Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability

CVE-2022-23263

xterm through Patch 370, when Sixel support is enabled, allows attackers to trigger a buffer overflow in set_sixel in graphics_sixel.c via crafted text.

CVE-2022-24130: XTERM - Change Log

An incorrect setting of UXN bits within mmu_flags_to_s1_pte_attr lead to privileged executable pages being mapped as executable from an unprivileged context. This can be leveraged by an attacker to bypass executability restrictions of kernel-mode pages from user-mode. An incorrect setting of PXN bits within mmu_flags_to_s1_pte_attr lead to unprivileged executable pages being mapped as executable from a privileged context. This can be leveraged by an attacker to bypass executability restrictions of user-mode pages from kernel-mode. Typically this allows a potential attacker to circumvent a mitigation, making exploitation of potential kernel-mode vulnerabilities easier. We recommend updating kernel beyond commit 7d731b4e9599088ac3073956933559da7bca6a00 and rebuilding.

)\]}' { "commit": "7d731b4e9599088ac3073956933559da7bca6a00", "tree": "22482985c7dac6dfd52e418d423880cad15437d9", "parents": \[ "85cf47932359ea76deef555e5ee0c79422c5ae98" \], "author": { "name": "Travis Geiselbrecht", "email": "travisg@google.com", "time": "Tue Dec 07 03:27:16 2021 +0000" }, "committer": { "name": "Commit Bot", "email": "commit-bot@chromium.org", "time": "Tue Dec 07 03:27:16 2021 +0000" }, "message": "\[kernel\]\[arm64\]\[mmu\] Fix bug where privileged executable pages are executable from EL0\\n\\nPreviously, was always setting UXN and PXN bits on pages explicitly\\nmapped as non executable, not taking into account that user (EL0) code\\ncould access a privileged page because UXN wasn\\u0027t set.\\n\\nChange the logic to appropriately set PXN and UXN bits on user and\\nprivleged executable pages, appropriately:\\n\\nuser/privileged non-executable page: UXN\\u003d1, PXN\\u003d1\\nuser executable page: UXN\\u003d0, PXN\\u003d1\\nprivileged executable page: UXN\\u003d1, PXN\\u003d0\\n\\nEL2 mappings for the kernel interpret these bits slightly differently,\\nso simply map the non executable code as XN\\u003d1 (bit 54).\\n\\nAdd kernel unit test to validate that pages mapped this way at least\\nappear to be in sync with the aspace.Query() api.\\n\\nBug: 88451\\nChange-Id: Icea7a3c5b5effa8b8fe828b3ed6d8e27433caaf0\\nReviewed-on: https://fuchsia-review.googlesource.com/c/fuchsia/+/614141\\nReviewed-by: Marco Vanotti \\u003cmvanotti@google.com\\u003e\\nCommit-Queue: Travis Geiselbrecht \\u003ctravisg@google.com\\u003e\\n", "tree\_diff": \[ { "type": "modify", "old\_id": "8f9bd269084c4f0ed59f59ff1cc1f0b1f7f1102d", "old\_mode": 33188, "old\_path": "zircon/kernel/arch/arm64/BUILD.gn", "new\_id": "73eceeef22e02c038da866b32eddd648f03c4215", "new\_mode": 33188, "new\_path": "zircon/kernel/arch/arm64/BUILD.gn" }, { "type": "modify", "old\_id": "f76caad50d77d8e4c5a20f5e5bcc954b9342948d", "old\_mode": 33188, "old\_path": "zircon/kernel/arch/arm64/include/arch/arm64/mmu.h", "new\_id": "09a7ed3e1b92c4a936e824193161755188ae9e20", "new\_mode": 33188, "new\_path": "zircon/kernel/arch/arm64/include/arch/arm64/mmu.h" }, { "type": "modify", "old\_id": "8f8d3e259fb43135bfcc5a9573d33cceb0959f44", "old\_mode": 33188, "old\_path": "zircon/kernel/arch/arm64/mmu.cc", "new\_id": "c864fd16c104a7f439b6f877c49d526462c02207", "new\_mode": 33188, "new\_path": "zircon/kernel/arch/arm64/mmu.cc" }, { "type": "add", "old\_id": "0000000000000000000000000000000000000000", "old\_mode": 0, "old\_path": "/dev/null", "new\_id": "c7b9d3e7e83ebef9382ca822438eeca93dc13e37", "new\_mode": 33188, "new\_path": "zircon/kernel/arch/arm64/mmu\_tests.cc" }, { "type": "modify", "old\_id": "20510c1382cbc1ac1e1cb9c58124df2bd451e254", "old\_mode": 33188, "old\_path": "zircon/kernel/arch/arm64/start.S", "new\_id": "0f914ea906d887d297770dfa6e687e9dbd1fc135", "new\_mode": 33188, "new\_path": "zircon/kernel/arch/arm64/start.S" } \] }

