Scammers are using invoices sent through PayPal.com to trick recipients into calling a number to dispute a pending charge. The missives -- which come from Paypal.com and include a link at Paypal.com that displays an invoice for the supposed transaction -- state that the user's account is about to be charged hundreds of dollars. Recipients who call the supplied toll-free number to contest the transaction are soon asked to download software that lets the scammers assume remote control over their computer.

Scammers are using invoices sent through **PayPal.com** to trick recipients into calling a number to dispute a pending charge. The missives — _which come from Paypal.com and include a link at Paypal.com that displays an invoice for the supposed transaction_ — state that the user’s account is about to be charged hundreds of dollars. Recipients who call the supplied toll-free number to contest the transaction are soon asked to download software that lets the scammers assume remote control over their computer.

KrebsOnSecurity recently heard from a reader who received an email from paypal.com that he immediately suspected was phony. The message’s subject read, “Billing Department of PayPal updated your invoice.”

A copy of the phishing message included in the PayPal.com invoice.

While the phishing message attached to the invoice is somewhat awkwardly worded, there are many convincing aspects of this hybrid scam. For starters, all of the links in the email lead to paypal.com. Hovering over the “View and Pay Invoice” button shows the button indeed wants to load a link at paypal.com, and clicking that link indeed brings up an active invoice at paypal.com.

Also, the email headers in the phishing message (PDF) show that it passed all email validation checks as being sent by PayPal, and that it was sent through an Internet address assigned to PayPal.

Both the email and the invoice state that “there is evidence that your PayPal account has been accessed unlawfully.” The message continues:

“$600.00 has been debited to your account for the Walmart Gift Card purchase. This transaction will appear in the automatically deducted amount on PayPal activity after 24 hours. If you suspect you did not make this transaction, immediately contact us at the toll-free number….”

Here’s the invoice that popped up when the “View and Pay Invoice” button was clicked:

The phony PayPal invoice, which was sent and hosted by PayPal.com.

The reader who shared this phishing email said he logged into his PayPal account and could find no signs of the invoice in question. A call to the toll-free number listed in the invoice was received by a man who answered the phone as generic “customer service,” instead of trying to spoof PayPal or Walmart. Very quickly into the conversation he suggested visiting a site called globalquicksupport\[.\]com to download a remote administration tool. It was clear then where the rest of this call was going.

I can see this scam tricking a great many people, especially since both the email and invoice are sent through PayPal’s systems — which practically guarantees that the message will be successfully delivered. The invoices appear to have been sent from a compromised or fraudulent PayPal Business account, which allows users to send invoices like the one shown above. Details of this scam were shared Wednesday with PayPal’s anti-abuse (phishing@paypal.com) and media relations teams.

PayPal said in a written statement that phishing attempts are common and can take many forms.

“We have a zero-tolerance policy on our platform for attempted fraudulent activity, and our teams work tirelessly to protect our customers,” PayPal said. “We are aware of this well-known phishing scam and have put additional controls in place to mitigate this specific incident. Nonetheless, we encourage customers to always be vigilant online and to contact Customer Service directly if they suspect they are a target of a scam.”

It’s remarkable how well today’s fraudsters have adapted to hijacking the very same tools that financial institutions have long used to make their customers feel safe transacting online. It’s no accident that one of the most prolific scams going right now — the Zelle Fraud Scam — starts with a text message about an unauthorized payment that appears to come from your bank. After all, financial institutions have spent years encouraging customers to sign up for mobile alerts via SMS about suspicious transactions, and to expect the occasional inbound call about possibly fraudulent transactions.

Also, today’s scammers are less interested in stealing your PayPal login than they are in phishing your entire computer and online life with remote administration software, which seems to be the whole point of so many scams these days. Because why rob just one online account when you can plunder them all?

The best advice to sidestep phishing scams is to avoid clicking on links that arrive unbidden in emails, text messages and other mediums. Most phishing scams invoke a temporal element that warns of dire consequences should you fail to respond or act quickly. If you’re unsure whether the message is legitimate, take a deep breath and visit the site or service in question manually — ideally, using a browser bookmark to avoid potential typosquatting sites.

PayPal Phishing Scam Uses Invoices Sent Via PayPal

SOS.dev initiative will combat software supply chain attacks by encouraging researchers to suggest security improvements to key projects

Stephen Pritchard 18 August 2022 at 12:09 UTC  
Updated: 18 August 2022 at 12:19 UTC

SOS.dev initiative will combat software supply chain attacks by encouraging researchers to suggest security improvements to key projects

A new program is aiming to reward developers and security researchers who make improvements to critical infrastructure based on open source technology.

The Secure Open Source Rewards (SOS.dev) scheme will be broader than current bug bounty programs, according to its backers.

The program will “harden critical open source projects” and help protect against application and software supply chain attacks by encouraging researchers and developers to suggest security improvements.

Rewards range from $505 for small improvements up to $10,000 or more for “complicated, high-impact and lasting improvements that almost certainly prevent major vulnerabilities”.

**Save Our Software**

Secure Open Source Rewards will pick eligible projects based on the NIST definition of ‘critical software’, as well as the extent of the security improvements and the number of users who stand to benefit.

The backers will also consider the seriousness of any compromise of the project, and where the project ranks in open source criticality research, including the Harvard 2 Census Study of most-used packages, and the OpenSSF Criticality Score project rankings.

**RELATED** Developers still struggling with security issues during code reviews, study finds

Secure Open Source Rewards are looking for supply chain security improvements, improvement that give higher OpenSSF Criticality Scorecard results, adopt software artifact signing and verification, and other best practise measures.

Other improvements will be added to the aims as SOS.dev evolves.

**Million-dollar funding**

The Secure Open Source Rewards scheme differs from conventional bug bounty programs as it covers security improvements by project developers rather than just vulnerabilities.

It will also offer a limited amount of upfront funding for projects looking to make longer-term security improvements.

The initiative comes as organizations move to upgrade security for critical infrastructure and applications. More attention is being focused on software supply chains, including the role of vital open source components across the ecosystem.

“A lot of commercial and open source solutions, including those used by CNI, operate critical infrastructure relying on open source libraries including OpenSSL and Log4j, of which we have seen repeated attacks in the past,” Steven Sim, president of the ISACA Singapore chapter and chair of the OT-ISAC executive committee, told _The Daily Swig_.

“If we don’t do anything right now about these Achilles’ heels, we will continue to see massive breaches as a result of software supply chain attacks.”

Read more of the latest software supply chain security news

Andrew Martin, CEO at ControlPlane and CISO at OpenUK, added: “Supply chain security starts with the initial contributor and the security of their coding practices, computing environment, and build systems.

“Organizations need to be aware of all the components in development and production systems, including open source.

“The Linux Foundation’s OpenSSF and CNCF TAG Security groups are focused on critical and cloud native software respectively, and SOS.dev occupies a more developer-focused space, and is additionally supported by Google GOSST team.

“The latter is also supporting the Kubernetes-based kCTF Vulnerability Rewards Program (VRP), which looks to pay researchers for escaping containers and attacking the Linux Kernel.

