Photoshop version 23.5.3 (and earlier), 24.1 (and earlier) are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Security update available for Adobe Photoshop | APSB23-11

**Bulletin ID**

**Date Published**

**Priority**

APSB23-11

February 14,  2023       

3

**Summary**

Adobe has released an update for Photoshop for Windows and macOS. This update resolves critical and important vulnerabilities.  Successful exploitation could lead to arbitrary code execution and memory leak.

**Affected Versions**

23.5.3 and earlier versions       

24.1 and earlier versions

**Solution**

Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version via the Creative Cloud desktop app’s update mechanism.  For more information, please reference this help page.    

**Product**

**Updated versions**

**Platform**

**Priority**

Photoshop 2022  

23.5.4

Windows and macOS  

3  

Photoshop 2023

24.1.1

Windows and macOS

3

For managed environments, IT administrators can use the Admin Console to deploy Creative Cloud applications to end users. Refer to this help page for more information.

**Vulnerability details**

**Vulnerability Category**

**Vulnerability Impact**

**Severity**

**CVSS base score**   

**CVSS vector**  

**CVE Number**

Improper Input Validation (CWE-20)  

Arbitrary code execution  

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2023-21574  

Out-of-bounds Write (CWE-787)  

Arbitrary code execution  

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2023-21575  

Out-of-bounds Write (CWE-787)  

Arbitrary code execution  

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2023-21576  

Out-of-bounds Read (CWE-125)  

Memory Leak

Important

5.5

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N  

CVE-2023-21577  

Out-of-bounds Read (CWE-125)  

Arbitrary code execution  

Important

5.5

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N  

CVE-2023-21578  

**Acknowledgments**

Adobe would like to thank the following researcher for reporting this issue and for working with Adobe to help protect our customers:   

*   Mat Powell of Trend Micro Zero Day Initiative - CVE-2023-21574, CVE-2023-21575, CVE-2023-21576, CVE-2023-21577, CVE-2023-21578

For more information, visit https://helpx.adobe.com/security.html, or email PSIRT@adobe.com.

CVE-2023-21578: Adobe Security Bulletin

Adobe InDesign versions ID18.1 (and earlier) and ID17.4 (and earlier) are affected by a NULL Pointer Dereference vulnerability. An unauthenticated attacker could leverage this vulnerability to achieve an application denial-of-service in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Security Update Available for Adobe InDesign | APSB23-12

**Bulletin ID**

**Date Published**

**Priority**

APSB23-12  

February 14, 2023   

3

**Summary**

Adobe has released a security update for Adobe InDesign.  This update addresses an important vulnerability. Successful exploitation could lead to application denial-of-service.  

**Affected versions**

ID18.1 and earlier version.

ID17.4 and earlier version.                                           

**Solution**

Adobe categorizes these updates with the following priority rating and recommends users update their software installations via the Creative Cloud desktop app updater, or by navigating to the InDesign Help menu and clicking "Updates." For more information, please reference this help page.

**Product**

**Updated version**

**Platform**

**Priority rating**

Adobe InDesign

ID18.2

Windows and macOS

3

Adobe InDesign

ID17.4.1  

Windows and macOS

3

For managed environments, IT administrators can use the Creative Cloud Packager to create deployment packages. Refer to this help page for more information.

**Vulnerability Details**

**Vulnerability Category**

**Vulnerability Impact**

**Severity**

**CVSS base score**    

**CVSS vector**   

**CVE Number**

NULL Pointer Dereference (CWE-476)  

Application denial-of-service  

Important

5.5

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H  

CVE-2023-21593  

**Acknowledgments**

Adobe would like to thank the following researcher for reporting this issue and for working with Adobe to help protect our customers:   

*   CHEN QINGYANG (yjdfy)  - CVE-2023-21593

CVE-2023-21593: Adobe Security Bulletin

Talos is publishing a glimpse into the most prevalent threats we've observed between Feb. 10 and Feb. 17.

Threat Round up for February 10 to February 17

Millions of Americans receiving food assistance benefits just earned a new right that they can't yet enforce: The right to be reimbursed if funds on their Electronic Benefit Transfer (EBT) cards are stolen by card skimming devices secretly installed at cash machines and grocery store checkout lanes.

Millions of Americans receiving food assistance benefits just earned a new right that they can’t yet enforce: The right to be reimbursed if funds on their Electronic Benefit Transfer (EBT) cards are stolen by card skimming devices secretly installed at cash machines and grocery store checkout lanes.

