Buffer overflow in mg_resolve_from_hosts_file in Mongoose 6.18, when reading from a crafted hosts file.

Buffer overflow in mg\_resolve\_from\_hosts\_file function (line 124) in mongoose/src/mg\_resolv.c in Mongoose 6.18, where sscanf copies data from p to alias without limiting the size of the copied data not to exceed the alias array size, which is 256. Note that p can be up to 1024 (minus the IP digits) and is copied from a tainted file. This bug can be triggered by a malformed hosts file that includes a hostname that is larger than 256.

One way to fix this bug is by adding the format width specifier

for (p = line + len; sscanf(p, "%**255**ss%n", alias, &len) == 1; p += len) {

CVE-2020-25887: Buffer overflow in mg_resolve_from_hosts_file function  · Issue #1140 · cesanta/mongoose

A Use After Free vulnerability in Fedora Linux kernel 5.9.0-rc9 allows attackers to obatin sensitive information via vgacon_invert_region() function.

Submitted by Zhang Xiaoxu on March 4, 2020, 2:24 a.m.

**Details**

**Not browsing as part of any series.**

**Commit Message****Patch hide | download patch | download mbox**

diff --git a/drivers/video/console/vgacon.c b/drivers/video/console/vgacon.c
index de7b8382aba9..998b0de1812f 100644
\--- a/drivers/video/console/vgacon.c
+++ b/drivers/video/console/vgacon.c
@@ -1316,6 +1316,9 @@  static int vgacon\_font\_get(struct vc\_data \*c, struct console\_font \*font)
 static int vgacon\_resize(struct vc\_data \*c, unsigned int width,
 			 unsigned int height, unsigned int user)
 {
+	if ((width << 1) \* height > vga\_vram\_size)
+		return -EINVAL;
+
 	if (width % 2 || width > screen\_info.orig\_video\_cols ||
 	    height > (screen\_info.orig\_video\_lines \* vga\_default\_font\_height)/
 	    c->vc\_font.height)

**Comments**

CVE-2020-27418: [v4] vgacon: Fix a UAF in vgacon_invert_region

Cross Site Scripting (XSS) vulnerability in Cacti 1.2.21 via crafted POST request to graphs_new.php.

XSS vulnerability in Cacti https://github.com/Cacti/cacti version v1.2.21

The path of the vulnerability. In file https://github.com/Cacti/cacti/blob/develop/graphs\_new.php

//line 40
switch (get\_request\_var('action')) {
              case 'save':
                            form\_save();
 
//line 117 the source in $\_POST
function form\_save() {
              if (isset\_request\_var('save\_component\_graph')) {
                            /\* summarize the 'create graph from host template/snmp index' stuff into an array \*/
                            foreach ($\_POST as $var => $val) {
                            //…..
                           if (strpos($var, 'sgg\_') !== false) {
                                                         // Note: the source in $snmp\_query\_id then function store\_get\_selected\_dq\_index will be called
                                                         $snmp\_query\_id = str\_replace('sgg\_', '', $var);
                                                        store\_get\_selected\_dq\_index($snmp\_query\_id);
                                          }
                            }
            //…….
}
// line 100
Note the source in $snmp\_query\_id
function store\_get\_selected\_dq\_index($snmp\_query\_id) {
              // ….
              } elseif (isset\_request\_var('sgg\_' . $snmp\_query\_id)) {
                             // Note: get\_filter\_request\_var will be called
                            $selected = get\_filter\_request\_var('sgg\_' . $snmp\_query\_id);
              }
//….
}

In file https://github.com/Cacti/cacti/blob/develop/lib/html\_utility.php

//line 424
// the source in the argument $name
function get\_filter\_request\_var($name, $filter = FILTER\_VALIDATE\_INT, $options = array()) {
//….
//line 503
if ($value === false) {
                                          if ($filter == FILTER\_VALIDATE\_IS\_REGEX) {
                                                         //….
                                          } else {
                                                         // Note: function die\_html\_input\_error will be called
                                                         die\_html\_input\_error($name, get\_nfilter\_request\_var($name));
                                          }
                            }

