Red Hat Security Advisory 2022-6610-01 - The kernel packages contain the Linux kernel, the core of any Linux operating system. Issues addressed include buffer overflow and heap overflow vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: kernel security, bug fix, and enhancement update  
Advisory ID:       RHSA-2022:6610-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:6610  
Issue date:        2022-09-20  
CVE Names:         CVE-2022-2078 CVE-2022-34918   
=====================================================================

1. Summary:

An update for kernel is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat CodeReady Linux Builder (v. 9) - aarch64, ppc64le, s390x, x86_64  
Red Hat Enterprise Linux AppStream (v. 9) - aarch64, noarch, ppc64le, s390x, x86_64  
Red Hat Enterprise Linux BaseOS (v. 9) - aarch64, noarch, ppc64le, s390x, x86_64

3. Description:

The kernel packages contain the Linux kernel, the core of any Linux  
operating system.

Security Fix(es):

* kernel: heap overflow in nft_set_elem_init() (CVE-2022-34918)

* kernel: vulnerability of buffer overflow in nft_set_desc_concat_parse()  
(CVE-2022-2078)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

Bug Fix(es):

* RDMA/mlx5: Fix number of allocated XLT entries (BZ#2092270)

* mlx5, Setup hanged when run test-route-nexthop-object.sh (BZ#2092535)

* many call traces from unchecked MSR access error: WRMSR to 0x199 in  
amazon i4.32xlarge instance (BZ#2099417)

* X86/platform/UV: Kernel Support Fixes for UV5 platform (BZ#2107732)

* block layer: fixes for md sync slow and softlockup at  
blk_mq_sched_dispatch_requests [9.0.0.z] (BZ#2111395)

* Fixes for NVMe/TCP dereferences an invalid, non-canonical pointer, kernel  
panic (BZ#2117755)

* Adding missing nvme fix to RHEL-9.1 (BZ#2117756)

* nvme/tcp mistakenly uses blk_mq_tag_to_rq(nvme_tcp_tagset(queue)  
(BZ#2118698)

* Important ice bug fixes (BZ#2119290)

* Power 9/ppc64le Incorrect Socket(s) & "Core(s) per socket" reported by  
lscpu command. (BZ#2121719)

Enhancement(s):

* lscpu does not show all of the support AMX flags (amx_int8, amx_bf16)   
(BZ#2108203)

* ice: Driver Update (BZ#2108204)

* iavf: Driver Update (BZ#2119477)

* i40e: Driver Update (BZ#2119479)

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

The system must be rebooted for this update to take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2096178 - CVE-2022-2078 kernel: Vulnerability of buffer overflow in nft_set_desc_concat_parse()  
2104423 - CVE-2022-34918 kernel: heap overflow in nft_set_elem_init()

6. Package List:

Red Hat Enterprise Linux AppStream (v. 9):

aarch64:  
bpftool-debuginfo-5.14.0-70.26.1.el9_0.aarch64.rpm  
kernel-debug-debuginfo-5.14.0-70.26.1.el9_0.aarch64.rpm  
kernel-debug-devel-5.14.0-70.26.1.el9_0.aarch64.rpm  
kernel-debug-devel-matched-5.14.0-70.26.1.el9_0.aarch64.rpm  
kernel-debuginfo-5.14.0-70.26.1.el9_0.aarch64.rpm  
kernel-debuginfo-common-aarch64-5.14.0-70.26.1.el9_0.aarch64.rpm  
kernel-devel-5.14.0-70.26.1.el9_0.aarch64.rpm  
kernel-devel-matched-5.14.0-70.26.1.el9_0.aarch64.rpm  
kernel-headers-5.14.0-70.26.1.el9_0.aarch64.rpm  
kernel-tools-debuginfo-5.14.0-70.26.1.el9_0.aarch64.rpm  
perf-5.14.0-70.26.1.el9_0.aarch64.rpm  
perf-debuginfo-5.14.0-70.26.1.el9_0.aarch64.rpm  
python3-perf-debuginfo-5.14.0-70.26.1.el9_0.aarch64.rpm

noarch:  
kernel-doc-5.14.0-70.26.1.el9_0.noarch.rpm

ppc64le:  
bpftool-debuginfo-5.14.0-70.26.1.el9_0.ppc64le.rpm  
kernel-debug-debuginfo-5.14.0-70.26.1.el9_0.ppc64le.rpm  
kernel-debug-devel-5.14.0-70.26.1.el9_0.ppc64le.rpm  
kernel-debug-devel-matched-5.14.0-70.26.1.el9_0.ppc64le.rpm  
kernel-debuginfo-5.14.0-70.26.1.el9_0.ppc64le.rpm  
kernel-debuginfo-common-ppc64le-5.14.0-70.26.1.el9_0.ppc64le.rpm  
kernel-devel-5.14.0-70.26.1.el9_0.ppc64le.rpm  
kernel-devel-matched-5.14.0-70.26.1.el9_0.ppc64le.rpm  
kernel-headers-5.14.0-70.26.1.el9_0.ppc64le.rpm  
kernel-tools-debuginfo-5.14.0-70.26.1.el9_0.ppc64le.rpm  
perf-5.14.0-70.26.1.el9_0.ppc64le.rpm  
perf-debuginfo-5.14.0-70.26.1.el9_0.ppc64le.rpm  
python3-perf-debuginfo-5.14.0-70.26.1.el9_0.ppc64le.rpm

s390x:  
bpftool-debuginfo-5.14.0-70.26.1.el9_0.s390x.rpm  
kernel-debug-debuginfo-5.14.0-70.26.1.el9_0.s390x.rpm  
kernel-debug-devel-5.14.0-70.26.1.el9_0.s390x.rpm  
kernel-debug-devel-matched-5.14.0-70.26.1.el9_0.s390x.rpm  
kernel-debuginfo-5.14.0-70.26.1.el9_0.s390x.rpm  
kernel-debuginfo-common-s390x-5.14.0-70.26.1.el9_0.s390x.rpm  
kernel-devel-5.14.0-70.26.1.el9_0.s390x.rpm  
kernel-devel-matched-5.14.0-70.26.1.el9_0.s390x.rpm  
kernel-headers-5.14.0-70.26.1.el9_0.s390x.rpm  
kernel-tools-debuginfo-5.14.0-70.26.1.el9_0.s390x.rpm  
kernel-zfcpdump-debuginfo-5.14.0-70.26.1.el9_0.s390x.rpm  
kernel-zfcpdump-devel-5.14.0-70.26.1.el9_0.s390x.rpm  
kernel-zfcpdump-devel-matched-5.14.0-70.26.1.el9_0.s390x.rpm  
perf-5.14.0-70.26.1.el9_0.s390x.rpm  
perf-debuginfo-5.14.0-70.26.1.el9_0.s390x.rpm  
python3-perf-debuginfo-5.14.0-70.26.1.el9_0.s390x.rpm

x86_64:  
bpftool-debuginfo-5.14.0-70.26.1.el9_0.x86_64.rpm  
kernel-debug-debuginfo-5.14.0-70.26.1.el9_0.x86_64.rpm  
kernel-debug-devel-5.14.0-70.26.1.el9_0.x86_64.rpm  
kernel-debug-devel-matched-5.14.0-70.26.1.el9_0.x86_64.rpm  
kernel-debuginfo-5.14.0-70.26.1.el9_0.x86_64.rpm  
kernel-debuginfo-common-x86_64-5.14.0-70.26.1.el9_0.x86_64.rpm  
kernel-devel-5.14.0-70.26.1.el9_0.x86_64.rpm  
kernel-devel-matched-5.14.0-70.26.1.el9_0.x86_64.rpm  
kernel-headers-5.14.0-70.26.1.el9_0.x86_64.rpm  
kernel-tools-debuginfo-5.14.0-70.26.1.el9_0.x86_64.rpm  
perf-5.14.0-70.26.1.el9_0.x86_64.rpm  
perf-debuginfo-5.14.0-70.26.1.el9_0.x86_64.rpm  
python3-perf-debuginfo-5.14.0-70.26.1.el9_0.x86_64.rpm

