HGiga MailSherlockâ€™s specific function has insufficient filtering for user input. An unauthenticated remote attacker can exploit this vulnerability to inject JavaScript, conducting a reflected XSS attack.

:::

*   首頁
*   資安服務
*   台灣漏洞揭露平台 (TVN)
*   TVN (Taiwan Vulnerability Note) 漏洞公告

TVN ID

TVN-202302007

CVE ID

CVE-2023-24839

CVSS

6.1 (Medium)  
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

影響產品

HGiga MailSherlock  
系統版本：v4.5  
系統套件：iSherlock-user-4.5 <= 4.5-161 & iSherlock-antispam-4.5 <=4.5-167

問題描述

MailSherlock特定功能未過濾URL參數中的特殊字元，遠端攻擊者不須權限，即可注入JavaScript語法進行攻擊，進行反射型XSS (Reflected Cross-site scripting)攻擊。

解決方法

更新MailSherlock之iSherlock-user及iSherlock-antispam系統套件至以下版本：  
iSherlock-user-4.5-162.386.rpm & iSherlock-antispam-4.5-168.386.rpm

漏洞通報者

Dong-Jie Chen (CHT Security)

公開日期

2023-02-24

CVE-2023-24839: HGiga MailSherlock - Reflected XSS

Openfind Mail2000 file uploading function has insufficient filtering for user input. An authenticated remote attacker with general user privilege can exploit this vulnerability to inject JavaScript, conducting an XSS attack.

:::

*   勒索軟體防護專區
*   遠距辦公資安專區
*   回首頁
*   網站導覽
*   訂閱電子報
*   English

****

*   資安通報
*   Wannacry
*   駭客
*   勒索
*   手機

*   新聞公告News
    *   公告事項
    *   資安新聞
    *   資安活動
    *   電子報
*   資安服務Services
    *   資安通報
        *   一般資安通報
    *   資安聯盟
        *   資安聯盟簡介
        *   規章及會員申請暨異動申請
    *   台灣漏洞揭露平台 (TVN)
        *   TVN (Taiwan Vulnerability Note) 漏洞公告
        *   漏洞揭露政策
        *   漏洞通報
    *   惡意檔案檢測服務 (Virus Check)
    *   網路釣魚通報 (Phishing Check)
        *   網路釣魚通報
        *   釣魚網站列表
*   資安宣導Advocacy
    *   勒索軟體威脅防護專區
    *   遠距辦公資安專區
    *   軟硬體漏洞警訊
    *   威脅分析報告
    *   資安小知識
    *   資訊安全宣導
    *   資安宣導影音
    *   公開文件
*   相關網站Links
    *   國內資安組織
    *   國際資安組織
    *   網路資源
*   關於我們About us
    *   中心簡介
    *   活動紀事
        *   歷年年會活動網站
        *   活動花絮
    *   PGP KEY
    *   聯絡我們
    *   合作夥伴

:::

*   首頁
*   資安服務
*   台灣漏洞揭露平台 (TVN)
*   TVN (Taiwan Vulnerability Note) 漏洞公告

TVN ID

TVN-202302001

CVE ID

CVE-2023-22902

CVSS

5.4 (Medium)  
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

影響產品

Openfind Mail2000 V7 & V8

問題描述

Mail2000檔案上傳功能未過濾內容中的特殊字元，遠端攻擊者以一般使用者權限登入後，即可注入JavaScript語法進行攻擊，進行XSS(Cross-site scripting)攻擊。

解決方法

Update Mail2000 version to latest

漏洞通報者

Openfind (由BCCS漢昕科技Lin HanChao通報)

公開日期

2023-02-24

CVE-2023-22902: Openfind Mail2000 - XSS

In GraphQL Java (aka graphql-java) before 20.1, an attacker can send a crafted GraphQL query that causes stack consumption. The fixed versions are 20.1, 19.4, 18.4, 17.5, and 0.0.0-2023-03-20T01-49-44-80e3135.

**GraphQL Java vulnerable to stack consumption**

Moderate severity GitHub Reviewed Published Mar 27, 2023 to the GitHub Advisory Database • Updated Mar 27, 2023

GHSA-p4qx-6w5p-4rj2: GraphQL Java vulnerable to stack consumption

The pullit package before 1.4.0 for Node.js allows OS Command Injection because eval is used on an attacker-supplied Git branch name.

**Arbitrary Command Execution Affecting pullit package, versions **<1.4.0****

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

*   Snyk ID **npm:pullit:20180214**
*   published **14 Feb 2018**
*   disclosed **13 Feb 2018**
*   credit **Liran Tal**

**How to fix?**

Upgrade pullit to version 1.4.0 or higher.

**Overview**

pullit is Display and pull branches from GitHub pull requests.

Affected versions of the package are vulnerable to Arbitrary Code Execution. due to an insecure use of the eval() function. Node.js provides the eval() function by default, and is used to translate strings into Javascript code. An attacker can craft a malicious payload to inject arbitrary commands. pullit uses this function in order to call git commands, which originate from user input in terms of a carefully created remote branch name on GitHub, which pullit pulls branch names from.

**PoC**

*   Create a branch that could potentially terminate an exec() command and concatenate to it a new command: git checkout -b ";{echo,hello,world}>/tmp/c”
*   Push it to GitHub and create a pull request with this branch name
*   Run pullit from command line, select the relevant pull request to checkout locally
*   Read the contents of /tmp/c

**Disclosure Timeline**

*   Oct 24th, 2017 - Initial Disclosure
*   Jan 11th, 2018 - Second Reminder
*   Feb 14th, 2018 - Public GitHub issue opened
*   Feb 14th, 2018 - First response from maintainer
*   Feb 14th, 2018 - Vulnerability published
*   Feb 19th, 2018 - Vulnerability fixed

CVE-2018-25083: Snyk Vulnerability Database | Snyk

This puts in a limit on how deep grammar rules can get.

As ANLTR is a **recursive-descent parser** it will build up a call stack as it moves along. This stack is limited and can blow up with just the wrong input. Even if the max tokens checking is in place, it can still blow the JVM stack before the max tokens are reached.

