Deserialization of Untrusted Data in emlog pro v.2.1.15 and earlier allows a remote attacker to execute arbitrary code via the cache.php component.

CVE-2023-43291: CVE-2023-43291.md

Potential off-by-one buffer overflow vulnerability in the Zephyr fuse file system.




**Summary**

I spotted an off-by-one buffer overflow vulnerability at the following location in the Zephyr FS subsystem source code:  
https://github.com/zephyrproject-rtos/zephyr/blob/main/subsys/fs/fuse\_fs\_access.c

**Details**

If the string passed to the following function via the path parameter is PATH\_MAX chars long (including the NUL terminator), the insecure sprintf() function call marked below writes one NUL byte off the stack variable mount_path:

static int fuse\_fs\_access\_readdir(const char \*path, void \*buf,
			      fuse\_fill\_dir\_t filler, off\_t off,
			      struct fuse\_file\_info \*fi)
{
	struct fs\_dir\_t dir;
	struct fs\_dirent entry;
	int err;
	struct stat stat;

	ARG\_UNUSED(off);
	ARG\_UNUSED(fi);

	if (strcmp(path, "/") \== 0) {
		return fuse\_fs\_access\_readmount(buf, filler);
	}

	fs\_dir\_t\_init(&dir);

	if (is\_mount\_point(path)) {
		/\* File system API expects trailing slash for a mount point
		 \* directory but FUSE strips the trailing slashes from
		 \* directory names so add it back.
		 \*/
		char mount\_path\[PATH\_MAX\];

		sprintf(mount\_path, "%s/", path); /\* VULN \*/
		err \= fs\_opendir(&dir, mount\_path);
	} else {
		err \= fs\_opendir(&dir, path);
	}
...

**PoC**

I haven't tried to reproduce this potential vulnerability against a live install of the Zephyr OS.

**Impact**

If the unchecked input above is attacker-controlled and crosses a security boundary, depending on stack layout, the off-by-one buffer overflow vulnerability could be exploited to cause a denial of service or even achieve arbitrary code execution.

CVE-2023-4260: Off-by-one buffer overflow vulnerability in the Zephyr FS subsystem

Potential buffer overflow vulnerabilities n the Zephyr Bluetooth subsystem.




**Summary**

I spotted a few buffer overflow vulnerabilities at the following locations in the Zephyr Bluetooth subsystem source code:  
https://github.com/zephyrproject-rtos/zephyr/blob/main/subsys/bluetooth/audio/tbs.c  
https://github.com/zephyrproject-rtos/zephyr/blob/main/subsys/bluetooth/audio/shell/mcc.c  
https://github.com/zephyrproject-rtos/zephyr/blob/main/subsys/bluetooth/audio/shell/media\_controller.c  
https://github.com/zephyrproject-rtos/zephyr/blob/main/subsys/bluetooth/host/conn.c  
https://github.com/zephyrproject-rtos/zephyr/blob/main/subsys/bluetooth/mesh/beacon.c  
https://github.com/zephyrproject-rtos/zephyr/blob/main/subsys/bluetooth/mesh/prov\_device.c  
https://github.com/zephyrproject-rtos/zephyr/blob/main/subsys/bluetooth/mesh/provisioner.c  
https://github.com/zephyrproject-rtos/zephyr/blob/main/subsys/bluetooth/mesh/shell/rpr.c

**Details**

Static buffer overflows in /subsys/bluetooth/audio/tbs.c:

int bt\_tbs\_remote\_incoming(uint8\_t bearer\_index, const char \*to,
			   const char \*from, const char \*friendly\_name)
{
	struct tbs\_service\_inst \*inst;
	struct bt\_tbs\_call \*call \= NULL;
	size\_t local\_uri\_ind\_len;
	size\_t remote\_uri\_ind\_len;
	size\_t friend\_name\_ind\_len;
...
	inst \= &svc\_insts\[bearer\_index\];
...
	if (friendly\_name) {
		inst\->friendly\_name.call\_index \= call\->index;
		(void)strcpy(inst\->friendly\_name.uri, friendly\_name); /\* VULN \*/
		friend\_name\_ind\_len \= strlen(from) + 1;
...
	if (IS\_ENABLED(CONFIG\_BT\_GTBS)) {
...
		if (friendly\_name) {
			gtbs\_inst.friendly\_name.call\_index \= call\->index;
			(void)strcpy(gtbs\_inst.friendly\_name.uri, friendly\_name); /\* VULN \*/
			friend\_name\_ind\_len \= strlen(from) + 1;
...