“These initiatives are seeing dramatically increasing payouts commensurate with the level of skill required to escape these sandboxes and applications, and together are shining a light of the risk of untrusted third-party code making its way past the scrutiny of vulnerability researchers.”

SOS.dev is run by the Linux Foundation with sponsorship from the Google Open Source Security Team, with $1 million of initial funding.

**YOU MIGHT ALSO LIKE** Swiss Post relaunches e-voting bug bounty program

Secure Open Source Rewards program launched to help protect critical upstream software

In Sony Xperia series 1, 5, and Pro, an out of bound memory access can occur due to lack of validation of the number of frames being passed during music playback.

May 18, 2022

**Research by:** Slava Makkaveev, Netanel Ben Simon

**Introduction**

The Apple Lossless Audio Codec (ALAC) is an audio coding format developed by Apple Inc. in 2004 for lossless data compression of digital music. After initially keeping it proprietary, in late 2011 Apple made the codec open source. Since then, the ALAC format has been embedded in many non-Apple audio playback devices and programs, including Android-based smartphones, and Linux and Windows media players and converters.

The open source ALAC decoder contains serious vulnerabilities. Apple keeps updating the proprietary version of the decoder and fixing security issues, but the shared code has not been patched since 2011. Many third-party vendors use the Apple-supplied code as the basis for their own ALAC implementations, and it’s fair to assume that many of them do not maintain the external code.

We discovered that MediaTek and Qualcomm, the two largest mobile chipset makers, ported the vulnerable ALAC code into their audio decoders, which are used in more than half of all smartphones worldwide. The ALAC issues we found could be used by an attacker for RCE on a mobile device through a malformed audio file. In addition, an unprivileged Android app can use these vulnerabilities to escalate its privileges and gain access to media data and user conversations.

Our goal was not to find all the projects that integrate the ALAC decoder, but we easily found several popular Ubuntu packages in the Universe repository that are also based on the vulnerable ALAC code and can be targeted by an attacker for RCE on an Ubuntu machine.

In this study, we focus on mobile devices.

**OpenMAX Codecs**

Open Media Acceleration (OpenMAX or OMX) is the set of C-language programming interfaces that provides abstractions useful for multimedia processing.

On Android devices, the Stagefright media playback engine integrates OpenMAX to recognize and use custom hardware-based multimedia codecs.

**Figure 1:** OpenMAX in Android media.

While Android provides built-in software codecs for common media formats, a hardware manufacturer can add an OpenMAX codec to decode/encode a specific one.

All media codecs presented on the device are listed in the /vendor/etc/media_codecs.xml file. According to the OpenMax specification, the codec name and content type must be declared for each codec.

**Figure 2:** Built-in software codecs.

An OpenMAX codec is a dynamic library that implements the corresponding decoding/encoding logic. The relationship table between the codec name and the library name is built into the OpenMAX Core library /vendor/lib/libOmxCore.so. On MediaTek devices, the /vendor/etc/mtk_omx_core.cfg configuration file contains this table in text format.

**Figure 3:** Core configuration.

Both MediaTek and Qualcomm provide custom OpenMAX decoders for the ALAC format. The ALAC declaration is shown in Figure 4, where the first line refers to MediaTek devices and the second line to those belonging to Qualcomm.

**Figure 4:** ALAC decoder declaration.

/vendor/lib/libMtkOmxAlacDec.so is the OpenMAX ALAC library on MediaTek devices and /vendor/lib/libOmxAlacDecSw.so is the library on Qualcomm. Media service /vendor/bin/hw/[email protected] loads the ALAC library when requested by an Android app, and then calls it to decode the supplied frames.

A malicious .m4a audio file can be used to attack a device even when played in a safe app based on the Android media framework. In addition, a malicious app can use a harmful frame to attack the privileged [email protected] service.

**Requesting frame decoding from the app**

The Android framework provides the android.media.MediaCodec class to access low-level media codecs.

We can create the ALAC decoder by using its name.

The configure method can be used to tune the decoder. A Codec-specific Data (csd-0) array allows us to set the frame length and bit depth parameters that we want to control in order to exploit the vulnerabilities.

To pass an arbitrary frame to the decoder for processing:

The Android app does not require any permissions to initiate decoding. To attack the media service, all we need to do is to prepare a malformed frame that causes the vulnerability.

**The ALAC vulnerabilities****MediaTek**

A quick look at the libMtkOmxAlacDec.so library showed that it is more likely based on the Shairport source code than on the code published by Apple. In fact, both sources are quite similar and have the same security issues.

The MtkOmxAlacDec::InitAlacDecoder method is responsible for initializing the ALAC decoder based on the csd-0 information provided by the app or included in the audio file header. The method calls the alac_init function, which fills an internal object with the audio parameters and allocates working buffers to store the decoded data.

The setinfo_max_samples_per_frame field of the alac object is initialized with the frame length (the first DWORD of the csd-0), and the setinfo_sample_size field is initialized with the bit depth.

The frame length times 4 of the heap memory is allocated as the outputsamples_buffer_a buffer. No integer overflow check is performed. In the 32-bit media server, if the provided frame length is greater than or equal to 0x40000000, the wrong amount of memory is allocated.

The MtkOmxAlacDec::DecodeAudio method is responsible for decoding the audio frame. It calls the alac_decode_frame function passing the alac object, the decoding frame, and an output buffer for decoded data as arguments.

The variable outputsamples is the number of samples to decode. As you can see, it is initialized with the setinfo_max_samples_per_frame at the beginning of the function, which is the maximum possible value of samples per frame. However, this variable can be corrected by the actual number of samples, the value of which is encoded in the frame itself. There are no validations associated with the outputsamples, so an invalid number could be provided. For example, in the frame in Figure 5, the number of samples is 0x41414141.

**Figure 5:** Malformed ALAC frame.

Several code snippets like the one shown below are implemented in the alac_decode_frame function to decode the frame data.

As you can see, outputsamples \* setinfo_sample_size bits are decoded from the input frame into the outputsamples_buffer_a buffer, the size of which is setinfo_max_samples_per_frame \* 4. We control all the involved values: the outputsamples, the setinfo_sample_size, the setinfo_max_samples_per_frame, and the decoding content.

For a heap data leak, we set the outputsamples and the setinfo_max_samples_per_frame to be larger than the input frame. In this case, the contents of the heap after the frame buffer are “decoded” to the outputsamples_buffer_a, which is then copied to the output buffer.

To overwrite the heap, we set the setinfo_max_samples_per_frame to be smaller than the input frame. In this case, the data is decoded outside the outputsamples_buffer_a buffer as determined by what we set in the outputsamples.

In Figure 6, you can see the crash dump caused by the malformed frame shown in Figure 5. The test device is the Xiaomi Redmi Note 9T 5G (MediaTek MT6853 Dimensity 800U 5G chipset) with MIUI Global 12.5.2.0 OS.

**Figure 6:** Crash dump of MediaTek’s ALAC decoder.

All of the described vulnerabilities can be exploited as they provide both read and write primitives.

**Qualcomm**

The ALAC decoder implemented by Qualcomm has exactly the same issues as the MediaTek’s decoder.

