Buffer Overflow vulnerability in LibRaw linux/unix v0.20.0 allows attacker to escalate privileges via the LibRaw_buffer_datastream::gets(char*, int) in /src/libraw/src/libraw_datastream.cpp.

@@ -287,6 +287,7 @@ INT64 LibRaw\_file\_datastream::tell()

  

char \*LibRaw\_file\_datastream::gets(char \*str, int sz)

{

if(sz<1) return NULL;

LR\_STREAM\_CHK();

std::istream is(f.get());

is.getline(str, sz);

@@ -421,6 +422,7 @@ INT64 LibRaw\_buffer\_datastream::tell()

  

char \*LibRaw\_buffer\_datastream::gets(char \*s, int sz)

{

if(sz<1) return NULL;

unsigned char \*psrc, \*pdest, \*str;

str = (unsigned char \*)s;

psrc = buf + streampos;

@@ -618,6 +620,7 @@ INT64 LibRaw\_bigfile\_datastream::tell()

  

char \*LibRaw\_bigfile\_datastream::gets(char \*str, int sz)

{

if(sz<1) return NULL;

LR\_BF\_CHK();

return fgets(str, sz, f);

}

CVE-2021-32142: check for input buffer size on datastream::gets · LibRaw/LibRaw@bc3aaf4

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Crafter Studio on Linux, MacOS, Windows, x86, ARM, 64 bit allows SQL Injection.This issue affects CrafterCMS v4.0 from 4.0.0 through 4.0.1, and v3.1 from 3.1.0 through 3.1.26.

CrafterCMS

*   

**CV-2023021701**

 

**Date**

2023.02.17

**Affected Versions**

**4.0** <= 4.0.1, **3.1** =< 3.1.26

**Vulnerability Type**

CWE-89 Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)

**Risk**

Medium

**Description**

Authenticated administrators can perform a SQL Injection attack against the authoring database that holds Studio users, groups, and item workflow states.

**CVE**

https://www.cve.org/CVERecord?id=CVE-2023-26020

**Credit**

Gil Correia, gil.correia@devoteam.com

**CV-2022091302**

 

**Date**

2022.09.13

**Affected Versions**

**3.1** < 3.1.23

**Vulnerability Type**

CWE-913 Improper Control of Dynamically-Managed Code Resources

**Risk**

Medium

**Description**

Improper Control of Dynamically-Managed Code Resources vulnerability in Crafter Studio of Crafter CMS allows authenticated developers to execute OS commands via Groovy Sandbox Bypass.

**CVE**

https://www.cve.org/CVERecord?id=CVE-2022-40635

**Credit**

Matei “Mal” Badanoiu, https://github.com/mbadanoiu

**CV-2022091301**

 

**Date**

2022.09.13

**Affected Versions**

**3.1** < 3.1.23

**Vulnerability Type**

CWE-913 Improper Control of Dynamically-Managed Code Resources

**Risk**

Medium

**Description**

Improper Control of Dynamically-Managed Code Resources vulnerability in Crafter Studio of Crafter CMS allows authenticated developers to execute OS commands via FreeMarker SSTI.

**CVE**

https://www.cve.org/CVERecord?id=CVE-2022-40634

**Credit**

Matei “Mal” Badanoiu, https://github.com/mbadanoiu

**CV-2022051603**

 

**Date**

2022.05.16

**Affected Versions**

**3.1** < 3.1.18

**Vulnerability Type**

CWE-913 Improper Control of Dynamically-Managed Code Resources

**Risk**

High

**Description**

Improper Control of Dynamically-Managed Code Resources vulnerability in Crafter Studio of Crafter CMS allows authenticated developers to execute OS commands via FreeMarker static methods.

**CVE**

https://www.cve.org/CVERecord?id=CVE-2021-23267

**Credit**

Kai Zhao (ToTU Security Team), https://github.com/happyhacking-k

**CV-2022051602**

 

**Date**

2022.05.16

**Affected Versions**

**3.1** < 3.1.18

**Vulnerability Type**

CWE-117 Improper Output Neutralization for Logs

**Risk**

Medium

**Description**

An anonymous user can craft a URL with text that ends up in the log viewer as is.The text can then include textual messages to mislead the administrator.

