A use-after-free issue was addressed with improved memory management. This issue is fixed in watchOS 9.5, iOS 15.7.6 and iPadOS 15.7.6, macOS Ventura 13.4, Safari 16.5, tvOS 16.5, iOS 16.5 and iPadOS 16.5. Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.

This document describes the security content of Safari 16.5.

**About Apple security updates**

For our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the Apple security updates page.

Apple security documents reference vulnerabilities by CVE-ID when possible.

For more information about security, see the Apple Product Security page.

**Safari 16.5**

Released May 18, 2023

**WebKit**

Available for: macOS Big Sur and macOS Monterey

Impact: Processing web content may disclose sensitive information

Description: An out-of-bounds read was addressed with improved input validation.

WebKit Bugzilla: 255075  
CVE-2023-32402: an anonymous researcher

**WebKit**

Available for: macOS Big Sur and macOS Monterey

Impact: Processing web content may disclose sensitive information

Description: A buffer overflow issue was addressed with improved memory handling.

WebKit Bugzilla: 254781  
CVE-2023-32423: Ignacio Sanmillan (@ulexec)

**WebKit**

Available for: macOS Big Sur and macOS Monterey

Impact: A remote attacker may be able to break out of Web Content sandbox. Apple is aware of a report that this issue may have been actively exploited.

Description: The issue was addressed with improved bounds checks.

WebKit Bugzilla: 255350  
CVE-2023-32409: Clément Lecigne of Google's Threat Analysis Group and Donncha Ó Cearbhaill of Amnesty International’s Security Lab

**WebKit**

Available for: macOS Big Sur and macOS Monterey

Impact: Processing web content may disclose sensitive information. Apple is aware of a report that this issue may have been actively exploited.

Description: An out-of-bounds read was addressed with improved input validation.

WebKit Bugzilla: 254930  
CVE-2023-28204: an anonymous researcher

**WebKit**

Available for: macOS Big Sur and macOS Monterey

Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.

Description: A use-after-free issue was addressed with improved memory management.

WebKit Bugzilla: 254840  
CVE-2023-32373: an anonymous researcher

Information about products not manufactured by Apple, or independent websites not controlled or tested by Apple, is provided without recommendation or endorsement. Apple assumes no responsibility with regard to the selection, performance, or use of third-party websites or products. Apple makes no representations regarding third-party website accuracy or reliability. Contact the vendor for additional information.

Published Date: May 18, 2023

CVE-2023-32373: About the security content of Safari 16.5

A denial-of-service issue was addressed with improved memory handling. This issue is fixed in iOS 16.5 and iPadOS 16.5, macOS Ventura 13.4. Opening a PDF file may lead to unexpected app termination

Released May 18, 2023

**Accessibility**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to bypass Privacy preferences

Description: A privacy issue was addressed with improved private data redaction for log entries.

CVE-2023-32388: Kirin (@Pwnrin)

**Accessibility**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: Entitlements and privacy permissions granted to this app may be used by a malicious app

Description: This issue was addressed with improved checks.

CVE-2023-32400: Mickey Jin (@patch1t)

**AppleMobileFileIntegrity**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to bypass Privacy preferences

Description: This issue was addressed with improved entitlements.

CVE-2023-32411: Mickey Jin (@patch1t)

**Associated Domains**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to break out of its sandbox

Description: The issue was addressed with improved checks.

CVE-2023-32371: James Duffy (mangoSecure)

**Cellular**

Available for: iPhone 8 and iPhone X

Impact: A remote attacker may be able to cause arbitrary code execution

Description: The issue was addressed with improved bounds checks.

CVE-2023-32419: Amat Cama of Vigilant Labs

**Core Location**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to read sensitive location information

Description: The issue was addressed with improved handling of caches.

CVE-2023-32399: an anonymous researcher

**CoreServices**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to bypass Privacy preferences

Description: This issue was addressed with improved redaction of sensitive information.