Red Hat Enterprise Linux BaseOS (v. 9):

Source:  
kernel-5.14.0-70.26.1.el9_0.src.rpm

aarch64:  
bpftool-5.14.0-70.26.1.el9_0.aarch64.rpm  
bpftool-debuginfo-5.14.0-70.26.1.el9_0.aarch64.rpm  
kernel-5.14.0-70.26.1.el9_0.aarch64.rpm  
kernel-core-5.14.0-70.26.1.el9_0.aarch64.rpm  
kernel-debug-5.14.0-70.26.1.el9_0.aarch64.rpm  
kernel-debug-core-5.14.0-70.26.1.el9_0.aarch64.rpm  
kernel-debug-debuginfo-5.14.0-70.26.1.el9_0.aarch64.rpm  
kernel-debug-modules-5.14.0-70.26.1.el9_0.aarch64.rpm  
kernel-debug-modules-extra-5.14.0-70.26.1.el9_0.aarch64.rpm  
kernel-debuginfo-5.14.0-70.26.1.el9_0.aarch64.rpm  
kernel-debuginfo-common-aarch64-5.14.0-70.26.1.el9_0.aarch64.rpm  
kernel-modules-5.14.0-70.26.1.el9_0.aarch64.rpm  
kernel-modules-extra-5.14.0-70.26.1.el9_0.aarch64.rpm  
kernel-tools-5.14.0-70.26.1.el9_0.aarch64.rpm  
kernel-tools-debuginfo-5.14.0-70.26.1.el9_0.aarch64.rpm  
kernel-tools-libs-5.14.0-70.26.1.el9_0.aarch64.rpm  
perf-debuginfo-5.14.0-70.26.1.el9_0.aarch64.rpm  
python3-perf-5.14.0-70.26.1.el9_0.aarch64.rpm  
python3-perf-debuginfo-5.14.0-70.26.1.el9_0.aarch64.rpm

noarch:  
kernel-abi-stablelists-5.14.0-70.26.1.el9_0.noarch.rpm

ppc64le:  
bpftool-5.14.0-70.26.1.el9_0.ppc64le.rpm  
bpftool-debuginfo-5.14.0-70.26.1.el9_0.ppc64le.rpm  
kernel-5.14.0-70.26.1.el9_0.ppc64le.rpm  
kernel-core-5.14.0-70.26.1.el9_0.ppc64le.rpm  
kernel-debug-5.14.0-70.26.1.el9_0.ppc64le.rpm  
kernel-debug-core-5.14.0-70.26.1.el9_0.ppc64le.rpm  
kernel-debug-debuginfo-5.14.0-70.26.1.el9_0.ppc64le.rpm  
kernel-debug-modules-5.14.0-70.26.1.el9_0.ppc64le.rpm  
kernel-debug-modules-extra-5.14.0-70.26.1.el9_0.ppc64le.rpm  
kernel-debuginfo-5.14.0-70.26.1.el9_0.ppc64le.rpm  
kernel-debuginfo-common-ppc64le-5.14.0-70.26.1.el9_0.ppc64le.rpm  
kernel-modules-5.14.0-70.26.1.el9_0.ppc64le.rpm  
kernel-modules-extra-5.14.0-70.26.1.el9_0.ppc64le.rpm  
kernel-tools-5.14.0-70.26.1.el9_0.ppc64le.rpm  
kernel-tools-debuginfo-5.14.0-70.26.1.el9_0.ppc64le.rpm  
kernel-tools-libs-5.14.0-70.26.1.el9_0.ppc64le.rpm  
perf-debuginfo-5.14.0-70.26.1.el9_0.ppc64le.rpm  
python3-perf-5.14.0-70.26.1.el9_0.ppc64le.rpm  
python3-perf-debuginfo-5.14.0-70.26.1.el9_0.ppc64le.rpm

s390x:  
bpftool-5.14.0-70.26.1.el9_0.s390x.rpm  
bpftool-debuginfo-5.14.0-70.26.1.el9_0.s390x.rpm  
kernel-5.14.0-70.26.1.el9_0.s390x.rpm  
kernel-core-5.14.0-70.26.1.el9_0.s390x.rpm  
kernel-debug-5.14.0-70.26.1.el9_0.s390x.rpm  
kernel-debug-core-5.14.0-70.26.1.el9_0.s390x.rpm  
kernel-debug-debuginfo-5.14.0-70.26.1.el9_0.s390x.rpm  
kernel-debug-modules-5.14.0-70.26.1.el9_0.s390x.rpm  
kernel-debug-modules-extra-5.14.0-70.26.1.el9_0.s390x.rpm  
kernel-debuginfo-5.14.0-70.26.1.el9_0.s390x.rpm  
kernel-debuginfo-common-s390x-5.14.0-70.26.1.el9_0.s390x.rpm  
kernel-modules-5.14.0-70.26.1.el9_0.s390x.rpm  
kernel-modules-extra-5.14.0-70.26.1.el9_0.s390x.rpm  
kernel-tools-5.14.0-70.26.1.el9_0.s390x.rpm  
kernel-tools-debuginfo-5.14.0-70.26.1.el9_0.s390x.rpm  
kernel-zfcpdump-5.14.0-70.26.1.el9_0.s390x.rpm  
kernel-zfcpdump-core-5.14.0-70.26.1.el9_0.s390x.rpm  
kernel-zfcpdump-debuginfo-5.14.0-70.26.1.el9_0.s390x.rpm  
kernel-zfcpdump-modules-5.14.0-70.26.1.el9_0.s390x.rpm  
kernel-zfcpdump-modules-extra-5.14.0-70.26.1.el9_0.s390x.rpm  
perf-debuginfo-5.14.0-70.26.1.el9_0.s390x.rpm  
python3-perf-5.14.0-70.26.1.el9_0.s390x.rpm  
python3-perf-debuginfo-5.14.0-70.26.1.el9_0.s390x.rpm

x86_64:  
bpftool-5.14.0-70.26.1.el9_0.x86_64.rpm  
bpftool-debuginfo-5.14.0-70.26.1.el9_0.x86_64.rpm  
kernel-5.14.0-70.26.1.el9_0.x86_64.rpm  
kernel-core-5.14.0-70.26.1.el9_0.x86_64.rpm  
kernel-debug-5.14.0-70.26.1.el9_0.x86_64.rpm  
kernel-debug-core-5.14.0-70.26.1.el9_0.x86_64.rpm  
kernel-debug-debuginfo-5.14.0-70.26.1.el9_0.x86_64.rpm  
kernel-debug-modules-5.14.0-70.26.1.el9_0.x86_64.rpm  
kernel-debug-modules-extra-5.14.0-70.26.1.el9_0.x86_64.rpm  
kernel-debuginfo-5.14.0-70.26.1.el9_0.x86_64.rpm  
kernel-debuginfo-common-x86_64-5.14.0-70.26.1.el9_0.x86_64.rpm  
kernel-modules-5.14.0-70.26.1.el9_0.x86_64.rpm  
kernel-modules-extra-5.14.0-70.26.1.el9_0.x86_64.rpm  
kernel-tools-5.14.0-70.26.1.el9_0.x86_64.rpm  
kernel-tools-debuginfo-5.14.0-70.26.1.el9_0.x86_64.rpm  
kernel-tools-libs-5.14.0-70.26.1.el9_0.x86_64.rpm  
perf-debuginfo-5.14.0-70.26.1.el9_0.x86_64.rpm  
python3-perf-5.14.0-70.26.1.el9_0.x86_64.rpm  
python3-perf-debuginfo-5.14.0-70.26.1.el9_0.x86_64.rpm

