lesspipe before 2.06 allows attackers to execute code via Perl Storable (pst) files, because of deserialized object destructor execution via a key/value pair in a hash.

**Bug 865631** \- <app-text/lesspipe-2.06: Perl storable (pst) files security fix

Summary: <app-text/lesspipe-2.06: Perl storable (pst) files security fix

Status:

IN\_PROGRESS

Alias:

None

Product:

Gentoo Security

Classification:

Unclassified

Component:

Vulnerabilities (show other bugs)

Hardware:

All Linux

Importance:

Normal normal (vote)

Assignee:

Gentoo Security

URL:

Whiteboard:

B2 \[glsa\]

Keywords:

Depends on:

872749

Blocks:

 

Show dependency tree

Reported:

2022-08-18 02:58 UTC by Sam James

Modified:

2022-10-31 15:37 UTC (History)

CC List:

1 user (show)

See Also:

Package list:

Runtime testing required:

\---

  

Attachments

Add an attachment (proposed patch, testcase, etc.)

  

Note You need to log in before you can comment on or make changes to this bug.

CVE-2022-44542: Perl storable (pst) files security fix

A vulnerability, which was classified as critical, has been found in Axiomatic Bento4. Affected by this issue is the function AP4_DataBuffer::SetDataSize of the component Avcinfo. The manipulation leads to heap-based buffer overflow. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-212564.

Hi, developers of Bento4:  
I tested the binary Avcinfo with my fuzzer, and a crash incurred—heap-buffer-overflow. The following is the details. I think this error is different from both #731 and #610.

Detected heap-buffer-overflow in Avcinfo.

    root@4w41awdas71:/# ./Bento4/cmakebuild/avcinfo fuzz-avcinfo/out/crashes/POC_avcinfo_15644345
    =================================================================
    ==708228==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000011 at pc 0x0000004fb133 bp 0x7ffea9099cb0 sp 0x7ffea9099ca8
    READ of size 1 at 0x602000000011 thread T0
        #0 0x4fb132 in main (/Bento4/cmakebuild/avcinfo+0x4fb132)
        #1 0x7fa90b673c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
        #2 0x41d5a9 in _start (/Bento4/cmakebuild/avcinfo+0x41d5a9)
    
    0x602000000011 is located 0 bytes to the right of 1-byte region [0x602000000010,0x602000000011)
    allocated by thread T0 here:
        #0 0x4f58a8 in operator new[](unsigned long) /llvm-project/compiler-rt/lib/asan/asan_new_delete.cpp:102
        #1 0x4fb503 in AP4_DataBuffer::SetDataSize(unsigned int) (/Bento4/cmakebuild/avcinfo+0x4fb503)
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow (/Bento4/cmakebuild/avcinfo+0x4fb132) in main
    Shadow bytes around the buggy address:
      0x0c047fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c047fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c047fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c047fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x0c047fff8000: fa fa[01]fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==708228==ABORTING
    
    

Ubuntu 18.04.6 LTS (docker)  
clang 12.0.1  
clang++ 12.0.1  
Bento4 master branch(5b7cc25) && Bento4 release version(1.6.0-639)

CVE-2022-3785: A heap-buffer-overflow in Avcinfo · Issue #780 · axiomatic-systems/Bento4

rtf2html v0.2.0 was discovered to contain a heap overflow in the component /rtf2html/./rtf_tools.h.

