GPAC 1.0.1 is affected by: Abort failed. The impact is: cause a denial of service (context-dependent).

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

*   \[Yes \] I looked for a similar issue and couldn't find any.
*   \[ Yes\] I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   \[ Yes\] I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop\_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

**Version:**

    ./MP4Box -version
    MP4Box - GPAC version 1.1.0-DEV-rev1574-g8b22f0912-master
    (c) 2000-2021 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
     GPAC Filters: https://doi.org/10.1145/3339825.3394929
     GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: 
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_JPEG GPAC_HAS_PNG GPAC_HAS_LINUX_DVB
    

**command:**

    ./bin/gcc/MP4Box -hint POC10
    

POC10.zip

**Result**

**bt**

    Program received signal SIGABRT, Aborted.
    [----------------------------------registers-----------------------------------]
    RAX: 0x0 
    RBX: 0x7ffff697e740 (0x00007ffff697e740)
    RCX: 0x7ffff74fb18b (<__GI_raise+203>:	mov    rax,QWORD PTR [rsp+0x108])
    RDX: 0x0 
    RSI: 0x7fffffff8060 --> 0x0 
    RDI: 0x2 
    RBP: 0x7fffffff83b0 --> 0x7ffff76a0b80 --> 0x0 
    RSP: 0x7fffffff8060 --> 0x0 
    RIP: 0x7ffff74fb18b (<__GI_raise+203>:	mov    rax,QWORD PTR [rsp+0x108])
    R8 : 0x0 
    R9 : 0x7fffffff8060 --> 0x0 
    R10: 0x8 
    R11: 0x246 
    R12: 0x7fffffff82d0 --> 0x5555555eafa0 --> 0x7374626c ('lbts')
    R13: 0x10 
    R14: 0x7ffff7ffb000 --> 0x6565726600001000 
    R15: 0x1
    EFLAGS: 0x246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
    [-------------------------------------code-------------------------------------]
       0x7ffff74fb17f <__GI_raise+191>:	mov    edi,0x2
       0x7ffff74fb184 <__GI_raise+196>:	mov    eax,0xe
       0x7ffff74fb189 <__GI_raise+201>:	syscall 
    => 0x7ffff74fb18b <__GI_raise+203>:	mov    rax,QWORD PTR [rsp+0x108]
       0x7ffff74fb193 <__GI_raise+211>:	xor    rax,QWORD PTR fs:0x28
       0x7ffff74fb19c <__GI_raise+220>:	jne    0x7ffff74fb1c4 <__GI_raise+260>
       0x7ffff74fb19e <__GI_raise+222>:	mov    eax,r8d
       0x7ffff74fb1a1 <__GI_raise+225>:	add    rsp,0x118
    [------------------------------------stack-------------------------------------]
    0000| 0x7fffffff8060 --> 0x0 
    0008| 0x7fffffff8068 --> 0x0 
    0016| 0x7fffffff8070 --> 0x5555555e7d50 --> 0x5555555eaa30 --> 0x100010000000006 
    0024| 0x7fffffff8078 --> 0xf6015b1303ad4900 
    0032| 0x7fffffff8080 --> 0x5 
    0040| 0x7fffffff8088 --> 0x5555555e83e0 --> 0x5555555ebe10 --> 0x5555555ebbb0 --> 0x0 
    0048| 0x7fffffff8090 --> 0x7fffffff81e0 --> 0x0 
    0056| 0x7fffffff8098 --> 0x0 
    [------------------------------------------------------------------------------]
    Legend: code, data, rodata, value
    Stopped reason: SIGABRT
    __GI_raise (sig=sig@entry=0x6) at ../sysdeps/unix/sysv/linux/raise.c:50
    50	../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
    gdb-peda$ bt
    #0  __GI_raise (sig=sig@entry=0x6) at ../sysdeps/unix/sysv/linux/raise.c:50
    #1  0x00007ffff74da859 in __GI_abort () at abort.c:79
    #2  0x00007ffff75453ee in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x7ffff766f285 "%s\n") at ../sysdeps/posix/libc_fatal.c:155
    #3  0x00007ffff754d47c in malloc_printerr (str=str@entry=0x7ffff7671600 "free(): invalid next size (fast)") at malloc.c:5347
    #4  0x00007ffff754ed2c in _int_free (av=0x7ffff76a0b80 <main_arena>, p=0x5555555e1640, have_lock=0x0) at malloc.c:4249
    #5  0x00007ffff78cc82b in stco_box_del () from /home/zxq/CVE_testing/source/gpac/bin/gcc/libgpac.so.10
    #6  0x00007ffff78f8b6c in gf_isom_box_del () from /home/zxq/CVE_testing/source/gpac/bin/gcc/libgpac.so.10
    #7  0x00007ffff78f8b9f in gf_isom_box_del () from /home/zxq/CVE_testing/source/gpac/bin/gcc/libgpac.so.10
    #8  0x00007ffff78f8b9f in gf_isom_box_del () from /home/zxq/CVE_testing/source/gpac/bin/gcc/libgpac.so.10
    #9  0x00007ffff78f8b9f in gf_isom_box_del () from /home/zxq/CVE_testing/source/gpac/bin/gcc/libgpac.so.10
    #10 0x00007ffff78f8b9f in gf_isom_box_del () from /home/zxq/CVE_testing/source/gpac/bin/gcc/libgpac.so.10
    #11 0x00007ffff78f8b9f in gf_isom_box_del () from /home/zxq/CVE_testing/source/gpac/bin/gcc/libgpac.so.10
    #12 0x00007ffff78f9bc7 in gf_isom_box_array_del () from /home/zxq/CVE_testing/source/gpac/bin/gcc/libgpac.so.10
    #13 0x00007ffff79031b7 in gf_isom_delete_movie () from /home/zxq/CVE_testing/source/gpac/bin/gcc/libgpac.so.10
    #14 0x00007ffff79064c3 in gf_isom_close () from /home/zxq/CVE_testing/source/gpac/bin/gcc/libgpac.so.10
    #15 0x000055555557bd12 in mp4boxMain ()
    #16 0x00007ffff74dc0b3 in __libc_start_main (main=0x55555556d420 <main>, argc=0x3, argv=0x7fffffffe318, init=<optimized out>, fini=<optimized out>, 
        rtld_fini=<optimized out>, stack_end=0x7fffffffe308) at ../csu/libc-start.c:308
    #17 0x000055555556d45e in _start ()
    gdb-peda$

CVE-2021-46045: Abort failed in MP4Box · Issue #2007 · gpac/gpac

An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36.3, and 1.37.x before 1.37.1. A denial of service (resource consumption) can be accomplished by searching for a very long key in a Language Name Search.

**

/w/api.php?action=languagesearch denial of service (CVE-2021-46149)

Closed, ResolvedPublicSecurity



**

*   Edit Task
*   Edit Related Tasks...
*   Edit Related Objects...

