podofoinfo 0.10.0 was discovered to contain a segmentation violation via the function PoDoFo::PdfDictionary::findKeyParent.

CVE-2023-31556: [podofo-0.10.0]Stack-Overflow · Issue #66 · podofo/podofo

xpdf pdfimages v4.04 was discovered to contain a stack overflow in the component Catalog::readEmbeddedFileTree(Object*). This vulnerability allows attackers to cause a Denial of Service (DoS).

CVE-2023-31557: A stack-overflow in xpdf4.04 - forum.xpdfreader.com

Podofo v0.10.0 was discovered to contain a heap buffer overflow via the component PoDoFo::PdfEncryptRC4::PdfEncryptRC4.

We found a heap-buffer-overflow in podofo 0.10.0(main/PdfEncrypt.cpp:1132:5 in PoDoFo::PdfEncryptRC4::PdfEncryptRC4).

**Command Input**

podofopdfinfo poc_file 

poc\_file is attached.

**Sanitizer Dump**

    ==3975233==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60300000122f at pc 0x0000004ab677 bp 0x7ffc5060df20 sp 0x7ffc5060d6e8
    READ of size 32 at 0x60300000122f thread T0
        #0 0x4ab676 in __asan_memcpy /root/test/fuzzing_python/llvm-project-llvmorg-12.0.0/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:22:3
        #1 0x64570f in PoDoFo::PdfEncryptRC4::PdfEncryptRC4(PoDoFo::PdfString, PoDoFo::PdfString, PoDoFo::PdfPermissions, int, PoDoFo::PdfEncryptAlgorithm, int, bool) /root/target/Invariants/podofo-0.10.0/src/podofo/main/PdfEncrypt.cpp:1132:5
        #2 0x638356 in PoDoFo::PdfEncrypt::CreateFromObject(PoDoFo::PdfObject const&) /root/target/Invariants/podofo-0.10.0/src/podofo/main/PdfEncrypt.cpp:556:43
        #3 0x79b3a8 in PoDoFo::PdfParser::ReadObjects(PoDoFo::InputStreamDevice&) /root/target/Invariants/podofo-0.10.0/src/podofo/main/PdfParser.cpp:631:29
        #4 0x798f13 in PoDoFo::PdfParser::Parse(PoDoFo::InputStreamDevice&, bool) /root/target/Invariants/podofo-0.10.0/src/podofo/main/PdfParser.cpp:83:9
        #5 0x71c42e in PoDoFo::PdfMemDocument::loadFromDevice(std::shared_ptr<PoDoFo::InputStreamDevice> const&, std::basic_string_view<char, std::char_traits<char> > const&) /root/target/Invariants/podofo-0.10.0/src/podofo/main/PdfMemDocument.cpp:148:12
        #6 0x71dcdd in PoDoFo::PdfMemDocument::LoadFromDevice(std::shared_ptr<PoDoFo::InputStreamDevice> const&, std::basic_string_view<char, std::char_traits<char> > const&) /root/target/Invariants/podofo-0.10.0/src/podofo/main/PdfMemDocument.cpp:137:5
        #7 0x71d8eb in PoDoFo::PdfMemDocument::Load(std::basic_string_view<char, std::char_traits<char> > const&, std::basic_string_view<char, std::char_traits<char> > const&) /root/target/Invariants/podofo-0.10.0/src/podofo/main/PdfMemDocument.cpp:119:5
        #8 0x4e1be9 in PdfInfoHelper::PdfInfoHelper(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /root/target/Invariants/podofo-0.10.0/tools/podofopdfinfo/pdfinfo.cpp:16:12
        #9 0x4e06b7 in main /root/target/Invariants/podofo-0.10.0/tools/podofopdfinfo/podofopdfinfo.cpp:94:23
        #10 0x7f5ed7b54082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
        #11 0x43106d in _start (/root/target/Invariants/podofo-0.10.0/build_clang/target/podofopdfinfo+0x43106d)
    