CVE-2023-28191: Mickey Jin (@patch1t)

**GeoServices**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to read sensitive location information

Description: A privacy issue was addressed with improved private data redaction for log entries.

CVE-2023-32392: an anonymous researcher

**ImageIO**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: Processing an image may result in disclosure of process memory

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2023-32372: Meysam Firouzi of @R00tkitSMM Mbition mercedes-benz innovation lab working with Trend Micro Zero Day Initiative

**ImageIO**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: Processing an image may lead to arbitrary code execution

Description: A buffer overflow was addressed with improved bounds checking.

CVE-2023-32384: Meysam Firouzi @R00tkitsmm working with Trend Micro Zero Day Initiative

**IOSurfaceAccelerator**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to disclose kernel memory

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2023-32354: Linus Henze of Pinauten GmbH (pinauten.de)

**IOSurfaceAccelerator**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to cause unexpected system termination or read kernel memory

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2023-32420: Linus Henze of Pinauten GmbH (pinauten.de)

**Kernel**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: A type confusion issue was addressed with improved checks.

CVE-2023-27930: 08Tc3wBB of Jamf

**Kernel**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: A use-after-free issue was addressed with improved memory management.

CVE-2023-32398: Adam Doupé of ASU SEFCOM

**Kernel**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to gain root privileges

Description: A race condition was addressed with improved state handling.

CVE-2023-32413: Eloi Benoist-Vanderbeken (@elvanderb) from Synacktiv (@Synacktiv) working with Trend Micro Zero Day Initiative

**LaunchServices**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: An app may bypass Gatekeeper checks

Description: A logic issue was addressed with improved checks.

CVE-2023-32352: Wojciech Reguła (@\_r3ggi) of SecuRing (wojciechregula.blog)

**Metal**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to bypass Privacy preferences

Description: A logic issue was addressed with improved state management.

CVE-2023-32407: Gergely Kalman (@gergely\_kalman)

**Model I/O**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: Processing a 3D model may result in disclosure of process memory

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2023-32368: Mickey Jin (@patch1t)

**NetworkExtension**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to read sensitive location information

Description: This  issue was addressed with improved redaction of sensitive information.

CVE-2023-32403: an anonymous researcher

**PDFKit**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: Opening a PDF file may lead to unexpected app termination

Description: A denial-of-service issue was addressed with improved memory handling.

CVE-2023-32385: Jonathan Fritz

**Photos**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: Shake-to-undo may allow a deleted photo to be re-surfaced without authentication

Description: The issue was addressed with improved checks.

CVE-2023-32365: Jiwon Park

**Photos**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: Photos belonging to the Hidden Photos Album could be viewed without authentication through Visual Lookup

Description: The issue was addressed with improved checks.

CVE-2023-32390: Julian Szulc

**Sandbox**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to retain access to system configuration files even after its permission is revoked

Description: An authorization issue was addressed with improved state management.

CVE-2023-32357: Yiğit Can YILMAZ (@yilmazcanyigit), Koh M. Nakagawa of FFRI Security, Inc., Kirin (@Pwnrin), Jeff Johnson (underpassapp.com), and Csaba Fitzl (@theevilbit) of Offensive Security

**Security**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to access user-sensitive data

Description: This issue was addressed with improved entitlements.

CVE-2023-32367: James Duffy (mangoSecure)

**Shortcuts**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: A shortcut may be able to use sensitive data with certain actions without prompting the user

Description: The issue was addressed with improved checks.

CVE-2023-32391: Wenchao Li and Xiaolong Bai of Alibaba Group

**Shortcuts**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to bypass Privacy preferences

Description: This issue was addressed with improved entitlements.

CVE-2023-32404: Mickey Jin (@patch1t), Zhipeng Huo (@R3dF09) of Tencent Security Xuanwu Lab (xlab.tencent.com), and an anonymous researcher

**Siri**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: A person with physical access to a device may be able to view contact information from the lock screen

Description: The issue was addressed with improved checks.