On December 29, 2022, **President Biden** signed into law the **Consolidated Appropriations Act of 2023**, which — for the first time ever — includes provisions for the replacement of stolen EBT benefits. This is a big deal because in 2022, organized crime groups began massively targeting EBT accounts — often emptying affected accounts at ATMs immediately after the states disperse funds each month.

EBT cards can be used along with a personal identification number (PIN) to pay for goods at participating stores, and to withdraw cash from an ATM. However, EBT cards differ from debit cards issued to most Americans in two important ways. First, most states do not equip EBT cards with smart chip technology, which can make the cards more difficult and expensive for skimming thieves to clone.

More critically, EBT participants traditionally have had little hope of recovering food assistance funds when their cards were copied by card-skimming devices and used for fraud. That’s because while the EBT programs are operated by individually by the states, those programs are funded by the **U.S. Department of Agriculture** (USDA), which until late last year was barred from reimbursing states for stolen EBT funds.

The protections passed in the 2023 Appropriations Act allow states to use federal funds to replace stolen EBT benefits, and they permit states to seek reimbursement for any skimmed EBT funds they may have replaced from their own coffers (dating back to Oct. 1, 2022).

But first, all 50 states must each submit a plan for how they are going to protect and replace food benefits stolen via card skimming. Guidance for the states in drafting those plans was issued by the USDA on Jan. 31 (PDF), and states that don’t get them done before Feb. 27, 2023 risk losing the ability to be reimbursed for EBT fraud losses.

**Deborah Harris** is a staff attorney at **The Massachusetts Law Reform Institute** (MLRI), a nonprofit legal assistance organization that has closely tracked the EBT skimming epidemic. In November 2022, the MLRI filed a class-action lawsuit against Massachusetts on behalf of thousands of low-income families who were collectively robbed of more than $1 million in food assistance benefits by card skimming devices secretly installed at cash machines and grocery store checkout lanes across the state.

Harris said she’s pleased that the USDA guidelines were issued so promptly, and that the guidance for states was not overly prescriptive. For example, some security experts have suggested that adding contactless capability to EBT cards could help participants avoid skimming devices altogether. But Harris said contactless cards do not require a PIN, which is the only thing that stops EBT cards from being drained at the ATM when a participant’s card is lost or stolen.

Then again, nothing in the guidance even mentions chip-based cards, or any other advice for improving the physical security of EBT cards. Rather, it suggests states should seek to develop the capability to perform basic fraud detection and alerting on suspicious transactions, such as when an EBT card that is normally used only in one geographic area suddenly is used to withdraw cash at an ATM halfway across the country.

“Besides having the states move fast to approve their plans, we’d also like to see a focused effort to move states from magstripe-only cards to chip, and also assisting states to develop the algorithms that will enable them to identify likely incidents of stolen benefits,” Harris said.

Harris said Massachusetts has begun using algorithms to look for these suspicious transaction patterns throughout its EBT network, and now has the ability to alert households and verify transactions. But she said most states do not have this capability.

“We have heard that other states aren’t currently able to do that,” Harris said. “But encouraging states to more affirmatively identify instances of likely theft and assisting with the claims and verification process is critical. Most households can’t do that on their own, and in Massachusetts it’s very hard for a person to get a copy of their transaction history. Some states can do that through third-party apps, but something so basic should not be on the burden of EBT households.”

Some states aren’t waiting for direction from the federal government to beef up EBT card security. Like Maryland, which identified more than 1,400 households hit by EBT skimming attacks last year — a tenfold increase over 2021.

Advocates for EBT beneficiaries in Maryland are backing Senate Bill 401 (PDF), which would require the use of chip technology and ongoing monitoring for suspicious activity (a hearing on SB401 is scheduled in the Maryland Senate Finance Commission for Thursday, Feb. 23, at 1 p.m.).

**Michelle Salomon Madaio** is a director at the Homeless Persons Representation Project, a legal assistance organization based in Silver Spring, Md. Madaio said the bill would require the state Department of Human Services to replace skimmed benefits, not only after the bill goes into effect but also retroactively from January 2020 to the present.

Madaio said the bill also would require the state to monitor for patterns of suspicious activity on EBT cards, and to develop a mechanism to contact potentially affected households.

