A global buffer overflow vulnerability in jfif_encode at jfif.c:701 of ffjpeg through 2020-06-22 allows attackers to cause a Denial of Service (DOS) via a crafted jpeg file.

**Describe**

A global-buffer-overflow was discovered in ffjpeg. The issue is being triggered in function jfif\_encode at jfif.c:701

**Reproduce**

Tested in Ubuntu 18.04, 64bit. Compile ffjpeg with address sanitizer as I changed CCFLAGS src/Makefile as:

# ASan
CCFLAGS = -Wall -g -fsanitize=address -fno-omit-frame-pointer -O1

And do this command to reproduce this issue:  
ffjpeg -e $poc  
poc is here

**Expected behavior**

An attacker can exploit this vulnerability by submitting a malicious jpeg that exploits this issue. This will result in a Denial of Service (DoS) and when the application attempts to process the file.

**ASAN Reports**

\==81140==ERROR: AddressSanitizer: global-buffer-overflow on address 0x56063a6c1b92 at pc 0x7f2c96918733 bp 0x7ffe503e7fe0 sp 0x7ffe503e7788
READ of size 272 at 0x56063a6c1b92 thread T0
    #0 0x7f2c96918732  (/usr/lib/x86\_64-linux-gnu/libasan.so.4+0x79732)
    #1 0x56063a6a88e7 in memcpy /usr/include/x86\_64-linux-gnu/bits/string\_fortified.h:34
    #2 0x56063a6a88e7 in jfif\_encode /root/study/ffjpeg/src/jfif.c:701
    #3 0x56063a69b382 in main /root/study/ffjpeg/src/ffjpeg.c:30
    #4 0x7f2c964cfb96 in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x21b96)
    #5 0x56063a69b829 in \_start (/root/study/ffjpeg/test/ffjpeg+0x2829)

0x56063a6c1b92 is located 0 bytes to the right of global variable 'STD\_HUFTAB\_LUMIN\_AC' defined in 'huffman.c:388:12' (0x56063a6c1ae0) of size 178
SUMMARY: AddressSanitizer: global-buffer-overflow (/usr/lib/x86\_64-linux-gnu/libasan.so.4+0x79732) 
Shadow bytes around the buggy address:
  0x0ac1474d0320: 00 00 00 00 00 00 00 00 05 f9 f9 f9 f9 f9 f9 f9
  0x0ac1474d0330: 00 00 00 04 f9 f9 f9 f9 00 00 00 00 00 00 00 00
  0x0ac1474d0340: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 f9
  0x0ac1474d0350: f9 f9 f9 f9 00 00 00 04 f9 f9 f9 f9 00 00 00 00
  0x0ac1474d0360: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=\>0x0ac1474d0370: 00 00\[02\]f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
  0x0ac1474d0380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ac1474d0390: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ac1474d03a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ac1474d03b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ac1474d03c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==81140==ABORTING

CVE-2020-23705: global-buffer-overflow in function jfif_encode at jfif.c:701 · Issue #25 · rockcarry/ffjpeg

A heap buffer overflow vulnerability in Ap4TrunAtom.cpp of Bento 1.5.1-628 may lead to an out-of-bounds write while running mp42aac, leading to system crashes and a denial of service (DOS).

There is a heap buffer overflow in Ap4TrunAtom.cpp when running mp42aac.  
Distributor ID: Ubuntu  
Description: Ubuntu 16.04.6 LTS  
Release: 16.04  
Codename: xenial  
gcc: 5.4.0

To reproduce the bug,  
compile the project with flag  
'-DCMAKE\_C\_FLAGS=-g -m32 -fsanitize=address,undefined'

then run:  
'./mp42aac input /dev/null'