The OpenMAX libOmxAlacDecSw.so library is a wrapper over the libAlacSwDec.so, which is based on the source code shared by Apple.

The ALACDecoder::Init method allocates the mMixBufferU buffer to store the decoded data. The buffer size is 4 times the frame length specified in the csd-0 and controlled by the attacker.

The ALACDecoder::Decode method decodes ALAC frames. Again, there is no verification of the number of samples provided in the frame.

Depending on the numSamples and the size of the input frame, the mMixBufferU buffer can be overflowed with the input frame or filled with leaked data.

In Figure 7, you can see the crash dump of Qualcomm’s ALAC decoder. The test device is the Sony Xperia XZ Premium.

**Figure 7:** Crash dump of Qualcomm’s ALAC decoder.

**Conclusion**

We discovered several vulnerabilities in the Apple lossless audio codec that are relevant for smartphones with MediaTek and Qualcomm chipsets. Two thirds of all smartphones sold in 2021 are vulnerable.

The issues we found could be used by an attacker for RCE on a mobile device via a malicious audio file, or for LPE from an unprivileged Android application. The attacker could gain access to user conversations and stored media.

MediaTek assigned CVE-2021-0674 and CVE-2021-0675 to the ALAC issues. The vulnerabilities were already fixed and published in the December 2021 MediaTek Security Bulletin. Qualcomm released the patch for CVE-2021-30351 in the December 2021 Qualcomm Security Bulletin.

Check Point’s customers _remain fully protected_ against such threats while using Harmony Mobile Security.

CVE-2022-23747: #ALHACK: One codec to hack the whole world - Check Point Research

Google’s new mobile operating system has arrived. Take back some control with these privacy and security tips.

It's late summer in the northern hemisphere, which means new phone operating systems are coming. In a few weeks, Apple will release iOS 16 to millions of iPhones and iPads around the world. Google, meanwhile, has already made the latest version of Android available—on some phones you can now download Android 13.

The newest version of the Android operating system is more “evolution than revolution,” with the majority of changes smaller than in previous iterations. But Android’s security team is trying to simplify people’s privacy options throughout Android 13. This version of the OS involves changes under the hood for app developers and some streamlined security options for users.

You probably don’t spend a lot of time thinking about the privacy and security settings on your phone. However, whenever you download a new operating system, it’s worth spending a few minutes scrolling and tapping through all the options you haven’t touched in the past 12 months. Here’s what you should take a look at on Android 13.

Clamp Down on App Permissions

In Android 12, Google introduced “nearby device” permissions. This was designed to stop your headphones app from requesting your precise location when it was trying to wirelessly connect to your headphones. Android 13 expands on these controls to stop apps from using Wi-Fi permissions to collect your location data. In their code, app developers have to specify that they will never use Wi-Fi APIs to access location information.

Android’s **Privacy dashboard** has also been updated. The dashboard, which can be accessed through **Settings >** **Privacy**, shows the permissions you have given apps to use—this includes the apps that can access your camera, contacts, and multiple other sensors and types of data. It will now show which apps have used each permission over the past seven days, rather than just 24 hours.

Some of the privacy changes in Android 13 don’t require you to do anything, but it is worth knowing about them anyway. For instance, the OS will start deleting your clipboard history automatically after a short period of time so that apps don’t snoop on the information you previously copied. Also, from now on, apps that use Google’s advertising ID, which is a unique code assigned to your device, must declare the ad ID permission in their documentation. “If your app does not declare this permission when targeting Android 13 or higher, the advertising ID is automatically removed and replaced with a string of zeroes,” Google says.

Photo Picker

When you want to use a photo you’ve taken in another app—for instance, as a Twitter profile photo or to share images with friends—your device uses Photo Picker. This loads up a screen that includes the photos on your device and gives you the option to use them in the app you’re in. The new privacy changes in Android 13 mean you won’t automatically give an app access to all your photos and videos. Instead, the photo picker will now only give the app access to the photos you allow it.

In addition, Android’s developer pages state that if apps want to use images, audio, or video that other apps have created, they must explicitly say the type of files they want access to and give you clear prompts that this will happen.

More Notification Control

Few things are more infuriating than apps that send a constant barrage of notifications. And there are some notifications you may not want appearing on your screen for anyone nearby to see. While it has been possible to control app notifications for some time, Android 13 is making it easier to do so from the outset. Now, when you open up an app for the first time or use it for the first time in a while, you’ll be asked if you want it to send you notifications. Spammy notifications, be gone.

Other Security and Privacy Options

While you’re thinking about your phone’s privacy settings, it’s worth taking some time to flick through your device’s other options to boost your overall protection. It’s possible there are previous changes that you’ve missed. The vast majority of the settings below can be changed by visiting **Settings** on your Android and then following the specific options.

In the **Security** section, Android provides you with an overview of your device’s status. It will show you when the last security update was applied, let you set a screen lock and fingerprint or biometric unlocking (if your device supports them), and let you go through Google’s wider security checkup that looks at the current state of your accounts. (Later this year, Android will introduce a new **Security & privacy** option that will put all of these settings in one place.)

In the **Privacy** menu, there are a few things you should change. The **Privacy dashboard**, as described above, will show you which apps have used which sensors and data on your phone in the past seven days. After looking at this, you should tap on **Permission manager**, where you’ll be presented with all the sensors and types of data that your phone can give to apps. These range from your location and camera access to your calendar and files. You should look through each of the permissions and decide if an app really needs access to them to function.

Next in **Privacy**, you should open **Google location history** and **Activity controls**. Both of these options are linked to your wider Google account(s), but the settings here allow you to control what data Google keeps about you—it’s a lot. Using these options, you can wipe your web and activity data, the locations Google keeps on your movements, and details such as YouTube search history.

Then head to **Privacy** and **Ads**. Here you can use **Reset advertising ID** to change the ID Google has assigned to your phone. This advertising ID is used by apps and advertisers across the web to track your interests and show you potentially creepy personalized advertising. As well as resetting your ad ID, there’s an option to **Delete advertising ID**, meaning “apps can no longer use this advertising ID to show you personalized ads.”

Finally, while you’re thinking about your digital privacy and security, you should make sure you are using a password manager to protect your online life and using multi-factor authentication wherever possible.

The Android 13 Privacy Settings You Should Update Now

A heap-buffer-overflow had occurred in function gf_isom_dovi_config_get of isomedia/avc_ext.c:2490, as demonstrated by MP4Box. This vulnerability was fixed in commit fef6242.

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop\_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/  
**Description**  
A heap-buffer-overflow has occurred in function gf\_isom\_dovi\_config\_get of isomedia/avc\_ext.c:2490 when running program MP4Box,this can reproduce on the lattest commit.

