Tor 0.4.7.x before 0.4.7.8 allows a denial of service via the wedging of RTT estimation.

**Name**

CVE-2022-33903

**Source**

CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)

**Vulnerable and fixed packages**

The table below lists information on source packages.

Source Package

Release

Version

Status

tor (PTS)

buster, buster (security)

0.3.5.16-1

fixed

bullseye (security), bullseye

0.4.5.10-1~deb11u1

fixed

bookworm, sid

0.4.7.8-1

fixed

The information below is based on the following data on fixed versions.

Package

Type

Release

Fixed Version

Urgency

Origin

Debian Bugs

tor

source

stretch

(not affected)

tor

source

buster

(not affected)

tor

source

bullseye

(not affected)

tor

source

(unstable)

0.4.7.8-1

**Notes**

\[bullseye\] - tor <not-affected> (Only affects 0.4.7.x)  
\[buster\] - tor <not-affected> (Only affects 0.4.7.x)  
\[stretch\] - tor <not-affected> (Only affects 0.4.7.x)  
https://bugzilla.redhat.com/show\_bug.cgi?id=2099227  
https://gitlab.torproject.org/tpo/core/tor/-/issues/40626  
https://lists.torproject.org/pipermail/tor-announce/2022-June/000242.html  
https://github.com/torproject/tor/commit/b0496d40197dd5b4fb7b694c1410082d4e34dda6 (tor-0.4.7.8)

CVE-2022-33903: CVE-2022-33903

An issue was discovered in Open Design Alliance Drawings SDK before 2023.3. An Out-of-Bounds Read vulnerability exists when reading a DWG file with an invalid vertex number in a recovery mode. An attacker can leverage this vulnerability to execute code in the context of the current process.

CVE-2022-28809: ODA Security Advisories | Open Design Alliance

Pexip Infinity before 28.1 allows remote attackers to trigger a software abort via G.719.

CVE-2022-32263: Pexip security bulletins | Pexip Infinity Docs

Pexip Infinity 27 before 28.0 allows remote attackers to trigger excessive resource consumption and termination because of registrar resource mishandling.

CVE-2022-29286: Pexip security bulletins | Pexip Infinity Docs

In Squid 3.x through 3.5.28, 4.x through 4.17, and 5.x before 5.6, due to improper buffer management, a Denial of Service can occur when processing long Gopher server responses.

