Buffer Overflow vulnerability found in Liblouis Lou_Trace v.3.24.0 allows a remote attacker to cause a denial of service via the resolveSubtable function at compileTranslationTabel.c.

CVE-2023-26769

Buffer Overflow vulnerability found in Liblouis v.3.24.0 allows a remote attacker to cause a denial of service via the compileTranslationTable.c and lou_setDataPath functions.

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Pick a username

Email Address

Password

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CVE-2023-26768: Check filename before coping to initialLogFileName by Marsman1996 · Pull Request #1302 · liblouis/liblouis

Buffer Overflow vulnerability found in Liblouis v.3.24.0 allows a remote attacker to cause a denial of service via the lou_logFile function at logginc.c endpoint.

When long path is given to API lou_setDataPath(), there will be a global-buffer-overflow.

Similar to #1291, because liblouis does not check the input length.

lou\_setDataPath(const char \*path) {

static char dataPath\[MAXSTRING\];

dataPathPtr = NULL;

if (path == NULL) return NULL;

strcpy(dataPath, path);

**Test Environment**

Ubuntu 16.04.3 LTS  
liblouis (master, 6223f21)

**How to trigger**

1.  Compile liblouis with AddressSanitizer
2.  Compile the fuzz driver and poc file
3.  Compile the fuzz driver: $ clang -g -fsanitize=address,fuzzer ./driver-API-6223f21-lou_setDataPath-BO.c ./bin_asan/lib/liblouis.a -I ./bin_asan/include/liblouis/ -o driver-API-6223f21-lou_setDataPath-BO
4.  run the compiled driver: $ ./driver-API-6223f21-lou_setDataPath-BO poc-API-6223f21-lou_setDataPath-BO

**ASAN report**

    $ ./driver-API-6223f21-lou_setDataPath-BO poc-API-6223f21-lou_setDataPath-BO
    Minimum size is 0
    INFO: Running with entropic power schedule (0xFF, 100).
    INFO: Seed: 1537783897
    INFO: Loaded 1 modules   (2848 inline 8-bit counters): 2848 [0x80bf40, 0x80ca60), 
    INFO: Loaded 1 PC tables (2848 PCs): 2848 [0x5b9668,0x5c4868), 
    ./driver-API-6223f21-lou_setDataPath-BO: Running 1 inputs 1 time(s) each.
    Running: poc-API-6223f21-lou_setDataPath-BO
    =================================================================
    ==29969==ERROR: AddressSanitizer: global-buffer-overflow on address 0x0000010e85a0 at pc 0x00000050dc38 bp 0x7ffed6135f90 sp 0x7ffed6135750
    WRITE of size 4098 at 0x0000010e85a0 thread T0
        #0 0x50dc37 in strcpy /local/mnt/workspace/bcain_clang_vm-bcain-aus_3184/final/llvm-project/compiler-rt/lib/asan/asan_interceptors.cpp:423:5
        #1 0x553af6 in lou_setDataPath /opt/disk/marsman/liblouis/6223f21/build_asan/liblouis/../../code/liblouis/compileTranslationTable.c:62:2
        #2 0x553674 in AFG_func /opt/disk/marsman/liblouis/6223f21/./driver-API-6223f21-lou_setDataPath-BO.c:16:2
        #3 0x553890 in LLVMFuzzerTestOneInput /opt/disk/marsman/liblouis/6223f21/./driver-API-6223f21-lou_setDataPath-BO.c:43:2
        #4 0x459951 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /local/mnt/workspace/bcain_clang_vm-bcain-aus_3184/final/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:599:15
        #5 0x443612 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /local/mnt/workspace/bcain_clang_vm-bcain-aus_3184/final/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:323:6
        #6 0x449980 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /local/mnt/workspace/bcain_clang_vm-bcain-aus_3184/final/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:856:9
        #7 0x473902 in main /local/mnt/workspace/bcain_clang_vm-bcain-aus_3184/final/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
        #8 0x7fdb3926383f in __libc_start_main /build/glibc-S7Ft5T/glibc-2.23/csu/../csu/libc-start.c:291
        #9 0x41e118 in _start (/opt/disk/marsman/liblouis/6223f21/driver-API-6223f21-lou_setDataPath-BO+0x41e118)
    
