illumos illumos-gate before 676abcb has a stack buffer overflow in /dev/net, leading to privilege escalation via a stat on a long file name in /dev/net.

**illumos-gate**

This is the core illumos source tree.

**Building**

The illumos build must be run on an illumos-based operating system. See the Building illumos section of our documentation for detailed instructions.

**Contributing**

Code changes must be reviewed and tested. If you'd like to submit a change for inclusion in the project, please see the Contributing to illumos guide in our documentation.

**Community**

The illumos community is small but active. We welcome everybody who would like to use the software and participate in the community -- whether you've decades of experience in systems software, or you're just getting started; whether you work for a company that uses illumos, or you just find it personally interesting.

Our Community guide includes details about our Mailing Lists and IRC channels.

**Code of Conduct**

Participation in our community spaces, and in the project in general, are covered by our Code of Conduct. By participating in the project you agree to abide by its terms.

**License**

Most of the existing code is licensed under the CDDL and we expect new code will generally be under this license as well. Modifications of existing code may not alter the original license terms. Integrations of code from upstream sources that use another open source license are permissible, subject to approval of the advocates.

CVE-2023-31284: GitHub - illumos/illumos-gate at 16b76d3cb933ff92018a2a75594449010192eacb

In NanoMQ v0.15.0-0, Heap overflow occurs in read_byte function of mqtt_code.c.

**Describe the bug**  
Heap overflow occurred in read\_byte function of mqtt\_code.c Confirmed with address sanitizer

    =================================================================
    ==104134==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60f000010b2f at pc 0x55e80f3d0747 bp 0x7f98a11f28b0 sp 0x7f98a11f28a0
    READ of size 1 at 0x60f000010b2f thread T13
        #0 0x55e80f3d0746 in read_byte /home/lab/Desktop/broker/nanomq3/nanomq/nng/src/supplemental/mqtt/mqtt_codec.c:2712
        #1 0x55e80f3d68f1 in decode_buf_properties /home/lab/Desktop/broker/nanomq3/nanomq/nng/src/supplemental/mqtt/mqtt_codec.c:3754
        #2 0x55e80f398540 in conn_handler /home/lab/Desktop/broker/nanomq3/nanomq/nng/src/sp/protocol/mqtt/mqtt_parser.c:616
        #3 0x55e80f47ca51 in tcptran_pipe_nego_cb /home/lab/Desktop/broker/nanomq3/nanomq/nng/src/sp/transport/mqtt/broker_tcp.c:349
        #4 0x55e80f37ba2f in nni_taskq_thread /home/lab/Desktop/broker/nanomq3/nanomq/nng/src/core/taskq.c:50
        #5 0x55e80f37cde7 in nni_thr_wrap /home/lab/Desktop/broker/nanomq3/nanomq/nng/src/core/thread.c:94
        #6 0x55e80f385f9c in nni_plat_thr_main /home/lab/Desktop/broker/nanomq3/nanomq/nng/src/platform/posix/posix_thread.c:266
        #7 0x7f98aaac8b42 in start_thread nptl/pthread_create.c:442
        #8 0x7f98aab5a9ff  (/lib/x86_64-linux-gnu/libc.so.6+0x1269ff)
    
    0x60f000010b2f is located 0 bytes to the right of 175-byte region [0x60f000010a80,0x60f000010b2f)
    allocated by thread T13 here:
        #0 0x7f98aad34867 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
        #1 0x55e80f381604 in nni_alloc /home/lab/Desktop/broker/nanomq3/nanomq/nng/src/platform/posix/posix_alloc.c:20
        #2 0x55e80f35076b in nng_alloc /home/lab/Desktop/broker/nanomq3/nanomq/nng/src/nng.c:60
        #3 0x55e80f47c765 in tcptran_pipe_nego_cb /home/lab/Desktop/broker/nanomq3/nanomq/nng/src/sp/transport/mqtt/broker_tcp.c:331
        #4 0x55e80f37ba2f in nni_taskq_thread /home/lab/Desktop/broker/nanomq3/nanomq/nng/src/core/taskq.c:50
        #5 0x55e80f37cde7 in nni_thr_wrap /home/lab/Desktop/broker/nanomq3/nanomq/nng/src/core/thread.c:94
        #6 0x55e80f385f9c in nni_plat_thr_main /home/lab/Desktop/broker/nanomq3/nanomq/nng/src/platform/posix/posix_thread.c:266
        #7 0x7f98aaac8b42 in start_thread nptl/pthread_create.c:442
    
