libcaca is affected by a Divide By Zero issue via img2txt, which allows a remote malicious user to cause a Denial of Service

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open

kdsjZh opened this issue

Feb 24, 2022

· 3 comments

Open

**\[BUG\] Divide by zero in img2txt #65**

kdsjZh opened this issue

Feb 24, 2022

· 3 comments

**Comments**

version: latest commit f42aa68  
driver: src/img2txt  
Environment: ubuntu 22.04, clang-12  
step to reproduce:

    export CFLAGS="-fsanitize=address -g"
    export CC=clang
    ./bootstrap
    ./configure 
    make -j8
    ./src/img2txt ./divide_by_0.seed
    

Sanitizer output:

    AddressSanitizer:DEADLYSIGNAL
    =================================================================
    ==25214==ERROR: AddressSanitizer: FPE on unknown address 0x0000004d0433 (pc 0x0000004d0433 bp 0x7fff1cb39010 sp 0x7fff1cb38ee0 T0)
        #0 0x4d0433 in main /benchmarks/libcaca/src/img2txt.c:183:42
        #1 0x7fa2270f9d8f  (/lib/x86_64-linux-gnu/libc.so.6+0x2dd8f)
        #2 0x7fa2270f9e3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2de3f)
        #3 0x421944 in _start (/benchmarks/libcaca/src/img2txt+0x421944)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: FPE /benchmarks/libcaca/src/img2txt.c:183:42 in main
    ==25214==ABORTING
    
    

#POC  
divide\_by\_0.zip

##Credit  
Han Zheng  
NCNIPC of China  
Hexhive

Thank you, reading the code it could happen when given a valid image of width 0 (probably the case here), but also with any image if passing -y 0.

How's this going to be fixed?  
I added a check for i->w and/or i->h being 0, issuing an error message ("image size is 0") and setting lines and cols to 0 (caca_set_canvas_size can handle this).  
Obviously caca_export_canvas_to_memory then chokes on this but this is handled already. I only then also changed the format in the error message to format?format:"ansi".

CVE-2022-0856: [BUG] Divide by zero in img2txt · Issue #65 · cacalabs/libcaca

A NULL pointer dereference flaw was found in the btrfs_rm_device function in fs/btrfs/volumes.c in the Linux Kernel, where triggering the bug requires ‘CAP_SYS_ADMIN’. This flaw allows a local attacker to crash the system or leak kernel internal information. The highest threat from this vulnerability is to system availability.

