Ubuntu Security Notice 5748-1 - It was discovered that Sysstat incorrectly handled certain arithmetic multiplications. An attacker could use this issue to cause Sysstat to crash, resulting in a denial of service, or possibly execute arbitrary code.

==========================================================================  
Ubuntu Security Notice USN-5748-1  
November 29, 2022

sysstat vulnerability  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.10  
- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS  
- Ubuntu 18.04 LTS

Summary:

Sysstat could be made to crash or run programs if it processed specially  
crafted data.

Software Description:  
- sysstat: system performance tools for Linux

Details:

It was discovered that Sysstat incorrectly handled certain arithmetic  
multiplications. An attacker could use this issue to cause Sysstat to  
crash, resulting in a denial of service, or possibly execute arbitrary  
code.

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 22.10:  
   isag                            12.5.6-1ubuntu0.1  
   sysstat                         12.5.6-1ubuntu0.1

Ubuntu 22.04 LTS:  
   isag                            12.5.2-2ubuntu0.1  
   sysstat                         12.5.2-2ubuntu0.1

Ubuntu 20.04 LTS:  
   isag                            12.2.0-2ubuntu0.2  
   sysstat                         12.2.0-2ubuntu0.2

Ubuntu 18.04 LTS:  
   isag                            11.6.1-1ubuntu0.2  
   sysstat                         11.6.1-1ubuntu0.2

In general, a standard system update will make all the necessary changes.

References:  
   https://ubuntu.com/security/notices/USN-5748-1  
   CVE-2022-39377

Package Information:  
   https://launchpad.net/ubuntu/+source/sysstat/12.5.6-1ubuntu0.1  
   https://launchpad.net/ubuntu/+source/sysstat/12.5.2-2ubuntu0.1  
   https://launchpad.net/ubuntu/+source/sysstat/12.2.0-2ubuntu0.2  
   https://launchpad.net/ubuntu/+source/sysstat/11.6.1-1ubuntu0.2

Ubuntu Security Notice USN-5748-1

Ubuntu Security Notice 5689-2 - USN-5689-1 fixed a vulnerability in Perl. This update provides the corresponding update for Ubuntu 22.10. It was discovered that Perl incorrectly handled certain signature verification. An remote attacker could possibly use this issue to bypass signature verification.

==========================================================================  
Ubuntu Security Notice USN-5689-2  
November 28, 2022

perl vulnerability  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.10

Summary:

Perl could be made to by pass signature verification.

Software Description:  
- perl: Practical Extraction and Report Language

Details:

USN-5689-1 fixed a vulnerability in Perl.  
This update provides the corresponding update for Ubuntu 22.10.

Original advisory details:

 It was discovered that Perl incorrectly handled certain signature verification.  
 An remote attacker could possibly use this issue to bypass signature verification.

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 22.10:  
  perl                            5.34.0-5ubuntu1.1

In general, a standard system update will make all the necessary changes.

References:  
  https://ubuntu.com/security/notices/USN-5689-2  
  https://ubuntu.com/security/notices/USN-5689-1  
  CVE-2020-16156

Package Information:  
  https://launchpad.net/ubuntu/+source/perl/5.34.0-5ubuntu1.1

Ubuntu Security Notice USN-5689-2

LibreDWG v0.12.4.4643 was discovered to contain a heap buffer overflow via the function decode_preR13_section_hdr at decode_r11.c.

**System info**  
Ubuntu x86\_64, clang 10.0  
version: 0.12.4.4643, last commit 93c2512

**Command line**  
./dwg2dxf poc

**Poc**  
poc: poc

**AddressSanitizer output**  
\==4080011==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x618000000428 at pc 0x000000480860 bp 0x7ffddb1de850 sp 0x7ffddb1de008  
WRITE of size 63 at 0x618000000428 thread T0  
#0 0x48085f in strncpy /home/brian/src/final/llvm-project/compiler-rt/lib/asan/asan\_interceptors.cpp:483:5  
#1 0x1123350 in decode\_preR13\_section\_hdr /home/SVF-tools/example/libredwg-2/src/decode\_r11.c:139:3  
#2 0x111d7e1 in decode\_preR13 /home/SVF-tools/example/libredwg-2/src/decode\_r11.c:762:7  
#3 0x4fb4b6 in dwg\_decode /home/SVF-tools/example/libredwg-2/src/decode.c:211:17  
#4 0x4c6dcc in dwg\_read\_file /home/SVF-tools/example/libredwg-2/src/dwg.c:254:11  
#5 0x4c4a40 in main /home/SVF-tools/example/libredwg-2/programs/dwg2dxf.c:258:15  
#6 0x7f7873298c86 in \_\_libc\_start\_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310  
#7 0x41b649 in \_start (/home/SVF-tools/example/libredwg-2/fuzz/dwg2dxf.ci+0x41b649)