**version info**

    fuzz@ubuntu:~/gpac2.1/gpac/bin/gcc$ ./MP4Box -version
    MP4Box - GPAC version 2.1-DEV-revUNKNOWN-master
    (c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
    	GPAC Filters: https://doi.org/10.1145/3339825.3394929
    	GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --enable-sanitizer
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D 
    
    

**crash command**

 ./MP4Box -info poc1

**crash output**

    [iso file] Unknown box type 00000200 in parent stsd
    # Movie Info - 1 track - TimeScale 1000
    Duration 00:00:10.000 (recomputed 4 Days, 14:43:47.879)
    Fragmented: no
    Major Brand mp4@ - version 0 - compatible brands: mp42 mp41 isom iso2
    Created: GMT Thu Apr 26 09:02:13 2012
    
    
    # Track 1 Info - ID 1 - TimeScale 3000
    Media Duration 00:00:10.000  (recomputed 4 Days, 14:43:47.879)
    Track flags: Enabled In Movie In Preview
    Media Info: Language "Undetermined (und)" - Type "vide:00000200" - 300 samples
    Visual Sample Entry Info: width=320 height=240 (depth=24 bits)
    Visual Track layout: x=0 y=0 width=320 height=240
    =================================================================
    ==2235126==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60f000000130 at pc 0x7ff2a69b3bc0 bp 0x7fff43da89f0 sp 0x7fff43da89e0
    READ of size 8 at 0x60f000000130 thread T0
        #0 0x7ff2a69b3bbf in gf_isom_dovi_config_get isomedia/avc_ext.c:2490
        #1 0x56165102107a in DumpTrackInfo /home/fuzz/gpac2.1/gpac/applications/mp4box/filedump.c:2862
        #2 0x56165102ea17 in DumpMovieInfo /home/fuzz/gpac2.1/gpac/applications/mp4box/filedump.c:3994
        #3 0x561651002ad0 in mp4box_main /home/fuzz/gpac2.1/gpac/applications/mp4box/mp4box.c:6367
        #4 0x7ff2a4071082 in __libc_start_main ../csu/libc-start.c:308
        #5 0x561650fd7afd in _start (/home/fuzz/gpac2.1/gpac/bin/gcc/MP4Box+0xa2afd)
    
    Address 0x60f000000130 is a wild pointer.
    SUMMARY: AddressSanitizer: heap-buffer-overflow isomedia/avc_ext.c:2490 in gf_isom_dovi_config_get
    Shadow bytes around the buggy address:
      0x0c1e7fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c1e7fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c1e7fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c1e7fff8000: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
      0x0c1e7fff8010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fa fa
    =>0x0c1e7fff8020: fa fa fa fa fa fa[fa]fa fa fa fa fa fa fa fa fa
      0x0c1e7fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c1e7fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c1e7fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c1e7fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c1e7fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==2235126==ABORTING
    

**source code**

    2481 GF_DOVIDecoderConfigurationRecord *gf_isom_dovi_config_get(GF_ISOFile* the_file, u32 trackNumber, u32 DescriptionIndex)
    2482 {
    2483 	GF_TrackBox* trak;
    2484 	GF_MPEGVisualSampleEntryBox *entry;
    2485 	trak = gf_isom_get_track_from_file(the_file, trackNumber);
    2486 	if (!trak || !trak->Media || !DescriptionIndex) return NULL;
    2487 	entry = (GF_MPEGVisualSampleEntryBox*)gf_list_get(trak->Media->information->sampleTable->SampleDescription->child_boxes, DescriptionIndex - 1);
    2488	if (!entry) return NULL;
    2489 	if (entry->internal_type != GF_ISOM_SAMPLE_ENTRY_VIDEO) return NULL;
    2490 	if (!entry->dovi_config) return NULL;          /**here**/
    2491 	return DOVI_DuplicateConfig(&entry->dovi_config->DOVIConfig);
    2492 }
    
    

**sample poc:**

poc1.zip

ps: it is similar with the issue which occured in older gpac version ( #1846) . The bug was not patched . It still occured in the newest version.

CVE-2022-36191: heap-buffer-overflow in function gf_isom_dovi_config_get  · Issue #2218 · gpac/gpac

A Null Pointer dereference vulnerability exists in GPAC 2.1-DEV-revUNKNOWN-master via the function gf_filter_pid_set_property_full () at filter_core/filter_pid.c:5250,which causes a Denial of Service (DoS). This vulnerability was fixed in commit b43f9d1.

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop\_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

**Description:**  
\`A crash happened on MP4Box(GPAC version 2.1-DEV-revUNKNOWN-master) due to a null pointer dereference vulnerability in gf\_filter\_pid\_set\_property\_full function (filter\_core/filter\_pid.c:5250) .

\`  
**MP4Box version**

    ./MP4Box -version
    MP4Box - GPAC version 2.1-DEV-revUNKNOWN-master
    (c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
    	GPAC Filters: https://doi.org/10.1145/3339825.3394929
    	GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --enable-sanitizer
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D 
    

**poc**  
poc.zip

**command**  
./MP4Box -info poc

**crash output**

    [AVC|H264] Warning: Error parsing NAL unit
    filter_core/filter_pid.c:5250:6: runtime error: member access within null pointer of type 'struct GF_FilterPid'
    

**gdb output**

    pwndbg> r
    Starting program: /home/fuzz/gpac2.1/gpac/bin/gcc/MP4Box -info ../../../test/segv2/poc
    [Thread debugging using libthread_db enabled]
    Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
    [AVC|H264] Warning: Error parsing NAL unit
    filter_core/filter_pid.c:5250:6: runtime error: member access within null pointer of type 'struct GF_FilterPid'
    [Inferior 1 (process 2239153) exited with code 01]
    pwndbg> b filter_pid.c:5250
    Breakpoint 1 at 0x7ffff4b829f6: filter_pid.c:5250. (6 locations)
    pwndbg> r
    Starting program: /home/fuzz/gpac2.1/gpac/bin/gcc/MP4Box -info ../../../test/segv2/poc
    [Thread debugging using libthread_db enabled]
    Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
    
    Breakpoint 1, gf_filter_pid_set_property_full (is_info=GF_FALSE, value=0x7ffffffe9150, dyn_name=0x0, prop_name=0x0, prop_4cc=1347244884, pid=0x613000000040) at filter_core/filter_pid.c:5301
    5301		return gf_filter_pid_set_property_full(pid, prop_4cc, NULL, NULL, value, GF_FALSE);
    LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
    ────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ REGISTERS ]─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
     RAX  0x0
     RBX  0x7ffffffe8f50 ◂— 0x41b58ab3
     RCX  0xfffffffd22a ◂— 0x0
     RDX  0x7ffffffe9150 ◂— 0x2
     RDI  0x613000000040 ◂— 0x613000000040 /* '@' */
     RSI  0x504d5354
     R8   0x0
     R9   0x7ffff58cb4f0 (global_log_tools+496) ◂— 0x2
     R10  0x7ffff24ab3f1 ◂— 'gf_filter_pid_set_property'
     R11  0x7ffff4b84110 (gf_filter_pid_set_property) ◂— endbr64 
     R12  0x613000000040 ◂— 0x613000000040 /* '@' */
     R13  0x7ffffffe9150 ◂— 0x2
     R14  0x504d5354
     R15  0xfffffffd1ea ◂— 0x0
     RBP  0x7ffffffe9060 —▸ 0x7ffffffe9380 —▸ 0x7ffffffea0d0 —▸ 0x7ffffffea170 —▸ 0x7ffffffea280 ◂— ...
     RSP  0x7ffffffe8f30 ◂— 0x0
     RIP  0x7ffff4b841c6 (gf_filter_pid_set_property+182) ◂— test   r12, r12
    ──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ DISASM ]──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
     ► 0x7ffff4b841c6 <gf_filter_pid_set_property+182>    test   r12, r12
       0x7ffff4b841c9 <gf_filter_pid_set_property+185>    je     gf_filter_pid_set_property+1477                <gf_filter_pid_set_property+1477>
     
