Buffer Overflow vulnerability found in Libming swftophp v.0.4.8 allows a local attacker to cause a denial of service via the cws2fws function in util/decompile.c.

Allocation size overflow in the latest version of libming at function cws2fws in util/main.c:111.

**Environment**

Ubuntu 18.04, 64 bit  
libming 0.4.8

**Steps to reproduce**

1.  download file

    wget https://github.com/libming/libming/archive/refs/tags/ming-0_4_8.tar.gz
    tar -zxvf ming-0_4_8.tar.gz
    

2.  compile libming with ASAN

    cd libming-ming-0_4_8
    ./autogen.sh
    export FORCE_UNSAFE_CONFIGURE=1
    export LLVM_COMPILER=clang
    CC=wllvm CXX=wllvm++ CFLAGS="-g -O0 -fcommon -Wno-error" ./configure --prefix=`pwd`/obj-bc --with-php-config=/usr/bin/php-config7.2 --enable-static --disable-shared
    make
    make install
    
    cd obj-bc/bin/
    extract-bc swftophp
    clang -fsanitize=address -lz -lm swftophp.bc -o swftophp_asan
    

3.  command for reproducing the error

Download poc:  
libming\_0-4-8\_swftophp\_allocation-size-overflow\_main111.zip

**ASAN report**

    root@2413df779df0:~/compiler1804/libming-ming-0_4_8/obj-bc/bin# ./swftophp_asan libming_0-4-8_swftophp_allocation-size-overflow_main111.swf 
    =================================================================
    ==60493==ERROR: AddressSanitizer: requested allocation size 0xffffffffff000533 (0xffffffffff001538 after adjustments for alignment, red zones etc.) exceeds maximum supported size of 0x10000000000 (thread T0)
        #0 0x4ae288 in realloc /root/LLVM/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:164
        #1 0x4f9334 in cws2fws /root/compiler1804/libming-ming-0_4_8/util/main.c:111:15
        #2 0x4f99dd in readMovieHeader /root/compiler1804/libming-ming-0_4_8/util/main.c:198:18
        #3 0x4f97ee in main /root/compiler1804/libming-ming-0_4_8/util/main.c:346:5
        #4 0x7f6a64b67c86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
    
    ==60493==HINT: if you don't care about these errors you may set allocator_may_return_null=1
    SUMMARY: AddressSanitizer: allocation-size-too-big /root/LLVM/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:164 in realloc
    ==60493==ABORTING

CVE-2023-30085: Allocation size overflow in cws2fws() at main.c:111 · Issue #267 · libming/libming

Red Hat Security Advisory 2023-2148-01 - The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements. Issues addressed include buffer overflow, bypass, denial of service, double free, memory leak, null pointer, out of bounds read, privilege escalation, traversal, and use-after-free vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: kernel-rt security and bug fix update  
Advisory ID:       RHSA-2023:2148-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:2148  
Issue date:        2023-05-09  
CVE Names:         CVE-2021-26341 CVE-2021-33655 CVE-2022-1462  
                   CVE-2022-1789 CVE-2022-1882 CVE-2022-2196  
                   CVE-2022-2663 CVE-2022-3028 CVE-2022-3435  
                   CVE-2022-3522 CVE-2022-3524 CVE-2022-3566  
                   CVE-2022-3567 CVE-2022-3619 CVE-2022-3623  
                   CVE-2022-3625 CVE-2022-3628 CVE-2022-3640  
                   CVE-2022-3707 CVE-2022-4128 CVE-2022-4129  
                   CVE-2022-20141 CVE-2022-21505 CVE-2022-28388  
                   CVE-2022-33743 CVE-2022-39188 CVE-2022-39189  
                   CVE-2022-41674 CVE-2022-42703 CVE-2022-42720  
                   CVE-2022-42721 CVE-2022-42722 CVE-2022-42896  
                   CVE-2022-43750 CVE-2022-47929 CVE-2023-0394  
                   CVE-2023-0461 CVE-2023-0590 CVE-2023-1195  
                   CVE-2023-1382  
====================================================================  
1. Summary:

An update for kernel-rt is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux NFV (v. 9) - x86_64  
Red Hat Enterprise Linux RT (v. 9) - x86_64

3. Description:

The kernel-rt packages provide the Real Time Linux Kernel, which enables  
fine-tuning for systems with extremely high determinism requirements.

Security Fix(es):

* use-after-free in l2cap_connect and l2cap_le_connect_req in  
net/bluetooth/l2cap_core.c (CVE-2022-42896)

* net/ulp: use-after-free in listening ULP sockets (CVE-2023-0461)

* hw: cpu: AMD CPUs may transiently execute beyond unconditional direct  
branch (CVE-2021-26341)

* malicious data for FBIOPUT_VSCREENINFO ioctl may cause OOB write memory  
(CVE-2021-33655)

* possible race condition in drivers/tty/tty_buffers.c (CVE-2022-1462)

* KVM: NULL pointer dereference in kvm_mmu_invpcid_gva (CVE-2022-1789)

* use-after-free in free_pipe_info() could lead to privilege escalation  
(CVE-2022-1882)

* KVM: nVMX: missing IBPB when exiting from nested guest can lead to  
Spectre v2 attacks (CVE-2022-2196)

* netfilter: nf_conntrack_irc message handling issue (CVE-2022-2663)

* race condition in xfrm_probe_algs can lead to OOB read/write  
(CVE-2022-3028)

* out-of-bounds read in fib_nh_match of the file net/ipv4/fib_semantics.c  
(CVE-2022-3435)

* race condition in hugetlb_no_page() in mm/hugetlb.c (CVE-2022-3522)

* memory leak in ipv6_renew_options() (CVE-2022-3524)

* data races around icsk->icsk_af_ops in do_ipv6_setsockopt (CVE-2022-3566)

* data races around sk->sk_prot (CVE-2022-3567)

* memory leak in l2cap_recv_acldata of the file net/bluetooth/l2cap_core.c  
(CVE-2022-3619)

* denial of service in follow_page_pte in mm/gup.c due to poisoned pte  
entry (CVE-2022-3623)

* use-after-free after failed devlink reload in devlink_param_get  
(CVE-2022-3625)

* USB-accessible buffer overflow in brcmfmac (CVE-2022-3628)

* use after free flaw in l2cap_conn_del in net/bluetooth/l2cap_core.c  
(CVE-2022-3640)

* Double-free in split_2MB_gtt_entry when function  
intel_gvt_dma_map_guest_page failed (CVE-2022-3707)

* mptcp: NULL pointer dereference in subflow traversal at disconnect time  
(CVE-2022-4128)

* l2tp: missing lock when clearing sk_user_data can lead to NULL pointer  
dereference (CVE-2022-4129)

* igmp: use-after-free in ip_check_mc_rcu when opening and closing inet  
sockets (CVE-2022-20141)

* lockdown bypass using IMA (CVE-2022-21505)

* double free in usb_8dev_start_xmit in drivers/net/can/usb/usb_8dev.c  
(CVE-2022-28388)

* network backend may cause Linux netfront to use freed SKBs (XSA-405)  
(CVE-2022-33743)

* unmap_mapping_range() race with munmap() on VM_PFNMAP mappings leads to  
stale TLB entry (CVE-2022-39188)

