Gentoo Linux Security Advisory 202212-2 - Multiple vulnerabilities have been discovered in Unbound, the worst of which could result in denial of service. Versions less than 1.16.3 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202212-02  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Low  
    Title: Unbound: Multiple Vulnerabilities  
     Date: December 19, 2022  
     Bugs: #872209, #866881  
       ID: 202212-02

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
Multiple vulnerabilities have been discovered in Unbound, the worst of  
which could result in denial of service.

Background  
=========  
Unbound is a validating, recursive, and caching DNS resolver.

Affected packages  
================  
    -------------------------------------------------------------------  
     Package              /     Vulnerable     /            Unaffected  
    -------------------------------------------------------------------  
  1  net-dns/unbound            < 1.16.3                    >= 1.16.3

Description  
==========  
Multiple vulnerabilities have been discovered in Unbound. Please review  
the CVE identifiers referenced below for details.

Impact  
=====  
Please review the referenced CVE identifiers for details.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All Unbound users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=net-dns/unbound-1.16.3"

References  
=========  
[ 1 ] CVE-2022-3204  
      https://nvd.nist.gov/vuln/detail/CVE-2022-3204  
[ 2 ] CVE-2022-30698  
      https://nvd.nist.gov/vuln/detail/CVE-2022-30698  
[ 3 ] CVE-2022-30699  
      https://nvd.nist.gov/vuln/detail/CVE-2022-30699

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202212-02

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2022 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202212-02

Debian Linux Security Advisory 5303-1 - Multiple security issues were discovered in Thunderbird, which could result in the execution of arbitrary code or information disclosure.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5303-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffDecember 16, 2022                     https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : thunderbirdCVE ID         : CVE-2022-46882 CVE-2022-46881 CVE-2022-46880 CVE-2022-46878                 CVE-2022-46874 CVE-2022-46872 CVE-2022-45414Multiple security issues were discovered in Thunderbird, which couldresult in the execution of arbitrary code or information disclosure.For the stable distribution (bullseye), this problem has been fixed inversion 1:102.6.0-1~deb11u1.We recommend that you upgrade your thunderbird packages.For the detailed security status of thunderbird please refer toits security tracker page at:https://security-tracker.debian.org/tracker/thunderbirdFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmOcwVkACgkQEMKTtsN8TjYhNA//e9mQQto3dcqum+DpkqlxnQ0oJZW90A4qnpdorbSH6AuQodiaMXYrhZ1y7LaCCZd2LgxwIOoW5ukYto7TGGWA+bU8VtdivVKEVJ52dwyzFhp1PMhn81Lr+DRgNf9vYTGO3MYnThKckNhkGPN2qQtxABoBA+opJJIFq7yJW34NEhhWNoH0ubGmCie/13l5msZmN1pYALhsDs1Li7yotVtIRU6r5/t4BUwI0hyfLaR0HDcpeT8iAnyuedMcXF+jFF0B8HQfkakNOc4fODcpiNVW6FAezRPprCTCqpuIr8Ic7yrYWYlAjayLRBbp277JXESFk16Oao/OR0Qf4SpfhDCw3IZwG6A0De4e7nVxunIkjShU9tfzjx5LPeiGqQkXiS2abklARfRUqFeqPFQJbF+CA7lHZiCWm/LXtOjArkIvZ7j1BNcdPmhe/OAJ04zi1j2aKxNxvKAwBK065N1pSn9iS9zvGva7rcenKYnd8kkdExHSnWCCuo79otgKWQ6az/zIdfwY8MU7xxCo04pNnBH+fUAk4sDZGzjfebuqWuUZQ6KK1uo0w6Ji10zriQ2bJ94eYuptBEZttovyjj7SbOAuAB2zpchHT2TlifpgoTmywRNsMceqDNvzbgTCwMEP30TYXOyiunxOs2AgL/6hFAfZ3oTfpxqjuscKCkfi1pwaYjM=YY+h-----END PGP SIGNATURE-----

Debian Security Advisory 5303-1

Debian Linux Security Advisory 5302-1 - Multiple security issues were discovered in Chromium, which could result in the execution of arbitrary code, denial of service or information disclosure.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5302-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffDecember 16, 2022                     https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : chromiumCVE ID         : CVE-2022-4436 CVE-2022-4437 CVE-2022-4438 CVE-2022-4439                 CVE-2022-4440Multiple security issues were discovered in Chromium, which could resultin the execution of arbitrary code, denial of service or informationdisclosure.For the stable distribution (bullseye), these problems have been fixed inversion 108.0.5359.124-1~deb11u1.We recommend that you upgrade your chromium packages.For the detailed security status of chromium please refer toits security tracker page at:https://security-tracker.debian.org/tracker/chromiumFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmOcwUwACgkQEMKTtsN8TjaEDhAAuNgbC9i9I5soJN7677urAmv/mzR20/hpcEx4WlrS5YlCMBISsolvytNClMnzfVIe8e0akdshGTtGmehUco7gxXRq7Ab+kCDMFgXrPCf+SDXFbECLR/xtrTGuahzPmrDBwz/5O3gOFcJaEhXoLUER1Xm2UX8MgMlV/pfv8UN0keXriJSS/nWVU5sp8UCfafYxa/cNB51k7VmQTEDL56zcE64zZxXmmfNDvNv9/FHiMHZyATZv499nfEVaI0qvLot/trilA2X6/Wn5aFJD7cRk7PWJR6fzMs36Ad4E9Ww5/mDy6ADKORyRhiHbpw+wRCgs253pkDvwExVTwu2BGsXp9ThnVIHRXflN0GaixsDUryA3x0IRCTiWpNU+armowtAS7I31kht91uPhJaaK3DoB/xgqRbNBHeZnl8NqAaf76ODSGAbjcoUxLXrEb+zD9dLbFuDnfapfeqKCDuZAkeBv9k9etvMTuBTb4KjvA/OfhFTYpF8EJ2+o4RTBqf2vNlEWhSLqXY/ehr6LygFnHlBnrR+SQPUfEQywHEMRa+4DqyWtf25mZKkVl1AdhMqXBF6Rsht0UBOUu2M2g4NOtk/1S34EhPeEhZLSh+Z3XhoIj/UfQLcOgMEQCBHuz1S5tXyLqQCwbpi/Pm+lSI99fPooTH5UoJpDj2cGygXfNysjKq0=kfqY-----END PGP SIGNATURE-----