       0x7ffff4b841cf <gf_filter_pid_set_property+191>    test   r12b, 7
       0x7ffff4b841d3 <gf_filter_pid_set_property+195>    jne    gf_filter_pid_set_property+1477                <gf_filter_pid_set_property+1477>
     
       0x7ffff4b841d9 <gf_filter_pid_set_property+201>    mov    rax, r12
       0x7ffff4b841dc <gf_filter_pid_set_property+204>    shr    rax, 3
       0x7ffff4b841e0 <gf_filter_pid_set_property+208>    cmp    byte ptr [rax + 0x7fff8000], 0
       0x7ffff4b841e7 <gf_filter_pid_set_property+215>    jne    gf_filter_pid_set_property+1447                <gf_filter_pid_set_property+1447>
     
       0x7ffff4b841ed <gf_filter_pid_set_property+221>    cmp    r12, qword ptr [r12]
       0x7ffff4b841f1 <gf_filter_pid_set_property+225>    jne    gf_filter_pid_set_property+1016                <gf_filter_pid_set_property+1016>
     
       0x7ffff4b841f7 <gf_filter_pid_set_property+231>    mov    esi, r14d
    ──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ SOURCE (CODE) ]───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
    In file: /home/fuzz/gpac2.1/gpac/src/filter_core/filter_pid.c
       5296 
       5297 GF_EXPORT
       5298 GF_Err gf_filter_pid_set_property(GF_FilterPid *pid, u32 prop_4cc, const GF_PropertyValue *value)
       5299 {
       5300 	if (!prop_4cc) return GF_BAD_PARAM;
     ► 5301 	return gf_filter_pid_set_property_full(pid, prop_4cc, NULL, NULL, value, GF_FALSE);
       5302 }
       5303 
       5304 GF_EXPORT
       5305 GF_Err gf_filter_pid_set_property_str(GF_FilterPid *pid, const char *name, const GF_PropertyValue *value)
       5306 {
    ──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ STACK ]───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
    00:0000│ rsp 0x7ffffffe8f30 ◂— 0x0
    01:0008│     0x7ffffffe8f38 ◂— 0x0
    02:0010│     0x7ffffffe8f40 —▸ 0x7ffffffe9030 —▸ 0x7ffff54af2c0 ◂— 0x6372636170672e /* '.gpacrc' */
    03:0018│     0x7ffffffe8f48 —▸ 0x7ffffffe8f50 ◂— 0x41b58ab3
    04:0020│ rbx 0x7ffffffe8f50 ◂— 0x41b58ab3
    05:0028│     0x7ffffffe8f58 —▸ 0x7ffff5640eff ◂— '1 48 100 11 szName:5290'
    06:0030│     0x7ffffffe8f60 —▸ 0x7ffff4b84110 (gf_filter_pid_set_property) ◂— endbr64 
    07:0038│     0x7ffffffe8f68 —▸ 0x618000000c80 —▸ 0x7ffff6de03e0 (FileInRegister) —▸ 0x7ffff56a6580 ◂— 0x6e6966 /* 'fin' */
    ────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ BACKTRACE ]─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
     ► f 0   0x7ffff4b841c6 gf_filter_pid_set_property+182
       f 1   0x7ffff4b841c6 gf_filter_pid_set_property+182
       f 2   0x7ffff4c06993 gf_filter_pid_raw_new+595
       f 3   0x7ffff4dc30b1 filein_process+2721
       f 4   0x7ffff4c0eb6d gf_filter_process_task+3581
       f 5   0x7ffff4bd4953 gf_fs_thread_proc+2275
       f 6   0x7ffff4be0c67 gf_fs_run+455
       f 7   0x7ffff462a677 gf_media_import+10263
    ──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
    ──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
    pwndbg> bt
    #0  gf_filter_pid_set_property_full (is_info=GF_FALSE, value=0x7ffffffe9150, dyn_name=0x0, prop_name=0x0, prop_4cc=1347244884, pid=0x613000000040) at filter_core/filter_pid.c:5301
    #1  gf_filter_pid_set_property (pid=pid@entry=0x613000000040, prop_4cc=prop_4cc@entry=1347244884, value=0x7ffffffe9150) at filter_core/filter_pid.c:5301
    #2  0x00007ffff4c06993 in gf_filter_pid_raw_new (filter=filter@entry=0x618000000c80, url=0x603000000f40 "../../../test/segv2/poc", local_file=<optimized out>, mime_type=<optimized out>, fext=<optimized out>, probe_data=<optimized out>, probe_size=<optimized out>, trust_mime=<optimized out>, out_pid=<optimized out>) at filter_core/filter.c:3891
    #3  0x00007ffff4dc30b1 in filein_process (filter=<optimized out>) at filters/in_file.c:481
    #4  0x00007ffff4c0eb6d in gf_filter_process_task (task=0x607000000b10) at filter_core/filter.c:2639
    #5  0x00007ffff4bd4953 in gf_fs_thread_proc (sess_thread=sess_thread@entry=0x616000000110) at filter_core/filter_session.c:1857
    #6  0x00007ffff4be0c67 in gf_fs_run (fsess=fsess@entry=0x616000000080) at filter_core/filter_session.c:2118
    #7  0x00007ffff462a677 in gf_media_import (importer=importer@entry=0x7ffffffeaa50) at media_tools/media_import.c:1226
    #8  0x0000555555651a12 in convert_file_info (inName=<optimized out>, track_id=0x555555764fb0 <info_track_id>) at fileimport.c:130
    #9  0x000055555562279f in mp4box_main (argc=<optimized out>, argv=<optimized out>) at mp4box.c:6265
    #10 0x00007ffff1949083 in __libc_start_main (main=0x5555555f6a00 <main>, argc=3, argv=0x7fffffffe488, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe478) at ../csu/libc-start.c:308
    #11 0x00005555555f6afe in _start () at mp4box.c:6811
    pwndbg> p pid
    $2 = (GF_FilterPid *) 0x613000000040
    pwndbg> c
    Continuing.
    [AVC|H264] Warning: Error parsing NAL unit
    
    Breakpoint 1, gf_filter_pid_set_property_full (is_info=GF_FALSE, value=0x7ffffffe9810, dyn_name=0x0, prop_name=0x0, prop_4cc=1146050121, pid=0x0) at filter_core/filter_pid.c:5301
    5301		return gf_filter_pid_set_property_full(pid, prop_4cc, NULL, NULL, value, GF_FALSE);
    LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
    ............
    until.......
    