“For most of the skimming victims we’ve worked with, the fraudulent transactions would be pretty easy to spot because they mostly happened in the middle of the night or out of state, or both,” Madaio said. “To make matters worse, a lot of families whose benefits were scammed then incurred late fees on many other things as a result.”

It is not difficult to see why organized crime groups have pounced on EBT cards as easy money. In most traditional payment card transactions, there are usually several parties that have a financial interest in minimizing fraud and fraud losses, including the bank that issued the card, the card network (Visa, MasterCard, Discover, etc.), and the merchant.

But that infrastructure simply does not exist within state EBT programs, and it certainly isn’t a thing at the inter-state level. What that means is that the vast majority of EBT cards have zero fraud controls, which is exactly what continues to make them so appealing to thieves.

For now, the only fraud controls available to most EBT cardholders include being especially paranoid about where they use their cards, and frequently changing their PINs.

According to USDA guidance issued prior to the passage of the appropriations act, EBT cardholders _should consider changing their card PIN at least once a month_.

“By changing PINs frequently, at least monthly, and doing so before benefit issuance dates, households can minimize their risk of stolen benefits from a previously skimmed EBT card,” the USDA advised.

New Protections for Food Benefits Stolen by Skimmers

BEC gangs Midnight Hedgehog and Mandarin Capybara show how online marketing and translation tools are making it easy for these threat groups to scale internationally.

Business email compromise (BEC) attacks involve impersonating an executive or business partner in order to convince a corporate target to wire large sums of cash to an attacker-controlled bank account. Mounting a successful international version of this cyberattack typically requires a lot of effort and resources. Necessary steps include researching the target thoroughly enough to make phishing lures convincing and hiring native speakers to translate scams into multiple languages. But that's all changing as threat groups avail themselves of free, online tools that take some of the legwork out of the process.

A report from Abnormal Security released this week identified two BEC groups that exemplify the trend: Midnight Hedgehog and Mandarin Capybara. Both are leveraging Google Translate, which lets threat actors whip up a plausible phishing lure, in almost any language, in an instant.

Researchers in the report also warned that tools like commercial business marketing services are also making it easier than ever for less-sophisticated and less-resourced BEC threat groups to succeed. These, mostly used by sales and marketing departments to identify "leads," make it simple to track down the best targets regardless of their region. 

It's all bad news for defenders given that BEC attacks are already lucrative, racking up $2.4 billion in losses in 2021 alone, according to the FBI's Crime Report — and the number of BEC attacks continues to explode. Now, with some of the cost being driven out of performing them, volumes are only likely to go up.

**BEC Groups Scale Fast With Translation, Marketing Tools**

Abnormal Security's Crane Hassold, director of threat intelligence who wrote the report, noted that Midnight Hedgehog has been around since January 2021 and impersonates CEOs as its specialty, according to the report.

So far, the firm has observed two distinct phishing emails from the group translated into 11 different languages: Danish, Dutch, Estonian, French, German, Hungarian, Italian, Norwegian, Polish, Spanish, and Swedish. Thanks to Google Translate's effectiveness, the emails are missing the simple errors users are trained to look out for and view as suspicious.

    

Source: devee via Adobe Stock

"We've taught our users to look for spelling mistakes and grammatical errors to better identify when they may have received an attack," the report added. "When these are not present, there are fewer alarm bells to alert native speakers that something isn't right."

Requested payments from Midnight Hedgehog range anywhere from $17,000 to $45,000, the report said.

The second BEC threat group the report highlights, Mandarin Capybara, also sends emails purporting to be from company executives, but uses a twist: It contacts payroll to have direct-deposited paychecks sent to an account they control.

Abnormal Security has observed Mandarin Capybara targeting companies around the globe with phishing lures in Dutch, English, French, German, Italian, Polish, Portuguese, Spanish, and Swedish, but it also targets companies outside of Europe with phishing emails aimed at English speakers in the US and Australia, unlike Midnight Hedgehog, which the report said sticks to non-English-speaking victims in Europe.

**Lowering the Barriers to BEC Entry**

Extending campaigns across any language with translation tools and using online services to identify "leads" of their own on who to victimize with their next cyberattack makes it easier than ever to scale operations across borders for BEC cyberattackers.

"As email marketing and translation tools become more accurate, effective, and accessible, we will continue to see hackers exploiting them to scam companies with increasing success," the report explained. "Not only that, because these emails sound legitimate and rely on behavioral manipulation instead of malware-infected files, Midnight Hedgehog, Mandarin Capybara, and other similar BEC groups will be able to easily bypass legacy security systems and spam filters."