Stack-based buffer overflow in /subsys/bluetooth/audio/shell/mcc.c:

#ifdef CONFIG\_BT\_MCC\_OTS
static int cmd\_mcc\_send\_search\_raw(const struct shell \*sh, size\_t argc,
				   char \*argv\[\])
{
	int result;
	struct mpl\_search search;

	search.len \= strlen(argv\[1\]);
	memcpy(search.search, argv\[1\], search.len); /\* VULN \*/
	LOG\_DBG("Search string: %s", argv\[1\]);

	result \= bt\_mcc\_send\_search(default\_conn, &search);
	if (result) {
		shell\_print(sh, "Fail: %d", result);
	}
	return result;
}

Stack-based buffer overflow in /subsys/bluetooth/audio/shell/media\_controller.c:

#ifdef CONFIG\_BT\_OTS
static int cmd\_media\_set\_search(const struct shell \*sh, size\_t argc, char \*argv\[\])
{
	/\* TODO: Currently takes the raw search as input - add parameters
	 \* and build the search item here
	 \*/

	struct mpl\_search search;
	int err;

	search.len \= strlen(argv\[1\]);
	memcpy(search.search, argv\[1\], search.len); /\* VULN \*/
	LOG\_DBG("Search string: %s", argv\[1\]);

	err \= media\_proxy\_ctrl\_send\_search(current\_player, &search);
	if (err) {
		shell\_error(ctx\_shell, "Search send failed (%d)", err);
	}

	return err;
}

Heap-based buffer overflow in /subsys/bluetooth/host/conn.c:

#if defined(CONFIG\_BT\_SMP)
...
int bt\_conn\_le\_start\_encryption(struct bt\_conn \*conn, uint8\_t rand\[8\],
				uint8\_t ediv\[2\], const uint8\_t \*ltk, size\_t len)
{
	struct bt\_hci\_cp\_le\_start\_encryption \*cp;
	struct net\_buf \*buf;

	buf \= bt\_hci\_cmd\_create(BT\_HCI\_OP\_LE\_START\_ENCRYPTION, sizeof(\*cp));
	if (!buf) {
		return \-ENOBUFS;
	}

	cp \= net\_buf\_add(buf, sizeof(\*cp));
	cp\->handle \= sys\_cpu\_to\_le16(conn\->handle);
	memcpy(&cp\->rand, rand, sizeof(cp\->rand));
	memcpy(&cp\->ediv, ediv, sizeof(cp\->ediv));

	memcpy(cp\->ltk, ltk, len); /\* VULN \*/
	if (len < sizeof(cp\->ltk)) {
		(void)memset(cp\->ltk + len, 0, sizeof(cp\->ltk) \- len);
	}

	return bt\_hci\_cmd\_send\_sync(BT\_HCI\_OP\_LE\_START\_ENCRYPTION, buf, NULL);
}

Ineffective size check due to assert and buffer overflow in /subsys/bluetooth/mesh/beacon.c:

void bt\_mesh\_beacon\_priv\_random\_get(uint8\_t \*random, size\_t size)
{
	\_\_ASSERT(size <= sizeof(priv\_random.val), "Invalid random value size %u", size);
	memcpy(random, priv\_random.val, size); /\* VULN \*/
}

Static buffer overflow in /subsys/bluetooth/mesh/prov\_device.c (conf\_size could be 32 and not 16):

static void prov\_confirm(const uint8\_t \*data)
{
	uint8\_t conf\_size \= bt\_mesh\_prov\_auth\_size\_get();

	LOG\_DBG("Remote Confirm: %s", bt\_hex(data, conf\_size));

	memcpy(bt\_mesh\_prov\_link.conf, data, conf\_size); /\* VULN \*/
	notify\_input\_complete();

	send\_confirm();
}

Static buffer overflow in /subsys/bluetooth/mesh/provisioner.c (conf\_size could be 32 and not 16):

static void prov\_confirm(const uint8\_t \*data)
{
	uint8\_t conf\_size \= bt\_mesh\_prov\_auth\_size\_get();