    0x60300000122f is located 0 bytes to the right of 31-byte region [0x603000001210,0x60300000122f)
    allocated by thread T0 here:
        #0 0x4dd3dd in operator new(unsigned long) /root/test/fuzzing_python/llvm-project-llvmorg-12.0.0/compiler-rt/lib/asan/asan_new_delete.cpp:99:3
        #1 0x7f5ed800487f in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::reserve(unsigned long) (/lib/x86_64-linux-gnu/libstdc++.so.6+0x14387f)
        #2 0x87564a in PoDoFo::StandardStreamDevice::readChar(char&) /root/target/Invariants/podofo-0.10.0/src/podofo/auxiliary/StreamDevice.cpp:290:12
        #3 0x868d29 in PoDoFo::InputStream::Read(char&) /root/target/Invariants/podofo-0.10.0/src/podofo/auxiliary/InputStream.cpp:53:12
        #4 0x7e319a in readHexString(PoDoFo::InputStreamDevice&, PoDoFo::charbuff_t<void>&) /root/target/Invariants/podofo-0.10.0/src/podofo/main/PdfTokenizer.cpp:801:16
    LLVMSymbolizer: error reading file: No such file or directory
        #5 0x7ffc50612342  ([stack]+0x20342)
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /root/test/fuzzing_python/llvm-project-llvmorg-12.0.0/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:22:3 in __asan_memcpy
    Shadow bytes around the buggy address:
      0x0c067fff81f0: 00 fa fa fa 00 00 00 00 fa fa 00 00 00 fa fa fa
      0x0c067fff8200: fd fd fd fa fa fa 00 00 00 fa fa fa fd fd fd fa
      0x0c067fff8210: fa fa 00 00 00 fa fa fa 00 00 00 fa fa fa 00 00
      0x0c067fff8220: 00 fa fa fa fd fd fd fa fa fa 00 00 00 fa fa fa
      0x0c067fff8230: 00 00 00 fa fa fa 00 00 00 fa fa fa fd fd fd fa
    =>0x0c067fff8240: fa fa 00 00 00[07]fa fa 00 00 00 fa fa fa 00 00
      0x0c067fff8250: 00 00 fa fa fd fd fd fa fa fa fd fd fd fa fa fa
      0x0c067fff8260: 00 00 00 fa fa fa fd fd fd fd fa fa 00 00 00 00
      0x0c067fff8270: fa fa 00 00 00 fa fa fa fd fd fd fa fa fa 00 00
      0x0c067fff8280: 00 fa fa fa 00 00 00 00 fa fa 00 00 00 fa fa fa
      0x0c067fff8290: fd fd fd fa fa fa fd fd fd fa fa fa fd fd fd fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==3975233==ABORTING
    

**Environment**

*   OS: Ubuntu 20.04.1
*   clang:12.0.0
*   podofo:0.10.0

we built podofo with AddressSanitizer (ASAN) .

cmake -DCMAKE_CXX_COMPILER=clang++ -DCMAKE_C_COMPILER=clang -DCMAKE_C_FLAGS="-O0 -fsanitize=address" -DCMAKE_CXX_FLAGS="-O0 -fsanitize=address"

poc\_file.zip

CVE-2023-31568: Heap-buffer-overflow in podofo 0.10.0(main/PdfEncrypt.cpp:1132:5 in PoDoFo::PdfEncryptRC4::PdfEncryptRC4) · Issue #72 · podofo/podofo

podofoinfo 0.10.0 was discovered to contain a segmentation violation via the function PoDoFo::PdfObject::DelayedLoad.

When using podofopdfinfo to parse a PDF file, a SIGSEGV error occurs. By debugging with gdb, it was found that the error occurred at line 163 in podofo-0.10.0/src/podofo/main/PdfObject.cpp:

if (m\_IsDelayedLoadDone)

When checking the value of m\_IsDelayedLoadDone with "p" command, it was found that the value was 0x31. As a boolean value, it should only be assigned either 0 or 1, but not any other numbers. Previously, PoDoFo::PdfObject::DelayedLoad was also called and executed normally, but calling this function in the getString() function would result in a failure. The specific gdb bt stack trace is as follows.

**Command Input**

podofopdfinfo poc\_file

poc\_file are attached.

**Environment**

*   OS: Ubuntu 20.04.1
*   clang:12.0.0
*   podofo:0.10.0

poc\_file.zip

CVE-2023-31555: [podofo-0.10.0]a SIGSEGV error occurs · Issue #67 · podofo/podofo

xpdf pdfimages v4.04 was discovered to contain a stack overflow in the component Catalog::readPageLabelTree2(Object*). This vulnerability allows attackers to cause a Denial of Service (DoS).

CVE-2023-31554: A stack-overflow in pdfimages xpdf4.04

Ubuntu Security Notice 6064-1 - It was discovered that SQL parse incorrectly handled certain regular expression. An attacker could possibly use this issue to cause a denial of service.

=========================================================================  
Ubuntu Security Notice USN-6064-1  
May 10, 2023

sqlparse vulnerability  
=========================================================================  
A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.04  
- Ubuntu 22.10  
- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS  
- Ubuntu 18.04 LTS

Summary:

SQL parse could be made to denial of service if it received  
a specially crafted regular expression.

Software Description:  
- sqlparse: documentation for non-validating SQL parser in Python

Details:

It was discovered that SQL parse incorrectly handled certain regular expression.  
An attacker could possibly use this issue to cause a denial of service.

