Vyper is a Pythonic Smart Contract Language. For the following (probably non-exhaustive) list of expressions, the compiler evaluates the arguments from right to left instead of left to right. `unsafe_add, unsafe_sub, unsafe_mul, unsafe_div, pow_mod256, |, &, ^ (bitwise operators), bitwise_or (deprecated), bitwise_and (deprecated), bitwise_xor (deprecated), raw_call, <, >, <=, >=, ==, !=, in, not in (when lhs and rhs are enums)`. This behaviour becomes a problem when the evaluation of one of the arguments produces side effects that other arguments depend on. The following expressions can produce side-effect: state modifying external call , state modifying internal call, `raw_call`, `pop()` when used on a Dynamic Array stored in the storage, `create_minimal_proxy_to`, `create_copy_of`, `create_from_blueprint`. This issue has not yet been patched. Users are advised to make sure that the arguments of the expression do not produce side effects or, if one does, that no other argument is dependent on those side effects.

**Affected versions**

<=0.3.9

**Impact**

For the following (probably non-exhaustive) list of expressions, the compiler evaluates the arguments from right to left instead of left to right.

    - unsafe_add
    - unsafe_sub
    - unsafe_mul
    - unsafe_div
    - pow_mod256
    - |, &, ^ (bitwise operators)
    - bitwise_or (deprecated)
    - bitwise_and (deprecated)
    - bitwise_xor (deprecated)
    - raw_call
    - <, >, <=, >=, ==, !=
    - in, not in (when lhs and rhs are enums)
    

This behaviour becomes a problem when the evaluation of one of the arguments produces side effects that other arguments depend on. The following expressions can produce side-effect:

*   state modifying external call
*   state modifying internal call
*   raw_call
*   pop() when used on a Dynamic Array stored in the storage
*   create_minimal_proxy_to
*   create_copy_of
*   create_from_blueprint

For example:

f:uint256

@internal
def side\_effect() \-> uint256:
    self.f \= 12
    return 1

@external
def foo() \-> uint256:
    return unsafe\_add(self.f,self.side\_effect()) \# returns 13 instead of 1

a:DynArray\[uint256, 12\]
@external
def bar() \-> bool:
    self.a \= \[1,2,3\]
    return len(self.a) \== self.a.pop() \# return false instead of true

**Patches**

not yet patched, will address in a future release

**Workarounds**

When using expressions from the list above, make sure that the arguments of the expression do not produce side effects or, if one does, that no other argument is dependent on those side effects.

**References**

_Are there any links users can visit to find out more?_

CVE-2023-40015: reversed order of side effects for some operations

Buffer Over-read in GitHub repository gpac/gpac prior to 2.3-DEV.

Expand Up @@ -2077,11 +2077,13 @@ int avi\_parse\_input\_file(avi\_t \*AVI, int getIndex) alBITMAPINFOHEADER bih;  
memcpy(&bih, hdrl\_data + i, sizeof(alBITMAPINFOHEADER)); AVI\->bitmap\_info\_header \= (alBITMAPINFOHEADER \*) gf\_malloc(str2ulong((unsigned char \*)&bih.bi\_size)); bih.bi\_size \= str2ulong((unsigned char \*)&bih.bi\_size);  
if (i + bih.bi\_size \> hdrl\_len) ERR\_EXIT(AVI\_ERR\_READ)  
AVI\->bitmap\_info\_header \= (alBITMAPINFOHEADER \*) gf\_malloc(bih.bi\_size); if (AVI\->bitmap\_info\_header != NULL) memcpy(AVI\->bitmap\_info\_header, hdrl\_data + i, str2ulong((unsigned char \*)&bih.bi\_size)); memcpy(AVI\->bitmap\_info\_header, hdrl\_data + i, bih.bi\_size);  
AVI\->width \= str2ulong(hdrl\_data+i+4); AVI\->height \= str2ulong(hdrl\_data+i+8); Expand Down Expand Up @@ -2154,6 +2156,8 @@ int avi\_parse\_input\_file(avi\_t \*AVI, int getIndex) {  
a \= (char\*)hdrl\_data+i; int avail \= hdrl\_len\-i; if (avail<32) ERR\_EXIT(AVI\_ERR\_READ)  
AVI\->video\_superindex \= (avisuperindex\_chunk \*) gf\_malloc (sizeof (avisuperindex\_chunk)); memset(AVI\->video\_superindex, 0, sizeof (avisuperindex\_chunk)); Expand All @@ -2180,6 +2184,8 @@ int avi\_parse\_input\_file(avi\_t \*AVI, int getIndex) if (AVI\->video\_superindex\->bIndexSubType != 0) { GF\_LOG(GF\_LOG\_ERROR, GF\_LOG\_CONTAINER, ("\[avilib\] Invalid Header, bIndexSubType != 0\\n")); } avail \-= 32; if (avail < AVI\->video\_superindex\->nEntriesInUse\*16) ERR\_EXIT(AVI\_ERR\_READ)  
AVI\->video\_superindex\->aIndex \= (avisuperindex\_entry\*) gf\_malloc (AVI\->video\_superindex\->wLongsPerEntry \* AVI\->video\_superindex\->nEntriesInUse \* sizeof (u32)); Expand Down Expand Up @@ -2221,6 +2227,8 @@ int avi\_parse\_input\_file(avi\_t \*AVI, int getIndex) {  
a \= (char\*) hdrl\_data+i; int avail \= hdrl\_len\-i; if (avail<32) ERR\_EXIT(AVI\_ERR\_READ)  
AVI\->track\[AVI\->aptr\].audio\_superindex \= (avisuperindex\_chunk \*) gf\_malloc (sizeof (avisuperindex\_chunk)); memcpy (AVI\->track\[AVI\->aptr\].audio\_superindex\->fcc, a, 4); Expand All @@ -2247,6 +2255,9 @@ int avi\_parse\_input\_file(avi\_t \*AVI, int getIndex) GF\_LOG(GF\_LOG\_ERROR, GF\_LOG\_CONTAINER, ("\[avilib\] Invalid Header, bIndexSubType != 0\\n")); }  
avail \-= 32; if (avail < AVI\->track\[AVI\->aptr\].audio\_superindex\->nEntriesInUse\*16) ERR\_EXIT(AVI\_ERR\_READ)  
AVI\->track\[AVI\->aptr\].audio\_superindex\->aIndex \= (avisuperindex\_entry\*) gf\_malloc (AVI\->track\[AVI\->aptr\].audio\_superindex\->wLongsPerEntry \* AVI\->track\[AVI\->aptr\].audio\_superindex\->nEntriesInUse \* sizeof (u32)); Expand Down