**CVE**

https://www.cve.org/CVERecord?id=CVE-2021-23266

**Credit**

Faizan Wani, https://github.com/faizanw8

**CV-2021120106**

 

**Date**

2021.12.01

**Affected Versions**

**3.1** < 3.1.15

**Vulnerability Type**

CWE-402: Transmission of Private Resources into a New Sphere (‘Resource Leak’)

**Risk**

Medium

**Description**

Transmission of Private Resources into a New Sphere (‘Resource Leak’) in CrafterEngine

**CVE**

https://www.cve.org/CVERecord?id=CVE-2021-23263

**Credit**

Carlos Ortiz, https://github.com/cortiz

**CV-2021120107**

 

**Date**

2021.12.01

**Affected Versions**

**3.1** < 3.1.15

**Vulnerability Type**

CWE-402: Transmission of Private Resources into a New Sphere (‘Resource Leak’) CWE-668 Exposure of Resource to Wrong Sphere

**Risk**

High

**Description**

Transmission of Private Resources into a New Sphere (‘Resource Leak’) and Exposureof Resource to Wrong Sphere in Crafter Search

**CVE**

https://www.cve.org/CVERecord?id=CVE-2021-23264

**Credit**

Sparsh Kulshrestha, https://github.com/sparshkulshrestha

**CV-2020080102**

 

**Date**

2020.08.01

**Affected Versions**

**3.0** < 3.0.27  
**3.1** < 3.1.7

**Vulnerability Type**

RCE

**Risk**

Medium

**Description**

Authenticated attackers with developer privileges in Crafter Studio may execute OS commands via deep inspection of FreeMarker template exposed objects.

**CVE**

https://www.cve.org/CVERecord?id=CVE-2020-25803

**Credit**

Alvaro Muñoz (GitHub), https://github.com/pwntester

**CV-2017061502**

 

**Date**

2017.06.15

**Affected Versions**

**3.0** < 3.0.1

**Vulnerability Type**

Directory Traversal

**Risk**

Critical

**Description**

A directory traversal vulnerability exists which allows unauthenticated attackers to overwrite files from the operating system which can lead to RCE.

**CVE**

https://www.cve.org/CVERecord?id=CVE-2017-15681

**Credit**

Jasmin Landry, https://github.com/JR0ch17

CVE-2023-26020: Security Advisories — CrafterCMS 4.0.2 documentation

An issue in HTACG HTML Tidy v5.7.28 allows attacker to execute arbitrary code via the -g option of the CleanNode() function in gdoc.c.

CVE-2021-33391: Heap use-after-free in the CleanNode() function · Issue #946 · htacg/tidy-html5

IBM Db2 for Linux, UNIX and Windows 10.5, 11.1, and 11.5 is vulnerable to an Information Disclosure as sensitive information may be included in a log file. IBM X-Force ID: 241677.

  

**Summary**

IBM® Db2® is vulnerable to an information disclosure vulnerability as sensitive information may be included in a log file.

**Vulnerability Details**

**CVEID:**   CVE-2022-43930  
**DESCRIPTION:**   IBM Db2 is vulernable to an Information Disclosure as sensitive information may be included in a log file.  
CVSS Base score: 6.2  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/241677 for the current score.  
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

**Affected Products and Versions**

All fix pack levels of IBM Db2  V10.5, V11.1, and V11.5  editions on Windows are affected.  Linux, and Unix are not impacted.  

  

**Remediation/Fixes**

Customers running any vulnerable fixpack level of an affected Program,  V10.5, v11.1 and V11.5, can download the special build containing the interim fix for this issue from Fix Central. These special builds are available based on the most recent fixpack level for each impacted release:  V10.5 FP11, V11.1.4 FP7, and V11.5.8. They can be applied to any affected fixpack level of the appropriate release to remediate this vulnerability.