    0x0000010e85a0 is located 0 bytes to the right of global variable 'dataPath' defined in '../../code/liblouis/compileTranslationTable.c:59:14' (0x10e7da0) of size 2048
    SUMMARY: AddressSanitizer: global-buffer-overflow /local/mnt/workspace/bcain_clang_vm-bcain-aus_3184/final/llvm-project/compiler-rt/lib/asan/asan_interceptors.cpp:423:5 in strcpy
    Shadow bytes around the buggy address:
      0x000080215060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x000080215070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x000080215080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x000080215090: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0000802150a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x0000802150b0: 00 00 00 00[f9]f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
      0x0000802150c0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
      0x0000802150d0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
      0x0000802150e0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
      0x0000802150f0: f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9
      0x000080215100: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==29969==ABORTING

CVE-2023-26767: global-buffer-overflow in lou_setDataPath() when long path is given · Issue #1292 · liblouis/liblouis

An issue found in TCPprep v.4.4.3 allows a remote attacker to cause a denial of service via the parse_list function at the list.c:81 endpoint.

**Describe the bug**  
There is a NULL Pointer Dereference in parse_list() when the user passes specific size (i.e., 2) of include string to tcpprep with option --include.

**To Reproduce**  
Steps to reproduce the behavior:

1.  Get the Tcpreplay source code and compile it.

2.  Run Command $ ./tcpprep --include="P "

**Expected behavior**  
Program crashes with Segmentation fault.

    $ gdb --args ./bin_normal/bin/tcpprep --include="P "
    
    (gdb) r
    Starting program: /home/ubuntu178/cvelibf/test/tcpreplay/latest/bin_normal/bin/tcpprep --include=P\ 
    
    Program received signal SIGSEGV, Segmentation fault.
    __strlen_avx2 () at ../sysdeps/x86_64/multiarch/strlen-avx2.S:65
    65      ../sysdeps/x86_64/multiarch/strlen-avx2.S: No such file or directory.
    (gdb) bt
    #0  __strlen_avx2 () at ../sysdeps/x86_64/multiarch/strlen-avx2.S:65
    #1  0x00007ffff7e4982b in __GI___regexec (preg=0x7fffffffd650, string=0x0, nmatch=0, pmatch=0x0, eflags=0) at regexec.c:210
    #2  0x000055555555ed19 in parse_list (listdata=0x55555556db38, ourstr=0x55555558dbf2 "") at list.c:81
    #3  0x00005555555614a7 in parse_xX_str (xX=0x55555556db30, str=0x55555558dbf2 "", bpf=0x55555556db50) at xX.c:84
    #4  0x00005555555581fc in doOptInclude (pOptions=0x55555556bc00 <tcpprepOptions>, pOptDesc=0x55555556b3c8 <optDesc+936>) at tcpprep_opts.c:1411
    #5  0x00007ffff7f4011e in ?? () from /lib/x86_64-linux-gnu/libopts.so.25
    #6  0x00007ffff7f48964 in ?? () from /lib/x86_64-linux-gnu/libopts.so.25
    #7  0x00007ffff7f4b7c8 in optionProcess () from /lib/x86_64-linux-gnu/libopts.so.25
    #8  0x000055555555899c in main (argc=2, argv=0x7fffffffde88) at tcpprep.c:89
    

**System (please complete the following information):**

*   OS: Ubuntu
*   OS version: 20.04, 64 bit
*   Tcpreplay Version: master bcb107a

    $ ./bin_normal/bin/tcprewrite -V
    tcprewrite version: 4.4.3 (build git:v4.4.3)
    Copyright 2013-2022 by Fred Klassen <tcpreplay at appneta dot com> - AppNeta
    Copyright 2000-2012 by Aaron Turner <aturner at synfin dot net>
    The entire Tcpreplay Suite is licensed under the GPLv3
    Cache file supported: 04
    Not compiled with libdnet.
    Compiled against libpcap: 1.9.1
    64 bit packet counters: enabled
    Verbose printing via tcpdump: enabled
    Fragroute engine: disabled

CVE-2023-27787: [Bug] NULL Pointer Dereference in parse_list() at list.c:81 · Issue #788 · appneta/tcpreplay

An issue found in TCPprep v.4.4.3 allows a remote attacker to cause a denial of service via the macinstring function.