CVE-2023-4758: fixed #2573 · gpac/gpac@193633b


Dell Alienware Command Center, versions prior to 5.5.51.0, contain a deserialization of untrusted data vulnerability. A local malicious user could potentially send specially crafted requests to the .NET Remoting server to run arbitrary code on the system.



**Impact**

High

**Details**

Dell Technologies recommends all customers consider both the CVSS base score and any relevant temporal and environmental scores that may impact the potential severity associated with a particular security vulnerability.

**Affected Products and Remediation**

Product

Software/Firmware

Affected Versions

Remediated Versions

Link

Alienware Command Center (AWCC)

Software

Versions prior to 5.5.51.0

Version 5.5.51.0 or later

Alienware Command Center for Windows 11 and Windows 10 64-bit

Alienware Command Center Application

Product

Software/Firmware

Affected Versions

Remediated Versions

Link

Alienware Command Center (AWCC)

Software

Versions prior to 5.5.51.0

Version 5.5.51.0 or later

Alienware Command Center for Windows 11 and Windows 10 64-bit

Alienware Command Center Application

**Acknowledgements**

Dell Technologies would like to thank Matt Hand for reporting this issue.  
 

**Revision History**

Revision

Date

Description

1.0

2023-08-30

Initial Release

2.0

2023-08-30

Corrected CVSS score link

3.0

2023-09-01

Corrected Acknowledgements section

**Related Information**

Dell Security Advisories and Notices  
Dell Vulnerability Response Policy  
CVSS Scoring Guide

CVE-2023-28072: DSA-2023-158: Security Update for a Dell Alienware Command Center Vulnerability

Use After Free in GitHub repository vim/vim prior to 9.0.1858.

**Description**

Heap Use After Free in function ins\_compl\_get\_exp at insexpand.c:3846

**vim version**

    git log
    commit 7193323b7796c05573f3aa89d422e848feb3a8dc (HEAD -> master, tag: v9.0.1223, origin/master, origin/HEAD)
    
    

**POC**

    ./vim -u NONE -i NONE -n -m -X -Z -e -s -S ./poc_huaf01_s.dat -c :qa!
    =================================================================
    ==2302704==ERROR: AddressSanitizer: heap-use-after-free on address 0x625000006394 at pc 0x555555d4d2c1 bp 0x7fffffffbcc0 sp 0x7fffffffbcb0
    WRITE of size 4 at 0x625000006394 thread T0
        #0 0x555555d4d2c0 in ins_compl_get_exp /home/fuzz/vim/src/insexpand.c:3846
        #1 0x555555d4fd14 in find_next_completion_match /home/fuzz/vim/src/insexpand.c:4058
        #2 0x555555d510a5 in ins_compl_next /home/fuzz/vim/src/insexpand.c:4160
        #3 0x555555d5bb23 in ins_complete /home/fuzz/vim/src/insexpand.c:5018
        #4 0x5555558d1dc5 in edit /home/fuzz/vim/src/edit.c:1289
        #5 0x555555f87569 in invoke_edit /home/fuzz/vim/src/normal.c:7049
        #6 0x555555f870dd in nv_edit /home/fuzz/vim/src/normal.c:7019
        #7 0x555555f28ab6 in normal_cmd /home/fuzz/vim/src/normal.c:938
        #8 0x555555b1b122 in exec_normal /home/fuzz/vim/src/ex_docmd.c:8887
        #9 0x555555b1aab7 in exec_normal_cmd /home/fuzz/vim/src/ex_docmd.c:8850
        #10 0x555555b199ff in ex_normal /home/fuzz/vim/src/ex_docmd.c:8768
        #11 0x555555abd90f in do_one_cmd /home/fuzz/vim/src/ex_docmd.c:2580
        #12 0x555555aa5e49 in do_cmdline /home/fuzz/vim/src/ex_docmd.c:993
        #13 0x55555633a827 in do_source_ext /home/fuzz/vim/src/scriptfile.c:1672
        #14 0x55555633d026 in do_source /home/fuzz/vim/src/scriptfile.c:1818
        #15 0x555556335719 in cmd_source /home/fuzz/vim/src/scriptfile.c:1163
        #16 0x555556335872 in ex_source /home/fuzz/vim/src/scriptfile.c:1189
        #17 0x555555abd90f in do_one_cmd /home/fuzz/vim/src/ex_docmd.c:2580
        #18 0x555555aa5e49 in do_cmdline /home/fuzz/vim/src/ex_docmd.c:993
        #19 0x555555aa1bbc in do_cmdline_cmd /home/fuzz/vim/src/ex_docmd.c:587
        #20 0x555556adbcd0 in exe_commands /home/fuzz/vim/src/main.c:3146
        #21 0x555556ac5d78 in vim_main2 /home/fuzz/vim/src/main.c:782
        #22 0x555556ac3250 in main /home/fuzz/vim/src/main.c:433
        #23 0x7ffff71f9082 in __libc_start_main ../csu/libc-start.c:308
        #24 0x55555569724d in _start (/home/fuzz/vim/src/vim+0x14324d)
    
