Red Hat Security Advisory 2023-7851-03 - Updated Satellite 6.14 packages that fixes Important security bugs and several regular bugs are now available for Red Hat Satellite. Issues addressed include cross site scripting and local file inclusion vulnerabilities.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_7851.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Moderate: Satellite 6.14.1 Async Security Update  
Advisory ID:        RHSA-2023:7851-03  
Product:            Red Hat Satellite 6  
Advisory URL:       https://access.redhat.com/errata/RHSA-2023:7851  
Issue date:         2023-12-14  
Revision:           03  
CVE Names:          CVE-2023-4886  
====================================================================

Summary: 

Updated Satellite 6.14 packages that fixes Important security bugs and several  
regular bugs are now available for Red Hat Satellite.

Description:

Red Hat Satellite is a system management solution that allows organizations  
to configure and maintain their systems without the necessity to provide  
public Internet access to their servers or other client systems. It  
performs provisioning and configuration management of predefined standard  
operating environments.

Security fix(es):

* rubygem-actionpack: actionpack: Possible XSS via User Supplied Values to redirect_to [rhn_satellite_6.14] (CVE-2023-28362)

* foreman: World readable file containing secrets [rhn_satellite_6.14] (CVE-2023-4886)

* python-urllib3: urllib3: Request body not stripped after redirect from 303 status changes request method to GET [rhn_satellite_6-default] (CVE-2023-45803 )

*  python-gitpython: GitPython: Blind local file inclusion [rhn_satellite_6-default] (CVE-2023-41040)

This update fixes the following bugs:

2250342 - REX job finished with exit code 0 but the script failed on client side due to no space.  
2250343 - Selinux denials are reported after following \"Chapter 13. Managing Custom File Type Content\" chapter step by step  
2250344 - Long running postgres threads during content-export  
2250345 - Upgrade django-import-export package to at least 3.1.0  
2250349 - After upstream repo switched to zst compression, Satellite 6.12.5.1 unable to sync  
2250350 - Slow generate applicability for Hosts with multiple modulestreams installed  
2250352 - Recalculate button for Errata is not available on Satellite 6.13/ Satellite 6.14 if no errata is present  
2250351 - Actions::ForemanLeapp::PreupgradeJob fails with null value in column \"preupgrade_report_id\" violates not-null constraint when run with non-admin user  
2251799 - REX Template for 'convert2rhel analyze' command  
2254085 - Getting '/usr/sbin/foreman-rake db:migrate' returned 1 instead of one of [0] ERROR while trying to upgrade Satellite 6.13 to 6.14   
2254080 - satellite-convert2rhel-toolkit rpm v1.0.0 in 6.14.z

Users of Red Hat Satellite are advised to upgrade to these updated  
packages, which fix these bugs.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2023-4886

References:

https://access.redhat.com/security/updates/classification/#moderate  
https://access.redhat.com/documentation/en-us/red_hat_satellite/6.14/html/upgrading_red_hat_satellite_to_6.14/index  
https://bugzilla.redhat.com/show_bug.cgi?id=2217785  
https://bugzilla.redhat.com/show_bug.cgi?id=2230135  
https://bugzilla.redhat.com/show_bug.cgi?id=2246840  
https://bugzilla.redhat.com/show_bug.cgi?id=2247040  
https://bugzilla.redhat.com/show_bug.cgi?id=2250342  
https://bugzilla.redhat.com/show_bug.cgi?id=2250343  
https://bugzilla.redhat.com/show_bug.cgi?id=2250344  
https://bugzilla.redhat.com/show_bug.cgi?id=2250345  
https://bugzilla.redhat.com/show_bug.cgi?id=2250349  
https://bugzilla.redhat.com/show_bug.cgi?id=2250350  
https://bugzilla.redhat.com/show_bug.cgi?id=2250351  
https://bugzilla.redhat.com/show_bug.cgi?id=2250352  
https://bugzilla.redhat.com/show_bug.cgi?id=2251799  
https://bugzilla.redhat.com/show_bug.cgi?id=2254080  
https://bugzilla.redhat.com/show_bug.cgi?id=2254085