Debian Security Advisory 5302-1

Ubuntu Security Notice 5783-1 - Tamás Koczka discovered that the Bluetooth L2CAP handshake implementation in the Linux kernel contained multiple use-after-free vulnerabilities. A physically proximate attacker could use this to cause a denial of service or possibly execute arbitrary code.

    ==========================================================================Ubuntu Security Notice USN-5783-1December 16, 2022linux-oem-5.17 vulnerability==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 22.04 LTSSummary:The system could be made to crash or run programs as an administrator.Software Description:- linux-oem-5.17: Linux kernel for OEM systemsDetails:Tamás Koczka discovered that the Bluetooth L2CAP handshake implementationin the Linux kernel contained multiple use-after-free vulnerabilities. Aphysically proximate attacker could use this to cause a denial of service(system crash) or possibly execute arbitrary code.Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 22.04 LTS:   linux-image-5.17.0-1025-oem     5.17.0-1025.26   linux-image-oem-22.04           5.17.0.1025.23   linux-image-oem-22.04a          5.17.0.1025.23After a standard system update you need to reboot your computer to makeall the necessary changes.ATTENTION: Due to an unavoidable ABI change the kernel updates havebeen given a new version number, which requires you to recompile andreinstall all third party kernel modules you might have installed.Unless you manually uninstalled the standard kernel metapackages(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,linux-powerpc), a standard system upgrade will automatically performthis as well.References:   https://ubuntu.com/security/notices/USN-5783-1   CVE-2022-42896Package Information:   https://launchpad.net/ubuntu/+source/linux-oem-5.17/5.17.0-1025.26

Ubuntu Security Notice USN-5783-1

An issue was discovered in the Linux kernel before 6.0.11. Missing validation of IEEE80211_P2P_ATTR_CHANNEL_LIST in drivers/net/wireless/microchip/wilc1000/cfg80211.c in the WILC1000 wireless driver can trigger a heap-based buffer overflow when parsing the operating channel attribute from Wi-Fi management frames.

Permalink

Browse files

wifi: wilc1000: validate length of IEEE80211\_P2P\_ATTR\_CHANNEL\_LIST at…

…tribute

Validate that the IEEE80211\_P2P\_ATTR\_CHANNEL\_LIST attribute contains
enough space for a 'struct wilc\_attr\_oper\_ch'. If the attribute is too
small then it can trigger an out-of-bounds write later in the function.

'struct wilc\_attr\_oper\_ch' is variable sized so also check 'attr\_len'
does not extend beyond the end of 'buf'.

Signed-off-by: Phil Turnbull <philipturnbull@github.com>
Tested-by: Ajay Kathat <ajay.kathat@microchip.com>
Acked-by: Ajay Kathat <ajay.kathat@microchip.com>
Signed-off-by: Kalle Valo <kvalo@kernel.org>
Link: https://lore.kernel.org/r/20221123153543.8568-4-philipturnbull@github.com

*   Loading branch information

CVE-2022-47521: wifi: wilc1000: validate length of IEEE80211_P2P_ATTR_CHANNEL_LIST at… · torvalds/linux@f9b62f9

An issue was discovered in the Linux kernel before 6.0.11. Missing validation of IEEE80211_P2P_ATTR_OPER_CHANNEL in drivers/net/wireless/microchip/wilc1000/cfg80211.c in the WILC1000 wireless driver can trigger an out-of-bounds write when parsing the channel list attribute from Wi-Fi management frames.

From: Phil Turnbull <philipturnbull@github.com>
To: linux-wireless@vger.kernel.org
Cc: ajay.kathat@microchip.com, claudiu.beznea@microchip.com,
	kvalo@kernel.org, Phil Turnbull <philipturnbull@github.com>
Subject: \[PATCH 2/4\] wifi: wilc1000: validate length of IEEE80211\_P2P\_ATTR\_OPER\_CHANNEL attribute
Date: Wed, 23 Nov 2022 10:35:41 -0500	\[thread overview\]
Message-ID: <20221123153543.8568-3-philipturnbull@github.com> (raw)
In-Reply-To: <20221123153543.8568-1-philipturnbull@github.com\>

Validate that the IEEE80211\_P2P\_ATTR\_OPER\_CHANNEL attribute contains
enough space for a 'struct struct wilc\_attr\_oper\_ch'. If the attribute is
too small then it triggers an out-of-bounds write later in the function.