    pwndbg> p pid
    $3 = (GF_FilterPid *) 0x0
    pwndbg> i b
    Num     Type           Disp Enb Address            What
    1       breakpoint     keep y   <MULTIPLE>         
    	breakpoint already hit 9 times
    1.1                         y   0x00007ffff4b829f6 in gf_filter_pid_set_property_full at filter_core/filter_pid.c:5250
    1.2                         y   0x00007ffff4b8314e in gf_filter_pid_set_property_full at filter_core/filter_pid.c:5250
    1.3                         y   0x00007ffff4b834d1 in gf_filter_pid_set_property_full at filter_core/filter_pid.c:5250
    1.4                         y   0x00007ffff4b8393e in gf_filter_pid_set_property_full at filter_core/filter_pid.c:5250
    1.5                         y   0x00007ffff4b83cc1 in gf_filter_pid_set_property_full at filter_core/filter_pid.c:5250
    1.6                         y   0x00007ffff4b841c6 in gf_filter_pid_set_property_full at filter_core/filter_pid.c:5250
    pwndbg> n
    filter_core/filter_pid.c:5250:6: runtime error: member access within null pointer of type 'struct GF_FilterPid'
    [Inferior 1 (process 2239158) exited with code 01]
    
    

**source code**

    5246 static GF_Err gf_filter_pid_set_property_full(GF_FilterPid *pid, u32 prop_4cc, const char *prop_name, char *dyn_name, const GF_PropertyValue *value, Bool is_info)
    5247 {
    5248 	GF_PropertyMap *map;
    5249 	const GF_PropertyValue *oldp;
    5250	if (PID_IS_INPUT(pid)) {    //**here**//
    5251		GF_LOG(GF_LOG_ERROR, GF_LOG_FILTER, ("Attempt to write property on input PID in filter %s - ignoring\n", pid->filter->name));
    5252		return GF_BAD_PARAM;
    5253	}

CVE-2022-36186: A NULL pointer dereference in gf_filter_pid_set_property_full  · Issue #2223 · gpac/gpac

GPAC mp4box 2.1-DEV-revUNKNOWN-master has a use-after-free vulnerability in function gf_isom_dovi_config_get. This vulnerability was fixed in commit fef6242.

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop\_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

**Description**

Heap use after free in fuction gf_isom_dovi_config_get located in isomedia/avc_ext.c:2490

**System info**

ubuntu 20.04 lts

**version info:**

     ./MP4Box -version
    MP4Box - GPAC version 2.1-DEV-revUNKNOWN-master
    (c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
    	GPAC Filters: https://doi.org/10.1145/3339825.3394929
    	GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --enable-sanitizer
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D 
    

**compile**

    ./configure --enable-sanitizer 
    make
    

**crash command:**  
./MP4Box -info  poc

**poc :**  
poc.zip

**Crash output:**

    
    [iso file] Unknown box type mp4u in parent stsd
    [iso file] extra box maxr found in hinf, deleting
    [iso file] extra box maxr found in hinf, deleting
    [iso file] Unknown box type 80rak in parent moov
    [iso file] Unknown box type drzf in parent dinf
    [iso file] Missing dref box in dinf
    [iso file] Incomplete box mdat - start 11495 size 853076
    [iso file] Incomplete file while reading for dump - aborting parsing
    # Movie Info - 5 tracks - TimeScale 90000
    Duration 00:00:22.839 (recomputed 00:00:22.848)
    Fragmented: no
    Progressive (moov before mdat)
    Major Brand isom - version 1 - compatible brands:
    Created: GMT Wed Sep 14 06:08:31 2078
    Modified: GMT Wed Sep 14 06:08:33 2078
    
    File has root IOD (96 bytes)
    Scene PL 0xff - Graphics PL 0xff - OD PL 0xff
    Visual PL: Simple Profile @ Level 1 (0x01)
    Audio PL: High Quality Audio Profile @ Level 2 (0x0f)
    1 UDTA types: 
    	hnti: 
    
    # Track 1 Info - ID 1 - TimeScale 90000
    Media Duration 00:00:22.800 
    Track flags: Enabled
    Media Info: Language "Undetermined (und)" - Type "vide:mp4u" - 342 samples
    Visual Sample Entry Info: width=176 height=144 (depth=24 bits)
    Visual Track layout: x=0 y=0 width=176 height=144
    =================================================================
    ==2234976==ERROR: AddressSanitizer: heap-use-after-free on address 0x60f000000130 at pc 0x7fbba822fbc0 bp 0x7ffe87b46740 sp 0x7ffe87b46730
    READ of size 8 at 0x60f000000130 thread T0
        #0 0x7fbba822fbbf in gf_isom_dovi_config_get isomedia/avc_ext.c:2490
        #1 0x55f3db03107a in DumpTrackInfo /home/fuzz/gpac2.1/gpac/applications/mp4box/filedump.c:2862
        #2 0x55f3db03ea17 in DumpMovieInfo /home/fuzz/gpac2.1/gpac/applications/mp4box/filedump.c:3994
        #3 0x55f3db012ad0 in mp4box_main /home/fuzz/gpac2.1/gpac/applications/mp4box/mp4box.c:6367
        #4 0x7fbba58ed082 in __libc_start_main ../csu/libc-start.c:308
        #5 0x55f3dafe7afd in _start (/home/fuzz/gpac2.1/gpac/bin/gcc/MP4Box+0xa2afd)
    
    0x60f000000130 is located 0 bytes inside of 168-byte region [0x60f000000130,0x60f0000001d8)
    freed by thread T0 here:
        #0 0x7fbbab63440f in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:122
        #1 0x7fbba825252d in unkn_box_read isomedia/box_code_base.c:793
        #2 0x7fbba83015e3 in gf_isom_box_read isomedia/box_funcs.c:1860
        #3 0x7fbba83015e3 in gf_isom_box_parse_ex isomedia/box_funcs.c:271
        #4 0x7fbba830615a in gf_isom_box_array_read isomedia/box_funcs.c:1753
        #5 0x7fbba82524fb in unkn_box_read isomedia/box_code_base.c:789
        #6 0x7fbba83015e3 in gf_isom_box_read isomedia/box_funcs.c:1860
        #7 0x7fbba83015e3 in gf_isom_box_parse_ex isomedia/box_funcs.c:271
        #8 0x7fbba830615a in gf_isom_box_array_read isomedia/box_funcs.c:1753
        #9 0x7fbba82524fb in unkn_box_read isomedia/box_code_base.c:789
        #10 0x7fbba83015e3 in gf_isom_box_read isomedia/box_funcs.c:1860
        #11 0x7fbba83015e3 in gf_isom_box_parse_ex isomedia/box_funcs.c:271
        #12 0x7fbba830615a in gf_isom_box_array_read isomedia/box_funcs.c:1753
        #13 0x7fbba82524fb in unkn_box_read isomedia/box_code_base.c:789
        #14 0x7fbba83015e3 in gf_isom_box_read isomedia/box_funcs.c:1860
        #15 0x7fbba83015e3 in gf_isom_box_parse_ex isomedia/box_funcs.c:271
        #16 0x7fbba830615a in gf_isom_box_array_read isomedia/box_funcs.c:1753
        #17 0x7fbba83015e3 in gf_isom_box_read isomedia/box_funcs.c:1860
        #18 0x7fbba83015e3 in gf_isom_box_parse_ex isomedia/box_funcs.c:271
        #19 0x7fbba8302a35 in gf_isom_parse_root_box isomedia/box_funcs.c:38
        #20 0x7fbba832babc in gf_isom_parse_movie_boxes_internal isomedia/isom_intern.c:373
        #21 0x7fbba8331c2f in gf_isom_parse_movie_boxes isomedia/isom_intern.c:860
        #22 0x7fbba8331c2f in gf_isom_open_file isomedia/isom_intern.c:980
        #23 0x55f3db00c549 in mp4box_main /home/fuzz/gpac2.1/gpac/applications/mp4box/mp4box.c:6181
        #24 0x7fbba58ed082 in __libc_start_main ../csu/libc-start.c:308
    