* TLB flush operations are mishandled in certain KVM_VCPU_PREEMPTED leading  
to guest malfunctioning (CVE-2022-39189)

* u8 overflow problem in cfg80211_update_notlisted_nontrans()  
(CVE-2022-41674)

* use-after-free related to leaf anon_vma double reuse (CVE-2022-42703)

* use-after-free in bss_ref_get in net/wireless/scan.c (CVE-2022-42720)

* BSS list corruption in cfg80211_add_nontrans_list in net/wireless/scan.c  
(CVE-2022-42721)

* Denial of service in beacon protection for P2P-device (CVE-2022-42722)

* memory corruption in usbmon driver (CVE-2022-43750)

* NULL pointer dereference in traffic control subsystem (CVE-2022-47929)

* NULL pointer dereference in rawv6_push_pending_frames (CVE-2023-0394)

* use-after-free due to race condition in qdisc_graft() (CVE-2023-0590)

* use-after-free caused by invalid pointer hostname in fs/cifs/connect.c  
(CVE-2023-1195)

* denial of service in tipc_conn_close (CVE-2023-1382)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat  
Enterprise Linux 9.2 Release Notes linked from the References section.

4. Solution:

Before applying this update, make sure all previously released errata  
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2061703 - CVE-2021-26341 hw: cpu: AMD CPUs may transiently execute beyond unconditional direct branch  
2073091 - CVE-2022-28388 kernel: double free in usb_8dev_start_xmit in drivers/net/can/usb/usb_8dev.c  
2078466 - CVE-2022-1462 kernel: possible race condition in drivers/tty/tty_buffers.c  
2089701 - CVE-2022-1882 kernel: use-after-free in free_pipe_info() could lead to privilege escalation  
2090723 - CVE-2022-1789 kernel: KVM: NULL pointer dereference in kvm_mmu_invpcid_gva  
2106830 - CVE-2022-21505 kernel: lockdown bypass using IMA  
2107924 - CVE-2022-33743 kernel: network backend may cause Linux netfront to use freed SKBs (XSA-405)  
2108691 - CVE-2021-33655 kernel: malicious data for FBIOPUT_VSCREENINFO ioctl may cause OOB write memory  
2114937 - CVE-2022-20141 kernel: igmp: use-after-free in ip_check_mc_rcu when opening and closing inet sockets  
2122228 - CVE-2022-3028 kernel: race condition in xfrm_probe_algs can lead to OOB read/write  
2123056 - CVE-2022-2663 kernel: netfilter: nf_conntrack_irc message handling issue  
2124788 - CVE-2022-39189 kernel: TLB flush operations are mishandled in certain KVM_VCPU_PREEMPTED leading to guest malfunctioning  
2130141 - CVE-2022-39188 kernel: unmap_mapping_range() race with munmap() on VM_PFNMAP mappings leads to stale TLB entry  
2133483 - CVE-2022-42703 kernel: use-after-free related to leaf anon_vma double reuse  
2133490 - CVE-2022-3435 kernel: out-of-bounds read in fib_nh_match of the file net/ipv4/fib_semantics.c  
2134377 - CVE-2022-41674 kernel: u8 overflow problem in cfg80211_update_notlisted_nontrans()  
2134380 - CVE-2022-4128 kernel: mptcp: NULL pointer dereference in subflow traversal at disconnect time  
2134451 - CVE-2022-42720 kernel: use-after-free in bss_ref_get in net/wireless/scan.c  
2134506 - CVE-2022-42721 kernel: BSS list corruption in cfg80211_add_nontrans_list in net/wireless/scan.c  
2134517 - CVE-2022-42722 kernel: Denial of service in beacon protection for P2P-device  
2134528 - CVE-2022-4129 kernel: l2tp: missing lock when clearing sk_user_data can lead to NULL pointer dereference  
2137979 - CVE-2022-3707 kernel: Double-free in split_2MB_gtt_entry when function intel_gvt_dma_map_guest_page failed  
2139610 - CVE-2022-3640 kernel: use after free flaw in l2cap_conn_del in net/bluetooth/l2cap_core.c  
2143893 - CVE-2022-3566 kernel: data races around icsk->icsk_af_ops in do_ipv6_setsockopt  
2143943 - CVE-2022-3567 kernel: data races around sk->sk_prot  
2144720 - CVE-2022-3625 kernel: use-after-free after failed devlink reload in devlink_param_get  
2147364 - CVE-2022-42896 kernel: use-after-free in l2cap_connect and l2cap_le_connect_req in net/bluetooth/l2cap_core.c  
2150947 - CVE-2022-3524 kernel: memory leak in ipv6_renew_options()  
2150960 - CVE-2022-3628 kernel: USB-accessible buffer overflow in brcmfmac  
2150979 - CVE-2022-3522 kernel: race condition in hugetlb_no_page() in mm/hugetlb.c  
2151270 - CVE-2022-43750 kernel: memory corruption in usbmon driver  
2154171 - CVE-2023-1195 kernel: use-after-free caused by invalid pointer hostname in fs/cifs/connect.c  
2154235 - CVE-2022-3619 kernel: memory leak in l2cap_recv_acldata of the file net/bluetooth/l2cap_core.c  
2160023 - CVE-2022-2196 kernel: KVM: nVMX: missing IBPB when exiting from nested guest can lead to Spectre v2 attacks  
2162120 - CVE-2023-0394 kernel: NULL pointer dereference in rawv6_push_pending_frames  
2165721 - CVE-2022-3623 kernel: denial of service in follow_page_pte in mm/gup.c due to poisoned pte entry  
2165741 - CVE-2023-0590 kernel: use-after-free due to race condition in qdisc_graft()  
2168246 - CVE-2022-47929 kernel: NULL pointer dereference in traffic control subsystem  
2176192 - CVE-2023-0461 kernel: net/ulp: use-after-free in listening ULP sockets  
2177371 - CVE-2023-1382 kernel: denial of service in tipc_conn_close

6. Package List:

Red Hat Enterprise Linux NFV (v. 9):

Source:  
kernel-rt-5.14.0-284.11.1.rt14.296.el9_2.src.rpm

x86_64:  
kernel-rt-5.14.0-284.11.1.rt14.296.el9_2.x86_64.rpm  
kernel-rt-core-5.14.0-284.11.1.rt14.296.el9_2.x86_64.rpm  
kernel-rt-debug-5.14.0-284.11.1.rt14.296.el9_2.x86_64.rpm  
kernel-rt-debug-core-5.14.0-284.11.1.rt14.296.el9_2.x86_64.rpm  
kernel-rt-debug-debuginfo-5.14.0-284.11.1.rt14.296.el9_2.x86_64.rpm  
kernel-rt-debug-devel-5.14.0-284.11.1.rt14.296.el9_2.x86_64.rpm  
kernel-rt-debug-kvm-5.14.0-284.11.1.rt14.296.el9_2.x86_64.rpm  
kernel-rt-debug-modules-5.14.0-284.11.1.rt14.296.el9_2.x86_64.rpm  
kernel-rt-debug-modules-core-5.14.0-284.11.1.rt14.296.el9_2.x86_64.rpm  
kernel-rt-debug-modules-extra-5.14.0-284.11.1.rt14.296.el9_2.x86_64.rpm  
kernel-rt-debuginfo-5.14.0-284.11.1.rt14.296.el9_2.x86_64.rpm  
kernel-rt-debuginfo-common-x86_64-5.14.0-284.11.1.rt14.296.el9_2.x86_64.rpm  
kernel-rt-devel-5.14.0-284.11.1.rt14.296.el9_2.x86_64.rpm  
kernel-rt-kvm-5.14.0-284.11.1.rt14.296.el9_2.x86_64.rpm  
kernel-rt-modules-5.14.0-284.11.1.rt14.296.el9_2.x86_64.rpm  
kernel-rt-modules-core-5.14.0-284.11.1.rt14.296.el9_2.x86_64.rpm  
kernel-rt-modules-extra-5.14.0-284.11.1.rt14.296.el9_2.x86_64.rpm