In file https://github.com/Cacti/cacti/blob/develop/lib/html\_validate.php

//line 47
// Note: the source in $variable
function die\_html\_input\_error($variable = '', $value = '', $message = '') {
              //….
 
              if ($message == '') {
              // Note: the $message will include the $variable as I will explain later, then it will be printed
              $message = \_\_('Validation error for variable %s with a value of %s.  See backtrace below for more details.', $variable, $value);
              }
              //Note: the print of the $message
             $variable = ($variable != '' ? ', Variable:' . $variable : '');
              $value    = ($value    != '' ? ', Value:'    . $value    : '');
 
              if (defined('CACTI\_CLI\_ONLY')) {
                            cacti\_debug\_backtrace('Validation Error' . $variable . $value, false);
                            print $message . PHP\_EOL;
                            exit(1);
              } elseif (isset\_request\_var('json')) {
                            cacti\_debug\_backtrace('Validation Error' . $variable . $value, false);
                            print json\_encode(
                                          array(
                                                         'status' => '500',
                                                         'statusText' => \_\_('Validation Error'),
                                                         'responseText' => $message
                                          )
                            );
              } else {
                            cacti\_debug\_backtrace('Validation Error' . $variable . $value, true);
 
                            print "<table style='width:100%;text-align:center;'><tr><td>$message</td></tr></table>";
                            bottom\_footer();
              }
 
              exit;
}
}

In file https://github.com/Cacti/cacti/blob/develop/include/global\_languages.php

//line 432
function \_\_() {
              global $l10n;
 
              $args = func\_get\_args();
              $num  = func\_num\_args();
 
              //….
                            else{
                                          $args\[0\] = \_\_gettext($args\[0\]);
                            }
 
                            /\* process return string against input arguments \*/
                            return \_\_uf(call\_user\_func\_array('sprintf', $args));
              }
}
 
//line 393
function \_\_gettext($text, $domain = 'cacti') {
              //….
 
              if (!isset($translated)) {
                            $translated = $text;
              } 
 
              //…..
              return \_\_uf($translated);
}
 
//line 428
function \_\_uf($text) {
              return str\_replace('%%', '%', $text);
}

The vulnerability is confirmed by the developers. The email sent on 18/06/2022.

CVE-2022-41444: XSS vulnerability in Cacti

p7zip 16.02 was discovered to contain a heap-buffer-overflow vulnerability via the function NArchive::NZip::CInArchive::FindCd(bool) at CPP/7zip/Archive/Zip/ZipIn.cpp.

*   Summary
*   Files
*   Reviews
*   Support
*   Tickets ▾
    *   Bugs
    *   Support Requests
    *   Patches
    *   Feature Requests
*   Discussion

Menu ▾ ▴

Status: open

Owner: nobody

Labels: None

Priority: 5

Updated: 2022-12-09

Created: 2022-12-09

Private: No

**Description**

Heap-buffer-overflow in CPP/7zip/Archive/Zip/ZipIn.cpp:1116 in NArchive::NZip::CInArchive::FindCd(bool)

**Verison**

$ ./7za   
7-Zip (a) [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,64 bits,64 CPUs x64)

**Replay**

./7za t poc.zip

**POC**

https://github.com/17ssDP/fuzzer\_crashes/raw/main/zip/poc.zip

**ASAN**

$./7zatpoc.zip

7-Zip(a)[64]16.02:Copyright(c)1999-2016IgorPavlov:2016-05-21
p7zipVersion16.02(locale=en_US.UTF-8,Utf16=on,HugeFiles=on,64bits,64CPUsx64)

Scanningthedriveforarchives:
1file,4340bytes(5KiB)