Right now it's 500 deep as presented here. Is this the right value? More?? Less ?? I changed it from 1000

CVE-2023-28867: Preventing stack overflow exceptions via limiting the depth of the parser rules by bbakerman · Pull Request #3112 · graphql-java/graphql-java

In isBluetoothShareUri of BluetoothOppUtility.java, there is a possible incorrect file read due to a confused deputy. This could lead to local information disclosure with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-11 Android-12 Android-12L Android-13Android ID: A-225880741

_Published March 6, 2023 | Updated March 8, 2023_

The Android Security Bulletin contains details of security vulnerabilities affecting Android devices. Security patch levels of 2023-03-05 or later address all of these issues. To learn how to check a device's security patch level, see Check and update your Android version.

Android partners are notified of all issues at least a month before publication. Source code patches for these issues have been released to the Android Open Source Project (AOSP) repository and linked from this bulletin. This bulletin also includes links to patches outside of AOSP.

The most severe of these issues is a critical security vulnerability in the System component that could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation. The severity assessment is based on the effect that exploiting the vulnerability would possibly have on an affected device, assuming the platform and service mitigations are turned off for development purposes or if successfully bypassed.

Refer to the Android and Google Play Protect mitigations section for details on the Android security platform protections and Google Play Protect, which improve the security of the Android platform.

**Android and Google service mitigations**

This is a summary of the mitigations provided by the Android security platform and service protections such as Google Play Protect. These capabilities reduce the likelihood that security vulnerabilities could be successfully exploited on Android.

*   Exploitation for many issues on Android is made more difficult by enhancements in newer versions of the Android platform. We encourage all users to update to the latest version of Android where possible.
*   The Android security team actively monitors for abuse through Google Play Protect and warns users about Potentially Harmful Applications. Google Play Protect is enabled by default on devices with Google Mobile Services, and is especially important for users who install apps from outside of Google Play.

**2023-03-01 security patch level vulnerability details**

In the sections below, we provide details for each of the security vulnerabilities that apply to the 2023-03-01 patch level. Vulnerabilities are grouped under the component they affect. Issues are described in the tables below and include CVE ID, associated references, type of vulnerability, severity, and updated AOSP versions (where applicable). When available, we link the public change that addressed the issue to the bug ID, like the AOSP change list. When multiple changes relate to a single bug, additional references are linked to numbers following the bug ID. Devices with Android 10 and later may receive security updates as well as Google Play system updates.

**Framework**

The most severe vulnerability in this section could lead to local escalation of privilege after updating an app to a higher Target SDK with no additional execution privileges needed. User interaction is not needed for exploitation.

    

CVE

References

Type

Severity

Updated AOSP versions

CVE-2023-20906

A-221040577

EoP

High

11, 12, 12L, 13

CVE-2023-20911

A-242537498

EoP

High

11, 12, 12L, 13

CVE-2023-20917

A-242605257 \[2\]

EoP

High

11, 12, 12L, 13

CVE-2023-20947

A-237405974

EoP

High

12, 12L, 13

CVE-2023-20963

A-220302519

EoP

High

11, 12, 12L, 13

CVE-2023-20956

A-240140929

ID

High

12, 12L, 13

CVE-2023-20958

A-254803162

ID

High

13

CVE-2023-20964

A-238177121 \[2\]

DoS

High

12, 12L, 13

**System**

The most severe vulnerability in this section could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.

    

CVE

References

Type

Severity

Updated AOSP versions

CVE-2023-20951

A-258652631

RCE

Critical

11, 12, 12L, 13

CVE-2023-20954

A-261867748

RCE

Critical

11, 12, 12L, 13

CVE-2023-20926

A-253043058

EoP

High

12, 12L, 13

CVE-2023-20931

A-242535997

EoP

High

11, 12, 12L, 13

CVE-2023-20936

A-226927612

EoP

High

11, 12, 12L, 13

CVE-2023-20953

A-251778420

EoP

High

13

CVE-2023-20955

A-258653813

EoP

High

11, 12, 12L, 13

CVE-2023-20957

A-258422561

EoP

High

11, 12, 12L

CVE-2023-20959

A-249057848

EoP

High

13

CVE-2023-20960

A-250589026 \[2\] \[3\]

EoP

High

12L, 13

CVE-2023-20966

A-242299736

EoP

High

11, 12, 12L, 13

CVE-2022-4452

A-251802307

ID

High

13

CVE-2022-20467

A-225880741

ID

High

11, 12, 12L, 13

CVE-2023-20929

A-234442700

ID

High

13

CVE-2023-20952

A-186803518

ID

High

11, 12, 12L, 13

CVE-2023-20962

A-256590210

ID

High

13

CVE-2022-20499

A-246539931

DoS

High

12, 12L, 13

CVE-2023-20910

A-245299920

DoS

High

11, 12, 12L, 13

**Google Play system updates**

The following issues are included in Project Mainline components.

 

Subcomponent

CVE

Media Codecs

CVE-2023-20956

Permission Controller

CVE-2023-20947

Tethering

CVE-2023-20929

WiFi

CVE-2022-20499, CVE-2023-20910

**2023-03-05 security patch level vulnerability details**

In the sections below, we provide details for each of the security vulnerabilities that apply to the 2023-03-05 patch level. Vulnerabilities are grouped under the component they affect. Issues are described in the tables below and include CVE ID, associated references, type of vulnerability, severity, and updated AOSP versions (where applicable). When available, we link the public change that addressed the issue to the bug ID, like the AOSP change list. When multiple changes relate to a single bug, additional references are linked to numbers following the bug ID.

**Kernel**

The vulnerability in this section could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.

    

CVE

References

Type

Severity

Subcomponent

CVE-2021-33655

A-240019719  
Upstream kernel \[2\] \[3\]

EoP

High

Frame Buffer

**MediaTek components**

These vulnerabilities affect MediaTek components and further details are available directly from MediaTek. The severity assessment of these issues is provided directly by MediaTek.

   

CVE

References

Severity

Subcomponent

CVE-2023-20620

A-264149248  
M-ALPS07554558 \*

High

adsp

CVE-2023-20621

A-264208866  
M-ALPS07664755\*

High

tinysys

CVE-2023-20623

A-264209787  
M-ALPS07559778 \*

High

ion

**Unisoc components**

These vulnerabilities affect Unisoc components and further details are available directly from Unisoc. The severity assessment of these issues is provided directly by Unisoc.