**Release**

**Fixed in fix pack**

**APAR**

**Download URL**

V10.5

TBD

DT174059

Special Build for V10.5 FP11:

Windows 32-bit, x86  
Windows 64-bit, x86

V11.1

TBD

DT174059

Special Build for V11.1.4 FP7:

Windows 32-bit, x86  
Windows 64-bit, x86

V11.5

TBD

DT174059

Special Build for V11.5.8:

Windows 32-bit, x86  
Windows 64-bit, x86

IBM does not disclose key Db2 functionality nor replication steps for a vulnerability to avoid providing too much information to any potential malicious attacker. IBM does not want to enable a malicious attacker with sufficient knowledge to craft an exploit of the vulnerability.

**Workarounds and Mitigations**

None

**References**

Off

**Change History**

08 Feb 2023: Initial Publication

\*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

**Disclaimer**

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.

**Document Location**

Worldwide

\[{"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\\/TPS"},"Product":{"code":"SSEPGG","label":"Db2 for Linux, UNIX and Windows"},"Component":"","Platform":\[{"code":"PF033","label":"Windows"}\],"Version":"10.5, 11.1, 10.5","Edition":"","Line of Business":{"code":"LOB10","label":"Data and AI"}}\]

CVE-2022-43930: IBM® Db2® is vulnerable to an information disclosure vulnerability as sensitive information may be included in a log file. (CVE-2022-43930)

Buffer Overflow vulnerability in Dvidelabs flatcc v.0.6.0 allows local attacker to execute arbitrary code via the fltacc execution of the error_ref_sym function.

in parser.c  
k seems like the size of the rest of buffer on stack(var 'buf' which type is char\[\]).  
n is memcpy size as 3rd para.  
while condition k>0 to keep buffer is not full.  
if enter in if(k<n) branch n=k,var n is assigned the value of k  
then k -=n ,var k is assigned the value 0  
then --k, var k is assigned the value 0xffffffffffffffff while var k's type is size\_t.  
so the while conditionk > 0 not make sense.  
next memcpy will lead to stack overflow

void error\_ref\_sym(fb\_parser\_t \*P, fb\_ref\_t \*ref, const char \*msg, fb\_symbol\_t \*s2)
{
    fb\_ref\_t \*p;
    char buf\[FLATCC\_MAX\_IDENT\_SHOW + 1\];
    size\_t k = FLATCC\_MAX\_IDENT\_SHOW;
    size\_t n = 0;
    size\_t n0 = 0;
    p = ref;
    while (p && k > 0) {
        n = (size\_t)p->ident\->len;
        if (k < n) {
            n = k;
        }
        memcpy(buf + n0, p->ident\->text, n);
        k -= n;
        n0 += n;
        buf\[n0\] = '.';
        --k; //overflow here when k = 0
        ++n0;
        p = p->link;
    }
    buf\[n0\] = '\\0';
    if (n0 > 0) {
        --n0;
    }
    if (k <= 0) {
        memcpy(buf + FLATCC\_MAX\_IDENT\_SHOW + 1 - 4, "...\\0", 4);
        n0 = FLATCC\_MAX\_IDENT\_SHOW;
    }
    error\_report(P, ref->ident, msg, s2 ? s2->ident : 0, buf, n0);
}

poc:

    ➜  fuzz_test cat test9
    struct tsj{
            damage:shortllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllve.tlllllllllllllllllllllllllllllllllllllll;
    }
    ➜  fuzz_test ../flatcc/bin/flatcc test9
    test9:2:9: error: 'shortlllllllllllllllllllllllllllllllllllllllllllll.tlllllllllllllllllllllllllllllllllllllll': unknown type reference used with struct field: test9:2:2: 'damage'
    *** stack smashing detected ***: terminated
    [1]    3685 abort (core dumped)  ../flatcc/bin/flatcc test9
    ➜  fuzz_test
    