    0x625000006394 is located 4756 bytes inside of 9424-byte region [0x625000005100,0x6250000075d0)
    freed by thread T0 here:
        #0 0x7ffff769040f in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:122
        #1 0x555555698b50 in vim_free /home/fuzz/vim/src/alloc.c:615
        #2 0x5555556ec3a1 in free_buffer /home/fuzz/vim/src/buffer.c:984
        #3 0x5555556e9f36 in close_buffer /home/fuzz/vim/src/buffer.c:769
        #4 0x5555556ee794 in empty_curbuf /home/fuzz/vim/src/buffer.c:1246
        #5 0x5555556f1c07 in do_buffer_ext /home/fuzz/vim/src/buffer.c:1439
        #6 0x5555556f5da5 in do_buffer /home/fuzz/vim/src/buffer.c:1652
        #7 0x5555556f5f53 in do_bufdel /home/fuzz/vim/src/buffer.c:1686
        #8 0x555555af1448 in ex_bunload /home/fuzz/vim/src/ex_docmd.c:5543
        #9 0x555555abd90f in do_one_cmd /home/fuzz/vim/src/ex_docmd.c:2580
        #10 0x555555aa5e49 in do_cmdline /home/fuzz/vim/src/ex_docmd.c:993
        #11 0x555556722c9c in call_user_func /home/fuzz/vim/src/userfunc.c:3041
        #12 0x55555672545f in call_user_func_check /home/fuzz/vim/src/userfunc.c:3203
        #13 0x55555672bbf6 in call_func /home/fuzz/vim/src/userfunc.c:3759
        #14 0x555556727e3b in call_callback /home/fuzz/vim/src/userfunc.c:3504
        #15 0x55555653cd8f in find_tagfunc_tags /home/fuzz/vim/src/tag.c:1480
        #16 0x5555565415b9 in findtags_apply_tfu /home/fuzz/vim/src/tag.c:1847
        #17 0x555556552ed2 in find_tags /home/fuzz/vim/src/tag.c:3153
        #18 0x555555d46a70 in get_next_tag_completion /home/fuzz/vim/src/insexpand.c:3400
        #19 0x555555d4b5d2 in get_next_completion_match /home/fuzz/vim/src/insexpand.c:3715
        #20 0x555555d4cbad in ins_compl_get_exp /home/fuzz/vim/src/insexpand.c:3823
        #21 0x555555d4fd14 in find_next_completion_match /home/fuzz/vim/src/insexpand.c:4058
        #22 0x555555d510a5 in ins_compl_next /home/fuzz/vim/src/insexpand.c:4160
        #23 0x555555d5bb23 in ins_complete /home/fuzz/vim/src/insexpand.c:5018
        #24 0x5555558d1dc5 in edit /home/fuzz/vim/src/edit.c:1289
        #25 0x555555f87569 in invoke_edit /home/fuzz/vim/src/normal.c:7049
        #26 0x555555f870dd in nv_edit /home/fuzz/vim/src/normal.c:7019
        #27 0x555555f28ab6 in normal_cmd /home/fuzz/vim/src/normal.c:938
        #28 0x555555b1b122 in exec_normal /home/fuzz/vim/src/ex_docmd.c:8887
        #29 0x555555b1aab7 in exec_normal_cmd /home/fuzz/vim/src/ex_docmd.c:8850
    
    previously allocated by thread T0 here:
        #0 0x7ffff7690808 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
        #1 0x555555697ed6 in lalloc /home/fuzz/vim/src/alloc.c:246
        #2 0x5555556978ce in alloc_clear /home/fuzz/vim/src/alloc.c:177
        #3 0x5555556fcc86 in buflist_new /home/fuzz/vim/src/buffer.c:2156
        #4 0x55555692e35a in win_alloc_firstwin /home/fuzz/vim/src/window.c:4251
        #5 0x55555692da9e in win_alloc_first /home/fuzz/vim/src/window.c:4185
        #6 0x555556ac6cd4 in common_init /home/fuzz/vim/src/main.c:976
        #7 0x555556ac204e in main /home/fuzz/vim/src/main.c:186
        #8 0x7ffff71f9082 in __libc_start_main ../csu/libc-start.c:308
    
