Networking equipment maker Zyxel has released patches for a critical security flaw in its firewall devices that could be exploited to achieve remote code execution on affected systems.
The issue, tracked as CVE-2023-28771, is rated 9.8 on the CVSS scoring system. Researchers from TRAPA Security have been credited with reporting the flaw.
"Improper error message handling in some firewall versions

Network Security / Vulnerability

Networking equipment maker Zyxel has released patches for a critical security flaw in its firewall devices that could be exploited to achieve remote code execution on affected systems.

The issue, tracked as CVE-2023-28771, is rated 9.8 on the CVSS scoring system. Researchers from TRAPA Security have been credited with reporting the flaw.

"Improper error message handling in some firewall versions could allow an unauthenticated attacker to execute some OS commands remotely by sending crafted packets to an affected device," Zyxel said in an advisory on April 25, 2023.

Products impacted by the flaw are -

*   ATP (versions ZLD V4.60 to V5.35, patched in ZLD V5.36)
*   USG FLEX (versions ZLD V4.60 to V5.35, patched in ZLD V5.36)
*   VPN (versions ZLD V4.60 to V5.35, patched in ZLD V5.36), and
*   ZyWALL/USG (versions ZLD V4.60 to V4.73, patched in ZLD V4.73 Patch 1)

Zyxel has also addressed a high-severity post-authentication command injection vulnerability affecting select firewall versions (CVE-2023-27991, CVSS score: 8.8) that could permit an authenticated attacker to execute some OS commands remotely.

The shortcoming, which impacts ATP, USG FLEX, USG FLEX 50(W) / USG20(W)-VPN, and VPN devices, has been resolved in ZLD V5.36.

UPCOMING WEBINAR

Learn to Stop Ransomware with Real-Time Protection

Join our webinar and learn how to stop ransomware attacks in their tracks with real-time MFA and service account protection.

Save My Seat!

Lastly, the company also shipped fixes for five high-severity flaws affecting several firewalls and access point (AP) devices (from CVE-2023-22913 to CVE-2023-22918) that could result in code execution and cause a denial-of-service (DoS) condition.

Nikita Abramov from Russian cybersecurity company Positive Technologies has been credited for reporting the issues. Abramov, earlier this year, also discovered four command injection and buffer overflow vulnerabilities in CPE, fiber ONTs, and WiFi extenders.

The most severe of the flaws is CVE-2022-43389 (CVSS score: 9.8), a buffer overflow vulnerability impacting 5G NR/4G LTE CPE devices.

"It did not require authentication to be exploited and led to arbitrary code execution on the device," Abramov explained at the time. "As a result, an attacker could gain remote access to the device and fully control its operation."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Zyxel Firewall Devices Vulnerable to Remote Code Execution Attacks — Patch Now

Categories: News
Tags: VMware

Tags:  workstation

Tags:  fusion

Tags:  virtual machine

Tags:  SCSI

Tags:  DVD

Tags:  CD

Tags:  virtualisation

Tags:  exploit

Tags:  vulnerability

Tags:  flaw

Tags:  CVE

VMWare has released fixes and mitigations for three Important and one Critical vulnerability in its Fusion and Workstation software.



(Read more...)




The post Update now: Critical flaw in VMWare Fusion and VMWare Workstation appeared first on Malwarebytes Labs.

Four vulnerabilities in virtualisation software have been fixed by VMware, including two which were exploited at the 20223 Pwn2Own contest. Three have been given the severity rating “Important”, with the last (CVE-2023-20869) is classed as “Critical”.