**Version**

hjsz@hjsz:~/rtf2html$ ./rtf2html -v  
rtf2html version 0.2.0

**Command**

./rtf2html

**Crash output****Crash1: heap-buffer-overflow**

\=================================================================  
\==3467450==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x63000000f401 at pc 0x0000004e744e bp 0x7ffc3c277010 sp 0x7ffc3c277008  
READ of size 1 at 0x63000000f401 thread T0  
#0 0x4e744d in void skip\_group<\_\_gnu\_cxx::\_\_normal\_iterator<char\*, std::\_\_cxx11::basic\_string<char, std::char\_traits, std::allocator > > >(\_\_gnu\_cxx::\_\_normal\_iterator<char\*, std::\_\_cxx11::basic\_string<char, std::char\_traits, std::allocator > >&) /home/hjsz/rtf2html/./rtf\_tools.h:27:15  
#1 0x4db43c in main /home/hjsz/rtf2html/rtf2html.cpp:158:16  
#2 0x7f7e99536082 in \_\_libc\_start\_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16  
#3 0x41da0d in \_start (/home/hjsz/rtf2html/rtf2html+0x41da0d)  
0x63000000f401 is located 0 bytes to the right of 61441-byte region \[0x630000000400,0x63000000f401)  
allocated by thread T0 here:  
#0 0x4c58bd in operator new(unsigned long) (/home/hjsz/rtf2html/rtf2html+0x4c58bd)  
#1 0x7f7e999e635d in std::\_\_cxx11::basic\_string<char, std::char\_traits, std::allocator >::\_M\_mutate(unsigned long, unsigned long, char const\*, unsigned long) (/lib/x86\_64-linux-gnu/libstdc++.so.6+0x14335d)  
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/hjsz/rtf2html/./rtf\_tools.h:27:15 in void skip\_group<\_\_gnu\_cxx::\_\_normal\_iterator<char\*, std::\_\_cxx11::basic\_string<char, std::char\_traits, std::allocator > > >(\_\_gnu\_cxx::\_\_normal\_iterator<char\*, std::\_\_cxx11::basic\_string<char, std::char\_traits, std::allocator > >&)  
Shadow bytes around the buggy address:  
0x0c607fff9e30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x0c607fff9e40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x0c607fff9e50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x0c607fff9e60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x0c607fff9e70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
\=>0x0c607fff9e80:\[01\]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c607fff9e90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c607fff9ea0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c607fff9eb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c607fff9ec0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c607fff9ed0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
Shadow byte legend (one shadow byte represents 8 application bytes):  
Addressable: 00  
Partially addressable: 01 02 03 04 05 06 07  
Heap left redzone: fa  
Freed heap region: fd  
Stack left redzone: f1  
Stack mid redzone: f2  
Stack right redzone: f3  
Stack after return: f5  
Stack use after scope: f8  
Global redzone: f9  
Global init order: f6  
Poisoned by user: f7  
Container overflow: fc  
Array cookie: ac  
Intra object redzone: bb  
ASan internal: fe  
Left alloca redzone: ca  
Right alloca redzone: cb  
Shadow gap: cc  
\==3467450==ABORTING

**Crash2 : SEGV on unknown address**

\=================================================================  
AddressSanitizer:DEADLYSIGNAL  
\==3472093==ERROR: AddressSanitizer: SEGV on unknown address (pc 0x0000004d2be7 bp 0x7ffcfb04e1d0 sp 0x7ffcfb04d080 T0)  
\==3472093==The signal is caused by a READ memory access.  
\==3472093==Hint: this fault was caused by a dereference of a high value address (see register values below). Dissassemble the provided pc to learn which register was used.  
#0 0x4d2be7 in formatting\_options::operator=(formatting\_options const&) /home/hjsz/rtf2html/./fmt\_opts.h:96:19  
#1 0x4db0f9 in main /home/hjsz/rtf2html/rtf2html.cpp:572:21  
#2 0x7f2556f85082 in \_\_libc\_start\_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16  
#3 0x41da0d in \_start (/home/hjsz/rtf2html/rtf2html+0x41da0d)

AddressSanitizer can not provide additional info.  
SUMMARY: AddressSanitizer: SEGV /home/hjsz/rtf2html/./fmt\_opts.h:96:19 in formatting\_options::operator=(formatting\_options const&)  
\==3472093==ABORTING

**POC**

POC.zip

**Report of Information Security Laboratory of Ocean University of China @OUC\_ISLOUC @OUC\_Blue\_Whale**

CVE-2022-43148: Some crashes occur when fuzzing rtf2html. · Issue #11 · lvu/rtf2html

timg v1.4.4 was discovered to contain a memory leak via the function timg::QueryBackgroundColor() at /timg/src/term-query.cc.

**Version**

timg v1.4.4  
afl-clang  
afl-clang++

**Description**

\=================================================================  
\==15159==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 8 byte(s) in 1 object(s) allocated from:  
#0 0x485b14 in strdup (/home/hjsz/fuzz\_software/timg/build/src/timg+0x485b14)  
#1 0x51afb7 in timg::QueryBackgroundColor() /home/hjsz/fuzz\_software/timg/src/term-query.cc:177:12  
#2 0x4d8802 in main::$\_1::operator()() const /home/hjsz/fuzz\_software/timg/src/timg.cc:775:43  
#3 0x4d8802 in std::\_Function\_handler<timg::rgba\_t (), main::$\_1>::\_M\_invoke(std::\_Any\_data const&) /usr/bin/../lib/gcc/x86\_64-linux-gnu/9/../../../../include/c++/9/bits/std\_function.h:285:9  
#4 0x4dd3a3 in std::function<void ()>::operator()() const /usr/bin/../lib/gcc/x86\_64-linux-gnu/9/../../../../include/c++/9/bits/std\_function.h:688:14  
#5 0x4dd3a3 in timg::ThreadPool::Runner() /home/hjsz/fuzz\_software/timg/src/thread-pool.h:76:13  
#6 0x7f5c047dcde3 (/lib/x86\_64-linux-gnu/libstdc++.so.6+0xd6de3)

Direct leak of 8 byte(s) in 1 object(s) allocated from:  
#0 0x4c8edd in operator new(unsigned long) (/home/hjsz/fuzz\_software/timg/build/src/timg+0x4c8edd)  
#1 0x4f2477 in timg::BufferedWriteSequencer::BufferedWriteSequencer(int, bool, int, bool, int const volatile&) /home/hjsz/fuzz\_software/timg/src/buffered-write-sequencer.cc:42:11  
#2 0x4d26e2 in main /home/hjsz/fuzz\_software/timg/src/timg.cc:826:34  
#3 0x7f5c04399082 in \_\_libc\_start\_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: 16 byte(s) leaked in 2 allocation(s).