CVE-2021-22566

Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2022-21954.

CVE-2022-21970

A stack-buffer-overflow exists in libde265 v1.0.8 via fallback-motion.cc in function put_epel_hv_fallback when running program dec265.

Hello,  
A stack-buffer-overflow has occurred when running program dec265  
System info：  
Ubuntu 20.04.1 : clang 10.0.0 , gcc 9.3.0

Dec265 v1.0.8

poc (4).zip

Verification steps：  
1.Get the source code of libde265  
2.Compile

    cd libde265
    mkdir build && cd build
    cmake ../ -DCMAKE_CXX_COMPILER=clang++ -DCMAKE_CXX_FLAGS="fsanitize=address"
    make -j 32
    

3.run dec265

asan info

    =================================================================
    ==1262407==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffeacbd65e3 at pc 0x7ff9ff7de308 bp 0x7ffeacbd3f00 sp 0x7ffeacbd3ef0
    READ of size 2 at 0x7ffeacbd65e3 thread T0
        #0 0x7ff9ff7de307 in void put_epel_hv_fallback<unsigned short>(short*, long, unsigned short const*, long, int, int, int, int, short*, int) /home/dh/sda3/AFLplusplus/libde265-master/libde265-master-afl++/libde265/fallback-motion.cc:352
        #1 0x7ff9ff830067 in acceleration_functions::put_hevc_epel_hv(short*, long, void const*, long, int, int, int, int, short*, int) const /home/dh/sda3/AFLplusplus/libde265-master/libde265-master-afl++/libde265/acceleration.h:328
        #2 0x7ff9ff830067 in void mc_chroma<unsigned char>(base_context const*, seq_parameter_set const*, int, int, int, int, short*, int, unsigned char const*, int, int, int, int) /home/dh/sda3/AFLplusplus/libde265-master/libde265-master-afl++/libde265/motion.cc:254
        #3 0x7ff9ff8262ab in generate_inter_prediction_samples(base_context*, slice_segment_header const*, de265_image*, int, int, int, int, int, int, int, PBMotion const*) /home/dh/sda3/AFLplusplus/libde265-master/libde265-master-afl++/libde265/motion.cc:388
        #4 0x7ff9ff828626 in decode_prediction_unit(base_context*, slice_segment_header const*, de265_image*, PBMotionCoding const&, int, int, int, int, int, int, int, int) /home/dh/sda3/AFLplusplus/libde265-master/libde265-master-afl++/libde265/motion.cc:2107
        #5 0x7ff9ff89c8aa in read_coding_unit(thread_context*, int, int, int, int) /home/dh/sda3/AFLplusplus/libde265-master/libde265-master-afl++/libde265/slice.cc:4314
        #6 0x7ff9ff8a48f2 in read_coding_quadtree(thread_context*, int, int, int, int) /home/dh/sda3/AFLplusplus/libde265-master/libde265-master-afl++/libde265/slice.cc:4652
        #7 0x7ff9ff8a4e43 in read_coding_quadtree(thread_context*, int, int, int, int) /home/dh/sda3/AFLplusplus/libde265-master/libde265-master-afl++/libde265/slice.cc:4638
        #8 0x7ff9ff8a4ace in read_coding_quadtree(thread_context*, int, int, int, int) /home/dh/sda3/AFLplusplus/libde265-master/libde265-master-afl++/libde265/slice.cc:4645
        #9 0x7ff9ff8a4db9 in read_coding_quadtree(thread_context*, int, int, int, int) /home/dh/sda3/AFLplusplus/libde265-master/libde265-master-afl++/libde265/slice.cc:4641
        #10 0x7ff9ff8a6564 in decode_substream(thread_context*, bool, bool) /home/dh/sda3/AFLplusplus/libde265-master/libde265-master-afl++/libde265/slice.cc:4741
        #11 0x7ff9ff8a8ddb in read_slice_segment_data(thread_context*) /home/dh/sda3/AFLplusplus/libde265-master/libde265-master-afl++/libde265/slice.cc:5054