0x618000000428 is located 24 bytes inside of 442820362-byte region \[0x618000000410,0x61801a64eb1a)  
\==4080011==AddressSanitizer CHECK failed: /home/brian/src/final/llvm-project/compiler-rt/lib/asan/asan\_descriptions.cpp:175 "((id)) != (0)" (0x0, 0x0)  
#0 0x49bf3e in \_\_asan::AsanCheckFailed(char const\*, int, char const\*, unsigned long long, unsigned long long) /home/brian/src/final/llvm-project/compiler-rt/lib/asan/asan\_rtl.cpp:73:5  
#1 0x4b045f in \_\_sanitizer::CheckFailed(char const\*, int, char const\*, unsigned long long, unsigned long long) /home/brian/src/final/llvm-project/compiler-rt/lib/sanitizer\_common/sanitizer\_termination.cpp:78:5  
#2 0x4245db in \_\_asan::HeapAddressDescription::Print() const /home/brian/src/final/llvm-project/compiler-rt/lib/asan/asan\_descriptions.cpp  
#3 0x427425 in \_\_asan::ErrorGeneric::Print() /home/brian/src/final/llvm-project/compiler-rt/lib/asan/asan\_errors.cpp:591:20  
#4 0x497ba8 in \_\_asan::ScopedInErrorReport::~ScopedInErrorReport() /home/brian/src/final/llvm-project/compiler-rt/lib/asan/asan\_report.cpp:141:50  
#5 0x4997dd in \_\_asan::ReportGenericError(unsigned long, unsigned long, unsigned long, unsigned long, bool, unsigned long, unsigned int, bool) /home/brian/src/final/llvm-project/compiler-rt/lib/asan/asan\_report.cpp:474:1  
#6 0x480881 in strncpy /home/brian/src/final/llvm-project/compiler-rt/lib/asan/asan\_interceptors.cpp:483:5  
#7 0x1123350 in decode\_preR13\_section\_hdr /home/SVF-tools/example/libredwg-2/src/decode\_r11.c:139:3  
#8 0x111d7e1 in decode\_preR13 /home/SVF-tools/example/libredwg-2/src/decode\_r11.c:762:7  
#9 0x4fb4b6 in dwg\_decode /home/SVF-tools/example/libredwg-2/src/decode.c:211:17  
#10 0x4c6dcc in dwg\_read\_file /home/SVF-tools/example/libredwg-2/src/dwg.c:254:11  
#11 0x4c4a40 in main /home/SVF-tools/example/libredwg-2/programs/dwg2dxf.c:258:15  
#12 0x7f7873298c86 in \_\_libc\_start\_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310  
#13 0x41b649 in \_start (/home/SVF-tools/example/libredwg-2/fuzz/dwg2dxf.ci+0x41b649)

CVE-2022-45332: heap-buffer-overflow exists in the function decode_preR13_section_hdr in decode_r11.c · Issue #524 · LibreDWG/libredwg

GPAC v2.1-DEV-rev478-g696e6f868-master was discovered to contain a heap use-after-free via the Q_IsTypeOn function at /gpac/src/bifs/unquantize.c.