**Command**

./timg some.jpg  
./timg -g50x50 some.jpg  
When I want to fuzz the software and make it by afl,crashes occur.

**Poc**

POC.zip

Thanks for your time !

**Report of the Information Security Laboratory of Ocean University of China @OUC\_ISLOUC @OUC\_Blue\_Whale**

CVE-2022-43151: Detected memory leaks 16 byte(s) leaked in 2 allocation(s) · Issue #92 · hzeller/timg

xfig 3.2.7 is vulnerable to Buffer Overflow.

Toggle useless messages

**Report forwarded** to debian-bugs-dist@lists.debian.org, subin.kim@prosys.kr, Roland Rosenfeld <roland@debian.org>:  
Bug#992395; Package xfig. (Wed, 18 Aug 2021 06:15:03 GMT) (full text, mbox, link).

**Acknowledgement sent** to "Potential Buffer Overflow vulnerability in xfig-3.2.7b" <subin.kim@prosys.kr>:  
New Bug report received and forwarded. Copy sent to subin.kim@prosys.kr, Roland Rosenfeld <roland@debian.org>. (Wed, 18 Aug 2021 06:15:03 GMT) (full text, mbox, link).

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

Package: xfig
Version: xfig
Severity: important

Dear Maintainer,

It seems that there exists a potential Buffer Overflow.
(src/w\_help.c:55)
sprintf(filename, "%s/html/%s/index.html", XFIGDOCDIR, getenv("LANG"));

the length of getenv("LANG") may become very long and cause Buffer Overflow while executing sprintf(...).


-System Information:
Debian Release: 11.0
  APT prefers oldstable-updates
  APT policy: (500, 'oldstable-updates'), (500, 'oldstable')
Architecture: amd64 (x86\_64)

Kernel: Linux 4.4.0-19041-Microsoft
Locale: LANG=en\_US.UTF-8, LC\_CTYPE=en\_US.UTF-8 (charmap=UTF-8), LANGUAGE=en\_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: unable to detect

Versions of packages xfig depends on:
pn  fig2dev | transfig  <none>
ii  libc6               2.31-13
ii  libjpeg62-turbo     1:1.5.2-2+deb10u1
ii  libpng16-16         1.6.36-6
ii  libx11-6            2:1.6.7-1+deb10u2
ii  libxi6              2:1.7.9-1
pn  libxpm4             <none>
ii  libxt6              1:1.1.5-1+b3
ii  sensible-utils      0.0.14
pn  xaw3dg              <none>

Versions of packages xfig recommends:
pn  xfig-libs  <none>

Versions of packages xfig suggests:
pn  cups-client | lpr  <none>
pn  ghostscript        <none>
pn  gimp               <none>
pn  gsfonts-x11        <none>
pn  netpbm             <none>
pn  spell              <none>
pn  xfig-doc           <none>

**Reply sent** to Roland Rosenfeld <roland@debian.org>:  
You have taken responsibility. (Fri, 20 Aug 2021 12:09:03 GMT) (full text, mbox, link).

**Notification sent** to "Potential Buffer Overflow vulnerability in xfig-3.2.7b" <subin.kim@prosys.kr>:  
Bug acknowledged by developer. (Fri, 20 Aug 2021 12:09:03 GMT) (full text, mbox, link).

Message #12 received at 992395-close@bugs.debian.org (full text, mbox, reply):

Source: xfig
Source-Version: 1:3.2.8a-1
Done: Roland Rosenfeld <roland@debian.org>