    ➜  fuzz_test gdb ../flatcc/bin/flatcc
    GNU gdb (Ubuntu 9.2-0ubuntu1~20.04) 9.2
    Copyright (C) 2020 Free Software Foundation, Inc.
    License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
    This is free software: you are free to change and redistribute it.
    There is NO WARRANTY, to the extent permitted by law.
    Type "show copying" and "show warranty" for details.
    This GDB was configured as "x86_64-linux-gnu".
    Type "show configuration" for configuration details.
    For bug reporting instructions, please see:
    <http://www.gnu.org/software/gdb/bugs/>.
    Find the GDB manual and other documentation resources online at:
        <http://www.gnu.org/software/gdb/documentation/>.
    
    For help, type "help".
    Type "apropos word" to search for commands related to "word"...
    pwndbg: loaded 196 commands. Type pwndbg [filter] for a list.
    pwndbg: created $rebase, $ida gdb functions (can be used with print/break)
    Reading symbols from ../flatcc/bin/flatcc...
    pwndbg> set args test9
    pwndbg> r
    Starting program: /mnt/c/Users/tsj/Desktop/flatcc/bin/flatcc test9
    test9:2:9: error: 'shortlllllllllllllllllllllllllllllllllllllllllllll.tlllllllllllllllllllllllllllllllllllllll': unknown type reference used with struct field: test9:2:2: 'damage'
    *** stack smashing detected ***: terminated
    
    Program received signal SIGABRT, Aborted.
    __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
    50      ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
    LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
    ─────────────────────────────────────────────────────────────────────────────────[ REGISTERS ]──────────────────────────────────────────────────────────────────────────────────
     RAX  0x0
     RBX  0x7fffff7e13c0 ◂— 0x7fffff7e13c0
     RCX  0x8
     RDX  0x0
     RDI  0x2
     RSI  0x7ffffffed990 ◂— 0x0
     R8   0x0
     R9   0x7ffffffed990 ◂— 0x0
     R10  0x8
     R11  0x8
     R12  0x7ffffffedc10 ◂— 0x642ccf000a276567 /* "ge'\n" */
     R13  0x20
     R14  0x7fffff510000 ◂— 0x202a2a2a00001000
     R15  0x1
     RBP  0x7ffffffedd10 —▸ 0x7fffff76a07c ◂— '*** %s ***: terminated\n'
     RSP  0x7ffffffed990 ◂— 0x0
     RIP  0x7fffff5f618b (raise+203) ◂— mov    rax, qword ptr [rsp + 0x108]
    ───────────────────────────────────────────────────────────────────────────────────[ DISASM ]───────────────────────────────────────────────────────────────────────────────────
     ► 0x7fffff5f618b <raise+203>    mov    rax, qword ptr [rsp + 0x108]
       0x7fffff5f6193 <raise+211>    xor    rax, qword ptr fs:[0x28]
       0x7fffff5f619c <raise+220>    jne    raise+260 <raise+260>
        ↓
       0x7fffff5f61c4 <raise+260>    call   __stack_chk_fail <__stack_chk_fail>
    
       0x7fffff5f61c9                nop    dword ptr [rax]
       0x7fffff5f61d0 <killpg>       endbr64
       0x7fffff5f61d4 <killpg+4>     test   edi, edi
       0x7fffff5f61d6 <killpg+6>     js     killpg+16 <killpg+16>
    
       0x7fffff5f61d8 <killpg+8>     neg    edi
       0x7fffff5f61da <killpg+10>    jmp    kill <kill>
    