**Description**

Heap use after free in Q\_IsTypeOn at gpac/src/bifs/unquantize.c:175:12

**System info**

Ubuntu 20.04 lts

**Version info**

MP4Box - GPAC version 2.1-DEV-rev478-g696e6f868-master
(c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io

Please cite our work in your research:
        GPAC Filters: https://doi.org/10.1145/3339825.3394929
        GPAC: https://doi.org/10.1145/1291233.1291452

GPAC Configuration: --enable-sanitizer --enable-debug
Features: GPAC\_CONFIG\_LINUX GPAC\_64\_BITS GPAC\_HAS\_IPV6 GPAC\_HAS\_SSL GPAC\_HAS\_SOCK\_UN GPAC\_MINIMAL\_ODF GPAC\_HAS\_QJS GPAC\_HAS\_FAAD GPAC\_HAS\_MAD GPAC\_HAS\_LIBA52 GPAC\_HAS\_JPEG GPAC\_HAS\_PNG GPAC\_HAS\_FFMPEG GPAC\_HAS\_THEORA GPAC\_HAS\_VORBIS GPAC\_HAS\_XVID GPAC\_HAS\_LINUX\_DVB

**compile**

./configure --enable-sanitizer --enable-debug
make

**crash command****POC**

POC-uaf

**Crash output**

/home/zw/AFL\_Fuzz\_Datas/gpac/bin/gcc/MP4Box -bt poc

\[iso file\] Unknown box type vref in parent dinf
\[iso file\] Missing dref box in dinf
\[iso file\] Unknown box type vref in parent dinf
\[iso file\] Missing dref box in dinf
MPEG-4 BIFS Scene Parsing
=================================================================
==1578219==ERROR: AddressSanitizer: heap-use-after-free on address 0x610000001ad4 at pc 0x7f8194636c1d bp 0x7fff91f55420 sp 0x7fff91f55418
READ of size 4 at 0x610000001ad4 thread T0
    #0 0x7f8194636c1c in Q\_IsTypeOn /home/zw/AFL\_Fuzz\_Datas/gpac/src/bifs/unquantize.c:175:12
    #1 0x7f8194643390 in gf\_bifs\_dec\_unquant\_field /home/zw/AFL\_Fuzz\_Datas/gpac/src/bifs/unquantize.c:398:7
    #2 0x7f81945890e1 in gf\_bifs\_dec\_sf\_field /home/zw/AFL\_Fuzz\_Datas/gpac/src/bifs/field\_decode.c:84:7
    #3 0x7f8194597e3f in BD\_DecMFFieldList /home/zw/AFL\_Fuzz\_Datas/gpac/src/bifs/field\_decode.c:327:8
    #4 0x7f819459cd2f in gf\_bifs\_dec\_field /home/zw/AFL\_Fuzz\_Datas/gpac/src/bifs/field\_decode.c:564:9
    #5 0x7f819459df3a in gf\_bifs\_dec\_node\_list /home/zw/AFL\_Fuzz\_Datas/gpac/src/bifs/field\_decode.c:626:7
    #6 0x7f81945965a8 in gf\_bifs\_dec\_node /home/zw/AFL\_Fuzz\_Datas/gpac/src/bifs/field\_decode.c:928:7
    #7 0x7f8194598014 in BD\_DecMFFieldList /home/zw/AFL\_Fuzz\_Datas/gpac/src/bifs/field\_decode.c:330:15
    #8 0x7f819459cd2f in gf\_bifs\_dec\_field /home/zw/AFL\_Fuzz\_Datas/gpac/src/bifs/field\_decode.c:564:9
    #9 0x7f81945c0e7b in BM\_ParseFieldReplace /home/zw/AFL\_Fuzz\_Datas/gpac/src/bifs/memory\_decoder.c:734:21
    #10 0x7f81945c4923 in BM\_ParseReplace /home/zw/AFL\_Fuzz\_Datas/gpac/src/bifs/memory\_decoder.c:847:10
    #11 0x7f81945c7f12 in BM\_ParseCommand /home/zw/AFL\_Fuzz\_Datas/gpac/src/bifs/memory\_decoder.c:915:8
    #12 0x7f81945c9706 in gf\_bifs\_flush\_command\_list /home/zw/AFL\_Fuzz\_Datas/gpac/src/bifs/memory\_decoder.c:964:9
    #13 0x7f81945cc012 in gf\_bifs\_decode\_command\_list /home/zw/AFL\_Fuzz\_Datas/gpac/src/bifs/memory\_decoder.c:1044:3
    #14 0x7f8195bc921f in gf\_sm\_load\_run\_isom /home/zw/AFL\_Fuzz\_Datas/gpac/src/scene\_manager/loader\_isom.c:303:10
    #15 0x7f8195a86732 in gf\_sm\_load\_run /home/zw/AFL\_Fuzz\_Datas/gpac/src/scene\_manager/scene\_manager.c:719:28
    #16 0x577f50 in dump\_isom\_scene /home/zw/AFL\_Fuzz\_Datas/gpac/applications/mp4box/filedump.c:207:14
    #17 0x53949f in mp4box\_main /home/zw/AFL\_Fuzz\_Datas/gpac/applications/mp4box/mp4box.c:6369:7
    #18 0x549801 in main /home/zw/AFL\_Fuzz\_Datas/gpac/applications/mp4box/mp4box.c:6834:1
    #19 0x7f8192985082 in \_\_libc\_start\_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
    #20 0x42ac5d in \_start (/home/zw/AFL\_Fuzz\_Datas/gpac/bin/gcc/MP4Box+0x42ac5d)