linux-gcp-5.8  
Launchpad, Ubuntu, Debian bionic Does not exist  
hirsute Does not exist  
trusty Does not exist  
xenial Does not exist  
impish Does not exist  
focal Ignored (was needs-triage now end-of-life)  
upstream Released (5.15~rc1)  
jammy Does not exist  
linux-gcp-edge  
Launchpad, Ubuntu, Debian bionic Ignored (superseded by linux-gcp-5.3)  
focal Does not exist  
hirsute Does not exist  
upstream Released (5.15~rc1)  
trusty Does not exist  
xenial Does not exist  
impish Does not exist  
jammy Does not exist  
linux-gke  
Launchpad, Ubuntu, Debian bionic Does not exist  
hirsute Does not exist  
upstream Released (5.15~rc1)  
trusty Does not exist  
xenial Ignored (reached end of standard support)  
impish Does not exist  
focal Released (5.4.0-1055.58)  
jammy Not vulnerable (5.15.0-1002.2)  
linux-gke-4.15  
Launchpad, Ubuntu, Debian bionic Ignored (was needs-triage now end-of-life)  
focal Does not exist  
hirsute Does not exist  
upstream Released (5.15~rc1)  
trusty Does not exist  
xenial Does not exist  
impish Does not exist  
jammy Does not exist  
linux-gke-5.0  
Launchpad, Ubuntu, Debian bionic Ignored (was needs-triage now end-of-life)  
focal Does not exist  
hirsute Does not exist  
upstream Released (5.15~rc1)  
trusty Does not exist  
xenial Does not exist  
impish Does not exist  
jammy Does not exist  
linux-gke-5.3  
Launchpad, Ubuntu, Debian bionic Ignored (was needs-triage now end-of-life)  
focal Does not exist  
hirsute Does not exist  
upstream Released (5.15~rc1)  
trusty Does not exist  
xenial Does not exist  
impish Does not exist  
jammy Does not exist  
linux-gke-5.4  
Launchpad, Ubuntu, Debian bionic Released (5.4.0-1055.58~18.04.1)  
focal Does not exist  
hirsute Does not exist  
upstream Released (5.15~rc1)  
trusty Does not exist  
xenial Does not exist  
impish Does not exist  
jammy Does not exist  
linux-gkeop  
Launchpad, Ubuntu, Debian bionic Does not exist  
focal Released (5.4.0-1026.27)  
hirsute Does not exist  
upstream Released (5.15~rc1)  
trusty Does not exist  
xenial Does not exist  
impish Does not exist  
jammy Does not exist  
linux-gkeop-5.4  
Launchpad, Ubuntu, Debian bionic Released (5.4.0-1026.27~18.04.1)  
focal Does not exist  
hirsute Does not exist  
upstream Released (5.15~rc1)  
trusty Does not exist  
xenial Does not exist  
impish Does not exist  
jammy Does not exist  
linux-oracle-5.0  
Launchpad, Ubuntu, Debian bionic Ignored (superseded by linux-oracle-5.3)  
focal Does not exist  
hirsute Does not exist  
trusty Does not exist  
xenial Does not exist  
impish Does not exist  
upstream Released (5.15~rc1)  
jammy Does not exist  
linux-oracle-5.3  
Launchpad, Ubuntu, Debian bionic Ignored (superseded by linux-oracle-5.4)  
focal Does not exist  
hirsute Does not exist  
trusty Does not exist  
xenial Does not exist  
impish Does not exist  
upstream Released (5.15~rc1)  
jammy Does not exist  
linux-oracle-5.4  
Launchpad, Ubuntu, Debian focal Does not exist  
hirsute Does not exist  
trusty Does not exist  
xenial Does not exist  
impish Does not exist  
bionic Released (5.4.0-1057.61~18.04.1)  
upstream Released (5.15~rc1)  
jammy Does not exist  
linux-oracle-5.8  
Launchpad, Ubuntu, Debian bionic Does not exist  
hirsute Does not exist  
trusty Does not exist  
xenial Does not exist  
impish Does not exist  
focal Ignored (was needs-triage now end-of-life)  
upstream Released (5.15~rc1)  
jammy Does not exist  
linux-oem  
Launchpad, Ubuntu, Debian bionic Ignored (was needs-triage now end-of-life)  
focal Does not exist  
hirsute Does not exist  
upstream Released (5.15~rc1)  
trusty Does not exist  
xenial Ignored (superseded by linux-hwe)  
impish Does not exist  
jammy Does not exist  
linux-oem-5.6  
Launchpad, Ubuntu, Debian bionic Does not exist  
hirsute Does not exist  
trusty Does not exist  
xenial Does not exist  
impish Does not exist  
focal Ignored (was needs-triage now end-of-life)  
upstream Released (5.15~rc1)  
jammy Does not exist  
linux-oem-5.10  
Launchpad, Ubuntu, Debian bionic Does not exist  
focal Released (5.10.0-1050.52)  
hirsute Does not exist  
upstream Released (5.15~rc1)  
trusty Does not exist  
xenial Does not exist  
impish Does not exist  
jammy Does not exist  
linux-oem-osp1  
Launchpad, Ubuntu, Debian focal Does not exist  
hirsute Does not exist  
trusty Does not exist  
xenial Does not exist  
impish Does not exist  
bionic Ignored (was needs-triage now end-of-life)  
upstream Released (5.15~rc1)  
jammy Does not exist  
linux-raspi  
Launchpad, Ubuntu, Debian bionic Does not exist  
trusty Does not exist  
xenial Does not exist  
impish Not vulnerable (5.13.0-1008.9)  
focal Released (5.4.0-1046.50)  
hirsute Released (5.11.0-1021.22)  
upstream Released (5.15~rc1)  
jammy Not vulnerable (5.13.0-1008.9)  
linux-raspi2  
Launchpad, Ubuntu, Debian focal Ignored (replaced by linux-raspi)  
hirsute Does not exist  
trusty Does not exist  
xenial Ignored (was needs-triage now end-of-life)  
impish Does not exist  
bionic Not vulnerable (4.13.0-1005.5)  
upstream Released (5.15~rc1)  
jammy Does not exist  
linux-raspi2-5.3  
Launchpad, Ubuntu, Debian focal Does not exist  
hirsute Does not exist  
trusty Does not exist  
xenial Does not exist  
impish Does not exist  
bionic Ignored (was needs-triage now end-of-life)  
upstream Released (5.15~rc1)  
jammy Does not exist  
linux-raspi-5.4  
Launchpad, Ubuntu, Debian focal Does not exist  
hirsute Does not exist  
trusty Does not exist  
xenial Does not exist  
impish Does not exist  
bionic Released (5.4.0-1046.50~18.04.1)  
upstream Released (5.15~rc1)  
jammy Does not exist  
linux-riscv  
Launchpad, Ubuntu, Debian bionic Does not exist  
focal Ignored (superseded by linux-riscv-5.8)  
trusty Does not exist  
xenial Does not exist  
impish Not vulnerable (5.13.0-1004.4)  
hirsute Released (5.11.0-1021.22)  
upstream Released (5.15~rc1)  
jammy Not vulnerable (5.13.0-1004.4)  
linux-riscv-5.8  
Launchpad, Ubuntu, Debian bionic Does not exist  
hirsute Does not exist  
trusty Does not exist  
xenial Does not exist  
impish Does not exist  
focal Ignored (was needs-triage now end-of-life)  
upstream Released (5.15~rc1)  
jammy Does not exist  
linux-riscv-5.11  
Launchpad, Ubuntu, Debian bionic Does not exist  
hirsute Does not exist  
trusty Does not exist  
xenial Does not exist  
impish Does not exist  
focal Released (5.11.0-1021.22~20.04.1)  
upstream Released (5.15~rc1)  
jammy Does not exist  
linux-snapdragon  
Launchpad, Ubuntu, Debian focal Does not exist  
hirsute Does not exist  
trusty Does not exist  
xenial Ignored (was needs-triage now end-of-life)  
impish Does not exist  
bionic Not vulnerable (4.4.0-1077.82)  
upstream Released (5.15~rc1)  
jammy Does not exist  
linux-hwe  
Launchpad, Ubuntu, Debian bionic Ignored (replaced by linux-hwe-5.4)  
focal Does not exist  
hirsute Does not exist  
trusty Does not exist  
impish Does not exist  
xenial Not vulnerable (4.8.0-39.42~16.04.1)  
upstream Released (5.15~rc1)  
jammy Does not exist  
linux-hwe-5.4  
Launchpad, Ubuntu, Debian focal Does not exist  
hirsute Does not exist  
trusty Does not exist  
xenial Does not exist  
impish Does not exist  
bionic Released (5.4.0-90.101~18.04.1)  
upstream Released (5.15~rc1)  
jammy Does not exist  
linux-hwe-5.8  
Launchpad, Ubuntu, Debian bionic Does not exist  
hirsute Does not exist  
trusty Does not exist  
xenial Does not exist  
impish Does not exist  
upstream Released (5.15~rc1)  
focal Ignored (was pending \[5.8.0-67.75\] now end-of-life)  
jammy Does not exist  
linux-hwe-5.11  
Launchpad, Ubuntu, Debian bionic Does not exist  
hirsute Does not exist  
trusty Does not exist  
xenial Does not exist  
impish Does not exist  
focal Released (5.11.0-38.42~20.04.1)  
upstream Released (5.15~rc1)  
jammy Does not exist  
linux-hwe-edge  
Launchpad, Ubuntu, Debian bionic Ignored (superseded by linux-hwe-5.4)  
focal Does not exist  
hirsute Does not exist  
trusty Does not exist  
xenial Ignored (superseded by linux-hwe)  
impish Does not exist  
upstream Released (5.15~rc1)  
jammy Does not exist  
linux-lts-xenial  
Launchpad, Ubuntu, Debian bionic Does not exist  
focal Does not exist  
hirsute Does not exist  
xenial Does not exist  
impish Does not exist  
trusty Not vulnerable (4.4.0-13.29~14.04.1)  
upstream Released (5.15~rc1)  
jammy Does not exist  
linux-aws-5.0  
Launchpad, Ubuntu, Debian bionic Ignored (superseded by linux-aws-5.3)  
focal Does not exist  
hirsute Does not exist  
trusty Does not exist  
xenial Does not exist  
impish Does not exist  
upstream Released (5.15~rc1)  
jammy Does not exist  
linux-aws-5.3  
Launchpad, Ubuntu, Debian bionic Ignored (superseded by linux-aws-5.4)  
focal Does not exist  
hirsute Does not exist  
trusty Does not exist  
xenial Does not exist  
impish Does not exist  
upstream Released (5.15~rc1)  
jammy Does not exist  
linux-aws-5.4  
Launchpad, Ubuntu, Debian focal Does not exist  
hirsute Does not exist  
trusty Does not exist  
xenial Does not exist  
impish Does not exist  
bionic Released (5.4.0-1059.62~18.04.1)  
upstream Released (5.15~rc1)  
jammy Does not exist  
linux-aws-5.8  
Launchpad, Ubuntu, Debian bionic Does not exist  
hirsute Does not exist  
trusty Does not exist  
xenial Does not exist  
impish Does not exist  
focal Ignored (was needs-triage now end-of-life)  
upstream Released (5.15~rc1)  
