An issue was discovered in FRRouting FRR through 9.0. bgpd/bgp_packet.c processes NLRIs if the attribute length is zero.

    3  0x00007f423aa42476 in __GI_raise (sig=sig@entry=11) at ../sysdeps/posix/raise.c:26
    4  0x00007f423aef9740 in core_handler (signo=11, siginfo=0x7fffc414deb0, context=<optimized out>) at lib/sigevent.c:246
    5  <signal handler called>
    6  0x0000564dea2fc71e in route_set_aspath_prepend (rule=0x564debd66d50, prefix=0x7fffc414ea30, object=0x7fffc414e400)
        at bgpd/bgp_routemap.c:2258
    7  0x00007f423aeec7e0 in route_map_apply_ext (map=<optimized out>, prefix=prefix@entry=0x7fffc414ea30,
        match_object=match_object@entry=0x7fffc414e400, set_object=set_object@entry=0x7fffc414e400, pref=pref@entry=0x0) at lib/routemap.c:2690
    8  0x0000564dea2d277e in bgp_input_modifier (peer=peer@entry=0x7f4238f59010, p=p@entry=0x7fffc414ea30, attr=attr@entry=0x7fffc414e770,
        afi=afi@entry=AFI_IP, safi=safi@entry=SAFI_UNICAST, rmap_name=rmap_name@entry=0x0, label=0x0, num_labels=0, dest=0x564debdd5130)
        at bgpd/bgp_route.c:1772
    9  0x0000564dea2df762 in bgp_update (peer=peer@entry=0x7f4238f59010, p=p@entry=0x7fffc414ea30, addpath_id=addpath_id@entry=0,
        attr=0x7fffc414eb50, afi=afi@entry=AFI_IP, safi=<optimized out>, safi@entry=SAFI_UNICAST, type=9, sub_type=0, prd=0x0, label=0x0,
        num_labels=0, soft_reconfig=0, evpn=0x0) at bgpd/bgp_route.c:4374
    10 0x0000564dea2e2047 in bgp_nlri_parse_ip (peer=0x7f4238f59010, attr=attr@entry=0x7fffc414eb50, packet=0x7fffc414eaf0)
        at bgpd/bgp_route.c:6249
    11 0x0000564dea2c5a58 in bgp_nlri_parse (peer=peer@entry=0x7f4238f59010, attr=attr@entry=0x7fffc414eb50,
        packet=packet@entry=0x7fffc414eaf0, mp_withdraw=mp_withdraw@entry=false) at bgpd/bgp_packet.c:339
    12 0x0000564dea2c5d66 in bgp_update_receive (peer=peer@entry=0x7f4238f59010, size=size@entry=109) at bgpd/bgp_packet.c:2024
    13 0x0000564dea2c901d in bgp_process_packet (thread=<optimized out>) at bgpd/bgp_packet.c:2933
    14 0x00007f423af0bf71 in event_call (thread=thread@entry=0x7fffc414ee40) at lib/event.c:1995
    15 0x00007f423aebb198 in frr_run (master=0x564deb73c670) at lib/libfrr.c:1213
    16 0x0000564dea261b83 in main (argc=<optimized out>, argv=<optimized out>) at bgpd/bgp_main.c:505
    

    frr version 9.1-dev-MyOwnFRRVersion
    frr defaults traditional
    hostname ip-172-31-13-140
    log file /tmp/debug.log
    log syslog
    service integrated-vtysh-config
    !
    debug bgp keepalives
    debug bgp neighbor-events
    debug bgp updates in
    debug bgp updates out
    !
    router bgp 100
     bgp router-id 9.9.9.9
     no bgp ebgp-requires-policy
     bgp bestpath aigp
     neighbor 172.31.2.47 remote-as 200
     !
     address-family ipv4 unicast
      neighbor 172.31.2.47 default-originate
      neighbor 172.31.2.47 route-map RM_IN in
     exit-address-family
    exit
    !
    route-map RM_IN permit 10
     set as-path prepend 200
    exit
    !
    

The issue is that we try to process NLRIs even if the attribute length is 0.

Later bgp\_update() will handle route-maps and a crash occurs because all the attributes are NULL, including aspath, where we dereference.

A value of 0 indicates that neither the Network Layer  
Reachability Information field nor the Path Attribute field is  
present in this UPDATE message.

But with a fuzzed UPDATE message this can be faked. I think it's reasonable to skip processing NLRIs if both update\_len and attribute\_len are 0.

CVE-2023-41358: bgpd: Do not process NLRIs if the attribute length is zero by ton31337 · Pull Request #14260 · FRRouting/frr

An issue was discovered in FRRouting FRR through 9.0. bgpd/bgp_packet.c can read the initial byte of the ORF header in an ahead-of-stream situation.

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Pick a username

Email Address

Password

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CVE-2023-41360: bgpd: Don't read the first byte of ORF header if we are ahead of stream by ton31337 · Pull Request #14245 · FRRouting/frr

An issue was discovered in FRRouting FRR through 9.0. There is an out-of-bounds read in bgp_attr_aigp_valid in bgpd/bgp_attr.c because there is no check for the availability of two bytes during AIGP validation.

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Conversation 10 Commits 1 Checks 5 Files changed

**Conversation**

Found when fuzzing:

    ==3470861==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xffff77801ef7 at pc 0xaaaaba7b3dbc bp 0xffffcff0e760 sp 0xffffcff0df50
    READ of size 2 at 0xffff77801ef7 thread T0
        0 0xaaaaba7b3db8 in __asan_memcpy (/home/ubuntu/frr_8_5_2/frr_8_5_2_fuzz_clang/bgpd/bgpd+0x363db8) (BuildId: cc710a2356e31c7f4e4a17595b54de82145a6e21)
        1 0xaaaaba81a8ac in ptr_get_be16 /home/ubuntu/frr_8_5_2/frr_8_5_2_fuzz_clang/./lib/stream.h:399:2
        2 0xaaaaba819f2c in bgp_attr_aigp_valid /home/ubuntu/frr_8_5_2/frr_8_5_2_fuzz_clang/bgpd/bgp_attr.c:504:3
        3 0xaaaaba808c20 in bgp_attr_aigp /home/ubuntu/frr_8_5_2/frr_8_5_2_fuzz_clang/bgpd/bgp_attr.c:3275:7
        4 0xaaaaba7ff4e0 in bgp_attr_parse /home/ubuntu/frr_8_5_2/frr_8_5_2_fuzz_clang/bgpd/bgp_attr.c:3678:10
    

Continuous Integration Result: FAILED**Continuous Integration Result: FAILED**

Test incomplete. See below for issues.  
CI System Testrun URL: https://ci1.netdef.org/browse/FRR-PULLREQ2-13630/

This is a comment from an automated CI system.  
For questions and feedback in regards to this CI system, please feel free to email  
Martin Winter - mwinter (at) opensourcerouting.org.