0x610000001ad4 is located 148 bytes inside of 192-byte region \[0x610000001a40,0x610000001b00)
freed by thread T0 here:
    #0 0x4a5c52 in free (/home/zw/AFL\_Fuzz\_Datas/gpac/bin/gcc/MP4Box+0x4a5c52)
    #1 0x7f8193259324 in gf\_free /home/zw/AFL\_Fuzz\_Datas/gpac/src/utils/alloc.c:165:2
    #2 0x7f819378d74a in gf\_node\_free /home/zw/AFL\_Fuzz\_Datas/gpac/src/scenegraph/base\_scenegraph.c:1622:2
    #3 0x7f81938a38fc in QuantizationParameter\_Del /home/zw/AFL\_Fuzz\_Datas/gpac/src/scenegraph/mpeg4\_nodes.c:11981:2
    #4 0x7f81938962b1 in gf\_sg\_mpeg4\_node\_del /home/zw/AFL\_Fuzz\_Datas/gpac/src/scenegraph/mpeg4\_nodes.c:37743:3
    #5 0x7f8193774108 in gf\_node\_del /home/zw/AFL\_Fuzz\_Datas/gpac/src/scenegraph/base\_scenegraph.c:1904:59
    #6 0x7f8193763dc2 in gf\_node\_unregister /home/zw/AFL\_Fuzz\_Datas/gpac/src/scenegraph/base\_scenegraph.c:763:3
    #7 0x7f8193772a1c in gf\_node\_try\_destroy /home/zw/AFL\_Fuzz\_Datas/gpac/src/scenegraph/base\_scenegraph.c:669:9
    #8 0x7f81937ce9cc in gf\_sg\_command\_del /home/zw/AFL\_Fuzz\_Datas/gpac/src/scenegraph/commands.c:72:7
    #9 0x7f81945ca742 in gf\_bifs\_flush\_command\_list /home/zw/AFL\_Fuzz\_Datas/gpac/src/bifs/memory\_decoder.c:990:5
    #10 0x7f81945cc012 in gf\_bifs\_decode\_command\_list /home/zw/AFL\_Fuzz\_Datas/gpac/src/bifs/memory\_decoder.c:1044:3
    #11 0x7f8195bc921f in gf\_sm\_load\_run\_isom /home/zw/AFL\_Fuzz\_Datas/gpac/src/scene\_manager/loader\_isom.c:303:10
    #12 0x7f8195a86732 in gf\_sm\_load\_run /home/zw/AFL\_Fuzz\_Datas/gpac/src/scene\_manager/scene\_manager.c:719:28
    #13 0x577f50 in dump\_isom\_scene /home/zw/AFL\_Fuzz\_Datas/gpac/applications/mp4box/filedump.c:207:14
    #14 0x53949f in mp4box\_main /home/zw/AFL\_Fuzz\_Datas/gpac/applications/mp4box/mp4box.c:6369:7
    #15 0x549801 in main /home/zw/AFL\_Fuzz\_Datas/gpac/applications/mp4box/mp4box.c:6834:1
    #16 0x7f8192985082 in \_\_libc\_start\_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16