We believe that the bug you reported is fixed in the latest version of
xfig, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 992395@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Roland Rosenfeld <roland@debian.org> (supplier of updated xfig package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Fri, 20 Aug 2021 13:26:32 +0200
Source: xfig
Architecture: source
Version: 1:3.2.8a-1
Distribution: unstable
Urgency: medium
Maintainer: Roland Rosenfeld <roland@debian.org>
Changed-By: Roland Rosenfeld <roland@debian.org>
Closes: 992395
Changes:
 xfig (1:3.2.8a-1) unstable; urgency=medium
 .
   \* New upstream release 3.2.8a.
   \* 07\_missing-config.h, 08\_fig-format-doc, 09\_repair-table-doc are now
     incorporated upstream.
   \* Adapt file preservation to new upstream version.
   \* Update debian/copyright.
   \* Move xfig binary to /usr/libexec/xfig/xfig.
   \* Package test binaries and use them in autopkgtest.
   \* Update to Standards-Version 4.6.0 (no changes).
   \* 07\_LANG\_overflow: Avoid buffer overflow in LANG (Closes: #992395).
Checksums-Sha1:
 3c61e420b37da903f6a7e246fb0bacdab13c5ab8 2268 xfig\_3.2.8a-1.dsc
 0ac17ad33fdc8d570c187641e3d62ca9cd8faa2e 5380896 xfig\_3.2.8a.orig.tar.xz
 cd9de585ba1cf9f60cb888db8e6c23aedac8db8a 31736 xfig\_3.2.8a-1.debian.tar.xz
 7ec24ede8ad6c45982f1d6daecdf8eb2bbeb78db 8802 xfig\_3.2.8a-1\_source.buildinfo
Checksums-Sha256:
 5ccff8d437f6cca74c999902606c5288bc2faa3d4e369fbf5e9e41f06f528b83 2268 xfig\_3.2.8a-1.dsc
 ba43c0ea85b230d3efa5a951a3239e206d0b033d044c590a56208f875f888578 5380896 xfig\_3.2.8a.orig.tar.xz
 5bce4925951b4da43606ea0fdbc58e6d5bd586db5d3288f1b6abd2f69bc7dbe8 31736 xfig\_3.2.8a-1.debian.tar.xz
 8b72190e5c937543ef4692e84125a5bc816e234e68982b38f2c2d9f63e48f407 8802 xfig\_3.2.8a-1\_source.buildinfo
Files:
 47505378c399e92bd8320c9e7c3cfa26 2268 graphics optional xfig\_3.2.8a-1.dsc
 58dd2b6f9f17d7006c78156ce2da0073 5380896 graphics optional xfig\_3.2.8a.orig.tar.xz
 21becafff522811fd703ad707848b2c8 31736 graphics optional xfig\_3.2.8a-1.debian.tar.xz
 1ad72572a407e7d1ee3be3d287bbf4f4 8802 graphics optional xfig\_3.2.8a-1\_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEErC+9sQSUPYpEoCEdAnE7z8pUELIFAmEfkesACgkQAnE7z8pU
ELK3ihAAjb2QzTyLRtUVTT50trBehzl8WJvfo7txeYBvJZup+j0hd0T46EFlpZ7M
gTFTN2zxWf7w8WUYQyfSqM7anzl3otEEaLSQ3kE3vzo+ZH9T0J98m2F/OQbEqF1u
QLbZxQF4f8M98s3TY3qBrE8Q+jN9CxcAaHMD4raoUw5LVz6FJ8c/l/xg8AQN2ekK
YWwwhZnxRWJjM3mu6hK7Cj9ihOsrs6f9q10t08q6sKVnuWLTUuvl5mGB3cDd/zHk
YNJ724pBwqUNPU1sDfGl6/DWiuWjmJwaQ1H/MnPEnV/7Utu3adfvF7AAodmxuV91
Jvx5Tb9VqnY84eRdCi2zFFyMKk4Kv6VXNLcOtFbpg7chFcWApIm+NY4Ql5s21yZg
JJZgrVHEo1rjqGbNQ9dnQHN8qZCANeKbJ44eGDgFnYPrUr963TWHhbDOOcwgU4sS
/HQf6aeq6OtXU5gSpLW2yfex2PAPustTmedREnSLuI3V5yiQxNa3Z8fQe3I36AKR
f0M4PU0c8JFEucA4ocwnzKflGsEqwGd/0OOSiPLShCdE+iaBrbz7FaOnQBO81Oyx
KUEXbL19EgBvSiz1oXIuVxgoObcEx2PK+W8uw1RkWq7Y2yjfx2N+kuDvTsJAEDzA
xYOtje3y6/VKKGWBVlDz8rFJSBA0hSY68XS+xQTzFPnNIU5wFPw=
=/r76
-----END PGP SIGNATURE-----

**Bug archived.** Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 18 Sep 2021 07:29:13 GMT) (full text, mbox, link).

Send a report that this bug log contains spam.

Debian bug tracking system administrator <owner@bugs.debian.org\>. Last modified: Mon Oct 31 16:35:27 2022; Machine Name: buxtehude

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.

CVE-2021-40241: #992395 - xfig: Potential Buffer Overflow vulnerability in src/w_help.c

Gentoo Linux Security Advisory 202210-33 - A vulnerability has been discovered in Libtirpc which could result in denial of service. Versions less than 1.3.2 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202210-33  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: Libtirpc: Denial of Service  
     Date: October 31, 2022  
     Bugs: #859634  
       ID: 202210-33

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

A vulnerability has been discovered in Libtirpc which could result in  
denial of service.