jammy Does not exist  
linux-aws-hwe  
Launchpad, Ubuntu, Debian bionic Does not exist  
focal Does not exist  
hirsute Does not exist  
trusty Does not exist  
impish Does not exist  
xenial Not vulnerable (4.15.0-1030.31~16.04.1)  
upstream Released (5.15~rc1)  
jammy Does not exist  
linux-azure  
Launchpad, Ubuntu, Debian bionic Ignored (superseded by linux-azure-5.3)  
impish Not vulnerable (5.13.0-1006.7)  
hirsute Released (5.11.0-1020.21)  
focal Released (5.4.0-1063.66)  
trusty Not vulnerable (4.15.0-1023.24~14.04.1)  
xenial Not vulnerable (4.11.0-1009.9)  
upstream Released (5.15~rc1)  
jammy Not vulnerable (5.13.0-1006.7)  
linux-azure-4.15  
Launchpad, Ubuntu, Debian focal Does not exist  
hirsute Does not exist  
trusty Does not exist  
xenial Does not exist  
impish Does not exist  
bionic Not vulnerable (4.15.0-1082.92)  
upstream Released (5.15~rc1)  
jammy Does not exist  
linux-azure-5.3  
Launchpad, Ubuntu, Debian bionic Ignored (superseded by linux-azure-5.4)  
focal Does not exist  
hirsute Does not exist  
trusty Does not exist  
xenial Does not exist  
impish Does not exist  
upstream Released (5.15~rc1)  
jammy Does not exist  
linux-azure-5.4  
Launchpad, Ubuntu, Debian focal Does not exist  
hirsute Does not exist  
trusty Does not exist  
xenial Does not exist  
impish Does not exist  
bionic Released (5.4.0-1063.66~18.04.1)  
upstream Released (5.15~rc1)  
jammy Does not exist  
linux-azure-5.8  
Launchpad, Ubuntu, Debian bionic Does not exist  
hirsute Does not exist  
trusty Does not exist  
xenial Does not exist  
impish Does not exist  
focal Ignored (was pending \[5.8.0-1043.46~20.04.1\] now end-of-life)  
upstream Released (5.15~rc1)  
jammy Does not exist  
linux-bluefield  
Launchpad, Ubuntu, Debian bionic Does not exist  
hirsute Does not exist  
trusty Does not exist  
xenial Does not exist  
impish Does not exist  
focal Released (5.4.0-1021.24)  
upstream Released (5.15~rc1)  
jammy Does not exist  
linux-dell300x  
Launchpad, Ubuntu, Debian focal Does not exist  
hirsute Does not exist  
trusty Does not exist  
xenial Does not exist  
impish Does not exist  
bionic Not vulnerable (4.15.0-1005.8)  
upstream Released (5.15~rc1)  
jammy Does not exist  
linux-azure-edge  
Launchpad, Ubuntu, Debian bionic Ignored (superseded by linux-azure-5.3)  
focal Does not exist  
hirsute Does not exist  
trusty Does not exist  
xenial Does not exist  
impish Does not exist  
upstream Released (5.15~rc1)  
jammy Does not exist  
linux-gcp  
Launchpad, Ubuntu, Debian bionic Ignored (superseded by linux-gcp-5.3)  
trusty Does not exist  
impish Not vulnerable (5.13.0-1005.6)  
focal Released (5.4.0-1057.61)  
hirsute Released (5.11.0-1021.23)  
xenial Not vulnerable (4.10.0-1004.4)  
upstream Released (5.15~rc1)  
jammy Not vulnerable (5.13.0-1005.6)  
linux-gcp-4.15  
Launchpad, Ubuntu, Debian focal Does not exist  
hirsute Does not exist  
trusty Does not exist  
xenial Does not exist  
impish Does not exist  
bionic Not vulnerable (4.15.0-1071.81)  
upstream Released (5.15~rc1)  
jammy Does not exist  
linux-gcp-5.3  
Launchpad, Ubuntu, Debian bionic Ignored (superseded by linux-gcp-5.4)  
focal Does not exist  
hirsute Does not exist  
trusty Does not exist  
xenial Does not exist  
impish Does not exist  
upstream Released (5.15~rc1)  
jammy Does not exist  
linux-gcp-5.4  
Launchpad, Ubuntu, Debian focal Does not exist  
hirsute Does not exist  
trusty Does not exist  
xenial Does not exist  
impish Does not exist  
bionic Released (5.4.0-1057.61~18.04.1)  
upstream Released (5.15~rc1)  
jammy Does not exist  
linux  
Launchpad, Ubuntu, Debian impish Not vulnerable (5.13.0-19.19)  
bionic Not vulnerable (4.13.0-16.19)  
focal Released (5.4.0-90.101)  
trusty Not vulnerable (3.11.0-12.19)  
xenial Not vulnerable (4.4.0-2.16)  
upstream Released (5.15~rc1)  
hirsute Released (5.11.0-38.42)  
jammy Not vulnerable (5.13.0-19.19)  
linux-kvm  
Launchpad, Ubuntu, Debian trusty Does not exist  
impish Not vulnerable (5.13.0-1003.3)  
bionic Not vulnerable (4.15.0-1002.2)  
focal Released (5.4.0-1049.51)  
hirsute Released (5.11.0-1018.19)  
xenial Not vulnerable (4.4.0-1004.9)  
upstream Released (5.15~rc1)  
jammy Not vulnerable (5.13.0-1004.4)  
linux-aws  
Launchpad, Ubuntu, Debian trusty Not vulnerable (4.4.0-1002.2)  
impish Not vulnerable (5.13.0-1005.6)  
bionic Not vulnerable (4.15.0-1001.1)  
focal Released (5.4.0-1059.62)  
xenial Not vulnerable (4.4.0-1001.10)  
upstream Released (5.15~rc1)  
hirsute Released (5.11.0-1020.21)  
jammy Not vulnerable (5.13.0-1005.6)  
linux-oracle  
Launchpad, Ubuntu, Debian trusty Does not exist  
xenial Not vulnerable (4.15.0-1007.9~16.04.1)  
impish Not vulnerable (5.13.0-1008.10)  
bionic Not vulnerable (4.15.0-1007.9)  
upstream Released (5.15~rc1)  
focal Released (5.4.0-1057.61)  
hirsute Released (5.11.0-1020.21)  
jammy Not vulnerable (5.13.0-1008.10)  
linux-oem-5.13  
Launchpad, Ubuntu, Debian trusty Does not exist  
xenial Does not exist  
impish Does not exist  
bionic Does not exist  
hirsute Does not exist  
upstream Released (5.15~rc1)  
focal Released (5.13.0-1017.21)  
jammy Does not exist  
linux-aws-5.11  
Launchpad, Ubuntu, Debian trusty Does not exist  
xenial Does not exist  
impish Does not exist  
bionic Does not exist  
hirsute Does not exist  
upstream Released (5.15~rc1)  
focal Released (5.11.0-1020.21~20.04.2)  
jammy Does not exist  
linux-azure-5.11  
Launchpad, Ubuntu, Debian trusty Does not exist  
xenial Does not exist  
impish Does not exist  
bionic Does not exist  
hirsute Does not exist  
upstream Released (5.15~rc1)  
focal Released (5.11.0-1020.21~20.04.1)  
jammy Does not exist  
linux-oracle-5.11  
Launchpad, Ubuntu, Debian trusty Does not exist  
xenial Does not exist  
impish Does not exist  
bionic Does not exist  
focal Released (5.11.0-1020.21~20.04.1)  
hirsute Does not exist  
upstream Released (5.15~rc1)  
jammy Does not exist  
linux-ibm  
Launchpad, Ubuntu, Debian trusty Does not exist  
xenial Does not exist  
impish Does not exist  
bionic Does not exist  
focal Released (5.4.0-1007.8)  
hirsute Does not exist  
upstream Released (5.15~rc1)  
jammy Not vulnerable (5.15.0-1002.2)  
linux-gcp-5.11  
Launchpad, Ubuntu, Debian trusty Does not exist  
xenial Does not exist  
bionic Does not exist  
focal Released (5.11.0-1021.23~20.04.1)  
hirsute Does not exist  
impish Does not exist  
upstream Released (5.15~rc1)  
jammy Does not exist  
linux-oem-5.14  
Launchpad, Ubuntu, Debian trusty Does not exist  
xenial Does not exist  
bionic Does not exist  
hirsute Does not exist  
impish Does not exist  
focal Not vulnerable (5.14.0-1004.4)  
upstream Released (5.15~rc1)  
jammy Does not exist  
linux-intel-5.13  
Launchpad, Ubuntu, Debian trusty Does not exist  
xenial Does not exist  
bionic Does not exist  
hirsute Does not exist  
impish Does not exist  
focal Ignored (was needs-triage now end-of-life)  
upstream Released (5.15~rc1)  
jammy Does not exist  
linux-azure-5.13  
Launchpad, Ubuntu, Debian trusty Does not exist  
xenial Does not exist  
bionic Does not exist  
focal Not vulnerable (5.13.0-1009.10~20.04.2)  
impish Does not exist  
upstream Released (5.15~rc1)  
jammy Does not exist  
linux-hwe-5.13  
Launchpad, Ubuntu, Debian trusty Does not exist  
xenial Does not exist  
bionic Does not exist  
impish Does not exist  
focal Not vulnerable (5.13.0-21.21~20.04.1)  
upstream Released (5.15~rc1)  
jammy Does not exist  
linux-aws-5.13  
Launchpad, Ubuntu, Debian trusty Does not exist  
xenial Does not exist  
bionic Does not exist  
impish Does not exist  
focal Not vulnerable (5.13.0-1008.9~20.04.2)  
upstream Released (5.15~rc1)  
jammy Does not exist  
linux-fips  
Launchpad, Ubuntu, Debian trusty Does not exist  
bionic Does not exist  
focal Does not exist  
hirsute Does not exist  
impish Does not exist  
upstream Released (5.15~rc1)  
xenial Not vulnerable (4.4.0-1074.80)  
jammy Does not exist  
linux-oracle-5.13  
Launchpad, Ubuntu, Debian trusty Does not exist  
xenial Does not exist  
bionic Does not exist  
impish Does not exist  
focal Not vulnerable (5.13.0-1011.13~20.04.2)  
upstream Released (5.15~rc1)  
jammy Does not exist  
linux-gcp-5.13  
Launchpad, Ubuntu, Debian trusty Does not exist  
xenial Does not exist  
bionic Does not exist  
impish Does not exist  
focal Not vulnerable (5.13.0-1008.9~20.04.3)  
upstream Released (5.15~rc1)  
jammy Does not exist  
linux-ibm-5.4  
Launchpad, Ubuntu, Debian trusty Does not exist  
xenial Does not exist  
focal Does not exist  
impish Does not exist  
bionic Not vulnerable (5.4.0-1010.11~18.04.2)  
upstream Released (5.15~rc1)  
jammy Does not exist  
linux-azure-fde  
Launchpad, Ubuntu, Debian trusty Does not exist  
xenial Does not exist  
bionic Does not exist  
impish Does not exist  
upstream Released (5.15~rc1)  
focal Not vulnerable (5.4.0-1063.66+cvm2.2)  
jammy Does not exist  
linux-lowlatency  
Launchpad, Ubuntu, Debian trusty Does not exist  
xenial Does not exist  
bionic Does not exist  
focal Does not exist  
impish Does not exist  
jammy Not vulnerable (5.15.0-22.22)  
upstream Released (5.15~rc1)  
linux-oem-5.17  
Launchpad, Ubuntu, Debian trusty Does not exist  
xenial Does not exist  
bionic Does not exist  
focal Does not exist  
impish Does not exist  
jammy Not vulnerable (5.17.0-1003.3)  
upstream Released (5.15~rc1)