> Success! @starlabs\_sg used an uninitialized variable and UAF against VMWare Workstation. They earn $80,000 and 8 Master of Pwn points, pushing the prize total for #P2OVancouver past $1,000,000. #Pwn2Own pic.twitter.com/DEjgYcmphH
> 
> — Zero Day Initiative (@thezdi) March 24, 2023

The four vulnerabilities are:

*   CVE-2023-20869 is "Critical" flaw that affects Fusion and Workstation. It is a stack-based buffer overflow issue in the functionality for sharing host Bluetooth devices with the virtual machine. As per the advisory, "A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine's VMX process running on the host." Needless to say, guest VMs are not supposed to be able to make the host machines they're running on do things.
*   **CVE-2023-20870 is an "Important" flaw that affects Fusion and Workstation. It's** another issue in the functionality for sharing host Bluetooth devices, but with this one an attacker can potentially read privileged information stored in the virtual machine’s hypervisor memory.
*   **CVE-2023-20871 is an "Important" flaw that only affects Fusion. It allows an** attacker who has read / write access to the host operating system to elevate their privileges to gain root access to the host operating system.
*   **CVE-2023-20872 is an "Important" flaw that affects Fusion and Workstation. It allows** virtual machines with a physical CD/DVD drive attached to execute code on the hypervisor, if the drive is configured to use a virtual SCSI controller.

**Workarounds and updates**

All four issues can be addressed by updating to the latest version of the affected software. At the time of writing these are VMware Fusion 13.0.2 and VMware Workstation 17.0.2. Workarounds are available for CVE-2023-20869, CVE-2023-20870, and CVE-2023-20872.

CVE-2023-20869 and CVE-2023-20870 can be mitigated by turning off Bluetooth support by unchecking the “**Share Bluetooth devices with the virtual machine**” option. The relevant support documents for each product are VMware Workstation Pro, VMware Workstation Player, and VMware Fusion.

CVE-2023-20872 can be mitigated by removing the CD/DVD device from the virtual machine. Alternatively, you can configure the virtual machine so that it does not use a virtual SCSI controller. After shutting down the virtual machine, the steps are:

To remove the CD/DVD device in VMWare Workstation:

*   Select VM > Settings
*   Click the Hardware tab
*   Select the CD/DVD and click Remove

To remove the CD/DVD device in VMWare Fusion:

*   Select a virtual machine in the Virtual Machine Library window
*   Click on Virtual Machine menu
*   Click Settings
*   Under Removable Devices in the Settings window, select CD/DVD > Advanced Options > Remove CD/DVD Drive.

To configure VMWare Workstation not to use a virtual SCSI controller:

*   Select VM > Settings
*   Click the Hardware tab
*   Select the CD/DVD > Advanced > CD/DVD Advanced Settings > Virtual device node
*   You can configure the Bus type

To configure VMWare Fusion not to use a virtual SCSI controller:

*   Select a virtual machine in the Virtual Machine Library window
*   Click on Virtual Machine menu
*   Click on Settings
*   Under Removable Devices in the Settings window, Select CD/DVD > Advanced options > Bus type
*   You can configure the Bus type.

Malwarebytes removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

Update now: Critical flaw in VMWare Fusion and VMWare Workstation

swfrender v0.9.2 was discovered to contain a heap buffer overflow in the function enumerateUsedIDs_fillstyle at modules/swftools.c

**1.heap-buffer-overflow****env**

ubuntu20.04

gcc version 9.4.0 (Ubuntu 9.4.0-1ubuntu1~20.04.1)

swfrender - part of swftools 0.9.2

**sample**

id7\_heap-buffer-overflow.zip

**crash**

    ./swfrender id7_heap-buffer-overflow -o /dev/null
    ==1106906==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6070000003eb at pc 0x557c2e072578 bp 0x7ffd975b4940 sp 0x7ffd975b4930
    READ of size 1 at 0x6070000003eb thread T0
        #0 0x557c2e072577 in enumerateUsedIDs_fillstyle modules/swftools.c:509
        #1 0x557c2e0728d1 in enumerateUsedIDs_styles modules/swftools.c:565
        #2 0x557c2e05c7d9 in swf_ParseShapeData modules/swfshape.c:692
        #3 0x557c2e06020d in swf_ShapeToShape2 modules/swfshape.c:884
        #4 0x557c2e04c298 in extractDefinitions readers/swf.c:375
        #5 0x557c2e04c298 in swf_open readers/swf.c:736
        #6 0x557c2e04800a in main /mnt/hgfs/ubuntu/cve/swftools/swftools-master/src/swfrender.c:174
        #7 0x7f8c197fa082 in __libc_start_main ../csu/libc-start.c:308
        #8 0x557c2e046ecd in _start (/mnt/hgfs/ubuntu/cve/swftools/swftools-master/src/swfrender+0x24ecd)
    