*   Mute Notifications
*   Protect as security issue
*   Award Token
*   Flag For Later

While browsing Language team dashboard in Logstash, I came across a bunch of timeouts from the language search API:

/w/api.php?action=languagesearch&format=json&origin=\*&search=teuoyuepuuoiuuuuouuuiqpitouppotuouqtropuuyuyroopepupyotutqiuiuuuooqquypyouopptoiooupipyoouououuptyppuouuouytpeuouuuoiuoriupuouppuquupoiyrpuooypuupuopootpoieppppyrutpptptpiuqerppyuqrpupwoeuppuopouuoupuuuoouupuopupptuupootouuouuqouoeouuurpoowuquooyuuytppepriiuttupuetopuutuppuoppupoupuopouiuopupppuuteupiuuyuputiyootorqyoueeuuuuyptpuuuuyioiyuteupuypuoropqupuuorpputopouuuuttoiputyootooooyuuyuoqupytuoqpoooootuouuuoiouyppuwouyououuptrotuuupetyiiueuuoyuqyrquiouuqtuuouiyouoiupuoopeqtoueoeuopuuproouuoyupupouuttuuurutopuopotuuyuuyprpyureoieopuppouooooooyutyoouuiyqypyuruutiuouuutywuutuuuuiiuuropyuutuyuiuiuyupurioruypupiioitpppuqruyoooyopuouuiouuueuyiuppuuptppouuuepuyttuquuppuotuyutuoupppriupuquputuetypupooouueupuuporuouupurupueoupyiyurpuyuuooyytuuouyuupuouoqpupyuuoeioqoyuyuoupupupooopuyuoyuupouuppoooppoiipueuuruiouurouyupupouuouupqoyruqiuouoqtwteuoouupuuppuoqyuepopoupuueououurupuprppoptoupyuqepuouqttepioyuuuuurputoopttppyiyioiyuoriuuootuupuuyppuuuyyupoyiuuuuupuuouuquppiuyuyypeppptppipioutoieupytuwuuutoupuopuirtuuuuuoouuutoptpiuuuuiotyuuiutuuuoupopioitpurpopouputpuuoippuuyopitptouuuopiorutoitopputuqyuptiotipopouuooeiuuuouttuoiuuqppoottqioouuouuyipueuuouppruuprupewuiypuporoqupuyiiopoouuoputuoeyuoyyoppououutuwrooetuyoyyuouupiuuuuuuuruyutoiiuquypouopuuioyiuouituoppootyytuqypoupuiuuuuoupyoyuptooeuupuuuquuuuqiuprpuyiuuuuopottuppppiptuqypupypuopuwiuutpytuuyoouupuquouuyuoyuputyqrupuooutouuupuptuiiruqupoutpooupuopuprtuooouupuoooipipupoopruupuyppuequouryuuoptoouoouuowuouyuouuupoyeyrouoouuouuuoupuqupiupioupoptupuououououueueyoyoeuutepuypppouuuupiouuperpupuyuuytuouooqttuoutuppouuoiuutooopoeoootuquuuptrtoueepuyuouyuuitppiottupyeruppyooueuqqurqooituutupyuuuipyoouyuuyuutpryyouquooyuuuuptutuupppptqeutioqtotuyuqipuoyuyyquutwpuuuuqoupyooopouippoyutoupttprptripiurooopiuipootopeupyuuryueuuppuuuuuuoptppiuupiouuoupprpyorytiyopttuippptitortpooyeuooyppuuoiutuuyouuppuruuouuuputpiuuuupouuuuuyppiuiyuuuuyiuiupruupuuouyruoutuouoyuuueipoouuuuuuppppptitituuittuewpouiipppupyoytuiuioyuuuyopuyuruputruyuuuqyypuyoyuuyuopyuorupuoyuruuuppytpppiuuutuotoytuiquwpitytuuooopyoupeuuuyuuuuieyteippouuooutpuyoyuyupuiutpuuppuutytutputurptupuurptoyuuoputuuoquopoupyouutoupuioutuuuuuuopuuypueouiuuopuppyuuyyoetouurppuouuyupuuupuytoqupupuuytypopuitoyuupoouyuypyuuiryoeptououupouuiuopuuuiyopupyuruquppyupuuuuoupoupuuquiouriuuputppuiyuutuuyppiroouuoouoipuuoputuptioprpututouiuueopppuuqpypuupotuuutyoupuuptpuupyyouuwurutpotuytuuotipuuupueouopqppeotuurueippuurptpoyupuuoyeiiuuurouqippwoppurutuuuupututipiuuuouupououpqpipiopuyoupyuuuirpoupyuututrueouryuputqiuyyouttiutoeuuopuuuutqpouoyptuupotueyuuopptqouuuuiutieuoipttpoouuprouotwtuuuiyqeuuuotupiutuyruuyyyyouiruittuouuuyppoyyupeupuupuotuuppppuuoiuuouuooyruuuuuuuprtpttuuppuuupiuutiutooppuoyouopiuttropyuypouyyqoipupoupuuoqutpouuiqrrouuupptpupoppoyuyuuorutrpuyypuyopouuupuuoquuuuuutyopuupuouyeueotyupuuuieuuuyooiyuruoiupyiqpupuptyuypuryppoyuruuoorpooyuuuotpuuuuuiiiuutytupppoyopyuurupuyyupupppwuouipuyuyytwroioiuueyopyutoopupuepipououpttououoquupitrwuppupupuyoyouyputopuioioupptuouyeuouuouoiituutproupoppuupuyupuuupuipoyuoruypipuuuuoiouuiouorooyuououtouuuowuiootuutyuuqupuupyppyouyrquoqyqputouuoitooyriuruupywtouuiutuouuuttipyypouuputuuopetouoeiuuuurrqopuppyuyuuupiuoutopppppuypupututuutouypopyepuoooiupitytpptupyqirtuoruuwpuoooououeoruyouwuuqoupuuritutuuipuppuupitppppppirouypuoiuoqoopuuouuuuuuttuypuuoppputituutootpuupyuptyiotoooutqyupuuuuouitouwpotyuoiuyutptpoeoipuuuyruoouuioutuuippuoupptuupyuypoputyyuptupuyoyuuouypypopowoprpoppuprppuputopppupyypuupooeruyiouyopuyuuptuttuiquptyuupotopiuouuottouotpuuoutopqouuouopupoiypyoqouuyupoyppyopiquuippiuyyoitoiuuutyuuoqypwyppooopuouooiopppopuuyruytupopprroupirqtiotuuquowuuqtituiiqpouuppyuu&formatversion=2