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 23.04:  
  python3-sqlparse                0.4.2-1ubuntu0.23.04.1

Ubuntu 22.10:  
  python3-sqlparse                0.4.2-1ubuntu0.22.10.1

Ubuntu 22.04 LTS:  
  python3-sqlparse                0.4.2-1ubuntu0.22.04.1

Ubuntu 20.04 LTS:  
  python3-sqlparse                0.2.4-3ubuntu0.1

Ubuntu 18.04 LTS:  
  python-sqlparse                 0.2.4-0.1ubuntu0.1

In general, a standard system update will make all the necessary changes.

References:  
  https://ubuntu.com/security/notices/USN-6064-1  
  CVE-2023-30608

Package Information:  
  https://launchpad.net/ubuntu/+source/sqlparse/0.4.2-1ubuntu0.23.04.1  
  https://launchpad.net/ubuntu/+source/sqlparse/0.4.2-1ubuntu0.22.10.1  
  https://launchpad.net/ubuntu/+source/sqlparse/0.4.2-1ubuntu0.22.04.1  
  https://launchpad.net/ubuntu/+source/sqlparse/0.2.4-3ubuntu0.1  
  https://launchpad.net/ubuntu/+source/sqlparse/0.2.4-0.1ubuntu0.1

Ubuntu Security Notice USN-6064-1

Ubuntu Security Notice 6068-1 - David Marchand discovered that Open vSwitch incorrectly handled IP packets with the protocol set to 0. A remote attacker could possibly use this issue to cause a denial of service.

==========================================================================  
Ubuntu Security Notice USN-6068-1  
May 10, 2023

openvswitch vulnerability  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.10  
- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS  
- Ubuntu 18.04 LTS

Summary:

Open vSwitch could be made to stop forwarding packets if it received  
specially crafted network traffic.

Software Description:  
- openvswitch: Ethernet virtual switch

Details:

David Marchand discovered that Open vSwitch incorrectly handled IP packets  
with the protocol set to 0. A remote attacker could possibly use this issue  
to cause a denial of service.

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 22.10:  
   openvswitch-common              3.0.3-0ubuntu0.22.10.3  
   python3-openvswitch             3.0.3-0ubuntu0.22.10.3

Ubuntu 22.04 LTS:  
   openvswitch-common              2.17.5-0ubuntu0.22.04.2  
   python3-openvswitch             2.17.5-0ubuntu0.22.04.2

Ubuntu 20.04 LTS:  
   openvswitch-common              2.13.8-0ubuntu1.2  
   python3-openvswitch             2.13.8-0ubuntu1.2

Ubuntu 18.04 LTS:  
   openvswitch-common              2.9.8-0ubuntu0.18.04.5  
   python-openvswitch              2.9.8-0ubuntu0.18.04.5  
   python3-openvswitch             2.9.8-0ubuntu0.18.04.5

In general, a standard system update will make all the necessary changes.

References:  
   https://ubuntu.com/security/notices/USN-6068-1  
   CVE-2023-1668

Package Information:  
   https://launchpad.net/ubuntu/+source/openvswitch/3.0.3-0ubuntu0.22.10.3  
   https://launchpad.net/ubuntu/+source/openvswitch/2.17.5-0ubuntu0.22.04.2  
   https://launchpad.net/ubuntu/+source/openvswitch/2.13.8-0ubuntu1.2  
   https://launchpad.net/ubuntu/+source/openvswitch/2.9.8-0ubuntu0.18.04.5

Ubuntu Security Notice USN-6068-1

Ubuntu Security Notice 6067-1 - David Sinquin discovered that OpenStack Neutron incorrectly handled the default Open vSwitch firewall rules. An attacker could possibly use this issue to impersonate the IPv6 addresses of other systems on the network. This issue only affected Ubuntu 18.04 LTS, and Ubuntu 20.04 LTS. Jake Yip and Justin Mammarella discovered that OpenStack Neutron incorrectly handled the linuxbridge driver when ebtables-nft is being used. An attacker could possibly use this issue to impersonate the hardware address of other systems on the network. This issue only affected Ubuntu 18.04 LTS, and Ubuntu 20.04 LTS.

==========================================================================  
Ubuntu Security Notice USN-6067-1  
May 10, 2023

neutron vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS  
- Ubuntu 18.04 LTS

Summary:

Several security issues were fixed in OpenStack Neutron.