Red Hat Enterprise Linux RT (v. 9):

Source:  
kernel-rt-5.14.0-284.11.1.rt14.296.el9_2.src.rpm

x86_64:  
kernel-rt-5.14.0-284.11.1.rt14.296.el9_2.x86_64.rpm  
kernel-rt-core-5.14.0-284.11.1.rt14.296.el9_2.x86_64.rpm  
kernel-rt-debug-5.14.0-284.11.1.rt14.296.el9_2.x86_64.rpm  
kernel-rt-debug-core-5.14.0-284.11.1.rt14.296.el9_2.x86_64.rpm  
kernel-rt-debug-debuginfo-5.14.0-284.11.1.rt14.296.el9_2.x86_64.rpm  
kernel-rt-debug-devel-5.14.0-284.11.1.rt14.296.el9_2.x86_64.rpm  
kernel-rt-debug-modules-5.14.0-284.11.1.rt14.296.el9_2.x86_64.rpm  
kernel-rt-debug-modules-core-5.14.0-284.11.1.rt14.296.el9_2.x86_64.rpm  
kernel-rt-debug-modules-extra-5.14.0-284.11.1.rt14.296.el9_2.x86_64.rpm  
kernel-rt-debuginfo-5.14.0-284.11.1.rt14.296.el9_2.x86_64.rpm  
kernel-rt-debuginfo-common-x86_64-5.14.0-284.11.1.rt14.296.el9_2.x86_64.rpm  
kernel-rt-devel-5.14.0-284.11.1.rt14.296.el9_2.x86_64.rpm  
kernel-rt-modules-5.14.0-284.11.1.rt14.296.el9_2.x86_64.rpm  
kernel-rt-modules-core-5.14.0-284.11.1.rt14.296.el9_2.x86_64.rpm  
kernel-rt-modules-extra-5.14.0-284.11.1.rt14.296.el9_2.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2021-26341  
https://access.redhat.com/security/cve/CVE-2021-33655  
https://access.redhat.com/security/cve/CVE-2022-1462  
https://access.redhat.com/security/cve/CVE-2022-1789  
https://access.redhat.com/security/cve/CVE-2022-1882  
https://access.redhat.com/security/cve/CVE-2022-2196  
https://access.redhat.com/security/cve/CVE-2022-2663  
https://access.redhat.com/security/cve/CVE-2022-3028  
https://access.redhat.com/security/cve/CVE-2022-3435  
https://access.redhat.com/security/cve/CVE-2022-3522  
https://access.redhat.com/security/cve/CVE-2022-3524  
https://access.redhat.com/security/cve/CVE-2022-3566  
https://access.redhat.com/security/cve/CVE-2022-3567  
https://access.redhat.com/security/cve/CVE-2022-3619  
https://access.redhat.com/security/cve/CVE-2022-3623  
https://access.redhat.com/security/cve/CVE-2022-3625  
https://access.redhat.com/security/cve/CVE-2022-3628  
https://access.redhat.com/security/cve/CVE-2022-3640  
https://access.redhat.com/security/cve/CVE-2022-3707  
https://access.redhat.com/security/cve/CVE-2022-4128  
https://access.redhat.com/security/cve/CVE-2022-4129  
https://access.redhat.com/security/cve/CVE-2022-20141  
https://access.redhat.com/security/cve/CVE-2022-21505  
https://access.redhat.com/security/cve/CVE-2022-28388  
https://access.redhat.com/security/cve/CVE-2022-33743  
https://access.redhat.com/security/cve/CVE-2022-39188  
https://access.redhat.com/security/cve/CVE-2022-39189  
https://access.redhat.com/security/cve/CVE-2022-41674  
https://access.redhat.com/security/cve/CVE-2022-42703  
https://access.redhat.com/security/cve/CVE-2022-42720  
https://access.redhat.com/security/cve/CVE-2022-42721  
https://access.redhat.com/security/cve/CVE-2022-42722  
https://access.redhat.com/security/cve/CVE-2022-42896  
https://access.redhat.com/security/cve/CVE-2022-43750  
https://access.redhat.com/security/cve/CVE-2022-47929  
https://access.redhat.com/security/cve/CVE-2023-0394  
https://access.redhat.com/security/cve/CVE-2023-0461  
https://access.redhat.com/security/cve/CVE-2023-0590  
https://access.redhat.com/security/cve/CVE-2023-1195  
https://access.redhat.com/security/cve/CVE-2023-1382  
https://access.redhat.com/security/updates/classification/#important  
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.2_release_notes/index

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZFo0NtzjgjWX9erEAQhskQ//eAqMI93djEsADoo5zb3EO3xEGrb//Im2  
ptPycHLLL6ZG+t/+1PiMk/e8LwhV2hrxz7nzc4xh8tNO4TRuF0WK/sR8Iv4y6/Fs  
95X25NgEndOlHk7uUVgEdTYvZnpNh27XJwyEHDu6HV8suxY6gfbYHqV7zlkGBi43  
zQA+sfEDXFVfvLug/RpaD0J7wXc0JyUoG4OratWV1E37zw9mNPSX1P0bFy4QoKXL  
rhG1Xc+qSWK3kjnJjpeU8nIJGhL2oJDFVuICkiC+aEp7C//DE1TA7L7u3Z+7Tou/  
BpPmjMyfXF/UQYZtJCrCRiTj/RsRIqaUSoy3/3MO8jxVMR6FIm/QTjY63JCGfj6A  
OahLv77oKDJXuHQQ7JkHycKMOc+JfX/ZNtxtgn2gYFfpjPTY/klTJP8iM9KhnTuQ  
2lF5jvYJihYhGio+cyl5Ad/XmzsHh7cTQR3XKtNa7p9/+QkAKt10LhbzxvebThFd  
cZtLUsdph4wO6T+RrZ5XdwvOSox1C40mfOnwJO41M/9GXPHoxhmwrZYBWKE1PY0J  
Jq9m+pYgKv+ioTW1FWloM22mu0PW/L5F3djzAVujShX0iRgfW2Aao3n+L8A22bYD  
Q+5LbFsWZwpeK7zXgXocJlY7j667sT9UGqBwk4xMfAiS5A0p2Zo1rkIre2lvmF2D  
JJU7NBGa9VU=YrUX  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-2148-01

Red Hat Security Advisory 2023-2458-01 - The kernel packages contain the Linux kernel, the core of any Linux operating system. Issues addressed include buffer overflow, bypass, denial of service, double free, memory leak, null pointer, out of bounds read, privilege escalation, traversal, and use-after-free vulnerabilities.