    previously allocated by thread T0 here:
        #0 0x7fbbab634808 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
        #1 0x7fbba82521ef in unkn_box_read isomedia/box_code_base.c:768
        #2 0x7fbba83015e3 in gf_isom_box_read isomedia/box_funcs.c:1860
        #3 0x7fbba83015e3 in gf_isom_box_parse_ex isomedia/box_funcs.c:271
        #4 0x7fbba830615a in gf_isom_box_array_read isomedia/box_funcs.c:1753
        #5 0x7fbba82524fb in unkn_box_read isomedia/box_code_base.c:789
        #6 0x7fbba83015e3 in gf_isom_box_read isomedia/box_funcs.c:1860
        #7 0x7fbba83015e3 in gf_isom_box_parse_ex isomedia/box_funcs.c:271
        #8 0x7fbba830615a in gf_isom_box_array_read isomedia/box_funcs.c:1753
        #9 0x7fbba82524fb in unkn_box_read isomedia/box_code_base.c:789
        #10 0x7fbba83015e3 in gf_isom_box_read isomedia/box_funcs.c:1860
        #11 0x7fbba83015e3 in gf_isom_box_parse_ex isomedia/box_funcs.c:271
        #12 0x7fbba830615a in gf_isom_box_array_read isomedia/box_funcs.c:1753
        #13 0x7fbba82524fb in unkn_box_read isomedia/box_code_base.c:789
        #14 0x7fbba83015e3 in gf_isom_box_read isomedia/box_funcs.c:1860
        #15 0x7fbba83015e3 in gf_isom_box_parse_ex isomedia/box_funcs.c:271
        #16 0x7fbba830615a in gf_isom_box_array_read isomedia/box_funcs.c:1753
        #17 0x7fbba83015e3 in gf_isom_box_read isomedia/box_funcs.c:1860
        #18 0x7fbba83015e3 in gf_isom_box_parse_ex isomedia/box_funcs.c:271
        #19 0x7fbba8302a35 in gf_isom_parse_root_box isomedia/box_funcs.c:38
        #20 0x7fbba832babc in gf_isom_parse_movie_boxes_internal isomedia/isom_intern.c:373
        #21 0x7fbba8331c2f in gf_isom_parse_movie_boxes isomedia/isom_intern.c:860
        #22 0x7fbba8331c2f in gf_isom_open_file isomedia/isom_intern.c:980
        #23 0x55f3db00c549 in mp4box_main /home/fuzz/gpac2.1/gpac/applications/mp4box/mp4box.c:6181
        #24 0x7fbba58ed082 in __libc_start_main ../csu/libc-start.c:308
    
    SUMMARY: AddressSanitizer: heap-use-after-free isomedia/avc_ext.c:2490 in gf_isom_dovi_config_get
    Shadow bytes around the buggy address:
      0x0c1e7fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c1e7fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c1e7fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c1e7fff8000: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
      0x0c1e7fff8010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fa fa
    =>0x0c1e7fff8020: fa fa fa fa fa fa[fd]fd fd fd fd fd fd fd fd fd
      0x0c1e7fff8030: fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa
      0x0c1e7fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c1e7fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c1e7fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c1e7fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==2234976==ABORTING
    
    

**Impact**

can cause a program to crash, use unexpected values, or execute code.

Occurrences:  
avc\_ext.c:2490

ps: this test was still based on the newest mp4box+asan. The bug happened in avc\_ext.c:2490 which was the same location with the other issue i submitted (#2218). Maybe asan mistakenly reports "heap-use-after-free" instead of "heap-buffer-overflow". Pls check it again.

CVE-2022-36190: Heap Use After Free in function gf_isom_dovi_config_get  · Issue #2220 · gpac/gpac

In this article, we explore what Red Hat Insights and Red Hat Satellite have to offer individually, and then we will look at how you can have a heightened experience of the two products with the use of Cloud Connector.

In this article, we explore what **Red Hat Insights** and **Red Hat Satellite** have to offer individually, and then we will look at how you can have a heightened experience of the two products with the use of Cloud Connector. We then evaluate both offerings by performing a feature-by-feature comparison of the tools for a better understanding of how they compare.

Insights and Satellite are frequently used by customers for a myriad of use cases — some similar and some vastly different — including managing their IT estate. Ultimately, customers are able to proactively streamline the security posture of their IT estate with both or either of these products.

**Red Hat Insights and Red Hat Satellite overview**

Insights is a Software-as-a-Service (SaaS) offering, available through the Hybrid Cloud Console with a Red Hat Enterprise Linux (RHEL) or Satellite subscription. Insights continuously analyzes platforms and applications to predict risk and recommend actions. This aids in the more effective management of your hybrid cloud environments overall.

_Figure 1: Insights dashboard on Hybrid Cloud Console_

Insights gathers configuration and utilization data on an ongoing basis, then analyzes and provides insights from that data via the web UI, API or integrations through notifications or webhooks. Insights gives you a Red Hat view of how you should prioritize taking action, when and where needed, based on our unique experience in supporting Red Hat products.

With a holistic view of your IT estate in mind, how does an organization manage its IT environment? It is important for customers to have a systematic way to manage their infrastructure. Without standard processes, their organization could at best have inefficiencies, and at worst be open to all kinds of security breaches, compliance issues and audit difficulties.

In relation to scalability, Satellite automates workflow and streamlines content management. This can make administrators much more efficient, giving them more time to work on strategic initiatives rather than spending all day on tedious, manual and error-prone tasks. Other advantages of Satellite include that it provides lifecycle management across your Red Hat infrastructure, that it streamlines your content management and that it is able to scale.

**Introducing Cloud Connector**

Satellite can work with Insights for the advanced remediation of issues through the use of Cloud Connector. Cloud Connector ties the technologies together so that you can find issues with Insights and fix them with Satellite at scale.

_Figure 2: Insights and Satellite (with Cloud Connector) enables push-button remediation of issues identified by Insights_

The connected experience between Insights and Satellite is illustrated in Figure 2. All of the data collected on Insights is automatically proxied through Satellite without you having to do any manual configuration. Configuring Cloud Connector enables the "Execute Remediation" button inside of the Insights Remediations service.

_Figure 3: Remediations service on Insights console_

It really is as simple as clicking a button and running the playbook and having the issue fixed in a matter of minutes. 