       0x7fffff5f61df <killpg+15>    nop
    ───────────────────────────────────────────────────────────────────────────────────[ STACK ]────────────────────────────────────────────────────────────────────────────────────
    00:0000│ rsi r9 rsp 0x7ffffffed990 ◂— 0x0
    01:0008│            0x7ffffffed998 —▸ 0x7ffffffedb48 ◂— 0x3000000030 /* '0' */
    02:0010│            0x7ffffffed9a0 —▸ 0x7ffffffedb60 ◂— "test9:2:9: error: 'shortlllllllllllllllllllllllllllllllllllllllllllll.tlllllllllllllllllllllllllllllllll"
    03:0018│            0x7ffffffed9a8 —▸ 0x7fffff63f11a (__vsnprintf_internal+170) ◂— mov    r9, qword ptr [rsp + 8]
    04:0020│            0x7ffffffed9b0 ◂— 0x3
    05:0028│            0x7ffffffed9b8 —▸ 0x7ffffffedab0 ◂— 0x20 /* ' ' */
    06:0030│            0x7ffffffed9c0 ◂— 0xfbad8001
    07:0038│            0x7ffffffed9c8 —▸ 0x7ffffffedb60 ◂— "test9:2:9: error: 'shortlllllllllllllllllllllllllllllllllllllllllllll.tlllllllllllllllllllllllllllllllll"
    ─────────────────────────────────────────────────────────────────────────────────[ BACKTRACE ]──────────────────────────────────────────────────────────────────────────────────
     ► f 0   0x7fffff5f618b raise+203
       f 1   0x7fffff5d5859 abort+299
       f 2   0x7fffff6403ee __libc_message+670
       f 3   0x7fffff6e2b4a __fortify_fail+42
       f 4   0x7fffff6e2b16
       f 5        0x8073af9
       f 6        0x80976b9 __flatcc_fb_build_schema+21961
       f 7        0x80976b9 __flatcc_fb_build_schema+21961
    ────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
    pwndbg>

CVE-2021-33983: found a integer overflow leads to stack_overflow  · Issue #188 · dvidelabs/flatcc

Buffer Overflow vulnerability in Saltstack v.3003 and before allows attacker to execute arbitrary code via the func variable in salt/salt/modules/status.py file.

CVE-2021-33226: salt/status.py at master · saltstack/salt

An issue in MPV v.0.29.1 fixed in v0.30 allows attackers to execute arbitrary code and crash program via the ao_c parameter.

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed

3kyo0 opened this issue

Jul 15, 2019

· 6 comments

Closed

**race condition in audio.c on uninit #6808**

3kyo0 opened this issue

Jul 15, 2019

· 6 comments

**Comments**

Can't reproduce on Linux with mpv 0.29.0-353-g65b1c2d065 and ffmpeg N-94185-gca576833e4.  
For fuzzing you might want to use --no-config to ensure the crash doesn't depend on any of your local configuration.

> Can't reproduce on Linux with mpv 0.29.0-353-g65b1c2d065 and ffmpeg N-94185-gca576833e4.  
> For fuzzing you might want to use --no-config to ensure the crash doesn't depend on any of your local configuration.

Only MacOS

seems ao\_c->filter pointer broken.there is two debug info.  
1、Normal info:  
Playing: ./SIGSEGV.EXC\_BAD\_ACCESS.PC.000000010ed954bf.STACK.0000000f38a4c8be.ADDR.000000004d555462.fuzz  
\[mkv\] SeekHead position beyond end of file - incomplete file?  
(+) Video --vid=1 (_) (h264 720x432 25.000fps)  
(+) Audio --aid=1 --alang=fre (_) (ac3 2ch)  
(+) Subs --sid=1 --slang=fre (\*) (dvd\_subtitle)  
\[vo/gpu\] opengl cocoa backend is deprecated, use vo=libmpv instead  
\[debug\]ao\_c->filter->f->pins\[1\]:0x7f8e2f5418d0  
\[debug\]mpctx:0x7f8e32004840  
\[debug\]ao\_c:0x7f8e2f5351b0  
\[debug\]ao\_c->filter:0x7f8e2f5414f8  
\[debug\]ao\_c->filter->got\_output\_eof:0x0  
\[debug\]mpctx->audio\_status:0x0  
\[debug\]  
\[mkv\] Invalid EBML length at position 13124  
\[mkv\] Corrupt file detected. Trying to resync starting from position 13124...  
\[ffmpeg/audio\] ac3: expacc 126 is out-of-range  
\[ffmpeg/audio\] ac3: error decoding the audio block  
No video PTS! Making something up. Using 25.000000 FPS.  
\[debug\]ao\_c->filter->f->pins\[1\]:0x7f8e2f5418d0  
Audio: no audio  
\[debug\]mpctx:0x7f8e32004840  
\[debug\]ao\_c:0x7f8e2f5351b0  
\[debug\]ao\_c->filter:0x7f8e2f5414f8  
\[debug\]ao\_c->filter->got\_output\_eof:0x0  
\[debug\]mpctx->audio\_status:0x5  
\[debug\]  
VO: \[gpu\] 720x432 => 1455x432 yuv420p  
V: -00:00:00 / 00:00:00 (0%)