    Thread T13 created by T0 here:
        #0 0x7f98aacd8685 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:216
        #1 0x55e80f3860cc in nni_plat_thr_init /home/lab/Desktop/broker/nanomq3/nanomq/nng/src/platform/posix/posix_thread.c:279
        #2 0x55e80f37d093 in nni_thr_init /home/lab/Desktop/broker/nanomq3/nanomq/nng/src/core/thread.c:121
        #3 0x55e80f37bd51 in nni_taskq_init /home/lab/Desktop/broker/nanomq3/nanomq/nng/src/core/taskq.c:95
        #4 0x55e80f37cab1 in nni_taskq_sys_init /home/lab/Desktop/broker/nanomq3/nanomq/nng/src/core/taskq.c:294
        #5 0x55e80f366a57 in nni_init_helper /home/lab/Desktop/broker/nanomq3/nanomq/nng/src/core/init.c:35
        #6 0x55e80f386471 in nni_plat_init /home/lab/Desktop/broker/nanomq3/nanomq/nng/src/platform/posix/posix_thread.c:422
        #7 0x55e80f366ad8 in nni_init /home/lab/Desktop/broker/nanomq3/nanomq/nng/src/core/init.c:58
        #8 0x55e80f3aa85c in nni_proto_mqtt_open /home/lab/Desktop/broker/nanomq3/nanomq/nng/src/sp/protocol.c:37
        #9 0x55e80f3a6c00 in nng_nmq_tcp0_open /home/lab/Desktop/broker/nanomq3/nanomq/nng/src/sp/protocol/mqtt/nmq_mqtt.c:1258
        #10 0x55e80f34b744 in broker /home/lab/Desktop/broker/nanomq3/nanomq/nanomq/apps/broker.c:865
        #11 0x55e80f34fc72 in broker_start /home/lab/Desktop/broker/nanomq3/nanomq/nanomq/apps/broker.c:1592
        #12 0x55e80f31a3bf in main /home/lab/Desktop/broker/nanomq3/nanomq/nanomq/nanomq.c:142
        #13 0x7f98aaa5dd8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /home/lab/Desktop/broker/nanomq3/nanomq/nng/src/supplemental/mqtt/mqtt_codec.c:2712 in read_byte
    Shadow bytes around the buggy address:
      0x0c1e7fffa110: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
      0x0c1e7fffa120: fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa
      0x0c1e7fffa130: fa fa fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x0c1e7fffa140: fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa fa
      0x0c1e7fffa150: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x0c1e7fffa160: 00 00 00 00 00[07]fa fa fa fa fa fa fa fa fa fa
      0x0c1e7fffa170: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c1e7fffa180: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c1e7fffa190: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c1e7fffa1a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c1e7fffa1b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==104134==ABORTING
    

import time 
import socket

def check\_input(input, sleep\_time \= 0.01):
	s \= socket.socket(socket.AF\_INET, socket.SOCK\_STREAM)
	while True:
		try:
			s.connect(('127.0.0.1', 1883))
			s.send(input)      
			s.close()
			break
		except ConnectionResetError:
			continue
		except ConnectionRefusedError:
			break

	time.sleep(sleep\_time)

def check\_crash\_log(crash\_log):
	for c in reversed(crash\_log):
		c\_bytes \= bytearray.fromhex(c)
		status \= check\_input(c\_bytes, 0.25)
		if status \== False:
			print('\[+\] A crash was detected')
			return c\_bytes
	print('\[-\] No crash..')
	exit(\-1)

with open('target-1675832337.790905.txt', 'r') as f:
	crash\_log \= f.readlines()

check\_crash\_log(crash\_log)

CVE-2023-29994: [Bug] Heap-based Buffer Overflow in `mqtt_code.c`(`read_byte`) · Issue #1042 · emqx/nanomq

In NanoMQ v0.15.0-0, a Heap overflow occurs in copyn_utf8_str function of mqtt_parser.c

\==88333==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 168 byte(s) in 1 object(s) allocated from:  
#0 0x7fb518c98a37 in \_\_interceptor\_calloc ../../../../src/libsanitizer/asan/asan\_malloc\_linux.cpp:154  
#1 0x564ecf7d6fb5 in nni\_zalloc /home/jaylin/Projects/EdgeComputing/nanomq/nng/src/platform/posix/posix\_alloc.c:26  
#2 0x564ecf7c0f6b in nni\_msg\_alloc /home/jaylin/Projects/EdgeComputing/nanomq/nng/src/core/message.c:387  
#3 0x564ecfb348d4 in tcptran\_pipe\_recv\_cb /home/jaylin/Projects/EdgeComputing/nanomq/nng/src/sp/transport/mqtt/broker\_tcp.c:766  
#4 0x564ecf7d13af in nni\_taskq\_thread /home/jaylin/Projects/EdgeComputing/nanomq/nng/src/core/taskq.c:50  
#5 0x564ecf7d2767 in nni\_thr\_wrap /home/jaylin/Projects/EdgeComputing/nanomq/nng/src/core/thread.c:94  
#6 0x564ecf7db91c in nni\_plat\_thr\_main /home/jaylin/Projects/EdgeComputing/nanomq/nng/src/platform/posix/posix\_thread.c:266  
#7 0x7fb518570b42 in start\_thread nptl/pthread\_create.c:442