\==147243==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf4208b40 at pc 0x083eb6d5 bp 0xffef35d8 sp 0xffef35c8  
WRITE of size 4 at 0xf4208b40 thread T0  
#0 0x83eb6d4 in AP4\_Array<AP4\_TrunAtom::Entry>::SetItemCount(unsigned int) /mnt/data/playground/mp42-a/Source/C++/Core/Ap4TrunAtom.h:58  
#1 0x83d7d9b in AP4\_TrunAtom::AP4\_TrunAtom(unsigned int, unsigned char, unsigned int, AP4\_ByteStream&) /mnt/data/playground/mp42-a/Source/C++/Core/Ap4TrunAtom.cpp:127  
#2 0x83dde35 in AP4\_TrunAtom::Create(unsigned int, AP4\_ByteStream&) /mnt/data/playground/mp42-a/Source/C++/Core/Ap4TrunAtom.cpp:51  
#3 0x82dd3b4 in AP4\_AtomFactory::CreateAtomFromStream(AP4\_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4\_Atom\*&) /mnt/data/playground/mp42-a/Source/C++/Core/Ap4AtomFactory.cpp:408  
#4 0x8301ca3 in AP4\_AtomFactory::CreateAtomFromStream(AP4\_ByteStream&, unsigned long long&, AP4\_Atom\*&) /mnt/data/playground/mp42-a/Source/C++/Core/Ap4AtomFactory.cpp:225  
#5 0x82b6bae in AP4\_ContainerAtom::ReadChildren(AP4\_AtomFactory&, AP4\_ByteStream&, unsigned long long) /mnt/data/playground/mp42-a/Source/C++/Core/Ap4ContainerAtom.cpp:194  
#6 0x82b6bae in AP4\_ContainerAtom::AP4\_ContainerAtom(unsigned int, unsigned long long, bool, AP4\_ByteStream&, AP4\_AtomFactory&) /mnt/data/playground/mp42-a/Source/C++/Core/Ap4ContainerAtom.cpp:139  
#7 0x841a898 in AP4\_MoovAtom::AP4\_MoovAtom(unsigned int, AP4\_ByteStream&, AP4\_AtomFactory&) /mnt/data/playground/mp42-a/Source/C++/Core/Ap4MoovAtom.cpp:80  
#8 0x82e2631 in AP4\_MoovAtom::Create(unsigned int, AP4\_ByteStream&, AP4\_AtomFactory&) /mnt/data/playground/mp42-a/Source/C++/Core/Ap4MoovAtom.h:56  
#9 0x82e2631 in AP4\_AtomFactory::CreateAtomFromStream(AP4\_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4\_Atom\*&) /mnt/data/playground/mp42-a/Source/C++/Core/Ap4AtomFactory.cpp:363  
#10 0x82fa1f7 in AP4\_AtomFactory::CreateAtomFromStream(AP4\_ByteStream&, unsigned long long&, AP4\_Atom\*&) /mnt/data/playground/mp42-a/Source/C++/Core/Ap4AtomFactory.cpp:225  
#11 0x82fa1f7 in AP4\_AtomFactory::CreateAtomFromStream(AP4\_ByteStream&, AP4\_Atom\*&) /mnt/data/playground/mp42-a/Source/C++/Core/Ap4AtomFactory.cpp:151  
#12 0x809a044 in AP4\_File::ParseStream(AP4\_ByteStream&, AP4\_AtomFactory&, bool) /mnt/data/playground/mp42-a/Source/C++/Core/Ap4File.cpp:104  
#13 0x809a044 in AP4\_File::AP4\_File(AP4\_ByteStream&, bool) /mnt/data/playground/mp42-a/Source/C++/Core/Ap4File.cpp:78  
#14 0x8082ce7 in main /mnt/data/playground/mp42-a/Source/C++/Apps/Mp42Aac/Mp42Aac.cpp:250  
#15 0xf6a26636 in \_\_libc\_start\_main (/lib/i386-linux-gnu/libc.so.6+0x18636)  
#16 0x808df1b (/mnt/data/playground/mp42-patch/Build/mp42aac+0x808df1b)

0xf4208b40 is located 0 bytes to the right of 34624-byte region \[0xf4200400,0xf4208b40)  
allocated by thread T0 here:  
#0 0xf729dcd6 in operator new(unsigned int) (/usr/lib32/libasan.so.2+0x97cd6)  
#1 0x83e9fa7 in AP4\_Array<AP4\_TrunAtom::Entry>::EnsureCapacity(unsigned int) /mnt/data/playground/mp42-a/Source/C++/Core/Ap4Array.h:172  
#2 0x83e9fa7 in AP4\_Array<AP4\_TrunAtom::Entry>::SetItemCount(unsigned int) /mnt/data/playground/mp42-a/Source/C++/Core/Ap4Array.h:210