        #12 0x7ff9ff78dd75 in decoder_context::decode_slice_unit_sequential(image_unit*, slice_unit*) /home/dh/sda3/AFLplusplus/libde265-master/libde265-master-afl++/libde265/decctx.cc:843
        #13 0x7ff9ff790c0f in decoder_context::decode_slice_unit_parallel(image_unit*, slice_unit*) /home/dh/sda3/AFLplusplus/libde265-master/libde265-master-afl++/libde265/decctx.cc:945
        #14 0x7ff9ff791715 in decoder_context::decode_some(bool*) /home/dh/sda3/AFLplusplus/libde265-master/libde265-master-afl++/libde265/decctx.cc:730
        #15 0x7ff9ff7949bb in decoder_context::read_slice_NAL(bitreader&, NAL_unit*, nal_header&) /home/dh/sda3/AFLplusplus/libde265-master/libde265-master-afl++/libde265/decctx.cc:688
        #16 0x7ff9ff795839 in decoder_context::decode_NAL(NAL_unit*) /home/dh/sda3/AFLplusplus/libde265-master/libde265-master-afl++/libde265/decctx.cc:1230
        #17 0x7ff9ff796e1e in decoder_context::decode(int*) /home/dh/sda3/AFLplusplus/libde265-master/libde265-master-afl++/libde265/decctx.cc:1318
        #18 0x5573510028fd in main /home/dh/sda3/AFLplusplus/libde265-master/libde265-master-afl++/dec265/dec265.cc:764
        #19 0x7ff9ff2e50b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
        #20 0x55735100576d in _start (/home/dh/sda3/AFLplusplus/libde265-master/libde265-master-afl++/out/dec265-afl+++0xa76d)
    
    Address 0x7ffeacbd65e3 is located in stack of thread T0 at offset 9315 in frame
        #0 0x7ff9ff82e67f in void mc_chroma<unsigned char>(base_context const*, seq_parameter_set const*, int, int, int, int, short*, int, unsigned char const*, int, int, int, int) /home/dh/sda3/AFLplusplus/libde265-master/libde265-master-afl++/libde265/motion.cc:174
    
      This frame has 2 object(s):
        [32, 9120) 'mcbuffer' (line 200)
        [9392, 14752) 'padbuf' (line 222) <== Memory access at offset 9315 underflows this variable
    HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
          (longjmp and C++ exceptions *are* supported)
    SUMMARY: AddressSanitizer: stack-buffer-overflow /home/dh/sda3/AFLplusplus/libde265-master/libde265-master-afl++/libde265/fallback-motion.cc:352 in void put_epel_hv_fallback<unsigned short>(short*, long, unsigned short const*, long, int, int, int, int, short*, int)
    Shadow bytes around the buggy address:
      0x100055972c60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x100055972c70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x100055972c80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x100055972c90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x100055972ca0: 00 00 00 00 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2
    =>0x100055972cb0: f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2[f2]f2 f2 f2
      0x100055972cc0: f2 f2 f2 f2 f2 f2 00 00 00 00 00 00 00 00 00 00
      0x100055972cd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x100055972ce0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x100055972cf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x100055972d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==1262407==ABORTING

CVE-2021-36410: stack-buffer-overflow in fallback-motion.cc when decoding file · Issue #301 · strukturag/libde265

GDAL 3.3.0 through 3.4.0 has a heap-based buffer overflow in PCIDSK::CPCIDSKFile::ReadFromFile (called from PCIDSK::CPCIDSKSegment::ReadFromFile and PCIDSK::CPCIDSKBinarySegment::CPCIDSKBinarySegment).

