Buffer Overflow vulnerability in postprocess_terminfo function in tinfo/parse_entry.c:997 in ncurses 6.1 allows remote attackers to cause a denial of service via crafted command.

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Search code, repositories, users, issues, pull requests...**

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

CVE-2020-19189: fuzzpoc/infotocap_poc5.md at master · zjuchenyuan/fuzzpoc

Buffer Overflow vulnerability in _nc_find_entry in tinfo/comp_hash.c:70 in ncurses 6.1 allows remote attackers to cause a denial of service via crafted command.

CVE-2020-19190: fuzzpoc/infotocap_poc6.md at master · zjuchenyuan/fuzzpoc

An issue was discovered in function ciMethodBlocks::make_block_at in Oracle JDK (HotSpot VM) 11, 17 and OpenJDK (HotSpot VM) 8, 11, 17, allows attackers to cause a denial of service.

@yan-too This change now passes all _automated_ pre-integration checks.

After integration, the commit message for the final commit will be:

    8283441: C2: segmentation fault in ciMethodBlocks::make_block_at(int)
    

You can use pull request commands such as /summary, /contributor and /issue to adjust it as needed.

At the time when this comment was updated there had been no new commits pushed to the master branch. If another commit should be pushed before you perform the /integrate command, your PR will be automatically rebased. If you prefer to avoid any potential automatic rebasing, please check the documentation for the /integrate command for further details.

➡️ To integrate this PR with the above commit message to the master branch, type /integrate in a new comment.

CVE-2022-40433: 8283441: C2: segmentation fault in ciMethodBlocks::make_block_at(int) by yan-too · Pull Request #261 · openjdk/jdk15u-dev

An issue was discovered in function ciMethodBlocks::make_block_at in Oracle JDK (HotSpot VM) 11, 17 and OpenJDK (HotSpot VM) 8, 11, 17, allows attackers to cause a denial of service. Note: Vendor states that this to is Defense in Depth at most due to the nature of the issue and the special circumstances required (server must be running particular code locally, code compiled with an old, old version of javac, etc.).

ADDITIONAL SYSTEM INFORMATION :  
OS version:  
Distributor ID: Ubuntu  
Description: Ubuntu 20.04.2 LTS  
Release: 20.04  
Codename: focal

JDK version we used:

openjdk version "17.0.2" 2022-01-18  
OpenJDK Runtime Environment (build 17.0.2+8-86)  
OpenJDK 64-Bit Server VM (build 17.0.2+8-86, mixed mode, sharing)

openjdk version "18" 2022-03-22  
OpenJDK Runtime Environment (build 18+36-2087)  
OpenJDK 64-Bit Server VM (build 18+36-2087, mixed mode, sharing)

openjdk version "19-ea" 2022-09-20  
OpenJDK Runtime Environment (build 19-ea+13-808)  
OpenJDK 64-Bit Server VM (build 19-ea+13-808, mixed mode, sharing)

A DESCRIPTION OF THE PROBLEM :  
When we run the test in jdk17.0.2, jdk18 and jdk19-ea, all in compiled mode(with "-Xcomp"), it crashed with the following message. But when run the test in mixed mode or interpreted mode(with "-Xint), it passed successfully.

The error message in compiled mode:

jdk17.0.2:  
\# A fatal error has been detected by the Java Runtime Environment:  
#  
\# SIGSEGV (0xb) at pc=0x00007f0b86b5a37b, pid=32365, tid=32379  
#  
\# JRE version: OpenJDK Runtime Environment (17.0.2+8) (build 17.0.2+8-86)  
\# Java VM: OpenJDK 64-Bit Server VM (17.0.2+8-86, compiled mode, sharing, tiered, compressed oops, compressed class ptrs, g1 gc, linux-amd64)  
\# Problematic frame:  
\# V \[libjvm.so+0x52837b\] ciMethodBlocks::make\_block\_at(int)+0x3b  
#  
\# No core dump will be written. Core dumps have been disabled. To enable core dumping, try "ulimit -c unlimited" before starting Java again  
#  
\# An error report file with more information is saved as:  
\# /home/minghai/hs\_err\_pid32365.log  
#  
\# Compiler replay data is saved as:  
\# /home/minghai/replay\_pid32365.log  
#  
\# If you would like to submit a bug report, please visit:  
\# https://bugreport.java.com/bugreport/crash.jsp