SUMMARY: AddressSanitizer: heap-buffer-overflow /mnt/data/playground/mp42-a/Source/C++/Core/Ap4TrunAtom.h:58 AP4\_Array<AP4\_TrunAtom::Entry>::SetItemCount(unsigned int)  
Shadow bytes around the buggy address:  
0x3e841110: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x3e841120: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x3e841130: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x3e841140: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x3e841150: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
\=>0x3e841160: 00 00 00 00 00 00 00 00\[fa\]fa fa fa fa fa fa fa  
0x3e841170: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x3e841180: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x3e841190: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x3e8411a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x3e8411b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
Shadow byte legend (one shadow byte represents 8 application bytes):  
Addressable: 00  
Partially addressable: 01 02 03 04 05 06 07  
Heap left redzone: fa  
Heap right redzone: fb  
Freed heap region: fd  
Stack left redzone: f1  
Stack mid redzone: f2  
Stack right redzone: f3  
Stack partial redzone: f4  
Stack after return: f5  
Stack use after scope: f8  
Global redzone: f9  
Global init order: f6  
Poisoned by user: f7  
Container overflow: fc  
Array cookie: ac  
Intra object redzone: bb  
ASan internal: fe  
\==147243==ABORTING

poc\_input5.zip

CVE-2020-19721: Heap buffer overflow in Ap4TrunAtom.cpp when running mp42aac · Issue #415 · axiomatic-systems/Bento4

A buffer overflow vulnerability in the Databuf function in types.cpp of Exiv2 v0.27.1 leads to a denial of service (DOS).

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Assignees

**Comments**

There is a buffer overflow in exiv2 in file types.cpp.

Distributor ID: Ubuntu  
Description: Ubuntu 16.04.6 LTS  
Release: 16.04  
Codename: xenial  
gcc: 5.4.0

The compile command is:  
cmake ./ ;make

To reproduce the issue, run:  
./exiv2 input

Here is the trace reported by asan:

#0 0x7faff55ba631 (/usr/lib/x86\_64-linux-gnu/libasan.so.2+0xa0631)  
#1 0x7faff55bf5e3 in \_\_sanitizer::CheckFailed(char const\*, int, char const\*, unsigned long long, unsigned long long) (/usr/lib/x86\_64-linux-gnu/libasan.so.2+0xa55e3)  
#2 0x7faff5537425 (/usr/lib/x86\_64-linux-gnu/libasan.so.2+0x1d425)  
#3 0x7faff55bd865 (/usr/lib/x86\_64-linux-gnu/libasan.so.2+0xa3865)  
#4 0x7faff553cb4d (/usr/lib/x86\_64-linux-gnu/libasan.so.2+0x22b4d)  
#5 0x7faff55b367e in operator new\[\](unsigned long) (/usr/lib/x86\_64-linux-gnu/libasan.so.2+0x9967e)  
#6 0x7faff0f63d25 in Exiv2::DataBuf::DataBuf(long) /home/heqing/playground/exiv2-0.27.1-Source-a/src/types.cpp:141  
#7 0x7faff0dc8995 in Exiv2::RafImage::readMetadata() /home/heqing/playground/exiv2-0.27.1-Source-a/src/rafimage.cpp:300  
#8 0x77b36d in Action::Print::printSummary() /home/heqing/playground/exiv2-0.27.1-Source-a/src/actions.cpp:286  
#9 0x79935f in Action::Print::run(std::\_\_cxx11::basic\_string<char, std::char\_traits, std::allocator > const&) /home/heqing/playground/exiv2-0.27.1-Source-a/src/actions.cpp:246  
#10 0x410f18 in main /home/heqing/playground/exiv2-0.27.1-Source-a/src/exiv2.cpp:169  
#11 0x7fafecfe282f in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x2082f)  
#12 0x41abb8 in \_start (/home/heqing/playground/exiv2-0.27.1-Source-a/build/bin/exiv2+0x41abb8)

The reason is that DataBuf in types.cpp does not check the malloced buffer is a null pointer or not yet directly use memcpy to write the buffer.  