Direct leak of 168 byte(s) in 1 object(s) allocated from:  
#0 0x7fb518c98a37 in \_\_interceptor\_calloc ../../../../src/libsanitizer/asan/asan\_malloc\_linux.cpp:154  
#1 0x564ecf7d6fb5 in nni\_zalloc /home/jaylin/Projects/EdgeComputing/nanomq/nng/src/platform/posix/posix\_alloc.c:26  
#2 0x564ecf7c0f6b in nni\_msg\_alloc /home/jaylin/Projects/EdgeComputing/nanomq/nng/src/core/message.c:387  
#3 0x564ecf80390a in nano\_pipe\_start /home/jaylin/Projects/EdgeComputing/nanomq/nng/src/sp/protocol/mqtt/nmq\_mqtt.c:616  
#4 0x564ecf7cdc88 in nni\_listener\_add\_pipe /home/jaylin/Projects/EdgeComputing/nanomq/nng/src/core/socket.c:1601  
#5 0x564ecf7be3c1 in listener\_accept\_cb /home/jaylin/Projects/EdgeComputing/nanomq/nng/src/core/listener.c:357  
#6 0x564ecf7d13af in nni\_taskq\_thread /home/jaylin/Projects/EdgeComputing/nanomq/nng/src/core/taskq.c:50  
#7 0x564ecf7d2767 in nni\_thr\_wrap /home/jaylin/Projects/EdgeComputing/nanomq/nng/src/core/thread.c:94  
#8 0x564ecf7db91c in nni\_plat\_thr\_main /home/jaylin/Projects/EdgeComputing/nanomq/nng/src/platform/posix/posix\_thread.c:266  
#9 0x7fb518570b42 in start\_thread nptl/pthread\_create.c:442

Direct leak of 168 byte(s) in 1 object(s) allocated from:  
#0 0x7fb518c98a37 in \_\_interceptor\_calloc ../../../../src/libsanitizer/asan/asan\_malloc\_linux.cpp:154  
#1 0x564ecf7d6fb5 in nni\_zalloc /home/jaylin/Projects/EdgeComputing/nanomq/nng/src/platform/posix/posix\_alloc.c:26  
#2 0x564ecf7c0f6b in nni\_msg\_alloc /home/jaylin/Projects/EdgeComputing/nanomq/nng/src/core/message.c:387  
#3 0x564ecfb33fa4 in tcptran\_pipe\_recv\_cb /home/jaylin/Projects/EdgeComputing/nanomq/nng/src/sp/transport/mqtt/broker\_tcp.c:670  
#4 0x564ecf7d13af in nni\_taskq\_thread /home/jaylin/Projects/EdgeComputing/nanomq/nng/src/core/taskq.c:50  
#5 0x564ecf7d2767 in nni\_thr\_wrap /home/jaylin/Projects/EdgeComputing/nanomq/nng/src/core/thread.c:94  
#6 0x564ecf7db91c in nni\_plat\_thr\_main /home/jaylin/Projects/EdgeComputing/nanomq/nng/src/platform/posix/posix\_thread.c:266  
#7 0x7fb518570b42 in start\_thread nptl/pthread\_create.c:442

Indirect leak of 66 byte(s) in 1 object(s) allocated from:  
#0 0x7fb518c98a37 in \_\_interceptor\_calloc ../../../../src/libsanitizer/asan/asan\_malloc\_linux.cpp:154  
#1 0x564ecf7d6fb5 in nni\_zalloc /home/jaylin/Projects/EdgeComputing/nanomq/nng/src/platform/posix/posix\_alloc.c:26  
#2 0x564ecf7bfd46 in nni\_chunk\_grow /home/jaylin/Projects/EdgeComputing/nanomq/nng/src/core/message.c:158  
#3 0x564ecf7c0fbb in nni\_msg\_alloc /home/jaylin/Projects/EdgeComputing/nanomq/nng/src/core/message.c:397  
#4 0x564ecfb33fa4 in tcptran\_pipe\_recv\_cb /home/jaylin/Projects/EdgeComputing/nanomq/nng/src/sp/transport/mqtt/broker\_tcp.c:670  
#5 0x564ecf7d13af in nni\_taskq\_thread /home/jaylin/Projects/EdgeComputing/nanomq/nng/src/core/taskq.c:50  
#6 0x564ecf7d2767 in nni\_thr\_wrap /home/jaylin/Projects/EdgeComputing/nanomq/nng/src/core/thread.c:94  
#7 0x564ecf7db91c in nni\_plat\_thr\_main /home/jaylin/Projects/EdgeComputing/nanomq/nng/src/platform/posix/posix\_thread.c:266  
#8 0x7fb518570b42 in start\_thread nptl/pthread\_create.c:442