Red Hat CodeReady Linux Builder (v. 9):

aarch64:  
bpftool-debuginfo-5.14.0-70.26.1.el9_0.aarch64.rpm  
kernel-cross-headers-5.14.0-70.26.1.el9_0.aarch64.rpm  
kernel-debug-debuginfo-5.14.0-70.26.1.el9_0.aarch64.rpm  
kernel-debuginfo-5.14.0-70.26.1.el9_0.aarch64.rpm  
kernel-debuginfo-common-aarch64-5.14.0-70.26.1.el9_0.aarch64.rpm  
kernel-tools-debuginfo-5.14.0-70.26.1.el9_0.aarch64.rpm  
kernel-tools-libs-devel-5.14.0-70.26.1.el9_0.aarch64.rpm  
perf-debuginfo-5.14.0-70.26.1.el9_0.aarch64.rpm  
python3-perf-debuginfo-5.14.0-70.26.1.el9_0.aarch64.rpm

ppc64le:  
bpftool-debuginfo-5.14.0-70.26.1.el9_0.ppc64le.rpm  
kernel-cross-headers-5.14.0-70.26.1.el9_0.ppc64le.rpm  
kernel-debug-debuginfo-5.14.0-70.26.1.el9_0.ppc64le.rpm  
kernel-debuginfo-5.14.0-70.26.1.el9_0.ppc64le.rpm  
kernel-debuginfo-common-ppc64le-5.14.0-70.26.1.el9_0.ppc64le.rpm  
kernel-tools-debuginfo-5.14.0-70.26.1.el9_0.ppc64le.rpm  
kernel-tools-libs-devel-5.14.0-70.26.1.el9_0.ppc64le.rpm  
perf-debuginfo-5.14.0-70.26.1.el9_0.ppc64le.rpm  
python3-perf-debuginfo-5.14.0-70.26.1.el9_0.ppc64le.rpm

s390x:  
bpftool-debuginfo-5.14.0-70.26.1.el9_0.s390x.rpm  
kernel-cross-headers-5.14.0-70.26.1.el9_0.s390x.rpm  
kernel-debug-debuginfo-5.14.0-70.26.1.el9_0.s390x.rpm  
kernel-debuginfo-5.14.0-70.26.1.el9_0.s390x.rpm  
kernel-debuginfo-common-s390x-5.14.0-70.26.1.el9_0.s390x.rpm  
kernel-tools-debuginfo-5.14.0-70.26.1.el9_0.s390x.rpm  
kernel-zfcpdump-debuginfo-5.14.0-70.26.1.el9_0.s390x.rpm  
perf-debuginfo-5.14.0-70.26.1.el9_0.s390x.rpm  
python3-perf-debuginfo-5.14.0-70.26.1.el9_0.s390x.rpm

x86_64:  
bpftool-debuginfo-5.14.0-70.26.1.el9_0.x86_64.rpm  
kernel-cross-headers-5.14.0-70.26.1.el9_0.x86_64.rpm  
kernel-debug-debuginfo-5.14.0-70.26.1.el9_0.x86_64.rpm  
kernel-debuginfo-5.14.0-70.26.1.el9_0.x86_64.rpm  
kernel-debuginfo-common-x86_64-5.14.0-70.26.1.el9_0.x86_64.rpm  
kernel-tools-debuginfo-5.14.0-70.26.1.el9_0.x86_64.rpm  
kernel-tools-libs-devel-5.14.0-70.26.1.el9_0.x86_64.rpm  
perf-debuginfo-5.14.0-70.26.1.el9_0.x86_64.rpm  
python3-perf-debuginfo-5.14.0-70.26.1.el9_0.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-2078  
https://access.redhat.com/security/cve/CVE-2022-34918  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYypfhdzjgjWX9erEAQjSpg//Y3ak+k0a3QlbNSwSEH9F0GLE0KOV9tk+  
xPp+xXuUzNJ7iQ3+UhgksBs1faIBtvNgpURFZ2xsvIY3Z1TtuK0G7bBLffd0yO9J  
6fTDVZmeeCrlmwrWtKCT/2rm10tAk/zQA2BftzG6M/1fcFjfKB1N/k+KXwp9Jt/n  
1WC19sEAZWAUGW2Fxe7500HvN6Q/24EWPn2OcYGdXzS/XNqJwdK148OYg0A6pBtT  
hk7NOXMJr8fTABdg3BPnEXly1udTUgJnF0gvOl0tB6WNLxnHxc/61XnWIAk9/OYp  
DchPL+f7G/lH+5O2EgJG5OaFaUrznkbu8U1zEGOS1rZCdP9kMrX552P60jD4br4/  
K1YASzwh6bp9UqJKtBEW6O2hX+s89o8Hzuyrdnz8Cy2AMD8Q0ceqnu8bTWhKHf/l  
daeLjh2vLXNRMeQZEpaYtiOOQNIGmVA1n/Zd1A+GoNcFmvGbQ4+G8l18GSvXc09V  
A0o5vL6fwssDeLCkuQi+pw5YBgvPC083Q9tQH9TS2Fr13unk5H3bj3duMzI4t0Ao  
g0E+jKR7VaVCA2B0syXr5XyWqKZ4pFIQZKq547LpdjivCLnvuD3WsTNwGxTkSm2u  
Aq0jQvXi2A2bZwd+PrsfWqAqVr9i7G3+vElmsPD9p6tajT4z/1iCbhC0YMqncE7P  
aCsumFjp/qg=  
=bwiS  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-6610-01

Red Hat Security Advisory 2022-6634-01 - WebKitGTK is the port of the portable web rendering engine WebKit to the GTK platform. Issues addressed include a code execution vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Moderate: webkit2gtk3 security update  
Advisory ID:       RHSA-2022:6634-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:6634  
Issue date:        2022-09-20  
CVE Names:         CVE-2022-32893   
=====================================================================

1. Summary:

An update for webkit2gtk3 is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 9) - aarch64, ppc64le, s390x, x86_64

3. Description:

WebKitGTK is the port of the portable web rendering engine WebKit to the  
GTK platform.

The following packages have been upgraded to a later upstream version:  
webkit2gtk3 (2.36.7).