CVE-2021-3739: CVE-2021-3739 | Ubuntu

linux  
Launchpad, Ubuntu, Debian bionic Not vulnerable (4.13.0-16.19)  
focal Released (5.4.0-90.101)  
hirsute Released (5.11.0-38.42)  
impish Not vulnerable (5.13.0-19.19)  
trusty Not vulnerable (3.11.0-12.19)  
upstream Released (5.15~rc1)  
xenial Not vulnerable (4.4.0-2.16)  
linux-aws  
Launchpad, Ubuntu, Debian bionic Not vulnerable (4.15.0-1001.1)  
focal Released (5.4.0-1059.62)  
hirsute Released (5.11.0-1020.21)  
impish Not vulnerable (5.13.0-1005.6)  
trusty Not vulnerable (4.4.0-1002.2)  
upstream Released (5.15~rc1)  
xenial Not vulnerable (4.4.0-1001.10)  
linux-aws-5.0  
Launchpad, Ubuntu, Debian bionic Ignored (superseded by linux-aws-5.3)  
focal Does not exist  
hirsute Does not exist  
impish Does not exist  
trusty Does not exist  
upstream Released (5.15~rc1)  
xenial Does not exist  
linux-aws-5.11  
Launchpad, Ubuntu, Debian bionic Does not exist  
focal Released (5.11.0-1020.21~20.04.2)  
hirsute Does not exist  
impish Does not exist  
trusty Does not exist  
upstream Released (5.15~rc1)  
xenial Does not exist  
linux-aws-5.13  
Launchpad, Ubuntu, Debian bionic Does not exist  
focal Not vulnerable (5.13.0-1008.9~20.04.2)  
impish Does not exist  
trusty Does not exist  
upstream Released (5.15~rc1)  
xenial Does not exist  
linux-aws-5.3  
Launchpad, Ubuntu, Debian bionic Ignored (superseded by linux-aws-5.4)  
focal Does not exist  
hirsute Does not exist  
impish Does not exist  
trusty Does not exist  
upstream Released (5.15~rc1)  
xenial Does not exist  
linux-aws-5.4  
Launchpad, Ubuntu, Debian bionic Released (5.4.0-1059.62~18.04.1)  
focal Does not exist  
hirsute Does not exist  
impish Does not exist  
trusty Does not exist  
upstream Released (5.15~rc1)  
xenial Does not exist  
linux-aws-5.8  
Launchpad, Ubuntu, Debian bionic Does not exist  
focal Ignored (was needs-triage now end-of-life)  
hirsute Does not exist  
impish Does not exist  
trusty Does not exist  
upstream Released (5.15~rc1)  
xenial Does not exist  
linux-aws-hwe  
Launchpad, Ubuntu, Debian bionic Does not exist  
focal Does not exist  
hirsute Does not exist  
impish Does not exist  
trusty Does not exist  
upstream Released (5.15~rc1)  
xenial Not vulnerable (4.15.0-1030.31~16.04.1)  
linux-azure  
Launchpad, Ubuntu, Debian bionic Ignored (superseded by linux-azure-5.3)  
focal Released (5.4.0-1063.66)  
hirsute Released (5.11.0-1020.21)  
impish Not vulnerable (5.13.0-1006.7)  
trusty Not vulnerable (4.15.0-1023.24~14.04.1)  
upstream Released (5.15~rc1)  
xenial Not vulnerable (4.11.0-1009.9)  
linux-azure-4.15  
Launchpad, Ubuntu, Debian bionic Not vulnerable (4.15.0-1082.92)  
focal Does not exist  
hirsute Does not exist  
impish Does not exist  
trusty Does not exist  
upstream Released (5.15~rc1)  
xenial Does not exist  
linux-azure-5.11  
Launchpad, Ubuntu, Debian bionic Does not exist  
focal Released (5.11.0-1020.21~20.04.1)  
hirsute Does not exist  
impish Does not exist  
trusty Does not exist  
upstream Released (5.15~rc1)  
xenial Does not exist  
linux-azure-5.3  
Launchpad, Ubuntu, Debian bionic Ignored (superseded by linux-azure-5.4)  
focal Does not exist  
hirsute Does not exist  
impish Does not exist  
trusty Does not exist  
upstream Released (5.15~rc1)  
xenial Does not exist  
linux-azure-5.4  
Launchpad, Ubuntu, Debian bionic Released (5.4.0-1063.66~18.04.1)  
focal Does not exist  
hirsute Does not exist  
impish Does not exist  
trusty Does not exist  
upstream Released (5.15~rc1)  
xenial Does not exist  
linux-azure-5.8  
Launchpad, Ubuntu, Debian bionic Does not exist  
focal Ignored (was pending \[5.8.0-1043.46~20.04.1\] now end-of-life)  
hirsute Does not exist  
impish Does not exist  
trusty Does not exist  
upstream Released (5.15~rc1)  
xenial Does not exist  
linux-azure-edge  
Launchpad, Ubuntu, Debian bionic Ignored (superseded by linux-azure-5.3)  
focal Does not exist  
hirsute Does not exist  
impish Does not exist  
trusty Does not exist  
upstream Released (5.15~rc1)  
xenial Does not exist  
linux-azure-fde  
Launchpad, Ubuntu, Debian bionic Does not exist  
focal Not vulnerable (5.4.0-1063.66+cvm2.2)  
impish Does not exist  
trusty Does not exist  
upstream Released (5.15~rc1)  
xenial Does not exist  
linux-bluefield  
Launchpad, Ubuntu, Debian bionic Does not exist  
focal Released (5.4.0-1021.24)  
hirsute Does not exist  
impish Does not exist  
trusty Does not exist  
upstream Released (5.15~rc1)  
xenial Does not exist  
linux-dell300x  
Launchpad, Ubuntu, Debian bionic Not vulnerable (4.15.0-1005.8)  
focal Does not exist  
hirsute Does not exist  
impish Does not exist  
trusty Does not exist  
upstream Released (5.15~rc1)  
xenial Does not exist  
linux-fips  
Launchpad, Ubuntu, Debian bionic Does not exist  
focal Does not exist  
hirsute Does not exist  
impish Does not exist  
trusty Does not exist  
upstream Released (5.15~rc1)  
xenial Does not exist  
linux-gcp  
Launchpad, Ubuntu, Debian bionic Ignored (superseded by linux-gcp-5.3)  
focal Released (5.4.0-1057.61)  
hirsute Released (5.11.0-1021.23)  
impish Not vulnerable (5.13.0-1005.6)  
trusty Does not exist  
upstream Released (5.15~rc1)  
xenial Not vulnerable (4.10.0-1004.4)  
linux-gcp-4.15  
Launchpad, Ubuntu, Debian bionic Not vulnerable (4.15.0-1071.81)  
focal Does not exist  
hirsute Does not exist  
impish Does not exist  
trusty Does not exist  
upstream Released (5.15~rc1)  
xenial Does not exist  
linux-gcp-5.11  
Launchpad, Ubuntu, Debian bionic Does not exist  
focal Released (5.11.0-1021.23~20.04.1)  
hirsute Does not exist  
impish Does not exist  
trusty Does not exist  
upstream Released (5.15~rc1)  
xenial Does not exist  
linux-gcp-5.13  
Launchpad, Ubuntu, Debian bionic Does not exist  
focal Not vulnerable (5.13.0-1008.9~20.04.3)  
impish Does not exist  
trusty Does not exist  
upstream Released (5.15~rc1)  
xenial Does not exist  
linux-gcp-5.3  
Launchpad, Ubuntu, Debian bionic Ignored (superseded by linux-gcp-5.4)  
focal Does not exist  
hirsute Does not exist  
impish Does not exist  
trusty Does not exist  
upstream Released (5.15~rc1)  
xenial Does not exist  
linux-gcp-5.4  
Launchpad, Ubuntu, Debian bionic Released (5.4.0-1057.61~18.04.1)  
focal Does not exist  
hirsute Does not exist  
impish Does not exist  
trusty Does not exist  
upstream Released (5.15~rc1)  
xenial Does not exist  
linux-gcp-5.8  
Launchpad, Ubuntu, Debian bionic Does not exist  
focal Ignored (was needs-triage now end-of-life)  
hirsute Does not exist  
impish Does not exist  
trusty Does not exist  
upstream Released (5.15~rc1)  
xenial Does not exist  
linux-gcp-edge  
Launchpad, Ubuntu, Debian bionic Ignored (superseded by linux-gcp-5.3)  
focal Does not exist  
hirsute Does not exist  
impish Does not exist  
trusty Does not exist  
upstream Released (5.15~rc1)  
xenial Does not exist  
linux-gke  
Launchpad, Ubuntu, Debian bionic Does not exist  
focal Released (5.4.0-1055.58)  
hirsute Does not exist  
impish Does not exist  
trusty Does not exist  
upstream Released (5.15~rc1)  
xenial Ignored (reached end of standard support)  
linux-gke-4.15  
Launchpad, Ubuntu, Debian bionic Ignored (was needs-triage now end-of-life)  
focal Does not exist  
hirsute Does not exist  
impish Does not exist  
trusty Does not exist  
upstream Released (5.15~rc1)  
xenial Does not exist  
linux-gke-5.0  
Launchpad, Ubuntu, Debian bionic Ignored (was needs-triage now end-of-life)  
focal Does not exist  
hirsute Does not exist  
impish Does not exist  
trusty Does not exist  
upstream Released (5.15~rc1)  
xenial Does not exist  
linux-gke-5.3  
Launchpad, Ubuntu, Debian bionic Ignored (was needs-triage now end-of-life)  
focal Does not exist  
hirsute Does not exist  
impish Does not exist  
trusty Does not exist  
upstream Released (5.15~rc1)  
xenial Does not exist  
linux-gke-5.4  
Launchpad, Ubuntu, Debian bionic Released (5.4.0-1055.58~18.04.1)  
focal Does not exist  
hirsute Does not exist  
impish Does not exist  
trusty Does not exist  
upstream Released (5.15~rc1)  
xenial Does not exist  
linux-gkeop  
Launchpad, Ubuntu, Debian bionic Does not exist  
focal Released (5.4.0-1026.27)  
hirsute Does not exist  
impish Does not exist  
trusty Does not exist  
upstream Released (5.15~rc1)  
xenial Does not exist  
linux-gkeop-5.4  
Launchpad, Ubuntu, Debian bionic Released (5.4.0-1026.27~18.04.1)  
focal Does not exist  
hirsute Does not exist  
impish Does not exist  
trusty Does not exist  
upstream Released (5.15~rc1)  
xenial Does not exist  
linux-hwe  
Launchpad, Ubuntu, Debian bionic Ignored (replaced by linux-hwe-5.4)  
focal Does not exist  
hirsute Does not exist  
impish Does not exist  
trusty Does not exist  
upstream Released (5.15~rc1)  
xenial Not vulnerable (4.8.0-39.42~16.04.1)  
linux-hwe-5.11  
Launchpad, Ubuntu, Debian bionic Does not exist  
focal Released (5.11.0-38.42~20.04.1)  
hirsute Does not exist  
impish Does not exist  
trusty Does not exist  
upstream Released (5.15~rc1)  
xenial Does not exist  
linux-hwe-5.13  
Launchpad, Ubuntu, Debian bionic Does not exist  
focal Not vulnerable (5.13.0-21.21~20.04.1)  
impish Does not exist  
trusty Does not exist  
upstream Released (5.15~rc1)  
xenial Does not exist  
linux-hwe-5.4  
Launchpad, Ubuntu, Debian bionic Released (5.4.0-90.101~18.04.1)  
focal Does not exist  
hirsute Does not exist  
impish Does not exist  
trusty Does not exist  
upstream Released (5.15~rc1)  
xenial Does not exist  
linux-hwe-5.8  
Launchpad, Ubuntu, Debian bionic Does not exist  
focal Ignored (was pending \[5.8.0-67.75\] now end-of-life)  
hirsute Does not exist  
impish Does not exist  
trusty Does not exist  
upstream Released (5.15~rc1)  
xenial Does not exist  
linux-hwe-edge  
Launchpad, Ubuntu, Debian bionic Ignored (superseded by linux-hwe-5.4)  
focal Does not exist  
hirsute Does not exist  
impish Does not exist  
trusty Does not exist  
upstream Released (5.15~rc1)  
xenial Ignored (superseded by linux-hwe)  
linux-ibm  
Launchpad, Ubuntu, Debian bionic Does not exist  
focal Released (5.4.0-1007.8)  
hirsute Does not exist  
impish Does not exist  
trusty Does not exist  
upstream Released (5.15~rc1)  
xenial Does not exist  
linux-ibm-5.4  
Launchpad, Ubuntu, Debian bionic Not vulnerable (5.4.0-1010.11~18.04.2)  
focal Does not exist  
impish Does not exist  
trusty Does not exist  
upstream Released (5.15~rc1)  
xenial Does not exist  
linux-intel-5.13  
Launchpad, Ubuntu, Debian bionic Does not exist  
focal Ignored (was needs-triage now end-of-life)  
hirsute Does not exist  
impish Does not exist  
trusty Does not exist  
upstream Released (5.15~rc1)  
xenial Does not exist  
linux-kvm  
Launchpad, Ubuntu, Debian bionic Not vulnerable (4.15.0-1002.2)  
focal Released (5.4.0-1049.51)  
hirsute Released (5.11.0-1018.19)  
impish Not vulnerable (5.13.0-1003.3)  
trusty Does not exist  
upstream Released (5.15~rc1)  
xenial Not vulnerable (4.4.0-1004.9)  
linux-lts-xenial  
Launchpad, Ubuntu, Debian bionic Does not exist  
focal Does not exist  
hirsute Does not exist  
impish Does not exist  
trusty Not vulnerable (4.4.0-13.29~14.04.1)  
upstream Released (5.15~rc1)  
xenial Does not exist  
linux-oem  
Launchpad, Ubuntu, Debian bionic Ignored (was needs-triage now end-of-life)  
focal Does not exist  
hirsute Does not exist  
impish Does not exist  
trusty Does not exist  
upstream Released (5.15~rc1)  
xenial Ignored (superseded by linux-hwe)  
linux-oem-5.10  
Launchpad, Ubuntu, Debian bionic Does not exist  
focal Released (5.10.0-1050.52)  
hirsute Does not exist  
impish Does not exist  
trusty Does not exist  
upstream Released (5.15~rc1)  
xenial Does not exist  
linux-oem-5.13  
Launchpad, Ubuntu, Debian bionic Does not exist  
focal Released (5.13.0-1017.21)  
hirsute Does not exist  
impish Does not exist  
trusty Does not exist  
upstream Released (5.15~rc1)  
xenial Does not exist  
linux-oem-5.14  
Launchpad, Ubuntu, Debian bionic Does not exist  
focal Not vulnerable (5.14.0-1004.4)  
hirsute Does not exist  
impish Does not exist  
trusty Does not exist  
upstream Released (5.15~rc1)  
xenial Does not exist  
linux-oem-5.6  
Launchpad, Ubuntu, Debian bionic Does not exist  
focal Ignored (was needs-triage now end-of-life)  
hirsute Does not exist  
impish Does not exist  
trusty Does not exist  
upstream Released (5.15~rc1)  
xenial Does not exist  
linux-oem-osp1  
Launchpad, Ubuntu, Debian bionic Ignored (was needs-triage now end-of-life)  
focal Does not exist  
hirsute Does not exist  
impish Does not exist  
trusty Does not exist  
upstream Released (5.15~rc1)  
xenial Does not exist  
linux-oracle  
Launchpad, Ubuntu, Debian bionic Not vulnerable (4.15.0-1007.9)  
focal Released (5.4.0-1057.61)  
hirsute Released (5.11.0-1020.21)  
impish Not vulnerable (5.13.0-1008.10)  
trusty Does not exist  
upstream Released (5.15~rc1)  
xenial Not vulnerable (4.15.0-1007.9~16.04.1)  
linux-oracle-5.0  
Launchpad, Ubuntu, Debian bionic Ignored (superseded by linux-oracle-5.3)  
focal Does not exist  
hirsute Does not exist  
impish Does not exist  
trusty Does not exist  
upstream Released (5.15~rc1)  
xenial Does not exist  
linux-oracle-5.11  
Launchpad, Ubuntu, Debian bionic Does not exist  
focal Released (5.11.0-1020.21~20.04.1)  
hirsute Does not exist  
impish Does not exist  
trusty Does not exist  
upstream Released (5.15~rc1)  
xenial Does not exist  
linux-oracle-5.13  
Launchpad, Ubuntu, Debian bionic Does not exist  
focal Not vulnerable (5.13.0-1011.13~20.04.2)  
impish Does not exist  
trusty Does not exist  
upstream Released (5.15~rc1)  
xenial Does not exist  
linux-oracle-5.3  
Launchpad, Ubuntu, Debian bionic Ignored (superseded by linux-oracle-5.4)  
focal Does not exist  
hirsute Does not exist  
impish Does not exist  
trusty Does not exist  
upstream Released (5.15~rc1)  
xenial Does not exist  
linux-oracle-5.4  
Launchpad, Ubuntu, Debian bionic Released (5.4.0-1057.61~18.04.1)  
focal Does not exist  
hirsute Does not exist  
impish Does not exist  
trusty Does not exist  
upstream Released (5.15~rc1)  
xenial Does not exist  
linux-oracle-5.8  
Launchpad, Ubuntu, Debian bionic Does not exist  
focal Ignored (was needs-triage now end-of-life)  
hirsute Does not exist  
impish Does not exist  
trusty Does not exist  
upstream Released (5.15~rc1)  
xenial Does not exist  
linux-raspi  
Launchpad, Ubuntu, Debian bionic Does not exist  
focal Released (5.4.0-1046.50)  
hirsute Released (5.11.0-1021.22)  
impish Not vulnerable (5.13.0-1008.9)  
trusty Does not exist  
upstream Released (5.15~rc1)  
xenial Does not exist  
linux-raspi-5.4  
Launchpad, Ubuntu, Debian bionic Released (5.4.0-1046.50~18.04.1)  
focal Does not exist  
hirsute Does not exist  
impish Does not exist  
trusty Does not exist  
upstream Released (5.15~rc1)  
xenial Does not exist  
linux-raspi2  
Launchpad, Ubuntu, Debian bionic Not vulnerable (4.13.0-1005.5)  
focal Ignored (replaced by linux-raspi)  
hirsute Does not exist  
impish Does not exist  
trusty Does not exist  
upstream Released (5.15~rc1)  
xenial Ignored (was needs-triage now end-of-life)  
linux-raspi2-5.3  
Launchpad, Ubuntu, Debian bionic Ignored (was needs-triage now end-of-life)  
focal Does not exist  
hirsute Does not exist  
impish Does not exist  
trusty Does not exist  
upstream Released (5.15~rc1)  
xenial Does not exist  
linux-riscv  
Launchpad, Ubuntu, Debian bionic Does not exist  
focal Ignored (superseded by linux-riscv-5.8)  
hirsute Released (5.11.0-1021.22)  
impish Not vulnerable (5.13.0-1004.4)  
trusty Does not exist  
upstream Released (5.15~rc1)  
xenial Does not exist  
linux-riscv-5.11  
Launchpad, Ubuntu, Debian bionic Does not exist  
focal Released (5.11.0-1021.22~20.04.1)  
hirsute Does not exist  
impish Does not exist  
trusty Does not exist  
upstream Released (5.15~rc1)  
xenial Does not exist  
linux-riscv-5.8  
Launchpad, Ubuntu, Debian bionic Does not exist  
focal Ignored (was needs-triage now end-of-life)  
hirsute Does not exist  
impish Does not exist  
trusty Does not exist  
upstream Released (5.15~rc1)  
xenial Does not exist  
linux-snapdragon  
Launchpad, Ubuntu, Debian bionic Not vulnerable (4.4.0-1077.82)  
focal Does not exist  
hirsute Does not exist  
impish Does not exist  
trusty Does not exist  
upstream Released (5.15~rc1)  
xenial Ignored (was needs-triage now end-of-life)

A flaw was found in the Linux kernel's OverlayFS subsystem in the way the user mounts the TmpFS filesystem with OverlayFS. This flaw allows a local user to gain access to hidden files that should not be accessible.