Signed-off-by: Phil Turnbull <philipturnbull@github.com>
Tested-by: Ajay Kathat <ajay.kathat@microchip.com>
Acked-by: Ajay Kathat <ajay.kathat@microchip.com>
---
 drivers/net/wireless/microchip/wilc1000/cfg80211.c | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/drivers/net/wireless/microchip/wilc1000/cfg80211.c b/drivers/net/wireless/microchip/wilc1000/cfg80211.c
index 9bbfff803357..aedf0e8b69b9 100644
--- a/drivers/net/wireless/microchip/wilc1000/cfg80211.c
+++ b/drivers/net/wireless/microchip/wilc1000/cfg80211.c
@@ -959,14 +959,24 @@ static inline void wilc\_wfi\_cfg\_parse\_ch\_attr(u8 \*buf, u32 len, u8 sta\_ch)
 		return;
 
 	while (index + sizeof(\*e) <= len) {
+		u16 attr\_size;
+
 		e = (struct wilc\_attr\_entry \*)&buf\[index\];
+		attr\_size = le16\_to\_cpu(e->attr\_len);
+
+		if (index + sizeof(\*e) + attr\_size > len)
+			return;
+
 		if (e->attr\_type == IEEE80211\_P2P\_ATTR\_CHANNEL\_LIST)
 			ch\_list\_idx = index;
\-		else if (e->attr\_type == IEEE80211\_P2P\_ATTR\_OPER\_CHANNEL)
+		else if (e->attr\_type == IEEE80211\_P2P\_ATTR\_OPER\_CHANNEL &&
+			 attr\_size == (sizeof(struct wilc\_attr\_oper\_ch) - sizeof(\*e)))
 			op\_ch\_idx = index;
+
 		if (ch\_list\_idx && op\_ch\_idx)
 			break;
\-		index += le16\_to\_cpu(e->attr\_len) + sizeof(\*e);
+
+		index += sizeof(\*e) + attr\_size;
 	}
 
 	if (ch\_list\_idx) {
-- 
2.34.1

next prev parent reply	other threads:\[~2022-11-23 15:35 UTC|newest\]

**Thread overview:** 6+ messages / expand\[flat|nested\]  mbox.gz  Atom feed  top
2022-11-23 15:35 \[PATCH 0/4\] wilc1000: Improve RSN and attribute parsing Phil Turnbull
2022-11-23 15:35 \` \[PATCH 1/4\] wifi: wilc1000: validate pairwise and authentication suite offsets Phil Turnbull
2022-11-24 16:11   \` Kalle Valo
**2022-11-23 15:35 \` Phil Turnbull \[this message\]**
2022-11-23 15:35 \` \[PATCH 3/4\] wifi: wilc1000: validate length of IEEE80211\_P2P\_ATTR\_CHANNEL\_LIST attribute Phil Turnbull
2022-11-23 15:35 \` \[PATCH 4/4\] wifi: wilc1000: validate number of channels Phil Turnbull

**Reply instructions:**

You may reply publicly to this message via plain-text email
using any one of the following methods:

\* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting\_style#Interleaved\_style

\* Reply using the **\--to**, **\--cc**, and **\--in-reply-to**
  switches of git-send-email(1):

  git send-email \\
    --in-reply-to=20221123153543.8568-3-philipturnbull@github.com \\
    --to=philipturnbull@github.com \\
    --cc=ajay.kathat@microchip.com \\
    --cc=claudiu.beznea@microchip.com \\
    --cc=kvalo@kernel.org \\
    --cc=linux-wireless@vger.kernel.org \\
    /path/to/YOUR\_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

\* If your mail client supports setting the **In-Reply-To** header
  via mailto: links, try the mailto: link

Be sure your reply has a **Subject:** header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.

CVE-2022-47519: [PATCH 2/4] wifi: wilc1000: validate length of IEEE80211_P2P_ATTR_OPER_CHANNEL attribute

An issue was discovered in the Linux kernel before 6.0.11. Missing validation of the number of channels in drivers/net/wireless/microchip/wilc1000/cfg80211.c in the WILC1000 wireless driver can trigger a heap-based buffer overflow when copying the list of operating channels from Wi-Fi management frames.

From: Phil Turnbull <philipturnbull@github.com>
To: linux-wireless@vger.kernel.org
Cc: ajay.kathat@microchip.com, claudiu.beznea@microchip.com,
	kvalo@kernel.org, Phil Turnbull <philipturnbull@github.com>
Subject: \[PATCH 4/4\] wifi: wilc1000: validate number of channels
Date: Wed, 23 Nov 2022 10:35:43 -0500	\[thread overview\]
Message-ID: <20221123153543.8568-5-philipturnbull@github.com> (raw)
In-Reply-To: <20221123153543.8568-1-philipturnbull@github.com\>

There is no validation of 'e->no\_of\_channels' which can trigger an
out-of-bounds write in the following 'memset' call. Validate that the
number of channels does not extends beyond the size of the channel list
element.

Signed-off-by: Phil Turnbull <philipturnbull@github.com>
Tested-by: Ajay Kathat <ajay.kathat@microchip.com>
Acked-by: Ajay Kathat <ajay.kathat@microchip.com>
---
 .../wireless/microchip/wilc1000/cfg80211.c    | 22 ++++++++++++++-----
 1 file changed, 16 insertions(+), 6 deletions(-)

diff --git a/drivers/net/wireless/microchip/wilc1000/cfg80211.c b/drivers/net/wireless/microchip/wilc1000/cfg80211.c
index c4d5a272ccc0..b545d93c6e37 100644
--- a/drivers/net/wireless/microchip/wilc1000/cfg80211.c
+++ b/drivers/net/wireless/microchip/wilc1000/cfg80211.c
@@ -981,19 +981,29 @@ static inline void wilc\_wfi\_cfg\_parse\_ch\_attr(u8 \*buf, u32 len, u8 sta\_ch)
 	}
 