from /srv/mediawiki/php-1.38.0-wmf.4/vendor/wikimedia/request-timeout/src/Detail/ExcimerTimerWrapper.php(97)
#0 /srv/mediawiki/php-1.38.0-wmf.4/vendor/wikimedia/request-timeout/src/Detail/ExcimerTimerWrapper.php(72): Wikimedia\\RequestTimeout\\Detail\\ExcimerTimerWrapper->onTimeout(integer)
#1 /srv/mediawiki/php-1.38.0-wmf.4/extensions/UniversalLanguageSelector/data/LanguageNameSearch.php(187): Wikimedia\\RequestTimeout\\Detail\\ExcimerTimerWrapper->Wikimedia\\RequestTimeout\\Detail\\{closure}(integer)
#2 /srv/mediawiki/php-1.38.0-wmf.4/extensions/UniversalLanguageSelector/data/LanguageNameSearch.php(179): LanguageNameSearch::levenshteinDistance(string, string)
#3 /srv/mediawiki/php-1.38.0-wmf.4/extensions/UniversalLanguageSelector/data/LanguageNameSearch.php(103): LanguageNameSearch::levenshteinDistance(string, string)
#4 /srv/mediawiki/php-1.38.0-wmf.4/extensions/UniversalLanguageSelector/data/LanguageNameSearch.php(70): LanguageNameSearch::matchNames(string, string, integer)
#5 /srv/mediawiki/php-1.38.0-wmf.4/extensions/UniversalLanguageSelector/includes/api/ApiLanguageSearch.php(29): LanguageNameSearch::search(string, integer, string)
#6 /srv/mediawiki/php-1.38.0-wmf.4/includes/api/ApiMain.php(1878): ApiLanguageSearch->execute()
#7 /srv/mediawiki/php-1.38.0-wmf.4/includes/api/ApiMain.php(857): ApiMain->executeAction()
#8 /srv/mediawiki/php-1.38.0-wmf.4/includes/api/ApiMain.php(828): ApiMain->executeActionWithErrorHandling()
#9 /srv/mediawiki/php-1.38.0-wmf.4/api.php(90): ApiMain->execute()
#10 /srv/mediawiki/php-1.38.0-wmf.4/api.php(45): wfApiMain()
#11 /srv/mediawiki/w/api.php(3): require(string)
#12 {main}

More specifically, there were 1757 such requests on viwiki on 2021-10-17, which was clearly intentional dos attempt.

Author Affiliation

WMF Product

*   Task Graph
*   Mentions

**Event Timeline**

Comment Actions

Doing some quick stats, longest language name is 154 bytes or 76 "mb\_strlen" characters long. But it's questionable whether doing a typo match at that long search query is useful. I propose we skip fuzzy search when mb\_strlen value is longer than say 25, or at most 76 if we want to avoid any user impact.

Comment Actions

The patch was made publicly by mistake. Hopefully the impact is limited, though, looking at Logstash I do not see it being actively exploited. The patch will ride this week's train and will included in our next MLEB release this week.

It should also be backported to supported release branches, I think.

Comment Actions

> The patch was made publicly by mistake. Hopefully the impact is limited, though, looking at Logstash I do not see it being actively exploited. The patch will ride this week's train and will included in our next MLEB release this week.

Well, we're probably close enough to the train cut that the gerrit patch can just go along with that and roll out this week. The commit message was fairly benign, so the only hint that this is a security issue is the linked private bug and the patch itself. ULS isn't bundled so there's no issue with the upcoming security release there, as this would just be included within the supplemental announcement, which often includes several already-public security issues. Anyhow, the Security-Team will chat about this today during our clinic and see if we have any additional guidance to provide.

> It should also be backported to supported release branches, I think.

Yes, it should. The Security-Team can start those picks.

Reedy closed this task as Resolved.Dec 10 2021, 8:20 PM

mmartorana renamed this task from /w/api.php?action=languagesearch denial of service to /w/api.php?action=languagesearch denial of service (CVE-2021-46149).Mon, Jan 10, 5:03 PM

Comment Actions

> The patch was made publicly by mistake. Hopefully the impact is limited, though, looking at Logstash I do not see it being actively exploited. The patch will ride this week's train and will included in our next MLEB release this week.
> 
> It should also be backported to supported release branches, I think.

In other words: If people are either using MLEB 2021.10, 2021.11 or preferably 2021.12 they are cool?!

Comment Actions

Cool, thanks for confirming. Thanks also for the tip. Never noticed this one.

Content licensed under Creative Commons Attribution-ShareAlike 3.0 (CC-BY-SA) unless otherwise noted; code licensed under GNU General Public License (GPL) or other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL

CVE-2021-46149: ⚓ T293749 /w/api.php?action=languagesearch denial of service (CVE-2021-46149)

A Denial of Service vulnerability exists in Binaryen 104 due to an assertion abort in wasm::WasmBinaryBuilder::visitRethrow(wasm::Rethrow*).

**Version:**

**command:**

POC8.zip

**Result**

**bt**

    Program received signal SIGABRT, Aborted.
    [----------------------------------registers-----------------------------------]
    RAX: 0x0 
    RBX: 0x7ffff4416040 (0x00007ffff4416040)
    RCX: 0x7ffff446018b (<__GI_raise+203>:	mov    rax,QWORD PTR [rsp+0x108])
    RDX: 0x0 
    RSI: 0x7fffffffb890 --> 0x0 
    RDI: 0x2 
    RBP: 0x7ffff45d5588 ("%s%s%s:%u: %s%sAssertion `%s' failed.\n%n")
    RSP: 0x7fffffffb890 --> 0x0 
    RIP: 0x7ffff446018b (<__GI_raise+203>:	mov    rax,QWORD PTR [rsp+0x108])
    R8 : 0x0 
    R9 : 0x7fffffffb890 --> 0x0 
    R10: 0x8 
    R11: 0x246 
    R12: 0x7ffff799dc40 ("/home/zxq/CVE_testing/project/binaryen/src/wasm-builder.h")
    R13: 0x31 ('1')
    R14: 0x7ffff799dc00 ("type.isSignature()")
    R15: 0xfffff700 --> 0x0
    EFLAGS: 0x246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
    [-------------------------------------code-------------------------------------]
       0x7ffff446017f <__GI_raise+191>:	mov    edi,0x2
       0x7ffff4460184 <__GI_raise+196>:	mov    eax,0xe
       0x7ffff4460189 <__GI_raise+201>:	syscall 
    => 0x7ffff446018b <__GI_raise+203>:	mov    rax,QWORD PTR [rsp+0x108]
       0x7ffff4460193 <__GI_raise+211>:	xor    rax,QWORD PTR fs:0x28
       0x7ffff446019c <__GI_raise+220>:	jne    0x7ffff44601c4 <__GI_raise+260>
       0x7ffff446019e <__GI_raise+222>:	mov    eax,r8d
       0x7ffff44601a1 <__GI_raise+225>:	add    rsp,0x118
    [------------------------------------stack-------------------------------------]
    0000| 0x7fffffffb890 --> 0x0 
    0008| 0x7fffffffb898 --> 0x49bba0 (<free>:	push   rbp)
    0016| 0x7fffffffb8a0 --> 0x7ffffbad8000 
    0024| 0x7fffffffb8a8 --> 0x6120000001c0 --> 0x7369642d69000001 
    0032| 0x7fffffffb8b0 --> 0x612000000225 ("on> wasm::Builder::makeFunction(wasm::Name, wasm::HeapType, std::vector<Type> &&, wasm::Expression *): Assertion `type.isSignature()' failed.\n")
    0040| 0x7fffffffb8b8 --> 0x6120000001c0 --> 0x7369642d69000001 
    0048| 0x7fffffffb8c0 --> 0x6120000001c0 --> 0x7369642d69000001 
    0056| 0x7fffffffb8c8 --> 0x6120000002b3 --> 0x0 
    [------------------------------------------------------------------------------]
    Legend: code, data, rodata, value
    Stopped reason: SIGABRT
    __GI_raise (sig=sig@entry=0x6) at ../sysdeps/unix/sysv/linux/raise.c:50
    50	../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
    gdb-peda$ bt
    #0  __GI_raise (sig=sig@entry=0x6) at ../sysdeps/unix/sysv/linux/raise.c:50
    #1  0x00007ffff443f859 in __GI_abort () at abort.c:79
    #2  0x00007ffff443f729 in __assert_fail_base (fmt=0x7ffff45d5588 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=0x7ffff799dc00 <str> "type.isSignature()", 
        file=0x7ffff799dc40 <str> "/home/zxq/CVE_testing/project/binaryen/src/wasm-builder.h", line=0x31, function=<optimized out>) at assert.c:92
    #3  0x00007ffff4450f36 in __GI___assert_fail (assertion=0x7ffff799dc00 <str> "type.isSignature()", file=0x7ffff799dc40 <str> "/home/zxq/CVE_testing/project/binaryen/src/wasm-builder.h", line=0x31, 
        function=0x7ffff799dca0 <__PRETTY_FUNCTION__._ZN4wasm7Builder12makeFunctionENS_4NameENS_8HeapTypeEOSt6vectorINS_4TypeESaIS4_EEPNS_10ExpressionE> "static std::unique_ptr<Function> wasm::Builder::makeFunction(wasm::Name, wasm::HeapType, std::vector<Type> &&, wasm::Expression *)") at assert.c:101
    #4  0x00007ffff51417c4 in wasm::Builder::makeFunction (name=..., type=..., vars=..., body=<optimized out>) at /home/zxq/CVE_testing/project/binaryen/src/wasm-builder.h:49
    #5  0x00007ffff6ea172f in wasm::WasmBinaryBuilder::readImports (this=<optimized out>) at /home/zxq/CVE_testing/project/binaryen/src/wasm/wasm-binary.cpp:2059
    #6  0x00007ffff6e9967e in wasm::WasmBinaryBuilder::read (this=0x7fffffffcce0) at /home/zxq/CVE_testing/project/binaryen/src/wasm/wasm-binary.cpp:1417
    #7  0x00007ffff7046785 in wasm::ModuleReader::readBinaryData (this=<optimized out>, input=..., wasm=..., sourceMapFilename=<incomplete type>) at /home/zxq/CVE_testing/project/binaryen/src/wasm/wasm-io.cpp:63
    #8  0x00007ffff7046f76 in wasm::ModuleReader::readBinary (this=<optimized out>, filename=<incomplete type>, wasm=..., sourceMapFilename=<incomplete type>)
        at /home/zxq/CVE_testing/project/binaryen/src/wasm/wasm-io.cpp:74
    #9  0x00000000004cf7ca in main (argc=<optimized out>, argv=<optimized out>) at /home/zxq/CVE_testing/project/binaryen/src/tools/wasm-dis.cpp:65
    #10 0x00007ffff44410b3 in __libc_start_main (main=0x4cdef0 <main(int, char const**)>, argc=0x2, argv=0x7fffffffe348, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, 
        stack_end=0x7fffffffe338) at ../csu/libc-start.c:308
    #11 0x000000000042375e in _start () at /usr/bin/../lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/iostream:74

