A stack-based buffer overflow vulnerability exists in the lookup_sequence function of ZBar 0.23.90. Specially crafted QR codes may lead to information disclosure and/or arbitrary code execution. To trigger this vulnerability, an attacker can digitally input the malicious QR code, or prepare it to be physically scanned by the vulnerable scanner.

\# ZBar Stack-based Buffer Overflow Vulnerability ### CVE Number CVE-xxxx-xxxxx (unassigned) ### Summary A stack-based buffer overflow vulnerability exists in the \*lookup\_sequence\* function of ZBar 0.23.90. Specially crafted QR codes may lead to information disclosure and/or arbitrary code execution. To trigger this vulnerability, an attacker can digitally input the malicious QR code, or prepare it to be physically scanned by the vulnerable scanner. ### Tested Versions ZBar 0.23.90 ### Product URLs https://github.com/mchehab/zbar/releases/tag/0.23.90   ### Crash Information \`\`\`sh ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffe8c2052b8 at pc 0x7fd25c0d6ba3 bp 0x7ffe8c205130 sp 0x7ffe8c205128 WRITE of size 4 at 0x7ffe8c2052b8 thread T0 #0 0x7fd25c0d6ba2 in lookup\_sequence /home/fuzzer/ramdisk\_fuzz/ZBar\_backup/zbar/decoder/databar.c:703:12 #1 0x7fd25c0d6ba2 in match\_segment\_exp /home/fuzzer/ramdisk\_fuzz/ZBar\_backup/zbar/decoder/databar.c:763 #2 0x7fd25c0d6ba2 in decode\_char /home/fuzzer/ramdisk\_fuzz/ZBar\_backup/zbar/decoder/databar.c:1086 #3 0x7fd25c0cda9b in decode\_finder /home/fuzzer/ramdisk\_fuzz/ZBar\_backup/zbar/decoder/databar.c:1222:14 #4 0x7fd25c0cda9b in \_zbar\_decode\_databar /home/fuzzer/ramdisk\_fuzz/ZBar\_backup/zbar/decoder/databar.c:1242 #5 0x7fd25c0c5c52 in zbar\_decode\_width /home/fuzzer/ramdisk\_fuzz/ZBar\_backup/zbar/decoder.c:270:15 #6 0x7fd25c0c378a in process\_edge /home/fuzzer/ramdisk\_fuzz/ZBar\_backup/zbar/scanner.c:173:16 #7 0x7fd25c0c378a in zbar\_scan\_y /home/fuzzer/ramdisk\_fuzz/ZBar\_backup/zbar/scanner.c:261 #8 0x7fd25c0c0a6f in zbar\_scan\_image /home/fuzzer/ramdisk\_fuzz/ZBar\_backup/zbar/img\_scanner.c:773:17 #9 0x5503cb in zbar::ImageScanner::scan(zbar::Image&) /usr/local/include/zbar/ImageScanner.h:113:16 #10 0x5503cb in LLVMFuzzerTestOneInput /home/fuzzer/ramdisk\_fuzz/libfuzz/src/fuzz.cpp:98 #11 0x42fb77 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const\*, unsigned long) (/home/fuzzer/ramdisk\_fuzz/libfuzz/fuzzer+0x42fb77) #12 0x43a3e4 in fuzzer::Fuzzer::MutateAndTestOne() (/home/fuzzer/ramdisk\_fuzz/libfuzz/fuzzer+0x43a3e4) #13 0x43ba4f in fuzzer::Fuzzer::Loop(std::vector<std::\_\_cxx11::basic\_string<char, std::char\_traits<char>, std::allocator<char> >, fuzzer::fuzzer\_allocator<std::\_\_cxx11::basic\_string<char, std::char\_traits<char>, std::allocator<char> > > > const&) (/home/fuzzer/ramdisk\_fuzz/libfuzz/fuzzer+0x43ba4f) #14 0x42ae0c in fuzzer::FuzzerDriver(int\*, char\*\*\*, int (\*)(unsigned char const\*, unsigned long)) (/home/fuzzer/ramdisk\_fuzz/libfuzz/fuzzer+0x42ae0c) #15 0x41dc82 in main (/home/fuzzer/ramdisk\_fuzz/libfuzz/fuzzer+0x41dc82) #16 0x7fd257e53bf6 in \_\_libc\_start\_main /build/glibc-S9d2JN/glibc-2.27/csu/../csu/libc-start.c:310 #17 0x41dd49 in \_start (/home/fuzzer/ramdisk\_fuzz/libfuzz/fuzzer+0x41dd49) Address 0x7ffe8c2052b8 is located in stack of thread T0 at offset 376 in frame #0 0x7fd25c0ce46f in decode\_char /home/fuzzer/ramdisk\_fuzz/ZBar\_backup/zbar/decoder/databar.c:955 This frame has 6 object(s): \[32, 120) 'bestsegs.i' (line 716) \[160, 248) 'segs.i333' (line 716) \[288, 376) 'seq.i' (line 716) <== Memory access at offset 376 overflows this variable \[416, 544) 'iseg.i' (line 718) \[576, 592) 'd.i' (line 645) \[608, 616) 'emin' (line 958) \`\`\`