    0x6070000003eb is located 0 bytes to the right of 75-byte region [0x6070000003a0,0x6070000003eb)
    allocated by thread T0 here:
        #0 0x7f8c19c40808 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
        #1 0x557c2e0e4ab9 in rfx_alloc /mnt/hgfs/ubuntu/cve/swftools/swftools-master/lib/mem.c:30
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow modules/swftools.c:509 in enumerateUsedIDs_fillstyle
    Shadow bytes around the buggy address:
      0x0c0e7fff8020: 00 00 00 00 00 00 00 00 00 fa fa fa fa fa 00 00
      0x0c0e7fff8030: 00 00 00 00 00 00 03 fa fa fa fa fa 00 00 00 00
      0x0c0e7fff8040: 00 00 00 00 03 fa fa fa fa fa 00 00 00 00 00 00
      0x0c0e7fff8050: 00 00 03 fa fa fa fa fa 00 00 00 00 00 00 00 00
      0x0c0e7fff8060: 00 00 fa fa fa fa 00 00 00 00 00 00 00 00 00 04
    =>0x0c0e7fff8070: fa fa fa fa 00 00 00 00 00 00 00 00 00[03]fa fa
      0x0c0e7fff8080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c0e7fff8090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c0e7fff80a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c0e7fff80b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c0e7fff80c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==1106906==ABORTING
    

**2.negative-size-param****env**

ubuntu20.04

gcc version 9.4.0 (Ubuntu 9.4.0-1ubuntu1~20.04.1)

swfrender - part of swftools 0.9.2

**sample**

id107\_negative-size-param.zip

**crash**

    ./swfrender id107_negative-size-param -o /dev/null
    =1148866==ERROR: AddressSanitizer: negative-size-param: (size=-21465837888)
        #0 0x7fe31237dfdd in __interceptor_memset ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:762
        #1 0x559b516b3c75 in memset /usr/include/x86_64-linux-gnu/bits/string_fortified.h:71
        #2 0x559b516b3c75 in newclip devices/render.c:538
        #3 0x559b516b41e1 in render_startpage devices/render.c:936
        #4 0x559b516348e1 in main /mnt/hgfs/ubuntu/cve/swftools/swftools-master/src/swfrender.c:217
        #5 0x7fe311fdd082 in __libc_start_main ../csu/libc-start.c:308
        #6 0x559b51632ecd in _start (/mnt/hgfs/ubuntu/cve/swftools/swftools-master/src/swfrender+0x24ecd)
    
    0x7fe2fef21800 is located 0 bytes inside of 8998592-byte region [0x7fe2fef21800,0x7fe2ff7b66c0)
    allocated by thread T0 here:
        #0 0x7fe312423a06 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:153
        #1 0x559b516d0bc1 in rfx_calloc /mnt/hgfs/ubuntu/cve/swftools/swftools-master/lib/mem.c:69
    
    SUMMARY: AddressSanitizer: negative-size-param ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:762 in __interceptor_memset
    ==1148866==ABORTING
    