Security Fix(es):

* webkitgtk: processing maliciously crafted web content may lead to  
arbitrary code execution (CVE-2022-32893)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2121645 - CVE-2022-32893 webkitgtk: processing maliciously crafted web content may lead to arbitrary code execution

6. Package List:

Red Hat Enterprise Linux AppStream (v. 9):

Source:  
webkit2gtk3-2.36.7-1.el9_0.src.rpm

aarch64:  
webkit2gtk3-2.36.7-1.el9_0.aarch64.rpm  
webkit2gtk3-debuginfo-2.36.7-1.el9_0.aarch64.rpm  
webkit2gtk3-debugsource-2.36.7-1.el9_0.aarch64.rpm  
webkit2gtk3-devel-2.36.7-1.el9_0.aarch64.rpm  
webkit2gtk3-devel-debuginfo-2.36.7-1.el9_0.aarch64.rpm  
webkit2gtk3-jsc-2.36.7-1.el9_0.aarch64.rpm  
webkit2gtk3-jsc-debuginfo-2.36.7-1.el9_0.aarch64.rpm  
webkit2gtk3-jsc-devel-2.36.7-1.el9_0.aarch64.rpm  
webkit2gtk3-jsc-devel-debuginfo-2.36.7-1.el9_0.aarch64.rpm

ppc64le:  
webkit2gtk3-2.36.7-1.el9_0.ppc64le.rpm  
webkit2gtk3-debuginfo-2.36.7-1.el9_0.ppc64le.rpm  
webkit2gtk3-debugsource-2.36.7-1.el9_0.ppc64le.rpm  
webkit2gtk3-devel-2.36.7-1.el9_0.ppc64le.rpm  
webkit2gtk3-devel-debuginfo-2.36.7-1.el9_0.ppc64le.rpm  
webkit2gtk3-jsc-2.36.7-1.el9_0.ppc64le.rpm  
webkit2gtk3-jsc-debuginfo-2.36.7-1.el9_0.ppc64le.rpm  
webkit2gtk3-jsc-devel-2.36.7-1.el9_0.ppc64le.rpm  
webkit2gtk3-jsc-devel-debuginfo-2.36.7-1.el9_0.ppc64le.rpm

s390x:  
webkit2gtk3-2.36.7-1.el9_0.s390x.rpm  
webkit2gtk3-debuginfo-2.36.7-1.el9_0.s390x.rpm  
webkit2gtk3-debugsource-2.36.7-1.el9_0.s390x.rpm  
webkit2gtk3-devel-2.36.7-1.el9_0.s390x.rpm  
webkit2gtk3-devel-debuginfo-2.36.7-1.el9_0.s390x.rpm  
webkit2gtk3-jsc-2.36.7-1.el9_0.s390x.rpm  
webkit2gtk3-jsc-debuginfo-2.36.7-1.el9_0.s390x.rpm  
webkit2gtk3-jsc-devel-2.36.7-1.el9_0.s390x.rpm  
webkit2gtk3-jsc-devel-debuginfo-2.36.7-1.el9_0.s390x.rpm

x86_64:  
webkit2gtk3-2.36.7-1.el9_0.i686.rpm  
webkit2gtk3-2.36.7-1.el9_0.x86_64.rpm  
webkit2gtk3-debuginfo-2.36.7-1.el9_0.i686.rpm  
webkit2gtk3-debuginfo-2.36.7-1.el9_0.x86_64.rpm  
webkit2gtk3-debugsource-2.36.7-1.el9_0.i686.rpm  
webkit2gtk3-debugsource-2.36.7-1.el9_0.x86_64.rpm  
webkit2gtk3-devel-2.36.7-1.el9_0.i686.rpm  
webkit2gtk3-devel-2.36.7-1.el9_0.x86_64.rpm  
webkit2gtk3-devel-debuginfo-2.36.7-1.el9_0.i686.rpm  
webkit2gtk3-devel-debuginfo-2.36.7-1.el9_0.x86_64.rpm  
webkit2gtk3-jsc-2.36.7-1.el9_0.i686.rpm  
webkit2gtk3-jsc-2.36.7-1.el9_0.x86_64.rpm  
webkit2gtk3-jsc-debuginfo-2.36.7-1.el9_0.i686.rpm  
webkit2gtk3-jsc-debuginfo-2.36.7-1.el9_0.x86_64.rpm  
webkit2gtk3-jsc-devel-2.36.7-1.el9_0.i686.rpm  
webkit2gtk3-jsc-devel-2.36.7-1.el9_0.x86_64.rpm  
webkit2gtk3-jsc-devel-debuginfo-2.36.7-1.el9_0.i686.rpm  
webkit2gtk3-jsc-devel-debuginfo-2.36.7-1.el9_0.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-32893  
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYypfctzjgjWX9erEAQjA2g//RRYnsrJwmLSw/YoPS09EbxgsAaJ1RtRo  
qkrYvpnvgUUcR8R9DBzn7BLmPq2t/2sQBO7xI5i0Kl1c1EszV3+Zy8gLhNWc0A0+  
KPdWKbrE2pEd7SCI171Jmphq62q6leogd53Wj0KHaVIjjxO6pnoQqwlKWAELpk0f  
6jd9TQqvdiynZuHTELTj2AlkqYDP/Lola+hsNAfAm0klKs+QMPujtqP02t8pd4NA  
NL0Jn4EjSXQHKp/2xDIw04SX+ZaBhONmnxe9BP+oD7xrdO1MiENph+SRrIH0kIGV  
kE2aOvOymNe2g1VIW3a3flbt73XP7/wBi6fY61vh8wu3vrIgarUFDsVTuXUbqON6  
REw36NZP67ypl83h7odbLVPa0BQ7LHb1ALlZqQ0q717tbeTu/vzRhpyqzlEdJ3/v  
tpqzLbwYpmWM9l5a7WRAgEGBk/5n/wSP0hSWvM16nT/E+F4gmf6DsaTMVdhlxbRI  
Y+pSNtUHMRm7d3CA/VsfS7cAyLMiqrLE7StwSj0DkPT/Tz4LCUXy5TkCy4rTB7Bg  
cwNdK2d/JB0zpKmi1K1YguA5dYAClxMF4SEy2EwwlbL62wZUzsyMuOOyXq9aStlE  
ILicD7q9fjhDKEAodB5y2/XoB6xUpbszrT7dOjvwMs9FrthdNLeOvB91/aCt/tcF  
wRVOZr938yc=  
=OoQv  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-6634-01

Red Hat Security Advisory 2022-6602-01 - The GNU Privacy Guard is a tool for encrypting data and creating digital signatures, compliant with OpenPGP and S/MIME standards. Issues addressed include a spoofing vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Moderate: gnupg2 security update  
Advisory ID:       RHSA-2022:6602-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:6602  
Issue date:        2022-09-20  
CVE Names:         CVE-2022-34903   
=====================================================================

1. Summary:

An update for gnupg2 is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 9) - aarch64, ppc64le, s390x, x86_64  
Red Hat Enterprise Linux BaseOS (v. 9) - aarch64, ppc64le, s390x, x86_64

3. Description:

The GNU Privacy Guard (GnuPG or GPG) is a tool for encrypting data and  
creating digital signatures, compliant with OpenPGP and S/MIME standards.