CVE-2021-46055: A abort failure in wasm::Builder::makeFunction · Issue #4413 · WebAssembly/binaryen

**Version:**

**command:**

    ./bin/wasm-ctor-eval POC5
    

POC5.zip

**Result**

**bt**

    Program received signal SIGABRT, Aborted.
    [----------------------------------registers-----------------------------------]
    RAX: 0x0 
    RBX: 0x7ffff6d47fc0 (0x00007ffff6d47fc0)
    RCX: 0x7ffff6ee118b (<__GI_raise+203>:	mov    rax,QWORD PTR [rsp+0x108])
    RDX: 0x0 
    RSI: 0x7fffffffcbe0 --> 0x0 
    RDI: 0x2 
    RBP: 0x7ffff7056588 ("%s%s%s:%u: %s%sAssertion `%s' failed.\n%n")
    RSP: 0x7fffffffcbe0 --> 0x0 
    RIP: 0x7ffff6ee118b (<__GI_raise+203>:	mov    rax,QWORD PTR [rsp+0x108])
    R8 : 0x0 
    R9 : 0x7fffffffcbe0 --> 0x0 
    R10: 0x8 
    R11: 0x246 
    R12: 0x7ffff7e4e3d8 ("/home/zxq/CVE_testing/source/binaryen/src/wasm/wasm-binary.cpp")
    R13: 0x1964 
    R14: 0x7ffff7e4f588 ("curr->target != DELEGATE_CALLER_TARGET")
    R15: 0x5555555f7030 --> 0x30246c6562616c ('label$0')
    EFLAGS: 0x246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
    [-------------------------------------code-------------------------------------]
       0x7ffff6ee117f <__GI_raise+191>:	mov    edi,0x2
       0x7ffff6ee1184 <__GI_raise+196>:	mov    eax,0xe
       0x7ffff6ee1189 <__GI_raise+201>:	syscall 
    => 0x7ffff6ee118b <__GI_raise+203>:	mov    rax,QWORD PTR [rsp+0x108]
       0x7ffff6ee1193 <__GI_raise+211>:	xor    rax,QWORD PTR fs:0x28
       0x7ffff6ee119c <__GI_raise+220>:	jne    0x7ffff6ee11c4 <__GI_raise+260>
       0x7ffff6ee119e <__GI_raise+222>:	mov    eax,r8d
       0x7ffff6ee11a1 <__GI_raise+225>:	add    rsp,0x118
    [------------------------------------stack-------------------------------------]
    0000| 0x7fffffffcbe0 --> 0x0 
    0008| 0x7fffffffcbe8 --> 0x7ffff6f38850 (<__GI___libc_free>:	endbr64)
    0016| 0x7fffffffcbf0 --> 0x7ffffbad8000 
    0024| 0x7fffffffcbf8 --> 0x5555555e7920 --> 0x0 
    0032| 0x7fffffffcc00 --> 0x5555555e7985 ("inaryBuilder::visitRethrow(wasm::Rethrow*): Assertion `curr->target != DELEGATE_CALLER_TARGET' failed.\n")
    0040| 0x7fffffffcc08 --> 0x5555555e7920 --> 0x0 
    0048| 0x7fffffffcc10 --> 0x5555555e7920 --> 0x0 
    0056| 0x7fffffffcc18 --> 0x5555555e79ec --> 0x0 
    [------------------------------------------------------------------------------]
    Legend: code, data, rodata, value
    Stopped reason: SIGABRT
    __GI_raise (sig=sig@entry=0x6) at ../sysdeps/unix/sysv/linux/raise.c:50
    50	../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
    gdb-peda$ 
    gdb-peda$ bt
    #0  __GI_raise (sig=sig@entry=0x6) at ../sysdeps/unix/sysv/linux/raise.c:50
    #1  0x00007ffff6ec0859 in __GI_abort () at abort.c:79
    #2  0x00007ffff6ec0729 in __assert_fail_base (fmt=0x7ffff7056588 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=0x7ffff7e4f588 "curr->target != DELEGATE_CALLER_TARGET", 
        file=0x7ffff7e4e3d8 "/home/zxq/CVE_testing/source/binaryen/src/wasm/wasm-binary.cpp", line=0x1964, function=<optimized out>) at assert.c:92
    #3  0x00007ffff6ed1f36 in __GI___assert_fail (assertion=0x7ffff7e4f588 "curr->target != DELEGATE_CALLER_TARGET", file=0x7ffff7e4e3d8 "/home/zxq/CVE_testing/source/binaryen/src/wasm/wasm-binary.cpp", 
        line=0x1964, function=0x7ffff7e4f548 "void wasm::WasmBinaryBuilder::visitRethrow(wasm::Rethrow*)") at assert.c:101
    #4  0x00007ffff7c09ca1 in wasm::WasmBinaryBuilder::visitRethrow(wasm::Rethrow*) () from /home/zxq/CVE_testing/source/binaryen/build/bin/../lib/libbinaryen.so
    #5  0x00007ffff7c0b48c in wasm::WasmBinaryBuilder::readExpression(wasm::Expression*&) () from /home/zxq/CVE_testing/source/binaryen/build/bin/../lib/libbinaryen.so
    #6  0x00007ffff7c0c17e in wasm::WasmBinaryBuilder::processExpressions() () from /home/zxq/CVE_testing/source/binaryen/build/bin/../lib/libbinaryen.so
    #7  0x00007ffff7c0ff90 in wasm::WasmBinaryBuilder::getBlockOrSingleton(wasm::Type) () from /home/zxq/CVE_testing/source/binaryen/build/bin/../lib/libbinaryen.so
    #8  0x00007ffff7c109bb in wasm::WasmBinaryBuilder::readFunctions() () from /home/zxq/CVE_testing/source/binaryen/build/bin/../lib/libbinaryen.so
    #9  0x00007ffff7c11f52 in wasm::WasmBinaryBuilder::read() () from /home/zxq/CVE_testing/source/binaryen/build/bin/../lib/libbinaryen.so
    #10 0x00007ffff7c3dec6 in wasm::ModuleReader::readBinaryData(std::vector<char, std::allocator<char> >&, wasm::Module&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >) ()
       from /home/zxq/CVE_testing/source/binaryen/build/bin/../lib/libbinaryen.so
    #11 0x00007ffff7c3e6cc in wasm::ModuleReader::readBinary(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, wasm::Module&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >) () from /home/zxq/CVE_testing/source/binaryen/build/bin/../lib/libbinaryen.so
    #12 0x00007ffff7c3eda1 in wasm::ModuleReader::read(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, wasm::Module&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >) () from /home/zxq/CVE_testing/source/binaryen/build/bin/../lib/libbinaryen.so
    #13 0x000055555556943e in main ()
    #14 0x00007ffff6ec20b3 in __libc_start_main (main=0x5555555688c0 <main>, argc=0x2, argv=0x7fffffffe338, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe328)
        at ../csu/libc-start.c:308
    #15 0x0000555555569e5e in _start ()