 	if (ch\_list\_idx) {
\-		u16 attr\_size;
-		struct wilc\_ch\_list\_elem \*e;
-		int i;
+		u16 elem\_size;
 
 		ch\_list = (struct wilc\_attr\_ch\_list \*)&buf\[ch\_list\_idx\];
\-		attr\_size = le16\_to\_cpu(ch\_list->attr\_len);
-		for (i = 0; i < attr\_size;) {
+		/\* the number of bytes following the final 'elem' member \*/
+		elem\_size = le16\_to\_cpu(ch\_list->attr\_len) -
+			(sizeof(\*ch\_list) - sizeof(struct wilc\_attr\_entry));
+		for (unsigned int i = 0; i < elem\_size;) {
+			struct wilc\_ch\_list\_elem \*e;
+
 			e = (struct wilc\_ch\_list\_elem \*)(ch\_list->elem + i);
+
+			i += sizeof(\*e);
+			if (i > elem\_size)
+				break;
+
+			i += e->no\_of\_channels;
+			if (i > elem\_size)
+				break;
+
 			if (e->op\_class == WILC\_WLAN\_OPERATING\_CLASS\_2\_4GHZ) {
 				memset(e->ch\_list, sta\_ch, e->no\_of\_channels);
 				break;
 			}
\-			i += e->no\_of\_channels;
 		}
 	}
 
-- 
2.34.1

     prev parent reply	other threads:\[~2022-11-23 15:36 UTC|newest\]

**Thread overview:** 6+ messages / expand\[flat|nested\]  mbox.gz  Atom feed  top
2022-11-23 15:35 \[PATCH 0/4\] wilc1000: Improve RSN and attribute parsing Phil Turnbull
2022-11-23 15:35 \` \[PATCH 1/4\] wifi: wilc1000: validate pairwise and authentication suite offsets Phil Turnbull
2022-11-24 16:11   \` Kalle Valo
2022-11-23 15:35 \` \[PATCH 2/4\] wifi: wilc1000: validate length of IEEE80211\_P2P\_ATTR\_OPER\_CHANNEL attribute Phil Turnbull
2022-11-23 15:35 \` \[PATCH 3/4\] wifi: wilc1000: validate length of IEEE80211\_P2P\_ATTR\_CHANNEL\_LIST attribute Phil Turnbull
**2022-11-23 15:35 \` Phil Turnbull \[this message\]**

**Reply instructions:**

You may reply publicly to this message via plain-text email
using any one of the following methods:

\* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting\_style#Interleaved\_style

\* Reply using the **\--to**, **\--cc**, and **\--in-reply-to**
  switches of git-send-email(1):

  git send-email \\
    --in-reply-to=20221123153543.8568-5-philipturnbull@github.com \\
    --to=philipturnbull@github.com \\
    --cc=ajay.kathat@microchip.com \\
    --cc=claudiu.beznea@microchip.com \\
    --cc=kvalo@kernel.org \\
    --cc=linux-wireless@vger.kernel.org \\
    /path/to/YOUR\_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

\* If your mail client supports setting the **In-Reply-To** header
  via mailto: links, try the mailto: link

Be sure your reply has a **Subject:** header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.

CVE-2022-47518: [PATCH 4/4] wifi: wilc1000: validate number of channels

An issue was discovered in the Linux kernel before 6.0.11. Missing offset validation in drivers/net/wireless/microchip/wilc1000/hif.c in the WILC1000 wireless driver can trigger an out-of-bounds read when parsing a Robust Security Network (RSN) information element from a Netlink packet.

Permalink

Browse files

wifi: wilc1000: validate pairwise and authentication suite offsets

There is no validation of 'offset' which can trigger an out-of-bounds
read when extracting RSN capabilities.

Signed-off-by: Phil Turnbull <philipturnbull@github.com>
Tested-by: Ajay Kathat <ajay.kathat@microchip.com>
Acked-by: Ajay Kathat <ajay.kathat@microchip.com>
Signed-off-by: Kalle Valo <kvalo@kernel.org>
Link: https://lore.kernel.org/r/20221123153543.8568-2-philipturnbull@github.com

*   Loading branch information

CVE-2022-47520: wifi: wilc1000: validate pairwise and authentication suite offsets · torvalds/linux@cd21d99

An issue was discovered in drachtio-server before 0.8.20. It allows remote attackers to cause a denial of service (daemon crash) via a long message in a TCP request that leads to std::length_error.

Hi,

the following remote request is able to crash drachtio:

    nc -w 5 PUBLIC_IP 5060 < file
    
    terminate called after throwing an instance of 'std::length_error'
      what():  basic_string::_M_replace_aux
    Aborted
    

A bit of backtrace here:

    terminate called after throwing an instance of 'std::length_error'
      what():  basic_string::_M_replace_aux
    