Red Hat Security Advisory 2023-7851-03

Red Hat Security Advisory 2023-7845-03 - Red Hat Integration Camel for Spring Boot 3.20.4 release and security update is now available.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_7845.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: Red Hat Integration Camel for Spring Boot 3.20.4 release and security updateAdvisory ID:        RHSA-2023:7845-03Product:            Red Hat IntegrationAdvisory URL:       https://access.redhat.com/errata/RHSA-2023:7845Issue date:         2023-12-14Revision:           03CVE Names:          CVE-2023-5072====================================================================Summary: Red Hat Integration Camel for Spring Boot 3.20.4 release and security update is now available.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:A security update for 3.20.4 is now available.The purpose of this text-only errata is to inform you about the security issues fixed.Security Fix(es):* JSON-java: parser confusion leads to OOM (CVE-2023-5072)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-5072References:https://access.redhat.com/security/updates/classification/#importanthttps://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=red.hat.integration&version=2023-Q4https://bugzilla.redhat.com/show_bug.cgi?id=2246417

Red Hat Security Advisory 2023-7845-03

Red Hat Security Advisory 2023-7842-03 - Red Hat Integration Camel for Spring Boot 4.0.2 release and security update is now available.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_7842.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: Red Hat Integration Camel for Spring Boot 4.0.2 release security updateAdvisory ID:        RHSA-2023:7842-03Product:            Red Hat IntegrationAdvisory URL:       https://access.redhat.com/errata/RHSA-2023:7842Issue date:         2023-12-14Revision:           03CVE Names:          CVE-2023-5072====================================================================Summary: Red Hat Integration Camel for Spring Boot 4.0.2 release and security update is now available.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Red Hat Integration Camel for Spring Boot 4.0.2 release and security update is now available.The purpose of this text-only errata is to inform you about the security issues fixed.Security Fix(es):* JSON-java: parser confusion leads to OOM (CVE-2023-5072)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-5072References:https://access.redhat.com/security/updates/classification/#importanthttps://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=red.hat.integration&version=2023-Q4https://bugzilla.redhat.com/show_bug.cgi?id=2246417

Red Hat Security Advisory 2023-7842-03

Red Hat Security Advisory 2023-7841-03 - An update for gstreamer1-plugins-bad-free is now available for Red Hat Enterprise Linux 8. Issues addressed include a use-after-free vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_7841.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: gstreamer1-plugins-bad-free security updateAdvisory ID:        RHSA-2023:7841-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2023:7841Issue date:         2023-12-14Revision:           03CVE Names:          CVE-2023-44446====================================================================Summary: An update for gstreamer1-plugins-bad-free is now available for Red Hat Enterprise Linux 8.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:GStreamer is a streaming media framework based on graphs of filters which operate on media data. The gstreamer1-plugins-bad-free package contains a collection of plug-ins for GStreamer.Security Fix(es):* gstreamer: MXF demuxer use-after-free vulnerability (CVE-2023-44446)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-44446References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2250249

Red Hat Security Advisory 2023-7841-03

Red Hat Security Advisory 2023-7840-03 - An update for gstreamer1-plugins-bad-free is now available for Red Hat Enterprise Linux 8.8 Extended Update Support. Issues addressed include a use-after-free vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_7840.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: gstreamer1-plugins-bad-free security updateAdvisory ID:        RHSA-2023:7840-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2023:7840Issue date:         2023-12-14Revision:           03CVE Names:          CVE-2023-44446====================================================================Summary: An update for gstreamer1-plugins-bad-free is now available for Red Hat Enterprise Linux 8.8 Extended Update Support.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:GStreamer is a streaming media framework based on graphs of filters which operate on media data. The gstreamer1-plugins-bad-free package contains a collection of plug-ins for GStreamer.Security Fix(es):* gstreamer: MXF demuxer use-after-free vulnerability (CVE-2023-44446)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-44446References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2250249

Red Hat Security Advisory 2023-7840-03

Red Hat Security Advisory 2023-7836-03 - An update for avahi is now available for Red Hat Enterprise Linux 8. Issues addressed include a denial of service vulnerability.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_7836.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Moderate: avahi security update  
Advisory ID:        RHSA-2023:7836-03  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2023:7836  
Issue date:         2023-12-14  
Revision:           03  
CVE Names:          CVE-2021-3468  
====================================================================

Summary: 

An update for avahi is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Avahi is an implementation of the DNS Service Discovery and Multicast DNS specifications for Zero Configuration Networking. It facilitates service discovery on a local network. Avahi and Avahi-aware applications allow you to plug your computer into a network and, with no configuration, view other people to chat with, view printers to print with, and find shared files on other computers.