    SUMMARY: AddressSanitizer: heap-use-after-free /home/fuzz/vim/src/insexpand.c:3846 in ins_compl_get_exp
    Shadow bytes around the buggy address:
      0x0c4a7fff8c20: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x0c4a7fff8c30: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x0c4a7fff8c40: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x0c4a7fff8c50: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x0c4a7fff8c60: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
    =>0x0c4a7fff8c70: fd fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x0c4a7fff8c80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x0c4a7fff8c90: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x0c4a7fff8ca0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x0c4a7fff8cb0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x0c4a7fff8cc0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==2302704==ABORTING
    
    

poc\_huaf01\_s.dat

**Impact**

This vulnerability is capable of crashing software, modify memory, and possible remote execution.

CVE-2023-4752: Heap Use After Free in function ins_compl_get_exp in vim

Use After Free in GitHub repository vim/vim prior to 9.0.1857.

**Description**

    heap-use-after-free in function bt_quickfix at buffer.c:5770
    

**Vim Version**

    git log
    commit 32ff96ef018eb1a5bea0953648b4892a6ee71658 (HEAD -> master, tag: v9.0.1307, origin/master, origin/HEAD)
    

**Proof of Concept**

    ./vim -u NONE -i NONE -n -m -X -Z -e -s -S bt_quickfix_poc -c :qa!
    =================================================================
    ==693059==ERROR: AddressSanitizer: heap-use-after-free on address 0x625000018438 at pc 0x5643bc7b3ff3 bp 0x7ffd7a50df20 sp 0x7ffd7a50df10
    READ of size 8 at 0x625000018438 thread T0
        #0 0x5643bc7b3ff2 in bt_quickfix /home/limweicheng/Desktop/Fuzz/vim/src/buffer.c:5770
        #1 0x5643bd02b95c in is_qf_win /home/limweicheng/Desktop/Fuzz/vim/src/quickfix.c:4482
        #2 0x5643bd02d0db in qf_find_buf /home/limweicheng/Desktop/Fuzz/vim/src/quickfix.c:4526
        #3 0x5643bd03cd1b in qf_update_buffer /home/limweicheng/Desktop/Fuzz/vim/src/quickfix.c:4579
        #4 0x5643bd074848 in ex_vimgrep /home/limweicheng/Desktop/Fuzz/vim/src/quickfix.c:6495
        #5 0x5643bcb254ff in do_one_cmd /home/limweicheng/Desktop/Fuzz/vim/src/ex_docmd.c:2580
        #6 0x5643bcb254ff in do_cmdline /home/limweicheng/Desktop/Fuzz/vim/src/ex_docmd.c:993
        #7 0x5643bd1fe495 in do_source_ext /home/limweicheng/Desktop/Fuzz/vim/src/scriptfile.c:1759
        #8 0x5643bd20505b in cmd_source /home/limweicheng/Desktop/Fuzz/vim/src/scriptfile.c:1233
        #9 0x5643bcb254ff in do_one_cmd /home/limweicheng/Desktop/Fuzz/vim/src/ex_docmd.c:2580
        #10 0x5643bcb254ff in do_cmdline /home/limweicheng/Desktop/Fuzz/vim/src/ex_docmd.c:993
        #11 0x5643bd1fe495 in do_source_ext /home/limweicheng/Desktop/Fuzz/vim/src/scriptfile.c:1759
        #12 0x5643bd204d60 in do_source /home/limweicheng/Desktop/Fuzz/vim/src/scriptfile.c:1905
        #13 0x5643bd204d60 in cmd_source /home/limweicheng/Desktop/Fuzz/vim/src/scriptfile.c:1250
        #14 0x5643bcb254ff in do_one_cmd /home/limweicheng/Desktop/Fuzz/vim/src/ex_docmd.c:2580
        #15 0x5643bcb254ff in do_cmdline /home/limweicheng/Desktop/Fuzz/vim/src/ex_docmd.c:993
        #16 0x5643bd85e301 in exe_commands /home/limweicheng/Desktop/Fuzz/vim/src/main.c:3146
        #17 0x5643bd85e301 in vim_main2 /home/limweicheng/Desktop/Fuzz/vim/src/main.c:782
        #18 0x5643bc75ae97 in main /home/limweicheng/Desktop/Fuzz/vim/src/main.c:433
        #19 0x7f80b2980d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
        #20 0x7f80b2980e3f in __libc_start_main_impl ../csu/libc-start.c:392
        #21 0x5643bc761b44 in _start (/home/limweicheng/Desktop/Fuzz/vim/src/vim+0x19ab44)
    