**3.heap-buffer-overflow****env**

ubuntu20.04

gcc version 9.4.0 (Ubuntu 9.4.0-1ubuntu1~20.04.1)

swfrender - part of swftools 0.9.2

**sample**

id157\_heap-buffer-overflow.zip

**crash**

    ./swfrender id157_heap-buffer-overflow -o /dev/null
    =1167329==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7fb50bafcc00 at pc 0x7fb50f696f3d bp 0x7fffa3c52d40 sp 0x7fffa3c524e8
    WRITE of size 16 at 0x7fb50bafcc00 thread T0
        #0 0x7fb50f696f3c in __interceptor_memset ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:762
        #1 0x55ca7b7620cc in memset /usr/include/x86_64-linux-gnu/bits/string_fortified.h:71
        #2 0x55ca7b7620cc in render_startpage devices/render.c:922
        #3 0x55ca7b6e28e1 in main /mnt/hgfs/ubuntu/cve/swftools/swftools-master/src/swfrender.c:217
        #4 0x7fb50f2f6082 in __libc_start_main ../csu/libc-start.c:308
        #5 0x55ca7b6e0ecd in _start (/mnt/hgfs/ubuntu/cve/swftools/swftools-master/src/swfrender+0x24ecd)
    
    0x7fb50bafcc00 is located 0 bytes to the right of 13906944-byte region [0x7fb50adb9800,0x7fb50bafcc00)
    allocated by thread T0 here:
        #0 0x7fb50f73c808 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
        #1 0x55ca7b77eab9 in rfx_alloc /mnt/hgfs/ubuntu/cve/swftools/swftools-master/lib/mem.c:30
        #2 0x7fb50f2f6082 in __libc_start_main ../csu/libc-start.c:308
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:762 in __interceptor_memset
    Shadow bytes around the buggy address:
      0x0ff721757930: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0ff721757940: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0ff721757950: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0ff721757960: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0ff721757970: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x0ff721757980:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0ff721757990: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0ff7217579a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0ff7217579b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0ff7217579c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0ff7217579d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==1167329==ABORTING

CVE-2023-29950: bug report -- swfrender · Issue #198 · matthiaskramm/swftools

The sensitive information exposure vulnerability in the CGI “Export_Log” and the binary “zcmd” in Zyxel DX5401-B0 firmware versions prior to V5.17(ABYO.1)C0 could allow a remote unauthenticated attacker to read the system files and to retrieve the password of the supervisor from the encrypted file.

Summary

Zyxel is aware of multiple vulnerabilities reported by our security consultancy partner, SEC Consult, and advises users to install the applicable firmware updates for optimal protection.

 

What are the vulnerabilities?

There are eight vulnerabilities, identified as follows.

1.  Multiple buffer overflow vulnerabilities were discovered in the web server of the affected devices.
2.  The CGI program lacks a proper permission control mechanism, which could allow an attacker to read sensitive files on the devices.
3.  Insufficiently protected credentials in the configuration file of the devices could allow an attacker to retrieve the passwords.
4.  Command injection vulnerabilities were found in the diagnostic tool and the certificate upload interface of the devices.
5.  Access control vulnerabilities in the devices could allow a less privileged user to access functionality of a more privileged role.
6.  The improper symbolic links processing vulnerability in the FTP server could allow an attacker to get read access to the root file system.
7.  A security flaw was found in API of the devices that could be abused without authentication in order to obtain a new session key.
8.  A cross-site scripting vulnerability was identified in the printer name field of the print server menu within the web interface of the devices.

 

What versions are vulnerable-and what should you do?

After a thorough investigation, we’ve identified the affected products that are within their warranty and support period, as shown in the link here. If a product is not listed, it is not affected or has reached end-of-life. We encourage users to install the applicable updates for optimal protection.

Please note that the table in the link provided does NOT include customized models for internet service providers (ISPs).

If you are an ISP, please contact your Zyxel sales or service representative for further details.

If you are an end-user who received your Zyxel device from an ISP, please reach out to the ISP’s support team directly, as the device may have custom-built settings.

If you are an end-user who purchased your Zyxel device yourself, please contact your local Zyxel support team or visit our forum for further assistance.

 

Got a question?

Please contact your local service rep or visit Zyxel’s forum for further information or assistance.

 

Acknowledgment

Thanks to SEC Consult for reporting the issues to us.