	LOG\_DBG("Remote Confirm: %s", bt\_hex(data, conf\_size));

	if (!memcmp(data, bt\_mesh\_prov\_link.conf, conf\_size)) {
		LOG\_ERR("Confirm value is identical to ours, rejecting.");
		prov\_fail(PROV\_ERR\_CFM\_FAILED);
		return;
	}

	memcpy(bt\_mesh\_prov\_link.conf, data, conf\_size); /\* VULN \*/

	send\_random();
}

Stack-based buffer overflow in /subsys/bluetooth/mesh/shell/rpr.c:

static void rpr\_scan\_report(struct bt\_mesh\_rpr\_cli \*cli,
			    const struct bt\_mesh\_rpr\_node \*srv,
			    struct bt\_mesh\_rpr\_unprov \*unprov,
			    struct net\_buf\_simple \*adv\_data)
{
	char uuid\_hex\_str\[32 + 1\];

	bin2hex(unprov\->uuid, 16, uuid\_hex\_str, sizeof(uuid\_hex\_str));

	shell\_print(bt\_mesh\_shell\_ctx\_shell,
		    "Server 0x%04x:\\n"
		    "\\tuuid:   %s\\n"
		    "\\tOOB:    0x%04x",
		    srv\->addr, uuid\_hex\_str, unprov\->oob);

	while (adv\_data && adv\_data\->len \> 2) {
		uint8\_t len, type;
		uint8\_t data\[31\];

		len \= net\_buf\_simple\_pull\_u8(adv\_data) \- 1;
		type \= net\_buf\_simple\_pull\_u8(adv\_data);
		memcpy(data, net\_buf\_simple\_pull\_mem(adv\_data, len), len); /\* VULN \*/
		data\[len\] \= '\\0';

		if (type \== BT\_DATA\_URI) {
			shell\_print(bt\_mesh\_shell\_ctx\_shell, "\\tURI:    \\"\\\\x%02x%s\\"",
				    data\[0\], &data\[1\]);
		} else if (type \== BT\_DATA\_NAME\_COMPLETE) {
			shell\_print(bt\_mesh\_shell\_ctx\_shell, "\\tName:   \\"%s\\"", data);
		} else {
			char string\[64 + 1\];

			bin2hex(data, len, string, sizeof(string));
			shell\_print(bt\_mesh\_shell\_ctx\_shell, "\\t0x%02x:  %s", type, string);
		}
	}
}

**PoC**

I haven't tried to reproduce these potential vulnerabilities against a live install of the Zephyr OS.

**Impact**

If the unchecked inputs above are attacker-controlled and cross a security boundary, the impact of the buffer overflow vulnerabilities could range from denial of service to arbitrary code execution.

**Patches**

This has been fixed in:

*   main: #60465

**For more information**

If you have any questions or comments about this advisory:

*   Open an issue in zephyr
*   Email us at Zephyr-vulnerabilities

embargo: 2023-08-19

CVE-2023-4264: Buffer overflow vulnerabilities in the Zephyr Bluetooth subsystem

Possible buffer overflow  in Zephyr mgmt subsystem when asserts are disabled



**Summary**

I spotted a few buffer overflow vulnerabilities at the following locations in the Zephyr Mgmt subsystem source code:  
https://github.com/zephyrproject-rtos/zephyr/blob/main/subsys/mgmt/mcumgr/transport/src/smp.c  
https://github.com/zephyrproject-rtos/zephyr/blob/main/subsys/mgmt/osdp/src/osdp\_cp.c

**Details**

Buffer overflow in /subsys/mgmt/mcumgr/transport/src/smp.c:

void \*smp\_alloc\_rsp(const void \*req, void \*arg)
{
	const struct net\_buf \*req\_nb;
	struct net\_buf \*rsp\_nb;
	struct smp\_transport \*smpt \= arg;

	req\_nb \= req;

	rsp\_nb \= smp\_packet\_alloc();
	if (rsp\_nb \== NULL) {
		return NULL;
	}

	if (smpt\->functions.ud\_copy) {
		smpt\->functions.ud\_copy(rsp\_nb, req\_nb);
	} else {
		memcpy(net\_buf\_user\_data(rsp\_nb),
		       net\_buf\_user\_data((void \*)req\_nb),
		       req\_nb\->user\_data\_size); /\* VULN \*/
	}

	return rsp\_nb;
}

Buffer overflow due to assert in /subsys/mgmt/osdp/src/osdp\_cp.c:

static int cp\_build\_command(struct osdp\_pd \*pd, uint8\_t \*buf, int max\_len)
{
	struct osdp\_cmd \*cmd \= NULL;
	int len \= 0;
	int data\_off \= osdp\_phy\_packet\_get\_data\_offset(pd, buf);
#ifdef CONFIG\_OSDP\_SC\_ENABLED
	uint8\_t \*smb \= osdp\_phy\_packet\_get\_smb(pd, buf);
#endif