Red Hat Security Advisory 2023-2458-01

Red Hat Security Advisory 2023-2256-01 - WebKitGTK is the port of the portable web rendering engine WebKit to the GTK platform. Issues addressed include buffer overflow, bypass, code execution, information leakage, out of bounds write, and use-after-free vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: webkit2gtk3 security and bug fix update  
Advisory ID:       RHSA-2023:2256-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:2256  
Issue date:        2023-05-09  
CVE Names:         CVE-2022-32886 CVE-2022-32888 CVE-2022-32923  
                   CVE-2022-42799 CVE-2022-42823 CVE-2022-42824  
                   CVE-2022-42826 CVE-2022-42852 CVE-2022-42863  
                   CVE-2022-42867 CVE-2022-46691 CVE-2022-46692  
                   CVE-2022-46698 CVE-2022-46699 CVE-2022-46700  
                   CVE-2023-23517 CVE-2023-23518 CVE-2023-25358  
                   CVE-2023-25360 CVE-2023-25361 CVE-2023-25362  
                   CVE-2023-25363  
====================================================================  
1. Summary:

An update for webkit2gtk3 is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 9) - aarch64, ppc64le, s390x, x86_64

3. Description:

WebKitGTK is the port of the portable web rendering engine WebKit to the  
GTK platform.

Security Fix(es):

* webkitgtk: use-after-free issue leading to arbitrary code execution  
(CVE-2022-42826)

* webkitgtk: memory corruption issue leading to arbitrary code execution  
(CVE-2023-23517)

* webkitgtk: memory corruption issue leading to arbitrary code execution  
(CVE-2023-23518)

* webkitgtk: buffer overflow issue was addressed with improved memory  
handling (CVE-2022-32886)

* webkitgtk: out-of-bounds write issue was addressed with improved bounds  
checking (CVE-2022-32888)

* webkitgtk: correctness issue in the JIT was addressed with improved  
checks (CVE-2022-32923)

* webkitgtk: issue was addressed with improved UI handling (CVE-2022-42799)

* webkitgtk: type confusion issue leading to arbitrary code execution  
(CVE-2022-42823)

* webkitgtk: sensitive information disclosure issue (CVE-2022-42824)

* webkitgtk: memory disclosure issue was addressed with improved memory  
handling (CVE-2022-42852)

* webkitgtk: memory corruption issue leading to arbitrary code execution  
(CVE-2022-42863)

* webkitgtk: use-after-free issue leading to arbitrary code execution  
(CVE-2022-42867)

* webkitgtk: memory corruption issue leading to arbitrary code execution  
(CVE-2022-46691)

* webkitgtk: Same Origin Policy bypass issue (CVE-2022-46692)

* webkitgtk: logic issue leading to user information disclosure  
(CVE-2022-46698)

* webkitgtk: memory corruption issue leading to arbitrary code execution  
(CVE-2022-46699)

* webkitgtk: memory corruption issue leading to arbitrary code execution  
(CVE-2022-46700)

* webkitgtk: heap-use-after-free in WebCore::RenderLayer::addChild()  
(CVE-2023-25358)

* webkitgtk: heap-use-after-free in WebCore::RenderLayer::renderer()  
(CVE-2023-25360)

* webkitgtk: heap-use-after-free in WebCore::RenderLayer::setNextSibling()  
(CVE-2023-25361)

* webkitgtk: heap-use-after-free in  
WebCore::RenderLayer::repaintBlockSelectionGaps() (CVE-2023-25362)

* webkitgtk: heap-use-after-free in  
WebCore::RenderLayer::updateDescendantDependentFlags() (CVE-2023-25363)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat  
Enterprise Linux 9.2 Release Notes linked from the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2127467 - Upgrade WebKitGTK for RHEL 9.2  
2128643 - CVE-2022-32886 webkitgtk: buffer overflow issue was addressed with improved memory handling  
2140501 - CVE-2022-32888 webkitgtk: out-of-bounds write issue was addressed with improved bounds checking  
2140502 - CVE-2022-32923 webkitgtk: correctness issue in the JIT was addressed with improved checks  
2140503 - CVE-2022-42799 webkitgtk: issue was addressed with improved UI handling  
2140504 - CVE-2022-42824 webkitgtk: sensitive information disclosure issue  
2140505 - CVE-2022-42823 webkitgtk: type confusion issue leading to arbitrary code execution  
2156986 - CVE-2022-42852 webkitgtk: memory disclosure issue was addressed with improved memory handling  
2156987 - CVE-2022-42863 webkitgtk: memory corruption issue leading to arbitrary code execution  
2156989 - CVE-2022-42867 webkitgtk: use-after-free issue leading to arbitrary code execution  
2156990 - CVE-2022-46691 webkitgtk: memory corruption issue leading to arbitrary code execution  
2156991 - CVE-2022-46692 webkitgtk: Same Origin Policy bypass issue  
2156992 - CVE-2022-46698 webkitgtk: logic issue leading to user information disclosure  
2156993 - CVE-2022-46699 webkitgtk: memory corruption issue leading to arbitrary code execution  
2156994 - CVE-2022-46700 webkitgtk: memory corruption issue leading to arbitrary code execution  
2167715 - CVE-2023-23518 webkitgtk: memory corruption issue leading to arbitrary code execution  
2167716 - CVE-2022-42826 webkitgtk: use-after-free issue leading to arbitrary code execution  
2167717 - CVE-2023-23517 webkitgtk: memory corruption issue leading to arbitrary code execution  
2175099 - CVE-2023-25358 webkitgtk: heap-use-after-free in WebCore::RenderLayer::addChild()  
2175101 - CVE-2023-25360 webkitgtk: heap-use-after-free in WebCore::RenderLayer::renderer()  
2175103 - CVE-2023-25361 webkitgtk: heap-use-after-free in WebCore::RenderLayer::setNextSibling()  
2175105 - CVE-2023-25362 webkitgtk: heap-use-after-free in WebCore::RenderLayer::repaintBlockSelectionGaps()  
2175107 - CVE-2023-25363 webkitgtk: heap-use-after-free in WebCore::RenderLayer::updateDescendantDependentFlags()

6. Package List:

Red Hat Enterprise Linux AppStream (v. 9):