The answer to defending against the rising number and increased sophistication of BEC attacks, Hassold explains to Dark Reading, is a two-pronged approach.

"As social engineering attacks become more sophisticated and it becomes more difficult to distinguish them from legitimate emails, it becomes even more important to prevent them from reaching their destination," he tells Dark Reading. "Security awareness training certainly has a role in defending against phishing attacks, but the best way to prevent employees from falling for these attacks is simply to ensure that they never receive them in the first place."

That means implementing behavioral-based machine learning and AI tools tuned to detect anything outside "normal" behavior will be a key to stopping this new supercharged version of international BEC attacks, the report said.

Google Translate Helps BEC Groups Scam Companies in Any Language

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Crafter Studio on Linux, MacOS, Windows, x86, ARM, 64 bit allows SQL Injection.This issue affects CrafterCMS v4.0 from 4.0.0 through 4.0.1, and v3.1 from 3.1.0 through 3.1.26.

CrafterCMS

*   

**CV-2023021701**

 

**Date**

2023.02.17

**Affected Versions**

**4.0** <= 4.0.1, **3.1** =< 3.1.26

**Vulnerability Type**

CWE-89 Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)

**Risk**

Medium

**Description**

Authenticated administrators can perform a SQL Injection attack against the authoring database that holds Studio users, groups, and item workflow states.

**CVE**

https://www.cve.org/CVERecord?id=CVE-2023-26020

**Credit**

Gil Correia, gil.correia@devoteam.com

**CV-2022091302**

 

**Date**

2022.09.13

**Affected Versions**

**3.1** < 3.1.23

**Vulnerability Type**

CWE-913 Improper Control of Dynamically-Managed Code Resources

**Risk**

Medium

**Description**

Improper Control of Dynamically-Managed Code Resources vulnerability in Crafter Studio of Crafter CMS allows authenticated developers to execute OS commands via Groovy Sandbox Bypass.

**CVE**

https://www.cve.org/CVERecord?id=CVE-2022-40635

**Credit**

Matei “Mal” Badanoiu, https://github.com/mbadanoiu

**CV-2022091301**

 

**Date**

2022.09.13

**Affected Versions**

**3.1** < 3.1.23

**Vulnerability Type**

CWE-913 Improper Control of Dynamically-Managed Code Resources

**Risk**

Medium

**Description**

Improper Control of Dynamically-Managed Code Resources vulnerability in Crafter Studio of Crafter CMS allows authenticated developers to execute OS commands via FreeMarker SSTI.

**CVE**

https://www.cve.org/CVERecord?id=CVE-2022-40634

**Credit**

Matei “Mal” Badanoiu, https://github.com/mbadanoiu

**CV-2022051603**

 

**Date**

2022.05.16

**Affected Versions**

**3.1** < 3.1.18

**Vulnerability Type**

CWE-913 Improper Control of Dynamically-Managed Code Resources

**Risk**

High

**Description**

Improper Control of Dynamically-Managed Code Resources vulnerability in Crafter Studio of Crafter CMS allows authenticated developers to execute OS commands via FreeMarker static methods.

**CVE**

https://www.cve.org/CVERecord?id=CVE-2021-23267

**Credit**

Kai Zhao (ToTU Security Team), https://github.com/happyhacking-k

**CV-2022051602**

 

**Date**

2022.05.16

**Affected Versions**

**3.1** < 3.1.18

**Vulnerability Type**

CWE-117 Improper Output Neutralization for Logs

**Risk**

Medium

**Description**

An anonymous user can craft a URL with text that ends up in the log viewer as is.The text can then include textual messages to mislead the administrator.