CVE-2021-46054: A abort failure in wasm::WasmBinaryBuilder::visitRethrow(wasm::Rethrow*) · Issue #4410 · WebAssembly/binaryen

A Pointer Dereference vulnerability exists in Vim 8.2.3883 via the vim_regexec_multi function at regexp.c, which causes a denial of service.

**Description**

Untrusted Pointer Dereference leading to a segmentation fault Segmentation fault in vim\_regexec\_multi () at regexp.c:2896

**Proof of Concept**

    ./vim -u NONE -X -Z -e -s -S POC1 -c ':qa!
    

\[POC1\]\[https://drive.google.com/file/d/1VOS93VSakO96z2rnvId\_WDYRM9KAEIgC/view?usp=sharing\]

**bt**

    Program received signal SIGSEGV, Segmentation fault.
    [----------------------------------registers-----------------------------------]
    RAX: 0x14 
    RBX: 0x7fffffff8520 --> 0x9 ('\t')
    RCX: 0x14 
    RDX: 0x2 
    RSI: 0x10007fff7000 --> 0x0 
    RDI: 0x7fffffff87e0 --> 0x0 
    RBP: 0x7fffffff87a0 --> 0x7fffffff8b70 --> 0x7fffffffa0d0 --> 0x7fffffffb150 --> 0x7fffffffb980 --> 0x7fffffffb9f0 (--> ...)
    RSP: 0x7fffffff8420 --> 0x41b58ab3 
    RIP: 0xa54c3b (<vim_regexec_multi+635>: cmp    DWORD PTR [rax],0x0)
    R8 : 0x625000002900 --> 0x3e8 
    R9 : 0x625000005100 --> 0x9 ('\t')
    R10: 0x4 
    R11: 0x0 
    R12: 0x0 
    R13: 0xffffffff0fc --> 0x0 
    R14: 0x0 
    R15: 0x0
    EFLAGS: 0x10246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
    [-------------------------------------code-------------------------------------]
       0xa54c28 <vim_regexec_multi+616>:    mov    rdi,QWORD PTR [rbx+0x148]
       0xa54c2f <vim_regexec_multi+623>:    call   0x49c430 <__asan_report_load4>
       0xa54c34 <vim_regexec_multi+628>:    mov    rax,QWORD PTR [rbx+0x148]
    => 0xa54c3b <vim_regexec_multi+635>:    cmp    DWORD PTR [rax],0x0
       0xa54c3e <vim_regexec_multi+638>:    je     0xa54c75 <vim_regexec_multi+693>
       0xa54c44 <vim_regexec_multi+644>:    movabs rdi,0x1172840
       0xa54c4e <vim_regexec_multi+654>:    call   0x41d310 <gettext@plt>
       0xa54c53 <vim_regexec_multi+659>:    mov    rdi,rax
    [------------------------------------stack-------------------------------------]
    0000| 0x7fffffff8420 --> 0x41b58ab3 
    0008| 0x7fffffff8428 --> 0x100b3cb ("1 32 160 13 rex_save:2892")
    0016| 0x7fffffff8430 --> 0xa549c0 (<vim_regexec_multi>: push   rbp)
    0024| 0x7fffffff8438 --> 0x7fffffffb180 --> 0x615000000d00 --> 0xbebebebefbad2488 
    0032| 0x7fffffff8440 --> 0x7fffffff8480 --> 0x7fffffff8980 --> 0x7fffffff8b70 --> 0x7fffffffa0d0 --> 0x7fffffffb150 (--> ...)
    0040| 0x7fffffff8448 --> 0x4c5d0e (<lalloc+174>:    mov    QWORD PTR [rbp-0x20],rax)
    0048| 0x7fffffff8450 --> 0x614000000840 --> 0x619024800004 --> 0x0 
    0056| 0x7fffffff8458 --> 0xfffffc4300000001 
    [------------------------------------------------------------------------------]
    Legend: code, data, rodata, value
    Stopped reason: SIGSEGV
    0x0000000000a54c3b in vim_regexec_multi (rmp=0x7fffffff87e0, win=0x625000002900, buf=0x625000005100, lnum=0x4, col=0x0, tm=0x0, timed_out=0x0) at regexp.c:2896
    2896        if (rmp->regprog->re_in_use)
    gdb-peda$ bt
    #0  0x0000000000a54c3b in vim_regexec_multi (rmp=0x7fffffff87e0, win=0x625000002900, buf=0x625000005100, lnum=0x4, col=0x0, tm=0x0, timed_out=0x0) at regexp.c:2896
    #1  0x00000000006b45ab in ex_global (eap=0x7fffffff8bc0) at ex_cmds.c:4976
    #2  0x00000000006cdd66 in do_one_cmd (cmdlinep=0x7fffffffa100, flags=0x7, cstack=0x7fffffffa120, fgetline=0xb26990 <getsourceline>, cookie=0x7fffffffb180) at ex_docmd.c:2572
    #3  0x00000000006c0a9d in do_cmdline (cmdline=0x611000000680 "", fgetline=0xb26990 <getsourceline>, cookie=0x7fffffffb180, flags=0x7) at ex_docmd.c:994
    #4  0x0000000000b25523 in do_source (fname=0x60b000000ca3 "../../../CVE_testing/result/vim/afl-out-d1/crashes/id:000003,sig:11,src:004713+005102,op:splice,rep:2", check_other=0x0, 
        is_vimrc=0x0, ret_sid=0x0) at scriptfile.c:1420
    #5  0x0000000000b228eb in cmd_source (fname=0x60b000000ca3 "../../../CVE_testing/result/vim/afl-out-d1/crashes/id:000003,sig:11,src:004713+005102,op:splice,rep:2", eap=0x7fffffffba60)
        at scriptfile.c:985
    #6  0x0000000000b22641 in ex_source (eap=0x7fffffffba60) at scriptfile.c:1011
    #7  0x00000000006cdd66 in do_one_cmd (cmdlinep=0x7fffffffcfa0, flags=0xb, cstack=0x7fffffffcfc0, fgetline=0x0, cookie=0x0) at ex_docmd.c:2572
    #8  0x00000000006c0a9d in do_cmdline (cmdline=0x60b000000a90 "so ../../../CVE_testing/result/vim/afl-out-d1/crashes/id:000003,sig:11,src:004713+005102,op:splice,rep:2", fgetline=0x0, 
        cookie=0x0, flags=0xb) at ex_docmd.c:994
    #9  0x00000000006c40b4 in do_cmdline_cmd (cmd=0x60b000000a90 "so ../../../CVE_testing/result/vim/afl-out-d1/crashes/id:000003,sig:11,src:004713+005102,op:splice,rep:2")
        at ex_docmd.c:588
    #10 0x0000000000f39719 in exe_commands (parmp=0x1a99e80 <params>) at main.c:3080
    #11 0x0000000000f36873 in vim_main2 () at main.c:774
    #12 0x0000000000f2f64d in main (argc=0xb, argv=0x7fffffffe2d8) at main.c:426
    #13 0x00007ffff7be10b3 in __libc_start_main (main=0xf2ee20 <main>, argc=0xb, argv=0x7fffffffe2d8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, 
        stack_end=0x7fffffffe2c8) at ../csu/libc-start.c:308
    #14 0x000000000041da9e in _start ()
    