The attachment is the poc input.  
poc\_input2.zip

Thank you for reporting this.

I am unable to reproduce your report.

I have build 0.27.1-Source on Ubuntu 18.04  
and 0.27.2 (the current release)  
and master (the development branch)

    rmills@rmillsmm-ubuntu:~/gnu/github/exiv2/exiv2-0.27.1-Source/asan_build$ ls -l /media/psf/Home/Downloads/poc_input2
    -rw------- 1 rmills rmills 25 Aug  9 09:45 /media/psf/Home/Downloads/poc_input2
    rmills@rmillsmm-ubuntu:~/gnu/github/exiv2/exiv2-0.27.1-Source/asan_build$ bin/exiv2 /media/psf/Home/Downloads/poc_input2
    Exiv2 exception in print action for file /media/psf/Home/Downloads/poc_input2:
    Failed to read image data
    rmills@rmillsmm-ubuntu:~/gnu/github/exiv2/exiv2-0.27.1-Source/asan_build$ 
    

This one is reproducible on my server with exiv2 0.27.1.

I use  
cmake ../ ; make  
to compile the project.

Maybe this related to the system environment?  
But the reason is that exiv2 try to allocate a very large memory space from the heap, 0xfffffffffffffff4 bytes without prior checking or failure handling.

\==182864==WARNING: AddressSanitizer failed to allocate 0xfffffffffffffff4 bytes  
\==182864==AddressSanitizer's allocator is terminating the process instead of returning 0  
\==182864==If you don't like this behavior set allocator\_may\_return\_null=1  
\==182864==AddressSanitizer CHECK failed: ../../../../src/libsanitizer/sanitizer\_common/sanitizer\_allocator.cc:147 "((0)) != (0)" (0x0, 0x0)  
#0 0x7f02ba1ec631 (/usr/lib/x86\_64-linux-gnu/libasan.so.2+0xa0631)  
#1 0x7f02ba1f15e3 in \_\_sanitizer::CheckFailed(char const\*, int, char const\*, unsigned long long, unsigned long long) (/usr/lib/x86\_64-linux-gnu/libasan.so.2+0xa55e3)  
#2 0x7f02ba169425 (/usr/lib/x86\_64-linux-gnu/libasan.so.2+0x1d425)  
#3 0x7f02ba1ef865 (/usr/lib/x86\_64-linux-gnu/libasan.so.2+0xa3865)  
#4 0x7f02ba16eb4d (/usr/lib/x86\_64-linux-gnu/libasan.so.2+0x22b4d)  
#5 0x7f02ba1e567e in operator new\[\](unsigned long) (/usr/lib/x86\_64-linux-gnu/libasan.so.2+0x9967e)  
#6 0x7f02b5b95d25 in Exiv2::DataBuf::DataBuf(long) /home/heqing/playground/exiv2-0.27.1-Source-a/src/types.cpp:141  
#7 0x7f02b59fa995 in Exiv2::RafImage::readMetadata() /home/heqing/playground/exiv2-0.27.1-Source-a/src/rafimage.cpp:300  
#8 0x77b36d in Action::Print::printSummary() /home/heqing/playground/exiv2-0.27.1-Source-a/src/actions.cpp:286  
#9 0x79935f in Action::Print::run(std::\_\_cxx11::basic\_string<char, std::char\_traits, std::allocator > const&) /home/heqing/playground/exiv2-0.27.1-Source-a/src/actions.cpp:246  
#10 0x410f18 in main /home/heqing/playground/exiv2-0.27.1-Source-a/src/exiv2.cpp:169  
#11 0x7f02b1c1482f in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x2082f)  
#12 0x41abb8 in \_start (/home/heqing/playground/exiv2-0.27.1-Source-a/build/bin/exiv2+0x41abb8)

It cannot produce at the 0.27.2 version with this input, but I have checked the code which is the same to the 0.27.1 version.  
I think the reason is that there are some upper-level check for the file format,  
however, the unhandled exhaustive memory usage can still cause the problem if this part of the code is reached.

Thanks. We're working together.