Security Fix(es):

* avahi: Local DoS by event-busy-loop from writing long lines to /run/avahi-daemon/socket (CVE-2021-3468)

* avahi: Reachable assertion in avahi_dns_packet_append_record (CVE-2023-38469)

* avahi: Reachable assertion in avahi_escape_label (CVE-2023-38470)

* avahi: Reachable assertion in dbus_set_host_name (CVE-2023-38471)

* avahi: Reachable assertion in avahi_rdata_parse (CVE-2023-38472)

* avahi: Reachable assertion in avahi_alternative_host_name (CVE-2023-38473)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2021-3468

References:

https://access.redhat.com/security/updates/classification/#moderate  
https://bugzilla.redhat.com/show_bug.cgi?id=1939614  
https://bugzilla.redhat.com/show_bug.cgi?id=2191687  
https://bugzilla.redhat.com/show_bug.cgi?id=2191690  
https://bugzilla.redhat.com/show_bug.cgi?id=2191691  
https://bugzilla.redhat.com/show_bug.cgi?id=2191692  
https://bugzilla.redhat.com/show_bug.cgi?id=2191694

Red Hat Security Advisory 2023-7836-03

### Impact

The clients may override named path parameter values from previous requests if the application is using TrieRouter. So, there is a risk that a privileged user may use unintended parameters when deleting REST API resources.

TrieRouter is used either explicitly or when the application matches a pattern that is not supported by the default RegExpRouter.

The code to reproduce it. The server side application:

```ts
import { Hono } from 'hono'
import { TrieRouter } from 'hono/router/trie-router'

const wait = async (ms: number) => {
  return new Promise((resolve) => {
    setTimeout(resolve, ms)
  })
}

const app = new Hono({ router: new TrieRouter() })

app.use('*', async (c, next) => {
  await wait(Math.random() * 200)
  return next()
})

app.get('/modules/:id/versions/:version', async (c) => {
  const id = c.req.param('id')
  const version = c.req.param('version')

  console.log('path', c.req.path)
  console.log('version', version)

  return c.json({
    id,
    version,
  })
})

export default app
```

The client code which makes requests to the server application:

```ts
const examples = [
  'http://localhost:8787/modules/first/versions/first',
  'http://localhost:8787/modules/second/versions/second',
  'http://localhost:8787/modules/third/versions/third',
]

const test = () => {
  for (const example of examples) {
    fetch(example)
      .then((response) => response.json())
      .then((data) => {
        const splitted = example.split('/')
        const expected = splitted[splitted.length - 1]

        if (expected !== data.version) {
          console.error(`Error: exprected ${expected} but got ${data.version} - url was ${example}`)
        }
      })
  }
}

test()
```

The results:

```txt
Error: exprected second but got third - url was http://localhost:8787/modules/second/versions/second
Error: exprected first but got third - url was http://localhost:8787/modules/first/versions/first
```

### Patches

"v3.11.7" includes the change to fix this issue.

### Workarounds

Don't use TrieRouter directly.

```ts
// DON'T USE TrieRouter
import { TrieRouter } from 'hono/router/trie-router'
const app = new Hono({ router: new TrieRouter() })
```

### References

Router options on the Hono website: https://hono.dev/api/hono#router-option

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2023-50710

**Named path parameters can be overridden in TrieRouter**

Moderate severity GitHub Reviewed Published Dec 14, 2023 in honojs/hono • Updated Dec 15, 2023

**Affected versions**

< 3.11.7

**Impact**

The clients may override named path parameter values from previous requests if the application is using TrieRouter. So, there is a risk that a privileged user may use unintended parameters when deleting REST API resources.