Software Description:  
- neutron: OpenStack Virtual Network Service

Details:

David Sinquin discovered that OpenStack Neutron incorrectly handled the  
default Open vSwitch firewall rules. An attacker could possibly use this  
issue to impersonate the IPv6 addresses of other systems on the network.  
This issue only affected Ubuntu 18.04 LTS, and Ubuntu 20.04 LTS.  
(CVE-2021-20267)

Jake Yip and Justin Mammarella discovered that OpenStack Neutron  
incorrectly handled the linuxbridge driver when ebtables-nft is being  
used. An attacker could possibly use this issue to impersonate the hardware  
addresss of other systems on the network. This issue only affected Ubuntu  
18.04 LTS, and Ubuntu 20.04 LTS. (CVE-2021-38598)

Pavel Toporkov discovered that OpenStack Neutron incorrectly handled  
extra_dhcp_opts values. An attacker could possibly use this issue to  
reconfigure dnsmasq. This issue only affected Ubuntu 18.04 LTS, and Ubuntu  
20.04 LTS. (CVE-2021-40085)

Slawek Kaplonski discovered that OpenStack Neutron incorrectly handled the  
routes middleware. An attacker could possibly use this issue to cause the  
API worker to consume memory, leading to a denial of service. This issue  
only affected Ubuntu 18.04 LTS, and Ubuntu 20.04 LTS. (CVE-2021-40797)

It was discovered that OpenStack Neutron incorrectly handled certain  
queries. A remote authenticated user could possibly use this issue to cause  
resource consumption, leading to a denial of service. (CVE-2022-3277)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 22.04 LTS:  
   python3-neutron                 2:20.3.0-0ubuntu1.1

Ubuntu 20.04 LTS:  
   python3-neutron                 2:16.4.2-0ubuntu6.2

Ubuntu 18.04 LTS:  
   python-neutron                  2:12.1.1-0ubuntu8.1

In general, a standard system update will make all the necessary changes.

References:  
   https://ubuntu.com/security/notices/USN-6067-1  
   CVE-2021-20267, CVE-2021-38598, CVE-2021-40085, CVE-2021-40797,  
   CVE-2022-3277

Package Information:  
   https://launchpad.net/ubuntu/+source/neutron/2:20.3.0-0ubuntu1.1  
   https://launchpad.net/ubuntu/+source/neutron/2:16.4.2-0ubuntu6.2  
   https://launchpad.net/ubuntu/+source/neutron/2:12.1.1-0ubuntu8.1

Ubuntu Security Notice USN-6067-1

Ubuntu Security Notice 6066-1 - It was discovered that OpenStack Heat incorrectly handled certain hidden parameter values. A remote authenticated user could possibly use this issue to obtain sensitive data.

==========================================================================  
Ubuntu Security Notice USN-6066-1  
May 10, 2023

heat vulnerability  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.04 LTS  
- Ubuntu 18.04 LTS

Summary:

OpenStack Heat could be made to expose sensitive information.

Software Description:  
- heat: OpenStack Orchestration Service

Details:

It was discovered that OpenStack Heat incorrectly handled certain hidden  
parameter values. A remote authenticated user could possibly use this issue  
to obtain sensitive data.

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 20.04 LTS:  
   python3-heat                    1:14.2.0-0ubuntu1.1

Ubuntu 18.04 LTS:  
   python-heat                     1:10.0.2-0ubuntu1.1

In general, a standard system update will make all the necessary changes.

References:  
   https://ubuntu.com/security/notices/USN-6066-1  
   CVE-2023-1625

Package Information:  
   https://launchpad.net/ubuntu/+source/heat/1:14.2.0-0ubuntu1.1  
   https://launchpad.net/ubuntu/+source/heat/1:10.0.2-0ubuntu1.1

Ubuntu Security Notice USN-6066-1

Ubuntu Security Notice 6065-1 - It was discovered that css-what incorrectly handled certain inputs. If a user or an automated system were tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to cause a denial of service.

    ==========================================================================Ubuntu Security Notice USN-6065-1May 10, 2023node-css-what vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 20.04 ESM- Ubuntu 18.04 LTS- Ubuntu 16.04 ESMSummary:Several security issues were fixed in css-what.Software Description:- node-css-what: A CSS selector parserDetails:It was discovered that css-what incorrectly handled certain inputs. If a useror an automated system were tricked into opening a specially crafted inputfile, a remote attacker could possibly use this issue to cause a denial ofservice. (CVE-2021-33587, CVE-2022-21222)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 20.04 ESM:   node-css-what                   3.2.1-1ubuntu0.1~esm1Ubuntu 18.04 LTS:   node-css-what                   2.1.0-1+deb10u1build0.18.04.1Ubuntu 16.04 ESM:   node-css-what                   2.1.0-1ubuntu0.16.04.1~esm1In general, a standard system update will make all the necessary changes.References:   https://ubuntu.com/security/notices/USN-6065-1   CVE-2021-33587, CVE-2022-21222Package Information: https://launchpad.net/ubuntu/+source/node-css-what/2.1.0-1+deb10u1build0.18.04.1

Tag

#ubuntu