**CVE**

https://www.cve.org/CVERecord?id=CVE-2021-23266

**Credit**

Faizan Wani, https://github.com/faizanw8

**CV-2021120106**

 

**Date**

2021.12.01

**Affected Versions**

**3.1** < 3.1.15

**Vulnerability Type**

CWE-402: Transmission of Private Resources into a New Sphere (‘Resource Leak’)

**Risk**

Medium

**Description**

Transmission of Private Resources into a New Sphere (‘Resource Leak’) in CrafterEngine

**CVE**

https://www.cve.org/CVERecord?id=CVE-2021-23263

**Credit**

Carlos Ortiz, https://github.com/cortiz

**CV-2021120107**

 

**Date**

2021.12.01

**Affected Versions**

**3.1** < 3.1.15

**Vulnerability Type**

CWE-402: Transmission of Private Resources into a New Sphere (‘Resource Leak’) CWE-668 Exposure of Resource to Wrong Sphere

**Risk**

High

**Description**

Transmission of Private Resources into a New Sphere (‘Resource Leak’) and Exposureof Resource to Wrong Sphere in Crafter Search

**CVE**

https://www.cve.org/CVERecord?id=CVE-2021-23264

**Credit**

Sparsh Kulshrestha, https://github.com/sparshkulshrestha

**CV-2020080102**

 

**Date**

2020.08.01

**Affected Versions**

**3.0** < 3.0.27  
**3.1** < 3.1.7

**Vulnerability Type**

RCE

**Risk**

Medium

**Description**

Authenticated attackers with developer privileges in Crafter Studio may execute OS commands via deep inspection of FreeMarker template exposed objects.

**CVE**

https://www.cve.org/CVERecord?id=CVE-2020-25803

**Credit**

Alvaro Muñoz (GitHub), https://github.com/pwntester

**CV-2017061502**

 

**Date**

2017.06.15

**Affected Versions**

**3.0** < 3.0.1

**Vulnerability Type**

Directory Traversal

**Risk**

Critical

**Description**

A directory traversal vulnerability exists which allows unauthenticated attackers to overwrite files from the operating system which can lead to RCE.

**CVE**

https://www.cve.org/CVERecord?id=CVE-2017-15681

**Credit**

Jasmin Landry, https://github.com/JR0ch17

CVE-2023-26020: Security Advisories — CrafterCMS 4.0.2 documentation

Buffer Overflow vulnerability in Saltstack v.3003 and before allows attacker to execute arbitrary code via the func variable in salt/salt/modules/status.py file.

CVE-2021-33226: salt/status.py at master · saltstack/salt

An issue in MPV v.0.29.1 fixed in v0.30 allows attackers to execute arbitrary code and crash program via the ao_c parameter.

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed

3kyo0 opened this issue

Jul 15, 2019

· 6 comments

Closed

**race condition in audio.c on uninit #6808**

3kyo0 opened this issue

Jul 15, 2019

· 6 comments

**Comments**

Can't reproduce on Linux with mpv 0.29.0-353-g65b1c2d065 and ffmpeg N-94185-gca576833e4.  
For fuzzing you might want to use --no-config to ensure the crash doesn't depend on any of your local configuration.

> Can't reproduce on Linux with mpv 0.29.0-353-g65b1c2d065 and ffmpeg N-94185-gca576833e4.  
> For fuzzing you might want to use --no-config to ensure the crash doesn't depend on any of your local configuration.

Only MacOS

seems ao\_c->filter pointer broken.there is two debug info.  
1、Normal info:  
Playing: ./SIGSEGV.EXC\_BAD\_ACCESS.PC.000000010ed954bf.STACK.0000000f38a4c8be.ADDR.000000004d555462.fuzz  
\[mkv\] SeekHead position beyond end of file - incomplete file?  
(+) Video --vid=1 (_) (h264 720x432 25.000fps)  
(+) Audio --aid=1 --alang=fre (_) (ac3 2ch)  
(+) Subs --sid=1 --slang=fre (\*) (dvd\_subtitle)  
\[vo/gpu\] opengl cocoa backend is deprecated, use vo=libmpv instead  
\[debug\]ao\_c->filter->f->pins\[1\]:0x7f8e2f5418d0  
\[debug\]mpctx:0x7f8e32004840  
\[debug\]ao\_c:0x7f8e2f5351b0  
\[debug\]ao\_c->filter:0x7f8e2f5414f8  
\[debug\]ao\_c->filter->got\_output\_eof:0x0  
\[debug\]mpctx->audio\_status:0x0  
\[debug\]  
\[mkv\] Invalid EBML length at position 13124  
\[mkv\] Corrupt file detected. Trying to resync starting from position 13124...  
\[ffmpeg/audio\] ac3: expacc 126 is out-of-range  
\[ffmpeg/audio\] ac3: error decoding the audio block  
No video PTS! Making something up. Using 25.000000 FPS.  
\[debug\]ao\_c->filter->f->pins\[1\]:0x7f8e2f5418d0  
Audio: no audio  
\[debug\]mpctx:0x7f8e32004840  
\[debug\]ao\_c:0x7f8e2f5351b0  
\[debug\]ao\_c->filter:0x7f8e2f5414f8  
\[debug\]ao\_c->filter->got\_output\_eof:0x0  
\[debug\]mpctx->audio\_status:0x5  
\[debug\]  
VO: \[gpu\] 720x432 => 1455x432 yuv420p  
V: -00:00:00 / 00:00:00 (0%)