   

CVE

References

Severity

Subcomponent

CVE-2022-47459

A-264598465  
U-2032124 \*

High

Kernel

CVE-2022-47461

A-264834026  
U-2066617 \*

High

system

CVE-2022-47462

A-264834568  
U-2066754 \*

High

system

CVE-2022-47460

A-264831217  
U-2044606 \*

High

Kernel

**Qualcomm components**

These vulnerabilities affect Qualcomm components and are described in further detail in the appropriate Qualcomm security bulletin or security alert. The severity assessment of these issues is provided directly by Qualcomm.

   

CVE

References

Severity

Subcomponent

CVE-2022-22075

A-193434313  
QC-CR#3129138  
QC-CR#3112398 \[2\] \[3\]

High

Display

CVE-2022-40537

A-261468700  
QC-CR#3278869 \[2\] \[3\] \[4\]

High

Bluetooth

CVE-2022-40540

A-261470730  
QC-CR#3280498

High

Kernel

**Qualcomm closed-source components**

These vulnerabilities affect Qualcomm closed-source components and are described in further detail in the appropriate Qualcomm security bulletin or security alert. The severity assessment of these issues is provided directly by Qualcomm.

   

CVE

References

Severity

Subcomponent

CVE-2022-33213

A-238106224 \*

Critical

Closed-source component

CVE-2022-33256

A-245402790 \*

Critical

Closed-source component

CVE-2022-25655

A-261469326 \*

High

Closed-source component

CVE-2022-25694

A-235102547 \*

High

Closed-source component

CVE-2022-25705

A-235102507 \*

High

Closed-source component

CVE-2022-25709

A-235102420 \*

High

Closed-source component

CVE-2022-33242

A-245402503 \*

High

Closed-source component

CVE-2022-33244

A-245402728 \*

High

Closed-source component

CVE-2022-33250

A-245403450 \*

High

Closed-source component

CVE-2022-33254

A-245403473 \*

High

Closed-source component

CVE-2022-33272

A-245403311 \*

High

Closed-source component

CVE-2022-33278  

A-245402730 \*

High

Closed-source component

CVE-2022-33309

A-261468683 \*

High

Closed-source component

CVE-2022-40515

A-261469638 \*

High

Closed-source component

CVE-2022-40527

A-261470448 \*

High

Closed-source component

CVE-2022-40530

A-261471028 \*

High

Closed-source component

CVE-2022-40531

A-261469091 \*

High

Closed-source component

CVE-2022-40535

A-261470732 \*

High

Closed-source component

**Common questions and answers**

This section answers common questions that may occur after reading this bulletin.

**1\. How do I determine if my device is updated to address these issues?**

To learn how to check a device's security patch level, see Check and update your Android version.

*   Security patch levels of 2023-03-01 or later address all issues associated with the 2023-03-01 security patch level.
*   Security patch levels of 2023-03-05 or later address all issues associated with the 2023-03-05 security patch level and all previous patch levels.

Device manufacturers that include these updates should set the patch string level to:

*   \[ro.build.version.security\_patch\]:\[2023-03-01\]
*   \[ro.build.version.security\_patch\]:\[2023-03-05\]

For some devices on Android 10 or later, the Google Play system update will have a date string that matches the 2023-03-01 security patch level. Please see this article for more details on how to install security updates.

**2\. Why does this bulletin have two security patch levels?**

This bulletin has two security patch levels so that Android partners have the flexibility to fix a subset of vulnerabilities that are similar across all Android devices more quickly. Android partners are encouraged to fix all issues in this bulletin and use the latest security patch level.

*   Devices that use the 2023-03-01 security patch level must include all issues associated with that security patch level, as well as fixes for all issues reported in previous security bulletins.
*   Devices that use the security patch level of 2023-03-05 or newer must include all applicable patches in this (and previous) security bulletins.

Partners are encouraged to bundle the fixes for all issues they are addressing in a single update.

**3\. What do the entries in the _Type_ column mean?**

Entries in the _Type_ column of the vulnerability details table reference the classification of the security vulnerability.

 

Abbreviation

Definition

RCE

Remote code execution

EoP

Elevation of privilege

ID

Information disclosure

DoS

Denial of service

N/A

Classification not available

**4\. What do the entries in the _References_ column mean?**

Entries under the _References_ column of the vulnerability details table may contain a prefix identifying the organization to which the reference value belongs.

 

Prefix

Reference

A-

Android bug ID

QC-

Qualcomm reference number

M-

MediaTek reference number

N-

NVIDIA reference number

B-

Broadcom reference number

U-

UNISOC reference number

**5\. What does an \* next to the Android bug ID in the _References_ column mean?**

Issues that are not publicly available have an \* next to the corresponding reference ID. The update for that issue is generally contained in the latest binary drivers for Pixel devices available from the Google Developer site.

**6\. Why are security vulnerabilities split between this bulletin and device / partner security bulletins, such as the Pixel bulletin?**

Security vulnerabilities that are documented in this security bulletin are required to declare the latest security patch level on Android devices. Additional security vulnerabilities that are documented in the device / partner security bulletins are not required for declaring a security patch level. Android device and chipset manufacturers may also publish security vulnerability details specific to their products, such as Google, Huawei, LGE, Motorola, Nokia, or Samsung.

**Versions**

  

Version

Date

Notes

1.0

March 6, 2023

Bulletin Published

1.1

March 8, 2023

Bulletin revised to include AOSP links

CVE-2022-20467: Android Security Bulletin—March 2023

A heap-based buffer overflow was discovered in upx, during the generic pointer 'p' points to an inaccessible address in func get_le32(). The problem is essentially caused in PackLinuxElf32::elf_lookup() at p_lx_elf.cpp:5382.