Background  
==========

Libtirpc is a port of Sun's Transport-Independent RPC library to Linux.

Affected packages  
=================

    -------------------------------------------------------------------  
     Package              /     Vulnerable     /            Unaffected  
    -------------------------------------------------------------------  
  1  net-libs/libtirpc          < 1.3.2                      >= 1.3.2

Description  
===========

Currently svc_run does not handle poll timeout and rendezvous_request  
does not handle EMFILE error returned from accept(2 as it used to.  
These two missing functionality were removed by commit b2c9430f46c4.

The effect of not handling poll timeout allows idle TCP conections  
to remain ESTABLISHED indefinitely. When the number of connections  
reaches the limit of the open file descriptors (ulimit -n) then  
accept(2) fails with EMFILE. Since there is no handling of EMFILE  
error this causes svc_run() to get in a tight loop calling accept(2).  
This resulting in the RPC service of svc_run is being down, it's  
no longer able to service any requests.

Due to a lack of handling of certain error cases, connections to  
Libtirpc could remain ESTABLISHED indefinitely.

Impact  
======

Denial of service can be achieved via establishing enough connections to  
Libtirpc to reach the limit of open file descriptors for the process.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All Libtirpc users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=net-libs/libtirpc-1.3.2"

References  
==========

[ 1 ] CVE-2021-46828  
      https://nvd.nist.gov/vuln/detail/CVE-2021-46828

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202210-33

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2022 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202210-33

Debian Linux Security Advisory 5267-1 - Nicky Mouha discovered a buffer overflow in 'sha3', a Python library for the SHA-3 hashing functions.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5267-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffOctober 30, 2022                      https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : pysha3CVE ID         : CVE-2022-37454Debian Bug     : 1023030Nicky Mouha discovered a buffer overflow in 'sha3', a Python library forthe SHA-3 hashing functions.For the stable distribution (bullseye), this problem has been fixed inversion 1.0.2-4.1+deb11u1.We recommend that you upgrade your pysha3 packages.For the detailed security status of pysha3 please refer toits security tracker page at:https://security-tracker.debian.org/tracker/pysha3Further information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmNeydYACgkQEMKTtsN8TjZM0RAAk28/0iK+MlZR4EtgLm8chSw8YsaDjyCC6yVv82fz5yjYRhNkCteunkH0ffN2B8EXRJN8pqRV89ptnwOkwW3KjaJ6un3new3Zg4sPFB2DULd3yoxD3YGlzbh/EmHsnDSN88M8TSSi6IGErBIrMNqKt0FORg9/whpujDOJToo5np8uV7/SZNEMo2BOLtLIoXjMB4erlaI5pEE9/mEr6hzXJNsiVy82GtGZESuFo0XWu3hsD6BCzBvWKvZIOuALuTE9BEPGWJBPAIAqDS48yEd8KXiSEex9zsxdAa2vhsFHJ3U1LvwxZY0DvjG5JSjImc9U/p7DrwHhSyuS/pUFkR47Hl+d5i6+9IcU3lvFjszrq9bX019HuF2/U9ZfgvNQL/LmUpxFEyEziE3xkMG/SBP809fJ+UAU1XRV4qj6Yd/dN9TBZXE4eTcjzVCnjxjEzJKjaMcNl1qMM5JanG69iuGdy61ubTA/vEjxNH3qQOnJmITc1RuLlpkiU7TVA6ggNJ59xPQLLvgJ0lTY0oOQ0+pGh8aTHixHQFa35ynES6i+gKULv6M+fa/oayRLpw+06fGoSxdPmM8LHp9c54pLN3KgPIIcb/Aimkl+ReUYnrSXsaerfmyXS3f0LEjfhSxozXAooTxRr3eh5pUpTd3fuooodn9Zh3o5E5QcTbK82UGkTLI==p4UM-----END PGP SIGNATURE-----

Debian Security Advisory 5267-1

The Qualys Research Team has discovered authorization bypass and symlink vulnerabilities in multipathd. The authorization bypass was introduced in version 0.7.0 and the symlink vulnerability was introduced in version 0.7.7.