Exiting... (End of file)

2、Crashed info  
Playing: ./SIGSEGV.EXC\_BAD\_ACCESS.PC.000000010ed954bf.STACK.0000000f38a4c8be.ADDR.000000004d555462.fuzz  
\[mkv\] SeekHead position beyond end of file - incomplete file?  
(+) Video --vid=1 (_) (h264 720x432 25.000fps)  
(+) Audio --aid=1 --alang=fre (_) (ac3 2ch)  
(+) Subs --sid=1 --slang=fre (\*) (dvd\_subtitle)  
\[vo/gpu\] opengl cocoa backend is deprecated, use vo=libmpv instead  
\[debug\]ao\_c->filter->f->pins\[1\]:0x7f8ebc1211c0  
\[debug\]mpctx:0x7f8ebe000040  
\[debug\]ao\_c:0x7f8ebc120d30  
\[debug\]ao\_c->filter:0x7f8ebc120858  
\[debug\]ao\_c->filter->got\_output\_eof:0x0  
\[debug\]mpctx->audio\_status:0x0  
\[debug\]  
\[mkv\] Invalid EBML length at position 13124  
\[mkv\] Corrupt file detected. Trying to resync starting from position 13124...  
No video PTS! Making something up. Using 25.000000 FPS.  
\[ffmpeg/audio\] ac3: expacc 126 is out-of-range  
\[ffmpeg/audio\] ac3: error decoding the audio block  
\[debug\]ao\_c->filter->f->pins\[1\]:0x7f8ebc1211c0  
Audio: no audio  
\[debug\]mpctx:0x7f8ebe000040  
\[debug\]ao\_c:0x7f8ebc120d30  
\[debug\]ao\_c->filter:0x312d320a6572662d  
UndefinedBehaviorSanitizer:DEADLYSIGNAL  
\==3033==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x0001012bb3f9 bp 0x7000039f3dc0 sp 0x7000039f3d00 T61145)

After debugging I think this is an Use after free Vulnerability.  
audio.c:425 uinit\_audio\_chain(mpctx); this line free the ao\_c  
audio.c:810 if(ao\_c->filter->got\_output\_eof && . this line reuse it

 Akemi changed the title crash on MacOS race condition in audio.c on uninit

Jul 21, 2019

i don't think the uninit in line 425 is the culprit. it's called in order and before the code in line 810. it's some race condition in another part of the code.

I think @3kyo0 was right, that's exactly what I observed.

CVE-2020-19824: race condition in audio.c on uninit · Issue #6808 · mpv-player/mpv

Red Hat Security Advisory 2023-0728-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 4.12.3.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: OpenShift Container Platform 4.12.3 security update  
Advisory ID:       RHSA-2023:0728-01  
Product:           Red Hat OpenShift Enterprise  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:0728  
Issue date:        2023-02-16  
CVE Names:         CVE-2021-4238 CVE-2022-41717   
=====================================================================

1. Summary:

Red Hat OpenShift Container Platform release 4.12.3 is now available with  
updates to packages and images that fix several bugs and add enhancements.

This release includes a security update for Red Hat OpenShift Container  
Platform 4.12.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing  
Kubernetes application platform solution designed for on-premise or private  
cloud deployments.

This advisory contains the container images for Red Hat OpenShift Container  
Platform 4.12.3. See the following advisory for the RPM packages for this  
release:

https://access.redhat.com/errata/RHSA-2023:0727

Space precludes documenting all of the container images in this advisory.  
See the following Release Notes documentation, which will be updated  
shortly for this release, for details about these changes:

https://docs.openshift.com/container-platform/4.12/release_notes/ocp-4-12-release-notes.html

Security Fix(es):

* goutils: RandomAlphaNumeric and CryptoRandomAlphaNumeric are not as  
random as they should be (CVE-2021-4238)

* golang: net/http: An attacker can cause excessive memory growth in a Go  
server accepting HTTP/2 requests (CVE-2022-41717)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