TrieRouter is used either explicitly or when the application matches a pattern that is not supported by the default RegExpRouter.

The code to reproduce it. The server side application:

import { Hono } from 'hono'
import { TrieRouter } from 'hono/router/trie-router'

const wait \= async (ms: number) \=> {
  return new Promise((resolve) \=> {
    setTimeout(resolve, ms)
  })
}

const app \= new Hono({ router: new TrieRouter() })

app.use('\*', async (c, next) \=> {
  await wait(Math.random() \* 200)
  return next()
})

app.get('/modules/:id/versions/:version', async (c) \=> {
  const id \= c.req.param('id')
  const version \= c.req.param('version')

  console.log('path', c.req.path)
  console.log('version', version)

  return c.json({
    id,
    version,
  })
})

export default app

The client code which makes requests to the server application:

const examples \= \[
  'http://localhost:8787/modules/first/versions/first',
  'http://localhost:8787/modules/second/versions/second',
  'http://localhost:8787/modules/third/versions/third',
\]

const test \= () \=> {
  for (const example of examples) {
    fetch(example)
      .then((response) \=> response.json())
      .then((data) \=> {
        const splitted \= example.split('/')
        const expected \= splitted\[splitted.length \- 1\]

        if (expected !== data.version) {
          console.error(\`Error: exprected ${expected} but got ${data.version} - url was ${example}\`)
        }
      })
  }
}

test()

The results:

Error: exprected second but got third - url was http://localhost:8787/modules/second/versions/second
Error: exprected first but got third - url was http://localhost:8787/modules/first/versions/first

**Patches**

"v3.11.7" includes the change to fix this issue.

**Workarounds**

Don't use TrieRouter directly.

// DON'T USE TrieRouter
import { TrieRouter } from 'hono/router/trie-router'
const app \= new Hono({ router: new TrieRouter() })

**References**

Router options on the Hono website: https://hono.dev/api/hono#router-option

**References**

*   GHSA-f6gv-hh8j-q8vq
*   https://nvd.nist.gov/vuln/detail/CVE-2023-50710
*   honojs/hono@8e2b6b0
*   https://github.com/honojs/hono/releases/tag/v3.11.7

Published to the GitHub Advisory Database

Dec 15, 2023

Last updated

Dec 15, 2023

GHSA-f6gv-hh8j-q8vq: Named path parameters can be overridden in TrieRouter

A recently patched Apache Struts 2 vulnerability has been spotted in worldwide exploitation attempts. Users and admins should update ASAP.

Attackers are exploiting a critical vulnerability in Apache Struts 2 that was patched recently. Struts is a very popular open source platform to develop applications and websites.

On December 7, 2023, Apache announced versions 6.3.0.2 and 2.5.33 of Struts were now available to address a potential security vulnerability listed as CVE-2023-50164.

The vulnerability affects Apache Struts versions:

*   2.0.0 through 2.5.32
*   6.0.0 through 6.3.0.1
*   2.0.0 through 2.3.37 (EOL, no longer supported)

The vulnerability that has a CVSS score of 9.8 out of 10, lies in the frameworks’ file upload functionality and can be exploited to achieve remote code execution (RCE). There is an easy to follow proof-of-concept (PoC) available, which makes it easier for cybercriminals to exploit the vulnerability.

Basically it’s a path traversal flaw that allow attackers to read, and possibly write to, restricted files by inputting path traversal sequences like ../ into file or directory paths. The flaw is caused by parameter confusion, where an attacker can first capitalize a parameter in the request and then submit an additional parameter (in lowercase) that overrides an internal file name variable. That allows an attacker to bypass the built-in check and leave the path traversal payload in the final filename.

This allows a successful attacker to plant a web shell, a malicious script used by an attacker that allows them to escalate and maintain persistent access. In this case, the attacker gets the ability to write a server-side rendered file, such as a JSP (Jakarta Server Pages) file, into a target directory. The JSP payload is executed as soon as the attacker requests the file from the server and the server is compromised. Several international organizations like the Australian Cyber Security Centre (ACSC), the French Computer Emergency Response Team (CERT-FR), and content delivery giant Akamai are warning that they are seeing active exploitation.

