

**Need product support?**

If you...

*   Have questions about the security features of an Intel product
*   Require technical support
*   Want product updates or patches

  
Please visit Support & Downloads.

*   Report a Vulnerability
*   Product Support

CVE-2023-28411: INTEL-SA-00839

Heap-based buffer overflow vulnerability exists in CX-Drive All models V3.01 and earlier. By having a user open a specially crafted SDD file, arbitrary code may be executed and/or information may be disclosed.

Published:2023/04/24  Last Updated:2023/04/24

**Overview**

OMRON CX-Drive contains a heap-based buffer overflow vulnerability.

**Products Affected**

*   CX-Drive All models V3.01 and earlier

To check the product names and versions, refer to the manual "CX-Drive Operation User's Manual (W453-E1)" provided by the developer.

**Description**

CX-Drive provided by OMRON Corporation contains a heap-based buffer overflow vulnerability (CWE-122, CVE-2023-27385).

**Impact**

By having a user open a specially crafted SDD file, arbitrary code may be executed and/or information may be disclosed.

**Solution**

**Apply Workarounds**  
Applying the workarounds may mitigate the impacts of this vulnerability.  
For the details of the workarounds, refer to the information provided by the developer under \[Vendor Status\] section.

**Vendor Status**

**References**

**JPCERT/CC Addendum**

**Vulnerability Analysis by JPCERT/CC**

CVSS v3 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Attack Vector(AV)

Physical (P)

Local (L)

Adjacent (A)

Network (N)

Attack Complexity(AC)

High (H)

Low (L)

Privileges Required(PR)

High (H)

Low (L)

None (N)

User Interaction(UI)

Required (R)

None (N)

Scope(S)

Unchanged (U)

Changed (C)

Confidentiality Impact(C)

None (N)

Low (L)

High (H)

Integrity Impact(I)

None (N)

Low (L)

High (H)

Availability Impact(A)

None (N)

Low (L)

High (H)

**Credit**

Michael Heinzl reported this vulnerability to JPCERT/CC.  
JPCERT/CC coordinated with the developer.

**Other Information**

JPCERT Alert

  

JPCERT Reports

  

CERT Advisory

  

CPNI Advisory

  

TRnotes

  

CVE

CVE-2023-27385  

JVN iPedia

CVE-2023-27385: Heap-based buffer overflow vulnerability in OMRON CX-Drive

A buffer overflow vulnerability was discovered on firmware version validation that could lead to an unauthenticated remote code execution in Western Digital My Cloud Home, My Cloud Home Duo and SanDisk ibi devices. An attacker would require exploitation of another vulnerability to raise their privileges in order to exploit this buffer overflow vulnerability.

This issue affects My Cloud Home and My Cloud Home Duo: through 9.4.0-191; ibi: through 9.4.0-191. 





**WDC Tracking Number:** WDC-23003  
**Product Line:** My Cloud Home, My Cloud Home Duo, and SanDisk ibi  
**Published:** February 13, 2023

**Last Updated:** February 13, 2023

**Description**

Western Digital My Cloud Home, My Cloud Home Duo and SanDisk ibi firmware versions 9.4.0-191 and higher include updates to help improve the security of your devices.

Your devices will be automatically updated to reflect the latest firmware version.

**Product Impact**

**Minimum Fix Version**

**Last Updated**

My Cloud Home

9.4.0-191

February 8, 2023

My Cloud Home Duo

9.4.0-191

February 8, 2023

SanDisk ibi

9.4.0-191

February 8, 2023

For more information on the latest security updates, see the release notes.

**Advisory Summary**

Addressed an uncontrolled resource consumption issue that could arise by sending crafted requests to a service to consume a large amount of memory, eventually resulting in the service being stopped and restarted.

**CVE Number:** CVE-2022-36326

Addressed a path traversal vulnerability that could allow an attacker to write files to locations with certain critical filesystem types leading to remote code execution.

**CVE Number:** CVE-2022-36327

Addressed a path traversal vulnerability that could allow an attacker to create arbitrary shares on arbitrary directories and exfiltrate sensitive files, passwords, users and device configurations.

**CVE Number:** CVE-2022-36328

Addressed an improper privilege management issue that could allow an attacker to cause a denial of service over the OTA mechanism.

**CVE Number:** CVE-2022-36329

Addressed a buffer overflow vulnerability on firmware version validation that could lead to an unauthenticated remote code execution.

**CVE Number:** CVE-2022-36330

CVE-2022-36330: WDC-23003 Western Digital My Cloud Home, My Cloud Home Duo and SanDisk ibi Firmware Version 9.4.0-191 | Western Digital

Buffer Overflow vulnerability found in Libtiff V.4.0.7 allows a local attacker to cause a denial of service via the tiffcp function in tiffcp.c.

CVE-2023-30086

Buffer Overflow vulnerability found in Libming swftophp v.0.4.8 allows a local attacker to cause a denial of service via the newVar_N in util/decompile.c.

Heap buffer overflow in the latest version of libming at function newVar\_N in util/decompile.c:654.