 

Revision history

2022-2-15: Initial release

CVE-2023-28770: Zyxel security advisory for multiple vulnerabilities | Zyxel Networks

Buffer Overflow vulnerability found in Netgear R6900 v.1.0.2.26, R6700v3 v.1.0.4.128, R6700 v.1.0.0.26 allows a remote attacker to execute arbitrary code and cause a denial ofservice via the getInputData parameter of the fwSchedule.cgi page.

\[09:43:36\] Starting 'watch-extension:vscode-api-tests' ...

\[09:43:36\] Finished 'clean-extension:typescript-language-features' after 248 ms

\[09:43:36\] Starting 'watch-extension:typescript-language-features' ...

\[09:43:36\] Finished 'clean-extension:php-language-features' after 384 ms

\[09:43:36\] Starting 'watch-extension:php-language-features' ...

\[09:43:40\] Finished 'clean-extension:html-language-features-server' after 4.66 s

\[09:43:40\] Starting 'watch-extension:html-language-features-server' ...

\[09:43:43\] Finished 'clean-client' after 7.33 s

\[09:43:43\] Starting 'watch-client' ...

CVE-2023-30280: GitHub: Let’s build from here

Buffer Overflow vulnerability found in ByronKnoll Cmix v.19 allows an attacker to execute arbitrary code and cause a denial of service via the paq8 function.

**Crash Inputs**

Here is the crash file that trigger the error

cmix\_asan\_crash\_mem\_overlap.zip

**Bug Description:**

When executing cmix (new release version) with the file inputs and parameter "-n", the ASan (Memory Sanitizer ) instrumented program terminates with Nonfatal Error shown below.

    ==102390==ERROR: AddressSanitizer: memcpy-param-overlap: memory ranges [0x619000041c63,0x619000041c67) and [0x619000041c64, 0x619000041c68) overlap
        #0 0x4ca038 in __asan_memcpy (/cmix/cmix_asan+0x4ca038)
        #1 0x656a09 in paq8::FrenchStemmer::ConvertUTF8(paq8::Word*) /data/Deter-Study/temp/benchmark/crash/cmix/src/models/paq8.cpp:2502:11
        #2 0x65569b in paq8::FrenchStemmer::Stem(paq8::Word*) /data/Deter-Study/temp/benchmark/crash/cmix/src/models/paq8.cpp:2782:5
        #3 0x558c65 in paq8::TextModel::Update(paq8::Buf&, paq8::ModelStats*) /data/Deter-Study/temp/benchmark/crash/cmix/src/models/paq8.cpp:3258:28
        #4 0x63978b in paq8::TextModel::Predict(paq8::Mixer&, paq8::Buf&, paq8::ModelStats*) /data/Deter-Study/temp/benchmark/crash/cmix/src/models/paq8.cpp:3160:7
        #5 0x615679 in paq8::contextModel2(paq8::ModelStats*) /data/Deter-Study/temp/benchmark/crash/cmix/src/models/paq8.cpp:8183:13
        #6 0x61867b in paq8::Predictor::update() /data/Deter-Study/temp/benchmark/crash/cmix/src/models/paq8.cpp:8277:11
        #7 0x6c0d24 in Predictor::Perceive(int) /data/Deter-Study/temp/benchmark/crash/cmix/src/predictor.cpp:394:12
        #8 0x4fed5c in Encoder::Encode(int) /data/Deter-Study/temp/benchmark/crash/cmix/src/coder/encoder.cpp:23:7
        #9 0x6ef0d0 in Compress(unsigned long long, std::basic_ifstream<char, std::char_traits<char> >*, std::basic_ofstream<char, std::char_traits<char> >*, unsigned long long*, Predictor*) /data/Deter-Study/temp/benchmark/crash/cmix/src/runner.cpp:106:9
        #10 0x6f06d3 in RunCompression(bool, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, _IO_FILE*, unsigned long long*, unsigned long long*) /data/Deter-Study/temp/benchmark/crash/cmix/src/runner.cpp:203:3
        #11 0x6f3b13 in main /data/Deter-Study/temp/benchmark/crash/cmix/src/runner.cpp:298:10
        #12 0x7f0cc1be9c86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
        #13 0x41f819 in _start (/cmix/cmix_asan+0x41f819)
    