**Get source / Pull Request: Successful****Building Stage: Successful****Basic Tests: Incomplete**Topotests Ubuntu 18.04 arm8 part 6: Failed (click for details) Topotests Ubuntu 18.04 arm8 part 6: No useful log found Topotests Ubuntu 18.04 arm8 part 8: Failed (click for details) Topotests Ubuntu 18.04 arm8 part 8: Unknown Log URL: https://ci1.netdef.org/browse/FRR-PULLREQ2-13630/artifact/TOPO8U18AMD64/TopotestDetails/ Topotests Ubuntu 18.04 arm8 part 8: No useful log found Addresssanitizer topotests part 4: Incomplete (check logs for details) Topotests Ubuntu 18.04 arm8 part 9: Failed (click for details) Topotests Ubuntu 18.04 arm8 part 9: Unknown Log URL: https://ci1.netdef.org/browse/FRR-PULLREQ2-13630/artifact/TOPO9U18ARM8/TopotestDetails/ Topotests Ubuntu 18.04 arm8 part 9: No useful log found Topotests Ubuntu 18.04 i386 part 9: Failed (click for details)

Topology Test Results are at https://ci1.netdef.org/browse/FRR-PULLREQ2-TOPO9U18I386-13630/test

**Topology Tests failed for Topotests Ubuntu 18.04 i386 part 9**  
see full log at https://ci1.netdef.org/browse/FRR-PULLREQ2-13630/artifact/TOPO9U18I386/TopotestLogs/log\_topotests.txt  
Topotests Ubuntu 18.04 i386 part 9: Unknown Log  
URL: https://ci1.netdef.org/browse/FRR-PULLREQ2-13630/artifact/TOPO9U18I386/TopotestDetails/

Successful on other platforms/tests

*   Topotests Ubuntu 18.04 amd64 part 0
*   Topotests Ubuntu 18.04 arm8 part 1
*   Topotests Ubuntu 18.04 amd64 part 7
*   Topotests debian 10 amd64 part 6
*   Addresssanitizer topotests part 3
*   Topotests Ubuntu 18.04 i386 part 5
*   Addresssanitizer topotests part 2
*   Topotests debian 10 amd64 part 5
*   Topotests Ubuntu 18.04 arm8 part 2
*   Addresssanitizer topotests part 9
*   Topotests Ubuntu 18.04 amd64 part 4
*   CentOS 7 rpm pkg check
*   Topotests debian 10 amd64 part 7
*   Topotests Ubuntu 18.04 amd64 part 3
*   Addresssanitizer topotests part 8
*   Topotests Ubuntu 18.04 i386 part 7
*   Topotests Ubuntu 18.04 i386 part 2
*   Ubuntu 18.04 deb pkg check
*   Topotests Ubuntu 18.04 i386 part 0
*   Addresssanitizer topotests part 6
*   Topotests Ubuntu 18.04 amd64 part 1
*   Topotests Ubuntu 18.04 amd64 part 2
*   Topotests Ubuntu 18.04 i386 part 8
*   Topotests Ubuntu 18.04 i386 part 3
*   Addresssanitizer topotests part 0
*   Debian 10 deb pkg check
*   Topotests debian 10 amd64 part 3
*   Topotests debian 10 amd64 part 8
*   Topotests Ubuntu 18.04 amd64 part 6
*   Topotests Ubuntu 18.04 arm8 part 4
*   Debian 9 deb pkg check
*   Topotests Ubuntu 18.04 arm8 part 3
*   Addresssanitizer topotests part 1
*   Topotests debian 10 amd64 part 9
*   Topotests Ubuntu 18.04 i386 part 4
*   Topotests debian 10 amd64 part 4
*   Topotests Ubuntu 18.04 amd64 part 9
*   Topotests Ubuntu 18.04 arm8 part 0
*   Topotests Ubuntu 18.04 arm8 part 7
*   Topotests debian 10 amd64 part 2
*   Topotests Ubuntu 18.04 amd64 part 8
*   Addresssanitizer topotests part 7
*   Static analyzer (clang)
*   Topotests debian 10 amd64 part 0
*   Topotests Ubuntu 18.04 amd64 part 5
*   Ubuntu 20.04 deb pkg check
*   Topotests Ubuntu 18.04 arm8 part 5
*   Addresssanitizer topotests part 5
*   Topotests debian 10 amd64 part 1
*   Topotests Ubuntu 18.04 i386 part 6
*   Topotests Ubuntu 18.04 i386 part 1

Continuous Integration Result: FAILED**Continuous Integration Result: FAILED**

See below for issues.  
CI System Testrun URL: https://ci1.netdef.org/browse/FRR-PULLREQ2-13630/

This is a comment from an automated CI system.  
For questions and feedback in regards to this CI system, please feel free to email  
Martin Winter - mwinter (at) opensourcerouting.org.

**Get source / Pull Request: Successful****Building Stage: Successful****Basic Tests: Failed**Topotests Ubuntu 18.04 arm8 part 6: Failed (click for details) Topotests Ubuntu 18.04 arm8 part 6: Unknown Log URL: https://ci1.netdef.org/browse/FRR-PULLREQ2-13630/artifact/TOPO6U18ARM8/TopotestDetails/ Topotests Ubuntu 18.04 arm8 part 6: No useful log found Topotests Ubuntu 18.04 arm8 part 8: Failed (click for details) Topotests Ubuntu 18.04 arm8 part 8: Unknown Log URL: https://ci1.netdef.org/browse/FRR-PULLREQ2-13630/artifact/TOPO8U18AMD64/TopotestDetails/ Topotests Ubuntu 18.04 arm8 part 8: No useful log found Topotests Ubuntu 18.04 arm8 part 9: Failed (click for details) Topotests Ubuntu 18.04 arm8 part 9: Unknown Log URL: https://ci1.netdef.org/browse/FRR-PULLREQ2-13630/artifact/TOPO9U18ARM8/TopotestDetails/ Topotests Ubuntu 18.04 arm8 part 9: No useful log found Topotests Ubuntu 18.04 i386 part 9: Failed (click for details)

Topology Test Results are at https://ci1.netdef.org/browse/FRR-PULLREQ2-TOPO9U18I386-13630/test

**Topology Tests failed for Topotests Ubuntu 18.04 i386 part 9**  
see full log at https://ci1.netdef.org/browse/FRR-PULLREQ2-13630/artifact/TOPO9U18I386/TopotestLogs/log\_topotests.txt  
Topotests Ubuntu 18.04 i386 part 9: Unknown Log  
URL: https://ci1.netdef.org/browse/FRR-PULLREQ2-13630/artifact/TOPO9U18I386/TopotestDetails/

Successful on other platforms/tests

*   Topotests Ubuntu 18.04 amd64 part 0
*   Topotests Ubuntu 18.04 arm8 part 1
*   Topotests Ubuntu 18.04 amd64 part 7
*   Topotests debian 10 amd64 part 6
*   Addresssanitizer topotests part 3
*   Topotests Ubuntu 18.04 i386 part 5
*   Addresssanitizer topotests part 2
*   Topotests debian 10 amd64 part 5
*   Topotests Ubuntu 18.04 arm8 part 2
*   Addresssanitizer topotests part 9
*   Topotests Ubuntu 18.04 amd64 part 4
*   CentOS 7 rpm pkg check
*   Topotests debian 10 amd64 part 7
*   Topotests Ubuntu 18.04 amd64 part 3
*   Addresssanitizer topotests part 8
*   Topotests Ubuntu 18.04 i386 part 7
*   Topotests Ubuntu 18.04 i386 part 2
*   Ubuntu 18.04 deb pkg check
*   Topotests Ubuntu 18.04 i386 part 0
*   Addresssanitizer topotests part 6
*   Topotests Ubuntu 18.04 amd64 part 1
*   Topotests Ubuntu 18.04 amd64 part 2
*   Topotests Ubuntu 18.04 i386 part 8
*   Topotests Ubuntu 18.04 i386 part 3
*   Addresssanitizer topotests part 0
*   Debian 10 deb pkg check
*   Topotests debian 10 amd64 part 3
*   Topotests debian 10 amd64 part 8
*   Topotests Ubuntu 18.04 amd64 part 6
*   Topotests Ubuntu 18.04 arm8 part 4
*   Addresssanitizer topotests part 4
*   Debian 9 deb pkg check
*   Topotests Ubuntu 18.04 arm8 part 3
*   Addresssanitizer topotests part 1
*   Topotests debian 10 amd64 part 9
*   Topotests Ubuntu 18.04 i386 part 4
*   Topotests debian 10 amd64 part 4
*   Topotests Ubuntu 18.04 amd64 part 9
*   Topotests Ubuntu 18.04 arm8 part 0
*   Topotests Ubuntu 18.04 arm8 part 7
*   Topotests debian 10 amd64 part 2
*   Topotests Ubuntu 18.04 amd64 part 8
*   Addresssanitizer topotests part 7
*   Static analyzer (clang)
*   Topotests debian 10 amd64 part 0
*   Topotests Ubuntu 18.04 amd64 part 5
*   Ubuntu 20.04 deb pkg check
*   Topotests Ubuntu 18.04 arm8 part 5
*   Addresssanitizer topotests part 5
*   Topotests debian 10 amd64 part 1
*   Topotests Ubuntu 18.04 i386 part 6
*   Topotests Ubuntu 18.04 i386 part 1

Continuous Integration Result: FAILED**Continuous Integration Result: FAILED**

Test incomplete. See below for issues.  
CI System Testrun URL: https://ci1.netdef.org/browse/FRR-PULLREQ2-13644/

This is a comment from an automated CI system.  
For questions and feedback in regards to this CI system, please feel free to email  
Martin Winter - mwinter (at) opensourcerouting.org.