CVE-2021-3732: CVE-2021-3732 | Ubuntu

A security issue was found in Linux kernel’s OverlayFS subsystem where a local attacker who has the ability to mount the TmpFS filesystem with OverlayFS can abuse a logic bug in the overlayfs code which can inadvertently reveal files hidden in the original mount.

linux  
Launchpad, Ubuntu, Debian bionic Released (4.15.0-159.167)  
focal Released (5.4.0-89.100)  
hirsute Released (5.11.0-38.42)  
impish Not vulnerable (5.13.0-16.16)  
trusty Ignored (was needed ESM criteria)  
upstream Released (5.14~rc6)  
xenial Ignored (was needed ESM criteria)  
linux-aws  
Launchpad, Ubuntu, Debian bionic Released (4.15.0-1112.119)  
focal Released (5.4.0-1058.61)  
hirsute Released (5.11.0-1020.21)  
impish Not vulnerable (5.13.0-1005.6)  
trusty Ignored (was needed ESM criteria)  
upstream Released (5.14~rc6)  
xenial Ignored (was needed ESM criteria)  
linux-aws-5.0  
Launchpad, Ubuntu, Debian bionic Ignored (superseded by linux-aws-5.3)  
focal Does not exist  
hirsute Does not exist  
impish Does not exist  
trusty Does not exist  
upstream Released (5.14~rc6)  
xenial Does not exist  
linux-aws-5.11  
Launchpad, Ubuntu, Debian bionic Does not exist  
focal Released (5.11.0-1020.21~20.04.2)  
hirsute Does not exist  
impish Does not exist  
trusty Does not exist  
upstream Released (5.14~rc6)  
xenial Does not exist  
linux-aws-5.13  
Launchpad, Ubuntu, Debian bionic Does not exist  
focal Not vulnerable (5.13.0-1008.9~20.04.2)  
impish Does not exist  
trusty Does not exist  
upstream Released (5.14~rc6)  
xenial Does not exist  
linux-aws-5.3  
Launchpad, Ubuntu, Debian bionic Ignored (superseded by linux-aws-5.4)  
focal Does not exist  
hirsute Does not exist  
impish Does not exist  
trusty Does not exist  
upstream Released (5.14~rc6)  
xenial Does not exist  
linux-aws-5.4  
Launchpad, Ubuntu, Debian bionic Released (5.4.0-1058.61~18.04.3)  
focal Does not exist  
hirsute Does not exist  
impish Does not exist  
trusty Does not exist  
upstream Released (5.14~rc6)  
xenial Does not exist  
linux-aws-5.8  
Launchpad, Ubuntu, Debian bionic Does not exist  
focal Ignored (was needs-triage now end-of-life)  
hirsute Does not exist  
impish Does not exist  
trusty Does not exist  
upstream Released (5.14~rc6)  
xenial Does not exist  
linux-aws-hwe  
Launchpad, Ubuntu, Debian bionic Does not exist  
focal Does not exist  
hirsute Does not exist  
impish Does not exist  
trusty Does not exist  
upstream Released (5.14~rc6)  
xenial Released (4.15.0-1112.119~16.04.1)  
linux-azure  
Launchpad, Ubuntu, Debian bionic Ignored (superseded by linux-azure-5.3)  
focal Released (5.4.0-1062.65)  
hirsute Released (5.11.0-1020.21)  
impish Not vulnerable (5.13.0-1004.5)  
trusty Released (4.15.0-1124.137~14.04.1)  
upstream Released (5.14~rc6)  
xenial Released (4.15.0-1124.137~16.04.1)  
linux-azure-4.15  
Launchpad, Ubuntu, Debian bionic Released (4.15.0-1124.137)  
focal Does not exist  
hirsute Does not exist  
impish Does not exist  
trusty Does not exist  
upstream Released (5.14~rc6)  
xenial Does not exist  
linux-azure-5.11  
Launchpad, Ubuntu, Debian bionic Does not exist  
focal Released (5.11.0-1020.21~20.04.1)  
hirsute Does not exist  
impish Does not exist  
trusty Does not exist  
upstream Released (5.14~rc6)  
xenial Does not exist  
linux-azure-5.3  
Launchpad, Ubuntu, Debian bionic Ignored (superseded by linux-azure-5.4)  
focal Does not exist  
hirsute Does not exist  
impish Does not exist  
trusty Does not exist  
upstream Released (5.14~rc6)  
xenial Does not exist  
linux-azure-5.4  
Launchpad, Ubuntu, Debian bionic Released (5.4.0-1062.65~18.04.1)  
focal Does not exist  
hirsute Does not exist  
impish Does not exist  
trusty Does not exist  
upstream Released (5.14~rc6)  
xenial Does not exist  
linux-azure-5.8  
Launchpad, Ubuntu, Debian bionic Does not exist  
focal Ignored (was needed now end-of-life)  
hirsute Does not exist  
impish Does not exist  
trusty Does not exist  
upstream Released (5.14~rc6)  
xenial Does not exist  
linux-azure-edge  
Launchpad, Ubuntu, Debian bionic Ignored (superseded by linux-azure-5.3)  
focal Does not exist  
hirsute Does not exist  
impish Does not exist  
trusty Does not exist  
upstream Released (5.14~rc6)  
xenial Does not exist  
linux-azure-fde  
Launchpad, Ubuntu, Debian bionic Does not exist  
focal Not vulnerable (5.4.0-1063.66+cvm2.2)  
impish Does not exist  
trusty Does not exist  
upstream Released (5.14~rc6)  
xenial Does not exist  
linux-bluefield  
Launchpad, Ubuntu, Debian bionic Does not exist  
focal Released (5.4.0-1020.23)  
hirsute Does not exist  
impish Does not exist  
trusty Does not exist  
upstream Released (5.14~rc6)  
xenial Does not exist  
linux-dell300x  
Launchpad, Ubuntu, Debian bionic Released (4.15.0-1028.33)  
focal Does not exist  
hirsute Does not exist  
impish Does not exist  
trusty Does not exist  
upstream Released (5.14~rc6)  
xenial Does not exist  
linux-fips  
Launchpad, Ubuntu, Debian bionic Does not exist  
focal Does not exist  
hirsute Does not exist  
impish Does not exist  
trusty Does not exist  
upstream Released (5.14~rc6)  
xenial Does not exist  
linux-gcp  
Launchpad, Ubuntu, Debian bionic Ignored (superseded by linux-gcp-5.3)  
focal Released (5.4.0-1056.60)  
hirsute Released (5.11.0-1021.23)  
impish Not vulnerable (5.13.0-1003.4)  
trusty Does not exist  
upstream Released (5.14~rc6)  
xenial Released (4.15.0-1109.123~16.04.1)  
linux-gcp-4.15  
Launchpad, Ubuntu, Debian bionic Released (4.15.0-1109.123)  
focal Does not exist  
hirsute Does not exist  
impish Does not exist  
trusty Does not exist  
upstream Released (5.14~rc6)  
xenial Does not exist  
linux-gcp-5.11  
Launchpad, Ubuntu, Debian bionic Does not exist  
focal Released (5.11.0-1021.23~20.04.1)  
hirsute Does not exist  
impish Does not exist  
trusty Does not exist  
upstream Released (5.14~rc6)  
xenial Does not exist  
linux-gcp-5.13  
Launchpad, Ubuntu, Debian bionic Does not exist  
focal Not vulnerable (5.13.0-1008.9~20.04.3)  
impish Does not exist  
trusty Does not exist  
upstream Released (5.14~rc6)  
xenial Does not exist  
linux-gcp-5.3  
Launchpad, Ubuntu, Debian bionic Ignored (superseded by linux-gcp-5.4)  
focal Does not exist  
hirsute Does not exist  
impish Does not exist  
trusty Does not exist  
upstream Released (5.14~rc6)  
xenial Does not exist  
linux-gcp-5.4  
Launchpad, Ubuntu, Debian bionic Released (5.4.0-1056.60~18.04.1)  
focal Does not exist  
hirsute Does not exist  
impish Does not exist  
trusty Does not exist  
upstream Released (5.14~rc6)  
xenial Does not exist  
linux-gcp-5.8  
Launchpad, Ubuntu, Debian bionic Does not exist  
focal Ignored (was needs-triage now end-of-life)  
hirsute Does not exist  
impish Does not exist  
trusty Does not exist  
upstream Released (5.14~rc6)  
xenial Does not exist  
linux-gcp-edge  
Launchpad, Ubuntu, Debian bionic Ignored (superseded by linux-gcp-5.3)  
focal Does not exist  
hirsute Does not exist  
impish Does not exist  
trusty Does not exist  
upstream Released (5.14~rc6)  
xenial Does not exist  
linux-gke  
Launchpad, Ubuntu, Debian bionic Does not exist  
focal Released (5.4.0-1054.57)  
hirsute Does not exist  
impish Does not exist  
trusty Does not exist  
upstream Released (5.14~rc6)  
xenial Ignored (reached end of standard support)  
linux-gke-4.15  
Launchpad, Ubuntu, Debian bionic Ignored (was needs-triage now end-of-life)  
focal Does not exist  
hirsute Does not exist  
impish Does not exist  
trusty Does not exist  
upstream Released (5.14~rc6)  
xenial Does not exist  
linux-gke-5.0  
Launchpad, Ubuntu, Debian bionic Ignored (was needs-triage now end-of-life)  
focal Does not exist  
hirsute Does not exist  
impish Does not exist  
trusty Does not exist  
upstream Released (5.14~rc6)  
xenial Does not exist  
linux-gke-5.3  
Launchpad, Ubuntu, Debian bionic Ignored (was needs-triage now end-of-life)  
focal Does not exist  
hirsute Does not exist  
impish Does not exist  
trusty Does not exist  
upstream Released (5.14~rc6)  
xenial Does not exist  
linux-gke-5.4  
Launchpad, Ubuntu, Debian bionic Released (5.4.0-1054.57~18.04.1)  
focal Does not exist  
hirsute Does not exist  
impish Does not exist  
trusty Does not exist  
upstream Released (5.14~rc6)  
xenial Does not exist  
linux-gkeop  
Launchpad, Ubuntu, Debian bionic Does not exist  
focal Released (5.4.0-1025.26)  
hirsute Does not exist  
impish Does not exist  
trusty Does not exist  
upstream Released (5.14~rc6)  
xenial Does not exist  
linux-gkeop-5.4  
Launchpad, Ubuntu, Debian bionic Released (5.4.0-1025.26~18.04.1)  
focal Does not exist  
hirsute Does not exist  
impish Does not exist  
trusty Does not exist  
upstream Released (5.14~rc6)  
xenial Does not exist  
linux-hwe  
Launchpad, Ubuntu, Debian bionic Ignored (replaced by linux-hwe-5.4)  
focal Does not exist  
hirsute Does not exist  
impish Does not exist  
trusty Does not exist  
upstream Released (5.14~rc6)  
xenial Released (4.15.0-159.167~16.04.1)  
linux-hwe-5.11  
Launchpad, Ubuntu, Debian bionic Does not exist  
focal Released (5.11.0-38.42~20.04.1)  
hirsute Does not exist  
impish Does not exist  
trusty Does not exist  
upstream Released (5.14~rc6)  
xenial Does not exist  
linux-hwe-5.13  
Launchpad, Ubuntu, Debian bionic Does not exist  
focal Not vulnerable (5.13.0-21.21~20.04.1)  
impish Does not exist  
trusty Does not exist  
upstream Released (5.14~rc6)  
xenial Does not exist  
linux-hwe-5.4  
Launchpad, Ubuntu, Debian bionic Released (5.4.0-89.100~18.04.1)  
focal Does not exist  
hirsute Does not exist  
impish Does not exist  
trusty Does not exist  
upstream Released (5.14~rc6)  
xenial Does not exist  
linux-hwe-5.8  
Launchpad, Ubuntu, Debian bionic Does not exist  
focal Ignored (was needed now end-of-life)  
hirsute Does not exist  
impish Does not exist  
trusty Does not exist  
upstream Released (5.14~rc6)  
xenial Does not exist  
linux-hwe-edge  
Launchpad, Ubuntu, Debian bionic Ignored (superseded by linux-hwe-5.4)  
focal Does not exist  
hirsute Does not exist  
impish Does not exist  
trusty Does not exist  
upstream Released (5.14~rc6)  
xenial Ignored (superseded by linux-hwe)  
linux-ibm  
Launchpad, Ubuntu, Debian bionic Does not exist  
focal Released (5.4.0-1006.7)  
hirsute Does not exist  
impish Does not exist  
trusty Does not exist  
upstream Released (5.14~rc6)  
xenial Does not exist  
linux-ibm-5.4  
Launchpad, Ubuntu, Debian bionic Not vulnerable (5.4.0-1010.11~18.04.2)  
focal Does not exist  
impish Does not exist  
trusty Does not exist  
upstream Released (5.14~rc6)  
xenial Does not exist  
linux-intel-5.13  
Launchpad, Ubuntu, Debian bionic Does not exist  
focal Not vulnerable  
hirsute Does not exist  
impish Does not exist  
trusty Does not exist  
upstream Released (5.14~rc6)  
xenial Does not exist  
linux-kvm  
Launchpad, Ubuntu, Debian bionic Released (4.15.0-1100.102)  
focal Released (5.4.0-1048.50)  
hirsute Released (5.11.0-1018.19)  
impish Not vulnerable (5.13.0-1002.2)  
trusty Does not exist  
upstream Released (5.14~rc6)  
xenial Ignored (was needed ESM criteria)  
linux-lts-xenial  
Launchpad, Ubuntu, Debian bionic Does not exist  
focal Does not exist  
hirsute Does not exist  
impish Does not exist  
trusty Ignored (was needed ESM criteria)  
upstream Released (5.14~rc6)  
xenial Does not exist  
linux-oem  
Launchpad, Ubuntu, Debian bionic Ignored (was needs-triage now end-of-life)  
focal Does not exist  
hirsute Does not exist  
impish Does not exist  
trusty Does not exist  
upstream Released (5.14~rc6)  
xenial Ignored (superseded by linux-hwe)  
linux-oem-5.10  
Launchpad, Ubuntu, Debian bionic Does not exist  
focal Released (5.10.0-1050.52)  
hirsute Does not exist  
impish Does not exist  
trusty Does not exist  
upstream Released (5.14~rc6)  
xenial Does not exist  
linux-oem-5.13  
Launchpad, Ubuntu, Debian bionic Does not exist  
focal Released (5.13.0-1014.18)  
hirsute Does not exist  
impish Does not exist  
trusty Does not exist  
upstream Released (5.14~rc6)  
xenial Does not exist  
linux-oem-5.14  
Launchpad, Ubuntu, Debian bionic Does not exist  
focal Not vulnerable (5.14.0-1004.4)  
hirsute Does not exist  
impish Does not exist  
trusty Does not exist  
upstream Released (5.14~rc6)  
xenial Does not exist  
linux-oem-5.6  
Launchpad, Ubuntu, Debian bionic Does not exist  
focal Ignored (was needs-triage now end-of-life)  
hirsute Does not exist  
impish Does not exist  
trusty Does not exist  
upstream Released (5.14~rc6)  
xenial Does not exist  
linux-oem-osp1  
Launchpad, Ubuntu, Debian bionic Ignored (was needs-triage now end-of-life)  
focal Does not exist  
hirsute Does not exist  
impish Does not exist  
trusty Does not exist  
upstream Released (5.14~rc6)  
xenial Does not exist  
linux-oracle  
Launchpad, Ubuntu, Debian bionic Released (4.15.0-1081.89)  
focal Released (5.4.0-1056.60)  
hirsute Released (5.11.0-1020.21)  
impish Not vulnerable (5.13.0-1008.10)  
trusty Does not exist  
upstream Released (5.14~rc6)  
xenial Released (4.15.0-1081.89~16.04.1)  
linux-oracle-5.0  
Launchpad, Ubuntu, Debian bionic Ignored (superseded by linux-oracle-5.3)  
focal Does not exist  
hirsute Does not exist  
impish Does not exist  
trusty Does not exist  
upstream Released (5.14~rc6)  
xenial Does not exist  
linux-oracle-5.11  
Launchpad, Ubuntu, Debian bionic Does not exist  
focal Released (5.11.0-1020.21~20.04.1)  
hirsute Does not exist  
impish Does not exist  
trusty Does not exist  
upstream Released (5.14~rc6)  
xenial Does not exist  
linux-oracle-5.13  
Launchpad, Ubuntu, Debian bionic Does not exist  
focal Not vulnerable (5.13.0-1011.13~20.04.2)  
impish Does not exist  
trusty Does not exist  
upstream Released (5.14~rc6)  
xenial Does not exist  
linux-oracle-5.3  
Launchpad, Ubuntu, Debian bionic Ignored (superseded by linux-oracle-5.4)  
focal Does not exist  
hirsute Does not exist  
impish Does not exist  
trusty Does not exist  
upstream Released (5.14~rc6)  
xenial Does not exist  
linux-oracle-5.4  
Launchpad, Ubuntu, Debian bionic Released (5.4.0-1056.60~18.04.1)  
focal Does not exist  
hirsute Does not exist  
impish Does not exist  
trusty Does not exist  
upstream Released (5.14~rc6)  
xenial Does not exist  
linux-oracle-5.8  
Launchpad, Ubuntu, Debian bionic Does not exist  
focal Ignored (was needs-triage now end-of-life)  
hirsute Does not exist  
impish Does not exist  
trusty Does not exist  
upstream Released (5.14~rc6)  
xenial Does not exist  
linux-raspi  
Launchpad, Ubuntu, Debian bionic Does not exist  
focal Released (5.4.0-1045.49)  
hirsute Released (5.11.0-1021.22)  
impish Not vulnerable (5.13.0-1007.8)  
trusty Does not exist  
upstream Released (5.14~rc6)  
xenial Does not exist  
linux-raspi-5.4  
Launchpad, Ubuntu, Debian bionic Released (5.4.0-1045.49~18.04.1)  
focal Does not exist  
hirsute Does not exist  
impish Does not exist  
trusty Does not exist  
upstream Released (5.14~rc6)  
xenial Does not exist  
linux-raspi2  
Launchpad, Ubuntu, Debian bionic Released (4.15.0-1096.102)  
focal Ignored (replaced by linux-raspi)  
hirsute Does not exist  
impish Does not exist  
trusty Does not exist  
upstream Released (5.14~rc6)  
xenial Ignored (was needs-triage now end-of-life)  
linux-raspi2-5.3  
Launchpad, Ubuntu, Debian bionic Ignored (was needs-triage now end-of-life)  
focal Does not exist  
hirsute Does not exist  
impish Does not exist  
trusty Does not exist  
upstream Released (5.14~rc6)  
xenial Does not exist  
linux-riscv  
Launchpad, Ubuntu, Debian bionic Does not exist  
focal Ignored (superseded by linux-riscv-5.8)  
hirsute Released (5.11.0-1021.22)  
impish Not vulnerable (5.13.0-1003.3)  
trusty Does not exist  
upstream Released (5.14~rc6)  
xenial Does not exist  
linux-riscv-5.11  
Launchpad, Ubuntu, Debian bionic Does not exist  
focal Released (5.11.0-1021.22~20.04.1)  
hirsute Does not exist  
impish Does not exist  
trusty Does not exist  
upstream Released (5.14~rc6)  
xenial Does not exist  
linux-riscv-5.8  
Launchpad, Ubuntu, Debian bionic Does not exist  
focal Ignored (was needs-triage now end-of-life)  
hirsute Does not exist  
impish Does not exist  
trusty Does not exist  
upstream Released (5.14~rc6)  
xenial Does not exist  
linux-snapdragon  
Launchpad, Ubuntu, Debian bionic Released (4.15.0-1113.122)  
focal Does not exist  
hirsute Does not exist  
impish Does not exist  
trusty Does not exist  
upstream Released (5.14~rc6)  
xenial Ignored (was needs-triage now end-of-life)