    Thread 1 "drachtio" received signal SIGABRT, Aborted.
    0x00007ffff6cc9ce1 in raise () from /lib/x86_64-linux-gnu/libc.so.6
    (gdb) bt
    #0  0x00007ffff6cc9ce1 in raise () from /lib/x86_64-linux-gnu/libc.so.6
    #1  0x00007ffff6cb3537 in abort () from /lib/x86_64-linux-gnu/libc.so.6
    #2  0x00007ffff705e7ec in ?? () from /lib/x86_64-linux-gnu/libstdc++.so.6
    #3  0x00007ffff7069966 in ?? () from /lib/x86_64-linux-gnu/libstdc++.so.6
    #4  0x00007ffff70699d1 in std::terminate() () from /lib/x86_64-linux-gnu/libstdc++.so.6
    #5  0x00007ffff7069c65 in __cxa_throw () from /lib/x86_64-linux-gnu/libstdc++.so.6
    #6  0x00007ffff706109a in std::__throw_length_error(char const*) () from /lib/x86_64-linux-gnu/libstdc++.so.6
    #7  0x00007ffff70f82cf in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::_M_replace_aux(unsigned long, unsigned long, unsigned long, char) ()
       from /lib/x86_64-linux-gnu/libstdc++.so.6
    #8  0x00000000004f10f5 in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::resize (__n=<optimized out>, this=0x617000004418)
        at /usr/include/c++/10/bits/basic_string.h:940
    #9  drachtio::StackMsg::appendLine (szLine=<optimized out>, complete=true, this=0x617000004310) at ../src/controller.cpp:276
    #10 drachtio::StackMsg::appendLine (this=0x617000004310, szLine=<optimized out>, complete=<optimized out>) at ../src/controller.cpp:272
    #11 0x00000000004f4230 in (anonymous namespace)::__sofiasip_logger_func(void *, const char *, typedef __va_list_tag __va_list_tag *) (logarg=<optimized out>, 
        fmt=0xc27e40 "%s   ", '-' <repeats 72 times>, "\n", ap=0x7fffffffb4e0) at ../src/controller.cpp:132
    #12 0x00000000009f0304 in su_log (fmt=fmt@entry=0xc27e40 "%s   ", '-' <repeats 72 times>, "\n") at su_log.c:95
    #13 0x0000000000a30504 in tport_log_msg (self=self@entry=0x615000004e00, msg=msg@entry=0x619000011d80, what=what@entry=0xc24480 "recv", via=via@entry=0xc24440 "from", now=...)
        at tport_logging.c:901
    #14 0x0000000000a21d47 in tport_deliver (self=self@entry=0x615000004e00, msg=msg@entry=0x619000011d80, next=next@entry=0x0, sc=<optimized out>, now=...) at tport.c:3081
    #15 0x0000000000a224d0 in tport_parse (self=self@entry=0x615000004e00, complete=0, now=...) at tport.c:3015
    #16 0x0000000000a23ee0 in tport_recv_event (self=0x615000004e00) at tport.c:2954
    #17 0x0000000000a2a2e0 in tport_base_wakeup (self=0x615000004e00, events=1) at tport.c:2855
    #18 0x0000000000a83e3c in su_epoll_port_wait_events (self=0x611000001e40, tout=<optimized out>) at su_epoll_port.c:510
    #19 0x0000000000a82a45 in su_base_port_run (self=0x611000001e40) at su_base_port.c:349
    #20 0x00000000004dc07c in drachtio::DrachtioController::run (this=<optimized out>) at ../src/controller.cpp:1336
    #21 0x00000000004647af in main (argc=9, argv=0x7fffffffe898) at ../src/main.cpp:47
    

    # drachtio -v
    v0.8.20-rc1
    

Attaching the testcase as zipped, but to reproduce you need to unzip. No need to do replacements into the file, but please note that it is a tcp request and not udp like previous bugs.  
length\_error.zip

CVE-2022-47515: terminate called after throwing an instance of 'std::length_error' · Issue #245 · drachtio/drachtio-server

An XML external entity (XXE) injection vulnerability in XML-RPC.NET before 2.5.0 allows remote authenticated users to conduct server-side request forgery (SSRF) attacks, as demonstrated by a pingback.aspx POST request.

**Downloads****Current Production Release**

XML-RPC.NET 2.5.0 is the current production release.

xml-rpc.net.2.5.0.zip      documentation

New features, changes, and fixed issues:

*   Added <i8> to support 64-bit long integer values.
*   Added support for more ISO8601 date formats. AllowNonStandardDateTime flag is now deprecated. The following formats are now accepted by default, with the '-' and ':' separators being optional.
    *   yyyy-mm-ddThh:mm:ss
    *   yyyy-mm-ddThh:mm:ssZ
    *   yyyy-mm-ddThh:mm:ss�hh
    *   yyyy-mm-ddThh:mm:ss�hh:mmNote: the XML-RPC spec describes the format as 19980717T14:08:55.
*   Added AllowAutoRedirect property to IXmlRpcProxy. Default behaviour remains the same (property set to true).
*   Moved to Visual Studio 2008.
*   Discontinued support for .NET 1.0 and 1.1.
*   Fixed issues:
    *   Issue 55 : change XmlRpcProxyGen so that FileIOPermission is not required for calls to Create.
    *   Issue 56: Maintain XML-RPC struct member ordering in XmlRpcStruct after deserialization.
    *   Issue 65: When deserializing request, check that the number of parameters is consistent with the method signature.
    *   Issue 70: Allow structs/classes to have members or arrays of the same type as the parent type.

**Work in Progress**

This is a snapshot of work in progress.

xml-rpc.net.3.0.0.270-snapshot.zip      documentation

**Build 270**

*   More graceful handling of case where illegal XML characters are rejected during serialization and deserialization.
*   Added generic EndInvoke method to XmlRpcClientProtocol so return type can be used for deserialization.
*   Added support for cookie and response headers for Silverlight and Windows Phone.

**Build 266**

*   Support for easier logging of request and response XML.
*   Support for mapping .NET enums to/from XML-RPC string values using XmlRpcEnumMapping attribute.
*   Fixed problem with logging and decompression of response stream.
*   Fixed problem with return type in XmlRpcClientProtocol.EndInvoke.
*   Added unit testing for Silverlight build.
*   Switch to Silverlight 4 only in order to support credentials using ClientHttp stack.
*   Now throws XmlRpcUnsupportedTypeException when a type has an indexer property.