previously allocated by thread T0 here:
    #0 0x4a5ebd in malloc (/home/zw/AFL\_Fuzz\_Datas/gpac/bin/gcc/MP4Box+0x4a5ebd)
    #1 0x7f8193259214 in gf\_malloc /home/zw/AFL\_Fuzz\_Datas/gpac/src/utils/alloc.c:150:9
    #2 0x7f819381fc84 in QuantizationParameter\_Create /home/zw/AFL\_Fuzz\_Datas/gpac/src/scenegraph/mpeg4\_nodes.c:12496:2
    #3 0x7f819388ffa6 in gf\_sg\_mpeg4\_node\_new /home/zw/AFL\_Fuzz\_Datas/gpac/src/scenegraph/mpeg4\_nodes.c:36871:10
    #4 0x7f8193796799 in gf\_node\_new /home/zw/AFL\_Fuzz\_Datas/gpac/src/scenegraph/base\_scenegraph.c:1996:51
    #5 0x7f8194595f4a in gf\_bifs\_dec\_node /home/zw/AFL\_Fuzz\_Datas/gpac/src/bifs/field\_decode.c:900:15
    #6 0x7f8194598014 in BD\_DecMFFieldList /home/zw/AFL\_Fuzz\_Datas/gpac/src/bifs/field\_decode.c:330:15
    #7 0x7f819459cd2f in gf\_bifs\_dec\_field /home/zw/AFL\_Fuzz\_Datas/gpac/src/bifs/field\_decode.c:564:9
    #8 0x7f81945c0e7b in BM\_ParseFieldReplace /home/zw/AFL\_Fuzz\_Datas/gpac/src/bifs/memory\_decoder.c:734:21
    #9 0x7f81945c4923 in BM\_ParseReplace /home/zw/AFL\_Fuzz\_Datas/gpac/src/bifs/memory\_decoder.c:847:10
    #10 0x7f81945c7f12 in BM\_ParseCommand /home/zw/AFL\_Fuzz\_Datas/gpac/src/bifs/memory\_decoder.c:915:8
    #11 0x7f81945c9706 in gf\_bifs\_flush\_command\_list /home/zw/AFL\_Fuzz\_Datas/gpac/src/bifs/memory\_decoder.c:964:9
    #12 0x7f81945cc012 in gf\_bifs\_decode\_command\_list /home/zw/AFL\_Fuzz\_Datas/gpac/src/bifs/memory\_decoder.c:1044:3
    #13 0x7f8195bc921f in gf\_sm\_load\_run\_isom /home/zw/AFL\_Fuzz\_Datas/gpac/src/scene\_manager/loader\_isom.c:303:10
    #14 0x7f8195a86732 in gf\_sm\_load\_run /home/zw/AFL\_Fuzz\_Datas/gpac/src/scene\_manager/scene\_manager.c:719:28
    #15 0x577f50 in dump\_isom\_scene /home/zw/AFL\_Fuzz\_Datas/gpac/applications/mp4box/filedump.c:207:14
    #16 0x53949f in mp4box\_main /home/zw/AFL\_Fuzz\_Datas/gpac/applications/mp4box/mp4box.c:6369:7
    #17 0x549801 in main /home/zw/AFL\_Fuzz\_Datas/gpac/applications/mp4box/mp4box.c:6834:1
    #18 0x7f8192985082 in \_\_libc\_start\_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: heap-use-after-free /home/zw/AFL\_Fuzz\_Datas/gpac/src/bifs/unquantize.c:175:12 in Q\_IsTypeOn
Shadow bytes around the buggy address:
  0x0c207fff8300: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c207fff8310: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa
  0x0c207fff8320: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c207fff8330: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa
  0x0c207fff8340: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
\=>0x0c207fff8350: fd fd fd fd fd fd fd fd fd fd\[fd\]fd fd fd fd fd
  0x0c207fff8360: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c207fff8370: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fa
  0x0c207fff8380: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c207fff8390: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c207fff83a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
\==1578219\==ABORTING

**Occurrences:**

gpac/src/bifs/unquantize.c:175:12 in Q\_IsTypeOn

**Impact**

can cause a program to crash, use unexpected values, or execute code.

**Report of the Information Security Laboratory of Ocean University of China @OUC\_ISLOUC @OUC\_Blue\_Whale**

CVE-2022-45343: Heap use after free in Q_IsTypeOn at gpac/src/bifs/unquantize.c · Issue #2315 · gpac/gpac

Ubuntu Security Notice 5747-1 - It was discovered that Bind incorrectly handled large query name when using lightweight resolver protocol. A remote attacker could use this issue to consume resources, leading to a denial of service. It was discovered that Bind incorrectly handled large zone data size received via AXFR response. A remote authenticated attacker could use this issue to consume resources, leading to a denial of service. This issue only affected Ubuntu 16.04 LTS.