I've built 0.27.1, 0.27.2 and master without ASAN on Ubuntu and get:  
**0.27.1**

    rmills@rmillsmm-ubuntu:~/gnu/github/exiv2/exiv2-0.27.1-Source/build$ bin/exiv2 --version | head -1
    exiv2 0.27.1
    rmills@rmillsmm-ubuntu:~/gnu/github/exiv2/exiv2-0.27.1-Source/build$ bin/exiv2 /media/psf/Home/Downloads/poc_input2
    Uncaught exception: std::bad_alloc
    

**0.27.2**

    rmills@rmillsmm-ubuntu:~/gnu/github/exiv2/0.27-maintenance/build$ bin/exiv2 --version | head -1
    exiv2 0.27.2
    rmills@rmillsmm-ubuntu:~/gnu/github/exiv2/0.27-maintenance/build$ bin/exiv2 /media/psf/Home/Downloads/poc_input2
    Exiv2 exception in print action for file /media/psf/Home/Downloads/poc_input2:
    Failed to read image data
    rmills@rmillsmm-ubuntu:~/gnu/github/exiv2/0.27-maintenance/build$
    

**master:**

    rmills@rmillsmm-ubuntu:~/gnu/github/exiv2/master/build$ bin/exiv2 --version | head -1
    exiv2 0.27.99.0
    rmills@rmillsmm-ubuntu:~/gnu/github/exiv2/master/build$ bin/exiv2 /media/psf/Home/Downloads/poc_input2
    Exiv2 exception in print action for file /media/psf/Home/Downloads/poc_input2:
    Failed to read image data
    

We added a check a couple of years ago:

    if (alloc_size > file.size() ) throw crazy_alloc;
    

I think poc\_input2 uses a code path that didn't have that test. And it's been fixed in 0.27.2 and master. I'm going to close this issue. However happy to re-open and continue the discussion if you wish.

Thank You very much for looking into this and the other issue you reported earlier. We take security and crashes very seriously. We have quarterly "dot" releases of Exiv2 v0.27 to ensure that fixes can be adopted quickly in the field.

Fixed by commit 109d5df  
Author: Kevin Backhouse kev@semmle.com  
Date: Thu May 16 14:30:12 2019 +0100

    Check bounds of jpg_img_off and jpg_img_len. (#858)

CVE-2020-19716: Buffer overflow caused by exhaustive memory usage  · Issue #980 · Exiv2/exiv2

An exploitable use-after-free vulnerability exists in WebKitGTK browser version 2.30.3 x64. A specially crafted HTML web page can cause a use-after-free condition, resulting in remote code execution. The victim needs to visit a malicious web site to trigger the vulnerability.

CVE-2021-21806: TALOS-2020-1214 || Cisco Talos Intelligence Group

It was discovered that the get_pid_info() function in data/apport did not properly parse the /proc/pid/status file from the kernel.

Vulnerabilities in Apport in ubuntu 20.04/18.04

\=======\=======\=======\=======\=======\=======\======

Author information

\------------------

Itai Greenhut(@Gr33nh4t)

Aleph Research by HCL Appscan

<email address hidden>

SUMMARY

\-------

We found several vulnerabilities in apport program which work on default installations of ubuntu 20.04/18.04.

We were able to chain those vulnerabilities together to get local privilege escalation to root from an unprivileged user.

Issue 1: Bypass drop\_privileges and set Uid and Gid to arbitrary value

\-------\-------\-------\-------\-------\-------\-------\-------\------

real\_uid and real\_gid are set by reading /proc/pid/status file and parsing its content.

"get\_pid\_info" function will iterate through each line and if a line starts with "Uid:" or "Gid:" it takes the first argument in that line and puts it into real\_uid and real\_gid variables.

We were able to bypass this by crashing a process with a file name set to "a\\rUid: 0\\rGid: 0".

When the process crashed, we "injected" those values to /proc/pid/status file (in the Name field), causing apport to never really drop privileges in the function drop\_privileges( real\_uid now is 0 and real\_gid is also 0).

By having full control over real\_uid and real\_gid we were able to bypass the suid check on "write\_user\_coredump" function.