**Get source / Pull Request: Successful****Building Stage: Successful****Basic Tests: Incomplete**Addresssanitizer topotests part 4: Incomplete (check logs for details) Successful on other platforms/tests

*   Topotests Ubuntu 18.04 i386 part 6
*   Addresssanitizer topotests part 2
*   Topotests Ubuntu 18.04 amd64 part 5
*   Topotests Ubuntu 18.04 amd64 part 4
*   Topotests Ubuntu 18.04 i386 part 1
*   Addresssanitizer topotests part 9
*   Topotests Ubuntu 18.04 arm8 part 7
*   Topotests debian 10 amd64 part 6
*   Topotests Ubuntu 18.04 arm8 part 6
*   Topotests Ubuntu 18.04 arm8 part 1
*   Topotests Ubuntu 18.04 arm8 part 2
*   Addresssanitizer topotests part 3
*   Topotests Ubuntu 18.04 amd64 part 7
*   Topotests Ubuntu 18.04 i386 part 2
*   Topotests debian 10 amd64 part 5
*   Topotests debian 10 amd64 part 0
*   Topotests Ubuntu 18.04 arm8 part 8
*   Addresssanitizer topotests part 7
*   Topotests Ubuntu 18.04 i386 part 0
*   Topotests debian 10 amd64 part 9
*   Topotests Ubuntu 18.04 i386 part 7
*   Addresssanitizer topotests part 6
*   CentOS 7 rpm pkg check
*   Topotests debian 10 amd64 part 7
*   Topotests Ubuntu 18.04 amd64 part 2
*   Topotests Ubuntu 18.04 amd64 part 3
*   Topotests Ubuntu 18.04 amd64 part 0
*   Topotests debian 10 amd64 part 8
*   Topotests Ubuntu 18.04 arm8 part 4
*   Topotests Ubuntu 18.04 i386 part 5
*   Ubuntu 20.04 deb pkg check
*   Ubuntu 18.04 deb pkg check
*   Topotests Ubuntu 18.04 arm8 part 9
*   Debian 10 deb pkg check
*   Debian 9 deb pkg check
*   Addresssanitizer topotests part 1
*   Topotests Ubuntu 18.04 i386 part 4
*   Topotests Ubuntu 18.04 amd64 part 1
*   Topotests Ubuntu 18.04 i386 part 3
*   Topotests Ubuntu 18.04 i386 part 8
*   Addresssanitizer topotests part 8
*   Topotests Ubuntu 18.04 amd64 part 6
*   Topotests Ubuntu 18.04 amd64 part 9
*   Topotests Ubuntu 18.04 arm8 part 5
*   Addresssanitizer topotests part 5
*   Topotests Ubuntu 18.04 arm8 part 3
*   Topotests debian 10 amd64 part 1
*   Topotests debian 10 amd64 part 4
*   Topotests debian 10 amd64 part 2
*   Topotests Ubuntu 18.04 i386 part 9
*   Topotests Ubuntu 18.04 arm8 part 0
*   Topotests Ubuntu 18.04 amd64 part 8
*   Topotests debian 10 amd64 part 3
*   Addresssanitizer topotests part 0
*   Static analyzer (clang)

Continuous Integration Result: SUCCESSFUL**Continuous Integration Result: SUCCESSFUL**

Congratulations, this patch passed basic tests

Tested-by: NetDEF / OpenSourceRouting.org CI System

CI System Testrun URL: https://ci1.netdef.org/browse/FRR-PULLREQ2-13644/

This is a comment from an automated CI system.  
For questions and feedback in regards to this CI system, please feel free to email  
Martin Winter - mwinter (at) opensourcerouting.org.

… AIGP

Found when fuzzing:

\`\`\`
==3470861==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xffff77801ef7 at pc 0xaaaaba7b3dbc bp 0xffffcff0e760 sp 0xffffcff0df50
READ of size 2 at 0xffff77801ef7 thread T0
    0 0xaaaaba7b3db8 in \_\_asan\_memcpy (/home/ubuntu/frr\_8\_5\_2/frr\_8\_5\_2\_fuzz\_clang/bgpd/bgpd+0x363db8) (BuildId: cc710a2356e31c7f4e4a17595b54de82145a6e21)
    1 0xaaaaba81a8ac in ptr\_get\_be16 /home/ubuntu/frr\_8\_5\_2/frr\_8\_5\_2\_fuzz\_clang/./lib/stream.h:399:2
    2 0xaaaaba819f2c in bgp\_attr\_aigp\_valid /home/ubuntu/frr\_8\_5\_2/frr\_8\_5\_2\_fuzz\_clang/bgpd/bgp\_attr.c:504:3
    3 0xaaaaba808c20 in bgp\_attr\_aigp /home/ubuntu/frr\_8\_5\_2/frr\_8\_5\_2\_fuzz\_clang/bgpd/bgp\_attr.c:3275:7
    4 0xaaaaba7ff4e0 in bgp\_attr\_parse /home/ubuntu/frr\_8\_5\_2/frr\_8\_5\_2\_fuzz\_clang/bgpd/bgp\_attr.c:3678:10
\`\`\`

Reported-by: Iggy Frankovic <iggyfran@amazon.com>
Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>

Continuous Integration Result: FAILED**Continuous Integration Result: FAILED**

Test incomplete. See below for issues.  
CI System Testrun URL: https://ci1.netdef.org/browse/FRR-PULLREQ2-13677/

This is a comment from an automated CI system.  
For questions and feedback in regards to this CI system, please feel free to email  
Martin Winter - mwinter (at) opensourcerouting.org.

**Get source / Pull Request: Successful****Building Stage: Successful****Basic Tests: Incomplete**Addresssanitizer topotests part 4: Incomplete (check logs for details) Topotests Ubuntu 18.04 i386 part 1: Failed (click for details)

Topology Test Results are at https://ci1.netdef.org/browse/FRR-PULLREQ2-TOPO1U18I386-13677/test

**Topology Tests failed for Topotests Ubuntu 18.04 i386 part 1**  
see full log at https://ci1.netdef.org/browse/FRR-PULLREQ2-13677/artifact/TOPO1U18I386/TopotestLogs/log\_topotests.txt  
Topotests Ubuntu 18.04 i386 part 1: Unknown Log  
URL: https://ci1.netdef.org/browse/FRR-PULLREQ2-13677/artifact/TOPO1U18I386/TopotestDetails/

Topotests Ubuntu 18.04 i386 part 9: Failed (click for details)

Topology Test Results are at https://ci1.netdef.org/browse/FRR-PULLREQ2-TOPO9U18I386-13677/test

**Topology Tests failed for Topotests Ubuntu 18.04 i386 part 9**  
see full log at https://ci1.netdef.org/browse/FRR-PULLREQ2-13677/artifact/TOPO9U18I386/TopotestLogs/log\_topotests.txt  
Topotests Ubuntu 18.04 i386 part 9: Unknown Log  
URL: https://ci1.netdef.org/browse/FRR-PULLREQ2-13677/artifact/TOPO9U18I386/TopotestDetails/