Source:  
webkit2gtk3-2.38.5-1.el9.src.rpm

aarch64:  
webkit2gtk3-2.38.5-1.el9.aarch64.rpm  
webkit2gtk3-debuginfo-2.38.5-1.el9.aarch64.rpm  
webkit2gtk3-debugsource-2.38.5-1.el9.aarch64.rpm  
webkit2gtk3-devel-2.38.5-1.el9.aarch64.rpm  
webkit2gtk3-devel-debuginfo-2.38.5-1.el9.aarch64.rpm  
webkit2gtk3-jsc-2.38.5-1.el9.aarch64.rpm  
webkit2gtk3-jsc-debuginfo-2.38.5-1.el9.aarch64.rpm  
webkit2gtk3-jsc-devel-2.38.5-1.el9.aarch64.rpm  
webkit2gtk3-jsc-devel-debuginfo-2.38.5-1.el9.aarch64.rpm

ppc64le:  
webkit2gtk3-2.38.5-1.el9.ppc64le.rpm  
webkit2gtk3-debuginfo-2.38.5-1.el9.ppc64le.rpm  
webkit2gtk3-debugsource-2.38.5-1.el9.ppc64le.rpm  
webkit2gtk3-devel-2.38.5-1.el9.ppc64le.rpm  
webkit2gtk3-devel-debuginfo-2.38.5-1.el9.ppc64le.rpm  
webkit2gtk3-jsc-2.38.5-1.el9.ppc64le.rpm  
webkit2gtk3-jsc-debuginfo-2.38.5-1.el9.ppc64le.rpm  
webkit2gtk3-jsc-devel-2.38.5-1.el9.ppc64le.rpm  
webkit2gtk3-jsc-devel-debuginfo-2.38.5-1.el9.ppc64le.rpm

s390x:  
webkit2gtk3-2.38.5-1.el9.s390x.rpm  
webkit2gtk3-debuginfo-2.38.5-1.el9.s390x.rpm  
webkit2gtk3-debugsource-2.38.5-1.el9.s390x.rpm  
webkit2gtk3-devel-2.38.5-1.el9.s390x.rpm  
webkit2gtk3-devel-debuginfo-2.38.5-1.el9.s390x.rpm  
webkit2gtk3-jsc-2.38.5-1.el9.s390x.rpm  
webkit2gtk3-jsc-debuginfo-2.38.5-1.el9.s390x.rpm  
webkit2gtk3-jsc-devel-2.38.5-1.el9.s390x.rpm  
webkit2gtk3-jsc-devel-debuginfo-2.38.5-1.el9.s390x.rpm

x86_64:  
webkit2gtk3-2.38.5-1.el9.i686.rpm  
webkit2gtk3-2.38.5-1.el9.x86_64.rpm  
webkit2gtk3-debuginfo-2.38.5-1.el9.i686.rpm  
webkit2gtk3-debuginfo-2.38.5-1.el9.x86_64.rpm  
webkit2gtk3-debugsource-2.38.5-1.el9.i686.rpm  
webkit2gtk3-debugsource-2.38.5-1.el9.x86_64.rpm  
webkit2gtk3-devel-2.38.5-1.el9.i686.rpm  
webkit2gtk3-devel-2.38.5-1.el9.x86_64.rpm  
webkit2gtk3-devel-debuginfo-2.38.5-1.el9.i686.rpm  
webkit2gtk3-devel-debuginfo-2.38.5-1.el9.x86_64.rpm  
webkit2gtk3-jsc-2.38.5-1.el9.i686.rpm  
webkit2gtk3-jsc-2.38.5-1.el9.x86_64.rpm  
webkit2gtk3-jsc-debuginfo-2.38.5-1.el9.i686.rpm  
webkit2gtk3-jsc-debuginfo-2.38.5-1.el9.x86_64.rpm  
webkit2gtk3-jsc-devel-2.38.5-1.el9.i686.rpm  
webkit2gtk3-jsc-devel-2.38.5-1.el9.x86_64.rpm  
webkit2gtk3-jsc-devel-debuginfo-2.38.5-1.el9.i686.rpm  
webkit2gtk3-jsc-devel-debuginfo-2.38.5-1.el9.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-32886  
https://access.redhat.com/security/cve/CVE-2022-32888  
https://access.redhat.com/security/cve/CVE-2022-32923  
https://access.redhat.com/security/cve/CVE-2022-42799  
https://access.redhat.com/security/cve/CVE-2022-42823  
https://access.redhat.com/security/cve/CVE-2022-42824  
https://access.redhat.com/security/cve/CVE-2022-42826  
https://access.redhat.com/security/cve/CVE-2022-42852  
https://access.redhat.com/security/cve/CVE-2022-42863  
https://access.redhat.com/security/cve/CVE-2022-42867  
https://access.redhat.com/security/cve/CVE-2022-46691  
https://access.redhat.com/security/cve/CVE-2022-46692  
https://access.redhat.com/security/cve/CVE-2022-46698  
https://access.redhat.com/security/cve/CVE-2022-46699  
https://access.redhat.com/security/cve/CVE-2022-46700  
https://access.redhat.com/security/cve/CVE-2023-23517  
https://access.redhat.com/security/cve/CVE-2023-23518  
https://access.redhat.com/security/cve/CVE-2023-25358  
https://access.redhat.com/security/cve/CVE-2023-25360  
https://access.redhat.com/security/cve/CVE-2023-25361  
https://access.redhat.com/security/cve/CVE-2023-25362  
https://access.redhat.com/security/cve/CVE-2023-25363  
https://access.redhat.com/security/updates/classification/#important  
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.2_release_notes/index

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZFo08tzjgjWX9erEAQizzA//ZfzdltwdtCXIOyqB+fCYF071RAjvFVho  
gGI/whuz9NHfhE1rFBw/C4pwVbauyRLEb8woNd6YM1fjr8itYOcvO1oFp8VU5sVr  
pC87bfUitNVO2nuZ/tbcM8HAz30HqjEV63o8PEJlRVz44+kY5RVlRIO+1dqWImYc  
Tv39Cd3NYB1BVNKQXB+sHZa11aSdFoJsPmMDyP2CRR+/hc5rwfPtqMYf5Nuwkf5+  
M25FubVdNJKJOvaxrqvqmJ52kA6bzazo9mX1fYUahPUtiiQlp6O1x5WgP/AqsoO/  
ZXy2dWFu7kUlq9ATL0YbhDmNUZVbYVBajobmvFXXpLklvI0iothfcX8mQXsSvy1Y  
ZBYShGu88cpS+qrn7jOTmkjNIWHFNHlhJs1JUdZ6zkN1IkXTyI7jaOmxCC5/elac  
SrNTweI/G3zA2QosLwdJMpsSPi2EHU10S/SiSx8VZaehLgkkY0NRW77c4CdlPs5z  
5/JldynPytqNqSxxT/4kYprTyrR7JnL/6BL0oqOGK2+aAiJdWx9bwjm9SD4lOwOe  
QPZUtkL7GWRccAjagX8YFccoJu9nOdNSAObJyDYXVRS1rftqOdYn6RYU8FHHCCOv  
g0cWjH87k4AWBvavbA9DhpftLvEz1oDGnUfZks4/tJeWKAWI/wQDWK3xTjAx4qYD  
6EzZBUU3xAw=k7TK  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-2256-01

Red Hat Security Advisory 2023-2260-01 - GStreamer is a streaming media framework based on graphs of filters which operate on media data. The gstreamer1-plugins-good packages contain a collection of well-supported plug-ins of good quality and under the LGPL license. Issues addressed include a buffer overflow vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Moderate: gstreamer1-plugins-good security update  
Advisory ID:       RHSA-2023:2260-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:2260  
Issue date:        2023-05-09  
CVE Names:         CVE-2022-1920 CVE-2022-1921 CVE-2022-1922  
                   CVE-2022-1923 CVE-2022-1924 CVE-2022-1925  
                   CVE-2022-2122  
====================================================================  
1. Summary:

An update for gstreamer1-plugins-good is now available for Red Hat  
Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 9) - aarch64, ppc64le, s390x, x86_64

3. Description:

GStreamer is a streaming media framework based on graphs of filters which  
operate on media data. The gstreamer1-plugins-good packages contain a  
collection of well-supported plug-ins of good quality and under the LGPL  
license.