    

**Impact**

This vulnerability is capable of crashing software, Bypass Protection Mechanism, Modify Memory, and possible remote execution

CVE-2021-46059: Untrusted Pointer Dereference in vim

A NULL Pointer Dereference vulnerability exists in GNU inetutils 2.2 via the setcmd function at commands.c, which causes a denial of service.

Copyright (C) 2021 Free Software Foundation, Inc.

License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>.

This is free software: you are free to change and redistribute it.

There is NO WARRANTY, to the extent permitted by law.

\[POC1\](https://drive.google.com/file/d/1snLElamVgMu5SO1vkKvSQqOByBlX0zxb/view?usp=sharing)

Program received signal SIGSEGV, Segmentation fault.

\[----------------------------------registers-----------------------------------\]

RAX: 0x10 

RBX: 0x3 

RCX: 0x3 

RDX: 0x0 

RSI: 0x55555556d0c5 --> 0x6572207325006666 ('ff')

RDI: 0x555555577068 --> 0xa001c23 

RBP: 0x555555576ea0 --> 0x555555577060 --> 0x100b002000746553 

RSP: 0x7fffffffe1b0 --> 0x555555577060 --> 0x100b002000746553 

RIP: 0x55555555b7cd (<setcmd+701>: mov    BYTE PTR \[rdx\],al)

R8 : 0x555555577067 --> 0xa001c2310 

R9 : 0x0 

R10: 0x55555556d439 --> 0x69626d413f00203e ('> ')

R11: 0x7fffffffe65c --> 0x550074656e6c6574 ('telnet')

R12: 0x555555575b60 --> 0x55555556f7fb --> 0x4341492073250020 (' ')

R13: 0x7fffffffe380 --> 0x1 

R14: 0x0 

R15: 0x0

EFLAGS: 0x10297 (CARRY PARITY ADJUST zero SIGN trap INTERRUPT direction overflow)

\[-------------------------------------code-------------------------------------\]

   0x55555555b7bf <setcmd+687>: cmove  eax,edx

   0x55555555b7c2 <setcmd+690>: nop    WORD PTR \[rax+rax\*1+0x0\]

   0x55555555b7c8 <setcmd+696>: mov    rdx,QWORD PTR \[r12+0x18\]

\=> 0x55555555b7cd <setcmd+701>: mov    BYTE PTR \[rdx\],al

   0x55555555b7cf <setcmd+703>: mov    rax,QWORD PTR \[r12+0x18\]

   0x55555555b7d4 <setcmd+708>: movzx  edi,BYTE PTR \[rax\]

   0x55555555b7d7 <setcmd+711>: call   0x55555555aed0 <control>

   0x55555555b7dc <setcmd+716>: mov    rdx,QWORD PTR \[r12\]

\[------------------------------------stack-------------------------------------\]

0000| 0x7fffffffe1b0 --> 0x555555577060 --> 0x100b002000746553 

0008| 0x7fffffffe1b8 --> 0x5555555754e0 --> 0x55555556d48c --> 0x67676f7400746573 ('set')

0016| 0x7fffffffe1c0 --> 0x0 

0024| 0x7fffffffe1c8 --> 0x1 

0032| 0x7fffffffe1d0 --> 0x7fffffffe380 --> 0x1 

0040| 0x7fffffffe1d8 --> 0x55555555dadb (<command+411>: test   eax,eax)

0048| 0x7fffffffe1e0 --> 0x0 

0056| 0x7fffffffe1e8 --> 0x7fffffffe390 --> 0x0 

\[------------------------------------------------------------------------------\]

Legend: code, data, rodata, value

Stopped reason: SIGSEGV

0x000055555555b7cd in setcmd (argc=0x3, argv=0x555555576ea0 <margv>) at commands.c:1152

1152       \*(ct->charp) = (cc\_t) value;

gdb-peda$ bt

#0  0x000055555555b7cd in setcmd (argc=0x3, argv=0x555555576ea0 <margv>) at commands.c:1152

#1  0x000055555555dadb in command (top=0x1, tbuf=0x0, cnt=<optimized out>) at commands.c:3047

#2  0x0000555555559fe4 in main (argc=0x0, argc@entry=0x1, argv=0x7fffffffe390, argv@entry=0x7fffffffe388) at main.c:426

#3  0x00007ffff7db60b3 in \_\_libc\_start\_main (main=0x555555559d60 <main>, argc=0x1, argv=0x7fffffffe388, init=<optimized out>, fini=<optimized out>, 

    rtld\_fini=<optimized out>, stack\_end=0x7fffffffe378) at ../csu/libc-start.c:308

#4  0x000055555555a01e in \_start () at main.c:426

CVE-2021-46060: NULL Pointer Dereference in setcmd () at commands.c:1152

Z-Wave devices based on Silicon Labs 500 series chipsets using S0 authentication are susceptible to uncontrolled resource consumption leading to battery exhaustion. As an example, the Schlage BE468 version 3.42 door lock is vulnerable and fails open at a low battery level.