    Qualys Security AdvisoryLeeloo Multipath: Authorization bypass and symlink attack in multipathd(CVE-2022-41974 and CVE-2022-41973)========================================================================Contents========================================================================SummaryCVE-2022-41974: Authorization bypassCVE-2022-41973: Symlink attackAcknowledgmentsTimeline========================================================================Summary========================================================================We discovered two local vulnerabilities (an authorization bypass and asymlink attack) in multipathd, a daemon that is running as root in thedefault installation of (for example) Ubuntu Server:https://ubuntu.com/server/docs/device-mapper-multipathing-introductionhttps://github.com/opensvc/multipath-toolsWe combined these two vulnerabilities with a third vulnerability, inanother package that is also installed by default on Ubuntu Server, andobtained full root privileges on Ubuntu Server 22.04; other releases areprobably also exploitable. We will publish this third vulnerability, andthe complete details of this local privilege escalation, in an upcomingadvisory.The authorization bypass (CVE-2022-41974) was introduced in February2017 (version 0.7.0) by commit 9acda0c ("Perform socket client uid checkon IPC commands"), but earlier versions perform no authorization checksat all: any unprivileged local user can issue any privileged command tomultipathd.The symlink attack (CVE-2022-41973) was introduced in May 2018 (version0.7.7) by commit 65d0a63 ("functions to indicate mapping failure in/dev/shm"); the vulnerable code was hardened significantly in May 2020(version 0.8.5) by commit 40ee3ea ("simplify failed wwid code"), but itremains exploitable nonetheless.========================================================================CVE-2022-41974: Authorization bypass========================================================================The multipathd daemon listens for client connections on an abstract Unixsocket (conveniently, the multipathd binary itself can act as a client,if executed with non-option arguments; we use this feature extensivelyin this advisory to connect and send commands to the multipathd daemon):------------------------------------------------------------------------$ ps -ef | grep 'multipath[d]'root         377       1  0 13:55 ?        00:00:00 /sbin/multipathd -d -s$ ss -l -x | grep 'multipathd'u_str LISTEN 0      4096        @/org/kernel/linux/storage/multipathd 18105------------------------------------------------------------------------The commands sent by a client to multipathd are composed of keywords,and internally, each keyword is identified by a different bit; forexample, "list" is 1 (1<<0), "add" is 2 (1<<1), and "path" (whichrequires a parameter) is 65536 (1<<16):------------------------------------------------------------------------155 load_keys (void)...163         r += add_key(keys, "list", LIST, 0);164         r += add_key(keys, "show", LIST, 0);165         r += add_key(keys, "add", ADD, 0);...183         r += add_key(keys, "path", PATH, 1);------------------------------------------------------------------------ 53 #define LIST            (1ULL << __LIST) 54 #define ADD             (1ULL << __ADD) .. 69 #define PATH            (1ULL << __PATH)------------------------------------------------------------------------  6 enum {  7         __LIST,                 /*  0 */  8         __ADD, .. 23         __PATH,------------------------------------------------------------------------In turn, each command is associated with a handler (a C function) by itsfingerprint -- the bitwise OR of its constituent keywords; for example,the command "list path PARAM" is associated with cli_list_path() by thefingerprint 65537 (LIST+PATH=1+65536), and the command "add path PARAM"is associated with cli_add_path() by the fingerprint 65538(ADD+PATH=2+65536):------------------------------------------------------------------------1522 void init_handler_callbacks(void)....1527         set_handler_callback(LIST+PATH, cli_list_path);....1549         set_handler_callback(ADD+PATH, cli_add_path);------------------------------------------------------------------------321 static uint64_t322 fingerprint(const struct _vector *vec)...325         uint64_t fp = 0;...331         vector_foreach_slot(vec, kw, i)332                 fp += kw->code;333 334         return fp;------------------------------------------------------------------------ 89 static struct handler * 90 find_handler (uint64_t fp) .. 95         vector_foreach_slot (handlers, h, i) 96                 if (h->fingerprint == fp) 97                         return h; 98  99         return NULL;------------------------------------------------------------------------When multipathd receives a command from a client, it first performs anauthentication check and an authorization check (both at line 491):------------------------------------------------------------------------431 static int client_state_machine(struct client *c, struct vectors *vecs,...485         case CLT_PARSE:486                 c->error = parse_cmd(c);487                 if (!c->error) {...491                         if (!c->is_root && kw->code != LIST) {492                                 c->error = -EPERM;...495                         }496                 }497                 if (c->error)...501                 else502                         set_client_state(c, CLT_WORK);...522         case CLT_WORK:523                 c->error = execute_handler(c, vecs);------------------------------------------------------------------------- Authentication: if the client's UID (obtained from SO_PEERCRED) is 0  (i.e., if is_root is true), then the client is privileged; otherwise,  it is unprivileged.