	buf += data\_off;
	max\_len \-= data\_off;
	if (max\_len <= 0) {
		return OSDP\_CP\_ERR\_GENERIC;
	}

	switch (pd\->cmd\_id) {
...
	case CMD\_TEXT:
		cmd \= (struct osdp\_cmd \*)pd\->ephemeral\_data;
		assert\_buf\_len(CMD\_TEXT\_LEN + cmd\->text.length, max\_len); /\* VULN: assert \*/
		buf\[len++\] \= pd\->cmd\_id;
		buf\[len++\] \= cmd\->text.reader;
		buf\[len++\] \= cmd\->text.control\_code;
		buf\[len++\] \= cmd\->text.temp\_time;
		buf\[len++\] \= cmd\->text.offset\_row;
		buf\[len++\] \= cmd\->text.offset\_col;
		buf\[len++\] \= cmd\->text.length;
		memcpy(buf + len, cmd\->text.data, cmd\->text.length); /\* VULN: buffer overflow \*/
		len += cmd\->text.length;
		break;

Buffer overflows due to assert in /subsys/mgmt/osdp/src/osdp\_pd.c:

static int pd\_build\_reply(struct osdp\_pd \*pd, uint8\_t \*buf, int max\_len)
{
	int ret \= OSDP\_PD\_ERR\_GENERIC;
	int i, len \= 0;
	struct osdp\_cmd \*cmd;
	struct osdp\_event \*event;
	int data\_off \= osdp\_phy\_packet\_get\_data\_offset(pd, buf);
#ifdef CONFIG\_OSDP\_SC\_ENABLED
	uint8\_t \*smb \= osdp\_phy\_packet\_get\_smb(pd, buf);
#endif
	buf += data\_off;
	max\_len \-= data\_off;

	switch (pd\->reply\_id) {
...
	case REPLY\_KEYPPAD:
		event \= (struct osdp\_event \*)pd\->ephemeral\_data;
		assert\_buf\_len(REPLY\_KEYPAD\_LEN + event\->keypress.length, max\_len); /\* VULN: assert \*/
		buf\[len++\] \= pd\->reply\_id;
		buf\[len++\] \= (uint8\_t)event\->keypress.reader\_no;
		buf\[len++\] \= (uint8\_t)event\->keypress.length;
		memcpy(buf + len, event\->keypress.data, event\->keypress.length); /\* VULN: buffer overflow \*/
		len += event\->keypress.length;
		ret \= OSDP\_PD\_ERR\_NONE;
		break;
	case REPLY\_RAW: {
		int len\_bytes;

		event \= (struct osdp\_event \*)pd\->ephemeral\_data;
		len\_bytes \= (event\->cardread.length + 7) / 8;
		assert\_buf\_len(REPLY\_RAW\_LEN + len\_bytes, max\_len); /\* VULN: assert \*/
		buf\[len++\] \= pd\->reply\_id;
		buf\[len++\] \= (uint8\_t)event\->cardread.reader\_no;
		buf\[len++\] \= (uint8\_t)event\->cardread.format;
		buf\[len++\] \= BYTE\_0(event\->cardread.length);
		buf\[len++\] \= BYTE\_1(event\->cardread.length);
		memcpy(buf + len, event\->cardread.data, len\_bytes); /\* VULN: buffer overflow \*/
		len += len\_bytes;
		ret \= OSDP\_PD\_ERR\_NONE;
		break;
	}
	case REPLY\_FMT:
		event \= (struct osdp\_event \*)pd\->ephemeral\_data;
		assert\_buf\_len(REPLY\_FMT\_LEN + event\->cardread.length, max\_len); /\* VULN: assert \*/
		buf\[len++\] \= pd\->reply\_id;
		buf\[len++\] \= (uint8\_t)event\->cardread.reader\_no;
		buf\[len++\] \= (uint8\_t)event\->cardread.direction;
		buf\[len++\] \= (uint8\_t)event\->cardread.length;
		memcpy(buf + len, event\->cardread.data, event\->cardread.length); /\* VULN: buffer overflow \*/
		len += event\->cardread.length;
		ret \= OSDP\_PD\_ERR\_NONE;
		break;
...

**PoC**

I haven't tried to reproduce these potential vulnerabilities against a live install of the Zephyr OS.

**Impact**

If the unchecked inputs above are attacker-controlled and cross a security boundary, the impact of the buffer overflow vulnerabilities could range from denial of service to arbitrary code execution.