    0x619000041c63 is located 483 bytes inside of 960-byte region [0x619000041a80,0x619000041e40)
    allocated by thread T0 here:
        #0 0x4cb3ba in calloc (/cmix/cmix_asan+0x4cb3ba)
        #1 0x654691 in paq8::Array<paq8::Word, 0>::create(unsigned int) /data/Deter-Study/temp/benchmark/crash/cmix/src/models/paq8.cpp:118:16
        #2 0x654691 in paq8::Array<paq8::Word, 0>::Array(unsigned int) /data/Deter-Study/temp/benchmark/crash/cmix/src/models/paq8.cpp:76
        #3 0x654691 in paq8::Cache<paq8::Word, 8u>::Cache() /data/Deter-Study/temp/benchmark/crash/cmix/src/models/paq8.cpp:3013
    
    0x619000041c64 is located 484 bytes inside of 960-byte region [0x619000041a80,0x619000041e40)
    allocated by thread T0 here:
        #0 0x4cb3ba in calloc (/cmix/cmix_asan+0x4cb3ba)
        #1 0x654691 in paq8::Array<paq8::Word, 0>::create(unsigned int) /data/Deter-Study/temp/benchmark/crash/cmix/src/models/paq8.cpp:118:16
        #2 0x654691 in paq8::Array<paq8::Word, 0>::Array(unsigned int) /data/Deter-Study/temp/benchmark/crash/cmix/src/models/paq8.cpp:76
        #3 0x654691 in paq8::Cache<paq8::Word, 8u>::Cache() /data/Deter-Study/temp/benchmark/crash/cmix/src/models/paq8.cpp:3013
    
    SUMMARY: AddressSanitizer: memcpy-param-overlap (/cmix/cmix_asan+0x4ca038) in __asan_memcpy
    

**Step to reproduce**

*   download the cmix from github and build it with ASAN
*   Execute cmix with provide files and given parameters "-n".

CVE-2023-29596: [BUG]: ERROR memcpy-param-overlap · Issue #54 · byronknoll/cmix

Buffer Overflow vulnerability found in XPDF v.4.04 allows an attacker to cause a Denial of Service via the PDFDoc malloc in the pdftotext.cc function.

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?

CVE-2023-26930: GitHub - huanglei3/xpdf_aborted

Buffer Overflow vulnerability found in XPDF v.4.04 allows an attacker to cause a Denial of Service via the TextOutputDev.cc function.

CVE-2023-26931

Buffer Overflow vulnerability found in XPDF v.4.04 allows an attacker to cause a Denial of Service via SharedFile::readBlock at /xpdf/Stream.cc.

XPDF v4.04

pdftotext poc

Syntax Warning: PDF file is damaged - attempting to reconstruct xref table... Syntax Error (2711): Dictionary key must be a name object Syntax Error (2715): Dictionary key must be a name object Syntax Error (2720): Dictionary key must be a name object Syntax Error: Dictionary key must be a name object Syntax Error: End of file inside dictionary Syntax Error (393): Illegal character <3d> in hex string Syntax Error (398): Illegal character <80> in hex string Syntax Error (399): Illegal character <67> in hex string Syntax Error (400): Illegal character <74> in hex string Syntax Error (401): Illegal character <68> in hex string Syntax Error (409): Illegal character '>' Syntax Error (172): Dictionary key must be a name object Syntax Error (393): Illegal character <3d> in hex string Syntax Error (398): Illegal character <80> in hex string Syntax Error (399): Illegal character <67> in hex string Syntax Error (400): Illegal character <74> in hex string Syntax Error (401): Illegal character <68> in hex string Syntax Error (409): Illegal character '>' Syntax Error (887): Illegal character ')' Syntax Error (1296): Illegal character ')' Syntax Error (1781): Illegal character ')' Syntax Error (2386): Dictionary key must be a name object Syntax Error (2390): Dictionary key must be a name object Syntax Error: Unterminated string Syntax Error: End of file inside dictionary Syntax Error: End of file inside array Syntax Error: End of file inside dictionary

Program received signal SIGSEGV, Segmentation fault.