**What's the problem (or question)?**

Multi heap-based buffer overflows were discovered in upx, during the genric pointer 'p' points to an inaccessible address in func get\_le32(). The issue can be triggered by different places, which can cause a denial of service. The issue is diff from issue365

ASAN reports:

\==112024==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61d00001f3b1 at pc 0x0000005292cb bp 0x7fffc3995640 sp 0x7fffc3995630
READ of size 4 at 0x61d00001f3b1 thread T0
    #0 0x5292ca in get\_le32(void const\*) /home/test/Desktop/EVAULATION/upx/src/bele.h:164
    #1 0x5292ca in N\_BELE\_RTP::LEPolicy::get32(void const\*) const /home/test/Desktop/EVAULATION/upx/src/bele\_policy.h:192
    #2 0x4589c1 in Packer::get\_te32(void const\*) const /home/test/Desktop/EVAULATION/upx/src/packer.h:296
    #3 0x4589c1 in PackLinuxElf32::elf\_lookup(char const\*) const /home/test/Desktop/EVAULATION/upx/src/p\_lx\_elf.cpp:5382
    #4 0x463d30 in PackLinuxElf32::PackLinuxElf32help1(InputFile\*) /home/test/Desktop/EVAULATION/upx/src/p\_lx\_elf.cpp:315
    #5 0x464e96 in PackLinuxElf32Le::PackLinuxElf32Le(InputFile\*) /home/test/Desktop/EVAULATION/upx/src/p\_lx\_elf.h:395
    #6 0x464e96 in PackLinuxElf32x86::PackLinuxElf32x86(InputFile\*) /home/test/Desktop/EVAULATION/upx/src/p\_lx\_elf.cpp:4800
    #7 0x464e96 in PackBSDElf32x86::PackBSDElf32x86(InputFile\*) /home/test/Desktop/EVAULATION/upx/src/p\_lx\_elf.cpp:4817
    #8 0x464e96 in PackFreeBSDElf32x86::PackFreeBSDElf32x86(InputFile\*) /home/test/Desktop/EVAULATION/upx/src/p\_lx\_elf.cpp:4828
    #9 0x4f337a in PackMaster::visitAllPackers(Packer\* (\*)(Packer\*, void\*), InputFile\*, options\_t const\*, void\*) /home/test/Desktop/EVAULATION/upx/src/packmast.cpp:190
    #10 0x4f50f9 in PackMaster::getUnpacker(InputFile\*) /home/test/Desktop/EVAULATION/upx/src/packmast.cpp:248
    #11 0x4f521f in PackMaster::unpack(OutputFile\*) /home/test/Desktop/EVAULATION/upx/src/packmast.cpp:266
    #12 0x52a1e6 in do\_one\_file(char const\*, char\*) /home/test/Desktop/EVAULATION/upx/src/work.cpp:160
    #13 0x52a69e in do\_files(int, int, char\*\*) /home/test/Desktop/EVAULATION/upx/src/work.cpp:271
    #14 0x403ace in main /home/test/Desktop/EVAULATION/upx/src/main.cpp:1538
    #15 0x7efc08e6182f in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x2082f)
    #16 0x404828 in \_start (/home/test/Desktop/EVAULATION/upx/src/upx.out+0x404828)

0x61d00001f3b1 is located 189 bytes to the right of 2164-byte region \[0x61d00001ea80,0x61d00001f2f4)
allocated by thread T0 here:
    #0 0x7efc09a55602 in malloc (/usr/lib/x86\_64-linux-gnu/libasan.so.2+0x98602)
    #1 0x42732a in MemBuffer::alloc(unsigned long long) /home/test/Desktop/EVAULATION/upx/src/mem.cpp:194

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/test/Desktop/EVAULATION/upx/src/bele.h:164 get\_le32(void const\*)
Shadow bytes around the buggy address:
  0x0c3a7fffbe20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3a7fffbe30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3a7fffbe40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3a7fffbe50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 fa
  0x0c3a7fffbe60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
\=>0x0c3a7fffbe70: fa fa fa fa fa fa\[fa\]fa fa fa fa fa fa fa fa fa
  0x0c3a7fffbe80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3a7fffbe90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3a7fffbea0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3a7fffbeb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3a7fffbec0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
\==112024\==ABORTING