Issue 2: Bypass get\_process\_startime check

\-------\-------\-------\-------\-------\-------\-------\-------\-

Apport checks if the process was replaced after the crash by comparing between apport\_start and process\_start.

process\_start gets the start time of the process by parsing the content of /proc/pid/stat file.

The start time is extracted from the 22 column of the /proc/pid/stat file.

We were able to bypass this check by recycle the pid with a process with " "(space) in its filename, causing get\_process\_starttime to return the wrong value (which is smaller than apport\_start).

Issue 3: delay apport get\_pid\_info by 30 seconds and recycle pid to suid process

\-------\-------\-------\-------\-------\-------\-------\-------\-------\-------\-------\----

We were able to delay apport get\_pid by 30 seconds from the process creation by acquiring the lock file of apport.

We were able to lock the file by creating a fifo file with a predictable name file crash in /var/log, and then create a new instance of apport.

Now when we create another apport instance it will then be locked for 30 seconds before getting a timeout.

We can release the lock file of the first instance by writing to the fifo file.

Exploitation:

\-------\-------\-------\-------\-------\-------\-------\-------\-

Our main goal in the exploitation is to write core file owned by root with our content to an arbitrary directory.

Apport creates a core file in the current directory of the crashed process.

As seen before on other apport exploits, we will create a core file in /etc/logrotate.d/ directory and execute a root shell.

In order to exploit those issues to gain local privilege escalation we need to perform the following steps:

1\. Create unpackaged=true configuration in ~/.conf/apport/settings

2\. mkfifo a predictable file of a decoy process.

3\. Run the decoy process causing the first apport instance to "hang".

4\. Create a symlink to /usr/bin/sudo with the name "a\\rUid: 0\\rGid: 0"

5\. chdir to desired directory.

6\. Create the crash program.

7\. Fork lots of new processes to make the pid wrap to crash\_program\_pid - 1.

8\. Send SIGSEGV to crash the program and trigger an additional apport instance.

9\. Send SIGKILL to terminate the program and release crash\_program\_pid.

10\. Create new process with fork and execve("a/rUid: 0\\rGid: 0"). (The crafted file name)

11\. Release the first process by writing to the fifo file.

The second apport instance will continue with execution and create a core dump in the current directory of the new suid process.

Now we have a root owned core file in desired directory, we can exploit this by having a valid configuration for logrotate inside the core dump and place the core dump inside /etc/logrotate.d/ directory.

CREDITS

\-------\-------\-------\-------\-------\-------\-------\-------\-

Please credit "Itai Greenhut(@Gr33nh4t) from Aleph Research by HCL Appscan" for those issues.

Please note that we follow the community standard of 90 days before public disclosure please coordinate your patch release date with us.

Attaching poc of the exploit, run as follows:  
1\. tar zxvfm exploit.tar.gz  
2\. cd exploit  
3\. ./exploit.sh

Best regards,  
Itai Greenhut  
Aleph Research by HCL Appscan

CVE-2021-25682: Bug #1912326 “Privilege escalation to root with core file dump” : Bugs : apport package : Ubuntu

A null pointer dereference was discovered lzo_decompress_buf in stream.c in Irzip 0.621 which allows an attacker to cause a denial of service (DOS) via a crafted compressed file.

Bug #1893641 reported by Doudou Huang on 2020-08-31

This bug affects 1 person

Affects

Status

Importance

Assigned to

Milestone

lrzip (Ubuntu)

Confirmed

Undecided

Unassigned

**Bug Description**

Hi, there.

There is invalid memory access in lzo\_decompress\_buf, stream.c 589 in the lrzip version 0.621 (newest branch 597be1f).  
According to the trace, it seems to be an incomplete fix of CVE-2017-8845 and CVE-2019-10654.  
System:

DISTRIB\_ID=Ubuntu  
DISTRIB\_RELEASE=16.04  
DISTRIB\_CODENAME=xenial  
DISTRIB\_DESCRIPTION="Ubuntu 16.04.6 LTS"

To reproduce, run:

lrzip -t seg-stream589

This is the output from the terminal:

Decompressing...  
Segmentation fault  
This is the trace reported by ASAN:

\==177389==ERROR: AddressSanitizer: SEGV on unknown address 0x606000010000 (pc 0x7f19986a0144 bp 0x62100001cd54 sp 0x7f1994afed60 T1)  
    #0 0x7f19986a0143 in lzo1x\_decompress (/lib/x86\_64-linux-gnu/liblzo2.so.2+0x13143)  
    #1 0x43faff in lzo\_decompress\_buf ../stream.c:589  
    #2 0x43faff in ucompthread ../stream.c:1529  
    #3 0x7f199804d6b9 in start\_thread (/lib/x86\_64-linux-gnu/libpthread.so.0+0x76b9)  
    #4 0x7f199747f41c in clone (/lib/x86\_64-linux-gnu/libc.so.6+0x10741c)

AddressSanitizer can not provide additional info.  
SUMMARY: AddressSanitizer: SEGV ??:0 lzo1x\_decompress  
Thread T1 created by T0 here:  
    #0 0x7f19988e51e3 in pthread\_create (/usr/lib/x86\_64-linux-gnu/libasan.so.2+0x361e3)  
    #1 0x451505 in create\_pthread ../stream.c:133  
    #2 0x451505 in fill\_buffer ../stream.c:1694  
    #3 0x451505 in read\_stream ../stream.c:1781  
    #4 0x18 (<unknown module>)

\==177389==ABORTING

CVE-2020-25467: Bug #1893641 “segmentation fault in lzo_decompress_buf, stream.c...” : Bugs : lrzip package : Ubuntu

An issue was discovered in the Linux kernel before 5.0.19. The XFRM subsystem has a use-after-free, related to an xfrm_state_fini panic, aka CID-dbb2483b2a46.

CVE-2019-25045

SOGo 2.x before 2.4.1 and 3.x through 5.x before 5.1.1 does not validate the signatures of any SAML assertions it receives. Any actor with network access to the deployment could impersonate users when SAML is the authentication method. (Only versions after 2.0.5a are affected.)

CVE-2021-33054: sogo/CHANGELOG.md at master · inverse-inc/sogo

A Denial of Service vulnerability exists in FFmpeg 4.2 due to a memory leak in the av_dict_set function in dict.c.

**#8315 closed defect (fixed)**

Reported by:

Owned by:

Priority:

minor

Component:

ffmpeg

Version:

git-master

Keywords:

leak

Cc:

Blocked By:

Blocking:

Reproduced by developer:

no

Analyzed by developer:

no

Summary of the bug:  
There're memory leaks detected in av\_dict\_set()  
How to reproduce:  

% ffmpeg\_g -y -i $PoC1 -i $PoC2 -filter\_complex acompressor -target dvd -loglevel 0 -c pcm\_s24le tmp.dnxhd

ffmpeg version N-95464-g7056ddc0e0 Copyright (c) 2000-2019 the FFmpeg developers
built with clang version 6.0.0-1ubuntu2 (tags/RELEASE\_600/final)
configuration: --cc=clang --cxx=clang++ --ld=clang --enable-debug

Here's Valgrind log  

\==36149== HEAP SUMMARY:
==36149==     in use at exit: 1,046 bytes in 61 blocks
==36149==   total heap usage: 643 allocs, 582 frees, 2,630,129 bytes allocated
==36149== 
==36149== 54 (16 direct, 38 indirect) bytes in 1 blocks are definitely lost in loss record 40 of 44
==36149==    at 0x9FE3E76: memalign (in /usr/lib/valgrind/vgpreload\_memcheck-amd64-linux.so)
==36149==    by 0x9FE3F91: posix\_memalign (in /usr/lib/valgrind/vgpreload\_memcheck-amd64-linux.so)
==36149==    by 0x592F079: av\_malloc (mem.c:87)
==36149==    by 0x592F079: av\_mallocz (mem.c:238)
==36149==    by 0x58EA3CC: av\_dict\_set (dict.c:89)
==36149==    by 0x45D36E: new\_output\_stream (ffmpeg\_opt.c:1554)
==36149==    by 0x455A25: new\_audio\_stream (ffmpeg\_opt.c:1860)
==36149==    by 0x4508EC: init\_output\_filter (ffmpeg\_opt.c:2062)
==36149==    by 0x43481F: open\_output\_file (ffmpeg\_opt.c:2187)
==36149==    by 0x42DE5E: open\_files (ffmpeg\_opt.c:3283)
==36149==    by 0x42DC06: ffmpeg\_parse\_options (ffmpeg\_opt.c:3337)
==36149==    by 0x487BB3: main (ffmpeg.c:4862)
==36149== 
==36149== LEAK SUMMARY:
==36149==    definitely lost: 16 bytes in 1 blocks
==36149==    indirectly lost: 38 bytes in 3 blocks
==36149==      possibly lost: 0 bytes in 0 blocks
==36149==    still reachable: 992 bytes in 57 blocks
==36149==         suppressed: 0 bytes in 0 blocks
==36149== Reachable blocks (those to which a pointer was found) are not shown.
==36149== To see them, rerun with: --leak-check=full --show-leak-kinds=all
==36149== 
==36149== For counts of detected and suppressed errors, rerun with: -v
==36149== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)