**Environment**

Ubuntu 18.04, 64 bit  
libming 0.4.8

**Steps to reproduce**

1.  download file

    wget https://github.com/libming/libming/archive/refs/tags/ming-0_4_8.tar.gz
    tar -zxvf ming-0_4_8.tar.gz
    

2.  compile libming with ASAN

    cd libming-ming-0_4_8
    ./autogen.sh
    export FORCE_UNSAFE_CONFIGURE=1
    export LLVM_COMPILER=clang
    CC=wllvm CXX=wllvm++ CFLAGS="-g -O0 -fcommon -Wno-error" ./configure --prefix=`pwd`/obj-bc --with-php-config=/usr/bin/php-config7.2 --enable-static --disable-shared
    make
    make install
    
    cd obj-bc/bin/
    extract-bc swftophp
    clang -fsanitize=address -lz -lm swftophp.bc -o swftophp_asan
    

3.  command for reproducing the error

Download poc:  
libming\_0-4-8\_swftophp\_heap-buffer-overflow\_decompile654.zip

**ASAN report**

    root@2413df779df0:~/compiler1804/libming-ming-0_4_8/obj-bc/bin# ./swftophp_asan libming_0-4-8_swftophp_heap-buffer-overflow_decompile654.swf 
    header indicates a filesize of 0 but filesize is 166
    <?php
    $m = new SWFMovie(0);
    
    ming_setscale(1.0);
    $m->setRate(0.000000);
    $m->setDimension(0, 1);
    
    /* Note: xMin and/or yMin are not 0! */
    
    $m->setFrames(0);
    
    /* SWF_DOACTION */
        16:SWFACTION_FSCOMMAND2
      Can't get int for type: 10
    =================================================================
    ==60490==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x619000001880 at pc 0x000000439494 bp 0x7ffd310a9d90 sp 0x7ffd310a9540
    READ of size 1025 at 0x619000001880 thread T0
        #0 0x439493 in __interceptor_strlen.part.36 /root/LLVM/llvm/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:372
        #1 0x5022e5 in newVar_N /root/compiler1804/libming-ming-0_4_8/util/decompile.c:654:11
        #2 0x4fbe07 in decompileNEWOBJECT /root/compiler1804/libming-ming-0_4_8/util/decompile.c:1588:7
        #3 0x4fab64 in decompileAction /root/compiler1804/libming-ming-0_4_8/util/decompile.c:3190:3
        #4 0x501b27 in decompileActions /root/compiler1804/libming-ming-0_4_8/util/decompile.c:3401:6
        #5 0x503b31 in decompile5Action /root/compiler1804/libming-ming-0_4_8/util/decompile.c:3423:2
        #6 0x4f7865 in outputSWF_DOACTION /root/compiler1804/libming-ming-0_4_8/util/outputscript.c:1548:29
        #7 0x4f72ac in outputBlock /root/compiler1804/libming-ming-0_4_8/util/outputscript.c:2079:4
        #8 0x4f9d21 in readMovie /root/compiler1804/libming-ming-0_4_8/util/main.c:277:4
        #9 0x4f984d in main /root/compiler1804/libming-ming-0_4_8/util/main.c:350:2
        #10 0x7fe2276bdc86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
        #11 0x41b8d9 in _start (/root/compiler1804/libming-ming-0_4_8/obj-bc/bin/swftophp_asan+0x41b8d9)
    
    0x619000001880 is located 0 bytes to the right of 1024-byte region [0x619000001480,0x619000001880)
    allocated by thread T0 here:
        #0 0x4ae288 in realloc /root/LLVM/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:164
        #1 0x502330 in newVar_N /root/compiler1804/libming-ming-0_4_8/util/decompile.c:657:18
        #2 0x4fbe07 in decompileNEWOBJECT /root/compiler1804/libming-ming-0_4_8/util/decompile.c:1588:7
        #3 0x4fab64 in decompileAction /root/compiler1804/libming-ming-0_4_8/util/decompile.c:3190:3
        #4 0x501b27 in decompileActions /root/compiler1804/libming-ming-0_4_8/util/decompile.c:3401:6
        #5 0x503b31 in decompile5Action /root/compiler1804/libming-ming-0_4_8/util/decompile.c:3423:2
        #6 0x4f7865 in outputSWF_DOACTION /root/compiler1804/libming-ming-0_4_8/util/outputscript.c:1548:29
        #7 0x4f72ac in outputBlock /root/compiler1804/libming-ming-0_4_8/util/outputscript.c:2079:4
        #8 0x4f9d21 in readMovie /root/compiler1804/libming-ming-0_4_8/util/main.c:277:4
        #9 0x4f984d in main /root/compiler1804/libming-ming-0_4_8/util/main.c:350:2
        #10 0x7fe2276bdc86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /root/LLVM/llvm/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:372 in __interceptor_strlen.part.36
    Shadow bytes around the buggy address:
      0x0c327fff82c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c327fff82d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c327fff82e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c327fff82f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c327fff8300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x0c327fff8310:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c327fff8320: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c327fff8330: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c327fff8340: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c327fff8350: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c327fff8360: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==60490==ABORTING

Tag

#buffer_overflow