Security Fix(es):

* gstreamer-plugins-good: Potential heap overwrite in  
gst_matroska_demux_add_wvpk_header() (CVE-2022-1920)

* gstreamer-plugins-good: Heap-based buffer overflow in the avi demuxer  
when handling certain AVI files (CVE-2022-1921)

* gstreamer-plugins-good: Potential heap overwrite in mkv demuxing using  
zlib decompression (CVE-2022-1922)

* gstreamer-plugins-good: Potential heap overwrite in mkv demuxing using  
bz2 decompression (CVE-2022-1923)

* gstreamer-plugins-good: Potential heap overwrite in mkv demuxing using  
lzo decompression (CVE-2022-1924)

* gstreamer-plugins-good: Potential heap overwrite in mkv demuxing using  
HEADERSTRIP decompression (CVE-2022-1925)

* gstreamer-plugins-good: Potential heap overwrite in mp4 demuxing using  
zlib decompression (CVE-2022-2122)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat  
Enterprise Linux 9.2 Release Notes linked from the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2130935 - CVE-2022-1920 gstreamer-plugins-good: Potential heap overwrite in gst_matroska_demux_add_wvpk_header()  
2130949 - CVE-2022-1921 gstreamer-plugins-good: Heap-based buffer overflow in the avi demuxer when handling certain AVI files  
2130955 - CVE-2022-1922 gstreamer-plugins-good: Potential heap overwrite in mkv demuxing using zlib decompression  
2130959 - CVE-2022-1923 gstreamer-plugins-good: Potential heap overwrite in mkv demuxing using bz2 decompression  
2131003 - CVE-2022-1924 gstreamer-plugins-good: Potential heap overwrite in mkv demuxing using lzo decompression  
2131007 - CVE-2022-1925 gstreamer-plugins-good: Potential heap overwrite in mkv demuxing using HEADERSTRIP decompression  
2131018 - CVE-2022-2122 gstreamer-plugins-good: Potential heap overwrite in mp4 demuxing using zlib decompression

6. Package List:

Red Hat Enterprise Linux AppStream (v. 9):

Source:  
gstreamer1-plugins-good-1.18.4-6.el9.src.rpm

aarch64:  
gstreamer1-plugins-good-1.18.4-6.el9.aarch64.rpm  
gstreamer1-plugins-good-debuginfo-1.18.4-6.el9.aarch64.rpm  
gstreamer1-plugins-good-debugsource-1.18.4-6.el9.aarch64.rpm  
gstreamer1-plugins-good-gtk-1.18.4-6.el9.aarch64.rpm  
gstreamer1-plugins-good-gtk-debuginfo-1.18.4-6.el9.aarch64.rpm  
gstreamer1-plugins-good-qt-debuginfo-1.18.4-6.el9.aarch64.rpm

ppc64le:  
gstreamer1-plugins-good-1.18.4-6.el9.ppc64le.rpm  
gstreamer1-plugins-good-debuginfo-1.18.4-6.el9.ppc64le.rpm  
gstreamer1-plugins-good-debugsource-1.18.4-6.el9.ppc64le.rpm  
gstreamer1-plugins-good-gtk-1.18.4-6.el9.ppc64le.rpm  
gstreamer1-plugins-good-gtk-debuginfo-1.18.4-6.el9.ppc64le.rpm  
gstreamer1-plugins-good-qt-debuginfo-1.18.4-6.el9.ppc64le.rpm

s390x:  
gstreamer1-plugins-good-1.18.4-6.el9.s390x.rpm  
gstreamer1-plugins-good-debuginfo-1.18.4-6.el9.s390x.rpm  
gstreamer1-plugins-good-debugsource-1.18.4-6.el9.s390x.rpm  
gstreamer1-plugins-good-gtk-1.18.4-6.el9.s390x.rpm  
gstreamer1-plugins-good-gtk-debuginfo-1.18.4-6.el9.s390x.rpm  
gstreamer1-plugins-good-qt-debuginfo-1.18.4-6.el9.s390x.rpm

x86_64:  
gstreamer1-plugins-good-1.18.4-6.el9.i686.rpm  
gstreamer1-plugins-good-1.18.4-6.el9.x86_64.rpm  
gstreamer1-plugins-good-debuginfo-1.18.4-6.el9.i686.rpm  
gstreamer1-plugins-good-debuginfo-1.18.4-6.el9.x86_64.rpm  
gstreamer1-plugins-good-debugsource-1.18.4-6.el9.i686.rpm  
gstreamer1-plugins-good-debugsource-1.18.4-6.el9.x86_64.rpm  
gstreamer1-plugins-good-gtk-1.18.4-6.el9.i686.rpm  
gstreamer1-plugins-good-gtk-1.18.4-6.el9.x86_64.rpm  
gstreamer1-plugins-good-gtk-debuginfo-1.18.4-6.el9.i686.rpm  
gstreamer1-plugins-good-gtk-debuginfo-1.18.4-6.el9.x86_64.rpm  
gstreamer1-plugins-good-qt-debuginfo-1.18.4-6.el9.i686.rpm  
gstreamer1-plugins-good-qt-debuginfo-1.18.4-6.el9.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-1920  
https://access.redhat.com/security/cve/CVE-2022-1921  
https://access.redhat.com/security/cve/CVE-2022-1922  
https://access.redhat.com/security/cve/CVE-2022-1923  
https://access.redhat.com/security/cve/CVE-2022-1924  
https://access.redhat.com/security/cve/CVE-2022-1925  
https://access.redhat.com/security/cve/CVE-2022-2122  
https://access.redhat.com/security/updates/classification/#moderate  
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.2_release_notes/index

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZFo06dzjgjWX9erEAQhrwQ//Ux/jfIsdlOlcSYh49YQrv5mmRH639gQE  
TVDDFz5x/9zRwuos1650/zyEs5SF3F9pBFgc8FeU9V2styVUuIYTgKtI3vYexa48  
LfoWcFZhVHNq60onLmoH/1TJsIdPA5Lvdmk2kqMn0+dA77CD9EAviilfWkTDp27F  
I1fTX0L0S8d7JZAscwMsrCefItv/5LG+tH2bN6ZokA21aV1RkLqaKylJdZj5+m2y  
dSyelBeEidfQTxaj9CNZftOrQjDziyW6JFVfQna2sOuz7ejOMUkfy25ZH145M9Y6  
0P7S71w+8FVk76AlrKE3qGyh0V13dfHTQpZW6cca4yzrKmoH2G4EDFHo0g9PrSwD  
eKFRmnJ6VNkyc4lgQT7G5ME1PsNYlRsX5WAUKWzT8RaIcxIWDr96UhoeKC2gYiaW  
wr/aOcBij0NZkdWN+9NbnXZqrwIRPTe8dOJpQpO9Nojsev4o7LZhWdS1z5C0xwsu  
wdPIlMofZ8/x01z39b/CVPsmESk0kefw7w5rwj+9XO2QcXwZkrshpZM8tMjhrMlF  
WyEOPPli2WpQfjco/jiMhV8cjKHSCHQSYPt67QZXtUFqD68P8AI1RhX9K7VhPVRo  
gOTkEsGxwqp2uLiTvYc7kElDjbKD/6nd52MANo4TR4aO2sZsTylCNeQ7I2bROhE4  
krFzi7LnE2s=IWWY  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-2260-01

Sngrep v1.6.0 was discovered to contain a stack buffer overflow via the function packet_set_payload at /src/packet.c.