CVE-2023-40890: ZBar Stack-based Buffer Overflow Vulnerability - HackMD

Xmlsoft Libxml2 v2.11.0 was discovered to contain a global buffer overflow via the xmlSAX2StartElement() function at /libxml2/SAX2.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via supplying a crafted XML file.

**Description**

I found a poc which can cause libxml2 crash when fuzz testing.

AddressSanitizer report it as global-buffer-overflow at /libxml2/SAX2.c:1614 in xmlSAX2StartElement().

**Steps to reproduce the bug**

Normal

    $ ../master_libxml2/xmllint --recover --sax1 --sax poc2_min
    SAX.setDocumentLocator()
    SAX.error: parsing XML declaration: '?>' expected
    SAX.startDocument()
    fish: “../master_libxml2/xmllint --rec…” terminated by signal SIGSEGV (Address boundary error)

With ASAN

    $ ../master_asan_libxml2/xmllint --recover --sax1 --sax poc2_min
    SAX.setDocumentLocator()
    SAX.error: parsing XML declaration: '?>' expected
    SAX.startDocument()
    =================================================================
    ==371262==ERROR: AddressSanitizer: global-buffer-overflow on address 0x55a1675264f0 at pc 0x55a167009956 bp 0x7ffc08cbc5e0 sp 0x7ffc08cbc5d0
    READ of size 8 at 0x55a1675264f0 thread T0
        #0 0x55a167009955 in xmlSAX2StartElement /home/oceane/fuzz_test/new_run_libxml2/master_asan_libxml2/SAX2.c:1614
        #1 0x55a166f639b5 in xmlParseStartTag /home/oceane/fuzz_test/new_run_libxml2/master_asan_libxml2/parser.c:8389
        #2 0x55a166f79f37 in xmlParseElementStart /home/oceane/fuzz_test/new_run_libxml2/master_asan_libxml2/parser.c:9780
        #3 0x55a166fb1674 in xmlParseElement /home/oceane/fuzz_test/new_run_libxml2/master_asan_libxml2/parser.c:9712
        #4 0x55a166fb36e2 in xmlParseDocument /home/oceane/fuzz_test/new_run_libxml2/master_asan_libxml2/parser.c:10569
        #5 0x55a166fd561b in xmlDoRead /home/oceane/fuzz_test/new_run_libxml2/master_asan_libxml2/parser.c:14596
        #6 0x55a166fd561b in xmlCtxtReadFile /home/oceane/fuzz_test/new_run_libxml2/master_asan_libxml2/parser.c:14829
        #7 0x55a166ebb02d in testSAX /home/oceane/fuzz_test/new_run_libxml2/master_asan_libxml2/xmllint.c:1651
        #8 0x55a166eaf9b0 in main /home/oceane/fuzz_test/new_run_libxml2/master_asan_libxml2/xmllint.c:3711
        #9 0x7f142169a0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x240b2)
        #10 0x55a166eb650d in _start (/home/oceane/fuzz_test/new_run_libxml2/master_asan_libxml2/xmllint+0x8050d)
    