CVE-2023-4262: Buffer overflow vulnerabilities in the Zephyr Mgmt subsystem

GLPI stands for Gestionnaire Libre de Parc Informatique is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. The ITIL actors input field from the Ticket form can be used to perform a SQL injection. Users are advised to upgrade to version 10.0.10. There are no known workarounds for this vulnerability.

Skip to content

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Search code, repositories, users, issues, pull requests...**

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

CVE-2023-42461: SQL injection in ITIL actors

GLPI stands for Gestionnaire Libre de Parc Informatique is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. The document upload process can be diverted to delete some files. Users are advised to upgrade to version 10.0.10. There are no known workarounds for this vulnerability.

CVE-2023-42462: File deletion through document upload process

GLPI stands for Gestionnaire Libre de Parc Informatique is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. The lack of path filtering on the GLPI URL may allow an attacker to transmit a malicious URL of login page that can be used to attempt a phishing attack on user credentials. Users are advised to upgrade to version 10.0.10. There are no known workarounds for this vulnerability.

**Affected versions**

\>= 10.0.8

**Description**

**Impact**

The lack of path filtering on the GLPI URL may allow an attacker to transmit a malicious URL of login page that can be used to attempt a phishing attack on user credentials.

**Patches**

Upgrade to 10.0.10

**For more information**

If you have any questions or comments about this advisory, mail us at glpi-security@ow2.org.

CVE-2023-41888: Phishing through a login page malicious URL

A permissions issue was addressed with improved redaction of sensitive information. This issue is fixed in macOS Sonoma 14. An app may be able to access sensitive user data.

CVE-2023-23495: About the security content of macOS Sonoma 14

A flaw was found in undertow. Servlets annotated with @MultipartConfig may cause an OutOfMemoryError due to large multipart content. This may allow unauthorized users to cause remote Denial of Service (DoS) attack. If the server uses fileSizeThreshold to limit the file size, it's possible to bypass the limit by setting the file name in the request to null.

Issued:

2023-08-31

Updated:

2023-08-31

**RHSA-2023:4918 - Security Advisory**

*   Overview
*   Updated Packages

**Synopsis**

Important: Red Hat Single Sign-On 7.6.5 security update on RHEL 7

**Type/Severity**

Security Advisory: Important

**Red Hat Insights patch analysis**

Identify and remediate systems affected by this advisory.

View affected systems

**Topic**

New Red Hat Single Sign-On 7.6.5 packages are now available for Red Hat Enterprise Linux 7.  

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

**Description**

Red Hat Single Sign-On 7.6 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications.  

This release of Red Hat Single Sign-On 7.6.5 on RHEL 7 serves as a replacement for Red Hat Single Sign-On 7.6.4, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.  

Security Fix(es):  

*   jettison: Uncontrolled Recursion in JSONArray (CVE-2023-1436)
*   jackson-databind: Possible DoS if using JDK serialization to serialize JsonNode (CVE-2021-46877)
*   undertow: OutOfMemoryError due to @MultipartConfig handling (CVE-2023-3223)

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

**Solution**

Before applying this update, make sure all previously released errata  
relevant to your system have been applied.  

For details on how to apply this update, refer to:  

https://access.redhat.com/articles/11258

**Affected Products**

*   Red Hat Single Sign-On 7.6 for RHEL 7 x86\_64

**Fixes**

*   BZ - 2182788 - CVE-2023-1436 jettison: Uncontrolled Recursion in JSONArray
*   BZ - 2185707 - CVE-2021-46877 jackson-databind: Possible DoS if using JDK serialization to serialize JsonNode
*   BZ - 2209689 - CVE-2023-3223 undertow: OutOfMemoryError due to @MultipartConfig handling

**Red Hat Single Sign-On 7.6 for RHEL 7**

SRPM

rh-sso7-keycloak-18.0.9-1.redhat\_00001.1.el7sso.src.rpm

SHA-256: 815b38ee5176e3db39d67d75c58e3da2d2497beb98bf0285571d956ce2f813c2

x86\_64

rh-sso7-keycloak-18.0.9-1.redhat\_00001.1.el7sso.noarch.rpm

SHA-256: 1d66f533b329f7eb6502b3c1883a610f0ba13eb91192a770eebdc588bac5cacb

rh-sso7-keycloak-server-18.0.9-1.redhat\_00001.1.el7sso.noarch.rpm

SHA-256: f74947d427d57dfa47aa747c0a22964487151056b44a88eeeaa7bc8d41d564bd

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

CVE-2023-3223

In Apollo  change requests, comments added by users could contain a javascript URI link that when rendered will result in an XSS that require user interaction.

Source

CVE