_Tweet by Akamai_

Because of the relative ease-of-use, we can expect to see a lot more of these attacks.

**Update now**

Users and administrators are encouraged to review the Apache Security Bulletin and upgrade to Struts 2.5.33 or Struts 6.3.0.2 or greater. There are no workarounds.

According to Apache this is a drop-in replacement and upgrade should be straightforward. The new versions can be found on the Struts download page.

Besides updating, additional measures may include:

*   Sanitization checks on uploaded file data.
*   Limit server application permissions to allowed directories.
*   Track which applications in use within your environments are using Struts frameworks.
*   On internet facing Java systems monitor for newly created files outside directories where they are expected.
*   Continue to monitor the situation and respond to new information as it comes to light.

**We don’t just report on vulnerabilities—we identify them, and prioritize action.**

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using ThreatDown Vulnerability and Patch Management.

 Recently-patched Apache Struts vulnerability used in worldwide attacks 

cJSON v1.7.16 was discovered to contain a segmentation violation via the function cJSON_SetValuestring at cJSON.c.

**Description**

If the the object passed in cJSON\_SetValuestring dont have valuestring, the object->valuestringwill be null. The null pointer dereference will cause SEGV in function cJSON\_SetValuestring cJSON.c:408

**Version**

    commit cb8693b058ba302f4829ec6d03f609ac6f848546 (HEAD -> master, tag: v1.7.16, origin/master, origin/HEAD)
    Author: Alan Wang <wp_scut@163.com>
    Date:   Wed Jul 5 11:22:19 2023 +0800
    

**Related Code**

CJSON\_PUBLIC(char\*) cJSON\_SetValuestring(cJSON \*object, const char \*valuestring)
{
    char \*copy \= NULL;
    /\* if object's type is not cJSON\_String or is cJSON\_IsReference, it should not set valuestring \*/
    if (!(object\->type & cJSON\_String) || (object\->type & cJSON\_IsReference))
    {
        return NULL;
    }
    if (strlen(valuestring) <= strlen(object\->valuestring)) // <== here
    {
        strcpy(object\->valuestring, valuestring);
        return object\->valuestring;
    }
    copy \= (char\*) cJSON\_strdup((const unsigned char\*)valuestring, &global\_hooks);
    if (copy \== NULL)
    {
        return NULL;
    }
    if (object\->valuestring != NULL)
    {
        cJSON\_free(object\->valuestring);
    }
    object\->valuestring \= copy;

    return copy;
}

**Impact**

Potentially causing DoS

CVE-2023-50472: bug for cJSON_SetValuestring · Issue #803 · DaveGamble/cJSON

cJSON v1.7.16 was discovered to contain a segmentation violation via the function cJSON_InsertItemInArray at cJSON.c.

**Description**

If the the newitem passed in cJSON\_InsertItemInArray dont have prev, the newitem->prevwill be null. The null pointer dereference will cause SEGV in function cJSON\_InsertItemInArray cJSON.c:2287

**Version**

    commit cb8693b058ba302f4829ec6d03f609ac6f848546 (HEAD -> master, tag: v1.7.16, origin/master, origin/HEAD)
    Author: Alan Wang <wp_scut@163.com>
    Date:   Wed Jul 5 11:22:19 2023 +0800
    

**Related Code**

CJSON\_PUBLIC(cJSON\_bool) cJSON\_InsertItemInArray(cJSON \*array, int which, cJSON \*newitem)
{
    cJSON \*after\_inserted \= NULL;

    if (which < 0)
    {
        return false;
    }

    after\_inserted \= get\_array\_item(array, (size\_t)which);
    if (after\_inserted \== NULL)
    {
        return add\_item\_to\_array(array, newitem);
    }

    newitem\->next \= after\_inserted;
    newitem\->prev \= after\_inserted\->prev;
    after\_inserted\->prev \= newitem;
    if (after\_inserted \== array\->child)
    {
        array\->child \= newitem;
    }
    else
    {
        newitem\->prev\->next \= newitem; // <== here
    }
    return true;
}

**Impact**

Potentially causing DoS

Tag

#js