Indirect leak of 64 byte(s) in 1 object(s) allocated from:  
#0 0x7fb518c98a37 in \_\_interceptor\_calloc ../../../../src/libsanitizer/asan/asan\_malloc\_linux.cpp:154  
#1 0x564ecf7d6fb5 in nni\_zalloc /home/jaylin/Projects/EdgeComputing/nanomq/nng/src/platform/posix/posix\_alloc.c:26  
#2 0x564ecf7bfd46 in nni\_chunk\_grow /home/jaylin/Projects/EdgeComputing/nanomq/nng/src/core/message.c:158  
#3 0x564ecf7c0fbb in nni\_msg\_alloc /home/jaylin/Projects/EdgeComputing/nanomq/nng/src/core/message.c:397  
#4 0x564ecfb348d4 in tcptran\_pipe\_recv\_cb /home/jaylin/Projects/EdgeComputing/nanomq/nng/src/sp/transport/mqtt/broker\_tcp.c:766  
#5 0x564ecf7d13af in nni\_taskq\_thread /home/jaylin/Projects/EdgeComputing/nanomq/nng/src/core/taskq.c:50  
#6 0x564ecf7d2767 in nni\_thr\_wrap /home/jaylin/Projects/EdgeComputing/nanomq/nng/src/core/thread.c:94  
#7 0x564ecf7db91c in nni\_plat\_thr\_main /home/jaylin/Projects/EdgeComputing/nanomq/nng/src/platform/posix/posix\_thread.c:266  
#8 0x7fb518570b42 in start\_thread nptl/pthread\_create.c:442

Indirect leak of 64 byte(s) in 1 object(s) allocated from:  
#0 0x7fb518c98a37 in \_\_interceptor\_calloc ../../../../src/libsanitizer/asan/asan\_malloc\_linux.cpp:154  
#1 0x564ecf7d6fb5 in nni\_zalloc /home/jaylin/Projects/EdgeComputing/nanomq/nng/src/platform/posix/posix\_alloc.c:26  
#2 0x564ecf7bfd46 in nni\_chunk\_grow /home/jaylin/Projects/EdgeComputing/nanomq/nng/src/core/message.c:158  
#3 0x564ecf7c0fbb in nni\_msg\_alloc /home/jaylin/Projects/EdgeComputing/nanomq/nng/src/core/message.c:397  
#4 0x564ecf80390a in nano\_pipe\_start /home/jaylin/Projects/EdgeComputing/nanomq/nng/src/sp/protocol/mqtt/nmq\_mqtt.c:616  
#5 0x564ecf7cdc88 in nni\_listener\_add\_pipe /home/jaylin/Projects/EdgeComputing/nanomq/nng/src/core/socket.c:1601  
#6 0x564ecf7be3c1 in listener\_accept\_cb /home/jaylin/Projects/EdgeComputing/nanomq/nng/src/core/listener.c:357  
#7 0x564ecf7d13af in nni\_taskq\_thread /home/jaylin/Projects/EdgeComputing/nanomq/nng/src/core/taskq.c:50  
#8 0x564ecf7d2767 in nni\_thr\_wrap /home/jaylin/Projects/EdgeComputing/nanomq/nng/src/core/thread.c:94  
#9 0x564ecf7db91c in nni\_plat\_thr\_main /home/jaylin/Projects/EdgeComputing/nanomq/nng/src/platform/posix/posix\_thread.c:266  
#10 0x7fb518570b42 in start\_thread nptl/pthread\_create.c:442

SUMMARY: AddressSanitizer: 698 byte(s) leaked in 6 allocation(s).

CVE-2023-29995: [Bug] Heap-based Buffer Overflow in `mqtt_parser.c` - `copyn_utf8_str()` · Issue #1043 · emqx/nanomq

Gentoo Linux Security Advisory 202305-20 - A buffer overflow vulnerability has been discovered in libapreq2 which could result in denial of service. Versions less than 2.17 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202305-20  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Low  
    Title: libapreq2: Buffer Overflow  
     Date: May 03, 2023  
     Bugs: #866536  
       ID: 202305-20

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

A buffer overflow vulnerability has been discovered in libapreq2 which  
could result in denial of service.

Background  
==========

libapreq is a shared library with associated modules for manipulating  
client request data via the Apache API.