CVE-2023-32394: Khiem Tran

**SQLite**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to bypass Privacy preferences

Description: This issue was addressed by adding additional SQLite logging restrictions.

CVE-2023-32422: Gergely Kalman (@gergely\_kalman), and Wojciech Reguła of SecuRing (wojciechregula.blog)

Entry updated June 2, 2023

**StorageKit**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to modify protected parts of the file system

Description: This issue was addressed with improved entitlements.

CVE-2023-32376: Yiğit Can YILMAZ (@yilmazcanyigit)

**System Settings**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: An app firewall setting may not take effect after exiting the Settings app

Description: This issue was addressed with improved state management.

CVE-2023-28202: Satish Panduranga and an anonymous researcher

**Telephony**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: A remote attacker may be able to cause unexpected app termination or arbitrary code execution

Description: A use-after-free issue was addressed with improved memory management.

CVE-2023-32412: Ivan Fratric of Google Project Zero

**TV App**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to read sensitive location information

Description: The issue was addressed with improved handling of caches.

CVE-2023-32408: an anonymous researcher

**Weather**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to read sensitive location information

Description: This  issue was addressed with improved redaction of sensitive information.

CVE-2023-32415: Wojciech Regula of SecuRing (wojciechregula.blog), and an anonymous researcher

**WebKit**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: Processing web content may disclose sensitive information

Description: An out-of-bounds read was addressed with improved input validation.

WebKit Bugzilla: 255075  
CVE-2023-32402: an anonymous researcher

**WebKit**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: Processing web content may disclose sensitive information

Description: A buffer overflow issue was addressed with improved memory handling.

WebKit Bugzilla: 254781  
CVE-2023-32423: Ignacio Sanmillan (@ulexec)

**WebKit**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: A remote attacker may be able to break out of Web Content sandbox. Apple is aware of a report that this issue may have been actively exploited.

Description: The issue was addressed with improved bounds checks.

WebKit Bugzilla: 255350  
CVE-2023-32409: Clément Lecigne of Google's Threat Analysis Group and Donncha Ó Cearbhaill of Amnesty International’s Security Lab

**WebKit**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: Processing web content may disclose sensitive information. Apple is aware of a report that this issue may have been actively exploited.

Description: An out-of-bounds read was addressed with improved input validation.

WebKit Bugzilla: 254930  
CVE-2023-28204: an anonymous researcher

_This issue was first addressed in Rapid Security Response iOS 16.4.1 (a) and iPadOS 16.4.1 (a)._

**WebKit**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.

Description: A use-after-free issue was addressed with improved memory management.

WebKit Bugzilla: 254840  
CVE-2023-32373: an anonymous researcher

_This issue was first addressed in Rapid Security Response iOS 16.4.1 (a) and iPadOS 16.4.1 (a)._

**Wi-Fi**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to disclose kernel memory

Description: This  issue was addressed with improved redaction of sensitive information.

CVE-2023-32389: Pan ZhenPeng (@Peterpan0927) of STAR Labs SG Pte. Ltd.

CVE-2023-32385: About the security content of iOS 16.5 and iPadOS 16.5

LibreDWG v0.12.5 was discovered to contain a heap buffer overflow via the function bit_wcs2nlen at bits.c.

Hello, I was testing my fuzzer and found two bugs in dwg2SVG.

**environment**

ubuntu 20.04, GCC 9.4.0, libredwg latest commit 9df4ec3

compile with

    ./autogen.sh && ./configure --disable-shared && make -j$(nproc)
    