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Pick a username

Email Address

Password

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CVE-2021-45943: PCIDSK: fix write heap-buffer-overflow. Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=41993 by rouault · Pull Request #4944 · OSGeo/gdal

HarfBuzz 2.9.0 has an out-of-bounds write in hb_bit_set_invertible_t::set (called from hb_sparseset_t<hb_bit_set_invertible_t>::set and hb_set_copy).

id: OSV-2021-1159

summary: UNKNOWN WRITE in hb\_bit\_set\_invertible\_t::set

details: |

OSS-Fuzz report: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=37425

\`\`\`

Crash type: UNKNOWN WRITE

Crash state:

hb\_bit\_set\_invertible\_t::set

hb\_sparseset\_t<hb\_bit\_set\_invertible\_t>::set

hb\_set\_copy

\`\`\`

modified: '2022-04-13T03:04:33.060992Z'

published: '2021-08-22T00:00:24.931714Z'

references:

\- type: REPORT

url: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=37425

affected:

\- package:

name: harfbuzz

ecosystem: OSS-Fuzz

ranges:

\- type: GIT

repo: https://github.com/harfbuzz/harfbuzz.git

events:

\- introduced: 48ad9eef1eb5e5226fcfdb86f3cf5be925456a57

\- fixed: d3e09bf4654fe5478b6dbf2b26ebab6271317d81

versions:

\- 2.9.0

ecosystem\_specific:

severity: HIGH

CVE-2021-45931: oss-fuzz-vulns/OSV-2021-1159.yaml at main · google/oss-fuzz-vulns

UltraJSON (aka ujson) through 5.1.0 has a stack-based buffer overflow in Buffer_AppendIndentUnchecked (called from encode). Exploitation can, for example, use a large amount of indentation.

id: OSV-2021-955

summary: Stack-buffer-overflow in Buffer\_AppendIndentUnchecked

details: |

OSS-Fuzz report: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=36009

\`\`\`

Crash type: Stack-buffer-overflow WRITE 1

Crash state:

Buffer\_AppendIndentUnchecked

encode

encode

\`\`\`

modified: '2022-05-19T00:45:08.957102Z'

published: '2021-07-11T00:01:05.153778Z'

references:

\- type: REPORT

url: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=36009

affected:

\- package:

name: ujson

ecosystem: PyPI

ranges:

\- type: GIT

repo: https://github.com/ultrajson/ultrajson.git

events:

\- introduced: 0c52200eb4e2d97e548a765d5f089858c41967b0

\- fixed: f6860f1f3d8d4e92b9be0e5815355a8976c6e75b

\- fixed: 5525f8c9ef8bb879dadd0eb942d524827d1b0362

versions:

\- 2.0.0

\- 2.0.1

\- 2.0.2

\- 2.0.3

\- 3.0.0

\- 3.1.0

\- 3.2.0

\- 4.0.0

\- 4.0.1

\- 4.0.2

\- 4.1.0

\- 4.2.0

\- 4.3.0

\- 5.0.0

\- 5.1.0

\- v1.34

\- v1.35

ecosystem\_specific:

severity: HIGH

CVE-2021-45958: oss-fuzz-vulns/OSV-2021-955.yaml at main · google/oss-fuzz-vulns

Use after free in web apps in Google Chrome prior to 96.0.4664.93 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via a crafted Chrome Extension.

**Chrome Releases**

Release updates from the Chrome team

CVE-2021-4052: Stable Channel Update for Desktop

A specially-crafted HTTP request can lead to SQL injection. An attacker can make authenticated HTTP requests to trigger this vulnerability at ‘host_alt_filter’ parameter. This can be done as any authenticated user or through cross-site request forgery.

Tag

#chrome