    =========================================================================Ubuntu Security Notice USN-5747-1November 29, 2022bind9 vulnerabilities=========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 16.04 ESM- Ubuntu 14.04 ESMSummary:Several security issues were fixed in Bind.Software Description:- bind9: Internet Domain Name ServerDetails:It was discovered that Bind incorrectly handled large query name when usinglightweight resolver protocol. A remote attacker could use this issue toconsume resources, leading to a denial of service. (CVE-2016-2775)It was discovered that Bind incorrectly handled large zone data sizereceived via AXFR response. A remote authenticated attacker could use thisissue to consume resources, leading to a denial of service. This issue onlyaffected Ubuntu 16.04 LTS. (CVE-2016-6170)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 16.04 ESM:  bind9                           1:9.10.3.dfsg.P4-8ubuntu1.19+esm5  lwresd                          1:9.10.3.dfsg.P4-8ubuntu1.19+esm5Ubuntu 14.04 ESM:  bind9                           1:9.9.5.dfsg-3ubuntu0.19+esm9  lwresd                          1:9.9.5.dfsg-3ubuntu0.19+esm9In general, a standard system update will make all the necessary changes.References:  https://ubuntu.com/security/notices/USN-5747-1  CVE-2016-2775, CVE-2016-6170

Ubuntu Security Notice USN-5747-1

Ubuntu Security Notice 5746-1 - Behzad Najjarpour Jabbari discovered that HarfBuzz incorrectly handled certain inputs. A remote attacker could possibly use this issue to cause a denial of service.

    ==========================================================================Ubuntu Security Notice USN-5746-1November 28, 2022harfbuzz vulnerability==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 16.04 ESMSummary:HarfBuzz could be made to crash if it received specially craftedinput.Software Description:- harfbuzz: OpenType text shaping engineDetails:Behzad Najjarpour Jabbari discovered that HarfBuzz incorrectly handledcertain inputs. A remote attacker could possibly use this issue to causea denial of service.Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 16.04 ESM:   libharfbuzz-bin                 1.0.1-1ubuntu0.1+esm1   libharfbuzz0b                   1.0.1-1ubuntu0.1+esm1In general, a standard system update will make all the necessary changes.References:   https://ubuntu.com/security/notices/USN-5746-1   CVE-2015-9274

Ubuntu Security Notice USN-5746-1

GPAC v2.1-DEV-rev428-gcb8ae46c8-master was discovered to contain a memory leak via the function dimC_box_read at isomedia/box_code_3gpp.c.

**Description**

Memory Leak in dimC\_box\_read at isomedia/box\_code\_3gpp.c:1060

**System info**

ubuntu 20.04 lts

version info:

    ./MP4Box -version
    MP4Box - GPAC version 2.1-DEV-rev460-g9d963dc62-master
    (c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
    	GPAC Filters: https://doi.org/10.1145/3339825.3394929
    	GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: 
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_LINUX_DVB  GPAC_DI
    

**compile**

./configure --enable-sanitizer  
make

**crash command:**

./MP4Box -bt poc\_ml

poc :  
https://github.com/Janette88/test\_pocs/blob/main/poc\_ml

Here is output by ASAN:

    [ISOBMFF] AV1ConfigurationBox: read only 4 bytes (expected 16).
    [iso file] Box "av1C" (start 20) has 12 extra bytes
    [isom] not enough bytes in box dimC: 0 left, reading 1 (file isomedia/box_code_3gpp.c, line 1082)
    [iso file] Read Box "dimC" (start 44) failed (Invalid IsoMedia File) - skipping
    Error opening file /home/fuzz/test/poc_ml: Invalid IsoMedia File
    
    =================================================================
    ==71539==ERROR: LeakSanitizer: detected memory leaks
    