saitoha libsixel v1.8.6 was discovered to contain a double free via the component sixel_chunk_destroy at /root/libsixel/src/chunk.c.

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed

chibataiki opened this issue

Dec 31, 2020

· 1 comment

**Comments**

![@chibataiki](https://avatars.githubusercontent.com/u/52232425?s=88&u=b05c72b1731b34a91f1aa94bf4ed3d3532bdd12e&v=4)

version:  
img2sixel 1.8.6

OS: Ubuntu 20.04.1 LTS x86\_64  
Kernel: 5.4.0-54-generic

compiler: gcc version 9.3.0

configured with:  
libcurl: no  
libpng: yes  
libjpeg: no  
gdk-pixbuf2: no  
GD: no

compiled with :

    (CFLAGS="-g -fsanitize=address" ./configure && make)
    

run

poc\_double\_free.zip

    =================================================================
    ==872176==ERROR: AddressSanitizer: attempting double-free on 0x62d000000400 in thread T0:
        #0 0x49489d in free (/root/libsixel/converters/.libs/img2sixel+0x49489d)
        #1 0x7fb24078593d in sixel_chunk_destroy /root/libsixel/src/chunk.c:107:9
        #2 0x7fb240799ddf in sixel_helper_load_image_file /root/libsixel/src/loader.c:1432:5
        #3 0x7fb2407f4e36 in sixel_encoder_encode /root/libsixel/src/encoder.c:1743:14
        #4 0x4c5c88 in main /root/libsixel/converters/img2sixel.c:457:22
        #5 0x7fb2403400b2 in __libc_start_main /build/glibc-ZN95T4/glibc-2.31/csu/../csu/libc-start.c:308:16
        #6 0x41c3dd in _start (/root/libsixel/converters/.libs/img2sixel+0x41c3dd)
    
    0x62d000000400 is located 0 bytes inside of 32768-byte region [0x62d000000400,0x62d000008400)
    freed by thread T0 here:
        #0 0x49489d in free (/root/libsixel/converters/.libs/img2sixel+0x49489d)
        #1 0x7fb2407defe9 in load_png /root/libsixel/src/loader.c:633:5
        #2 0x7fb240799a85 in load_with_builtin /root/libsixel/src/loader.c:889:18
        #3 0x7fb240799a85 in sixel_helper_load_image_file /root/libsixel/src/loader.c:1418:18
        #4 0x7fb2407f4e36 in sixel_encoder_encode /root/libsixel/src/encoder.c:1743:14
        #5 0x4c5c88 in main /root/libsixel/converters/img2sixel.c:457:22
        #6 0x7fb2403400b2 in __libc_start_main /build/glibc-ZN95T4/glibc-2.31/csu/../csu/libc-start.c:308:16
    
    previously allocated by thread T0 here:
        #0 0x494b1d in malloc (/root/libsixel/converters/.libs/img2sixel+0x494b1d)
        #1 0x7fb24080df0c in sixel_allocator_malloc /root/libsixel/src/allocator.c:162:12
        #2 0x7fb240797a57 in sixel_helper_load_image_file /root/libsixel/src/loader.c:1375:14
        #3 0x7fb2407f4e36 in sixel_encoder_encode /root/libsixel/src/encoder.c:1743:14
        #4 0x4c5c88 in main /root/libsixel/converters/img2sixel.c:457:22
        #5 0x7fb2403400b2 in __libc_start_main /build/glibc-ZN95T4/glibc-2.31/csu/../csu/libc-start.c:308:16
    
    SUMMARY: AddressSanitizer: double-free (/root/libsixel/converters/.libs/img2sixel+0x49489d) in free
    ==872176==ABORTING

![@chibataiki](https://avatars.githubusercontent.com/u/52232425?s=60&u=b05c72b1731b34a91f1aa94bf4ed3d3532bdd12e&v=4) chibataiki changed the title AddressSanitizer: double-free in in sixel\_chunk\_destroy /root/libsixel/src/chunk.c:107:9 double-free in in sixel\_chunk\_destroy /root/libsixel/src/chunk.c:107:9

Jan 4, 2021

![@chibataiki](https://avatars.githubusercontent.com/u/52232425?s=60&u=b05c72b1731b34a91f1aa94bf4ed3d3532bdd12e&v=4) chibataiki changed the title double-free in in sixel\_chunk\_destroy /root/libsixel/src/chunk.c:107:9 double-free in sixel\_chunk\_destroy /root/libsixel/src/chunk.c:107:9

Jan 18, 2021

![@chibataiki](https://avatars.githubusercontent.com/u/52232425?s=88&u=b05c72b1731b34a91f1aa94bf4ed3d3532bdd12e&v=4)

I cannot reproduce this so i will closed this now

1 participant

![@chibataiki](https://avatars.githubusercontent.com/u/52232425?s=52&v=4)

CVE-2020-36123: double-free in sixel_chunk_destroy /root/libsixel/src/chunk.c:107:9 · Issue #144 · saitoha/libsixel

Null pointer dereference in the htmldoc v1.9.11 and before may allow attackers to execute arbitrary code and cause a denial of service via a crafted html file.