jdk18:  
\# A fatal error has been detected by the Java Runtime Environment:  
#  
\# SIGSEGV (0xb) at pc=0x00007f9a003d800b, pid=32250, tid=32263  
#  
\# JRE version: OpenJDK Runtime Environment (18.0+36) (build 18+36-2087)  
\# Java VM: OpenJDK 64-Bit Server VM (18+36-2087, compiled mode, sharing, tiered, compressed oops, compressed class ptrs, g1 gc, linux-amd64)  
\# Problematic frame:  
\# V \[libjvm.so+0x54b00b\] ciTypeFlow::get\_block\_for(int, ciTypeFlow::JsrSet\*, ciTypeFlow::CreateOption)+0x2b  
#  
\# No core dump will be written. Core dumps have been disabled. To enable core dumping, try "ulimit -c unlimited" before starting Java again  
#  
\# An error report file with more information is saved as:  
\# /home/minghai/hs\_err\_pid32250.log  
#  
\# Compiler replay data is saved as:  
\# /home/minghai/replay\_pid32250.log  
#  
\# If you would like to submit a bug report, please visit:  
\# https://bugreport.java.com/bugreport/crash.jsp

jdk19-ea:  
\# A fatal error has been detected by the Java Runtime Environment:  
#  
\# SIGSEGV (0xb) at pc=0x00007f96f291b1fb, pid=32319, tid=32332  
#  
\# JRE version: OpenJDK Runtime Environment (19.0+13) (build 19-ea+13-808)  
\# Java VM: OpenJDK 64-Bit Server VM (19-ea+13-808, compiled mode, sharing, tiered, compressed oops, compressed class ptrs, g1 gc, linux-amd64)  
\# Problematic frame:  
\# V \[libjvm.so+0x5571fb\] ciTypeFlow::get\_block\_for(int, ciTypeFlow::JsrSet\*, ciTypeFlow::CreateOption)+0x2b  
#  
\# No core dump will be written. Core dumps have been disabled. To enable core dumping, try "ulimit -c unlimited" before starting Java again  
#  
\# An error report file with more information is saved as:  
\# /home/minghai/hs\_err\_pid32319.log  
#  
\# Compiler replay data is saved as:  
\# /home/minghai/replay\_pid32319.log  
#  
\# If you would like to submit a bug report, please visit:  
\# https://bugreport.java.com/bugreport/crash.jsp

STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :  
1\. extract the bug.zip  
2\. in dictionary "bug", run command:  
java -cp ./bugFiles:./util:./junit.jar:./hamcrest.jar:./target/classes:./target/test-classes org.junit.runner.JUnitCore com.alibaba.fastjson.deserializer.issue1463.TestIssue1463

you may add "-Xcomp" or "-Xint" to get different results.

EXPECTED VERSUS ACTUAL BEHAVIOR :  
EXPECTED -  
The result should be the same since the program are the same, no matter in compiled mode, mixed mode or interpreted mode.  
ACTUAL -  
When run in compiled mode(with "-Xcomp"), it crashed. But when run in mixed mode or interpreted mode(with -Xint), it passed successfully.

\---------- BEGIN SOURCE ----------  
to be attached in bug.zip  
\---------- END SOURCE ----------

CUSTOMER SUBMITTED WORKAROUND :  
run the command without -Xcomp or with -Xint

FREQUENCY : always

CVE-2022-40433: C2: segmentation fault in ciMethodBlocks::make_block_at(int)

A Segmentation Fault issue discovered in in ieee_segment function in outieee.c in nasm 2.14.03 and 2.15 allows remote attackers to cause a denial of service via crafted assembly file.

Self-registration is disabled due to spam issue (mail gorcunov@gmail.com or hpa@zytor.com to create an account)

'3392637?cve=title' is not a valid bug number nor an alias to a bug.

Please press **Back** and try again.

CVE-2020-21528: Invalid Bug ID

An issue was discovered in function _libssh2_packet_add in libssh2 1.10.0 allows attackers to access out of bounds memory.

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Pick a username

Email Address

Password

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CVE-2020-22218: fix use-of-uninitialized-value by ltx2018 · Pull Request #476 · libssh2/libssh2

There is a stack overflow vulnerability in ash.c:6030 in busybox before 1.35. In the environment of Internet of Vehicles, this vulnerability can be executed from command to arbitrary code execution.