    Direct leak of 2566 byte(s) in 1 object(s) allocated from:
        #0 0x7fe8c635f808 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
        #1 0x7fe8c2ef8d39 in dimC_box_read isomedia/box_code_3gpp.c:1060
        #2 0x7fe8c2fb75c3 in gf_isom_box_read isomedia/box_funcs.c:1866
        #3 0x7fe8c2fb75c3 in gf_isom_box_parse_ex isomedia/box_funcs.c:271
        #4 0x7fe8c2fb8a15 in gf_isom_parse_root_box isomedia/box_funcs.c:38
        #5 0x7fe8c2fe1a8c in gf_isom_parse_movie_boxes_internal isomedia/isom_intern.c:378
        #6 0x7fe8c2fe7ca1 in gf_isom_parse_movie_boxes isomedia/isom_intern.c:868
        #7 0x7fe8c2fe7ca1 in gf_isom_open_file isomedia/isom_intern.c:988
        #8 0x55c56a3e9139 in mp4box_main /home/fuzz/gpac/applications/mp4box/mp4box.c:6209
        #9 0x7fe8c0558082 in __libc_start_main ../csu/libc-start.c:308
    
    SUMMARY: AddressSanitizer: 2566 byte(s) leaked in 1 allocation(s).
    

**code location:**

    GF_Err dimC_box_read(GF_Box *s, GF_BitStream *bs)
    {
    	u32 i, msize;
    	GF_DIMSSceneConfigBox *p = (GF_DIMSSceneConfigBox *)s;
    
    	ISOM_DECREASE_SIZE(p, 3);
    	p->profile = gf_bs_read_u8(bs);
    	p->level = gf_bs_read_u8(bs);
    	p->pathComponents = gf_bs_read_int(bs, 4);
    	p->fullRequestHost = gf_bs_read_int(bs, 1);
    	p->streamType = gf_bs_read_int(bs, 1);
    	p->containsRedundant = gf_bs_read_int(bs, 2);
    
    	char *str = gf_malloc(sizeof(char)*(p->size+1));       //line 1060   here p->size+1 = 2566
    	if (!str) return GF_OUT_OF_MEM;
    	msize = (u32) p->size;
    	str[msize] = 0;
    	i=0;
    	str[0]=0;
    	while (i < msize) {
    		ISOM_DECREASE_SIZE(p, 1);
    		str[i] = gf_bs_read_u8(bs);
    		if (!str[i]) break;
    		i++;
    	}
    	if (i == msize) {
    		gf_free(str);
    		return GF_ISOM_INVALID_FILE;
    	}
    
    	p->textEncoding = gf_strdup(str);
    
    	i=0;
    	str[0]=0;
    	while (i < msize) {
    		ISOM_DECREASE_SIZE(p, 1);            //line :1082 not enough bytes in box dimC: 0 left, reading 1 
    
    		str[i] = gf_bs_read_u8(bs);
    		if (!str[i]) break;
    		i++;
    	}
    	if (i == msize) {
    		gf_free(str);
    		return GF_ISOM_INVALID_FILE;
    	}
    
    	p->contentEncoding = gf_strdup(str);
    	gf_free(str);
    	if (!p->textEncoding || !p->contentEncoding)
    		return GF_OUT_OF_MEM;
    	return GF_OK;
    }
    

ps: The issue could be verified using the poc in issue 2294 and 2296. The patch of issue 2294 and 2296 was not perfect because it still existed memory leak risk .

ref:  
#2294  
#2296

CVE-2022-45204: Memory Leak in dimC_box_read at isomedia/box_code_3gpp.c:1060 · Issue #2307 · gpac/gpac

Ubuntu Security Notice 5745-1 - Florian Weimer discovered that shadow was not properly copying and removing user directory trees, which could lead to a race condition. A local attacker could possibly use this issue to setup a symlink attack and alter or remove directories without authorization.

==========================================================================  
Ubuntu Security Notice USN-5745-1  
November 28, 2022

shadow vulnerability  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.10  
- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS  
- Ubuntu 18.04 LTS  
- Ubuntu 16.04 ESM  
- Ubuntu 14.04 ESM

Summary:

shadow could be made to overwrite files.

Software Description:  
- shadow: system login tools

Details:

Florian Weimer discovered that shadow was not properly copying and removing  
user directory trees, which could lead to a race condition. A local attacker  
could possibly use this issue to setup a symlink attack and alter or remove  
directories without authorization.