While fuzzing htmldoc I found a segmentation fault in the copy\_image() function, in epub.cxx:1221

testcase:(zipped so GitHub accepts it)  
crash01.html.zip

reproduced by running:

    htmldoc -f demo.epub  crash01.html 
    

htmldoc Version v1.9.11 git \[master 0f9d20\]  
tested on:

OS :Ubuntu 20.04.1 LTS  
kernel: 5.4.0-53-generic  
compiler: clang version 10.0.0-4ubuntu1  
Target: x86\_64-pc-linux-gnu

OS : macOS Catalina 10.15.5(19F101) MacBook Pro (Retina, 13-inch, Early 2015)  
compiler: Apple clang version 11.0.0 (clang-1100.0.33.17)

Install from snap or download mac dmg don't crash for this testcase.

*   addresssanitizer

    ==3252595==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x00000042fc30 bp 0x7ffe6ab48d00 sp 0x7ffe6ab484a0 T0)
    ==3252595==The signal is caused by a READ memory access.
    ==3252595==Hint: address points to the zero page.
        #0 0x42fc30 in strcmp (/home/chiba/check_crash/htmldoc/htmldoc/htmldoc+0x42fc30)
        #1 0x7f70ce1fd7c7 in bsearch /build/glibc-ZN95T4/glibc-2.31/stdlib/../bits/stdlib-bsearch.h:33:23
        #2 0x4c81b0 in copy_image(_zipc_s*, char const*) /home/chiba/check_crash/htmldoc/htmldoc/epub.cxx:1221:25
        #3 0x4c8434 in copy_images(_zipc_s*, tree_str*) /home/chiba/check_crash/htmldoc/htmldoc/epub.cxx:1288:11
        #4 0x4c71c5 in epub_export /home/chiba/check_crash/htmldoc/htmldoc/epub.cxx:211:13
        #5 0x4d0f13 in main /home/chiba/check_crash/htmldoc/htmldoc/htmldoc.cxx:1291:3
        #6 0x7f70ce1dd0b2 in __libc_start_main /build/glibc-ZN95T4/glibc-2.31/csu/../csu/libc-start.c:308:16
        #7 0x41c5fd in _start (/home/chiba/check_crash/htmldoc/htmldoc/htmldoc+0x41c5fd)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV (/home/chiba/check_crash/htmldoc/htmldoc/htmldoc+0x42fc30) in strcmp
    ==3252595==ABORTING
    

*   gdb

    ─[ DISASM ]─
     ► 0x7ffff7de1ed7 <__strcmp_avx2+887>    vmovdqu ymm1, ymmword ptr [rdi + rdx]
       0x7ffff7de1edc <__strcmp_avx2+892>    vpcmpeqb ymm0, ymm1, ymmword ptr [rsi + rdx]
       0x7ffff7de1ee1 <__strcmp_avx2+897>    vpminub ymm0, ymm0, ymm1
       0x7ffff7de1ee5 <__strcmp_avx2+901>    vpcmpeqb ymm0, ymm0, ymm7
       0x7ffff7de1ee9 <__strcmp_avx2+905>    vpmovmskb ecx, ymm0
       0x7ffff7de1eed <__strcmp_avx2+909>    test   ecx, ecx
       0x7ffff7de1eef <__strcmp_avx2+911>    jne    __strcmp_avx2+848 <__strcmp_avx2+848>
        ↓
       0x7ffff7de1eb0 <__strcmp_avx2+848>    add    rdi, rdx
       0x7ffff7de1eb3 <__strcmp_avx2+851>    add    rsi, rdx
       0x7ffff7de1eb6 <__strcmp_avx2+854>    tzcnt  edx, ecx
       0x7ffff7de1eba <__strcmp_avx2+858>    movzx  eax, byte ptr [rdi + rdx]
    ─[ STACK ]──
    00:0000│ rsp  0x7fffffffd948 —▸ 0x7ffff7ca27c8 (bsearch+88) ◂— test   eax, eax
    01:0008│      0x7fffffffd950 —▸ 0x555555aa6bc0 —▸ 0x555555aa6fd0 —▸ 0x7ffff7e47000 (main_arena+1152) —▸ 0x7ffff7e46ff0 (main_arena+1136) ◂— ...
    02:0010│      0x7fffffffd958 ◂— 0x8
    03:0018│      0x7fffffffd960 ◂— 0x0
    04:0020│      0x7fffffffd968 —▸ 0x555555aa8bf0 —▸ 0x555555aa8af0 —▸ 0x555555aa7f40 —▸ 0x555555aa65c0 ◂— ...
    05:0028│      0x7fffffffd970 —▸ 0x555555aa9200 —▸ 0x555555aa6340 ◂— 0x5555fbad2480
    06:0030│      0x7fffffffd978 —▸ 0x555555aa8fe0 ◂— 0x616d693a61746164 ('data:ima')
    07:0038│      0x7fffffffd980 —▸ 0x5555555cd04b ◂— 0x22263e3c00435253 /* 'SRC' */
    
    pwndbg> bt
    #0  __strcmp_avx2 () at ../sysdeps/x86_64/multiarch/strcmp-avx2.S:736
    #1  0x00007ffff7ca27c8 in __GI_bsearch (__key=0x7fffffffd9a0, __base=0x555555aa6bc0, __nmemb=<optimized out>, __size=8, __compar=0x55555555d609 <compare_images(char**, char**)>) at ../bits/stdlib-bsearch.h:33
    #2  0x000055555555d6ed in copy_image (zipc=zipc@entry=0x555555aa9200, filename=filename@entry=0x555555aa8fe0 "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABAAAAAQAQMAAAAlPW0iAAA,BlBMVEUAAAD///+l2Z/dAAAAM0lEQVR4nGP4/5/h/1+G/58ZDrAz3D/McH8yw83NDDeNGe4Ug9CLzwz3gVLMDA/A6P9/#FGGF\207jOXZtQAAAAAElFTkSuQmCC") at epub.cxx:1235
    #3  0x000055555555d81c in copy_images (zipc=zipc@entry=0x555555aa9200, t=0x555555aa8bf0, t@entry=0x555555aa65c0) at epub.cxx:1288
    #4  0x000055555555e813 in epub_export (document=0x555555aa65c0, toc=0x555555aa6760) at epub.cxx:211
    #5  0x000055555555d448 in main (argc=<optimized out>, argc@entry=4, argv=argv@entry=0x7fffffffe4e8) at htmldoc.cxx:1291
    #6  0x00007ffff7c820b3 in __libc_start_main (main=0x55555555af20 <main(int, char**)>, argc=4, argv=0x7fffffffe4e8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe4d8) at ../csu/libc-start.c:308
    #7  0x000055555555d54e in _start () at htmldoc.cxx:1315
    
    

The bug locate in epub.cxx:1221 compare\_images. The arguments of compare\_images didn't checked so strcmp() lead a segfault due to to null pointer.

Reporter: chiba of topsec alphalab

CVE-2021-26948: SEGV on unknown address 0x000000000000   · Issue #410 · michaelrsweet/htmldoc

While fuzzing htmldoc I found a segmentation fault in the copy\_image() function, in epub.cxx:1221

testcase:(zipped so GitHub accepts it)  
crash01.html.zip

reproduced by running:

    htmldoc -f demo.epub  crash01.html 
    

htmldoc Version v1.9.11 git \[master 0f9d20\]  
tested on:

OS :Ubuntu 20.04.1 LTS  
kernel: 5.4.0-53-generic  
compiler: clang version 10.0.0-4ubuntu1  
Target: x86\_64-pc-linux-gnu

OS : macOS Catalina 10.15.5(19F101) MacBook Pro (Retina, 13-inch, Early 2015)  
compiler: Apple clang version 11.0.0 (clang-1100.0.33.17)

Install from snap or download mac dmg don't crash for this testcase.

*   addresssanitizer

    ==3252595==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x00000042fc30 bp 0x7ffe6ab48d00 sp 0x7ffe6ab484a0 T0)
    ==3252595==The signal is caused by a READ memory access.
    ==3252595==Hint: address points to the zero page.
        #0 0x42fc30 in strcmp (/home/chiba/check_crash/htmldoc/htmldoc/htmldoc+0x42fc30)
        #1 0x7f70ce1fd7c7 in bsearch /build/glibc-ZN95T4/glibc-2.31/stdlib/../bits/stdlib-bsearch.h:33:23
        #2 0x4c81b0 in copy_image(_zipc_s*, char const*) /home/chiba/check_crash/htmldoc/htmldoc/epub.cxx:1221:25
        #3 0x4c8434 in copy_images(_zipc_s*, tree_str*) /home/chiba/check_crash/htmldoc/htmldoc/epub.cxx:1288:11
        #4 0x4c71c5 in epub_export /home/chiba/check_crash/htmldoc/htmldoc/epub.cxx:211:13
        #5 0x4d0f13 in main /home/chiba/check_crash/htmldoc/htmldoc/htmldoc.cxx:1291:3
        #6 0x7f70ce1dd0b2 in __libc_start_main /build/glibc-ZN95T4/glibc-2.31/csu/../csu/libc-start.c:308:16
        #7 0x41c5fd in _start (/home/chiba/check_crash/htmldoc/htmldoc/htmldoc+0x41c5fd)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV (/home/chiba/check_crash/htmldoc/htmldoc/htmldoc+0x42fc30) in strcmp
    ==3252595==ABORTING
    