'15216?cve=title' is not a valid bug number nor an alias to a bug.

Please press **Back** and try again.

CVE-2022-48174: Invalid Bug ID

An issue was discovered in json-c through 0.15-20200726. A stack-buffer-overflow exists in the function parseit located in json_parse.c. It allows an attacker to cause code Execution.

cmake ..-DCMAKE\_CXX\_FLAGS="-fsanitize=address -g" -DCMAKE\_C\_FLAGS="-fsanitize=address -g" -DCMAKE\_EXE\_LINKER\_FLAGS="-fsanitize=address"

    =================================================================
    ==12668==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffea9c409b0 at pc 0x00000051747b bp 0x7ffea9c388b0 sp 0x7ffea9c388a8
    READ of size 1 at 0x7ffea9c409b0 thread T0
        #0 0x51747a in parseit /home/seviezhou/jsonc/apps/json_parse.c:89:44
        #1 0x51747a in main /home/seviezhou/jsonc/apps/json_parse.c:182
        #2 0x7fc02a77783f in __libc_start_main /build/glibc-e6zv40/glibc-2.23/csu/../csu/libc-start.c:291
        #3 0x41a928 in _start (/home/seviezhou/jsonc/build/apps/json_parse+0x41a928)
    
    Address 0x7ffea9c409b0 is located in stack of thread T0 at offset 33008 in frame
        #0 0x51651f in main /home/seviezhou/jsonc/apps/json_parse.c:159
    
      This frame has 3 object(s):
        [32, 176) 'rusage.i.i.i' (line 42)
        [240, 33008) 'buf.i' (line 52) <== Memory access at offset 33008 overflows this variable
        [33264, 33408) 'rusage.i' (line 42)
    HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
          (longjmp and C++ exceptions *are* supported)
    SUMMARY: AddressSanitizer: stack-buffer-overflow /home/seviezhou/jsonc/apps/json_parse.c:89:44 in parseit
    Shadow bytes around the buggy address:
      0x1000553800e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x1000553800f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x100055380100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x100055380110: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x100055380120: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x100055380130: 00 00 00 00 00 00[f2]f2 f2 f2 f2 f2 f2 f2 f2 f2
      0x100055380140: f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2
      0x100055380150: f2 f2 f2 f2 f2 f2 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
      0x100055380160: f8 f8 f8 f8 f8 f8 f8 f8 f3 f3 f3 f3 f3 f3 f3 f3
      0x100055380170: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x100055380180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
    ==12668==ABORTING

CVE-2021-32292: A stack-buffer-overflow in json_parse.c:89:44 · Issue #654 · json-c/json-c

File before 5.43 has an stack-based buffer over-read in file_copystr in funcs.c. NOTE: "File" is the name of an Open Source project.

*   Anonymous

APPLICATION ERROR #203

A number was expected for id.

Please use the "Back" button in your web browser to return to the previous page. There you can correct whatever problems were identified in this error or select another action. You can also click an option from the menu bar to go directly to a new section.

CVE-2022-48554: MantisBT

An issue was discovered in compare_digest in Lib/hmac.py in Python through 3.9.1. Constant-time-defeating optimisations were possible in the accumulator variable in hmac.compare_digest.

Created on **2020-05-27 07:41** by **Devin Jeanpierre**, last changed **2022-04-11 14:59** by **admin**. This issue is now **closed**.

Messages (15) msg370053 - (view) Author: Devin Jeanpierre (Devin Jeanpierre) \* Date: 2020-05-27 07:41

\`hmac.compare\_digest\` (via \`\_tscmp\`) does not mark the accumulator variable \`result\` as volatile, which means that the compiler is allowed to short-circuit the comparison loop as long as it still reads from both strings.

In particular, when \`result\` is non-volatile, the compiler is allowed to change the loop from this:


\`\`\`c
for (i=0; i < length; i++) {
    result |= \*left++ ^ \*right++;
}
return (result == 0);
\`\`\`

into (the moral equivalent of) this:


\`\`\`c
for (i=0; i < length; i++) {
    result |= \*left++ ^ \*right++;
    if (result) {
        for (; ++i < length;) {
            \*left++; \*right++;
        }
        return 1;
    }
}
return (result == 0);
\`\`\`

(Code not tested.)