All OpenShift Container Platform 4.12 users are advised to upgrade to these  
updated packages and images when they are available in the appropriate  
release channel. To check for available updates, use the OpenShift CLI (oc)  
or web console. Instructions for upgrading a cluster are available at  
https://docs.openshift.com/container-platform/4.12/updating/updating-cluster-cli.html

3. Solution:

For OpenShift Container Platform 4.12 see the following documentation,  
which will be updated shortly for this release, for important instructions  
on how to upgrade your cluster and fully apply this asynchronous errata  
update:

https://docs.openshift.com/container-platform/4.12/release_notes/ocp-4-12-release-notes.html

You may download the oc tool and use it to inspect release image metadata  
for x86_64, s390x, ppc64le, and aarch64 architectures. The image digests  
may be found at  
https://quay.io/repository/openshift-release-dev/ocp-release?tab=tags.

      The sha values for the release are

      (For x86_64 architecture)  
The image digest is  
sha256:382f271581b9b907484d552bd145e9a5678e9366330059d31b007f4445d99e36

      (For s390x architecture)  
The image digest is  
sha256:529e7aa3a821892575abeecd4971dff194f48943ce364a01d93c599c27d2ef9c

      (For ppc64le architecture)  
The image digest is  
sha256:8db6cb445bdf1534860a1a47f8c50bc73d99dfdd196f06184acbcea5d7bc112f

      (For aarch64 architecture)  
The image digest is  
sha256:4657924fc2720f48932dec10380428804e9d82194f8ac748b7329f7c18021ef8

All OpenShift Container Platform 4.12 users are advised to upgrade to these  
updated packages and images when they are available in the appropriate  
release channel. To check for available updates, use the OpenShift CLI (oc)  
or web console. Instructions for upgrading a cluster are available at  
https://docs.openshift.com/container-platform/4.12/updating/updating-cluster-cli.html

4. Bugs fixed (https://bugzilla.redhat.com/):

2156729 - CVE-2021-4238 goutils: RandomAlphaNumeric and CryptoRandomAlphaNumeric are not as random as they should be  
2161274 - CVE-2022-41717 golang: net/http: An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests

5. JIRA issues fixed (https://issues.jboss.org/):

OCPBUGS-213 - base image quay.io/operator-framework/ansible-operator. After moving to tag v1.20.0, it breaks the task to update k8s_status in an FIPS enabled cluster   
OCPBUGS-2210 - ZTP with converged flow is too slow  
OCPBUGS-298 - Make ovnkube-trace work on hypershift deployments  
OCPBUGS-3095 - IPI for Power VS: Deploy fails when there is are certain preexisting resources  
OCPBUGS-3399 - ovn-k behaviour for service CIDR that doesn't match existing svc ip+port  
OCPBUGS-3941 - Whereabouts CNI timesout while iterating exclude range [backport 4.12]  
OCPBUGS-4238 - Hosted ovnkubernetes pods are not being spread among workers evenly  
OCPBUGS-4281 - Metrics are not available when running console in development mode  
OCPBUGS-4862 - Deletion of BYOH Windows node hangs in Ready,SchedulingDisabled  
OCPBUGS-5093 - After entering valid git repo url on Import from git page, throwing warning message instead Validated  
OCPBUGS-5841 - [4.12] Modifying node_mgmt_port_netdev_flags on OVN-K node will crash  
OCPBUGS-5960 - [4.12] Bootimage bump tracker  
OCPBUGS-5996 - [vsphere] installation errors out when missing topology in a failure domain  
OCPBUGS-6066 - Released operator versions are disappearing  
OCPBUGS-6076 - AMQ reconnect for 7 minutes  floods linuxptp daemon with socket connection error  
OCPBUGS-6085 - Editing Pipeline in the ocp console to get information error  
OCPBUGS-6494 - One old machine stuck in Deleting and many co get degraded when doing master replacement on the cluster with OVN network  
OCPBUGS-6669 - Do not show UpdateInProgress when status is Failing  
OCPBUGS-6703 - oc-mirror heads-only does not work with target name  
OCPBUGS-6758 - `create a project` link not backed by RBAC check  
OCPBUGS-6764 - Add Git Repository form shows empty permission content and non-working help link until a git url is entered  
OCPBUGS-6766 - "Delete dependent objects of this resource" might cause confusions  
OCPBUGS-6805 - MCO reconcile fails if user replace the pull secret to empty one  
OCPBUGS-6823 - [release-4.12] Egress FW ACL rules are invalid in dualstack mode  
OCPBUGS-6850 - admin ack test nondeterministically does a check post-upgrade  
OCPBUGS-6913 - PipelineRun task status overlaps status text  
OCPBUGS-6928 - Update OWNERS_ALIASES in release-4.12 branch  
OCPBUGS-6969 - User Preferences - Applications : Resource type drop-down i18n misses  
OCPBUGS-6997 - Update 4.12 ose-machine-config-operator image to be consistent with ART  
OCPBUGS-7025 - Bundle Unpacker Using "Always" ImagePullPolicy for digests  
OCPBUGS-7103 - Agent ISO does not respect proxy settings