Successful on other platforms/tests

*   Topotests Ubuntu 18.04 arm8 part 3
*   Topotests debian 10 amd64 part 9
*   Addresssanitizer topotests part 5
*   Topotests debian 10 amd64 part 4
*   Topotests Ubuntu 18.04 amd64 part 3
*   Topotests Ubuntu 18.04 amd64 part 2
*   Topotests debian 10 amd64 part 8
*   Addresssanitizer topotests part 0
*   Topotests debian 10 amd64 part 3
*   Topotests Ubuntu 18.04 arm8 part 4
*   Addresssanitizer topotests part 2
*   Topotests Ubuntu 18.04 arm8 part 9
*   Ubuntu 20.04 deb pkg check
*   Topotests Ubuntu 18.04 amd64 part 5
*   Topotests Ubuntu 18.04 i386 part 6
*   Debian 10 deb pkg check
*   Topotests Ubuntu 18.04 amd64 part 4
*   Addresssanitizer topotests part 9
*   Topotests Ubuntu 18.04 amd64 part 9
*   Topotests Ubuntu 18.04 arm8 part 7
*   Topotests Ubuntu 18.04 i386 part 8
*   Topotests Ubuntu 18.04 i386 part 3
*   Addresssanitizer topotests part 3
*   Topotests Ubuntu 18.04 arm8 part 2
*   Topotests Ubuntu 18.04 amd64 part 7
*   Topotests debian 10 amd64 part 0
*   Addresssanitizer topotests part 7
*   Topotests Ubuntu 18.04 i386 part 0
*   Addresssanitizer topotests part 6
*   CentOS 7 rpm pkg check
*   Topotests debian 10 amd64 part 1
*   Topotests Ubuntu 18.04 arm8 part 5
*   Topotests debian 10 amd64 part 2
*   Topotests debian 10 amd64 part 7
*   Topotests Ubuntu 18.04 arm8 part 0
*   Topotests Ubuntu 18.04 amd64 part 8
*   Topotests Ubuntu 18.04 amd64 part 0
*   Static analyzer (clang)
*   Topotests Ubuntu 18.04 i386 part 5
*   Ubuntu 18.04 deb pkg check
*   Topotests debian 10 amd64 part 5
*   Debian 9 deb pkg check
*   Addresssanitizer topotests part 1
*   Topotests Ubuntu 18.04 i386 part 4
*   Topotests Ubuntu 18.04 amd64 part 1
*   Topotests debian 10 amd64 part 6
*   Topotests Ubuntu 18.04 arm8 part 1
*   Addresssanitizer topotests part 8
*   Topotests Ubuntu 18.04 arm8 part 6
*   Topotests Ubuntu 18.04 i386 part 7
*   Topotests Ubuntu 18.04 amd64 part 6
*   Topotests Ubuntu 18.04 i386 part 2
*   Topotests Ubuntu 18.04 arm8 part 8

**Continuous Integration Result: SUCCESSFUL**

Congratulations, this patch passed basic tests

Tested-by: NetDEF / OpenSourceRouting.org CI System

CI System Testrun URL: https://ci1.netdef.org/browse/FRR-PULLREQ2-13677/

This is a comment from an automated CI system.  
For questions and feedback in regards to this CI system, please feel free to email  
Martin Winter - mwinter (at) opensourcerouting.org.

 ton31337 deleted the fix/aigp\_validation\_bytes branch

August 24, 2023 11:44

This was referenced

Aug 24, 2023

donaldsharp added a commit that referenced this pull request

Aug 24, 2023

bgpd: Make sure we have enough data to read two bytes when validating AIGP (backport #14232)

donaldsharp added a commit that referenced this pull request

Aug 24, 2023

bgpd: Make sure we have enough data to read two bytes when validating AIGP (backport #14232)

CVE-2023-41359: bgpd: Make sure we have enough data to read two bytes when validating AIGP by ton31337 · Pull Request #14232 · FRRouting/frr

An issue was discovered in FRRouting FRR 9.0. bgpd/bgp_open.c does not check for an overly large length of the rcv software version.

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Pick a username

Email Address

Password

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Merged

donaldsharp merged 1 commit into FRRouting:master from opensourcerouting:fix/software\_version\_capability\_handling\_len

Aug 21, 2023

Merged

**bgpd: Check the length of the rcv software version #14241**

donaldsharp merged 1 commit into FRRouting:master from opensourcerouting:fix/software\_version\_capability\_handling\_len

Aug 21, 2023

+11 −1

Conversation 6 Commits 1 Checks 5 Files changed 1

**Conversation**

Copy link

Member

**

 **ton31337** commented

Aug 20, 2023

**

Make sure we don't exceed the maximum of BGP\_MAX\_SOFT\_VERSION.

The Capability Length SHOULD be no greater than 64.

Reported-by: Iggy Frankovic iggyfran@amazon.com

 frrbot bot added the bgp label

Aug 20, 2023

 github-actions bot added master size/XS labels

Aug 20, 2023

 ton31337 force-pushed the fix/software\_version\_capability\_handling\_len branch from 4ab7b68 to 5e3a269 Compare

August 20, 2023 18:47

 github-actions bot added size/S and removed size/XS labels

Aug 20, 2023

          bgpd: Check the length of the rcv software version
        

          b4d09af
        

Make sure we don't exceed the maximum of BGP\_MAX\_SOFT\_VERSION.

The Capability Length SHOULD be no greater than 64.

Reported-by: Iggy Frankovic <iggyfran@amazon.com>
Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>

 ton31337 force-pushed the fix/software\_version\_capability\_handling\_len branch from 5e3a269 to b4d09af Compare

August 20, 2023 18:48

Copy link

Member Author

**

**ton31337** commented

Aug 20, 2023

**

@Mergifyio backport stable/9.0

mergify\[bot\] reacted with thumbs up emoji

Copy link

**

**mergify bot** commented

Aug 20, 2023

•

edited



**

> backport stable/9.0

**✅ Backports have been created**

*   #14250 bgpd: Check the length of the rcv software version (backport #14241) has been created for branch stable/9.0

 github-actions bot added the backport label

Aug 20, 2023

Copy link

Collaborator

**

**NetDEF-CI** commented

Aug 20, 2023

•

edited



**

Continuous Integration Result: FAILED**Continuous Integration Result: FAILED**

Test incomplete. See below for issues.  
CI System Testrun URL: https://ci1.netdef.org/browse/FRR-PULLREQ2-13678/

This is a comment from an automated CI system.  
For questions and feedback in regards to this CI system, please feel free to email  
Martin Winter - mwinter (at) opensourcerouting.org.

**Get source / Pull Request: Successful****Building Stage: Successful****Basic Tests: Incomplete**Addresssanitizer topotests part 4: Incomplete (check logs for details) Successful on other platforms/tests

*   Topotests Ubuntu 18.04 arm8 part 3
*   Topotests debian 10 amd64 part 9
*   Addresssanitizer topotests part 5
*   Topotests debian 10 amd64 part 4
*   Topotests Ubuntu 18.04 amd64 part 3
*   Topotests Ubuntu 18.04 amd64 part 2
*   Addresssanitizer topotests part 0
*   Topotests debian 10 amd64 part 3
*   Topotests debian 10 amd64 part 8
*   Topotests Ubuntu 18.04 arm8 part 4
*   Topotests Ubuntu 18.04 arm8 part 9
*   Addresssanitizer topotests part 2
*   Topotests Ubuntu 18.04 amd64 part 5
*   Ubuntu 20.04 deb pkg check
*   Topotests Ubuntu 18.04 arm8 part 2
*   Topotests Ubuntu 18.04 i386 part 6
*   Addresssanitizer topotests part 9
*   Topotests Ubuntu 18.04 amd64 part 4
*   Topotests Ubuntu 18.04 i386 part 1
*   Topotests Ubuntu 18.04 amd64 part 9
*   Topotests Ubuntu 18.04 arm8 part 7
*   Topotests Ubuntu 18.04 i386 part 8
*   Topotests Ubuntu 18.04 i386 part 3
*   Topotests Ubuntu 18.04 amd64 part 7
*   Debian 10 deb pkg check
*   Addresssanitizer topotests part 3
*   Addresssanitizer topotests part 7
*   Topotests debian 10 amd64 part 0
*   Topotests Ubuntu 18.04 i386 part 0
*   Addresssanitizer topotests part 6
*   Topotests Ubuntu 18.04 arm8 part 5
*   Topotests debian 10 amd64 part 1
*   CentOS 7 rpm pkg check
*   Topotests debian 10 amd64 part 7
*   Topotests Ubuntu 18.04 amd64 part 0
*   Topotests Ubuntu 18.04 arm8 part 0
*   Topotests Ubuntu 18.04 i386 part 9
*   Topotests Ubuntu 18.04 amd64 part 8
*   Topotests debian 10 amd64 part 2
*   Static analyzer (clang)
*   Topotests Ubuntu 18.04 i386 part 5
*   Ubuntu 18.04 deb pkg check
*   Debian 9 deb pkg check
*   Topotests debian 10 amd64 part 5
*   Addresssanitizer topotests part 1
*   Topotests Ubuntu 18.04 i386 part 4
*   Topotests Ubuntu 18.04 amd64 part 1
*   Topotests Ubuntu 18.04 arm8 part 6
*   Topotests Ubuntu 18.04 arm8 part 1
*   Addresssanitizer topotests part 8
*   Topotests Ubuntu 18.04 i386 part 7
*   Topotests debian 10 amd64 part 6
*   Topotests Ubuntu 18.04 i386 part 2
*   Topotests Ubuntu 18.04 arm8 part 8
*   Topotests Ubuntu 18.04 amd64 part 6