Debug

Program received signal SIGSEGV, Segmentation fault.
0x000000000066f8f8 in get\_le32 (p=0xa1fffd) at bele.h:164
164        return ACC\_UA\_GET\_LE32(p);
\[ Legend: Modified register | Code | Heap | Stack | String \]
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── registers ────
$rax   : 0x0               
$rbx   : 0xa7ce93          
$rcx   : 0x2               
$rdx   : 0xae              
$rsp   : 0x00007fffffffcc18  →  0x000000000051249b  →  <PackLinuxElf32::elf\_lookup(char+0> xor eax, ebp
$rbp   : 0x8e8223e2        
$rsi   : 0x0000000000a1fffd  →  0x0000000000a1fffd
$rdi   : 0x00000000009ed3c0  →  0x00000000007cd9c0  →  0x000000000066fe00  →  <N\_BELE\_RTP::LEPolicy::~LEPolicy()+0> lea rsp, \[rsp-0x98\]
$rip   : 0x000000000066f8f8  →  <N\_BELE\_RTP::LEPolicy::get32(void+0> mov eax, DWORD PTR \[rsi\]
$r8    : 0x1f              
$r9    : 0x3fdf            
$r10   : 0xae              
$r11   : 0x1d9577c0        
$r12   : 0x0000000000a00030  →  0x00000000007267a0  →  <vtable+0> add BYTE PTR \[rax\], al
$r13   : 0x0000000000a1fffd  →  0x0000000000a1fffd
$r14   : 0x0000000000a00a51  →  0x0000000000000000
$r15   : 0x00000000007cd9c0  →  0x000000000066fe00  →  <N\_BELE\_RTP::LEPolicy::~LEPolicy()+0> lea rsp, \[rsp-0x98\]
$eflags: \[carry PARITY adjust ZERO sign trap INTERRUPT direction overflow RESUME virtualx86 identification\]
$cs: 0x0033 $ss: 0x002b $ds: 0x0000 $es: 0x0000 $fs: 0x0000 $gs: 0x0000 
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── stack ────
0x00007fffffffcc18│+0x0000: 0x000000000051249b  →  <PackLinuxElf32::elf\_lookup(char+0> xor eax, ebp     ← $rsp
0x00007fffffffcc20│+0x0008: 0x00000000006cdffe  →  "JNI\_OnLoad"
0x00007fffffffcc28│+0x0010: 0x0000000200000000
0x00007fffffffcc30│+0x0018: 0x000000000900457f
0x00007fffffffcc38│+0x0020: 0x0000000000000068 ("h"?)
0x00007fffffffcc40│+0x0028: 0x0000000000000000
0x00007fffffffcc48│+0x0030: 0x0000000000070000
0x00007fffffffcc50│+0x0038: 0x0000000000000000
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── code:x86:64 ────
     0x66f8e7 <N\_BELE\_RTP::LEPolicy::get32(void+0> mov    rcx, QWORD PTR \[rsp+0x8\]
     0x66f8ec <N\_BELE\_RTP::LEPolicy::get32(void+0> mov    rdx, QWORD PTR \[rsp\]
     0x66f8f0 <N\_BELE\_RTP::LEPolicy::get32(void+0> lea    rsp, \[rsp+0x98\]
 →   0x66f8f8 <N\_BELE\_RTP::LEPolicy::get32(void+0> mov    eax, DWORD PTR \[rsi\]
     0x66f8fa <N\_BELE\_RTP::LEPolicy::get32(void+0> ret    
     0x66f8fb                  nop    DWORD PTR \[rax+rax\*1+0x0\]
     0x66f900 <N\_BELE\_RTP::LEPolicy::get64(void+0> lea    rsp, \[rsp-0x98\]
     0x66f908 <N\_BELE\_RTP::LEPolicy::get64(void+0> mov    QWORD PTR \[rsp\], rdx
     0x66f90c <N\_BELE\_RTP::LEPolicy::get64(void+0> mov    QWORD PTR \[rsp+0x8\], rcx
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── source:bele.h+164 ────
    159     }
    160     
    161     inline unsigned get\_le32(const void \*p)
    162     {
    163     #if defined(ACC\_UA\_GET\_LE32)
 →  164         return ACC\_UA\_GET\_LE32(p);
    165     #else
    166         return acc\_ua\_get\_le32(p);
    167     #endif
    168     }
    169     
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── threads ────
\[#0\] Id 1, Name: "upx.out", stopped, reason: SIGSEGV
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── trace ────
\[#0\] 0x66f8f8 → get\_le32(p=0xa1fffd)
\[#1\] 0x66f8f8 → N\_BELE\_RTP::LEPolicy::get32(this=0x9ed3c0 <N\_BELE\_RTP::le\_policy>, p=0xa1fffd)
\[#2\] 0x51249b → Packer::get\_te32(this=0xa00030, p=0xa1fffd)
\[#3\] 0x51249b → PackLinuxElf32::elf\_lookup(this=0xa00030, name=0x6cdffe "JNI\_OnLoad")
\[#4\] 0x529509 → PackLinuxElf32::PackLinuxElf32help1(this=0xa00030, f=0x7fffffffce10)
\[#5\] 0x52c65e → PackLinuxElf32Le::PackLinuxElf32Le(f=0x7fffffffce10, this=0xa00030)
\[#6\] 0x52c65e → PackLinuxElf32x86::PackLinuxElf32x86(f=0x7fffffffce10, this=0xa00030)
\[#7\] 0x52c65e → PackBSDElf32x86::PackBSDElf32x86(f=0x7fffffffce10, this=0xa00030)
\[#8\] 0x52c65e → PackFreeBSDElf32x86::PackFreeBSDElf32x86(this=0xa00030, f=0x7fffffffce10)
\[#9\] 0x60448c → PackMaster::visitAllPackers(func=0x602c30 <try\_unpack(Packer\*, void\*)>, f=0x7fffffffce10, o=0x7fffffffcfc8, user=0x7fffffffce10)
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
gef➤  bt
#0  0x000000000066f8f8 in get\_le32 (p=0xa1fffd) at bele.h:164
#1  N\_BELE\_RTP::LEPolicy::get32 (this=0x9ed3c0 <N\_BELE\_RTP::le\_policy>, p=0xa1fffd) at bele\_policy.h:192
#2  0x000000000051249b in Packer::get\_te32 (this=0xa00030, p=0xa1fffd) at packer.h:296
#3  PackLinuxElf32::elf\_lookup (this=0xa00030, name=0x6cdffe "JNI\_OnLoad") at p\_lx\_elf.cpp:5382
#4  0x0000000000529509 in PackLinuxElf32::PackLinuxElf32help1 (this=this@entry=0xa00030, f=f@entry=0x7fffffffce10) at p\_lx\_elf.cpp:315
#5  0x000000000052c65e in PackLinuxElf32Le::PackLinuxElf32Le (f=0x7fffffffce10, this=0xa00030) at p\_lx\_elf.h:395
#6  PackLinuxElf32x86::PackLinuxElf32x86 (f=0x7fffffffce10, this=0xa00030) at p\_lx\_elf.cpp:4800
#7  PackBSDElf32x86::PackBSDElf32x86 (f=0x7fffffffce10, this=0xa00030) at p\_lx\_elf.cpp:4817
#8  PackFreeBSDElf32x86::PackFreeBSDElf32x86 (this=0xa00030, f=0x7fffffffce10) at p\_lx\_elf.cpp:4828
#9  0x000000000060448c in PackMaster::visitAllPackers (func=0x602c30 <try\_unpack(Packer\*, void\*)>, f=0x7fffffffce10, o=0x7fffffffcfc8, user=0x7fffffffce10) at packmast.cpp:190
#10 0x00000000006072ca in PackMaster::getUnpacker (f=<optimized out>) at packmast.cpp:248
#11 PackMaster::unpack (this=0x7fffffffcfb0, fo=0x7fffffffcee0) at packmast.cpp:266
#12 0x0000000000670dc5 in do\_one\_file (iname=iname@entry=0x7fffffffdf15 "id:000089,sig:11,src:001286,op:MOpt-core-havoc,rep:2", oname=oname@entry=0x7fffffffd550 "/dev/null") at work.cpp:160
#13 0x000000000067157c in do\_files (i=i@entry=0x4, argc=0x5, argv=0x7fffffffdac8) at work.cpp:271
#14 0x00000000004056a1 in main (argc=0x5, argv=0x7fffffffdac8) at main.cpp:1538