Exiting... (End of file)

2、Crashed info  
Playing: ./SIGSEGV.EXC\_BAD\_ACCESS.PC.000000010ed954bf.STACK.0000000f38a4c8be.ADDR.000000004d555462.fuzz  
\[mkv\] SeekHead position beyond end of file - incomplete file?  
(+) Video --vid=1 (_) (h264 720x432 25.000fps)  
(+) Audio --aid=1 --alang=fre (_) (ac3 2ch)  
(+) Subs --sid=1 --slang=fre (\*) (dvd\_subtitle)  
\[vo/gpu\] opengl cocoa backend is deprecated, use vo=libmpv instead  
\[debug\]ao\_c->filter->f->pins\[1\]:0x7f8ebc1211c0  
\[debug\]mpctx:0x7f8ebe000040  
\[debug\]ao\_c:0x7f8ebc120d30  
\[debug\]ao\_c->filter:0x7f8ebc120858  
\[debug\]ao\_c->filter->got\_output\_eof:0x0  
\[debug\]mpctx->audio\_status:0x0  
\[debug\]  
\[mkv\] Invalid EBML length at position 13124  
\[mkv\] Corrupt file detected. Trying to resync starting from position 13124...  
No video PTS! Making something up. Using 25.000000 FPS.  
\[ffmpeg/audio\] ac3: expacc 126 is out-of-range  
\[ffmpeg/audio\] ac3: error decoding the audio block  
\[debug\]ao\_c->filter->f->pins\[1\]:0x7f8ebc1211c0  
Audio: no audio  
\[debug\]mpctx:0x7f8ebe000040  
\[debug\]ao\_c:0x7f8ebc120d30  
\[debug\]ao\_c->filter:0x312d320a6572662d  
UndefinedBehaviorSanitizer:DEADLYSIGNAL  
\==3033==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x0001012bb3f9 bp 0x7000039f3dc0 sp 0x7000039f3d00 T61145)

After debugging I think this is an Use after free Vulnerability.  
audio.c:425 uinit\_audio\_chain(mpctx); this line free the ao\_c  
audio.c:810 if(ao\_c->filter->got\_output\_eof && . this line reuse it

 Akemi changed the title crash on MacOS race condition in audio.c on uninit

Jul 21, 2019

i don't think the uninit in line 425 is the culprit. it's called in order and before the code in line 810. it's some race condition in another part of the code.

I think @3kyo0 was right, that's exactly what I observed.

CVE-2020-19824: race condition in audio.c on uninit · Issue #6808 · mpv-player/mpv

IBM Db2 for Linux, UNIX and Windows 10.5, 11.1, and 11.5 is vulnerable to information Disclosure due to improper privilege management when a specially crafted table access is used. IBM X-Force ID: 241671.

CVE-2022-43927: IBM Db2 for Linux, UNIX and Windows information disclosure CVE-2022-43927 Vulnerability Report

IBM Db2 for Linux, UNIX and Windows 11.1 and 11.5 may be vulnerable to a Denial of Service when executing a specially crafted 'Load' command. IBM X-Force ID: 241676.

  

**Summary**

IBM® Db2® may be vulnerable to a denial of service when executing a specially crafted 'Load' command.