Date: 2022-04-18 13:42:36 +0000 Improve handling of Gopher responses (#1022) diff --git a/src/gopher.cc b/src/gopher.cc index c4d1aeaad..6a77d9aaf 100644 --- a/src/gopher.cc +++ b/src/gopher.cc @@ -365,7 +365,6 @@ gopherToHTML(GopherStateData \* gopherState, char \*inbuf, int len) char \*lpos = NULL; char \*tline = NULL; LOCAL\_ARRAY(char, line, TEMP\_BUF\_SIZE); - LOCAL\_ARRAY(char, tmpbuf, TEMP\_BUF\_SIZE); char \*name = NULL; char \*selector = NULL; char \*host = NULL; @@ -375,7 +374,6 @@ gopherToHTML(GopherStateData \* gopherState, char \*inbuf, int len) char gtype; StoreEntry \*entry = NULL; - memset(tmpbuf, '\\0', TEMP\_BUF\_SIZE); memset(line, '\\0', TEMP\_BUF\_SIZE); entry = gopherState->entry; @@ -410,7 +408,7 @@ gopherToHTML(GopherStateData \* gopherState, char \*inbuf, int len) return; } - String outbuf; + SBuf outbuf; if (!gopherState->HTML\_header\_added) { if (gopherState->conversion == GopherStateData::HTML\_CSO\_RESULT) @@ -582,37 +580,34 @@ gopherToHTML(GopherStateData \* gopherState, char \*inbuf, int len) break; } - memset(tmpbuf, '\\0', TEMP\_BUF\_SIZE); - if ((gtype == GOPHER\_TELNET) || (gtype == GOPHER\_3270)) { if (strlen(escaped\_selector) != 0) - snprintf(tmpbuf, TEMP\_BUF\_SIZE, " %s\\n", - icon\_url, escaped\_selector, rfc1738\_escape\_part(host), - \*port ? ":" : "", port, html\_quote(name)); + outbuf.appendf(" %s\\n", + icon\_url, escaped\_selector, rfc1738\_escape\_part(host), + \*port ? ":" : "", port, html\_quote(name)); else - snprintf(tmpbuf, TEMP\_BUF\_SIZE, " %s\\n", - icon\_url, rfc1738\_escape\_part(host), \*port ? ":" : "", - port, html\_quote(name)); + outbuf.appendf(" %s\\n", + icon\_url, rfc1738\_escape\_part(host), \*port ? ":" : "", + port, html\_quote(name)); } else if (gtype == GOPHER\_INFO) { - snprintf(tmpbuf, TEMP\_BUF\_SIZE, "\\t%s\\n", html\_quote(name)); + outbuf.appendf("\\t%s\\n", html\_quote(name)); } else { if (strncmp(selector, "GET /", 5) == 0) { /\* WWW link \*/ - snprintf(tmpbuf, TEMP\_BUF\_SIZE, " %s\\n", - icon\_url, host, rfc1738\_escape\_unescaped(selector + 5), html\_quote(name)); + outbuf.appendf(" %s\\n", + icon\_url, host, rfc1738\_escape\_unescaped(selector + 5), html\_quote(name)); } else if (gtype == GOPHER\_WWW) { - snprintf(tmpbuf, TEMP\_BUF\_SIZE, " %s\\n", - icon\_url, rfc1738\_escape\_unescaped(selector), html\_quote(name)); + outbuf.appendf(" %s\\n", + icon\_url, rfc1738\_escape\_unescaped(selector), html\_quote(name)); } else { /\* Standard link \*/ - snprintf(tmpbuf, TEMP\_BUF\_SIZE, " %s\\n", - icon\_url, host, gtype, escaped\_selector, html\_quote(name)); + outbuf.appendf(" %s\\n", + icon\_url, host, gtype, escaped\_selector, html\_quote(name)); } } safe\_free(escaped\_selector); - outbuf.append(tmpbuf); } else { memset(line, '\\0', TEMP\_BUF\_SIZE); continue; @@ -645,13 +640,12 @@ gopherToHTML(GopherStateData \* gopherState, char \*inbuf, int len) break; if (gopherState->cso\_recno != recno) { - snprintf(tmpbuf, TEMP\_BUF\_SIZE, "

**Record# %d  
_%s_**\\n

", recno, html\_quote(result));
+                    outbuf.appendf("

**Record# %d  
_%s_**\\n

", recno, html\_quote(result));
                     gopherState->cso\_recno = recno;
                 } else {
-                    snprintf(tmpbuf, TEMP\_BUF\_SIZE, "%s\\n", html\_quote(result));
+                    outbuf.appendf("%s\\n", html\_quote(result));
                 }
 
-                outbuf.append(tmpbuf);
                 break;
             } else {
                 int code;
@@ -679,8 +673,7 @@ gopherToHTML(GopherStateData \* gopherState, char \*inbuf, int len)
 
                 case 502: { /\* Too Many Matches \*/
                     /\* Print the message the server returns \*/
-                    snprintf(tmpbuf, TEMP\_BUF\_SIZE, "

**%s**\\n

", html\_quote(result));
-                    outbuf.append(tmpbuf);
+                    outbuf.appendf("

**%s**\\n

", html\_quote(result));
                     break;
                 }
 
@@ -696,13 +689,12 @@ gopherToHTML(GopherStateData \* gopherState, char \*inbuf, int len)
 
     }               /\* while loop \*/
 
-    if (outbuf.size() > 0) {
-        entry->append(outbuf.rawBuf(), outbuf.size());
+    if (outbuf.length() > 0) {
+        entry->append(outbuf.rawContent(), outbuf.length());
         /\* now let start sending stuff to client \*/
         entry->flush();
     }
 
-    outbuf.clean();
     return;
 }

CVE-2021-46784

Pexip Infinity 27.x before 27.3 allows remote attackers to trigger a software abort via single-sign-on if a random Universally Unique Identifier is guessed.

CVE-2022-27930: Pexip security bulletins | Pexip Infinity Docs

Pexip Infinity before 27.3 allows remote attackers to trigger a software abort via the Session Initiation Protocol.

CVE-2022-27931: Pexip security bulletins | Pexip Infinity Docs

Pexip Infinity before 27.3 allows remote attackers to trigger a software abort via H.323.

CVE-2022-27936: Pexip security bulletins | Pexip Infinity Docs

Pexip Infinity before 27.3 allows remote attackers to trigger a software abort via One Touch Join.

Tag

#dos