Security Fix(es):

* gpg: Signature spoofing via status line injection (CVE-2022-34903)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2102868 - CVE-2022-34903 gpg: Signature spoofing via status line injection

6. Package List:

Red Hat Enterprise Linux AppStream (v. 9):

aarch64:  
gnupg2-debuginfo-2.3.3-2.el9_0.aarch64.rpm  
gnupg2-debugsource-2.3.3-2.el9_0.aarch64.rpm  
gnupg2-smime-2.3.3-2.el9_0.aarch64.rpm  
gnupg2-smime-debuginfo-2.3.3-2.el9_0.aarch64.rpm

ppc64le:  
gnupg2-debuginfo-2.3.3-2.el9_0.ppc64le.rpm  
gnupg2-debugsource-2.3.3-2.el9_0.ppc64le.rpm  
gnupg2-smime-2.3.3-2.el9_0.ppc64le.rpm  
gnupg2-smime-debuginfo-2.3.3-2.el9_0.ppc64le.rpm

s390x:  
gnupg2-debuginfo-2.3.3-2.el9_0.s390x.rpm  
gnupg2-debugsource-2.3.3-2.el9_0.s390x.rpm  
gnupg2-smime-2.3.3-2.el9_0.s390x.rpm  
gnupg2-smime-debuginfo-2.3.3-2.el9_0.s390x.rpm

x86_64:  
gnupg2-debuginfo-2.3.3-2.el9_0.x86_64.rpm  
gnupg2-debugsource-2.3.3-2.el9_0.x86_64.rpm  
gnupg2-smime-2.3.3-2.el9_0.x86_64.rpm  
gnupg2-smime-debuginfo-2.3.3-2.el9_0.x86_64.rpm

Red Hat Enterprise Linux BaseOS (v. 9):

Source:  
gnupg2-2.3.3-2.el9_0.src.rpm

aarch64:  
gnupg2-2.3.3-2.el9_0.aarch64.rpm  
gnupg2-debuginfo-2.3.3-2.el9_0.aarch64.rpm  
gnupg2-debugsource-2.3.3-2.el9_0.aarch64.rpm  
gnupg2-smime-debuginfo-2.3.3-2.el9_0.aarch64.rpm

ppc64le:  
gnupg2-2.3.3-2.el9_0.ppc64le.rpm  
gnupg2-debuginfo-2.3.3-2.el9_0.ppc64le.rpm  
gnupg2-debugsource-2.3.3-2.el9_0.ppc64le.rpm  
gnupg2-smime-debuginfo-2.3.3-2.el9_0.ppc64le.rpm

s390x:  
gnupg2-2.3.3-2.el9_0.s390x.rpm  
gnupg2-debuginfo-2.3.3-2.el9_0.s390x.rpm  
gnupg2-debugsource-2.3.3-2.el9_0.s390x.rpm  
gnupg2-smime-debuginfo-2.3.3-2.el9_0.s390x.rpm

x86_64:  
gnupg2-2.3.3-2.el9_0.x86_64.rpm  
gnupg2-debuginfo-2.3.3-2.el9_0.x86_64.rpm  
gnupg2-debugsource-2.3.3-2.el9_0.x86_64.rpm  
gnupg2-smime-debuginfo-2.3.3-2.el9_0.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-34903  
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYypfX9zjgjWX9erEAQiOvhAAhVRPZMa292T4ShXZAj/q0CrQorvNe2nQ  
yvOLbVmhP1hoGNczgXjCCaO8j72n2ZW4jDW1Y+iTIwdthKUWBp8+OjAJOeVjUuex  
8BWX36sbIND6cNaRPhdayAaMt23nTkOqEKOHZQiAVkGdZefRQm0NCEnutsaGxc4f  
9zg90wOrO3NCpIY5BbSqoa/yRPShL9c/myjeqngmaeviuDY435+cH+mRJtHiIEee  
RJld/ltoOoGwJSMiNr4fXLoFuPAYlSKvKYf4NPehRve3ykdgm492NIZgtSFcZs5I  
XkjmMJGqNHP6Q0a5+3Z89j1sFZR8uXH+sV0ZpW7RsdRqnzZULuXjBIv/8d3sZywM  
mxruNtaYOsmIh8uUzvkd2c/2gUKjKv9pO2o/Au4nq6dE1axWy1WLEvTUztk5sZ8N  
d0/y4t904ABz6u5aYADoObmCyULEkjY75FAcyzl6Zvayw9/SJH52pOPgYLzqR8Tu  
wOOgVdFtQju+5/ASzpuVnN6AjxcrBsTvEKOBI8zHTqlzaq6QpaZlO8etdcc2TXHV  
eVdSzlBbt0aZuqxhJD+y0N4N9/Oapq2JFjyaF6pac8wrcRrX8/j5FoOQPE/P4OOI  
qBGwF5WhU53uRoXYEMGT4GrgQfyuQypCbUUjTSkxcI4bidX3U2e5iT0cg4Kjv7qK  
tqtXxkGaWqc=  
=ep9h  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-6602-01

In drivers/media/dvb-core/dmxdev.c in the Linux kernel through 5.19.10, there is a use-after-free caused by refcount races, affecting dvb_demux_open and dvb_dmxdev_release.

Age

Commit message (Expand)

Author

Files

Lines

2021-11-19

media: dvb-core: Convert to SPDX identifier

Cai Huoqing

1

\-11/+1

2021-11-19

media: dmxdev: fix UAF when dvb\_register\_device() fails

Wang Hai

1

\-3/+15

2021-06-09

media: dmxdev: change the check for problems allocing secfeed

Mauro Carvalho Chehab

1

\-1/+1

2019-02-18

media: dvb-core: fix epoll() by calling poll\_wait first

Hans Verkuil

1

\-4/+4

2018-09-12

media: dvb: dmxdev: move compat\_ioctl handling to dmxdev.c

Arnd Bergmann

1

\-0/+1

2018-06-12

treewide: Use array\_size() in vmalloc()

Kees Cook

1

\-1/+2

2018-05-09

media: Revert cleanup ktime\_set() usage

Jasmin Jessich

1

\-1/+1

2018-02-23

media: dvb: update buffer mmaped flags and frame counter

Mauro Carvalho Chehab

1

\-9/+15

2018-02-23

media: dmxdev: Fix the logic that enables DMA mmap support

Mauro Carvalho Chehab

1

\-33/+42

2018-02-23

media: dmxdev: fix error code for invalid ioctls

Mauro Carvalho Chehab

1

\-1/+1

2018-02-23

media: dvb: fix DVB\_MMAP symbol name

Arnd Bergmann

1

\-15/+15

2018-02-11

vfs: do bulk POLL\* -> EPOLL\* replacement

Linus Torvalds

1

\-7/+7

2018-02-06

Merge tag 'media/v4.16-2' of git://git.kernel.org/pub/scm/linux/kernel/git/mc...