**VFuzz-public**

> Summary

VFuzz is a fuzzing approach for finding vulnerabilities in the Z-Wave smart home devices. VFuzz found flaws in major Z-Wave chipsets series. These vulnerabilities allow an attacker to inject malicious Z-Wave packets that can control, impersonate, or cause a denial-of-service (DoS) on vulnerable devices. A DoS on the Z-Wave controller can disable intrusion and event notifications to the remote house owner resulting in illegal house access without the security systems being activated.

> Impact

Depending on the chipset and device, an attacker within Z-Wave radio range can deny service, cause devices to crash, deplete batteries, intercept, observe, and replay traffic, and control vulnerable devices.

> Demo video of found vulnerabilities' impact

We provide a demo video highlighting found vulnerabilities’ impact on smart home devices at https://ieeexplore.ieee.org/document/9663293 below the Abstract.

> Journal paper

VFuzz details, implementations, and experimental results are available in our paper published in IEEE Access Journal at https://ieeexplore.ieee.org/document/9663293.

C. K. Nkuba, S. Kim, S. Dietrich and H. Lee, "Riding the IoT Wave With VFuzz: Discovering Security Flaws in Smart Homes," in IEEE Access, vol. 10, pp. 1775-1789, 2022, doi: 10.1109/ACCESS.2021.3138768.

> Responsible disclosure

We filed several vulnerability reports to the US CERT/CC division in order to work with the respective chipsets and device manufacturers to fix and mitigate the threats that we discovered.

Below are the CVE references:

1.  CERT/CC CVEs SUMMARY: https://kb.cert.org/vuls/id/142629
2.  https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9057
3.  https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9058
4.  https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9059
5.  https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9060
6.  https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9061
7.  https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10137

> How to stop the attacks?

Z-Wave devices with 100, 200, 300 series chipsets are one-time-programmable and cannot be updated to fix the vulnerabilities. For the above-listed devices, we are developing an intrusion detection system to mitigate these external attacks.

For devices with 500 and 700 chipset series, the above-mentioned vulnerabilities can be mitigated through firmware updates.

We also advise house owners to have a diversified set of smart home devices with different technologies such as Z-Wave, ZigBee, Thread, etc. so that when the former is attacked, the latter can capture the intrusion, activate security systems, and notify the remote user via mobile app.

> Ethical considerations

The VFuzz public version WILL provide source code for core Z-Wave fuzzing functionalities while reducing advanced features that could be misused by bad actors to attack smart home devices. For the same ethical considerations, we are not releasing the VFuzz PoC exploit code.

> About

This repository is maintained by Carlos Nkuba. For reporting bugs, you can submit an issue to the GitHub repository.

CVE-2020-9059: GitHub - CNK2100/VFuzz-public

A Stack-based buffer overflow in the SonicOS SessionID HTTP response header allows a remote authenticated attacker to cause Denial of Service (DoS) and potentially results in code execution in the firewall. This vulnerability affected SonicOS Gen 5, Gen 6 and Gen 7 firmware versions.

CVE-2021-20048

A Stack-based buffer overflow in the SonicOS HTTP Content-Length response header allows a remote authenticated attacker to cause Denial of Service (DoS) and potentially results in code execution in the firewall. This vulnerability affected SonicOS Gen 5, Gen 6 and Gen 7 firmware versions.

CVE-2021-20046

IBM Security Verify 10.0.0, 10.0.1.0, and 10.0.2.0 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 210067.

**CVEID:**   CVE-2021-3520  
**DESCRIPTION:**   lz4 could allow a remote attacker to execute arbitrary code on the system, caused by an integer overflow. By sending a specially crafted file, an attacker could invoke memmove() on a negative size argument leading to memory corruption and trigger an out-of-bounds write or cause the library to crash.  
CVSS Base score: 8.6  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/202592 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H)

**CVEID:**   CVE-2021-38957  
**DESCRIPTION:**   IBM Security Verify could disclose sensitive information due to hazardous input validation during QR code generation.  
CVSS Base score: 3.1  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/212040 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N)

**CVEID:**   CVE-2020-13434  
**DESCRIPTION:**   SQLite is vulnerable to a denial of service, caused by an integer overflow in the sqlite3\_str\_vappendf function. By sending a specially-crafted request, a remote attacker could overflow a buffer and cause a denial of service.  
CVSS Base score: 7.5  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/182405 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

**CVEID:**   CVE-2020-15358  
**DESCRIPTION:**   SQLite is vulnerable to a denial of service, caused by a heap-based buffer overflow in the mishandling of query-flattener optimization in select.c. By sending a specially-crafted query, a local authenticated attacker could overflow a buffer and cause the application to crash.  
CVSS Base score: 5.5  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/184103 for the current score.  
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

**CVEID:**   CVE-2019-13012  
**DESCRIPTION:**   GNOME GLib could allow a local attacker to bypass security restrictions, caused by improper permission control in the keyfile settings backend. An attacker could exploit this vulnerability to bypass access restrictions.  
CVSS Base score: 3.3  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/166666 for the current score.  
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N)

**CVEID:**   CVE-2021-27218  
**DESCRIPTION:**   GNOME GLib is vulnerable to a denial of service, caused by an error when invoking g\_byte\_array\_new\_take() with a buffer of 4GB or more on a 64-bit platform. An attacker could exploit this vulnerability to cause unintended length truncation.  
CVSS Base score: 6.2  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/196784 for the current score.  
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

**CVEID:**   CVE-2021-27219  
**DESCRIPTION:**   GNOME GLib could allow a remote attacker to cause a denial of service, caused by an integer overflow in the g\_bytes\_new function. An attacker could exploit this vulnerability to corrupt memory and cause a denial of service.  
CVSS Base score: 7.5  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/196782 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

**CVEID:**   CVE-2020-8927  
**DESCRIPTION:**   Brotli is vulnerable to buffer overflow. By controlling the input length of a "one-shot" decompression request to a script, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.  
CVSS Base score: 5.3  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/188304 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

**CVEID:**   CVE-2020-24977  
**DESCRIPTION:**   GNOME libxml2 is vulnerable to a buffer overflow, caused by improper bounds checking by the xmlEncodeEntitiesInternal function in libxml2/entities.c. By persuading a victim to open a specially-crafted file, a remote attacker could overflow a buffer and execute arbitrary code on the system.  
CVSS Base score: 7.8  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/187847 for the current score.  
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