This might not seem like much, but it cuts out almost all of the data dependencies between \`result\`, \`left\`, and \`right\`, which in theory would free the CPU to race ahead using out of order execution -- it could execute code that depends on the result of \`\_tscmp\`, even while \`\_tscmp\` is still performing the volatile reads. (I have not actually benchmarked this. :)) In other words, this weird short circuiting could still actually improve performance. That, in turn, means that it would break constant-time guarantees.

(This is different from saying that it \_would\_ increase performance, but marking it volatile removes the worry.)

(Prior art/discussion: https://github.com/google/tink/commit/335291c42eecf29fca3d85fed6179d11287d253e )


I propose two changes, one trivial, and one that's more invasive:

1) Make \`result\` a \`volatile unsigned char\` instead of \`unsigned char\`. 

2) When SSL is available, instead use \`CRYPTO\_memcmp\` from OpenSSL/BoringSSL. We are, in effect, "rolling our own crypto". The SSL libraries are more strictly audited for timing issues, down to actually checking the generated machine code. As tools improve, those libraries will grow to use those tools. If we use their functions, we get the benefit of those audits and improvements.

msg370094 - (view) Author: Raymond Hettinger (rhettinger) \*  Date: 2020-05-27 15:26

+1 for both of these suggestions

msg370108 - (view) Author: Gregory P. Smith (gregory.p.smith) \*  Date: 2020-05-27 16:05

Christian - Devin could likely use some help with the build/ifdef plumbing required for (2) to use CRYPTO\_memcmp from Modules/\_operator.c when OpenSSL is available.

msg370109 - (view) Author: Christian Heimes (christian.heimes) \*  Date: 2020-05-27 16:14

GPS, I got you covered :)

CRYPTO\_memcmp() was on my TODO list for a while. Thanks for nagging me.

\_operator is a built-in module. I don't want to add libcrypto dependency to libpython. I copied the code, made some adjustments and added it to \_hashopenssl.c.

msg370121 - (view) Author: Christian Heimes (christian.heimes) \*  Date: 2020-05-27 19:18

Greg, is GH-20456 a bug fix / security enhancement or a new feature? I'm hesitant to backport it to 3.7 and 3.8. 3.9 might be ok.

msg370122 - (view) Author: Gregory P. Smith (gregory.p.smith) \*  Date: 2020-05-27 19:46

I'd feel fine doing that for 3.9 given 3.9.0 is only in beta and this changes no public APIs.  For 3.8 and 3.7 i wouldn't.

Be sure to update the versionchanged in the docs if you choose to do it for 3.9.

msg370124 - (view) Author: Christian Heimes (christian.heimes) \*  Date: 2020-05-27 19:50

New changeset db5aed931f8a617f7b63e773f62db468fe9c5ca1 by Christian Heimes in branch 'master':
bpo-40791: Use CRYPTO\_memcmp() for compare\_digest (#20456)
https://github.com/python/cpython/commit/db5aed931f8a617f7b63e773f62db468fe9c5ca1

msg370195 - (view) Author: miss-islington (miss-islington) Date: 2020-05-28 12:10

New changeset 8183e11d87388e4e44e3242c42085b87a878f781 by Christian Heimes in branch '3.9':
\[3.9\] bpo-40791: Use CRYPTO\_memcmp() for compare\_digest (GH-20456) (GH-20461)
https://github.com/python/cpython/commit/8183e11d87388e4e44e3242c42085b87a878f781

msg381530 - (view) Author: Gregory P. Smith (gregory.p.smith) \*  Date: 2020-11-21 08:55

New changeset 31729366e2bc09632e78f3896dbce0ae64914f28 by Devin Jeanpierre in branch 'master':
bpo-40791: Make compare\_digest more constant-time. (GH-20444)
https://github.com/python/cpython/commit/31729366e2bc09632e78f3896dbce0ae64914f28

msg381531 - (view) Author: miss-islington (miss-islington) Date: 2020-11-21 09:12