**Build 241**

*   Fixes problem with mapping <nil /> onto type Object.

**Build 238**

*   Support for <nil> XML-RPC extension.
*   Support for Silverlight 3 and 4.
*   Support for Windows Phone 7.
*   .NET enum types can be mapped to/from XML-RPC <i4> and <i8> values. (more)
*   New UseEmptyElementTags property on IXmlRpcProxy. If this is set to true full element tags will be generated, for example <string></string> instead of <string />. The default setting of false for this property results is consistent with previous releases. This new feature provides compatibility with servers implemented with XML-RPC libraries which don't support empty tags, such XMLRPC++.
*   New UseNagleAlgorithm property on IXmlRpcProxy. With its default value of false calls will be quicker where small XML-RPC requests are being sent.
*   Separate client and server assemblies � client assembly compatible with .NET Client Profile.
*   Changed directory structure within distribution zip file to avoid problem when opening the file in Windows Explorer.
*   Moved to Visual Studio 2010.
*   Fixed issues:
    *   Issue 55 : change XmlRpcProxyGen so that FileIOPermission is not required for calls to Create.
    *   Issue 56: Maintain XML-RPC struct member ordering in XmlRpcStruct after deserialization.
    *   Issue 65: When deserializing request, check that the number of parameters is consistent with the method signature.
    *   Issue 70: Allow structs/classes to have members or arrays of the same type as the parent type.
    *   Issue 74: Fixed case where if a proxy call is made with a ResponseEvent assigned, the call crashes with a "Stream Closed" error.
    *   Issue 77: Fixed exception when AllowStringFaultCode is set to true. Now string fault codes are handled as well as integer fault code by default.
    *   Issue 78: XmlRpcServiceInfo.GetXmlRpcType now handles case of NonSerializedAttribute on all types.
    *   Issue 83: Change to prevent internal server error when viewing auto-generated help on Mono based servers.
    *   Issue 86: XmlRpcDocWriter.WriteStruct now writes XmlRpcMember.Description.
    *   Issue 89: Workaround on XmlRpcListenerService for cases where closing the request stream was resulting in an InvalidOperationException.
*   Changes:
    *   Custom nullable types � XmlRpcBoolean, XmlRpcDateTime, XmlRpcDouble, XmlRpcInt � have been discontinued. Use the standard nullable types bool?, DateTime?, double?, int?.
    *   A server implementation now needs to reference the CookComputing.XmlRpcServer assembly in addition to the CookComputing.XmlRpc assembly.
    *   Default value for new UseNagleAlgorithm. By default it was previously always false.

**Older Releases****2.4.0**

xml-rpc.net.2.4.0.zip

New feature and fixed issues:

*   New StructParams property on XmlRpcMethodAttribute which provides supports for APIs which use a struct to provide named parameters to a method call. (more).
*   NonSerialized attribute can be applied to struct members to prevent them being serialized and deserialized. (more).
*   Fixed issues:
    *   Issue 25: NullReferenceException when struct member name is an empty string. Now throws XmlRpcInvalidXmlRpcException.
    *   Issue 26: Auto-Documentation does not work with HttpListener.
    *   Issue 27: XmlRpcListenerService.ProcessRequest may not close stream in case of exception.
    *   Issue 28: XmlRpcSerializer.GetStructName does not check for Properties.
    *   Issue 31: UseIntTag is being ignored.
    *   Issue 32: XmlRpcClientProtocol problem with response from void method.
    *   Issue 34: XmlRpcServerProtocol should be derived from MarshalByRefObject. The system.\* methods do not work with remoting object.
    *   Issue 35: UseEmptyParamsTag property on the proxy doesn�t work unless you are making asynchronous calls.
    *   Issue 36: Fixed SelectSingleNode and using statement in XmlRpcFaultException for Compact Framework version.
    *   Issue 38: Check of ParamArrayAttribute causes crash under Mono/Linux.
    *   Issue 40: Deserialization performance enhancement.

**2.3.2**

xml-rpc.net.2.3.2.zip

Changes:

*   Issue 22: XmlRpcTypeMismatchException thrown if an XML-RPC array is mistakenly mapped onto a .Net struct (was throwing MissingMethodException).
*   Issue 23: Fixes problem where XML-RPC string values containing just one or more spaces were deserialized as an empty .Net string value.
*   Issue 24: XmlRpcV2 assembly is now built with a strong name.

**2.3.1**

xml-rpc.net.2.3.1.zip

Changes:

*   Issue 20: Fixes problem where XML-RPC service implemented as HttpHandler returns 500 server error.
*   Issue 21: Fixes problem with StateNameServer sample which returns fault response because of duplicate XML-RPC method names.

**2.3.0**

xml-rpc.net.2.3.0.zip

New features and changes:

*   Issue 15: Support for accessing response headers and cookies. (more).
*   Issue 17: Support for not sending a params element if no method parameters. (more).
*   Changes:
    *   Issue 16: Content type set before writing to response stream (fixes Mono issue).
    *   Issue 18: Modified proxy code generation so that it verifies - prevents �Operation could destabilize the runtime" problem.
    *   Issue 19: XmlRpcListenerService now sets Content Length header and does not use chunked content by default.

**2.2.0**

xml-rpc.net.2.2.0.zip

New features and changes:

*   Support for using System.Net.HttpListener to implement an XML-RPC server. (more).
*   Allow client to configure that <string> tag is not used for string values. (more).
*   Server configuration using XmlRpcServiceAttribute. (more).
*   Client support for Accept-Encoding - gzip and deflate. (more).
*   Changes:
    *   Fixed null exception if acquiring request stream fails while logging.
    *   Fixed stack overflow in GetXmlRpcType if invalid types such as DBNull passed in.
    *   Fixed handling of params method parameter if it is first parameter of method.
    *   Improved error reporting when processing params parameters.
    *   Throw XmlRpcDupXmlRpcMethodNames if same XML-RPC name applied to two methods.
    *   Handle zero offset timezones when AllowNonStandardDateTime flag set.