Copy link

Collaborator

**

**NetDEF-CI** commented

Aug 20, 2023

•

edited



**

Continuous Integration Result: FAILED**Continuous Integration Result: FAILED**

Test incomplete. See below for issues.  
CI System Testrun URL: https://ci1.netdef.org/browse/FRR-PULLREQ2-13679/

This is a comment from an automated CI system.  
For questions and feedback in regards to this CI system, please feel free to email  
Martin Winter - mwinter (at) opensourcerouting.org.

**Get source / Pull Request: Successful****Building Stage: Successful****Basic Tests: Incomplete**Addresssanitizer topotests part 4: Incomplete (check logs for details) Successful on other platforms/tests

*   Topotests Ubuntu 18.04 arm8 part 3
*   Topotests debian 10 amd64 part 9
*   Addresssanitizer topotests part 5
*   Topotests debian 10 amd64 part 4
*   Topotests Ubuntu 18.04 amd64 part 3
*   Topotests Ubuntu 18.04 amd64 part 2
*   Addresssanitizer topotests part 0
*   Topotests debian 10 amd64 part 8
*   Topotests debian 10 amd64 part 3
*   Topotests Ubuntu 18.04 arm8 part 4
*   Topotests Ubuntu 18.04 arm8 part 9
*   Topotests Ubuntu 18.04 amd64 part 5
*   Ubuntu 20.04 deb pkg check
*   Topotests Ubuntu 18.04 arm8 part 2
*   Topotests Ubuntu 18.04 i386 part 1
*   Topotests Ubuntu 18.04 i386 part 6
*   Topotests Ubuntu 18.04 amd64 part 4
*   Addresssanitizer topotests part 9
*   Topotests Ubuntu 18.04 amd64 part 9
*   Topotests Ubuntu 18.04 i386 part 3
*   Topotests Ubuntu 18.04 arm8 part 7
*   Topotests Ubuntu 18.04 i386 part 8
*   Addresssanitizer topotests part 3
*   Debian 10 deb pkg check
*   Addresssanitizer topotests part 7
*   Topotests debian 10 amd64 part 0
*   Topotests Ubuntu 18.04 amd64 part 7
*   Addresssanitizer topotests part 6
*   Topotests Ubuntu 18.04 i386 part 0
*   Topotests Ubuntu 18.04 i386 part 5
*   Topotests debian 10 amd64 part 1
*   Topotests Ubuntu 18.04 arm8 part 5
*   CentOS 7 rpm pkg check
*   Topotests Ubuntu 18.04 arm8 part 0
*   Topotests Ubuntu 18.04 amd64 part 0
*   Topotests Ubuntu 18.04 i386 part 9
*   Topotests debian 10 amd64 part 2
*   Topotests Ubuntu 18.04 amd64 part 8
*   Static analyzer (clang)
*   Addresssanitizer topotests part 2
*   Debian 9 deb pkg check
*   Topotests Ubuntu 18.04 amd64 part 1
*   Topotests debian 10 amd64 part 5
*   Ubuntu 18.04 deb pkg check
*   Addresssanitizer topotests part 1
*   Topotests Ubuntu 18.04 i386 part 4
*   Topotests debian 10 amd64 part 7
*   Topotests Ubuntu 18.04 arm8 part 6
*   Addresssanitizer topotests part 8
*   Topotests debian 10 amd64 part 6
*   Topotests Ubuntu 18.04 arm8 part 1
*   Topotests Ubuntu 18.04 i386 part 7
*   Topotests Ubuntu 18.04 amd64 part 6
*   Topotests Ubuntu 18.04 i386 part 2
*   Topotests Ubuntu 18.04 arm8 part 8

Copy link

Collaborator

**

**NetDEF-CI** commented

Aug 20, 2023

•

edited



**

Continuous Integration Result: FAILED**Continuous Integration Result: FAILED**

Test incomplete. See below for issues.  
CI System Testrun URL: https://ci1.netdef.org/browse/FRR-PULLREQ2-13680/

This is a comment from an automated CI system.  
For questions and feedback in regards to this CI system, please feel free to email  
Martin Winter - mwinter (at) opensourcerouting.org.

**Get source / Pull Request: Successful****Building Stage: Successful****Basic Tests: Incomplete**Addresssanitizer topotests part 4: Incomplete (check logs for details) Topotests Ubuntu 18.04 i386 part 3: Failed (click for details) Topotests Ubuntu 18.04 i386 part 3: Unknown Log URL: https://ci1.netdef.org/browse/FRR-PULLREQ2-13680/artifact/TOPO3U18I386/TopotestDetails/

Topology Test Results are at https://ci1.netdef.org/browse/FRR-PULLREQ2-TOPO3U18I386-13680/test

**Topology Tests failed for Topotests Ubuntu 18.04 i386 part 3**  
see full log at https://ci1.netdef.org/browse/FRR-PULLREQ2-13680/artifact/TOPO3U18I386/TopotestLogs/log\_topotests.txt

Topotests Ubuntu 18.04 i386 part 9: Failed (click for details)

Topology Test Results are at https://ci1.netdef.org/browse/FRR-PULLREQ2-TOPO9U18I386-13680/test

**Topology Tests failed for Topotests Ubuntu 18.04 i386 part 9**  
see full log at https://ci1.netdef.org/browse/FRR-PULLREQ2-13680/artifact/TOPO9U18I386/TopotestLogs/log\_topotests.txt  
Topotests Ubuntu 18.04 i386 part 9: Unknown Log  
URL: https://ci1.netdef.org/browse/FRR-PULLREQ2-13680/artifact/TOPO9U18I386/TopotestDetails/