    0x55a1675264f0 is located 6 bytes to the right of global variable '*.LC113' defined in 'xmllint.c' (0x55a1675264e0) of size 10
      '*.LC113' is ascii string 'user_data'
    0x55a1675264f0 is located 48 bytes to the left of global variable '*.LC114' defined in 'xmllint.c' (0x55a167526520) of size 43
      '*.LC114' is ascii string '%s validation generated an internal error
    '
    SUMMARY: AddressSanitizer: global-buffer-overflow /home/oceane/fuzz_test/new_run_libxml2/master_asan_libxml2/SAX2.c:1614 in xmlSAX2StartElement
    Shadow bytes around the buggy address:
      0x0ab4ace9cc40: f9 f9 f9 f9 00 00 00 00 06 f9 f9 f9 f9 f9 f9 f9
      0x0ab4ace9cc50: 00 00 06 f9 f9 f9 f9 f9 00 00 00 00 01 f9 f9 f9
      0x0ab4ace9cc60: f9 f9 f9 f9 00 00 07 f9 f9 f9 f9 f9 00 f9 f9 f9
      0x0ab4ace9cc70: f9 f9 f9 f9 00 00 00 07 f9 f9 f9 f9 00 00 06 f9
      0x0ab4ace9cc80: f9 f9 f9 f9 00 06 f9 f9 f9 f9 f9 f9 00 00 06 f9
    =>0x0ab4ace9cc90: f9 f9 f9 f9 00 00 03 f9 f9 f9 f9 f9 00 02[f9]f9
      0x0ab4ace9cca0: f9 f9 f9 f9 00 00 00 00 00 03 f9 f9 f9 f9 f9 f9
      0x0ab4ace9ccb0: 00 00 07 f9 f9 f9 f9 f9 02 f9 f9 f9 f9 f9 f9 f9
      0x0ab4ace9ccc0: 04 f9 f9 f9 f9 f9 f9 f9 05 f9 f9 f9 f9 f9 f9 f9
      0x0ab4ace9ccd0: 04 f9 f9 f9 f9 f9 f9 f9 03 f9 f9 f9 f9 f9 f9 f9
      0x0ab4ace9cce0: 00 00 04 f9 f9 f9 f9 f9 00 00 00 01 f9 f9 f9 f9
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==371262==ABORTING

**POC**

poc2\_min

**Platform(s)**

    gcc (Ubuntu 9.4.0-1ubuntu1~20.04.1) 9.4.0
    g++ (Ubuntu 9.4.0-1ubuntu1~20.04.1) 9.4.0
    Ubuntu 20.04.4 LTS
    Intel(R) Core(TM) i7-10700 CPU @ 2.90GHz

**Version**

    $ git log --oneline -1
    d6882f64 (HEAD -> master, origin/master, origin/HEAD) threads: Fix startup crash with weak symbol hack
    
    $ ../master_asan_libxml2/xmllint --version
    ../master_asan_libxml2/xmllint: using libxml version 21200-GITv2.11.0-33-gd6882f64
       compiled with: Threads Tree Output Push Reader Patterns Writer SAXv1 HTTP DTDValid HTML C14N Catalog XPath XPointer XInclude Iconv ISO8859X Unicode Regexps Automata Schemas Schematron Modules Debug Zlib Lzma

CVE-2023-39615: Global-buffer-overflow at /libxml2/SAX2.c:1614 in xmlSAX2StartElement() (SIGSEGV) (#535) · Issues · GNOME / libxml2 · GitLab

Buffer Overflow vulnerability in Libming Libming v.0.4.8 allows a remote attacker to cause a denial of service via a crafted .swf file to the makeswf function.

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

**Comments**

A heap buffer overflow occurs when makeswf parse a invalid swf file, and the filename extension is .swf.

**Test Environment**

Ubuntu 20.04, 64 bit  
libming (master 04aee52)

**Steps to reproduce**

1.  compile libming with ASAN

    $ CC="clang -fsanitize=address,fuzzer-no-link -g" CFLAGS+=" -fcommon" ./configure 
    $ make
    