**Vulnerability Details**

**CVEID:**   CVE-2022-43929  
**DESCRIPTION:**   IBM Db2 may be vulnerable to a Denial of Service when executing a specially crafted 'Load' command.  
CVSS Base score: 6.2  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/241676 for the current score.  
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

**Affected Products and Versions**

All fix pack levels of IBM Db2  V11.1, and V11.5 server editions on all platforms are affected. 

IBM Db2 V10.5 is not affected.

  

**Remediation/Fixes**

Customers running any vulnerable fixpack level of an affected Program,  v11.1 and V11.5, can download the special build containing the interim fix for this issue from Fix Central. These special builds are available based on the most recent fixpack level for each impacted release:  V11.1.4 FP7, and V11.5.8. They can be applied to any affected fixpack level of the appropriate release to remediate this vulnerability.

**Release**

**Fixed in fix pack**

**APAR**

**Download URL**

V11.1

TBD

DT173007

Special Build for V11.1.4 FP7:

AIX 64-bit  
Linux 32-bit, x86-32  
Linux 64-bit, x86-64  
Linux 64-bit, POWER™ little endian  
Linux 64-bit, System z®, System z9® or zSeries®  
Solaris 64-bit, SPARC  
Windows 32-bit, x86  
Windows 64-bit, x86

V11.5

TBD

DT173007

Special Build for V11.5.8:

AIX 64-bit  
Linux 32-bit, x86-32  
Linux 64-bit, x86-64  
Linux 64-bit, POWER™ little endian  
Linux 64-bit, System z®, System z9® or zSeries®  
Windows 32-bit, x86  
Windows 64-bit, x86

IBM does not disclose key Db2 functionality nor replication steps for a vulnerability to avoid providing too much information to any potential malicious attacker. IBM does not want to enable a malicious attacker with sufficient knowledge to craft an exploit of the vulnerability.

**Workarounds and Mitigations**

None

**References**

Off

**Change History**

08 Feb 2023: Initial Publication

\*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

**Disclaimer**

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.

**Document Location**

Worldwide

\[{"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\\/TPS"},"Product":{"code":"SSEPGG","label":"Db2 for Linux, UNIX and Windows"},"Component":"","Platform":\[{"code":"PF016","label":"Linux"},{"code":"PF010","label":"HP-UX"},{"code":"PF002","label":"AIX"},{"code":"PF027","label":"Solaris"},{"code":"PF033","label":"Windows"}\],"Version":"11.1, 11.5","Edition":"","Line of Business":{"code":"LOB10","label":"Data and AI"}}\]

CVE-2022-43929: IBM® Db2® may be vulnerable to a denial of service when executing a specially crafted 'Load' command. (CVE-2022-43929)

IBM Aspera Faspex 4.4.1 could allow a remote attacker to execute arbitrary code on the system, caused by a YAML deserialization flaw. By sending a specially crafted obsolete API call, an attacker could exploit this vulnerability to execute arbitrary code on the system. The obsolete API call was removed in Faspex 4.4.2 PL2. IBM X-Force ID: 243512.

**Security Bulletin**

  

**Summary**

This Security Bulletin addresses security vulnerabilities that have been remediated in IBM Aspera Faspex 4.4.2 PL2.

**Vulnerability Details**

**CVEID:**   CVE-2022-28330  
**DESCRIPTION:**   Apache HTTP Server could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to read beyond bounds when configured to process requests with the mod\_isapi module.  
CVSS Base score: 5.3  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/228341 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

**CVEID:**   CVE-2023-22868  
**DESCRIPTION:**   IBM Aspera Faspex is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.  
CVSS Base score: 5.4  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/244117 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)

**CVEID:**   CVE-2022-30556  
**DESCRIPTION:**   Apache HTTP Server could allow a remote attacker to obtain sensitive information, caused by an error in mod\_lua with websockets. An attacker could exploit this vulnerability to return lengths to applications calling r:wsread() that point past the end of the storage allocated for the buffer.  
CVSS Base score: 5.3  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/228336 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