    0x625000018438 is located 6968 bytes inside of 9424-byte region [0x625000016900,0x625000018dd0)
    freed by thread T0 here:
        #0 0x7f80b341a517 in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:127
        #1 0x5643bc762def in vim_free /home/limweicheng/Desktop/Fuzz/vim/src/alloc.c:615
    
    previously allocated by thread T0 here:
        #0 0x7f80b341a867 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
        #1 0x5643bc76209a in lalloc /home/limweicheng/Desktop/Fuzz/vim/src/alloc.c:246
    
    SUMMARY: AddressSanitizer: heap-use-after-free /home/limweicheng/Desktop/Fuzz/vim/src/buffer.c:5770 in bt_quickfix
    Shadow bytes around the buggy address:
      0x0c4a7fffb030: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x0c4a7fffb040: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x0c4a7fffb050: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x0c4a7fffb060: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x0c4a7fffb070: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
    =>0x0c4a7fffb080: fd fd fd fd fd fd fd[fd]fd fd fd fd fd fd fd fd
      0x0c4a7fffb090: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x0c4a7fffb0a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x0c4a7fffb0b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x0c4a7fffb0c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x0c4a7fffb0d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:          00
      Partially addressable: 01 02 03 04 05 06 07
      Heap left redzone:    fa
      Freed heap region:    fd
      Stack left redzone:   f1
      Stack mid redzone:    f2
      Stack right redzone:  f3
      Stack after return:   f5
      Stack use after scope:   f8
      Global redzone:       f9
      Global init order:    f6
      Poisoned by user:     f7
      Container overflow:   fc
      Array cookie:         ac
      Intra object redzone: bb
      ASan internal:        fe
      Left alloca redzone:  ca
      Right alloca redzone: cb
      Shadow gap:           cc
    ==693059==ABORTING
    
    

**Impact**

This is capable of causing crashes by using unexpected value, or possible code execution.

CVE-2023-4750: heap-use-after-free in function bt_quickfix in vim

Use After Free in GitHub repository vim/vim prior to 9.0.1840.

**Description**

Heap-use-after-free in function buflist\_altfpos at buffer.c:3703

**Proof of Concept**

    ./vim -u NONE -i NONE -n -m -X -Z -e -s -S ./poc_huaf -c :qa!
    
    ==1404==ERROR: AddressSanitizer: heap-use-after-free on address 0x625000011940 at pc 0x0000004a4dbe bp 0x7ffc6204d090 sp 0x7ffc6204d080
    READ of size 4 at 0x625000011940 thread T0
        #0 0x4a4dbd in buflist_altfpos /home/fuzz/asan_program/vim/src/buffer.c:3703
        #1 0x78a8b7 in do_ecmd /home/fuzz/asan_program/vim/src/ex_cmds.c:2694
        #2 0x457614 in do_argfile /home/fuzz/asan_program/vim/src/arglist.c:738
        #3 0x457614 in ex_rewind /home/fuzz/asan_program/vim/src/arglist.c:649
        #4 0x8047e5 in do_one_cmd /home/fuzz/asan_program/vim/src/ex_docmd.c:2582
        #5 0x80d399 in do_cmdline /home/fuzz/asan_program/vim/src/ex_docmd.c:994
        #6 0xf03484 in do_source_ext /home/fuzz/asan_program/vim/src/scriptfile.c:1760
        #7 0xf21643 in do_source /home/fuzz/asan_program/vim/src/scriptfile.c:1906
        #8 0xf21643 in cmd_source /home/fuzz/asan_program/vim/src/scriptfile.c:1251
        #9 0xf21643 in ex_source /home/fuzz/asan_program/vim/src/scriptfile.c:1277
        #10 0x8047e5 in do_one_cmd /home/fuzz/asan_program/vim/src/ex_docmd.c:2582
        #11 0x80d399 in do_cmdline /home/fuzz/asan_program/vim/src/ex_docmd.c:994
        #12 0x15ec5af in exe_commands /home/fuzz/asan_program/vim/src/main.c:3173
        #13 0x15ec5af in vim_main2 /home/fuzz/asan_program/vim/src/main.c:790
        #14 0x442afa in main /home/fuzz/asan_program/vim/src/main.c:441
        #15 0x7fee94545554 in __libc_start_main (/lib64/libc.so.6+0x22554)
        #16 0x446fde  (/home/fuzz/bug_finder/bug_validate/vimtest1/vim_asan+0x446fde)
    