Linus Torvalds

1

\-21/+211

2017-12-28

media: move dvb kAPI headers to include/media

Mauro Carvalho Chehab

1

\-2/+2

2017-12-28

media: dvb-core: make DVB mmap API optional

Mauro Carvalho Chehab

1

\-8/+58

2017-12-28

media: videobuf2: Add new uAPI for DVB streaming I/O

Satendra Singh Thakur

1

\-28/+168

2017-11-27

media: annotate ->poll() instances

Al Viro

1

\-4/+4

2017-10-31

media: dvb-core: Convert timers to use timer\_setup()

Kees Cook

1

\-5/+3

2017-09-05

media: get rid of removed DMX\_GET\_CAPS and DMX\_SET\_SOURCE leftovers

Mauro Carvalho Chehab

1

\-20/+0

2017-09-05

media: dmx.h: split typedefs from structs

Mauro Carvalho Chehab

1

\-2/+2

2017-02-03

\[media\] media: dvb: dmx: fixed coding style issues of spacing

devendra sharma

1

\-5/+7

2017-01-27

\[media\] media: Drop FSF's postal address from the source code files

Sakari Ailus

1

\-4/+0

2016-12-25

ktime: Cleanup ktime\_set() usage

Thomas Gleixner

1

\-1/+1

2016-12-24

Replace <asm/uaccess.h> with <linux/uaccess.h> globally

Linus Torvalds

1

\-1/+1

2016-10-21

\[media\] dvb-core: get rid of demux optional circular buffer

Mauro Carvalho Chehab

1

\-2/+2

2016-10-21

\[media\] dvb-core: use pr\_foo() instead of printk()

Mauro Carvalho Chehab

1

\-9/+15

2016-07-08

\[media\] dvb: use ktime\_t for internal timeout

Arnd Bergmann

1

\-1/+1

2016-01-11

\[media\] dvb: modify core to implement interfaces/entities at MC new gen

Mauro Carvalho Chehab

1

\-2/+2

2015-10-06

\[media\] dvb: get rid of enum dmx\_success

Mauro Carvalho Chehab

1

\-4/+2

2015-10-06

\[media\] dvb: don't keep support for undocumented features

Mauro Carvalho Chehab

1

\-0/+4

2015-02-26

\[media\] dvb core: rename the media controller entities

Mauro Carvalho Chehab

1

\-2/+2

2015-02-13

\[media\] dmxdev: add support for demux/dvr nodes at media controller

Mauro Carvalho Chehab

1

\-3/+8

2014-09-03

\[media\] dmxdev: don't use before checking file->private\_data

Mauro Carvalho Chehab

1

\-2/+1

2014-09-02

\[media\] media: check status of dmxdev->exit in poll functions of demux&dvr

Changbing Xiong

1

\-1/+5

2014-09-02

\[media\] media: correct return value in dvb\_demux\_poll

Changbing Xiong

1

\-1/+1

2013-10-24

dmxdev: get rid of pointless clearing ->f\_op

Al Viro

1

\-4/+0

2013-06-19

\[media\] media: dmxdev: remove dvb\_ringbuffer\_flush() on writer side

Soeren Moch

1

\-6/+2

2013-04-08

\[media\] demux.h: Remove duplicated enum

Mauro Carvalho Chehab

1

\-1/+1

2013-03-04

\[media\] mb86a20s: change AGC tuning parameters

Mauro Carvalho Chehab

1

\-1/+2

2012-10-28

\[media\] dmxdev: fix a comparition of unsigned expression warning

Mauro Carvalho Chehab

1

\-1/+1

2012-08-13

\[media\] dvb: move the dvb core one level up

Mauro Carvalho Chehab

1

\-0/+1275

CVE-2022-41218: git/torvalds/linux.git - Linux kernel source tree

SWFTools commit 772e55a2 was discovered to contain a heap-buffer overflow via __asan_memcpy at /asan/asan_interceptors_memintrinsics.cpp:.

Permalink

**Product Link**

https://github.com/matthiaskramm/swftools

**POC file**

https://github.com/matthiaskramm/swftools/files/9034327/id1\_HEAP\_BUFFER\_OVERFLOW.zip

**Command to reproduce**

    ./gif2swf -o /dev/null [sample file]
    

**Product name & version**

last github commit code : 772e55a

**Problem Type****Crash Detail**

    ==32466==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x619000000964 at pc 0x0000004ae3e4 bp 0x7ffce30cd590 sp 0x7ffce30ccd40
    WRITE of size 8 at 0x619000000964 thread T0
        #0 0x4ae3e3 in __asan_memcpy /home/bupt/Desktop/tools/llvm-12.0.1/llvm/projects/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:22
        #1 0x4f8002 in MovieAddFrame /home/bupt/Desktop/swftools/src/gif2swf.c:328:25
        #2 0x4fb951 in main /home/bupt/Desktop/swftools/src/gif2swf.c:728:17
        #3 0x7f9f1d7dec86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
        #4 0x41cfb9 in _start (/home/bupt/Desktop/swftools/build/bin/gif2swf+0x41cfb9)
    
    0x619000000964 is located 4 bytes to the right of 992-byte region [0x619000000580,0x619000000960)
    allocated by thread T0 here:
        #0 0x4af580 in malloc /home/bupt/Desktop/tools/llvm-12.0.1/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:145
        #1 0x4f698e in MovieAddFrame /home/bupt/Desktop/swftools/src/gif2swf.c:310:29
        #2 0x4fb951 in main /home/bupt/Desktop/swftools/src/gif2swf.c:728:17
        #3 0x7f9f1d7dec86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /home/bupt/Desktop/tools/llvm-12.0.1/llvm/projects/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:22 in __asan_memcpy
    Shadow bytes around the buggy address:
      0x0c327fff80d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c327fff80e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c327fff80f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c327fff8100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c327fff8110: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x0c327fff8120: 00 00 00 00 00 00 00 00 00 00 00 00[fa]fa fa fa
      0x0c327fff8130: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c327fff8140: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c327fff8150: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c327fff8160: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c327fff8170: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==32466==ABORTING
    

**Crash summary**

    SUMMARY: AddressSanitizer: heap-buffer-overflow /home/bupt/Desktop/tools/llvm-12.0.1/llvm/projects/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:22 in __asan_memcpy

CVE-2022-35090: Poc/CVE-2022-35090.md at main · Cvjark/Poc

SWFTools commit 772e55a2 was discovered to contain a heap-buffer-overflow via getTransparentColor at /home/bupt/Desktop/swftools/src/gif2swf.

Permalink

Cannot retrieve contributors at this time

**Product Link**

https://github.com/matthiaskramm/swftools

**POC file**

https://github.com/matthiaskramm/swftools/files/9034336/id47\_HEAP\_BUFFER\_OVERFLOW.zip

**Command to reproduce**

    ./gif2swf -o /dev/null [sample file]
    

**Product name & version**

last github commit code : 772e55a

**Problem Type****Crash Detail**

    ==117675==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000065f3 at pc 0x0000004f95d9 bp 0x7ffe740a8c50 sp 0x7ffe740a8c48
    READ of size 1 at 0x6020000065f3 thread T0
        #0 0x4f95d8 in getTransparentColor /home/bupt/Desktop/swftools/src/gif2swf.c:141:20
        #1 0x4f95d8 in MovieAddFrame /home/bupt/Desktop/swftools/src/gif2swf.c:269:20
        #2 0x4fb9d9 in main /home/bupt/Desktop/swftools/src/gif2swf.c:730:21
        #3 0x7f7d9a8e5c86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
        #4 0x41cfb9 in _start (/home/bupt/Desktop/swftools/build/bin/gif2swf+0x41cfb9)
    