Deferencing a generic poniter 'p' trigger the overflow.

gef➤  p \*p
Attempt to dereference a generic pointer.
gef➤  p p
$1 = (const void \*) 0xa1fffd

Essentially, the problem is caused in PackLinuxElf32::elf\_lookup() at p\_lx\_elf.cpp:5382

do if (0\==((h ^ get\_te32(hp))>>1)) {
    unsigned st\_name = get\_te32(&dsp->st\_name);
    char const \*const p = get\_str\_name(st\_name, (unsigned)-1);
    if (0\==strcmp(name, p)) {
        return dsp;
    }
} while (++dsp, 0\==(1u& get\_te32(hp++)));

Several locations will also trigger vulnerabilities:  
PackLinuxElf32::elf\_lookup() at p\_lx\_elf.cpp:5368

unsigned const w = get\_te32(&bitmask\[(n\_bitmask -1) & (h>>5)\]);

PackLinuxElf64::elf\_lookup() at p\_lx\_elf.cpp:5404

for (si= get\_te32(&buckets\[m\]); 0!=si; si= get\_te32(&chains\[si\]))

PackLinuxElf32::elf\_lookup() at p\_lx\_elf.cpp:5349

for (si= get\_te32(&buckets\[m\]); 0!=si; si= get\_te32(&chains\[si\])) {
            char const \*const p= get\_dynsym\_name(si, (unsigned)-1);
            if (0\==strcmp(name, p)) {
                return &dynsym\[si\];
            }
        }

**What should have happened?**

Decompress a crafted/suspicious file.

**Do you have an idea for a solution?**

We are very grateful to @jreiser for patching the bucket in p\_lx\_elf.cpp in the issue 365. However, in fact, all places involving get\_te32 () should be strengthened in upx, especially in p\_lx\_elf.cpp. The four positions we reported should be patched at least:

1.  p\_lx\_elf.cpp:5382
2.  p\_lx\_elf.cpp:5368
3.  p\_lx\_elf.cpp:5404
4.  p\_lx\_elf.cpp:5349

**How can we reproduce the issue?**

1.  compile upx with address-sanitize
2.  execute cmd

upx.out -df $PoC -o /dev/null

p\_lx\_elf.cpp:5382  
Poc can be found here.

p\_lx\_elf.cpp:5368  
Poc can be found here.

p\_lx\_elf.cpp:5404  
Poc can be found here.

p\_lx\_elf.cpp:5349  
Poc can be found here.

**Please tell us details about your environment.**

*   UPX version used (upx --version):

upx 4.0.0-git-c6b9e3c62d15 (latest-devel-branch)
UCL data compression library 1.03
zlib data compression library 1.2.8
LZMA SDK version 4.43

*   Host Operating System and version:  
    Ubuntu 16.04 64-bit
*   Host CPU architecture:  
    Intel(R) Core(TM) i5-6200U CPU @ 2.30GHz with 8GB
*   Target Operating System and version:  
    same as Host
*   Target CPU architecture:  
    same as Host

CVE-2021-43311: [bug] multi heap buffer overflows in get_le32() · Issue #380 · upx/upx

Deno is a simple, modern and secure runtime for JavaScript and TypeScript that uses V8 and is built in Rust. Arbitrary program names without any ANSI filtering allows any malicious program to clear the first 2 lines of a `op_spawn_child` or `op_kill` prompt and replace it with any desired text. This works with any command on the respective platform, giving the program the full ability to choose what program they wanted to run. This problem can not be exploited on systems that do not attach an interactive prompt (for example headless servers). This issue has been patched in version 1.31.2.