Affected packages  
=================

    -------------------------------------------------------------------  
     Package              /     Vulnerable     /            Unaffected  
    -------------------------------------------------------------------  
  1  www-apache/libapreq2       < 2.17                        >= 2.17

Description  
===========

TODO

Impact  
======

An attacker could submit a crafted multipart form to trigger the buffer  
overflow and cause a denial of service.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All libapreq2 users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=www-apache/libapreq2-2.17"

References  
==========

[ 1 ] CVE-2022-22728  
      https://nvd.nist.gov/vuln/detail/CVE-2022-22728

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202305-20

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2023 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202305-20

An issue was discovered in bgpd in FRRouting (FRR) through 8.4. By crafting a BGP OPEN message with an option of type 0xff (Extended Length from RFC 9072), attackers may cause a denial of service (assertion failure and daemon restart, or out-of-bounds read). This is possible because of inconsistent boundary checks that do not account for reading 3 bytes (instead of 2) in this 0xff case.

CVE-2022-40302: Releases · FRRouting/frr

Insufficient length checks in the ShapeShift KeepKey hardware wallet firmware before 7.7.0 allow a global buffer overflow via crafted messages. Flaws in cf_confirmExecTx() in ethereum_contracts.c can be used to reveal arbitrary microcontroller memory on the device screen or crash the device. With physical access to a PIN-unlocked device, attackers can extract the BIP39 mnemonic secret from the hardware wallet.

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Pick a username

Email Address

Password

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CVE-2023-27892: remove obsolete cfunc code by markrypt0 · Pull Request #337 · keepkey/keepkey-firmware

A buffer overflow vulnerability in the Zyxel NBG-418N v2 firmware versions prior to V1.00(AARP.14)C0 could allow a remote authenticated attacker with administrator privileges to cause denial-of-service (DoS) conditions by executing crafted CLI commands on a vulnerable device.

CVE-2023-22924

SmartDNS through 41 before 56d0332 allows an out-of-bounds write because of a stack-based buffer overflow in the _dns_encode_domain function in the dns.c file, via a crafted DNS request.