2.  Download the poc file from here and run cmd  
    $ makeswf $POC

**ASAN report**

    $ ./bin_asan/bin/makeswf ./poc-makeswf-04aee52-r_readc-HBO.swf
    Output file name: out.swf
    Output compression level: 9
    Output SWF version: 6
    =================================================================
    ==5625==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60800000013f at pc 0x0000004f15b5 bp 0x7fff376560d0 sp 0x7fff376560c8
    WRITE of size 1 at 0x60800000013f thread T0
        #0 0x4f15b4 in r_readc /opt/disk/marsman/libming/04aee52/build_asan/src/blocks/fromswf.c:264:34
        #1 0x4f1a37 in getbits /opt/disk/marsman/libming/04aee52/build_asan/src/blocks/fromswf.c:143:18
        #2 0x4f1656 in rect /opt/disk/marsman/libming/04aee52/build_asan/src/blocks/fromswf.c:169:9
        #3 0x4efe15 in openswf /opt/disk/marsman/libming/04aee52/build_asan/src/blocks/fromswf.c:303:2
        #4 0x4eedbe in newSWFPrebuiltClip_fromInput /opt/disk/marsman/libming/04aee52/build_asan/src/blocks/fromswf.c:1302:8
        #5 0x4cbea3 in embed_swf /opt/disk/marsman/libming/04aee52/build_asan/util/makeswf.c:699:14
        #6 0x4ca4d9 in main /opt/disk/marsman/libming/04aee52/build_asan/util/makeswf.c:401:4
        #7 0x7f0aa6b3d83f in __libc_start_main /build/glibc-S7Ft5T/glibc-2.23/csu/../csu/libc-start.c:291
        #8 0x41c5a8 in _start (/opt/disk/marsman/libming/04aee52/bin_asan/bin/makeswf+0x41c5a8)
    
    0x60800000013f is located 199 bytes to the right of 88-byte region [0x608000000020,0x608000000078)
    allocated by thread T0 here:
        #0 0x4975fd in malloc /local/mnt/workspace/bcain_clang_vm-bcain-aus_3184/final/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3
        #1 0x4ef8d8 in openswf /opt/disk/marsman/libming/04aee52/build_asan/src/blocks/fromswf.c:271:41
        #2 0x4eedbe in newSWFPrebuiltClip_fromInput /opt/disk/marsman/libming/04aee52/build_asan/src/blocks/fromswf.c:1302:8
        #3 0x4cbea3 in embed_swf /opt/disk/marsman/libming/04aee52/build_asan/util/makeswf.c:699:14
        #4 0x4ca4d9 in main /opt/disk/marsman/libming/04aee52/build_asan/util/makeswf.c:401:4
        #5 0x7f0aa6b3d83f in __libc_start_main /build/glibc-S7Ft5T/glibc-2.23/csu/../csu/libc-start.c:291
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /opt/disk/marsman/libming/04aee52/build_asan/src/blocks/fromswf.c:264:34 in r_readc
    Shadow bytes around the buggy address:
      0x0c107fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c107fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c107fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c107fff8000: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 fa
      0x0c107fff8010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    =>0x0c107fff8020: fa fa fa fa fa fa fa[fa]fa fa fa fa fa fa fa fa
      0x0c107fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c107fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c107fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c107fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c107fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==5625==ABORTING
    

1 participant

CVE-2023-40781: heap-buffer-overflow in r_readc() at fromswf.c:264 · Issue #288 · libming/libming

Buffer Overflow vulnerability in VirusTotal yara v.4.3.2 allows a remote attacker to execute arbtirary code via the yr_execute_cod function in the exe.c component.

**Describe the bug**  
AddressSanitizer: heap-buffer-overflow libyara/exec.c:1426 in yr\_execute\_code

**To Reproduce**  
Steps to reproduce the behavior:  
1, compile yara with asan: ./configure CC=gcc CXX=g++ CFLAGS="-g -O0 -fsanitize=address" CXXFLAGS="-g -O0 -fsanitize=address" LDFLAGS="-g -O0 -fsanitize=address"  
2, run this command: ./yara -C PoC binFile

**Please complete the following information:**

*   OS: ubuntu 20.04
*   YARA version: 4.3.2

****Additional context**  
ASAN reprot:**

\==1855158==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x604000000248 at pc 0x7f168933dfaf bp 0x7ffd229d5530 sp 0x7ffd229d5520  
READ of size 8 at 0x604000000248 thread T0  
#0 0x7f168933dfae in yr\_execute\_code libyara/exec.c:1426  
#1 0x7f16893a1cd8 in yr\_scanner\_scan\_mem\_blocks libyara/scanner.c:526  
#2 0x7f16893a27a0 in yr\_scanner\_scan\_mem libyara/scanner.c:670  
#3 0x7f16893a2b3e in yr\_scanner\_scan\_fd libyara/scanner.c:706  
#4 0x55aa2e6ed11a in scan\_file cli/yara.c:736  
#5 0x55aa2e6f1444 in main cli/yara.c:1654  
#6 0x7f1688c22082 in \_\_libc\_start\_main ../csu/libc-start.c:308  
#7 0x55aa2e6e9ced in \_start (/home/root/latestFiles/yara-4.3.2/.libs/yara+0x7ced)