Successful on other platforms/tests

*   Topotests Ubuntu 18.04 arm8 part 3
*   Topotests debian 10 amd64 part 9
*   Addresssanitizer topotests part 5
*   Topotests Ubuntu 18.04 amd64 part 2
*   Topotests debian 10 amd64 part 4
*   Topotests Ubuntu 18.04 amd64 part 3
*   Topotests debian 10 amd64 part 8
*   Addresssanitizer topotests part 0
*   Topotests Ubuntu 18.04 arm8 part 4
*   Topotests debian 10 amd64 part 3
*   Topotests Ubuntu 18.04 arm8 part 9
*   Topotests debian 10 amd64 part 0
*   Topotests Ubuntu 18.04 amd64 part 5
*   Ubuntu 20.04 deb pkg check
*   Topotests Ubuntu 18.04 arm8 part 2
*   Topotests Ubuntu 18.04 i386 part 1
*   Topotests Ubuntu 18.04 amd64 part 8
*   Addresssanitizer topotests part 9
*   Topotests Ubuntu 18.04 amd64 part 4
*   Topotests Ubuntu 18.04 arm8 part 0
*   Topotests Ubuntu 18.04 i386 part 6
*   Topotests Ubuntu 18.04 i386 part 8
*   Topotests Ubuntu 18.04 amd64 part 9
*   Topotests Ubuntu 18.04 arm8 part 7
*   Debian 10 deb pkg check
*   Addresssanitizer topotests part 7
*   Topotests Ubuntu 18.04 amd64 part 7
*   Addresssanitizer topotests part 6
*   Topotests Ubuntu 18.04 i386 part 5
*   Topotests Ubuntu 18.04 i386 part 0
*   Addresssanitizer topotests part 3
*   Topotests debian 10 amd64 part 1
*   Topotests Ubuntu 18.04 arm8 part 5
*   CentOS 7 rpm pkg check
*   Topotests Ubuntu 18.04 amd64 part 0
*   Topotests debian 10 amd64 part 2
*   Addresssanitizer topotests part 2
*   Static analyzer (clang)
*   Debian 9 deb pkg check
*   Topotests Ubuntu 18.04 amd64 part 1
*   Addresssanitizer topotests part 1
*   Topotests Ubuntu 18.04 i386 part 4
*   Ubuntu 18.04 deb pkg check
*   Topotests debian 10 amd64 part 5
*   Topotests debian 10 amd64 part 7
*   Topotests Ubuntu 18.04 arm8 part 6
*   Addresssanitizer topotests part 8
*   Topotests debian 10 amd64 part 6
*   Topotests Ubuntu 18.04 arm8 part 8
*   Topotests Ubuntu 18.04 i386 part 7
*   Topotests Ubuntu 18.04 arm8 part 1
*   Topotests Ubuntu 18.04 i386 part 2
*   Topotests Ubuntu 18.04 amd64 part 6

Copy link

Collaborator

**

**NetDEF-CI** commented

Aug 21, 2023

**

**Continuous Integration Result: SUCCESSFUL**

Congratulations, this patch passed basic tests

Tested-by: NetDEF / OpenSourceRouting.org CI System

CI System Testrun URL: https://ci1.netdef.org/browse/FRR-PULLREQ2-13680/

This is a comment from an automated CI system.  
For questions and feedback in regards to this CI system, please feel free to email  
Martin Winter - mwinter (at) opensourcerouting.org.

 donaldsharp merged commit ff4c767 into FRRouting:master

Aug 21, 2023

6 checks passed

 mergify bot mentioned this pull request

Aug 21, 2023

bgpd: Check the length of the rcv software version (backport #14241) #14250

Merged

 ton31337 deleted the fix/software\_version\_capability\_handling\_len branch

August 21, 2023 13:53

donaldsharp added a commit that referenced this pull request

Aug 21, 2023

          Merge pull request #14250 from FRRouting/mergify/bp/stable/9.0/pr-14241
        

          d8238e9
        

bgpd: Check the length of the rcv software version (backport #14241)

Sign up for free **to join this conversation on GitHub**. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

backport bgp master size/S

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

None yet

3 participants

CVE-2023-41361: bgpd: Check the length of the rcv software version by ton31337 · Pull Request #14241 · FRRouting/frr

Insufficient Logging vulnerability in Hitachi HiRDB Server, HiRDB Server With Addtional Function, HiRDB Structured Data Access Facility.This issue affects HiRDB Server: before 09-60-39, before 09-65-23, before 10-01-10, before 10-03-12, before 10-04-06, before 10-05-06, before 10-06-02; HiRDB Server With Addtional Function: before 09-60-2M, before 09-65-/W; HiRDB Structured Data Access Facility: before 09-60-39, before 10-03-12, before 10-04-06, before 10-06-02.



*   Security Information ID
*   Vulnerability description
*   Affected products
*   Fixed products
*   Revision history

Update: August 29, 2023

A Vulnerability (CVE-2023-1995) exists in HiRDB.

**Security Information ID**

hitachi-sec-2023-133

**Affected products**

The information is organized under the following headings:  

**(Example)  
Product name: Gives the name of the affected product.**

Version:

Platform

Gives the affected version.

**\- HiRDB V10**

**Product name: HiRDB Server Version 10  
**

Version(s):

AIX

10-06 to 10-06-01, 10-05 to 10-05-05, 10-04 to 10-04-04, 10-03 to 10-03-11, 10-02 to 10-02-12, 10-01 to 10-01-09, 10-00 to 10-00-09

HP-UX

10-05 to 10-05-05, 10-04 to 10-04-04, 10-03 to 10-03-10, 10-02 to 10-02-12, 10-01 to 10-01-09, 10-00 to 10-00-09

Linux

10-06 to 10-06-01, 10-05 to 10-05-05, 10-04 to 10-04-05, 10-03 to 10-03-10, 10-02 to 10-02-12, 10-01 to 10-01-09, 10-00 to 10-00-09

Windows

10-06 to 10-06-01, 10-05 to 10-05-05, 10-04 to 10-04-04, 10-03 to 10-03-10, 10-02 to 10-02-12, 10-01 to 10-01-09, 10-00 to 10-00-09

**Product name: HiRDB Structured Data Access Facility Version 10  
**

Version(s):

Linux

10-06 to 10-06-01, 10-04 to 10-04-05, 10-03 to 10-03-10, 10-02 to 10-02-12, 10-01 to 10-01-03

**\- HiRDB V9**

**Product name: HiRDB Server Version 9  
**

Version(s):

AIX

09-66 to 09-66-16, 09-65 to 09-65-22, 09-60 to 09-60-38, 09-50 to 09-50-37, 09-04 to 09-04-45, 09-03 to 09-03-31, 09-02 to 09-02-32, 09-01 to 09-01-24, 09-00 to 09-00-32

HP-UX

09-66 to 09-66-16, 09-65 to 09-65-22, 09-60 to 09-60-37, 09-50 to 09-50-37, 09-04 to 09-04-45, 09-03 to 09-03-27, 09-02 to 09-02-32, 09-01 to 09-01-24, 09-00 to 09-00-30

Solaris

09-04 to 09-04-31, 09-03 to 09-03-27, 09-02 to 09-02-32, 09-01 to 09-01-24, 09-00 to 09-00-30

Linux

09-66 to 09-66-16, 09-65 to 09-65-22, 09-60 to 09-60-37, 09-50 to 09-50-37, 09-04 to 09-04-45, 09-03 to 09-03-27, 09-02 to 09-02-32, 09-01 to 09-01-24, 09-00 to 09-00-30

Windows

09-66 to 09-66-16, 09-65 to 09-65-22, 09-60 to 09-60-37, 09-50 to 09-50-37, 09-04 to 09-04-45, 09-03 to 09-03-27, 09-02 to 09-02-32, 09-01 to 09-01-24, 09-00 to 09-00-30

**Product name: HiRDB Server with Additional Function Version 9  
**

Version(s):

AIX

09-66 to 09-66-/P, 09-65 to 09-65-/V, 09-60 to 09-60-2L, 09-50 to 09-50-2K, 09-04 to 09-04-2S, 09-03 to 09-03-2E, 09-02 to 09-02-2F, 09-01 to 09-01-/X, 09-00 to 09-00-2F

HP-UX

09-66 to 09-66-/P, 09-65 to 09-65-/V, 09-60 to 09-60-2K, 09-50 to 09-50-2K, 09-04 to 09-04-2S, 09-03 to 09-03-2A, 09-02 to 09-02-2F, 09-01 to 09-01-/X, 09-00 to 09-00-2D

Linux

09-66 to 09-66-/P, 09-65 to 09-65-/V, 09-60 to 09-60-2K, 09-50 to 09-50-2K, 09-04 to 09-04-2S, 09-03 to 09-03-2A, 09-02 to 09-02-2F, 09-01 to 09-01-/X, 09-00 to 09-00-2D

Windows

09-66 to 09-66-/P, 09-65 to 09-65-/V, 09-60 to 09-60-2K, 09-50 to 09-50-2K, 09-04 to 09-04-2S, 09-03 to 09-03-2A, 09-02 to 09-02-2F, 09-01 to 09-01-/X, 09-00 to 09-00-2D

**Product name: HiRDB Server Version 9(32)  
**

Version(s):

Windows

09-66 to 09-66-16, 09-65 to 09-65-22, 09-60 to 09-60-37, 09-50 to 09-50-37, 09-04 to 09-04-45, 09-03 to 09-03-27, 09-02 to 09-02-32

**Product name: HiRDB Server with Additional Function Version 9(32)  
**

Version(s):

Windows

09-66 to 09-66-/P, 09-65 to 09-65-/V, 09-60 to 09-60-2K, 09-50 to 09-50-2K, 09-04 to 09-04-2S, 09-03 to 09-03-2A, 09-02 to 09-02-2F

**Product name: HiRDB Structured Data Access Facility Version 9  
**

Version(s):

Linux

09-66 to 09-66-06, 09-60 to 09-60-37

**Fixed products**

The information is organized under the following headings:  

**(Example)  
Product name: Gives the name of the fixed product.**

Version:

Platform

Gives the fixed version, and release date.