##BUG1

    ./dwg2SVG ../pocs/poc0.bit_utf8_to_TU
    =================================================================
    ==19712==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000000dc at pc 0x5603ca37f05a bp 0x7fff049b1c90 sp 0x7fff049b1c80
    WRITE of size 2 at 0x6020000000dc thread T0
        #0 0x5603ca37f059 in bit_utf8_to_TU /libredwg/src/bits.c:2883
        #1 0x5603cae6faab in dwg_is_valid_tag /libredwg/src/dwg_api.c:22059
        #2 0x5603cae6faab in dwg_is_valid_tag /libredwg/src/dwg_api.c:22048
        #3 0x5603ca7744de in dwg_decode_ATTRIB_private /libredwg/src/dwg.spec:204
        #4 0x5603ca8fe1ec in dwg_decode_ATTRIB /libredwg/src/dwg.spec:187
        #5 0x5603cacaa3a2 in decode_preR13_entities /libredwg/src/decode.c:6520
        #6 0x5603cacf559c in decode_preR13 /libredwg/src/decode_r11.c:719
        #7 0x5603cac76a6a in dwg_decode /libredwg/src/decode.c:217
        #8 0x5603ca362d77 in dwg_read_file /libredwg/src/dwg.c:261
        #9 0x5603ca35857c in main /libredwg/programs/dwg2SVG.c:979
        #10 0x7fc02854f082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082)
        #11 0x5603ca358c1d in _start (/validate/dwg2SVG/dwg2SVG+0x206c1d)
    
    0x6020000000dc is located 0 bytes to the right of 12-byte region [0x6020000000d0,0x6020000000dc)
    allocated by thread T0 here:
        #0 0x7fc028979a06 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:153
        #1 0x5603ca37e83a in bit_utf8_to_TU /libredwg/src/bits.c:2856
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /libredwg/src/bits.c:2883 in bit_utf8_to_TU
    Shadow bytes around the buggy address:
      0x0c047fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c047fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c047fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c047fff8000: fa fa 00 00 fa fa 00 fa fa fa 00 fa fa fa 00 00
    =>0x0c047fff8010: fa fa 02 fa fa fa 01 fa fa fa 00[04]fa fa fa fa
      0x0c047fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==19712==ABORTING
    

##BUG2

    ./dwg2SVG ../pocs/poc1.bit_wcs2nlen
    ==19713==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60400000097a at pc 0x55781f6dd09d bp 0x7ffc201cb2e0 sp 0x7ffc201cb2d0
    READ of size 2 at 0x60400000097a thread T0
        #0 0x55781f6dd09c in bit_wcs2nlen /libredwg/src/bits.c:1834
        #1 0x5578201d2abb in dwg_is_valid_tag /libredwg/src/dwg_api.c:22060
        #2 0x5578201d2abb in dwg_is_valid_tag /libredwg/src/dwg_api.c:22048
        #3 0x55781fad74de in dwg_decode_ATTRIB_private /libredwg/src/dwg.spec:204
        #4 0x55781fc611ec in dwg_decode_ATTRIB /libredwg/src/dwg.spec:187
        #5 0x55782000d3a2 in decode_preR13_entities /libredwg/src/decode.c:6520
        #6 0x55782005859c in decode_preR13 /libredwg/src/decode_r11.c:719
        #7 0x55781ffd9a6a in dwg_decode /libredwg/src/decode.c:217
        #8 0x55781f6c5d77 in dwg_read_file /libredwg/src/dwg.c:261
        #9 0x55781f6bb57c in main /libredwg/programs/dwg2SVG.c:979
        #10 0x7faa3dcaf082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082)
        #11 0x55781f6bbc1d in _start (/validate/dwg2SVG/dwg2SVG+0x206c1d)
    
    0x60400000097a is located 0 bytes to the right of 42-byte region [0x604000000950,0x60400000097a)
    allocated by thread T0 here:
        #0 0x7faa3e0d9a06 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:153
        #1 0x55781f6e183a in bit_utf8_to_TU /libredwg/src/bits.c:2856
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /libredwg/src/bits.c:1834 in bit_wcs2nlen
    Shadow bytes around the buggy address:
      0x0c087fff80d0: fa fa 00 00 00 00 00 00 fa fa 00 00 00 00 00 00
      0x0c087fff80e0: fa fa 00 00 00 00 00 00 fa fa 00 00 00 00 00 00
      0x0c087fff80f0: fa fa 00 00 00 00 00 00 fa fa 00 00 00 00 00 00
      0x0c087fff8100: fa fa 00 00 00 00 00 00 fa fa 00 00 00 00 00 fa
      0x0c087fff8110: fa fa 00 00 00 00 00 00 fa fa 00 00 00 00 00 00
    =>0x0c087fff8120: fa fa 00 00 00 00 00 00 fa fa 00 00 00 00 00[02]
      0x0c087fff8130: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c087fff8140: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c087fff8150: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c087fff8160: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c087fff8170: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==19713==ABORTING
    