    0x6020000065f3 is located 0 bytes to the right of 3-byte region [0x6020000065f0,0x6020000065f3)
    allocated by thread T0 here:
        #0 0x4af580 in malloc /home/bupt/Desktop/tools/llvm-12.0.1/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:145
        #1 0x7f7d9c21919a in GifAddExtensionBlock (/usr/lib/x86_64-linux-gnu/libgif.so.7+0x519a)
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /home/bupt/Desktop/swftools/src/gif2swf.c:141:20 in getTransparentColor
    Shadow bytes around the buggy address:
      0x0c047fff8c60: fa fa 06 fa fa fa 04 fa fa fa fd fd fa fa 00 04
      0x0c047fff8c70: fa fa 00 00 fa fa 06 fa fa fa 04 fa fa fa 00 00
      0x0c047fff8c80: fa fa 06 fa fa fa 04 fa fa fa 04 fa fa fa 00 00
      0x0c047fff8c90: fa fa 06 fa fa fa 04 fa fa fa 04 fa fa fa 00 03
      0x0c047fff8ca0: fa fa 03 fa fa fa 04 fa fa fa 00 00 fa fa 01 fa
    =>0x0c047fff8cb0: fa fa 06 fa fa fa 04 fa fa fa 03 fa fa fa[03]fa
      0x0c047fff8cc0: fa fa 01 fa fa fa 06 fa fa fa 04 fa fa fa 04 fa
      0x0c047fff8cd0: fa fa 00 00 fa fa 06 fa fa fa 04 fa fa fa fa fa
      0x0c047fff8ce0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8cf0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8d00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==117675==ABORTING
    

**Crash summary**

    SUMMARY: AddressSanitizer: heap-buffer-overflow /home/bupt/Desktop/swftools/src/gif2swf.c:141:20 in getTransparentColor

CVE-2022-35089: Poc/CVE-2022-35089.md at main · Cvjark/Poc

SWFTools commit 772e55a2 was discovered to contain a memory leak via /lib/mem.c.

Permalink

**Product Link**

https://github.com/matthiaskramm/swftools

**POC file**

https://github.com/matthiaskramm/swftools/files/9034341/id15\_memory\_leak.zip

**Command to reproduce**

    ./gif2swf -o /dev/null [sample file]
    

**Product name & version**

last github commit code : 772e55a

**Problem Type****Crash Detail**

    ==32723==ERROR: LeakSanitizer: detected memory leaks
    
    Direct leak of 56 byte(s) in 1 object(s) allocated from:
        #0 0x4af748 in calloc /home/bupt/Desktop/tools/llvm-12.0.1/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:154
        #1 0x588b93 in rfx_calloc /home/bupt/Desktop/swftools/lib/mem.c:69:9
        #2 0x4fb951 in main /home/bupt/Desktop/swftools/src/gif2swf.c:728:17
        #3 0x7fb865a10c86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
    
    Direct leak of 56 byte(s) in 1 object(s) allocated from:
        #0 0x4af748 in calloc /home/bupt/Desktop/tools/llvm-12.0.1/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:154
        #1 0x588b93 in rfx_calloc /home/bupt/Desktop/swftools/lib/mem.c:69:9
        #2 0x4fb9d9 in main /home/bupt/Desktop/swftools/src/gif2swf.c:730:21
        #3 0x7fb865a10c86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
    
    Indirect leak of 64 byte(s) in 1 object(s) allocated from:
        #0 0x4af580 in malloc /home/bupt/Desktop/tools/llvm-12.0.1/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:145
        #1 0x58897e in rfx_alloc /home/bupt/Desktop/swftools/lib/mem.c:30:9
        #2 0x51e69a in swf_ShapeAddBitmapFillStyle /home/bupt/Desktop/swftools/lib/modules/swfshape.c:312:10
        #3 0x4fb9d9 in main /home/bupt/Desktop/swftools/src/gif2swf.c:730:21
        #4 0x7fb865a10c86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
    
    Indirect leak of 64 byte(s) in 1 object(s) allocated from:
        #0 0x4af580 in malloc /home/bupt/Desktop/tools/llvm-12.0.1/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:145
        #1 0x58897e in rfx_alloc /home/bupt/Desktop/swftools/lib/mem.c:30:9
        #2 0x51e69a in swf_ShapeAddBitmapFillStyle /home/bupt/Desktop/swftools/lib/modules/swfshape.c:312:10
        #3 0x4fb951 in main /home/bupt/Desktop/swftools/src/gif2swf.c:728:17
        #4 0x7fb865a10c86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
    
    SUMMARY: AddressSanitizer: 240 byte(s) leaked in 4 allocation(s).
    info: No menu item '=' in node '(dir)Top'==32723==ERROR: LeakSanitizer: detected memory leaks
    
    Direct leak of 56 byte(s) in 1 object(s) allocated from:
        #0 0x4af748 in calloc /home/bupt/Desktop/tools/llvm-12.0.1/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:154
        #1 0x588b93 in rfx_calloc /home/bupt/Desktop/swftools/lib/mem.c:69:9
        #2 0x4fb951 in main /home/bupt/Desktop/swftools/src/gif2swf.c:728:17
        #3 0x7fb865a10c86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
    
    Direct leak of 56 byte(s) in 1 object(s) allocated from:
        #0 0x4af748 in calloc /home/bupt/Desktop/tools/llvm-12.0.1/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:154
        #1 0x588b93 in rfx_calloc /home/bupt/Desktop/swftools/lib/mem.c:69:9
        #2 0x4fb9d9 in main /home/bupt/Desktop/swftools/src/gif2swf.c:730:21
        #3 0x7fb865a10c86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
    
    Indirect leak of 64 byte(s) in 1 object(s) allocated from:
        #0 0x4af580 in malloc /home/bupt/Desktop/tools/llvm-12.0.1/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:145
        #1 0x58897e in rfx_alloc /home/bupt/Desktop/swftools/lib/mem.c:30:9
        #2 0x51e69a in swf_ShapeAddBitmapFillStyle /home/bupt/Desktop/swftools/lib/modules/swfshape.c:312:10
        #3 0x4fb9d9 in main /home/bupt/Desktop/swftools/src/gif2swf.c:730:21
        #4 0x7fb865a10c86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
    
    Indirect leak of 64 byte(s) in 1 object(s) allocated from:
        #0 0x4af580 in malloc /home/bupt/Desktop/tools/llvm-12.0.1/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:145
        #1 0x58897e in rfx_alloc /home/bupt/Desktop/swftools/lib/mem.c:30:9
        #2 0x51e69a in swf_ShapeAddBitmapFillStyle /home/bupt/Desktop/swftools/lib/modules/swfshape.c:312:10
        #3 0x4fb951 in main /home/bupt/Desktop/swftools/src/gif2swf.c:728:17
        #4 0x7fb865a10c86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
    
    SUMMARY: AddressSanitizer: 240 byte(s) leaked in 4 allocation(s).
    
    

**Crash summary**

    SUMMARY: AddressSanitizer: 240 byte(s) leaked in 4 allocation(s).

CVE-2022-35085: Poc/CVE-2022-35085.md at main · Cvjark/Poc

SWFTools commit 772e55a2 was discovered to contain a heap buffer-overflow via getGifDelayTime at /home/bupt/Desktop/swftools/src/src/gif2swf.c.