**CVEID:**   CVE-2022-31813  
**DESCRIPTION:**   Apache HTTP Server could allow a remote attacker to bypass security restrictions, caused by the failure to send the X-Forwarded-\* headers to the origin server based on client side Connection header hop-by-hop mechanism. An attacker could exploit this vulnerability to bypass IP based authentication on the origin server/application.  
CVSS Base score: 5.3  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/228337 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

**CVEID:**   CVE-2022-30522  
**DESCRIPTION:**   Apache HTTP Server is vulnerable to a denial of service when configured to do transformations with mod\_sed in contexts where the input to mod\_sed may be very large. By making excessively large memory allocations, a remote attacker could exploit this vulnerability to trigger an abort.  
CVSS Base score: 5.3  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/228338 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

**CVEID:**   CVE-2022-47986  
**DESCRIPTION:**   IBM Aspera Faspex could allow a remote attacker to execute arbitrary code on the system, caused by a YAML deserialization flaw. By sending a specially crafted obsolete API call, an attacker could exploit this vulnerability to execute arbitrary code on the system. The obsolete API call was removed in Faspex 4.4.2 PL2.  
CVSS Base score: 8.1  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/243512 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

**CVEID:**   CVE-2022-28615  
**DESCRIPTION:**   Apache HTTP Server could allow a remote attacker to obtain sensitive information, caused by a read beyond bounds in ap\_strcmp\_match() when provided with an extremely large input buffer. An attacker could exploit this vulnerability to crash or disclose information.  
CVSS Base score: 6.5  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/228340 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L)

**CVEID:**   CVE-2022-26377  
**DESCRIPTION:**   Apache HTTP Server is vulnerable to HTTP request smuggling, caused by an inconsistent Interpretation of HTTP Requests vulnerability in mod\_proxy\_ajp. An attacker could exploit this vulnerability to smuggle requests to the AJP server it forwards requests to.  
CVSS Base score: 7.3  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/228343 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

**CVEID:**   CVE-2018-25032  
**DESCRIPTION:**   Zlib is vulnerable to a denial of service, caused by a memory corruption in the deflate operation. By using many distant matches, a remote attacker could exploit this vulnerability to cause the application to crash.  
CVSS Base score: 7.5  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/222615 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

**CVEID:**   CVE-2022-2068  
**DESCRIPTION:**   OpenSSL could allow a remote attacker to execute arbitrary commands on the system, caused by improper validation of user-supplied input by the c\_rehash script. By sending a specially-crafted request using shell metacharacters, an attacker could exploit this vulnerability to execute arbitrary commands with the privileges of the script on the system.  
CVSS Base score: 7.3  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/226018 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

**Affected Products and Versions**

IBM Aspera Faspex 4.4.1 and earlier

**Remediation/Fixes**

It is recommended to apply the fix as soon as possible, see link below.

**Product(s)**

**Fixing VRM**

**Platform**

**Link to Fix**

IBM Aspera Faspex

4.4.2 PL2

Windows

click here

IBM Aspera Faspex

4.4.2 PL2

Linux

click here

**Workarounds and Mitigations**

None

**References**

Off

**Acknowledgement**

CVE-2023-22868 and CVE-2022-47986 were reported to IBM by Max Garrett - Assetnote

**Change History**

26 Jan 2023: Initial Publication

\*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

**Disclaimer**

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.

**Document Location**

Worldwide

\[{"Business Unit":{"code":"BU059","label":"IBM Software w\\/o TPS"},"Product":{"code":"SSGPEF","label":"IBM Aspera Faspex"},"Component":"","Platform":\[{"code":"PF016","label":"Linux"},{"code":"PF033","label":"Windows"}\],"Version":"4.4.2","Edition":"","Line of Business":{"code":"LOB45","label":"Automation"}}\]

CVE-2022-47986: IBM Aspera Faspex 4.4.2 PL2 has addressed multiple vulnerabilities (CVE-2022-28330, CVE-2023-22868, CVE-2022-30556, CVE-2022-31813, CVE-2022-30522, CVE-2022-47986, CVE-2022-28615, CVE-2022-26377, CVE-

Tag

#linux