How to trigger  
Compile the program with AddressSanitizer  
Run command $ ./sngrep -N -R -I $PoC  
Details  
ASAN report  
$./sngrep -N -R -I $PoC

    Dialog count: 0=================================================================
    ==974123==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fda5fffe9a0 at pc 0x00000049b787 bp 0x7fda5fff98d0 sp 0x7fda5fff9098
    READ of size 57344 at 0x7fda5fffe9a0 thread T1
        #0 0x49b786 in __asan_memcpy (/home/root/randomFuzz/sngrep/sngrep/sngrep_N_R_I/sngrep+0x49b786)
        #1 0x4dc7f1 in packet_set_payload /home/root/FuzzDateset/sngrep/sngrep-1.6.0/src/packet.c:147:9
        #2 0x4d1697 in parse_packet /home/root/FuzzDateset/sngrep/sngrep-1.6.0/src/capture.c:430:9
        #3 0x7fda61bad466  (/lib/x86_64-linux-gnu/libpcap.so.0.8+0x23466)
        #4 0x7fda61b9bf67 in pcap_loop (/lib/x86_64-linux-gnu/libpcap.so.0.8+0x11f67)
        #5 0x4cf5c9 in capture_thread /home/root/FuzzDateset/sngrep/sngrep-1.6.0/src/capture.c:1042:5
        #6 0x7fda61b6d608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477:8
        #7 0x7fda61918132 in __clone /build/glibc-SzIz7B/glibc-2.31/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95
    
    Address 0x7fda5fffe9a0 is located in stack of thread T1 at offset 20512 in frame
        #0 0x4d067f in parse_packet /home/root/FuzzDateset/sngrep/sngrep-1.6.0/src/capture.c:321
    
      This frame has 3 object(s):
        [32, 20512) 'data' (line 333)
        [20768, 20772) 'size_capture' (line 337) <== Memory access at offset 20512 partially underflows this variable
        [20784, 20788) 'size_payload' (line 339) <== Memory access at offset 20512 partially underflows this variable
    HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
          (longjmp and C++ exceptions *are* supported)
    Thread T1 created by T0 here:
        #0 0x486a8c in pthread_create (/home/root/randomFuzz/sngrep/sngrep/sngrep_N_R_I/sngrep+0x486a8c)
        #1 0x4d712c in capture_launch_thread /home/root/FuzzDateset/sngrep/sngrep-1.6.0/src/capture.c:1027:13
        #2 0x4efb9e in main /home/root/FuzzDateset/sngrep/sngrep-1.6.0/src/main.c:433:9
        #3 0x7fda6181d082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
    
    SUMMARY: AddressSanitizer: stack-buffer-overflow (/home/root/randomFuzz/sngrep/sngrep/sngrep_N_R_I/sngrep+0x49b786) in __asan_memcpy
    Shadow bytes around the buggy address:
      0x0ffbcbff7ce0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0ffbcbff7cf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0ffbcbff7d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0ffbcbff7d10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0ffbcbff7d20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x0ffbcbff7d30: 00 00 00 00[f2]f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2
      0x0ffbcbff7d40: f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2
      0x0ffbcbff7d50: f2 f2 f2 f2 04 f2 04 f3 00 00 00 00 00 00 00 00
      0x0ffbcbff7d60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0ffbcbff7d70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0ffbcbff7d80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
    ==974123==ABORTING

CVE-2023-31981: [bug] sngrep stack buffer overflow · Issue #430 · irontec/sngrep

Catdoc v0.95 was discovered to contain a global buffer overflow via the function process_file at /src/reader.c.

When the program input contains the option of "-b" , the program will cause global buffer overflow error.

Test Environment  
Ubuntu 20.04, 64 bit catdoc (version: 0.95; )

How to trigger  
Compile the program with AddressSanitizer  
Run command $ .catdoc -b $POC  
Details  
ASAN report  
$./catdoc -b $POC

    =================================================================
    ==928572==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000000ddb81e at pc 0x0000004cfcf2 bp 0x7ffd66b3b610 sp 0x7ffd66b3b608
    READ of size 2 at 0x000000ddb81e thread T0
        #0 0x4cfcf1 in process_file /home/root/FuzzDateset/catdoc/catdoc-0.95/src/reader.c:175:6
        #1 0x4d12a2 in analyze_format /home/root/FuzzDateset/catdoc/catdoc-0.95/src/analyze.c:38:10
        #2 0x4cd221 in main /home/root/FuzzDateset/catdoc/catdoc-0.95/src/catdoc.c:180:6
        #3 0x7fcb6627f082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
        #4 0x41d44d in _start (/home/root/randomFuzz/catdoc/catdoc/catdoc_a_u_b/catdoc+0x41d44d)
    
    0x000000ddb81e is located 2 bytes to the left of global variable 'buffer' defined in 'reader.c:13:20' (0xddb820) of size 524288
    0x000000ddb81e is located 22 bytes to the right of global variable 'output_buffer' defined in 'catdoc.c:26:22' (0xddb800) of size 8
    SUMMARY: AddressSanitizer: global-buffer-overflow /home/root/FuzzDateset/catdoc/catdoc-0.95/src/reader.c:175:6 in process_file
    Shadow bytes around the buggy address:
      0x0000801b36b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0000801b36c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0000801b36d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0000801b36e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0000801b36f0: 00 00 00 00 04 f9 f9 f9 00 f9 f9 f9 00 f9 f9 f9
    =>0x0000801b3700: 00 f9 f9[f9]00 00 00 00 00 00 00 00 00 00 00 00
      0x0000801b3710: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0000801b3720: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0000801b3730: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0000801b3740: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0000801b3750: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
    ==928572==ABORTING
    

The URL of PoC is PoC

CVE-2023-31979: catdoc  global buffer overflow -- by misuse of the option "-b" · Issue #9 · petewarden/catdoc

Sngrep v1.6.0 was discovered to contain a heap buffer overflow via the function capture_packet_reasm_ip at /src/capture.c.