Expand Up @@ -274,6 +274,10 @@ static int \_dns\_encode\_domain(struct dns\_context \*context, const char \*domain) total\_len++; if (dict\_offset >= 0) { int offset = 0xc000 | dict\_offset; if (\_dns\_left\_len(context) < 2) { return -1; }  
\_dns\_write\_short(&ptr\_num, offset); context->ptr++; ptr\_num = NULL; Expand All @@ -295,6 +299,10 @@ static int \_dns\_encode\_domain(struct dns\_context \*context, const char \*domain) domain++; }  
if (\_dns\_left\_len(context) < 1) { return -1; }  
\*ptr\_num = num;  
if (total\_len > 1) { Expand Down Expand Up @@ -575,7 +583,7 @@ struct dns\_rr\_nested \*dns\_add\_rr\_nested\_start(struct dns\_rr\_nested \*rr\_nested\_bu return rr\_nested\_buffer; }  
int dns\_add\_rr\_nested\_memcpy(struct dns\_rr\_nested \*rr\_nested, void \*data, int data\_len) int dns\_add\_rr\_nested\_memcpy(struct dns\_rr\_nested \*rr\_nested, const void \*data, int data\_len) { if (rr\_nested == NULL || data == NULL || data\_len <= 0) { return -1; Expand Down Expand Up @@ -603,6 +611,12 @@ int dns\_add\_rr\_nested\_end(struct dns\_rr\_nested \*rr\_nested, dns\_type\_t rtype) return -1; }  
/\* NO SVC keys, reset ptr \*/ if (len <= 14) { rr\_nested->context.ptr = rr\_nested->rr\_start; return 0; }  
\_dns\_write\_short(&ptr, len - rr\_nested->rr\_head\_len);  
return \_dns\_rr\_add\_end(rr\_nested->context.packet, rr\_nested->type, rtype, len); Expand Down Expand Up @@ -1076,7 +1090,12 @@ int dns\_add\_HTTPS\_start(struct dns\_rr\_nested \*svcparam\_buffer, struct dns\_packet return -1; }  
int target\_len = strnlen(target, DNS\_MAX\_CNAME\_LEN) + 1; int target\_len = 0; if (target == NULL) { target = ""; }  
target\_len = strnlen(target, DNS\_MAX\_CNAME\_LEN) + 1; if (\_dns\_left\_len(&svcparam\_buffer->context) < 2 + target\_len) { return -1; } Expand Down Expand Up @@ -1117,6 +1136,22 @@ int dns\_HTTPS\_add\_port(struct dns\_rr\_nested \*svcparam, unsigned short port) return 0; }  
int dns\_HTTPS\_add\_alpn(struct dns\_rr\_nested \*svcparam, const char \*alpn, int alpn\_len) { if (\_dns\_left\_len(&svcparam->context) < 2 + 2 + alpn\_len) { return -1; }  
unsigned short value = DNS\_HTTPS\_T\_ALPN; dns\_add\_rr\_nested\_memcpy(svcparam, &value, 2);  
value = alpn\_len; dns\_add\_rr\_nested\_memcpy(svcparam, &value, 2); dns\_add\_rr\_nested\_memcpy(svcparam, alpn, alpn\_len);  
return 0; }  
int dns\_HTTPS\_add\_ech(struct dns\_rr\_nested \*svcparam, void \*ech, int ech\_len) { if (\_dns\_left\_len(&svcparam->context) < 2 + 2 + ech\_len) { Expand All @@ -1133,7 +1168,7 @@ int dns\_HTTPS\_add\_ech(struct dns\_rr\_nested \*svcparam, void \*ech, int ech\_len) return 0; }  
int dns\_HTTPS\_add\_ipv4hint(struct dns\_rr\_nested \*svcparam, unsigned char addr\[\]\[DNS\_RR\_A\_LEN\], int addr\_num) int dns\_HTTPS\_add\_ipv4hint(struct dns\_rr\_nested \*svcparam, unsigned char \*addr\[\], int addr\_num) { if (\_dns\_left\_len(&svcparam->context) < 4 + addr\_num \* DNS\_RR\_A\_LEN) { return -1; Expand All @@ -1151,7 +1186,8 @@ int dns\_HTTPS\_add\_ipv4hint(struct dns\_rr\_nested \*svcparam, unsigned char addr\[\]\[  
return 0; } int dns\_HTTPS\_add\_ipv6hint(struct dns\_rr\_nested \*svcparam, unsigned char addr\[\]\[DNS\_RR\_AAAA\_LEN\], int addr\_num)  
int dns\_HTTPS\_add\_ipv6hint(struct dns\_rr\_nested \*svcparam, unsigned char \*addr\[\], int addr\_num) { if (\_dns\_left\_len(&svcparam->context) < 4 + addr\_num \* DNS\_RR\_AAAA\_LEN) { return -1; Expand All @@ -1175,41 +1211,48 @@ int dns\_add\_HTTPS\_end(struct dns\_rr\_nested \*svcparam) return dns\_add\_rr\_nested\_end(svcparam, DNS\_T\_HTTPS); }  
struct dns\_https\_param \*dns\_get\_HTTPS\_svcparm\_start(struct dns\_rrs \*rrs, char \*domain, int maxsize, int \*ttl, int \*priority, char \*target, int target\_size) int dns\_get\_HTTPS\_svcparm\_start(struct dns\_rrs \*rrs, struct dns\_https\_param \*\*https\_param, char \*domain, int maxsize, int \*ttl, int \*priority, char \*target, int target\_size) { int qtype = 0; unsigned char \*data = NULL; int rr\_len = 0;  
data = dns\_get\_rr\_nested\_start(rrs, domain, maxsize, &qtype, ttl, &rr\_len); if (data == NULL) { return NULL; return \-1; }  
if (qtype != DNS\_T\_HTTPS) { return NULL; return \-1; }  
if (rr\_len < 2) { return NULL; return \-1; }  
\*priority = \_dns\_read\_short(&data); rr\_len -= 2; if (rr\_len <= 0) { return NULL; return \-1; }  
int len = strnlen((char \*)data, rr\_len); safe\_strncpy(target, (char \*)data, target\_size); data += len + 1; rr\_len -= len + 1; if (rr\_len <= 0) { return NULL; if (rr\_len < 0) { return -1; }  
if (rr\_len == 0) { \*https\_param = NULL; return 0; }  
return (struct dns\_https\_param \*)data; \*https\_param = (struct dns\_https\_param \*)data;  
return 0; }  
struct dns\_https\_param \*dns\_get\_HTTPS\_svcparm\_next(struct dns\_rrs \*rrs, struct dns\_https\_param \*param) Expand Down Expand Up @@ -1925,12 +1968,16 @@ static int \_dns\_encode\_HTTPS(struct dns\_context \*context, struct dns\_rrs \*rrs) int priority = 0; struct dns\_https\_param \*param = NULL;  
param = dns\_get\_HTTPS\_svcparm\_start(rrs, domain, DNS\_MAX\_CNAME\_LEN, &ttl, &priority, target, DNS\_MAX\_CNAME\_LEN); if (param == NULL) { tlog(TLOG\_ERROR, "get https param failed."); return -1; ret = dns\_get\_HTTPS\_svcparm\_start(rrs, &param, domain, DNS\_MAX\_CNAME\_LEN, &ttl, &priority, target, DNS\_MAX\_CNAME\_LEN); if (ret < 0) { tlog(TLOG\_DEBUG, "get https param failed."); return 0; }  
qtype = DNS\_T\_HTTPS; qclass = DNS\_C\_IN;  
ret = \_dns\_encode\_rr\_head(context, domain, qtype, qclass, ttl, 0, &rr\_len\_ptr); if (ret < 0) { return -1; Expand All @@ -1954,6 +2001,10 @@ static int \_dns\_encode\_HTTPS(struct dns\_context \*context, struct dns\_rrs \*rrs) return -1; }  
if (param->len + 4 > \_dns\_left\_len(context)) { return -1; }  
\_dns\_write\_short(&context->ptr, param->key); \_dns\_write\_short(&context->ptr, param->len); switch (param->key) { Expand All @@ -1974,6 +2025,10 @@ static int \_dns\_encode\_HTTPS(struct dns\_context \*context, struct dns\_rrs \*rrs) } }  
if (\_dns\_left\_len(context) < 2) { return -1; }  
\_dns\_write\_short(&rr\_len\_ptr, context->ptr - rr\_start);  
return 0; Expand Down