Scheduled version:

Platform

Gives the fixed version scheduled to be released.

**\- HiRDB V10**

**Product name: HiRDB Server Version 10  
**

Version(s):

AIX, Linux, Windows

10-06-02 July 26, 2023

AIX, HP-UX, Linux, Windows

10-05-06 August 21, 2023

10-04-06 March 30, 2023

10-03-12 June 28, 2023

10-01-10 April 17, 2023

**Product name: HiRDB Structured Data Access Facility Version 10  
**

Version(s):

Linux

10-06-02 July 26, 2023

10-04-06 March 30, 2023

10-03-12 June 28, 2023

**\- HiRDB V9**

**Product name: HiRDB Server Version 9  
**

Version(s):

AIX, HP-UX, Linux, Windows

09-65-23 May 24, 2023

09-60-39 July 11, 2023

Windows

09-50-38 March 28, 2023

**Product name: HiRDB Server with Additional Function Version 9  
**

Version(s):

AIX, HP-UX, Linux, Windows

09-65-/W May 24, 2023

09-60-2M July 11, 2023

Windows

09-50-2L March 28, 2023

**Product name: HiRDB Server Version 9(32)  
**

Version(s):

Windows

09-65-23 May 24, 2023

09-60-39 July 11, 2023

**Product name: HiRDB Server with Additional Function Version 9(32)  
**

Version(s):

Windows

09-65-/W May 24, 2023

09-60-2M July 11, 2023

**Product name: HiRDB Structured Data Access Facility Version 9  
**

Version(s):

Linux

09-60-39 July 11, 2023

For details on the fixed products, contact your Hitachi support service representative.

**Revision history**

August 29, 2023

This page is released.

*   Hitachi, Ltd. (hereinafter referred to as "Hitachi") tries to provide accurate information about security countermeasures. However, since information about security problems constantly changes, the contents of these Web pages are subject to change without prior notice. When referencing information, please confirm that you are referencing the latest information.
*   The Web pages include information about products that are developed by non-Hitachi software developers. Vulnerability information about those products is based on the information provided or disclosed by those developers. Although Hitachi is careful about the accuracy and completeness of this information, the contents of the Web pages may change depending on the changes made by the developers.
*   The Web pages are intended to provide vulnerability information only, and Hitachi shall not have any legal responsibility for the information contained in them. Hitachi shall not be liable for any consequences arising out of or in connection with the security countermeasures or other actions that you will take or have taken (or not taken) by yourself.
*   The links to other web sites are valid at the time of the release of the page. Although Hitachi makes an effort to maintain the links, Hitachi cannot guarantee their permanent availability.

CVE-2023-1995: hitachi-sec-2023-133: Vulnerability in HiRDB

Theme Volty CMS Blog up to version v4.0.1 was discovered to contain a SQL injection vulnerability via the id parameter at /tvcmsblog/single.

In the module “Theme Volty CMS Blog” (tvcmsblog) up to versions 4.0.1 from Theme Volty for PrestaShop, a guest can perform SQL injection in affected versions.

**Summary**

*   **CVE ID**: CVE-2023-39650
*   **Published at**: 2023-08-24
*   **Platform**: PrestaShop
*   **Product**: tvcmsblog
*   **Impacted release**: <= 4.0.1 (4.0.2 fixed the vulnerability)
*   **Product author**: Theme Volty
*   **Weakness**: CWE-89
*   **Severity**: critical (9.8)

**Description**

The method TvcmsBlogSingleModuleFrontController::run() have a sensitive SQL call that can be executed with a trivial HTTP call and exploited to forge a SQL injection.

If your server do not manage correctly these HTTP headers (which will be the case for all servers not managed by a professional system administrator), you are concerned:

*   CLIENT\_IP
*   X\_FORWARDED\_FOR
*   X\_FORWARDED
*   FORWARDED\_FOR
*   FORWARDED

See recommendations if needed about this.

This exploit uses a PrestaShop front controller and most attackers can conceal the module controller’s path during the exploit, so you will never know within your conventional frontend logs that it exploits this vulnerability. **You will only see “POST /” inside your conventional frontend logs.** Activating the AuditEngine of mod\_security (or similar) is the only way to get data to confirm this exploit.

**CVSS base metrics**

*   **Attack vector**: network
*   **Attack complexity**: low
*   **Privilege required**: none
*   **User interaction**: none
*   **Scope**: unchanged
*   **Confidentiality**: high
*   **Integrity**: high
*   **Availability**: high

**Vector string**: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

**Possible malicious usage**

*   Obtain admin access
*   Remove data from the associated PrestaShop
*   Copy/paste data from sensitive tables to FRONT to expose tokens and unlock admins’s ajax scripts
*   Rewrite SMTP settings to hijack emails

**Patch from 4.0.1**

    --- 4.0.1/tvcmsblog/controllers/front/single.php
    +++ 4.0.2/tvcmsblog/controllers/front/single.php
    ...
        public function initContent()
        {
            $ipaddress = '';
            if (isset($_SERVER['HTTP_CLIENT_IP'])) {
                $ipaddress = $_SERVER['HTTP_CLIENT_IP'];
            } elseif (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
                $ipaddress = $_SERVER['HTTP_X_FORWARDED_FOR'];
            } elseif (isset($_SERVER['HTTP_X_FORWARDED'])) {
                $ipaddress = $_SERVER['HTTP_X_FORWARDED'];
            } elseif (isset($_SERVER['HTTP_FORWARDED_FOR'])) {
                $ipaddress = $_SERVER['HTTP_FORWARDED_FOR'];
            } elseif (isset($_SERVER['HTTP_FORWARDED'])) {
                $ipaddress = $_SERVER['HTTP_FORWARDED'];
            } elseif (isset($_SERVER['REMOTE_ADDR'])) {
                $ipaddress = $_SERVER['REMOTE_ADDR'];
            } else {
                $ipaddress = 'UNKNOWN';
            }
            $blogid = $this->blogpost['id_tvcmsposts'];
    
    -       $select_data = 'SELECT MAX(id_view) as max_id FROM `' . _DB_PREFIX_ . 'tvcmsposts_view` where `id_tvcmsposts` = ' . $blogid . ' AND `ipadress` = \'' . $ipaddress . '\' ';
    +       $select_data = 'SELECT MAX(id_view) as max_id FROM `' . _DB_PREFIX_ . 'tvcmsposts_view` where `id_tvcmsposts` = ' . (int) $blogid . ' AND `ipadress` = \'' . pSQL($ipaddress) . '\' ';
            $ans = Db::getInstance()->executeS($select_data);
    
            if (1 > $ans[0]['max_id']) {
                $dataquery = 'INSERT INTO `' . _DB_PREFIX_ . 'tvcmsposts_view`
                                    SET 
    -                                   `id_tvcmsposts` = ' . $blogid . ',
    +                                   `id_tvcmsposts` = ' . (int) $blogid . ',
    -                                    ipadress = \'' . $ipaddress . '\'';
    +                                    ipadress = \'' . pSQL($ipaddress) . '\'';
    

**Other recommendations**

*   It’s recommended to upgrade to the latest version of the module **tvcmsblog**.
*   Upgrade PrestaShop to the latest version to disable multiquery executions (separated by “;”) - be warned that this functionality **WILL NOT** protect your SHOP against injection SQL which uses the UNION clause to steal data.
*   These HTTP headers are not supposed to be used on a final application, since they should be used only if REMOTE_ADDR is allowed with modules like mod\_remoteip for Apache2, so you should auto-delete them if you are not behind a well setup load-balancer or reverse proxy.
*   Change the default database prefix ps_ with a new longer, arbitrary prefix. Nevertheless, be warned that this is useless against blackhats with DBA senior skills because of a design vulnerability in DBMS
*   Activate OWASP 942’s rules on your WAF (Web application firewall), be warned that you will probably break your backoffice and you will need to pre-configure some bypasses against this set of rules.