**CVEID:**   CVE-2021-3516  
**DESCRIPTION:**   libxml2 could allow a remote attacker to execute arbitrary code on the system, caused by a use-after-free in xmlEncodeEntitiesInternal() in entities.c. By persuading a victim to open a specially crafted file, an attacker could exploit this vulnerability to execute arbitrary code on the system.  
CVSS Base score: 7.8  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/202838 for the current score.  
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

**CVEID:**   CVE-2021-3517  
**DESCRIPTION:**   GNOME libxml2 is vulnerable to a heap-based buffer overflow, caused by improper bounds checking by xmlEncodeEntitiesInternal() in entities.c. By sending a specially crafted file, a remote attacker could trigger an out-of-bounds read and execute arbitrary code on the system or cause a denial of service.  
CVSS Base score: 8.6  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/202526 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H)

**CVEID:**   CVE-2021-3518  
**DESCRIPTION:**   GNOME libxml2 could allow a remote attacker to execute arbitrary code on the system, caused by a use-after-free flaw in the xmlXIncludeDoProcess() function in xinclude.c. By sending a specially-crafted file, an attacker could exploit this vulnerability to execute arbitrary code on the system.  
CVSS Base score: 8.6  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/203144 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H)

**CVEID:**   CVE-2021-3537  
**DESCRIPTION:**   GNOME libxml2 is vulnerable to a denial of service, caused by a NULL pointer dereference flaw when parsing XML mixed content in recovery mode and post-validated. A remote attacker could exploit this vulnerability to cause the application to crash.  
CVSS Base score: 7.5  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/203084 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

**CVEID:**   CVE-2021-3541  
**DESCRIPTION:**   GNOME libxml2 is vulnerable to a denial of service, caused by an exponential entity expansion attack which bypasses all existing protection mechanisms. A remote authenticated attacker could exploit this vulnerability to consume all available resources.  
CVSS Base score: 6.5  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/204818 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

**CVEID:**   CVE-2021-38894  
**DESCRIPTION:**   IBM Security Verify could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system.  
CVSS Base score: 2.7  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/209515 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N)

**CVEID:**   CVE-2021-38921  
**DESCRIPTION:**   IBM Security Access Manager Appliance uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information.  
CVSS Base score: 5.9  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/210067 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

**CVEID:**   CVE-2021-3449  
**DESCRIPTION:**   OpenSSL is vulnerable to a denial of service, caused by a NULL pointer dereference in signature\_algorithms processing. By sending a specially crafted renegotiation ClientHello message from a client, a remote attacker could exploit this vulnerability to cause the TLS server to crash.  
CVSS Base score: 7.5  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/198752 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

**CVEID:**   CVE-2021-3450  
**DESCRIPTION:**   OpenSSL could allow a remote attacker to bypass security restrictions, caused by a missing check in the validation logic of X.509 certificate chains by the X509\_V\_FLAG\_X509\_STRICT flag. By using any valid certificate or certificate chain to sign a specially crafted certificate, an attacker could bypass the check that non-CA certificates must not be able to issue other certificates and override the default purpose.  
CVSS Base score: 7.4  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/198754 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H)

**CVEID:**   CVE-2021-38956  
**DESCRIPTION:**   IBM Security Verify could disclose sensitive version information in HTTP response headers that could aid in further attacks against the system.  
CVSS Base score: 5.3  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/212038 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

**CVEID:**   CVE-2016-10228  
**DESCRIPTION:**   GNU C Library (glibc) is vulnerable to a denial of service, caused by an error in the iconv program. By processing invalid multi-byte input sequences, a remote attacker could exploit this vulnerability to cause the application to enter into an infinite loop.  
CVSS Base score: 5.3  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/124078 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

**CVEID:**   CVE-2019-9169  
**DESCRIPTION:**   GNU glibc is vulnerable to a heap-based buffer overflow, caused by a buffer over-read flaw in the proceed\_next\_node function in posix/regexec.c. By sending a specially-crafted argument using a case-insensitive regular-expression match, a remote attacker could overflow a buffer and execute arbitrary code on the system.  
CVSS Base score: 7.3  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/157800 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

**CVEID:**   CVE-2019-25013  
**DESCRIPTION:**   GNU glibc is vulnerable to a denial of service, caused by a buffer over-read in iconv feature. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to cause a SIGSEGV.  
CVSS Base score: 7.5  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/194579 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

**CVEID:**   CVE-2020-27618  
**DESCRIPTION:**   GNU C Library (aka glibc or libc6) is vulnerable to a denial of service, caused by an error when processing some invalid inputs from several IBM character sets in the iconv function. By sending invalid multi-byte input sequences in IBM1364, IBM1371, IBM1388, IBM1390, IBM1399 encodings, a local authenticated attacker could exploit this vulnerability to cause the application to enter into an infinite loop.  
CVSS Base score: 5.5  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/196446 for the current score.  
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

**CVEID:**   CVE-2021-3326  
**DESCRIPTION:**   GNU C Library (aka glibc or libc6) is vulnerable to a denial of service, caused by an assertion failure when processing invalid input sequences in the ISO-2022-JP-3 encoding in the iconv function. By sending specially-crafted input, a remote attacker could exploit this vulnerability to cause the application to crash.  
CVSS Base score: 7.5  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/195732 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

**CVEID:**   CVE-2021-20305  
**DESCRIPTION:**   Nettle could allow a remote attacker to bypass security restrictions, caused by a flaw related to several signature verification functions result in the Elliptic Curve Cryptography point (ECC) multiply function being invoked with out-of-range scalers. An attacker could exploit this vulnerability to force an invalid signature, causing an assertion failure or possible validation.  
CVSS Base score: 8.1  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/199653 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

**CVEID:**   CVE-2021-38895  
**DESCRIPTION:**   IBM Security Verify is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.  
CVSS Base score: 3  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/209563 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:N/A:N)

**CVEID:**   CVE-2021-32027  
**DESCRIPTION:**   PostgreSQL could allow a remote authenticated attacker to execute arbitrary code on the system, caused by an integer overflow while modifying certain SQL array values. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system.  
CVSS Base score: 7.5  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/202823 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)

**CVEID:**   CVE-2021-32028  
**DESCRIPTION:**   PostgreSQL could allow a remote authenticated attacker to obtain sensitive information, caused by a memory disclosure vulnerability when using an INSERT … ON CONFLICT … DO UPDATE command on a purpose-crafted table. By creating prerequisite objects, an attacker could exploit this vulnerability to read arbitrary bytes of server memory.  
CVSS Base score: 6.5  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/203616 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)

**CVEID:**   CVE-2021-32029  
**DESCRIPTION:**   PostgreSQL could allow a remote authenticated attacker to obtain sensitive information, caused by an error when using an UPDATE…RETURNING command on a purpose-crafted table. An attacker could exploit this vulnerability to read arbitrary bytes of server memory.  
CVSS Base score: 6.5  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/207909 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)

**CVEID:**   CVE-2021-3393  
**DESCRIPTION:**   PostgreSQL could allow a remote authenticated attacker to obtain sensitive information, caused by a flaw in the error messages. By sending a specially-crafted query, an attacker could exploit this vulnerability to obtain sensitive information from a column they have UPDATE permission but not SELECT permission to, and use this information to launch further attacks against the affected system.  
CVSS Base score: 3.1  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/199296 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N)

Tag

#dos