CVE-2023-31470: dns: fix crash issue · pymumu/smartdns@56d0332

Certain HP LaserJet Pro print products are potentially vulnerable to Buffer Overflow and/or Remote Code Execution.

**hp-concentra-wrapper-portlet**

 Actions

Certain HP LaserJet Pro print products are potentially vulnerable to Buffer Overflow and/or Remote Code Execution.

Severity

High

HP Reference

HPSBPI03840 rev. 1

Release date

April 6, 2023

Last updated

April 6, 2023

Category

Print

Potential Security Impact

Potential Buffer Overflow, Remote Code Execution

**Relevant Common Vulnerabilities and Exposures (CVE) List**

**Reported by**: Angelboy (@scwuaptx) from DEVCORE Research Team working with Trend Micro Zero Day Initiative

List of CVE IDs    

CVE ID

CVSS 3.0

Severity

Vector

CVE-2023-27972

8.8

High

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Learn more about CVSS 3.0 base metrics, which range from 0 to 10.

PSR-2023-0019

**Resolution**

Update the printer firmware.

HP has provided an updated firmware resolution for potentially affected products listed in the table below. To obtain the updated firmware, go to the HP Customer Support - Software and Driver Downloads, and then search for your printer model.

**Affected products**

Find the products affected and the firmware version that resolves the vulnerabilities.

Affected products    

Product Name

Model Number

Updated Firmware Version

HP Color LaserJet MFP M478-M479 series

W1A75A, W1A76A, W1A77A, W1A81A, W1A82A, W1A79A, W1A80A, W1A78A

002\_2310A or higher

HP Color LaserJet Pro M453-M454 series

W1Y40A, W1Y41A, W1Y46A, W1Y47A, W1Y44A, W1Y45A, W1Y43A

002\_2310A or higher

HP LaserJet Pro M304-M305 Printer series

W1A66A, W1A46A, W1A47A, W1A48A

002\_2310A or higher

HP LaserJet Pro M404-M405 Printer series

W1A51A, W1A53A, W1A56A, W1A63A, W1A52A, 93M22A, W1A58A, W1A59A, W1A60A, W1A57A

002\_2310A or higher

HP LaserJet Pro MFP M428-M429 f series

W1A29A, W1A32A, W1A30A, W1A38A, W1A34A, W1A35A

002\_2310A or higher

HP LaserJet Pro MFP M428-M429 series

W1A28A, W1A31A, W1A33A

002\_2310A or higher

**Revision history**

This document has been revised according to the information below.

List of versions   

Version

Description

Date

1

Initial release

April 6, 2023

**Additional information**

Follow these links for additional information.

Third-party security patches

Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy.

Support

For issues about implementing the recommendations of this Security Bulletin, visit http://www.hp.com/go/contacthp to learn about your HP support options.

Report

To report a potential security vulnerability with any HP supported product, send email to: hp-security-alert@hp.com.

Subscribe

To initiate a subscription to receive future HP Security Bulletin alerts via email, visit https://h41369.www4.hp.com/alerts-signup.php?lang=en&cc=US&jumpid=hpsc\_profile.

Security bulletin archive

To view released Security Bulletins, visit https://support.hp.com/security-bulletins.

It is strongly recommended that security related information being communicated to HP be encrypted using PGP, especially exploit information.

Download HP’s security-alert PGP key

**Legal information**

System management and security procedures must be reviewed frequently to maintain system integrity. HP is continually reviewing and enhancing the security features of software products to provide customers with current secure solutions.

HP is broadly distributing this Security Bulletin in order to bring to the attention of users of the affected HP products the important security information contained in this Security Bulletin. HP recommends that all users determine the applicability of this information to their individual situations and take appropriate action. HP does not warrant that this information is necessarily accurate or complete for all user situations and, consequently, HP will not be responsible for any damages resulting from user's use or disregard of the information provided in this Security Bulletin. To the extent permitted by law, HP disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose, title and non-infringement.