(gdb) bt

#0 0x00007ffff7a989df in \_IO\_new\_file\_seekoff (fp=0x555555b81c30, offset=1446, dir=0, mode=) at fileops.c:976 #1 0x00007ffff7a967cd in \_\_fseeko (fp=0x555555b81c30, offset=offset@entry=1446, whence=whence@entry=0) at fseeko.c:40 #2 0x0000555555848c19 in gfseek (f=, offset=offset@entry=1446, whence=whence@entry=0) at /home/fuzz/fuzzing\_xpdf/xpdf-4.04/goo/gfile.cc:733 #3 0x00005555557ec8c1 in SharedFile::readBlock (this=0x555555b81fd0, buf=buf@entry=0x555555b832b8 "6 0 objnt 3 0 R\\r\\n/Resources <<\\r\\n/Font <<\\r\\n/F1 9 0 R \\r\\n>>\\r\\n/ProcSet 8 0 R\\r\\n>>\\r\\n/MediaBo\\202 \[0 0 612.0000 792.0000\]\\r\\n\\r\\n7 0 obj\\r\\n<< /Length 676 >> 00000 Name /ream\\r\\n2 J\\r\\nBT\\r\\n0\\r\\n57.3750 722.2800 Td\\r\\n( Simpl"..., pos=1446, size=256) at /home/fuzz/fuzzing\_xpdf/xpdf-4.04/xpdf/Stream.cc:739 #4 0x00005555557ecfe8 in FileStream::fillBuf (this=this@entry=0x555555b83280) at /home/fuzz/fuzzing\_xpdf/xpdf-4.04/xpdf/Stream.cc:842 #5 0x0000555555813d23 in FileStream::getChar (this=0x555555b83280) at /home/fuzz/fuzzing\_xpdf/xpdf-4.04/xpdf/Stream.h:324 #6 0x00005555557b1153 in Object::streamGetChar (this=0x555555b833f0) at /home/fuzz/fuzzing\_xpdf/xpdf-4.04/xpdf/Object.h:300 #7 Lexer::getChar (this=this@entry=0x555555b833e0) at /home/fuzz/fuzzing\_xpdf/xpdf-4.04/xpdf/Lexer.cc:93 #8 0x00005555557b13fa in Lexer::getObj (this=0x555555b833e0, obj=obj@entry=0x555555b838e8) at /home/fuzz/fuzzing\_xpdf/xpdf-4.04/xpdf/Lexer.cc:125 #9 0x00005555557d078d in Parser::Parser (this=0x555555b838d0, xrefA=, lexerA=, allowStreamsA=) at /home/fuzz/fuzzing\_xpdf/xpdf-4.04/xpdf/Parser.cc:35 #10 0x000055555582c0e2 in XRef::fetch (this=0x555555b83990, num=6, gen=0, obj=0x7fffff7ff330, recursion=) at /home/fuzz/fuzzing\_xpdf/xpdf-4.04/xpdf/XRef.cc:1231 #11 0x00005555556754a0 in Object::arrayGet (this=0x7fffff7ff320, recursion=0, obj=0x7fffff7ff330, i=1) at /home/fuzz/fuzzing\_xpdf/xpdf-4.04/xpdf/Object.h:243 #12 Catalog::countPageTree (this=0x555555b5d4a0, pagesObj=) at /home/fuzz/fuzzing\_xpdf/xpdf-4.04/xpdf/Catalog.cc:566

CVE-2023-26935: GitHub - huanglei3/xpdf_heapoverflow

libming 0.4.8 0.4.8 is vulnerable to Buffer Overflow. In getInt() in decompile.c unknown type may lead to denial of service. This is a different vulnerability than CVE-2018-9132 and CVE-2018-20427.

Tag

#buffer_overflow