6. References:

https://access.redhat.com/security/cve/CVE-2021-4238  
https://access.redhat.com/security/cve/CVE-2022-41717  
https://access.redhat.com/security/updates/classification/#important  
https://docs.openshift.com/container-platform/4.12/release_notes/ocp-4-12-release-notes.html

7. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY+7KQtzjgjWX9erEAQiMxRAAhNd1a5zjOKI7HsdHjAAnON9zEuxOn1tn  
VW+fAYkyUgQRIrTrXyabzAgf4mJmy6YeKxYJiWCDmQGAkfTZb9QvfHm8rJQCJ4Zk  
lI6aVAlkouPHk5HAY10yV1rPmRPeWviycfljtPZ+fXrR7KDY61JWEt/VFN8F/zt8  
cJ1uM7NmOUndLDfttHlEj2a35a6iBJxAtTJ9e2/s+3HqTNiiQzT9ghkeyJnUUglB  
g5aHttjkL6blxnIjeeSytUCmRS0CpqMAUdyfQft2zLM0vN58JPChy/t14acEaKQ/  
+MqVRtjPI6NtmLWu6WCwuhMqU0BLFVKp8nk7Ue1tvnyC/egBpD9mjM9sxD5SrRg1  
wFMXgQ17tioPdValyakjxc3+I9GdNu6mKD7AaqKIlZxmFZoR5kCH3pykuw2Pcx9i  
/4b2iLc4USyMJSAssuoLhljS/3jli5VZRLSm2LEOCchAjo1nES1nUh6d2ePcH9YP  
s/E+x4Li3EML+tAxiqgr4KeI5fwg7nDdP5hvltFgVdD1y+D2JrCz+7vhmSnSPej+  
AbwM5n+T5IkiQRGwnFf5KUqSpGPd3IvVLinCKPWEkYRezGhbUzAhc3V5PvtR0Tl2  
Tao8dMVBvvttlLf5jcvJaiw3VBdOcOIHx5JJSUiZ6HomMGBYva8Gfj4F57WnnEK2  
PbL5ln8DF7w=  
=LpVM  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-0728-01

Infoblox BloxOne Endpoint for Windows through 2.2.7 allows DLL injection that can result in local privilege escalation.

**January 19, 2023**

**Question/Summary:**

CVE-2022-32972: Infoblox BloxOne Endpoint for Windows local privilege escalation.

**Customer Environment:**

Customers who are running BloxOne Endpoint on their host devices.

**Overview and Impact:** 

A vulnerability was found in the executable run by the Infoblox BloxOne Endpoint agent, enabling a low-privileged attacker to execute any program as the highly-privileged system user. Versions 2.3.2 and below are vulnerable to a dynamic-link library (DLL) injection attack that can result in local privilege escalation.

CVSS: 6.7 (CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H/MAC:H)

**Affected Versions:**

BloxOne Endpoint for Windows **Version 2.3.2** and below is affected by a security vulnerability that may lead to a local privilege escalation.

**Resolution:**

BloxOne Endpoint **Version 2.3.3** and later fix the vulnerability. A new BloxOne Endpoint **Version 2.3.6** will also be released that fixes the vulnerability along with a few minor issues.

**Note:** If the BloxOne Endpoint group is configured with Scheduling/Defer updates, make sure that it is configured properly so that the BloxOne Endpoint version that fixes the vulnerability is pushed to the agent as soon as possible. Kindly refer to the below document for a detailed understanding of **"Scheduling Endpoint Group Updates"**

https://docs.infoblox.com/space/BloxOneThreatDefense/35374562/Scheduling+Endpoint+Group+Updates

Tag

#mac