New changeset 97136d71a78a4b6b816f7e14acc52be426efcb6f by Miss Islington (bot) in branch '3.8':
bpo-40791: Make compare\_digest more constant-time. (GH-20444)
https://github.com/python/cpython/commit/97136d71a78a4b6b816f7e14acc52be426efcb6f

msg381533 - (view) Author: miss-islington (miss-islington) Date: 2020-11-21 09:18

New changeset c1bbca5b004b3f74d240ef8a76ff445cc1a27efb by Miss Islington (bot) in branch '3.9':
bpo-40791: Make compare\_digest more constant-time. (GH-20444)
https://github.com/python/cpython/commit/c1bbca5b004b3f74d240ef8a76ff445cc1a27efb

msg381624 - (view) Author: Benjamin Peterson (benjamin.peterson) \*  Date: 2020-11-22 17:33

New changeset db95802bdfac4d13db3e2a391ec7b9e2f8d92dbe by Miss Islington (bot) in branch '3.7':
bpo-40791: Make compare\_digest more constant-time. (GH-23438)
https://github.com/python/cpython/commit/db95802bdfac4d13db3e2a391ec7b9e2f8d92dbe

msg382972 - (view) Author: Michał Górny (mgorny) \* Date: 2020-12-14 10:12

Any reason this wasn't backported to 3.6?  FWICS it's supposed to be security supported still.

msg382993 - (view) Author: Ned Deily (ned.deily) \*  Date: 2020-12-14 17:05

New changeset 8bef9ebb1b88cfa4b2a38b93fe4ea22015d8254a by Miss Islington (bot) in branch '3.6':
bpo-40791: Make compare\_digest more constant-time. (GH-23438) (GH-23767)
https://github.com/python/cpython/commit/8bef9ebb1b88cfa4b2a38b93fe4ea22015d8254a

msg382995 - (view) Author: Ned Deily (ned.deily) \*  Date: 2020-12-14 17:11

\> Any reason this wasn't backported to 3.6?

Just an oversight. Thanks for pointing it out.

History Date User Action Args 2022-04-11 14:59:31adminsetgithub: 84968 2020-12-14 17:11:27ned.deilysetmessages: + msg382995  
versions: + Python 3.6 2020-12-14 17:05:09ned.deilysetnosy: + ned.deily  
messages: + msg382993  
2020-12-14 16:41:09miss-islingtonsetpull\_requests: + pull\_request22623 2020-12-14 10:12:35mgornysetnosy: + mgorny  
messages: + msg382972  
2020-11-22 17:34:28benjamin.petersonsetstatus: open -> closed  
resolution: fixed  
stage: patch review -> resolved 2020-11-22 17:33:22benjamin.petersonsetnosy: + benjamin.peterson  
messages: + msg381624  
2020-11-21 09:18:44miss-islingtonsetmessages: + msg381533 2020-11-21 09:12:24miss-islingtonsetmessages: + msg381531 2020-11-21 08:56:06miss-islingtonsetpull\_requests: + pull\_request22330 2020-11-21 08:55:58miss-islingtonsetpull\_requests: + pull\_request22329 2020-11-21 08:55:51miss-islingtonsetpull\_requests: + pull\_request22328 2020-11-21 08:55:27gregory.p.smithsetmessages: + msg381530 2020-05-28 12:10:04miss-islingtonsetnosy: + miss-islington  
messages: + msg370195  
2020-05-27 19:51:51christian.heimessetpull\_requests: + pull\_request19714 2020-05-27 19:50:11christian.heimessetmessages: + msg370124 2020-05-27 19:46:01gregory.p.smithsetmessages: + msg370122 2020-05-27 19:18:24christian.heimessetmessages: + msg370121 2020-05-27 16:14:21christian.heimessetmessages: + msg370109 2020-05-27 16:12:11christian.heimessetpull\_requests: + pull\_request19711 2020-05-27 16:05:20gregory.p.smithsetassignee: christian.heimes  
messages: + msg370108 2020-05-27 15:26:51rhettingersetversions: - Python 3.5, Python 3.6  
nosy: + rhettinger

messages: + msg370094

type: security

2020-05-27 15:25:47zach.waresetnosy: + gregory.p.smith, christian.heimes  
2020-05-27 09:00:48Devin Jeanpierresetkeywords: + patch  
stage: patch review  
pull\_requests: + pull\_request19700 2020-05-27 07:41:07Devin Jeanpierrecreate