    0x625000011940 is located 64 bytes inside of 9176-byte region [0x625000011900,0x625000013cd8)
    freed by thread T0 here:
        #0 0x7fee9555c23f in free (/lib64/libasan.so.5+0x10c23f)
        #1 0x47886c in apply_autocmds_group /home/fuzz/asan_program/vim/src/autocmd.c:2385
        #2 0x481acf in apply_autocmds /home/fuzz/asan_program/vim/src/autocmd.c:1780
        #3 0xb0cfda in may_trigger_modechanged /home/fuzz/asan_program/vim/src/misc1.c:2806
        #4 0xbcd17e in end_visual_mode_keep_button /home/fuzz/asan_program/vim/src/normal.c:1165
        #5 0xbcd17e in end_visual_mode /home/fuzz/asan_program/vim/src/normal.c:1120
        #6 0xbcd17e in reset_VIsual /home/fuzz/asan_program/vim/src/normal.c:1190
        #7 0xbcd17e in reset_VIsual /home/fuzz/asan_program/vim/src/normal.c:1186
        #8 0x7899d4 in do_ecmd /home/fuzz/asan_program/vim/src/ex_cmds.c:2653
        #9 0x457614 in do_argfile /home/fuzz/asan_program/vim/src/arglist.c:738
        #10 0x457614 in ex_rewind /home/fuzz/asan_program/vim/src/arglist.c:649
        #11 0x8047e5 in do_one_cmd /home/fuzz/asan_program/vim/src/ex_docmd.c:2582
        #12 0x80d399 in do_cmdline /home/fuzz/asan_program/vim/src/ex_docmd.c:994
        #13 0xf03484 in do_source_ext /home/fuzz/asan_program/vim/src/scriptfile.c:1760
        #14 0xf21643 in do_source /home/fuzz/asan_program/vim/src/scriptfile.c:1906
        #15 0xf21643 in cmd_source /home/fuzz/asan_program/vim/src/scriptfile.c:1251
        #16 0xf21643 in ex_source /home/fuzz/asan_program/vim/src/scriptfile.c:1277
        #17 0x8047e5 in do_one_cmd /home/fuzz/asan_program/vim/src/ex_docmd.c:2582
        #18 0x80d399 in do_cmdline /home/fuzz/asan_program/vim/src/ex_docmd.c:994
        #19 0x15ec5af in exe_commands /home/fuzz/asan_program/vim/src/main.c:3173
        #20 0x15ec5af in vim_main2 /home/fuzz/asan_program/vim/src/main.c:790
        #21 0x442afa in main /home/fuzz/asan_program/vim/src/main.c:441
        #22 0x7fee94545554 in __libc_start_main (/lib64/libc.so.6+0x22554)
    
    previously allocated by thread T0 here:
        #0 0x7fee9555c82e in calloc (/lib64/libasan.so.5+0x10c82e)
        #1 0x447ab4 in lalloc /home/fuzz/asan_program/vim/src/alloc.c:246
        #2 0x447ab4 in alloc_clear /home/fuzz/asan_program/vim/src/alloc.c:177
        #3 0x140d552 in win_alloc /home/fuzz/asan_program/vim/src/window.c:5502
        #4 0x1454b36 in win_split_ins /home/fuzz/asan_program/vim/src/window.c:1187
        #5 0x457164 in do_argfile /home/fuzz/asan_program/vim/src/arglist.c:708
        #6 0x457164 in ex_rewind /home/fuzz/asan_program/vim/src/arglist.c:649
        #7 0x8047e5 in do_one_cmd /home/fuzz/asan_program/vim/src/ex_docmd.c:2582
        #8 0x80d399 in do_cmdline /home/fuzz/asan_program/vim/src/ex_docmd.c:994
        #9 0xf03484 in do_source_ext /home/fuzz/asan_program/vim/src/scriptfile.c:1760
        #10 0xf21643 in do_source /home/fuzz/asan_program/vim/src/scriptfile.c:1906
        #11 0xf21643 in cmd_source /home/fuzz/asan_program/vim/src/scriptfile.c:1251
        #12 0xf21643 in ex_source /home/fuzz/asan_program/vim/src/scriptfile.c:1277
        #13 0x8047e5 in do_one_cmd /home/fuzz/asan_program/vim/src/ex_docmd.c:2582
        #14 0x80d399 in do_cmdline /home/fuzz/asan_program/vim/src/ex_docmd.c:994
        #15 0x15ec5af in exe_commands /home/fuzz/asan_program/vim/src/main.c:3173
        #16 0x15ec5af in vim_main2 /home/fuzz/asan_program/vim/src/main.c:790
        #17 0x442afa in main /home/fuzz/asan_program/vim/src/main.c:441
        #18 0x7fee94545554 in __libc_start_main (/lib64/libc.so.6+0x22554)
    
    SUMMARY: AddressSanitizer: heap-use-after-free /home/fuzz/asan_program/vim/src/buffer.c:3703 in buflist_altfpos
    Shadow bytes around the buggy address:
      0x0c4a7fffa2d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c4a7fffa2e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c4a7fffa2f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c4a7fffa300: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c4a7fffa310: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    =>0x0c4a7fffa320: fd fd fd fd fd fd fd fd[fd]fd fd fd fd fd fd fd
      0x0c4a7fffa330: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x0c4a7fffa340: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x0c4a7fffa350: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x0c4a7fffa360: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x0c4a7fffa370: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==1404==ABORTING
    

here are three different triggering poc : https://github.com/fizz-is-on-the-way/vim/blob/main/poc\_huaf1?raw=true https://github.com/fizz-is-on-the-way/vim/blob/main/poc\_huaf2?raw=true https://github.com/fizz-is-on-the-way/vim/blob/main/poc\_huaf3?raw=true

**Impact**

This vulnerability is capable of crashing software, modify memory, and possible remote execution.

CVE-2023-4733: Heap-use-after-free in function buflist_altfpos in vim in vim

Use After Free in GitHub repository gpac/gpac prior to 2.3-DEV.

**Description**

heap-use-after-free in MP4Box.