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 22.10:  
   libsubid4                       1:4.11.1+dfsg1-2ubuntu1.1  
   login                           1:4.11.1+dfsg1-2ubuntu1.1  
   passwd                          1:4.11.1+dfsg1-2ubuntu1.1  
   uidmap                          1:4.11.1+dfsg1-2ubuntu1.1

Ubuntu 22.04 LTS:  
   login                           1:4.8.1-2ubuntu2.1  
   passwd                          1:4.8.1-2ubuntu2.1  
   uidmap                          1:4.8.1-2ubuntu2.1

Ubuntu 20.04 LTS:  
   login                           1:4.8.1-1ubuntu5.20.04.3  
   passwd                          1:4.8.1-1ubuntu5.20.04.3  
   uidmap                          1:4.8.1-1ubuntu5.20.04.3

Ubuntu 18.04 LTS:  
   login                           1:4.5-1ubuntu2.4  
   passwd                          1:4.5-1ubuntu2.4  
   uidmap                          1:4.5-1ubuntu2.4

Ubuntu 16.04 ESM:  
   login                           1:4.2-3.1ubuntu5.5+esm2  
   passwd                          1:4.2-3.1ubuntu5.5+esm2  
   uidmap                          1:4.2-3.1ubuntu5.5+esm2

Ubuntu 14.04 ESM:  
   login                           1:4.1.5.1-1ubuntu9.5+esm2  
   passwd                          1:4.1.5.1-1ubuntu9.5+esm2  
   uidmap                          1:4.1.5.1-1ubuntu9.5+esm2

In general, a standard system update will make all the necessary changes.

References:  
   https://ubuntu.com/security/notices/USN-5745-1  
   CVE-2013-4235

Package Information:  
https://launchpad.net/ubuntu/+source/shadow/1:4.11.1+dfsg1-2ubuntu1.1  
   https://launchpad.net/ubuntu/+source/shadow/1:4.8.1-2ubuntu2.1  
https://launchpad.net/ubuntu/+source/shadow/1:4.8.1-1ubuntu5.20.04.3  
   https://launchpad.net/ubuntu/+source/shadow/1:4.5-1ubuntu2.4

Ubuntu Security Notice USN-5745-1

Ubuntu Security Notice 5744-1 - It was discovered that libICE was using a weak mechanism to generate the session cookies. A local attacker could possibly use this issue to perform a privilege escalation attack.

    =========================================================================Ubuntu Security Notice USN-5744-1November 28, 2022libice vulnerability=========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 18.04 LTS- Ubuntu 16.04 ESMSummary:Weak session cookies generated using libICE could allow sensitiveinformation to be exposed.Software Description:- libice: X11 Inter-Client Exchange library (development headers)Details:It was discovered that libICE was using a weak mechanism to generate thesession cookies. A local attacker could possibly use this issue to performa privilege escalation attack.Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 18.04 LTS:  libice-dev                      2:1.0.9-2ubuntu0.18.04.1  libice6                         2:1.0.9-2ubuntu0.18.04.1Ubuntu 16.04 ESM:  libice-dev                      2:1.0.9-1ubuntu0.16.04.1+esm1  libice6                         2:1.0.9-1ubuntu0.16.04.1+esm1In general, a standard system update will make all the necessary changes.References:  https://ubuntu.com/security/notices/USN-5744-1  CVE-2017-2626Package Information:  https://launchpad.net/ubuntu/+source/libice/2:1.0.9-2ubuntu0.18.04.1

Ubuntu Security Notice USN-5744-1

Ubuntu Security Notice 5743-1 - It was discovered that LibTIFF incorrectly handled certain malformed images. If a user or automated system were tricked into opening a specially crafted image, a remote attacker could crash the application, leading to a denial of service, or possibly execute arbitrary code with user privileges.

    ==========================================================================Ubuntu Security Notice USN-5743-1November 24, 2022tiff vulnerability==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 16.04 ESMSummary:LibTIFF could be made to crash or run programs as your login if itopened a specially crafted file.Software Description:- tiff: Tag Image File Format (TIFF) libraryDetails:It was discovered that LibTIFF incorrectly handled certain malformedimages. If a user or automated system were tricked into opening a specially crafted image, a remote attacker could crash the application, leading to a denial of service, or possibly execute arbitrary code with user privileges.Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 16.04 ESM:   libtiff-tools                   4.0.6-1ubuntu0.8+esm8   libtiff5                         4.0.6-1ubuntu0.8+esm8In general, a standard system update will make all the necessary changes.References:   https://ubuntu.com/security/notices/USN-5743-1   CVE-2022-3970

Tag

#ubuntu