Testingarchive:poc.zip
=================================================================
==65213==ERROR:AddressSanitizer:heap-buffer-overflowonaddress0x6210000000ffatpc0x55b8f9dd0731bp0x7ffd13599890sp0x7ffd13599880
READofsize4at0x6210000000ffthreadT0
#00x55b8f9dd0730inNArchive::NZip::CInArchive::FindCd(bool)../../../../CPP/7zip/Archive/Zip/ZipIn.cpp:1116
#10x55b8f9dd5f00inNArchive::NZip::CInArchive::ReadVols()../../../../CPP/7zip/Archive/Zip/ZipIn.cpp:1578
#20x55b8f9e01d9binNArchive::NZip::CInArchive::Open(IInStream*,unsignedlonglongconst*,IArchiveOpenCallback*,CObjectVector<NArchive::NZip::CItemEx>&)../../../../CPP/7zip/Archive/Zip/ZipIn.cpp:2135
#30x55b8f9d4c294inNArchive::NZip::CHandler::Open(IInStream*,unsignedlonglongconst*,IArchiveOpenCallback*)../../../../CPP/7zip/Archive/Zip/ZipHandler.cpp:474
#40x55b8fa46890binCArc::OpenStream2(COpenOptionsconst&)../../../../CPP/7zip/UI/Common/OpenArchive.cpp:1878
#50x55b8fa47fb6ainCArc::OpenStream(COpenOptionsconst&)../../../../CPP/7zip/UI/Common/OpenArchive.cpp:2901
#60x55b8fa481451inCArc::OpenStreamOrFile(COpenOptions&)../../../../CPP/7zip/UI/Common/OpenArchive.cpp:2993
#70x55b8fa48437ainCArchiveLink::Open(COpenOptions&)../../../../CPP/7zip/UI/Common/OpenArchive.cpp:3169
#80x55b8fa48ccf5inCArchiveLink::Open2(COpenOptions&,IOpenCallbackUI*)../../../../CPP/7zip/UI/Common/OpenArchive.cpp:3292
#90x55b8fa48f2a5inCArchiveLink::Open3(COpenOptions&,IOpenCallbackUI*)../../../../CPP/7zip/UI/Common/OpenArchive.cpp:3356
#100x55b8fa409e7einExtract(CCodecs*,CObjectVector<COpenType>const&,CRecordVector<int>const&,CObjectVector<UString>&,CObjectVector<UString>&,NWildcard::CCensorNodeconst&,CExtractOptionsconst&,IOpenCallbackUI*,IExtractCallbackUI*,IHashCalc*,UString&,CDecompressStat&)../../../../CPP/7zip/UI/Common/Extract.cpp:362
#110x55b8fa5cc0b6inMain2(int,char**)../../../../CPP/7zip/UI/Console/Main.cpp:923
#120x55b8f9819ef8inmain../../../../CPP/7zip/UI/Console/MainAr.cpp:66
#130x7fa675178c86in__libc_start_main(/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
#140x55b8f981c069in_start(/home/p7zip/7za+0x41069)

0x6210000000ffislocated1bytestotheleftof4340-byteregion[0x621000000100,0x6210000011f4)
allocated by thread T0 here:
    #0 0x7fa675e6c608 in operator new[](unsignedlong)(/usr/lib/x86_64-linux-gnu/libasan.so.4+0xe0608)
#10x55b8f9dce590inCObjArray<unsignedchar>::CObjArray(unsignedlong)../../../../CPP/7zip/Archive/Zip/../../../Common/MyBuffer.h:141
#20x55b8f9dce590inNArchive::NZip::CInArchive::FindCd(bool)../../../../CPP/7zip/Archive/Zip/ZipIn.cpp:1066