**Version**

    $ ./bin/gcc/MP4Box -version
    MP4Box - GPAC version 2.3-DEV-revrelease
    (c) 2000-2023 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
        GPAC Filters: https://doi.org/10.1145/3339825.3394929
        GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --enable-sanitizer
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D
    

**Reproduce**

complie and run

    ./configure --enable-sanitizer
    make
    

**Proof of Concept**

    ./bin/gcc/MP4Box -dash 1000 -out /dev/null ./crash000024
    

POC\_crash000024 is here.

**ASAN**

information reported by sanitizer

    $ ./bin/gcc/MP4Box -dash 1000 ./crash000024
    [Dasher] No template assigned, using $File$_dash$FS$$Number$
    [Dasher] No bitrate property assigned to PID crash000024, computing from bitstream
    [Dasher] No bitrate property assigned to PID crash000024, computing from bitstream
    [RFC6381] Cannot find M4V config, using default mp4v.20
    [Dasher] No bitrate property assigned to PID crash000024, computing from bitstream
    [Dasher] PID crash000024 config changed during active period, forcing period switch
    [MPD] Generating MPD at time 2023-09-01T02:57:51.085Z
    [Dasher] End of Period 
    [MP4Mux] PID has no input packet and configuration not known after 10 retries, aborting initial timing sync
    [Dasher] No bitrate property assigned to PID crash000024, computing from bitstream
    [Dasher] PID crash000024 config changed during active period, forcing period switch
    [MPD] Generating MPD at time 2023-09-01T02:57:51.088Z
    [Dasher] End of Period 
    [RFC6381] Cannot find M4V config, using default mp4v.20
    [Dasher] Representation not initialized, dropping non-SAP1/2 packet CTS 11000/29667
    [Dasher] No bitrate property assigned to PID crash000024, computing from bitstream
    [Dasher] PID crash000024 config changed during active period, forcing period switch
    [MP4Mux] PID has no input packet and configuration not known after 10 retries, aborting initial timing sync
    [MP4Mux] Unable to setup fragmentation for track ID 0: Bad Parameter
    [MPD] Generating MPD at time 2023-09-01T02:57:51.090Z
    [Dasher] End of Period 
    [Dasher] Representation not initialized, dropping non-SAP1/2 packet CTS 12000/29667
    [Dasher] Representation not initialized, dropping non-SAP1/2 packet CTS 13000/29667
    [Dasher] Representation not initialized, dropping non-SAP1/2 packet CTS 14000/29667
    [Dasher] Representation not initialized, dropping non-SAP1/2 packet CTS 15000/29667
    [Dasher] Representation not initialized, dropping non-SAP1/2 packet CTS 16000/29667
    [Dasher] Representation not initialized, dropping non-SAP1/2 packet CTS 17000/29667
    [Dasher] Representation not initialized, dropping non-SAP1/2 packet CTS 18000/29667
    [Dasher] Representation not initialized, dropping non-SAP1/2 packet CTS 19000/29667
    [Dasher] Representation not initialized, dropping non-SAP1/2 packet CTS 20000/29667
    [Dasher] Representation not initialized, dropping non-SAP1/2 packet CTS 21000/29667
    [Dasher] No bitrate property assigned to PID crash000024, computing from bitstream
    [Dasher] PID crash000024 config changed during active period, forcing period switch
    [MPD] Generating MPD at time 2023-09-01T02:57:51.093Z
    [Dasher] End of Period 
    [RFC6381] Cannot find M4V config, using default mp4v.20
    [Dasher] Representation not initialized, dropping non-SAP1/2 packet CTS 22000/29667
    [Dasher] No bitrate property assigned to PID crash000024, computing from bitstream
    =================================================================
    ==416525==ERROR: AddressSanitizer: heap-use-after-free on address 0x617000012b40 at pc 0x7f561b9e449d bp 0x7ffd43a3c280 sp 0x7ffd43a3c270
    READ of size 8 at 0x617000012b40 thread T0
        #0 0x7f561b9e449c in mp4_mux_process_fragmented filters/mux_isom.c:6634
        #1 0x7f561b9e449c in mp4_mux_process filters/mux_isom.c:7207
        #2 0x7f561b66adbe in gf_filter_process_task filter_core/filter.c:2971
        #3 0x7f561b62a0ea in gf_fs_thread_proc filter_core/filter_session.c:1962
        #4 0x7f561b637a56 in gf_fs_run filter_core/filter_session.c:2261
        #5 0x7f561afcd03d in gf_dasher_process media_tools/dash_segmenter.c:1236
        #6 0x55c711eb7c26 in do_dash /home/functionmain/Desktop/gpac-master-asan/applications/mp4box/mp4box.c:4825
        #7 0x55c711eb7c26 in mp4box_main /home/functionmain/Desktop/gpac-master-asan/applications/mp4box/mp4box.c:6239
        #8 0x7f5618279082 in __libc_start_main ../csu/libc-start.c:308
        #9 0x55c711e8ffcd in _start (/home/functionmain/Desktop/gpac-master-asan/bin/gcc/MP4Box+0xa5fcd)
    