© Copyright 2023 HP Development Company, L.P.

HP Inc. (HP) shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP nor its affiliates, subcontractors or suppliers will be liable for incidental, special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. "HP Inc.," "HP" and the names of HP products referenced herein are trademarks of HP Inc. or its affiliates in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners.

CVE-2023-27972: Certain HP LaserJet Pro Print Products - Potential Buffer Overflow, Remote Code Execution

Certain HP LaserJet Pro print products are potentially vulnerable to Buffer Overflow and/or Elevation of Privilege.

**hp-concentra-wrapper-portlet**

 Actions

Certain HP LaserJet Pro print products are potentially vulnerable to Buffer Overflow and/or Elevation of Privilege.

Severity

High

HP Reference

HPSBPI03839 rev. 1

Release date

April 6, 2023

Last updated

April 6, 2023

Category

Print

Potential Security Impact

Potential Buffer Overflow, Elevation of Privilege

**Relevant Common Vulnerabilities and Exposures (CVE) List**

**Reported by**: Neodyme working with Trend Micro Zero Day Initiative

List of CVE IDs    

CVE ID

CVSS

Severity

Vector

CVE-2023-27971

8.8

High

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Learn more about CVSS 3.0 base metrics, which range from 0 to 10.

PSR-2023-0018

**Resolution**

Update the printer firmware.

HP has provided an updated firmware resolution for potentially affected products listed in the table below. To obtain the updated firmware, go to the HP Customer Support - Software and Driver Downloads, and then search for your printer model.

**Affected products**

Find the products affected and the firmware version that resolves the vulnerabilities.

Affected products    

Product Name

Model Number

Updated Firmware Version

HP Color LaserJet MFP M478-M479 series

W1A75A, W1A76A, W1A77A, W1A81A, W1A82A, W1A79A, W1A80A, W1A78A

002\_2310A or higher

HP Color LaserJet Pro M453-M454 series

W1Y40A, W1Y41A, W1Y46A, W1Y47A, W1Y44A, W1Y45A, W1Y43A

002\_2310A or higher

HP LaserJet Pro M304-M305 Printer series

W1A66A, W1A46A, W1A47A, W1A48A

002\_2310A or higher

HP LaserJet Pro M404-M405 Printer series

W1A51A, W1A53A, W1A56A, W1A63A, W1A52A, 93M22A, W1A58A, W1A59A, W1A60A, W1A57A

002\_2310A or higher

HP LaserJet Pro MFP M428-M429 f series

W1A29A, W1A32A, W1A30A, W1A38A, W1A34A, W1A35A

002\_2310A or higher

HP LaserJet Pro MFP M428-M429 series

W1A28A, W1A31A, W1A33A

002\_2310A or higher

**Revision history**

This document has been revised according to the information below.

List of versions   

Version

Description

Date

1

Initial release

April 6, 2023

**Additional information**

Follow these links for additional information.

Third-party security patches

Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy.

Support

For issues about implementing the recommendations of this Security Bulletin, visit http://www.hp.com/go/contacthp to learn about your HP support options.

Report

To report a potential security vulnerability with any HP supported product, send email to: hp-security-alert@hp.com.

Subscribe

To initiate a subscription to receive future HP Security Bulletin alerts via email, visit https://h41369.www4.hp.com/alerts-signup.php?lang=en&cc=US&jumpid=hpsc\_profile.

Security bulletin archive

To view released Security Bulletins, visit https://support.hp.com/security-bulletins.

It is strongly recommended that security related information being communicated to HP be encrypted using PGP, especially exploit information.

Download HP’s security-alert PGP key

**Legal information**

System management and security procedures must be reviewed frequently to maintain system integrity. HP is continually reviewing and enhancing the security features of software products to provide customers with current secure solutions.

HP is broadly distributing this Security Bulletin in order to bring to the attention of users of the affected HP products the important security information contained in this Security Bulletin. HP recommends that all users determine the applicability of this information to their individual situations and take appropriate action. HP does not warrant that this information is necessarily accurate or complete for all user situations and, consequently, HP will not be responsible for any damages resulting from user's use or disregard of the information provided in this Security Bulletin. To the extent permitted by law, HP disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose, title and non-infringement.

© Copyright 2023 HP Development Company, L.P.

HP Inc. (HP) shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP nor its affiliates, subcontractors or suppliers will be liable for incidental, special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. "HP Inc.," "HP" and the names of HP products referenced herein are trademarks of HP Inc. or its affiliates in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners.

Tag

#buffer_overflow