How to trigger  
Compile the program with AddressSanitizer  
Run command $ ./sngrep -N -R -I $PoC  
Details  
ASAN report  
$./sngrep -N -R -I $PoC

    Dialog count: 0=================================================================
    ==974271==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000080a0 at pc 0x0000004d385c bp 0x7f69535f92f0 sp 0x7f69535f92e8
    READ of size 2 at 0x6020000080a0 thread T1
        #0 0x4d385b in capture_packet_reasm_ip /home/root/FuzzDateset/sngrep/sngrep-1.6.0/src/capture.c:678:49
        #1 0x4d0d09 in parse_packet /home/root/FuzzDateset/sngrep/sngrep-1.6.0/src/capture.c:367:17
        #2 0x7f695522a466  (/lib/x86_64-linux-gnu/libpcap.so.0.8+0x23466)
        #3 0x7f6955218f67 in pcap_loop (/lib/x86_64-linux-gnu/libpcap.so.0.8+0x11f67)
        #4 0x4cf5c9 in capture_thread /home/root/FuzzDateset/sngrep/sngrep-1.6.0/src/capture.c:1042:5
        #5 0x7f69551ea608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477:8
        #6 0x7f6954f95132 in __clone /build/glibc-SzIz7B/glibc-2.31/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95
    
    0x6020000080a0 is located 15 bytes to the right of 1-byte region [0x602000008090,0x602000008091)
    allocated by thread T1 here:
        #0 0x49c3cd in __interceptor_malloc (/home/root/randomFuzz/sngrep/sngrep/sngrep_N_R_I/sngrep+0x49c3cd)
        #1 0x4dbb59 in packet_add_frame /home/root/FuzzDateset/sngrep/sngrep-1.6.0/src/packet.c:123:19
        #2 0x4d31ee in capture_packet_reasm_ip /home/root/FuzzDateset/sngrep/sngrep-1.6.0/src/capture.c:639:9
        #3 0x4d0d09 in parse_packet /home/root/FuzzDateset/sngrep/sngrep-1.6.0/src/capture.c:367:17
        #4 0x7f695522a466  (/lib/x86_64-linux-gnu/libpcap.so.0.8+0x23466)
    
    Thread T1 created by T0 here:
        #0 0x486a8c in pthread_create (/home/root/randomFuzz/sngrep/sngrep/sngrep_N_R_I/sngrep+0x486a8c)
        #1 0x4d712c in capture_launch_thread /home/root/FuzzDateset/sngrep/sngrep-1.6.0/src/capture.c:1027:13
        #2 0x4efb9e in main /home/root/FuzzDateset/sngrep/sngrep-1.6.0/src/main.c:433:9
        #3 0x7f6954e9a082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /home/root/FuzzDateset/sngrep/sngrep-1.6.0/src/capture.c:678:49 in capture_packet_reasm_ip
    Shadow bytes around the buggy address:
      0x0c047fff8fc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8fd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8fe0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8ff0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff9000: fa fa 00 00 fa fa fd fa fa fa fd fa fa fa 00 00
    =>0x0c047fff9010: fa fa 01 fa[fa]fa fd fd fa fa 00 00 fa fa 01 fa
      0x0c047fff9020: fa fa 00 00 fa fa 01 fa fa fa 00 00 fa fa 01 fa
      0x0c047fff9030: fa fa 00 00 fa fa 01 fa fa fa 00 00 fa fa 01 fa
      0x0c047fff9040: fa fa 00 00 fa fa 01 fa fa fa 00 00 fa fa 01 fa
      0x0c047fff9050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff9060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
    ==974271==ABORTING

CVE-2023-31982: [bug] sngrep heap buffer overflow · Issue #431 · irontec/sngrep

libming v0.4.8 was discovered to contain a stack buffer overflow via the function makeswf_preprocess at /util/makeswf_utils.c.

When the program input contains the option of "-D" or "-o" , the program will cause stack buffer overflow error.

How to trigger  
Compile the program with AddressSanitizer  
Run command $ touch aaa  
$ ./makeswf -D iiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiii -o aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaa  
Details  
ASAN report

    $ ./makeswf -D  iiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiii -o  aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaa
    Output file name: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
    Output compression level: 9
    Output SWF version: 6
    Preprocessing ../../aaa... =================================================================
    ==2497535==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffd856fb8a0 at pc 0x00000043d930 bp 0x7ffd856fb370 sp 0x7ffd856fab08
    WRITE of size 1291 at 0x7ffd856fb8a0 thread T0
        #0 0x43d92f in __interceptor_vsprintf (/home/root/Dataset/libming/sourcecode/origin_asan/install/bin/makeswf+0x43d92f)
        #1 0x43e913 in sprintf (/home/root/Dataset/libming/sourcecode/origin_asan/install/bin/makeswf+0x43e913)
        #2 0x4d0fca in makeswf_preprocess /home/root/Dataset/libming/sourcecode/libming-ming-0_4_8/util/makeswf_utils.c:251:2
        #3 0x4d0a33 in makeswf_compile_source /home/root/Dataset/libming/sourcecode/libming-ming-0_4_8/util/makeswf_utils.c:114:10
        #4 0x4cddc6 in main /home/root/Dataset/libming/sourcecode/libming-ming-0_4_8/util/makeswf.c:412:9
        #5 0x7f3229403082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
        #6 0x41d5bd in _start (/home/root/Dataset/libming/sourcecode/origin_asan/install/bin/makeswf+0x41d5bd)
    
    Address 0x7ffd856fb8a0 is located in stack of thread T0 at offset 1056 in frame
        #0 0x4d0d7f in makeswf_preprocess /home/root/Dataset/libming/sourcecode/libming-ming-0_4_8/util/makeswf_utils.c:240
    
      This frame has 2 object(s):
        [32, 1056) 'buf' (line 241)
        [1184, 1328) 'statbuf' (line 243) <== Memory access at offset 1056 partially underflows this variable
    HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
          (longjmp and C++ exceptions *are* supported)
    SUMMARY: AddressSanitizer: stack-buffer-overflow (/home/root/Dataset/libming/sourcecode/origin_asan/install/bin/makeswf+0x43d92f) in __interceptor_vsprintf
    Shadow bytes around the buggy address:
      0x100030ad76c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x100030ad76d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x100030ad76e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x100030ad76f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x100030ad7700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x100030ad7710: 00 00 00 00[f2]f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2
      0x100030ad7720: f2 f2 f2 f2 00 00 00 00 00 00 00 00 00 00 00 00
      0x100030ad7730: 00 00 00 00 00 00 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3
      0x100030ad7740: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x100030ad7750: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 00
      0x100030ad7760: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
    ==2497535==ABORTING

CVE-2023-31976: makeswf stack buffer overflow · Issue #265 · libming/libming

An arbitrary code execution vulnerability contained in Rockwell Automation's Arena Simulation software was reported that could potentially allow a malicious user to commit unauthorized arbitrary code to the software by using a memory buffer overflow potentially resulting in a complete loss of confidentiality, integrity, and availability.


Skip Navigation

menu

*   Support Center
*   Get Support Chat & Submit a Question Phone Support Holiday Schedule
*   Training & Webinars
*   Online Forum
*   Customer Care Customer Care Overview Phone Support Holiday Schedule

Sign In

Quickly log in or create an account using an existing service

Yahoo

What will happen: When you click on this button you will be taken to Yahoo. Once you log in, Yahoo will verify you and send you back here where you'll be logged in!

Log In or Create an AccountOpens new dialog

Please log in to continue, Username Password

Email Address \*

Username \*

Password

Re-enter a value for the field 'Password'

Must match Password

First Name \*

Last Name \*

Forgot your username or password?

The page will refresh upon submission. Any pending input will be lost.

03-Feb-2022 - Important product notice regarding Microsoft vulnerability patch (MS KB5004442)

Current product hierarchy

1.  Automation Control
2.  Design & Configuration
3.  Arena

ID: PN1621 | Access Levels: Everyone

**Search**

Did you mean:

**Published Date**Published Date 05/09/2023

**Login Required to View Full Answer Content**

Please use the 'Sign In' button above

Tag

#buffer_overflow