CVE-2023-27786: Fix bugs caused by strtok_r by Marsman1996 · Pull Request #783 · appneta/tcpreplay

An issue found in TCPreplay tcprewrite v.4.4.3 allows a remote attacker to cause a denial of service via the tcpedit_dlt_cleanup function at plugins/dlt_plugins.c.

CVE-2023-27783: dlt_jnpr_ether_cleanup: check subctx before cleanup by Marsman1996 · Pull Request #781 · appneta/tcpreplay

An issue found in TCPReplay v.4.4.3 allows a remote attacker to cause a denial of service via the read_hexstring function at the utils.c:309 endpoint.

**Describe the bug**  
There is a NULL Pointer Dereference in read_hexstring() when the user passes empty user dlink string to tcprewrite with option --user-dlink when the program process the pcap file whose data link type is DLT\_USER0.

**To Reproduce**  
Steps to reproduce the behavior:

1.  Get the Tcpreplay source code and compile it.

2.  Run Command $ ./tcprewrite --user-dlink="" -i $POC -o /dev/null  
    The POC file could be downloaded in POC file

**Expected behavior**  
Program crashes with Segmentation fault.

The GDB report is:

    $ gdb --args ./bin_normal/bin/tcprewrite --user-dlink="" -i ./poc-tcprewrite-bcb107a-read_hexstring-SEGV -o /dev/null
    
    (gdb) r
    Starting program: /home/ubuntu178/cvelibf/test/tcpreplay/latest/bin_normal/bin/tcprewrite --user-dlink= -i ./poc-tcprewrite-bcb107a-read_hexstring-SEGV -o /dev/null
    
    Program received signal SIGSEGV, Segmentation fault.
    __rawmemchr_avx2 () at ../sysdeps/x86_64/multiarch/memchr-avx2.S:65
    65      ../sysdeps/x86_64/multiarch/memchr-avx2.S: No such file or directory.
    (gdb) bt
    #0  __rawmemchr_avx2 () at ../sysdeps/x86_64/multiarch/memchr-avx2.S:65
    #1  0x00007ffff7dddf36 in _IO_str_init_static_internal (sf=sf@entry=0x7fffffffbe30, ptr=ptr@entry=0x0, size=size@entry=0, pstart=pstart@entry=0x0) at strops.c:41
    #2  0x00007ffff7dad4c3 in _IO_strfile_read (string=0x0, sf=0x7fffffffbe30) at ../libio/strfile.h:95
    #3  __GI___isoc99_sscanf (s=0x0, format=0x555555576598 "%x") at isoc99_sscanf.c:28
    #4  0x000055555556e7cf in read_hexstring (l2string=0x55555557e2a0 "", hex=0x555555581367 "", hexlen=255) at utils.c:309
    #5  0x00005555555656ae in dlt_user_parse_opts (ctx=0x555555580890) at plugins/dlt_user/user.c:194
    #6  0x000055555556169c in tcpedit_dlt_parse_opts (ctx=0x555555580890) at plugins/dlt_utils.c:39
    #7  0x0000555555560ca5 in tcpedit_dlt_post_args (tcpedit=0x55555557ffe0) at plugins/dlt_plugins.c:210
    #8  0x000055555555b575 in tcpedit_post_args (tcpedit=0x55555557ffe0) at parse_args.c:252
    #9  0x0000555555558c23 in main (argc=0, argv=0x7fffffffc2e8) at tcprewrite.c:89
    

**System (please complete the following information):**

*   OS: Ubuntu
*   OS version: 20.04, 64 bit
*   Tcpreplay Version: master bcb107a

    $ ./bin_normal/bin/tcprewrite -V
    tcprewrite version: 4.4.3 (build git:v4.4.3)
    Copyright 2013-2022 by Fred Klassen <tcpreplay at appneta dot com> - AppNeta
    Copyright 2000-2012 by Aaron Turner <aturner at synfin dot net>
    The entire Tcpreplay Suite is licensed under the GPLv3
    Cache file supported: 04
    Not compiled with libdnet.
    Compiled against libpcap: 1.9.1
    64 bit packet counters: enabled
    Verbose printing via tcpdump: enabled
    Fragroute engine: disabled

CVE-2023-27784: [Bug] NULL Pointer Dereference in read_hexstring() at utils.c:309 · Issue #787 · appneta/tcpreplay

An issue found in TCPreplay TCPprep v.4.4.3 allows a remote attacker to cause a denial of service via the parse endpoints function.