Please confirm.  
Thanks

CVE-2020-22054: #8315 (memory leaks in av_dict_set()) – FFmpeg

A Denial of Service vulnerability exists in FFmpeg 4.2 due to a memory leak in the wtvfile_open_sector function in wtvdec.c.

**#8314 closed defect (fixed)**

Reported by:

Owned by:

Priority:

normal

Component:

avformat

Version:

git-master

Keywords:

wtv leak

Cc:

Blocked By:

Blocking:

Reproduced by developer:

yes

Analyzed by developer:

no

Summary of the bug:  
There're memory leaks detected in wtvfile\_open\_sector()  
How to reproduce:  

% ffmpeg\_g -i $PoC tmp.lxf

ffmpeg version N-95464-g7056ddc0e0 Copyright (c) 2000-2019 the FFmpeg developers
built with clang version 6.0.0-1ubuntu2 (tags/RELEASE\_600/final)
configuration: --cc=clang --cxx=clang++ --ld=clang --enable-debug

Here's Valgrind log  

\==10445== HEAP SUMMARY:
==10445==     in use at exit: 5,236 bytes in 38 blocks
==10445==   total heap usage: 102 allocs, 64 frees, 79,475 bytes allocated
==10445== 
==10445== 4,412 (264 direct, 4,148 indirect) bytes in 1 blocks are definitely lost in loss record 33 of 33
==10445==    at 0x9FE3E76: memalign (in /usr/lib/valgrind/vgpreload\_memcheck-amd64-linux.so)
==10445==    by 0x9FE3F91: posix\_memalign (in /usr/lib/valgrind/vgpreload\_memcheck-amd64-linux.so)
==10445==    by 0x592EC7D: av\_malloc (mem.c:87)
==10445==    by 0x14731F6: avio\_alloc\_context (aviobuf.c:140)
==10445==    by 0x1AB7BA6: wtvfile\_open\_sector (wtvdec.c:238)
==10445==    by 0x1AB7BA6: wtvfile\_open2 (wtvdec.c:289)
==10445==    by 0x1AB3355: read\_header (wtvdec.c:989)
==10445==    by 0x1A145FC: avformat\_open\_input (utils.c:633)
==10445==    by 0x42FFF7: open\_input\_file (ffmpeg\_opt.c:1105)
==10445==    by 0x42DE5E: open\_files (ffmpeg\_opt.c:3283)
==10445==    by 0x42DB4F: ffmpeg\_parse\_options (ffmpeg\_opt.c:3323)
==10445==    by 0x487BB3: main (ffmpeg.c:4862)
==10445== 
==10445== LEAK SUMMARY:
==10445==    definitely lost: 264 bytes in 1 blocks
==10445==    indirectly lost: 4,148 bytes in 3 blocks
==10445==      possibly lost: 0 bytes in 0 blocks
==10445==    still reachable: 824 bytes in 34 blocks
==10445==         suppressed: 0 bytes in 0 blocks
==10445== Reachable blocks (those to which a pointer was found) are not shown.
==10445== To see them, rerun with: --leak-check=full --show-leak-kinds=all
==10445== 
==10445== For counts of detected and suppressed errors, rerun with: -v
==10445== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)

Please confirm.  
Thanks

Tag

#ubuntu