**Timeline**

Date

Action

2023-02-10

Issue discovered during a code review by TouchWeb.fr

2023-02-10

Contact PrestaShop Addons security Team to confirm versions scope by author

2023-02-15

The author provided a patch, but it still contains all critical vulnerabilities.

2023-04-13

Recontact PrestaShop Addons security Team to confirm versions scope by author

2023-04-13

Request a CVE ID

2023-05-19

Author provide patch

2023-08-15

Received CVE ID

2023-08-24

Publish this security advisory

**Links**

*   PrestaShop addons product page
*   Author product page
*   National Vulnerability Database

CVE-2023-39650: [CVE-2023-39650] Improper neutralization of SQL parameters in Theme Volty CMS Blog module for PrestaShop

A memory leak flaw was found in nft_set_catchall_flush in net/netfilter/nf_tables_api.c in the Linux Kernel. This issue may allow a local attacker to cause a double-deactivations of catchall elements, which results in a memory leak.

'2235470?cve=title' is not a valid bug number nor an alias to a bug.

Please press **Back** and try again.

CVE-2023-4569: Invalid Bug ID

An issue in pf4j pf4j v.3.9.0 and before allows a remote attacker to obtain sensitive information and execute arbitrary code via the expandIfZip method in the extract function.

**This is a PR submission for #536**

To verify that there is a directory traversal risk when unzipping the zip file, I test in FileUtilsTest.java.

1.Using the zipslip vulnerability, create a zip file.Save the created zip file in the D:/code/pf4j directory, if you do not have this path on your computer D drive, create it.  

2.  Next, call expandIfZip or loadPluginFromPath method to extract the zip file to the root directory of disk D of the computer.  
    

3.To prevent path crossing problems caused by unsafe input, I recommend adding checks to the extract() method.  

After adding the check, an exception is thrown when there is a malicious file name  

Sorry, commits/c1b03c92c03cc42ef7d197d962acd785bbea60dd is wrong, commits/ed9392069fe14c6c30d9f876710e5ad40f7ea8c1 provide repair plan is correct.

CVE-2023-40828: Add security checks to prevent directory traversal when decompressing… by afeng2016-s · Pull Request #537 · pf4j/pf4j

Buffer Overflow vulnerability in VirusTotal yara v.4.3.2 allows a remote attacker to execute arbtirary code via the yr_execute_cod function in the exe.c component.

**Describe the bug**  
AddressSanitizer: heap-buffer-overflow libyara/exec.c:1426 in yr\_execute\_code

**To Reproduce**  
Steps to reproduce the behavior:  
1, compile yara with asan: ./configure CC=gcc CXX=g++ CFLAGS="-g -O0 -fsanitize=address" CXXFLAGS="-g -O0 -fsanitize=address" LDFLAGS="-g -O0 -fsanitize=address"  
2, run this command: ./yara -C PoC binFile

**Please complete the following information:**

*   OS: ubuntu 20.04
*   YARA version: 4.3.2

****Additional context**  
ASAN reprot:**

\==1855158==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x604000000248 at pc 0x7f168933dfaf bp 0x7ffd229d5530 sp 0x7ffd229d5520  
READ of size 8 at 0x604000000248 thread T0  
#0 0x7f168933dfae in yr\_execute\_code libyara/exec.c:1426  
#1 0x7f16893a1cd8 in yr\_scanner\_scan\_mem\_blocks libyara/scanner.c:526  
#2 0x7f16893a27a0 in yr\_scanner\_scan\_mem libyara/scanner.c:670  
#3 0x7f16893a2b3e in yr\_scanner\_scan\_fd libyara/scanner.c:706  
#4 0x55aa2e6ed11a in scan\_file cli/yara.c:736  
#5 0x55aa2e6f1444 in main cli/yara.c:1654  
#6 0x7f1688c22082 in \_\_libc\_start\_main ../csu/libc-start.c:308  
#7 0x55aa2e6e9ced in \_start (/home/root/latestFiles/yara-4.3.2/.libs/yara+0x7ced)

0x604000000248 is located 8 bytes to the left of 48-byte region \[0x604000000250,0x604000000280)  
allocated by thread T0 here:  
#0 0x7f1689535a06 in \_\_interceptor\_calloc ../../../../src/libsanitizer/asan/asan\_malloc\_linux.cc:153  
#1 0x7f168936db41 in yr\_calloc libyara/mem.c:127  
#2 0x7f168939fe48 in yr\_scanner\_create libyara/scanner.c:242  
#3 0x55aa2e6f12af in main cli/yara.c:1640  
#4 0x7f1688c22082 in \_\_libc\_start\_main ../csu/libc-start.c:308

SUMMARY: AddressSanitizer: heap-buffer-overflow libyara/exec.c:1426 in yr\_execute\_code  
Shadow bytes around the buggy address:  
0x0c087fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x0c087fff8000: fa fa fd fd fd fd fd fa fa fa 00 00 00 00 00 fa  
0x0c087fff8010: fa fa fd fd fd fd fd fa fa fa 00 00 00 00 00 fa  
0x0c087fff8020: fa fa fd fd fd fd fd fa fa fa 00 00 00 00 00 fa  
0x0c087fff8030: fa fa fd fd fd fd fd fa fa fa 00 00 00 00 00 fa  
\=>0x0c087fff8040: fa fa 00 00 00 00 00 00 fa\[fa\]00 00 00 00 00 00  
0x0c087fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c087fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c087fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c087fff8080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c087fff8090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
Shadow byte legend (one shadow byte represents 8 application bytes):  
Addressable: 00  
Partially addressable: 01 02 03 04 05 06 07  
Heap left redzone: fa  
Freed heap region: fd  
Stack left redzone: f1  
Stack mid redzone: f2  
Stack right redzone: f3  
Stack after return: f5  
Stack use after scope: f8  
Global redzone: f9  
Global init order: f6  
Poisoned by user: f7  
Container overflow: fc  
Array cookie: ac  
Intra object redzone: bb  
ASan internal: fe  
Left alloca redzone: ca  
Right alloca redzone: cb  
Shadow gap: cc  
\==1855158==ABORTING

CVE-2023-40857: heap-buffer-overflow libyara/exec.c:1426 in yr_execute_code · Issue #1945 · VirusTotal/yara

Buffer Overflow vulnerability in O-RAN Software Community ric-plt-lib-rmr v.4.9.0 allows a remote attacker to cause a denial of service via a crafted packet.

Hello,

I would like to report an issue related to the incorrect format in the rmr library (ric-plt-lib-rmr).

When RMR service receives a packet in an incorrect format, it crash during the packet parsing process

*   First, the header is extracted from the received packet. Due to the packet's incorrect format, the header value becomes abnormal.
*   Then, a memory location is calculated, leading to an illegal access in **d1**, as shown in the attached image.

This is my initial analysis, and there might be errors. Please kindly forgive any mistakes.

Through xApp, we can send packets of this nature to services that utilize this RMR library, leading to the disruption of the services.

This problem can be found in components that utilize the RMR library.