// Copyright 2018-2023 the Deno authors. All rights reserved. MIT license. const core \= globalThis.Deno.core; const ops \= core.ops; const primordials \= globalThis.\_\_bootstrap.primordials; const { ArrayPrototypeMap, ArrayPrototypeSlice, TypeError, ObjectEntries, SafeArrayIterator, String, ObjectPrototypeIsPrototypeOf, PromisePrototypeThen, SafePromiseAll, SymbolFor, Symbol, } \= primordials; import { FsFile } from "internal:runtime/30\_fs.js"; import { readAll } from "internal:deno\_io/12\_io.js"; import { pathFromURL } from "internal:runtime/06\_util.js"; import { assert } from "internal:deno\_web/00\_infra.js"; import \* as abortSignal from "internal:deno\_web/03\_abort\_signal.js"; import { readableStreamCollectIntoUint8Array, readableStreamForRidUnrefable, readableStreamForRidUnrefableRef, readableStreamForRidUnrefableUnref, ReadableStreamPrototype, writableStreamForRid, } from "internal:deno\_web/06\_streams.js"; function opKill(pid, signo, apiName) { ops.op\_kill(pid, signo, apiName); } function kill(pid, signo \= "SIGTERM") { opKill(pid, signo, "Deno.kill()"); } function opRunStatus(rid) { return core.opAsync("op\_run\_status", rid); } function opRun(request) { assert(request.cmd.length \> 0); return ops.op\_run(request); } async function runStatus(rid) { const res \= await opRunStatus(rid); if (res.gotSignal) { const signal \= res.exitSignal; return { success: false, code: 128 + signal, signal }; } else if (res.exitCode != 0) { return { success: false, code: res.exitCode }; } else { return { success: true, code: 0 }; } } class Process { constructor(res) { this.rid \= res.rid; this.pid \= res.pid; if (res.stdinRid && res.stdinRid \> 0) { this.stdin \= new FsFile(res.stdinRid); } if (res.stdoutRid && res.stdoutRid \> 0) { this.stdout \= new FsFile(res.stdoutRid); } if (res.stderrRid && res.stderrRid \> 0) { this.stderr \= new FsFile(res.stderrRid); } } status() { return runStatus(this.rid); } async output() { if (!this.stdout) { throw new TypeError("stdout was not piped"); } try { return await readAll(this.stdout); } finally { this.stdout.close(); } } async stderrOutput() { if (!this.stderr) { throw new TypeError("stderr was not piped"); } try { return await readAll(this.stderr); } finally { this.stderr.close(); } } close() { core.close(this.rid); } kill(signo \= "SIGTERM") { opKill(this.pid, signo, "Deno.Process.kill()"); } } function run({ cmd, cwd \= undefined, clearEnv \= false, env \= {}, gid \= undefined, uid \= undefined, stdout \= "inherit", stderr \= "inherit", stdin \= "inherit", }) { if (cmd\[0\] != null) { cmd \= \[ pathFromURL(cmd\[0\]), ...new SafeArrayIterator(ArrayPrototypeSlice(cmd, 1)), \]; } const res \= opRun({ cmd: ArrayPrototypeMap(cmd, String), cwd, clearEnv, env: ObjectEntries(env), gid, uid, stdin, stdout, stderr, }); return new Process(res); } const illegalConstructorKey \= Symbol("illegalConstructorKey"); const promiseIdSymbol \= SymbolFor("Deno.core.internalPromiseId"); function spawnChildInner(opFn, command, apiName, { args \= \[\], cwd \= undefined, clearEnv \= false, env \= {}, uid \= undefined, gid \= undefined, stdin \= "null", stdout \= "piped", stderr \= "piped", signal \= undefined, windowsRawArguments \= false, } \= {}) { const child \= opFn({ cmd: pathFromURL(command), args: ArrayPrototypeMap(args, String), cwd: pathFromURL(cwd), clearEnv, env: ObjectEntries(env), uid, gid, stdin, stdout, stderr, windowsRawArguments, }, apiName); return new ChildProcess(illegalConstructorKey, { ...child, signal, }); } function spawnChild(command, options \= {}) { return spawnChildInner( ops.op\_spawn\_child, command, "Deno.Command().spawn()", options, ); } function collectOutput(readableStream) { if ( !(ObjectPrototypeIsPrototypeOf(ReadableStreamPrototype, readableStream)) ) { return null; } return readableStreamCollectIntoUint8Array(readableStream); } class ChildProcess { #rid; #waitPromiseId; #unrefed \= false; #pid; get pid() { return this.#pid; } #stdin \= null; get stdin() { if (this.#stdin \== null) { throw new TypeError("stdin is not piped"); } return this.#stdin; } #stdoutRid; #stdout \= null; get stdout() { if (this.#stdout \== null) { throw new TypeError("stdout is not piped"); } return this.#stdout; } #stderrRid; #stderr \= null; get stderr() { if (this.#stderr \== null) { throw new TypeError("stderr is not piped"); } return this.#stderr; } constructor(key \= null, { signal, rid, pid, stdinRid, stdoutRid, stderrRid, } \= null) { if (key !== illegalConstructorKey) { throw new TypeError("Illegal constructor."); } this.#rid \= rid; this.#pid \= pid; if (stdinRid !== null) { this.#stdin \= writableStreamForRid(stdinRid); } if (stdoutRid !== null) { this.#stdoutRid \= stdoutRid; this.#stdout \= readableStreamForRidUnrefable(stdoutRid); } if (stderrRid !== null) { this.#stderrRid \= stderrRid; this.#stderr \= readableStreamForRidUnrefable(stderrRid); } const onAbort \= () \=> this.kill("SIGTERM"); signal?.\[abortSignal.add\](onAbort); const waitPromise \= core.opAsync("op\_spawn\_wait", this.#rid); this.#waitPromiseId \= waitPromise\[promiseIdSymbol\]; this.#status \= PromisePrototypeThen(waitPromise, (res) \=> { this.#rid \= null; signal?.\[abortSignal.remove\](onAbort); return res; }); } #status; get status() { return this.#status; } async output() { if (this.#stdout?.locked) { throw new TypeError( "Can't collect output because stdout is locked", ); } if (this.#stderr?.locked) { throw new TypeError( "Can't collect output because stderr is locked", ); } const { 0: status, 1: stdout, 2: stderr } \= await SafePromiseAll(\[ this.#status, collectOutput(this.#stdout), collectOutput(this.#stderr), \]); return { success: status.success, code: status.code, signal: status.signal, get stdout() { if (stdout \== null) { throw new TypeError("stdout is not piped"); } return stdout; }, get stderr() { if (stderr \== null) { throw new TypeError("stderr is not piped"); } return stderr; }, }; } kill(signo \= "SIGTERM") { if (this.#rid \=== null) { throw new TypeError("Child process has already terminated."); } ops.op\_kill(this.#pid, signo, "Deno.Child.kill()"); } ref() { this.#unrefed \= false; core.refOp(this.#waitPromiseId); if (this.#stdout) readableStreamForRidUnrefableRef(this.#stdout); if (this.#stderr) readableStreamForRidUnrefableRef(this.#stderr); } unref() { this.#unrefed \= true; core.unrefOp(this.#waitPromiseId); if (this.#stdout) readableStreamForRidUnrefableUnref(this.#stdout); if (this.#stderr) readableStreamForRidUnrefableUnref(this.#stderr); } } function spawn(command, options) { if (options?.stdin \=== "piped") { throw new TypeError( "Piped stdin is not supported for this function, use 'Deno.Command().spawn()' instead", ); } return spawnChildInner( ops.op\_spawn\_child, command, "Deno.Command().output()", options, ) .output(); } function spawnSync(command, { args \= \[\], cwd \= undefined, clearEnv \= false, env \= {}, uid \= undefined, gid \= undefined, stdin \= "null", stdout \= "piped", stderr \= "piped", windowsRawArguments \= false, } \= {}) { if (stdin \=== "piped") { throw new TypeError( "Piped stdin is not supported for this function, use 'Deno.Command().spawn()' instead", ); } const result \= ops.op\_spawn\_sync({ cmd: pathFromURL(command), args: ArrayPrototypeMap(args, String), cwd: pathFromURL(cwd), clearEnv, env: ObjectEntries(env), uid, gid, stdin, stdout, stderr, windowsRawArguments, }); return { success: result.status.success, code: result.status.code, signal: result.status.signal, get stdout() { if (result.stdout \== null) { throw new TypeError("stdout is not piped"); } return result.stdout; }, get stderr() { if (result.stderr \== null) { throw new TypeError("stderr is not piped"); } return result.stderr; }, }; } class Command { #command; #options; constructor(command, options) { this.#command \= command; this.#options \= options; } output() { if (this.#options?.stdin \=== "piped") { throw new TypeError( "Piped stdin is not supported for this function, use 'Deno.Command.spawn()' instead", ); } return spawn(this.#command, this.#options); } outputSync() { if (this.#options?.stdin \=== "piped") { throw new TypeError( "Piped stdin is not supported for this function, use 'Deno.Command.spawn()' instead", ); } return spawnSync(this.#command, this.#options); } spawn() { const options \= { ...(this.#options ?? {}), stdout: this.#options?.stdout ?? "inherit", stderr: this.#options?.stderr ?? "inherit", stdin: this.#options?.stdin ?? "inherit", }; return spawnChild(this.#command, options); } } export { ChildProcess, Command, kill, Process, run };