**Describe the bug**  
There is a NULL Pointer Dereference in parse_endpoints() when the user passes empty endpoints string to tcprewrite with option --endpoints.

**To Reproduce**  
Steps to reproduce the behavior:

1.  Get the Tcpreplay source code and compile it.

2.  Generate cache file $ ./tcpprep --port --pcap=./test.pcap --cachefile=./test.cache  
    The file test.pcap is from tcpreplay codebase, which is located in test/test.pcap.
3.  Run Command $ ./tcprewrite --endpoints="" -i ./test.pcap -o /dev/null --cachefile=./test.cache

**Expected behavior**  
Program crashes with Segmentation fault.

The GDB report is:

    $ gdb --args ./bin_normal/bin/tcprewrite --endpoints="" -i ./code/test/test.pcap -o /dev/null --cachefile=./test.cache
    
    For help, type "help".
    Type "apropos word" to search for commands related to "word"...
    Reading symbols from ./bin_normal/bin/tcprewrite...
    (gdb) r
    Starting program: /home/ubuntu178/cvelibf/test/tcpreplay/latest/bin_normal/bin/tcprewrite --endpoints= -i ./code/test/test.pcap -o /dev/null --cachefile=./test.cache
    
    Program received signal SIGSEGV, Segmentation fault.
    0x000055555556fde2 in strlcat (dst=0x7fffffffc0aa "", src=0x0, dsize=92) at strlcat.c:45
    45              while (*src != '\0') {
    (gdb) bt
    #0  0x000055555556fde2 in strlcat (dst=0x7fffffffc0aa "", src=0x0, dsize=92) at strlcat.c:45
    #1  0x000055555556b6f0 in parse_endpoints (cidrmap1=0x555555580850, cidrmap2=0x555555580858, optarg=0x7fffffffc654 "") at cidr.c:367
    #2  0x000055555555b51c in tcpedit_post_args (tcpedit=0x55555557fff0) at parse_args.c:243
    #3  0x0000555555558c23 in main (argc=0, argv=0x7fffffffc2f0) at tcprewrite.c:89
    

**System (please complete the following information):**

*   OS: Ubuntu
*   OS version: 20.04, 64 bit
*   Tcpreplay Version: master bcb107a

    $ ./bin_normal/bin/tcprewrite -V
    tcprewrite version: 4.4.3 (build git:v4.4.3)
    Copyright 2013-2022 by Fred Klassen <tcpreplay at appneta dot com> - AppNeta
    Copyright 2000-2012 by Aaron Turner <aturner at synfin dot net>
    The entire Tcpreplay Suite is licensed under the GPLv3
    Cache file supported: 04
    Not compiled with libdnet.
    Compiled against libpcap: 1.9.1
    64 bit packet counters: enabled
    Verbose printing via tcpdump: enabled
    Fragroute engine: disabled

CVE-2023-27785: [Bug] NULL Pointer Dereference in parse_endpoints() at cidr.c:367 · Issue #785 · appneta/tcpreplay

An issue found in TCPrewrite v.4.4.3 allows a remote attacker to cause a denial of service via the ports2PORT function at the portmap.c:69 endpoint.

**Describe the bug**  
There is a reachable assertion in ports2PORT() when the user passes empty portmap string to tcprewrite with option --portmap.

**To Reproduce**  
Steps to reproduce the behavior:

1.  Get the Tcpreplay source code and compile it.

2.  Run Command $ ./tcprewrite --portmap="" -i ./test.pcap -o /dev/null  
    The file test.pcap is from tcpreplay codebase, which is located in test/test.pcap.

**Expected behavior**  
Program reports assertion failure and is terminated.

The GDB report:

    $ gdb --args ./bin_normal/bin/tcprewrite --portmap="" -i ./code/test/test.pcap -o /dev/null
    
    (gdb) r
    Starting program: /home/ubuntu178/cvelibf/test/tcpreplay/latest/bin_normal/bin/tcprewrite --portmap= -i ./code/test/test.pcap -o /dev/null
    tcprewrite: portmap.c:69: ports2PORT: Assertion `ports' failed.
    