- Authorization: if the client is privileged, it is allowed to execute  any commands; otherwise, only unprivileged LIST commands are allowed  (i.e., commands whose first keyword is either "list" or "show").Attentive readers may have noticed that multipathd does not, in fact,calculate the fingerprint of a command by bitwise-ORing its constituentkeywords, but by arithmetic-ADDing them (at line 332). While these twooperations are equivalent if no keyword is repeated, we (attackers) cansend a seemingly unprivileged command (whose first keyword is "list")but whose fingerprint matches a privileged command (by repeating the"list" keyword): we can exploit this flaw to bypass multipathd'sauthorization check.For example, we are not allowed to execute "add path PARAM" (whosefingerprint is 2+65536=65538) because the first keyword is not "list",but we are allowed to execute the equivalent "list list path PARAM"(whose fingerprint is also 1+1+65536=65538, instead of 1|1|65536=65537)because the first keyword is "list" (the multipathd daemon below replies"blacklisted" because PARAM is an invalid path, not because the commandis denied):------------------------------------------------------------------------$ multipathd add path PARAMpermission deny: need to be root$ multipathd list list path PARAMblacklisted------------------------------------------------------------------------This authorization bypass greatly enlarges the attack surface ofmultipathd: 34 privileged command handlers become available to localattackers, in addition to the 23 unprivileged command handlers that arenormally available. We audited only a few of these command handlers,because we quickly discovered a low-hanging vulnerability (a symlinkattack) in one of them.========================================================================CVE-2022-41973: Symlink attack========================================================================multipathd operates insecurely, as root, in /dev/shm (a sticky,world-writable directory similar to /tmp). The vulnerable code (inmark_failed_wwid()) may be executed during the normal lifetime ofmultipathd, but a local attacker can force its execution by exploitingthe authorization bypass CVE-2022-41974; for example, by adding a"whitelisted, unmonitored" device to multipathd:------------------------------------------------------------------------$ multipathd list devices | grep 'whitelisted, unmonitored'    sda1 devnode whitelisted, unmonitored    ...$ multipathd list list path sda1fail------------------------------------------------------------------------This command, which is equivalent to "add path sda1", results in thefollowing system-call trace (strace) of the multipathd daemon:------------------------------------------------------------------------386 openat(AT_FDCWD, "/dev/shm/multipath/failed_wwids", O_RDONLY|O_DIRECTORY) = -1 ENOENT (No such file or directory)387 mkdir("/dev", 0700)                     = -1 EEXIST (File exists)388 mkdir("/dev/shm", 0700)                 = -1 EEXIST (File exists)389 mkdir("/dev/shm/multipath", 0700)       = 0390 mkdir("/dev/shm/multipath/failed_wwids", 0700) = 0391 openat(AT_FDCWD, "/dev/shm/multipath/failed_wwids", O_RDONLY|O_DIRECTORY) = 12392 getpid()                                = 375393 openat(12, "VBOX_HARDDISK_VB60265ca5-df119cb6.177", O_RDONLY|O_CREAT|O_EXCL, 0400) = 13394 close(13)                               = 0395 linkat(12, "VBOX_HARDDISK_VB60265ca5-df119cb6.177", 12, "VBOX_HARDDISK_VB60265ca5-df119cb6", 0) = 0396 unlinkat(12, "VBOX_HARDDISK_VB60265ca5-df119cb6.177", 0) = 0397 close(12)                               = 0------------------------------------------------------------------------- at line 389, the directory "/dev/shm/multipath" is created, if it does  not exist already;- at line 390, the directory "/dev/shm/multipath/failed_wwids" is  created, if it does not exist already;- at lines 391-397, the empty file  "/dev/shm/multipath/failed_wwids/VBOX_HARDDISK_VB60265ca5-df119cb6" is  created, if it does not exist already (its name is the "World Wide ID"  of the added device).multipathd is therefore vulnerable to two different symlink attacks:1/ if we (attackers) create an arbitrary symlink "/dev/shm/multipath",then we can create a directory named "failed_wwids" (user root, grouproot, mode 0700) anywhere in the filesystem;2/ if we create an arbitrary symlink "/dev/shm/multipath/failed_wwids",then we can create a file named "VBOX_HARDDISK_VB60265ca5-df119cb6"(user root, group root, mode 0400, size 0) anywhere in the filesystem.These two symlink attacks are very weak, because we do not control thename, user, group, mode, or contents of the directory or file that wecreate; only its location. Despite these limitations, we were able tocombine multipathd's vulnerabilities (authorization bypass and symlinkattack) with a third vulnerability (in another package), and obtainedfull root privileges on Ubuntu Server 22.04; we will publish this thirdvulnerability in an upcoming advisory.Side note: initially, we thought that the symlink attack 1/ would fail,because /dev/shm is a sticky world-writable directory, and the kernel'sfs.protected_symlinks is 1 by default; to our great surprise, however,it succeeded. Eventually, we understood that only the final component ofa path is protected, not its intermediate components; for example, if/tmp/foo is a symlink, then an access to /tmp/foo itself is protected,but an access to /tmp/foo/bar is not. Interestingly, this weakness wasalready pointed out in 2017 by Solar Designer, and the originalOpenwall, grsecurity, and Yama protections are not affected:https://www.openwall.com/lists/kernel-hardening/2017/06/06/74========================================================================Acknowledgments========================================================================We thank Martin Wilck and Benjamin Marzinski for their hard work on thisrelease, and the SUSE Security Team for their help with this disclosure.We also thank the members of linux-distros@openwall.========================================================================Timeline========================================================================2022-08-24: Advisory sent to security@suse.2022-10-10: Advisory and patches sent to linux-distros@openwall.2022-10-24: Coordinated Release Date (15:00 UTC).