*   gdb

    ─[ DISASM ]─
     ► 0x7ffff7de1ed7 <__strcmp_avx2+887>    vmovdqu ymm1, ymmword ptr [rdi + rdx]
       0x7ffff7de1edc <__strcmp_avx2+892>    vpcmpeqb ymm0, ymm1, ymmword ptr [rsi + rdx]
       0x7ffff7de1ee1 <__strcmp_avx2+897>    vpminub ymm0, ymm0, ymm1
       0x7ffff7de1ee5 <__strcmp_avx2+901>    vpcmpeqb ymm0, ymm0, ymm7
       0x7ffff7de1ee9 <__strcmp_avx2+905>    vpmovmskb ecx, ymm0
       0x7ffff7de1eed <__strcmp_avx2+909>    test   ecx, ecx
       0x7ffff7de1eef <__strcmp_avx2+911>    jne    __strcmp_avx2+848 <__strcmp_avx2+848>
        ↓
       0x7ffff7de1eb0 <__strcmp_avx2+848>    add    rdi, rdx
       0x7ffff7de1eb3 <__strcmp_avx2+851>    add    rsi, rdx
       0x7ffff7de1eb6 <__strcmp_avx2+854>    tzcnt  edx, ecx
       0x7ffff7de1eba <__strcmp_avx2+858>    movzx  eax, byte ptr [rdi + rdx]
    ─[ STACK ]──
    00:0000│ rsp  0x7fffffffd948 —▸ 0x7ffff7ca27c8 (bsearch+88) ◂— test   eax, eax
    01:0008│      0x7fffffffd950 —▸ 0x555555aa6bc0 —▸ 0x555555aa6fd0 —▸ 0x7ffff7e47000 (main_arena+1152) —▸ 0x7ffff7e46ff0 (main_arena+1136) ◂— ...
    02:0010│      0x7fffffffd958 ◂— 0x8
    03:0018│      0x7fffffffd960 ◂— 0x0
    04:0020│      0x7fffffffd968 —▸ 0x555555aa8bf0 —▸ 0x555555aa8af0 —▸ 0x555555aa7f40 —▸ 0x555555aa65c0 ◂— ...
    05:0028│      0x7fffffffd970 —▸ 0x555555aa9200 —▸ 0x555555aa6340 ◂— 0x5555fbad2480
    06:0030│      0x7fffffffd978 —▸ 0x555555aa8fe0 ◂— 0x616d693a61746164 ('data:ima')
    07:0038│      0x7fffffffd980 —▸ 0x5555555cd04b ◂— 0x22263e3c00435253 /* 'SRC' */
    
    pwndbg> bt
    #0  __strcmp_avx2 () at ../sysdeps/x86_64/multiarch/strcmp-avx2.S:736
    #1  0x00007ffff7ca27c8 in __GI_bsearch (__key=0x7fffffffd9a0, __base=0x555555aa6bc0, __nmemb=<optimized out>, __size=8, __compar=0x55555555d609 <compare_images(char**, char**)>) at ../bits/stdlib-bsearch.h:33
    #2  0x000055555555d6ed in copy_image (zipc=zipc@entry=0x555555aa9200, filename=filename@entry=0x555555aa8fe0 "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABAAAAAQAQMAAAAlPW0iAAA,BlBMVEUAAAD///+l2Z/dAAAAM0lEQVR4nGP4/5/h/1+G/58ZDrAz3D/McH8yw83NDDeNGe4Ug9CLzwz3gVLMDA/A6P9/#FGGF\207jOXZtQAAAAAElFTkSuQmCC") at epub.cxx:1235
    #3  0x000055555555d81c in copy_images (zipc=zipc@entry=0x555555aa9200, t=0x555555aa8bf0, t@entry=0x555555aa65c0) at epub.cxx:1288
    #4  0x000055555555e813 in epub_export (document=0x555555aa65c0, toc=0x555555aa6760) at epub.cxx:211
    #5  0x000055555555d448 in main (argc=<optimized out>, argc@entry=4, argv=argv@entry=0x7fffffffe4e8) at htmldoc.cxx:1291
    #6  0x00007ffff7c820b3 in __libc_start_main (main=0x55555555af20 <main(int, char**)>, argc=4, argv=0x7fffffffe4e8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe4d8) at ../csu/libc-start.c:308
    #7  0x000055555555d54e in _start () at htmldoc.cxx:1315
    
    

The bug locate in epub.cxx:1221 compare\_images. The arguments of compare\_images didn't checked so strcmp() lead a segfault due to to null pointer.

A flaw was found in htmldoc in v1.9.12. Heap buffer overflow in render_table_row(),in ps-pdf.cxx may lead to arbitrary code execution and denial of service.

Hello, While fuzzing htmldoc , I found a heap-buffer-overflow in the render\_table\_row() ps-pdf.cxx:6123:34

*   test platform  
    htmldoc Version 1.9.12 git \[master 6898d0a\]  
    OS :Ubuntu 20.04.1 LTS x86\_64  
    kernel: 5.4.0-53-generic  
    compiler: clang version 10.0.0-4ubuntu1  
    reproduced:

htmldoc -f demo.pdf poc7.html  
poc(zipped for update):  
poc7.zip

    =================================================================
    ==38248==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x625000002100 at pc 0x00000059260e bp 0x7fffa3362670 sp 0x7fffa3362668
    READ of size 8 at 0x625000002100 thread T0
        #0 0x59260d in render_table_row(hdtable_t&, tree_str***, int, unsigned char*, float, float, float, float, float*, float*, int*) /home//htmldoc_sani/htmldoc/ps-pdf.cxx:6123:34
        #1 0x588630 in parse_table(tree_str*, float, float, float, float, float*, float*, int*, int) /home//htmldoc_sani/htmldoc/ps-pdf.cxx:7081:5
        #2 0x558013 in parse_doc(tree_str*, float*, float*, float*, float*, float*, float*, int*, tree_str*, int*) /home//htmldoc_sani/htmldoc/ps-pdf.cxx:4167:11
        #3 0x556c54 in parse_doc(tree_str*, float*, float*, float*, float*, float*, float*, int*, tree_str*, int*) /home//htmldoc_sani/htmldoc/ps-pdf.cxx:4081:9
        #4 0x556c54 in parse_doc(tree_str*, float*, float*, float*, float*, float*, float*, int*, tree_str*, int*) /home//htmldoc_sani/htmldoc/ps-pdf.cxx:4081:9
        #5 0x54f90e in pspdf_export /home//htmldoc_sani/htmldoc/ps-pdf.cxx:803:3
        #6 0x53c845 in main /home//htmldoc_sani/htmldoc/htmldoc.cxx:1291:3
        #7 0x7f52a6b3e0b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
        #8 0x41f8bd in _start (/home//htmldoc_sani/htmldoc/htmldoc+0x41f8bd)
    
    0x625000002100 is located 32 bytes to the right of 8160-byte region [0x625000000100,0x6250000020e0)
    allocated by thread T0 here:
        #0 0x4eea4e in realloc /home/goushi/work/libfuzzer-workshop/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:165
        #1 0x55d96b in check_pages(int) /home//htmldoc_sani/htmldoc/ps-pdf.cxx:8804:24
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /home//htmldoc_sani/htmldoc/ps-pdf.cxx:6123:34 in render_table_row(hdtable_t&, tree_str***, int, unsigned char*, float, float, float, float, float*, float*, int*)
    Shadow bytes around the buggy address:
      0x0c4a7fff83d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c4a7fff83e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c4a7fff83f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c4a7fff8400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c4a7fff8410: 00 00 00 00 00 00 00 00 00 00 00 00 fa fa fa fa
    =>0x0c4a7fff8420:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c4a7fff8430: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c4a7fff8440: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c4a7fff8450: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c4a7fff8460: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c4a7fff8470: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==38248==ABORTING
    

    ──── source:ps-pdf.cxx+8754 ────
       8749	         break;
       8750	   }
       8751
       8752	   if (insert)
       8753	   {
     → 8754	     if (insert->prev)
       8755	       insert->prev->next = r;
       8756	     else
       8757	       pages[page].start = r;
       8758
       8759	     r->prev      = insert->prev;
     ─ threads ────
    [#0] Id 1, Name: "htmldoc", stopped 0x415e8c in new_render (), reason: SIGSEGV
    ──  trace ────
    [#0] 0x415e8c → new_render(page=0x14, type=0x2, x=0, y=-6.3660128850113321e+24, width=1.2732025770022664e+25, height=6.3660128850113321e+24, data=0x7fffffff6a40, insert=0x682881c800000000)
    [#1] 0x4267e2 → render_table_row(table=@0x7fffffff6d98, cells=<optimized out>, row=<optimized out>, height_var=<optimized out>, left=0, right=0, bottom=<optimized out>, top=<optimized out>, x=<optimized out>, y=<optimized out>, page=<optimized out>)
    [#2] 0x424519 → parse_table(t=<optimized out>, left=<optimized out>, right=<optimized out>, bottom=<optimized out>, top=<optimized out>, x=<optimized out>, y=<optimized out>, page=<optimized out>, needspace=<optimized out>)
    [#3] 0x4157c0 → parse_doc(t=0x918c20, left=0x7fffffffb6e8, right=0x7fffffffb6e4, bottom=0x7fffffffb6ac, top=<optimized out>, x=<optimized out>, y=0x7fffffffb674, page=0x7fffffffb684, cpara=0x917cc0, needspace=0x7fffffffb6d4)
    [#4] 0x414964 → parse_doc(t=0x918390, left=<optimized out>, right=<optimized out>, bottom=<optimized out>, top=0x7fffffffb69c, x=0x7fffffffb6ec, y=<optimized out>, page=<optimized out>, cpara=<optimized out>, needspace=<optimized out>)
    [#5] 0x414964 → parse_doc(t=0x9171d0, left=<optimized out>, right=<optimized out>, bottom=<optimized out>, top=0x7fffffffb69c, x=0x7fffffffb6ec, y=<optimized out>, page=<optimized out>, cpara=<optimized out>, needspace=<optimized out>)
    [#6] 0x411980 → pspdf_export(document=<optimized out>, toc=<optimized out>)
    [#7] 0x408e89 → main(argc=<optimized out>, argv=<optimized out>)
    ──

CVE-2021-26259: AddressSanitizer: heap-buffer-overflow on  render_table_row()  ps-pdf.cxx:6123:34 · Issue #417 · michaelrsweet/htmldoc

OS4ED openSIS 8.0 is affected by cross-site scripting (XSS) in EmailCheckOthers.php. An attacker can inject JavaScript code to get the user's cookie and take over the working session of user.

**Description**

By injecting Javascript code, an attacker can steal the user's cookie and take over the user's account. This happened because of the lack of security implementation for`type` parameter. This was tested on demo website

**Exploitation**

![Screenshot from 2021-09-05 14-06-22](https://user-images.githubusercontent.com/35491855/132122706-da7fec3a-2b7b-433b-b059-a25f7cf604ae.jpg)

**Injection point:**  
`HTTP://demo/EmailCheckOthers.php?opt=<script>alert(1)</script>&email=asfasf`  
**Request:**

GET /EmailCheckOthers.php?opt=%3Cscript%3Ealert(1)%3C/script%3E&email=asfasf HTTP/1.1
Host: demo.opensis.com
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86\_64; rv:89.0) Gecko/20100101 Firefox/89.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,\*/\*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Cookie: PHPSESSID=iadm2hjbvs4vqmskk07vcpp8n5; miniSidebar=0
Upgrade-Insecure-Requests: 1

**Response:**

HTTP/1.1 200 OK
Date: Sun, 05 Sep 2021 09:57:28 GMT
Server: Apache/2.4.7 (Ubuntu)
X-Powered-By: PHP/5.5.9-1ubuntu4.29
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 6
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html

**Solution:**

Before using any user's input, make sure to verify and sanitize it properly, trust nothing that's sent from the client. In the case of XSS, please consider using `htmlentities()` function to encode the user's input before printing it out to the user's screen

Tag

#ubuntu