Our goal at Red Hat is to do what we can to help you solve your business needs and keep your organization performing at its best. With this in mind, Insights is able to help detect and address IT security issues beyond patching, compliance, performance and availability as well as consistency issues; all of these can result in reduced efficiency and increased costs.

Satellite will help detect and address problems such as the remediation of issues, lifecycle and content management, provisioning and patching at scale across your entire environment.

**Feature comparison**

Here's a comparison of Insights and Satellite features. This is not an all-encompassing list, but provides key functionality comparisons in different focus areas.

**Focus area: Vulnerability**

 

Red Hat Insights

Red Hat Satellite

Dashboard

Displays only CVEs with errata. If there is no CVE resolution, Insights won’t show it.

All vulnerabilities with an errata are shown. By default, you can only see a vulnerability that affects your environment.

Risk scoring

Uses standard common vulnerability scoring system (CVSS). Can score business risk and change status for CVE.

Uses standard common vulnerability scoring system (CVSS).

Reporting

PDF or CSV

CSV

**Focus area: Compliance**

 

Red Hat Insights

Red Hat Satellite

Configuration

Better known for compliance; knows the compatibility matrix, avoiding false positives.

Does not know the compatibility matrix.

OpenSCAP

Manual installation required, but can be simplified using Red Hat Connector.

Manual installation. Required to then automate the process.

Policy customisation

Can edit as needed within the compliance service. Cannot tailor value of a rule, but can tailor to include/exclude policies.

Can edit policy within OpenSCAP Workbench (UI) and can tailor the value of a rule.

Additional configuration

Each host will need OpenSCAP and RHEL security packages installed. Assign host to a policy.

Enable OpenSCAP on a capsule, assign an OpenSCAP capsule.

SCAP Import

Does not support any import/export functionality as of today.

SCAP content must be imported into Satellite Server before being applied in a policy.

**Focus area: Patching**

 

Red Hat Insights

Red Hat Satellite

Usage

Centralized view of impact of your entire state registered to Insights.

Robust content management and lifecycle management — not offered as part of Insights. Satellite would likely not be used to manage the same set of systems.

Capability

High-level; using subscription manager or yum, providing access to all appropriate packages on the Red Hat CDN.

Robust content and lifecycle management and is purpose-built for patching (and provisioning etc.) of RHEL. Content views to filter and curate available packages in Red Hat, third party and custom repos.

**Focus area: Remediations**

 

Red Hat Insights

Red Hat Satellite

Execution

Manual; download playbook and transfer to system with an Ansible setup. Can connect Red Hat Ansible Automation Platform or Tower to Insights, or use Red Hat Connector with RHEL 8.4+ to seamlessly interact directly with hosts; execute playbook button enabled.

Satellite configured with Red Hat Connector has  a remediate playbook button, and Satellite server can run the playbook at the click of a button on connected hosts.

Cloud connector required

No

Required to create connection between Satellite servers and Insights to remediate playbooks. Multiple satellites can be connected.

GUI access to Insights services

Available on Hybrid Cloud Console. Access to all Insights services.

Satellite GUI only displays Advisor service.

To summarize, Red Hat Insights and Red Hat  Satellite can help you to achieve your organization’s overall security goals. Combining Insights and Satellite through the use of Cloud Connector allows you to unlock a connected experience when managing your environment.

Learn more

*   Red Hat Insights: Predictive analytics for Red Hat Enterprise Linux
    
*   Automation analytics and Red Hat Insights for Red Hat Ansible Automation Platform
    
*   Save administrator time and effort by activating Red Hat Insights
    
*   Boost Red Hat Enterprise Linux efficiency with Red Hat Insights
    
*   Red Hat Satellite: How to obtain Insights Advisor recommendations

Streamlining IT security operations with Red Hat Insights and Red Hat Satellite

SWFTools commit 772e55a2 was discovered to contain a heap-buffer overflow via swf_DefineLosslessBitsTagToImage at /modules/swfbits.c.

    ==20010==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6110000007fc at pc 0x000000509052 bp 0x7ffd07ab6370 sp 0x7ffd07ab6368
    READ of size 4 at 0x6110000007fc thread T0
        #0 0x509051 in swf_DefineLosslessBitsTagToImage /home/bupt/Desktop/swftools/lib/modules/swfbits.c:1037:16
        #1 0x50aacb in swf_ExtractImage /home/bupt/Desktop/swftools/lib/modules/swfbits.c:1221:9
        #2 0x4fcf44 in extractDefinitions /home/bupt/Desktop/swftools/lib/readers/swf.c:405:18
        #3 0x4fcf44 in swf_open /home/bupt/Desktop/swftools/lib/readers/swf.c:736:18
        #4 0x4f6846 in main /home/bupt/Desktop/swftools/src/swfrender.c:174:29
        #5 0x7fb150d57c86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
        #6 0x41d4c9 in _start (/home/bupt/Desktop/swftools/build/bin/swfrender+0x41d4c9)
    
    0x6110000007fc is located 764 bytes to the right of 256-byte region [0x611000000400,0x611000000500)
    allocated by thread T0 here:
        #0 0x4afa90 in malloc /home/bupt/桌面/tools/llvm-12.0.1/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:145
        #1 0x62146e in rfx_alloc /home/bupt/Desktop/swftools/lib/mem.c:30:9
        #2 0x50aacb in swf_ExtractImage /home/bupt/Desktop/swftools/lib/modules/swfbits.c:1221:9
        #3 0x4f6846 in main /home/bupt/Desktop/swftools/src/swfrender.c:174:29
        #4 0x7fb150d57c86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /home/bupt/Desktop/swftools/lib/modules/swfbits.c:1037:16 in swf_DefineLosslessBitsTagToImage
    Shadow bytes around the buggy address:
      0x0c227fff80a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c227fff80b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c227fff80c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c227fff80d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c227fff80e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    =>0x0c227fff80f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa[fa]
      0x0c227fff8100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c227fff8110: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c227fff8120: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c227fff8130: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c227fff8140: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==20010==ABORTING
    

    ==20817==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000004 (pc 0x0000004f9f76 bp 0x0c1600000664 sp 0x7fffe97402a0 T0)
    ==20817==The signal is caused by a READ memory access.
    ==20817==Hint: address points to the zero page.
        #0 0x4f9f76 in extractFrame /home/bupt/Desktop/swftools/lib/readers/swf.c:458:49
        #1 0x4f981c in swfpage_render /home/bupt/Desktop/swftools/lib/readers/swf.c:637:23
        #2 0x4f7398 in main /home/bupt/Desktop/swftools/src/swfrender.c:218:17
        #3 0x7f720636dc86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
        #4 0x41d4c9 in _start (/home/bupt/Desktop/swftools/build/bin/swfrender+0x41d4c9)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV /home/bupt/Desktop/swftools/lib/readers/swf.c:458:49 in extractFrame
    ==20817==ABORTING

CVE-2022-35113: bug found in swfrender · Issue #185 · matthiaskramm/swftools

OTFCC v0.10.4 was discovered to contain a heap-buffer overflow via /release-x64/otfccdump+0x6e412a.

Tag

#ssl