SUMMARY:AddressSanitizer:heap-buffer-overflow../../../../CPP/7zip/Archive/Zip/ZipIn.cpp:1116inNArchive::NZip::CInArchive::FindCd(bool)
Shadowbytesaroundthebuggyaddress:
0x0c427fff7fc0:00000000000000000000000000000000
0x0c427fff7fd0:00000000000000000000000000000000
0x0c427fff7fe0:00000000000000000000000000000000
0x0c427fff7ff0:00000000000000000000000000000000
0x0c427fff8000:fafafafafafafafafafafafafafafafa
=>0x0c427fff8010:fafafafafafafafafafafafafafafa[fa]
0x0c427fff8020:00000000000000000000000000000000
0x0c427fff8030:00000000000000000000000000000000
0x0c427fff8040:00000000000000000000000000000000
0x0c427fff8050:00000000000000000000000000000000
0x0c427fff8060:00000000000000000000000000000000
Shadowbytelegend(oneshadowbyterepresents8applicationbytes):
Addressable:00
Partiallyaddressable:01020304050607
Heapleftredzone:fa
Freedheapregion:fd
Stackleftredzone:f1
Stackmidredzone:f2
Stackrightredzone:f3
Stackafterreturn:f5
Stackuseafterscope:f8
Globalredzone:f9
Globalinitorder:f6
Poisonedbyuser:f7
Containeroverflow:fc
Arraycookie:ac
Intraobjectredzone:bb
ASaninternal:fe
Leftallocaredzone:ca
Rightallocaredzone:cb
==65213==ABORTING

**Environment**

**1 Attachments**

**Discussion**

Log in to post a comment.

CVE-2022-47069: p7zip / Bugs / #241 Heap-buffer-overflow in ZipIn.cpp:1116

An issue was discovered in spice-server spice-server-0.14.0-6.el7_6.1.x86_64 of Redhat's VDI product. There is a security vulnerablility that can restart KVMvirtual machine without any authorization. It is not yet known if there will be other other effects.

**Spice-Security-Issues**

I found a security issue on spice Server when I was fuzzing Spice server.

**Introduce**

A handshake is required before the spice-server and spice-client can establish communication, spice-client will send a request containing some information that the server needs. This TCP request requires only host and port. So I constructed a malformed TCP packet that caused the vm to crash and the QEMu-KVM process to be restarted.

**How to run**

#1. Send a malformed TCP packet(Observe the packets intercepted by Wirshark)  #2. check qemu-kvm process && kvm instance state

Before sending a malformed TCP packet  
  After sending a malformed TCP packet  

#3. Check libvirt's log that the virtual machine crashed  #4. Observe the virtual machine through virt-manage, found that the virtual machine has been restarted 

**Vulnerability Code**

Code Address: https://gitlab.freedesktop.org/spice/spice/-/blob/master/server/red-stream.cpp  
Function：async\_read\_handler Description: The function async\_READ\_handler caused a deadlock while processing the data stream. 

**Related component version**

Centos: Linux version 3.10.0-957.10.2.el7.x86\_64  
Qemu-kvm: QEMU emulator version 2.10.0(qemu-kvm-ev-2.10.0-21.el7\_5.7.1)  
Spice-server rpm: spice-server-0.14.0-6.el7\_6.1.x86\_64

CVE-2020-23793: GitHub - zelat/spice-security-issues

Buffer Overflow vulnerability in fmt_entry function in progs/dump_entry.c:1100 in ncurses 6.1 allows remote attackers to cause a denial of service via crafted command.

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Search code, repositories, users, issues, pull requests...**

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

CVE-2020-19187: fuzzpoc/infotocap_poc3.md at master · zjuchenyuan/fuzzpoc

Buffer Overflow vulnerability in one_one_mapping function in progs/dump_entry.c:1373 in ncurses 6.1 allows remote attackers to cause a denial of service via crafted command.

CVE-2020-19185: fuzzpoc/infotocap_poc1.md at master · zjuchenyuan/fuzzpoc

Buffer Overflow vulnerability in _nc_find_entry function in tinfo/comp_hash.c:66 in ncurses 6.1 allows remote attackers to cause a denial of service via crafted command.

CVE-2020-19186: fuzzpoc/infotocap_poc2.md at master · zjuchenyuan/fuzzpoc

Buffer Overflow vulnerability in function H5S_close in H5S.c in HDF5 1.10.4 allows remote attackers to run arbitrary code via creation of crafted file.

Tag

#git