**2.1.0**

xml-rpc.net.2.1.0.zip

New features and changes:

*   Add support for proxy interfaces with overloaded methods. (more).
*   Add support for the int?, bool?, double?, and DateTime? nullable types to represent struct member types (.NET 2.0 version). These can be used to support optional struct members of int, boolean, double, and dateTime.iso8601 types. (more).

**2.0.0**

xml-rpc.net.2.0.0.zip

New features and changes:

*   Add generic form of XmlRpcProxyGen.Create() to remove need to cast the result of Create to the relevant interface (v2 assembly only) (more).
*   Add support for XmlRpcNonStandard.AllowInvalidHttpContent to handle HTTP response content which has whitespace before the start of the XML-RPC response (more).
*   Switch from NAnt to MSBuild and now builds a .NET 2.0 assembly as well as a .NET 1.0 assembly. Note that the 1.0 assembly can be used on all versions of the .NET runtime and should be used where backwards compatibility is required. The 2.0 assembly contains enhancements which rely on features of .NET 2.0 such as generics and can only be used on the .NET 2.0 and later versions of the runtime (more).
*   Error handling
    *   Throws XmlRpcInvalidParametersException if the parameters array passed to XmlRpcClientProtocol.Invoke contains more parameters than are defined for the method being invoked.
    *   Throws XmlRpcInvalidXmlRpcException if a struct member is missing its name or value child element or if it has a duplicate name or value child element.
    *   Attempt to serialize type with one or more properties that cannot be serialized to an XML-RPC type now results in the correct exception being thrown: XmlRpcUnsupportedTypeException.
*   Samples:
    *   Modify samples to use IXmlRpcProxy interface.
    *   Fix threading issue in AsyncBettyApplication sample.

**1.0.0**

xml-rpc.net.1.0.0.zip

New features and changes:

*   IXmlRpcProxy interface to simplify setting proxy properties (more).
*   Expect100Continue property on XmlRpcClientProtocol to configure "Expect: 100-continue" header; default is header not sent (more).
    *   Note: default behavior in previous versions of XML-RPC.NET was to send this header.
*   Support for variable number of method parameters using params (more).
*   Configurable client support for server which don't comply with XML-RPC standard:
    *   UseIntTag proxy property to use <int> instead of <i4>.
    *   Support dateTime with all zeroes (e.g. eGroupWare).
    *   Support empty dateTime values.
    *   Support fault code returned as string.
    *   Support for non-standard dateTime formats
    *   Note: default is standard XML-RPC only. Existing code which relies on non-standard behaviour will need to configure the proxy NonStandard property (more).
*   Support for sending cookies with request (thanks to JC Bertin) (more).
*   Changes:
    *   Fix for when passing zero-length byte array as base64 value.
    *   Removed large switch statements to circumvent Microsoft .NET bug when running in version 2.0 of the .NET runtime with medium trust.
    *   Uses invariant DateTimeFormatInfo when parsing dateTime.iso8601 so parsing works in all locales
    *   Check for recursive data structures when serializing.
    *   Fix to allow XmlRpcStruct member to be set more than once.
    *   Prevent types which cannot be serialized from being added to XmlRpcStruct.
    *   Improved error handling for null values when serializing.
    *   Fix to XmlRpcServerFormatterSink suggested by Sean Rohead.
*   Sample code:
    *   Updates on sample blogging interfaces from Sam Schillace and Mikahosi.
    *   Sample code for accessing OpenDHT (thanks to Michel Foucault).

**0.9.2**

xml-rpc.net.0.9.2.zip

*   Fixed parsing struct containing an enum member.
*   Lock around generation of proxy type.
*   When generating proxy from interface now includes methods from base interfaces.
*   Added RequestEvent and ResponseEvent events to XmlRpcClientProtocol.
*   Added XmlRpcLogger class for ease of use of RequestEvent and ResponseEvent events.
*   Adding LoggingEample sample.
*   Support for XmlRpcMissingMapping attribute on properties.
*   Invalid struct elements ignored if mapping action is Ignore.
*   Fixed dateTime issue with Wareki calendar.
*   Fixed problem with serializing void return.
*   Modified call to DeserializeResponse in DeserializeMessage.
*   Handles case when server incorrectly returns fault code as a string.
*   XmlRpcStruct restricted to string keys.

**0.9.1**

xml-rpc.net.0.9.1.zip

*   Distribution includes version of library which runs on .NET Compact Framework.
*   DateTime parsing bug fixed (caused problems in particular with it-IT locale)
*   XmlRpcProxyGen caches generated assemblies to avoid leakage if XmlRpcProxyGen is called multiple times for the same interface.

**0.9.0**

xml-rpc.net.0.9.0.zip

*   XmlRpcServiceAttribute has a new AutoDocumentation property which allows automatic documentation to be switched off.
*   Handles XML-RPC response encodings other than UTF-8.
*   XmlRpcMemberAttribute fixed.
*   XmlRpcClientProtocol has new ProtocolVersion property to allow HTTP v1.0 to be specified.
*   XmlRpcClientProtocol has new KeepAlive property (default is true). With some servers it may be necessary to set this to false when running with the current beta of the 2.0 CLR, for example if you start seeing the "Underlying Connection Was Closed" exception or the second call on a proxy appears to hang.
*   Multi-dimensional arrays handled correctly.
*   dateTime parsing supports "yyyy-MM-ddTHH:mm:ss" to handle blog service providers which return invalid XML-RPC dateTime values in this format.
*   Includes Joe Bork's xmlrpcgen utility to generate source code for proxies.
*   Release runs on version 1.0 of CLR upwards.