    0x617000012b40 is located 320 bytes inside of 672-byte region [0x617000012a00,0x617000012ca0)
    freed by thread T0 here:
        #0 0x7f561e27a40f in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:122
        #1 0x7f561b9d9b86 in mp4_mux_configure_pid filters/mux_isom.c:3994
        #2 0x7f561b5f941e in gf_filter_pid_configure filter_core/filter_pid.c:876
        #3 0x7f561b601505 in gf_filter_pid_disconnect_task filter_core/filter_pid.c:1285
        #4 0x7f561b62a0ea in gf_fs_thread_proc filter_core/filter_session.c:1962
        #5 0x7f561b637a56 in gf_fs_run filter_core/filter_session.c:2261
        #6 0x7f561afcd03d in gf_dasher_process media_tools/dash_segmenter.c:1236
        #7 0x55c711eb7c26 in do_dash /home/functionmain/Desktop/gpac-master-asan/applications/mp4box/mp4box.c:4825
        #8 0x55c711eb7c26 in mp4box_main /home/functionmain/Desktop/gpac-master-asan/applications/mp4box/mp4box.c:6239
        #9 0x7f5618279082 in __libc_start_main ../csu/libc-start.c:308
    
    previously allocated by thread T0 here:
        #0 0x7f561e27a808 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
        #1 0x7f561b9bf53d in mp4_mux_setup_pid filters/mux_isom.c:1078
        #2 0x7f561b5f941e in gf_filter_pid_configure filter_core/filter_pid.c:876
        #3 0x7f561b601dee in gf_filter_pid_connect_task filter_core/filter_pid.c:1230
        #4 0x7f561b62a0ea in gf_fs_thread_proc filter_core/filter_session.c:1962
        #5 0x7f561b637a56 in gf_fs_run filter_core/filter_session.c:2261
        #6 0x7f561afcd03d in gf_dasher_process media_tools/dash_segmenter.c:1236
        #7 0x55c711eb7c26 in do_dash /home/functionmain/Desktop/gpac-master-asan/applications/mp4box/mp4box.c:4825
        #8 0x55c711eb7c26 in mp4box_main /home/functionmain/Desktop/gpac-master-asan/applications/mp4box/mp4box.c:6239
        #9 0x7f5618279082 in __libc_start_main ../csu/libc-start.c:308
    
    SUMMARY: AddressSanitizer: heap-use-after-free filters/mux_isom.c:6634 in mp4_mux_process_fragmented
    Shadow bytes around the buggy address:
      0x0c2e7fffa510: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x0c2e7fffa520: fd fd fd fd fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c2e7fffa530: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c2e7fffa540: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x0c2e7fffa550: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
    =>0x0c2e7fffa560: fd fd fd fd fd fd fd fd[fd]fd fd fd fd fd fd fd
      0x0c2e7fffa570: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x0c2e7fffa580: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x0c2e7fffa590: fd fd fd fd fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c2e7fffa5a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c2e7fffa5b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==416525==ABORTING
    
    

**Impact**

This is capable of causing crashes.

**References**

POC\_crash000024 is here.

**Impact**

This is capable of causing crashes.

CVE-2023-4755: heap-use-after-free in mp4_mux_process_fragmented filters/mux_isom.c:6634 in gpac

Vulnerability in the password recovery mechanism of Password Recovery plugin for Roundcube, in its 1.2 version, which could allow a remote attacker to change an existing user´s password by adding a 6-digit numeric token. An attacker could create an automatic script to test all possible values because the platform has no limit on the number of requests.

Affected Resources

Roundcube Password Recovery Plugin, 1.2 version

Description

INCIBE has coordinated the publication of 2 vulnerabilities in the password recovery plugin for Roundcube, which have been discovered by Pedro José Navas Pérez of Hispasec.

These vulnerabilities have been assigned the following codes, CVSS v3.1 base score, CVSS vector string and the CWE vulnerability type of each vulnerability:

*   **CVE-2023-3221**: CVSS v3.1: 5,3 | CVSS: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N | CWE-204.
*   **CVE-2023-3222**: CVSS v3.1: 7,5 | CVSS: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | CWE-640.

Solution

There is no reported solution at this time.

Detail

**CVE-2023-3221**: user enumeration vulnerability, which could allow a remote attacker to create a test script against the password recovery function to enumerate all users in the database.

**CVE-2023-3222**: vulnerability in the password recovery mechanism, which could allow a remote attacker to change an existing user's password by adding a 6-digit numeric token. An attacker could create an automatic script to test all possible values because the platform has no limit on the number of requests.

CVE-2023-3222: Multiple Vulnerabilities Roundcube Password Recovery Plugin | INCIBE-CERT

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Solwin Infotech Responsive WordPress Slider – Avartan Slider Lite plugin <= 1.5.3 versions.

**Solution**

 No fix

No patched version available.

OZ1NG (TOOR, LISA) discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress Avartan Slider Lite Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has not been known to be fixed yet.

**No other known vulnerabilities for this plugin**Report

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

CVE-2023-30485: WordPress Avartan Slider Lite plugin <= 1.5.3 - Reflected Cross Site Scripting (XSS) vulnerability - Patchstack

The Post Timeline WordPress plugin before 2.2.6 does not sanitise and escape an invalid nonce before outputting it back in an AJAX response, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin

Source

CVE