    Program received signal SIGABRT, Aborted.
    __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
    50      ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
    (gdb) bt
    #0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
    #1  0x00007ffff7d6d859 in __GI_abort () at abort.c:79
    #2  0x00007ffff7d6d729 in __assert_fail_base (fmt=0x7ffff7f03588 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=0x55555557242a "ports", file=0x555555572420 "portmap.c", line=69, function=<optimized out>)
        at assert.c:92
    #3  0x00007ffff7d7ef36 in __GI___assert_fail (assertion=0x55555557242a "ports", file=0x555555572420 "portmap.c", line=69, function=0x5555555725c0 <__PRETTY_FUNCTION__.6999> "ports2PORT") at assert.c:101
    #4  0x000055555555e28d in ports2PORT (ports=0x0) at portmap.c:69
    #5  0x000055555555e83a in parse_portmap (portmap=0x555555580848, ourstr=0x55555557e2a0 "") at portmap.c:197
    #6  0x000055555555b2e3 in tcpedit_post_args (tcpedit=0x55555557ffc0) at parse_args.c:191
    #7  0x0000555555558c23 in main (argc=0, argv=0x7fffffffc2f8) at tcprewrite.c:89
    

**System (please complete the following information):**

*   OS: Ubuntu
*   OS version: 20.04, 64 bit
*   Tcpreplay Version: master bcb107a

    $ ./bin_normal/bin/tcprewrite -V
    tcprewrite version: 4.4.3 (build git:v4.4.3)
    Copyright 2013-2022 by Fred Klassen <tcpreplay at appneta dot com> - AppNeta
    Copyright 2000-2012 by Aaron Turner <aturner at synfin dot net>
    The entire Tcpreplay Suite is licensed under the GPLv3
    Cache file supported: 04
    Not compiled with libdnet.
    Compiled against libpcap: 1.9.1
    64 bit packet counters: enabled
    Verbose printing via tcpdump: enabled
    Fragroute engine: disabled

CVE-2023-27788: [Bug] Reachable assertion in ports2PORT() at portmap.c:69 · Issue #786 · appneta/tcpreplay

Ubuntu Security Notice 5954-1 - Multiple security issues were discovered in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, obtain sensitive information across domains, or execute arbitrary code. Lukas Bernhard discovered that Firefox did not properly manage memory when invalidating JIT code while following an iterator. An attacker could potentially exploits this issue to cause a denial of service.

    ==========================================================================Ubuntu Security Notice USN-5954-1March 15, 2023firefox vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 20.04 LTS- Ubuntu 18.04 LTSSummary:Several security issues were fixed in Firefox.Software Description:- firefox: Mozilla Open Source web browserDetails:Multiple security issues were discovered in Firefox. If a user weretricked into opening a specially crafted website, an attacker couldpotentially exploit these to cause a denial of service, obtain sensitiveinformation across domains, or execute arbitrary code. (CVE-2023-25750,CVE-2023-25752, CVE-2023-28162, CVE-2023-28176, CVE-2023-28177)Lukas Bernhard discovered that Firefox did not properly manage memorywhen invalidating JIT code while following an iterator. An attacker couldpotentially exploits this issue to cause a denial of service.(CVE-2023-25751)Rob Wu discovered that Firefox did not properly manage the URLs whenfollowing a redirect to a publicly accessible web extension file. Anattacker could potentially exploits this to obtain sensitive information.(CVE-2023-28160)Luan Herrera discovered that Firefox did not properly manage cross-originiframe when dragging a URL. An attacker could potentially exploit thisissue to perform spoofing attacks. (CVE-2023-28164)Khiem Tran discovered that Firefox did not properly manage one-timepermissions granted to a document loaded using a file: URL. An attackercould potentially exploit this issue to use granted one-time permissionson the local files came from different sources. (CVE-2023-28161)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 20.04 LTS:  firefox                         111.0+build2-0ubuntu0.20.04.1Ubuntu 18.04 LTS:  firefox                         111.0+build2-0ubuntu0.18.04.1After a standard system update you need to restart Firefox to make all thenecessary changes.References:  https://ubuntu.com/security/notices/USN-5954-1  CVE-2023-25750, CVE-2023-25751, CVE-2023-25752, CVE-2023-28160,  CVE-2023-28161, CVE-2023-28162, CVE-2023-28164, CVE-2023-28176,  CVE-2023-28177Package Information:  https://launchpad.net/ubuntu/+source/firefox/111.0+build2-0ubuntu0.20.04.1  https://launchpad.net/ubuntu/+source/firefox/111.0+build2-0ubuntu0.18.04.1

Tag

#dos