0x604000000248 is located 8 bytes to the left of 48-byte region \[0x604000000250,0x604000000280)  
allocated by thread T0 here:  
#0 0x7f1689535a06 in \_\_interceptor\_calloc ../../../../src/libsanitizer/asan/asan\_malloc\_linux.cc:153  
#1 0x7f168936db41 in yr\_calloc libyara/mem.c:127  
#2 0x7f168939fe48 in yr\_scanner\_create libyara/scanner.c:242  
#3 0x55aa2e6f12af in main cli/yara.c:1640  
#4 0x7f1688c22082 in \_\_libc\_start\_main ../csu/libc-start.c:308

SUMMARY: AddressSanitizer: heap-buffer-overflow libyara/exec.c:1426 in yr\_execute\_code  
Shadow bytes around the buggy address:  
0x0c087fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x0c087fff8000: fa fa fd fd fd fd fd fa fa fa 00 00 00 00 00 fa  
0x0c087fff8010: fa fa fd fd fd fd fd fa fa fa 00 00 00 00 00 fa  
0x0c087fff8020: fa fa fd fd fd fd fd fa fa fa 00 00 00 00 00 fa  
0x0c087fff8030: fa fa fd fd fd fd fd fa fa fa 00 00 00 00 00 fa  
\=>0x0c087fff8040: fa fa 00 00 00 00 00 00 fa\[fa\]00 00 00 00 00 00  
0x0c087fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c087fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c087fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c087fff8080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c087fff8090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
Shadow byte legend (one shadow byte represents 8 application bytes):  
Addressable: 00  
Partially addressable: 01 02 03 04 05 06 07  
Heap left redzone: fa  
Freed heap region: fd  
Stack left redzone: f1  
Stack mid redzone: f2  
Stack right redzone: f3  
Stack after return: f5  
Stack use after scope: f8  
Global redzone: f9  
Global init order: f6  
Poisoned by user: f7  
Container overflow: fc  
Array cookie: ac  
Intra object redzone: bb  
ASan internal: fe  
Left alloca redzone: ca  
Right alloca redzone: cb  
Shadow gap: cc  
\==1855158==ABORTING

CVE-2023-40857: heap-buffer-overflow libyara/exec.c:1426 in yr_execute_code · Issue #1945 · VirusTotal/yara

Buffer Overflow vulnerability in O-RAN Software Community ric-plt-lib-rmr v.4.9.0 allows a remote attacker to cause a denial of service via a crafted packet.

Hello,

I would like to report an issue related to the incorrect format in the rmr library (ric-plt-lib-rmr).

When RMR service receives a packet in an incorrect format, it crash during the packet parsing process

*   First, the header is extracted from the received packet. Due to the packet's incorrect format, the header value becomes abnormal.
*   Then, a memory location is calculated, leading to an illegal access in **d1**, as shown in the attached image.

This is my initial analysis, and there might be errors. Please kindly forgive any mistakes.

Through xApp, we can send packets of this nature to services that utilize this RMR library, leading to the disruption of the services.

This problem can be found in components that utilize the RMR library.

CVE-2023-40997: [RIC-991] RMR: Crashes caused by improperly formatted packets

Buffer Overflow vulnerability in O-RAN Software Community ric-plt-lib-rmr v.4.9.0 allows a remote attacker to cause a denial of service via the packet size component.

Hello,

I would like to report an issue related to the packet size in the rmr library (ric-plt-lib-rmr).

When processing received packets, the library decodes the first 4 bytes as the packet size.

However, if the decoding result is a negative value, it leads to a subsequent core dump during the memcpy operation.

Through xApp, we can send packets of this nature to services that utilize this RMR library, leading to the disruption of the services.

This problem can be found in components that utilize the RMR library. For example, in the e2term, when receiving a packet with a decoded negative packet size on port 4561, it triggers this crash.

I have attached images of the packets that led to the crash and the decoded packets.

CVE-2023-40998: [RIC-989] RMR: Negative Packet Size Causes Crash

Tenda AC6 US_AC6V1.0BR_V15.03.05.16_multi_TD01.bin is vulnerable to Buffer Overflow via function sub_90998.