CVE-2023-28446: deno/40_process.js at 7d13d65468c37022f003bb680dfbddd07ea72173 · denoland/deno

A heap-based buffer overflow was discovered in upx, during the generic pointer 'p' points to an inaccessible address in func get_le64().

**What's the problem (or question)?**

A heap-based buffer overflow was discovered in upx, during the genric pointer 'p' points to an inaccessible address in func get\_le64(). The issue can cause a denial of service. The issue is diff from issue367 and issue368

ASAN reports:

ASAN:SIGSEGV
=================================================================
==113201==ERROR: AddressSanitizer: SEGV on unknown address 0x630011d04b20 (pc 0x0000005292e0 bp 0x000000000022 sp 0x7ffebc640bc8 T0)
    #0 0x5292df in get\_le64(void const\*) /home/test/Desktop/EVAULATION/upx/src/bele\_policy.h:193
    #1 0x5292df in N\_BELE\_RTP::LEPolicy::get64(void const\*) const /home/test/Desktop/EVAULATION/upx/src/bele\_policy.h:194
    #2 0x45784b in Packer::get\_te64(void const\*) const /home/test/Desktop/EVAULATION/upx/src/packer.h:297
    #3 0x45784b in PackLinuxElf64::elf\_lookup(char const\*) const /home/test/Desktop/EVAULATION/upx/src/p\_lx\_elf.cpp:5423
    #4 0x46f7eb in PackLinuxElf64::PackLinuxElf64help1(InputFile\*) /home/test/Desktop/EVAULATION/upx/src/p\_lx\_elf.cpp:805
    #5 0x470479 in PackLinuxElf64Le::PackLinuxElf64Le(InputFile\*) /home/test/Desktop/EVAULATION/upx/src/p\_lx\_elf.h:407
    #6 0x470479 in PackLinuxElf64amd::PackLinuxElf64amd(InputFile\*) /home/test/Desktop/EVAULATION/upx/src/p\_lx\_elf.cpp:1008
    #7 0x4f34b2 in PackMaster::visitAllPackers(Packer\* (\*)(Packer\*, void\*), InputFile\*, options\_t const\*, void\*) /home/test/Desktop/EVAULATION/upx/src/packmast.cpp:194
    #8 0x4f50f9 in PackMaster::getUnpacker(InputFile\*) /home/test/Desktop/EVAULATION/upx/src/packmast.cpp:248
    #9 0x4f521f in PackMaster::unpack(OutputFile\*) /home/test/Desktop/EVAULATION/upx/src/packmast.cpp:266
    #10 0x52a1e6 in do\_one\_file(char const\*, char\*) /home/test/Desktop/EVAULATION/upx/src/work.cpp:160
    #11 0x52a69e in do\_files(int, int, char\*\*) /home/test/Desktop/EVAULATION/upx/src/work.cpp:271
    #12 0x403ace in main /home/test/Desktop/EVAULATION/upx/src/main.cpp:1538
    #13 0x7fc4129b682f in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x2082f)
    #14 0x404828 in \_start (/home/test/Desktop/EVAULATION/upx/src/upx.out+0x404828)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/test/Desktop/EVAULATION/upx/src/bele\_policy.h:193 get\_le64(void const\*)
==113201==ABORTING

The essential cause of the bug is at PackLinuxElf64 :: elf\_lookup () at p\_lx\_elf: 5423:

upx\_uint64\_t const w = get\_te64(&bitmask\[(n\_bitmask -1) & (h>>6)\]);

**What should have happened?**

Decompress a crafted/suspicious file.

**Do you have an idea for a solution?**

We are very grateful to @jreiser for patching the bucket in p\_lx\_elf.cpp in the issue 367. However, in fact, all places involving get\_te64 () should be strengthened in upx, especially in p\_lx\_elf.cpp. The position we reported should be patched at least:  
position in PackLinuxElf64::elf\_lookup() at p\_lx\_elf:5423

upx\_uint64\_t const w = get\_te64(&bitmask\[(n\_bitmask -1) & (h>>6)\]);

**How can we reproduce the issue?**

1.  compile upx with address-sanitize
2.  execute cmd

upx.out -df $PoC -o /dev/null

Poc can be found here.

**Please tell us details about your environment.**

*   UPX version used (upx --version):

upx 4.0.0-git-c6b9e3c62d15 (latest-devel-branch)
UCL data compression library 1.03
zlib data compression library 1.2.8
LZMA SDK version 4.43

*   Host Operating System and version:  
    Ubuntu 16.04 64-bit
*   Host CPU architecture:  
    Intel(R) Core(TM) i5-6200U CPU @ 2.30GHz with 8GB
*   Target Operating System and version:  
    same as Host
*   Target CPU architecture:  
    same as Host

CVE-2021-43316: [bug] segv fault in get_le64() · Issue #381 · upx/upx

An issue was discovered in Independentsoft JSpreadsheet before 1.1.110. The API is prone to XML external entity (XXE) injection via a remote DTD in a DOCX file.

**Tutorial**

Java examples

**Evaluation version (version 1.0)**

Download 30 days evaluation version

**Need help? Ask our developers:**

Name\* Email\* Message\*

Tag

#java