Inappropriate implementation in extensions in Google Chrome prior to 81.0.4044.92 allowed an attacker who convinced a user to install a malicious extension to obtain potentially sensitive information via a crafted Chrome Extension.

**Chrome Releases**

Release updates from the Chrome team

CVE-2020-6440: Stable Channel Update for Desktop

Insufficient policy enforcement in extensions in Google Chrome prior to 81.0.4044.92 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page.

CVE-2020-6433

Inappropriate implementation in cache in Google Chrome prior to 81.0.4044.92 allowed a remote attacker to leak cross-origin data via a crafted HTML page.

CVE-2020-6442

Heap buffer overflow in media in Google Chrome prior to 80.0.3987.162 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

CVE-2020-6452: Stable Channel Update for Desktop

Use after free in extensions in Google Chrome prior to 81.0.4044.92 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via a crafted Chrome Extension.

About Monorail User Guide Release Notes Feedback on Monorail Terms Privacy

CVE-2020-6454: 1019161 - chromium - An open-source project to help move the web forward.

Use after free in V8 in Google Chrome prior to 81.0.4044.92 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

CVE-2020-6448: Stable Channel Update for Desktop

An issue was discovered in slc_bump in drivers/net/can/slcan.c in the Linux kernel 3.16 through 5.6.2. It allows attackers to read uninitialized can_frame data, potentially containing sensitive information from kernel stack memory, if the configuration lacks CONFIG_INIT_STACK_ALL, aka CID-b9258a2cece4.

Permalink

Browse files

slcan: Don't transmit uninitialized stack data in padding

struct can\_frame contains some padding which is not explicitly zeroed in
slc\_bump. This uninitialized data will then be transmitted if the stack
initialization hardening feature is not enabled (CONFIG\_INIT\_STACK\_ALL).

This commit just zeroes the whole struct including the padding.

Signed-off-by: Richard Palethorpe <rpalethorpe@suse.com>
Fixes: a1044e3 ("can: add slcan driver for serial/USB-serial CAN adapters")
Reviewed-by: Kees Cook <keescook@chromium.org>
Cc: linux-can@vger.kernel.org
Cc: netdev@vger.kernel.org
Cc: security@kernel.org
Cc: wg@grandegger.com
Cc: mkl@pengutronix.de
Cc: davem@davemloft.net
Acked-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: David S. Miller <davem@davemloft.net>

*   Loading branch information

Showing with **1 addition** and **3 deletions**.

1.  +1 −3 drivers/net/can/slcan.c

CVE-2020-11494: slcan: Don't transmit uninitialized stack data in padding · torvalds/linux@b9258a2

In PHP versions 7.2.x below 7.2.9, 7.3.x below 7.3.16 and 7.4.x below 7.4.4, while parsing EXIF data with exif_read_data() function, it is possible for malicious data to cause PHP to read one byte of uninitialized memory. This could potentially lead to information disclosure or crash.

Sec Bug #79282

Use-of-uninitialized-value in exif

Submitted:

2020-02-19 09:31 UTC

Modified:

2020-03-17 05:39 UTC

From:

nikic@php.net

Assigned:

stas (profile)

Status:

Closed

Package:

EXIF related

PHP Version:

master-Git-2020-02-19 (Git)

OS:

Private report:

No

CVE-ID:

2020-7064

 **\[2020-02-19 09:31 UTC\] nikic@php.net**

Description:
------------
From https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=19581.

<?php
var\_dump(exif\_read\_data('data://image/jpeg;base64,/9jhAAlFeGlmAAAg'));

Results in:

 	Uninitialized bytes in MemcmpInterceptorCommon at offset 1 inside \[0x7010000006e8, 2)
	==1==WARNING: MemorySanitizer: use-of-uninitialized-value
	    #0 0x5004dc in \_\_interceptor\_bcmp /src/llvm-project/compiler-rt/lib/sanitizer\_common/sanitizer\_common\_interceptors.inc:885:10
	    #1 0x86693b in exif\_process\_TIFF\_in\_JPEG php-src/ext/exif/exif.c:3596:6
	    #2 0x861b7e in exif\_scan\_JPEG\_header php-src/ext/exif/exif.c:3793:6
	    #3 0x8609eb in exif\_scan\_FILE\_header php-src/ext/exif/exif.c:4186:8
	    #4 0x8602bb in exif\_read\_from\_impl php-src/ext/exif/exif.c:4327:8
	    #5 0x858b52 in exif\_read\_from\_stream php-src/ext/exif/exif.c:4344:8
	    #6 0x856001 in zif\_exif\_read\_data php-src/ext/exif/exif.c:4434:9
	    #7 0x112596d in zend\_call\_function php-src/Zend/zend\_execute\_API.c:817:4
	    #8 0x11236e2 in \_call\_user\_function\_ex php-src/Zend/zend\_execute\_API.c:638:9
	    #9 0x1696c7a in fuzzer\_call\_php\_func\_zval php-src/sapi/fuzzer/fuzzer-sapi.c:247:2
	    #10 0x169596f in LLVMFuzzerTestOneInput php-src/sapi/fuzzer/fuzzer-exif.c:52:2
	    #11 0x481101 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const\*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:556:15
	    #12 0x46bc21 in fuzzer::RunOneTest(fuzzer::Fuzzer\*, char const\*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:292:6
	    #13 0x4718de in fuzzer::FuzzerDriver(int\*, char\*\*\*, int (\*)(unsigned char const\*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:774:9
	    #14 0x49b802 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:19:10
	    #15 0x7f3e6199882f in \_\_libc\_start\_main /build/glibc-LK5gWL/glibc-2.23/csu/libc-start.c:291
	    #16 0x445098 in \_start
	
	  Uninitialized value was created by a heap allocation
	    #0 0x4fc67d in malloc /src/llvm-project/compiler-rt/lib/msan/msan\_interceptors.cpp:925:3
	    #1 0x1088155 in \_\_zend\_malloc php-src/Zend/zend\_alloc.c:2975:14
	    #2 0x1082159 in \_emalloc php-src/Zend/zend\_alloc.c:2535:10
	    #3 0x865d76 in exif\_file\_sections\_add php-src/ext/exif/exif.c:2042:10
	    #4 0x8618c0 in exif\_scan\_JPEG\_header php-src/ext/exif/exif.c:3747:8
	    #5 0x8609eb in exif\_scan\_FILE\_header php-src/ext/exif/exif.c:4186:8
	    #6 0x8602bb in exif\_read\_from\_impl php-src/ext/exif/exif.c:4327:8
	    #7 0x858b52 in exif\_read\_from\_stream php-src/ext/exif/exif.c:4344:8
	    #8 0x856001 in zif\_exif\_read\_data php-src/ext/exif/exif.c:4434:9
	    #9 0x112596d in zend\_call\_function php-src/Zend/zend\_execute\_API.c:817:4
	    #10 0x11236e2 in \_call\_user\_function\_ex php-src/Zend/zend\_execute\_API.c:638:9
	    #11 0x1696c7a in fuzzer\_call\_php\_func\_zval php-src/sapi/fuzzer/fuzzer-sapi.c:247:2
	    #12 0x169596f in LLVMFuzzerTestOneInput php-src/sapi/fuzzer/fuzzer-exif.c:52:2
	    #13 0x481101 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const\*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:556:15
	    #14 0x46bc21 in fuzzer::RunOneTest(fuzzer::Fuzzer\*, char const\*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:292:6
	    #15 0x4718de in fuzzer::FuzzerDriver(int\*, char\*\*\*, int (\*)(unsigned char const\*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:774:9
	    #16 0x49b802 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:19:10
	    #17 0x7f3e6199882f in \_\_libc\_start\_main /build/glibc-LK5gWL/glibc-2.23/csu/libc-start.c:291

I can't reproduce under valgrind, so also can't tell which versions are affected.

**Patches**

Add a Patch

**Pull Requests**

Add a Pull Request

**History**

AllCommentsChangesGit/SVN commitsRelated reports

 **\[2020-02-19 10:08 UTC\] nikic@php.net**

\-Assigned To: +Assigned To: stas

 **\[2020-02-24 18:12 UTC\] stas@php.net**

\-CVE-ID: +CVE-ID: 2020-7064

 **\[2020-03-16 03:30 UTC\] stas@php.net**

I've verified that the fix fixes the issue on oss-fuzz setup.

 **\[2020-03-17 05:39 UTC\] stas@php.net**

\-Status: Assigned +Status: Closed

CVE-2020-7064: PHP :: Sec Bug #79282 :: Use-of-uninitialized-value in exif

Zoho ManageEngine Asset Explorer 6.5 does not validate the System Center Configuration Manager (SCCM) database username when dynamically generating a command to schedule scans for SCCM. This allows an attacker to execute arbitrary commands on the AssetExplorer Server with NT AUTHORITY/SYSTEM privileges.

Tag

#chrome