**0.8.0**

xml-rpc.net.0.8.0.zip

*   optional struct members
*   The zip file contains a bin directory containing:

*   **CookComputing.XmlRpc.dll**
*   **bettyapp.exe** (A WinForms application which calls the UserLand betty example server.)
*   **asyncbettyapp.exe** (Another WinForms app illustrating how to make async calls.)
*   **mathservice.exe** (A simple XML-RPC service.)
*   **mathapp.exe** (A WinForms application which calls MathService.)

**0.7.1**

xml-rpc.net.0.7.1.zip

*   License change.
*   Fixed problem in XmlRpcServerFormatterSink.cs whereby an exception was thrown if the XML-RPC and .NET method names are different.

**0.7.0**

xml-rpc.net.0.7.0.zip

*   error reporting of parsing errors using parse stack
*   support for async proxy method generation
*   contiuning work on auto-generated documentation
*   params keywords used in XmlRpcClientProtocol.Invoke
*   server method can return void (return empty string in XML-RPC response)
*   proxy method can return void (return value in XML-RPC response discarded)
*   deserializer throws exception if an XML-RPC struct is missing one or more expected members
*   fixed irritating warning when compiling XmlRpcStruct
*   add version of BeginInvoke taking correct params as per docs
*   Close always called on WebResponse
*   fixed usage of XmlRpcClientProtocol Proxy property when used in VS designer (Drew Marsh)
*   fixed handling of response without Content-Length during async calls (Dmitry Jemerov)
*   fixed case when zero-length string in default string value is passed as <value/> (Drew Marsh)
*   The zip file contains a bin directory containing:

*   **CookComputing.XmlRpc.dll**
*   **bettyapp.exe** (A WinForms application which calls the UserLand betty example server.)
*   **asyncbettyapp.exe** (Another WinForms app illustrating how to make async calls.)
*   **mathservice.exe** (A simple XML-RPC service.)
*   **mathapp.exe** (A WinForms application which calls MathService.)

**Limitations of Current Release**

*   Auto-documentation generation not fully implemented.
*   No tracing/logging functionality.

**0.6.0**

xml-rpc.net.0.6.0.zip

*   Fixed UserAgent property of XmlRpcClientProtocol.
*   Added Proxy property to XmlRpcClientProtocol.
*   Default for XML-RPC request XML document is no explicit encoding, i.e. implicitly UTF-8.
*   Added Encoding property to XmlRpcClientProtocol to set explicit encoding on XML-RPC request XML document
*   Can now use interface to define XML-RPC methods. For example can use same interface to implement both server and client. MathService changed to illustrate use of interface.
*   Added XmlRpcProxyGen class to dynamically create a proxy object from an interface, i.e. makes hand-coding of proxies unnecessary in most cases. bettyapp sample changed to illustrate this.
*   Fixed parsing of double type to be culture independent.
*   Fault response XML document now generated in same way as ordinary response, i.e. will be in same format and encoding.

**0.5.5**

xml-rpc.net.0.5.5.zip

*   Added ClientCertificates property to XmlRpcClientProtocol  
    
*   The zip file contains a bin directory containing:

*   **CookComputing.XmlRpc.dll**
*   **bettyapp.exe** (A WinForms application which calls the UserLand betty example server.)
*   **asyncbettyapp.exe** (Another WinForms app illustrating how to make async calls.)
*   **mathservice.exe** (A simple XML-RPC service.)
*   **mathapp.exe** (A WinForms application which calls MathService.)

**Limitations of Current Release  
**

*   Auto-documentation generation not fully implemented.
*   No tracing/logging functionality.

**0.5.4**

xml-rpc.net.0.5.4.zip

*   Added Headers property to XmlRpcClientProtocol.
*   Added XmlRpcMemberAttribute.
*   Modified deserialization of arrays to return more specific array type when all elements are of the same type.

**0.5.3**

xml-rpc.net.0.5.3.zip

*   Fixed problem with deserializing arrays.

**0.5.2**

xml-rpc.net.0.5.2.zip

*   Improved handling of XmlRpcFaultException in server formatter sink..

**0.5.1**

xml-rpc.net.0.5.1.zip

*   Improved handling of XmlRpcFaultException in server formatter sink..

**0.5.0**

xml-rpc.net.0.5.0.zip

*   Interim release containing preliminary code for client and server NET Remoting formatter sinks.
*   A Remoting sample, with assemblies and config files.

**0.4.3**

xml-rpc.net.0.4.3.zip

*   Interim release containing bug fixes, mainly in the serialization/deserialization code.
*   Some restructuring in preparation for some major changes in the 0.5 series of releases.

**0.4.2**

xml-rpc.net.0.4.2.zip

*   Build for .NET RTM.
*   Added preliminary support for Introspection API.

**0.4.1**

xml-rpc.net.0.4.1.zip

*   Major changes to XmlRpcClientProtocol class to support async calls, working but coding not completed.
*   Extra sample - AsyncBettyApp - to illustrate async calls.

**0.4.0**

Initial release for .NET beta 2.

xml-rpc.net.0.4.0.zip

**0.3.0**

Initial release for .NET beta 1.

**Developers**

Lead Developer - Charles Cook.

Tag

#linux