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Search code, repositories, users, issues, pull requests...**

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

CVE-2023-40846: Digging/Tenda/AC6/bof/9/9.md at main · XYIYM/Digging

Notepad++ is a free and open-source source code editor. Versions 8.5.6 and prior are vulnerable to global buffer read overflow in `CharDistributionAnalysis::HandleOneChar`. The exploitability of this issue is not clear. Potentially, it may be used to leak internal memory allocation information. As of time of publication, no known patches are available in existing versions of Notepad++.

CVE-2023-40036: GHSL-2023-112, GHSL-2023-102, GHSL-2023-103, GHSL-2023-092: Buffer Overflows in Notepad++ - CVE-2023-40031, CVE-2023-40036, CVE-2023-40164, CVE-2023-40166

Tenda AX3 v16.03.12.11 has a stack buffer overflow vulnerability detected at function form_fast_setting_wifi_set. This vulnerability allows attackers to cause a Denial of Service (DoS) via the ssid parameter.

CVE-2023-40915: IoT_vuln/Tenda/AX3/form_fast_setting_wifi_set.md at main · Korey0sh1/IoT_vuln

giflib v5.2.1 was discovered to contain a segmentation fault via the component getarg.c.

Notify CVE about a publication

\[CVE ID\]

CVE-2023-39741

\[Vulnerability Type\]

\> Buffer Overflow

\>

\> ------------------------------------------

\>

\> \[Vendor of Product\]

\> the development group

\>

\> ------------------------------------------

\>

\> \[Affected Product Code Base\]

\> lrzip - 0.651

\>

\> ------------------------------------------

\>

\> \[Affected Component\]

\> lrzip 0.651

\>

\> ------------------------------------------

\>

\> \[Impact Denial of Service\]

\> true

\>

\> ------------------------------------------

\>

\> \[Attack Vectors\]

\> a crafted file

\> \[Suggested description\]

\>lrzip v0.651 was discovered to contain a heap overflow via the libzpaq::PostProcessor::write(int) function at /libzpaq/libzpaq.cpp.

This vulnerability allows attackers to cause a Denial of Service (DoS)> via a crafted file.

\>\[CVE ID\]

\>CVE-2023-39742

\> ------------------------------------------

\>

\> \[Vulnerability Type\]

\> Buffer Overflow

\>

\> ------------------------------------------

\>

\> \[Vendor of Product\]

\> the development group

\>

\> ------------------------------------------

\>

\> \[Affected Product Code Base\]

\> giflib - 5.2.1

\>

\> ------------------------------------------

\>

\> \[Affected Component\]

\> giflib

\>

\> ------------------------------------------

\>

\> \[Attack Type\]

\> Local

\>

\> ------------------------------------------

\>

\> \[Impact Denial of Service\]

\> true

\>

\> ------------------------------------------

\>

\> \[Attack Vectors\]

\> invalid args

\>

\> ------------------------------------------

\>

\> \[Reference\]

\> https://sourceforge.net/p/giflib/bugs/166/

\>

\> ------------------------------------------

\> \[Suggested description\]

\> giflib v5.2.1 was discovered to contain a segmentation fault via the component getarg.c.

\>

\[CVE ID\]

CVE-2023-39743

\> ------------------------------------------

\>

\> \[VulnerabilityType Other\]

\> Access Violation

\>

\> ------------------------------------------

\>

\> \[Vendor of Product\]

\> the development group

\>

\> ------------------------------------------

\>

\> \[Affected Product Code Base\]

\> lrzip-next - LZMA 23.01

\>

\> ------------------------------------------

\>

\> \[Affected Component\]

\> lrzip-next

\>

\> ------------------------------------------

\>

\> \[Impact Denial of Service\]

\> true

\>

\> ------------------------------------------

\>

\> \[Attack Vectors\]

\> a crafted lrz file

\>

\> ------------------------------------------

\>

\> \[Reference\]

\> https://github.com/huanglei3/lrzip-next-poc/tree/main

\> https://github.com/pete4abw/lrzip-next/issues/132

\>

\> ------------------------------------------

\> \[Suggested description\]

\> lrzip-next LZMA v23.01 was discovered to contain an access violation via the component /bz3\_decode\_block src/libbz3.c.

Tag

#buffer_overflow