Permalink

**Product Link**

https://github.com/matthiaskramm/swftools

**POC file**

https://github.com/matthiaskramm/swftools/files/9034335/id39\_HEAP\_BUFFER\_OVERFLOW.zip

**Command to reproduce**

    ./gif2swf -o /dev/null [sample file]
    

**Product name & version**

last github commit code : 772e55a

**Problem Type****Crash Detail**

    ==117565==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000271 at pc 0x0000004f9626 bp 0x7ffd465ed6d0 sp 0x7ffd465ed6c8
    READ of size 1 at 0x602000000271 thread T0
        #0 0x4f9625 in getGifDelayTime /home/bupt/Desktop/swftools/src/gif2swf.c:127:20
        #1 0x4f9625 in MovieAddFrame /home/bupt/Desktop/swftools/src/gif2swf.c:451:17
        #2 0x4fb9d9 in main /home/bupt/Desktop/swftools/src/gif2swf.c:730:21
        #3 0x7ff0fa7dbc86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
        #4 0x41cfb9 in _start (/home/bupt/Desktop/swftools/build/bin/gif2swf+0x41cfb9)
    
    0x602000000271 is located 0 bytes to the right of 1-byte region [0x602000000270,0x602000000271)
    allocated by thread T0 here:
        #0 0x4af580 in malloc /home/bupt/Desktop/tools/llvm-12.0.1/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:145
        #1 0x7ff0fc10f19a in GifAddExtensionBlock (/usr/lib/x86_64-linux-gnu/libgif.so.7+0x519a)
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /home/bupt/Desktop/swftools/src/gif2swf.c:127:20 in getGifDelayTime
    Shadow bytes around the buggy address:
      0x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c047fff8000: fa fa fd fd fa fa fd fd fa fa fd fa fa fa fd fa
      0x0c047fff8010: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fd
      0x0c047fff8020: fa fa fd fd fa fa fd fa fa fa fd fa fa fa fd fa
      0x0c047fff8030: fa fa fd fa fa fa fd fa fa fa fd fa fa fa 00 04
    =>0x0c047fff8040: fa fa 00 03 fa fa 03 fa fa fa 04 fa fa fa[01]fa
      0x0c047fff8050: fa fa 06 fa fa fa 04 fa fa fa 01 fa fa fa fa fa
      0x0c047fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==117565==ABORTING
    

**Crash summary**

    SUMMARY: AddressSanitizer: heap-buffer-overflow /home/bupt/Desktop/swftools/src/gif2swf.c:127:20 in getGifDelayTime

CVE-2022-35088: Poc/CVE-2022-35088.md at main · Cvjark/Poc

SWFTools commit 772e55a was discovered to contain a heap-use-after-free via the function grow_unicode at /lib/ttf.c.

    =================================================================
    ==26408==ERROR: AddressSanitizer: heap-use-after-free on address 0x60300000017c at pc 0x0000004942df bp 0x7ffdd79c0b40 sp 0x7ffdd79c0308
    WRITE of size 48 at 0x60300000017c thread T0
        #0 0x4942de in __asan_memset (/project/models/swftools/src/ttftool+0x4942de)
        #1 0x4cd29a in memset /usr/include/x86_64-linux-gnu/bits/string_fortified.h:71:10
        #2 0x4cd29a in grow_unicode /project/models/swftools/lib/ttf.c:1235:2
        #3 0x4cd29a in cmap_parse /project/models/swftools/lib/ttf.c:1283:6
        #4 0x4eb056 in ttf_parse_tables /project/models/swftools/lib/ttf.c:1901:2
        #5 0x4eb056 in ttf_load /project/models/swftools/lib/ttf.c:2180:9
        #6 0x51054c in ttf_open /project/models/swftools/lib/ttf.c:2435:17
        #7 0x4c51da in main /project/models/swftools/src/ttftool.c:91:19
        #8 0x7fe8b7a25082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082)
        #9 0x41c43d in _start (/project/models/swftools/src/ttftool+0x41c43d)
    
    0x60300000017c is located 0 bytes to the right of 28-byte region [0x603000000160,0x60300000017c)
    freed by thread T0 here:
        #0 0x494e99 in realloc (/project/models/swftools/src/ttftool+0x494e99)
        #1 0x517e2d in rfx_realloc /project/models/swftools/lib/mem.c:50:11
    
    previously allocated by thread T0 here:
        #0 0x494cf2 in calloc (/project/models/swftools/src/ttftool+0x494cf2)
        #1 0x518011 in rfx_calloc /project/models/swftools/lib/mem.c:69:9
    
    SUMMARY: AddressSanitizer: heap-use-after-free (/project/models/swftools/src/ttftool+0x4942de) in __asan_memset
    Shadow bytes around the buggy address:
      0x0c067fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c067fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c067fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c067fff8000: fa fa 00 00 00 04 fa fa 00 00 00 06 fa fa fd fd
      0x0c067fff8010: fd fa fa fa fd fd fd fd fa fa 00 00 02 fa fa fa
    =>0x0c067fff8020: 00 00 00 02 fa fa fd fd fd fd fa fa fd fd fd[fd]
      0x0c067fff8030: fa fa 00 00 00 04 fa fa fa fa fa fa fa fa fa fa
      0x0c067fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c067fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c067fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c067fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==26408==ABORTING

CVE-2022-40009: heap-use-after-free exists in the function grow_unicode in /lib/ttf.c · Issue #190 · matthiaskramm/swftools

SWFTools commit 772e55a was discovered to contain a heap-buffer overflow via the function readU8 at /lib/ttf.c.

    =================================================================
    ==26368==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603000000086 at pc 0x0000004edfd2 bp 0x7ffe607a9f10 sp 0x7ffe607a9f08
    READ of size 1 at 0x603000000086 thread T0
        #0 0x4edfd1 in readU8 /project/models/swftools/lib/ttf.c:83:12
        #1 0x4edfd1 in os2_parse /project/models/swftools/lib/ttf.c:467:30
        #2 0x4edfd1 in ttf_parse_tables /project/models/swftools/lib/ttf.c:1849:13
        #3 0x4edfd1 in ttf_load /project/models/swftools/lib/ttf.c:2180:9
        #4 0x51054c in ttf_open /project/models/swftools/lib/ttf.c:2435:17
        #5 0x4c51da in main /project/models/swftools/src/ttftool.c:91:19
        #6 0x7f84d73a1082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082)
        #7 0x41c43d in _start (/project/models/swftools/src/ttftool+0x41c43d)
    
    0x603000000086 is located 0 bytes to the right of 22-byte region [0x603000000070,0x603000000086)
    allocated by thread T0 here:
        #0 0x494b7d in malloc (/project/models/swftools/src/ttftool+0x494b7d)
        #1 0x4e083a in ttf_load /project/models/swftools/lib/ttf.c:2160:15
        #2 0x51054c in ttf_open /project/models/swftools/lib/ttf.c:2435:17
        #3 0x7f84d73a1082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082)
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /project/models/swftools/lib/ttf.c:83:12 in readU8
    Shadow bytes around the buggy address:
      0x0c067fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c067fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c067fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c067fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c067fff8000: fa fa 00 00 00 04 fa fa 00 00 00 06 fa fa 00 00
    =>0x0c067fff8010:[06]fa fa fa 00 00 06 fa fa fa fd fd fd fd fa fa
      0x0c067fff8020: 00 00 02 fa fa fa 00 00 00 02 fa fa fa fa fa fa
      0x0c067fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c067fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c067fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c067fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==26368==ABORTING

Tag

#linux