Leeloo Multipath Authorization Bypass / Symlink Attack

Gentoo Linux Security Advisory 202210-32 - An integer overflow has been found in hiredis which could result in arbitrary code execution. Versions less than 1.0.1 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202210-32  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: hiredis, hiredis-py: Multiple Vulnerabilities  
     Date: October 31, 2022  
     Bugs: #873079, #816318  
       ID: 202210-32

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

An integer overflow has been found in hiredis which could result in  
arbitrary code execution.

Background  
==========

hiredis is a minimalistic C client library for the Redis database.

hiredis-py is a Python extension that wraps hiredis.

Affected packages  
=================

    -------------------------------------------------------------------  
     Package              /     Vulnerable     /            Unaffected  
    -------------------------------------------------------------------  
  1  dev-libs/hiredis           < 1.0.1                      >= 1.0.1  
  2  dev-python/hiredis         < 2.0.0                      >= 2.0.0

Description  
===========

Hiredis is vulnerable to integer overflow if provided maliciously  
crafted or corrupted `RESP` `mult-bulk` protocol data. When parsing  
`multi-bulk` (array-like) replies, hiredis fails to check if `count *  
sizeof(redisReply*)` can be represented in `SIZE_MAX`. If it can not,  
and the `calloc()` call doesn't itself make this check, it would result  
in a short allocation and subsequent buffer overflow.

Impact  
======

Malicious Redis commands could result in remote code execution.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All hiredis users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=dev-libs/hiredis-1.0.1"

All hiredis-py users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=dev-python/hiredis-2.0.0"

References  
==========

[ 1 ] CVE-2021-32765  
      https://nvd.nist.gov/vuln/detail/CVE-2021-32765

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202210-32

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2022 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202210-32

Debian Linux Security Advisory 5266-1 - A heap use-after-free vulnerability after overeager destruction of a shared DTD in the XML_ExternalEntityParserCreate function in Expat, an XML parsing C library, may result in denial of service or potentially the execution of arbitrary code.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5266-1                   security@debian.orghttps://www.debian.org/security/                     Salvatore BonaccorsoOctober 30, 2022                      https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : expatCVE ID         : CVE-2022-43680Debian Bug     : 1022743A heap use-after-free vulnerability after overeager destruction of ashared DTD in the XML_ExternalEntityParserCreate function in Expat, anXML parsing C library, may result in denial of service or potentiallythe execution of arbitrary code.For the stable distribution (bullseye), this problem has been fixed inversion 2.2.10-2+deb11u5.We recommend that you upgrade your expat packages.For the detailed security status of expat please refer to its securitytracker page at:https://security-tracker.debian.org/tracker/expatFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmNehABfFIAAAAAALgAoaXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xNDz0TT5RAAiDBqtdgoagQspAsmWvoT1IJw0fsx2IFA4ynzyAI33nXegNKfDUGmc9wWKVm4APPaFWvy9s4hlA7HeMUdRQRxuW2iL5q3Jnkbjcnm1kISTgxPymt0HFeJWr9TVRSQt0OqUtzzOvNAz2lSd86551EMPa/oS0fvLq/vDTC3mTL1WsoMsouJR+l7potTMtJf43G10AmfLx+XgSsfmHU2Hvf5S2PO7aEmNHic9HW7bwUqm6KF2lZs5Qo4IVykqQ3eKufLg0HZcOi+QMWxpKYzxOR/tnzYHjLAzTI7yjugBBufcaux1kYnB0ULnDLfOc+uHXuhttfji4sbEzGB9uWDX+rhtBszcaM/Ww53J8tDy3chnv93pi5em1ABQljrPjFz/+N4g4tsNgdCTvMjT332kPi6W9zFUA/iB21LP4H7xc3stGCVubZW0UVcvOu2ubCabr/XQBOtlnc4tj/L9UyQW+Rfqe9x1WHkhwTuHMg8/YcqWljv3LwTz1DXfyFF0vmSlliOr0POP7I0iJvrw647rVBaNEsVPNqFhPu5Ro5jd5y3gt+f763J692JXfTPQJc3PaJz37NCdupga7lPu1W5cSLAYtze5JxqH4XJaKFprpaGfo3OFIDas0Z5yIs8DxMbjmY9VlpMQ8vKfHYPgoKV+NRv9bKKpBLxYI/o4bq8uA4JgpE==bLU+-----END PGP SIGNATURE-----

Tag

#linux