**POC**

poc.zip

**Credit**

Han Zheng (Hexhive, NCNIPC of China)

CVE-2023-36271: [FUZZ] two bugs in dwg2SVG · Issue #681 · LibreDWG/libredwg

LibreDWG v0.12.5 was discovered to contain a heap buffer overflow via the function bit_utf8_to_TU at bits.c.

CVE-2023-36272: [FUZZ] two bugs in dwg2SVG · Issue #681 · LibreDWG/libredwg

LibreDWG v0.12.5 was discovered to contain a heap buffer overflow via the function bit_write_TF at bits.c.

**Comments**

 rurban changed the title \[BUG\] two bugs in dwg2dxf \[FUZZ\] two bugs in dwg2dxf

Mar 30, 2023

rurban added a commit that referenced this issue

Mar 30, 2023

Sanitize wrong auxheader\_address or auxheader\_size.
Fixes part1 of GH #677

rurban added a commit that referenced this issue

Mar 30, 2023

1.: use unsigned length
2.: fix wrong size check for case 9, long len.

Fixes GH #677

rurban added a commit that referenced this issue

Mar 30, 2023

Sanitize wrong auxheader\_address or auxheader\_size.
Fixes part1 of GH #677

rurban added a commit that referenced this issue

Mar 30, 2023

1.: use unsigned length
2.: fix wrong size check for case 9, long len.

Fixes GH #677

rurban added a commit that referenced this issue

Mar 30, 2023

Sanitize wrong auxheader\_address or auxheader\_size.
Fixes part1 of GH #677

rurban added a commit that referenced this issue

Mar 30, 2023

1.: use unsigned length
2.: fix wrong size check for case 9, long len.

Fixes GH #677

rurban added a commit that referenced this issue

Mar 31, 2023

CVE-2023-36274: [FUZZ] two bugs in dwg2dxf · Issue #677 · LibreDWG/libredwg

LibreDWG v0.12.5 was discovered to contain a heap buffer overflow via the function bit_calc_CRC at bits.c.

CVE-2023-36273: [FUZZ] two bugs in dwg2dxf · Issue #677 · LibreDWG/libredwg

Debian Linux Security Advisory 5438-1 - A flaw was found in Asterisk, an Open Source Private Branch Exchange. A buffer overflow vulnerability affects users that use PJSIP DNS resolver. This vulnerability is related to CVE-2022-24793. The difference is that this issue is in parsing the query record parse_query(), while the issue in CVE-2022-24793 is in parse_rr(). A workaround is to disable DNS resolution in PJSIP config (by setting nameserver_count to zero) or use an external resolver implementation instead.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5438-1                   security@debian.orghttps://www.debian.org/security/                          Markus KoschanyJune 22, 2023                         https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : asteriskCVE ID         : CVE-2023-27585Debian Bug     : 1036697A flaw was found in Asterisk, an Open Source Private Branch Exchange. Abuffer overflow vulnerability affects users that use PJSIP DNS resolver.This vulnerability is related to CVE-2022-24793. The difference is thatthis issue is in parsing the query record `parse_query()`, while the issuein CVE-2022-24793 is in `parse_rr()`. A workaround is to disable DNSresolution in PJSIP config (by setting `nameserver_count` to zero) or usean external resolver implementation instead.For the oldstable distribution (bullseye), this problem has been fixedin version 1:16.28.0~dfsg-0+deb11u3.We recommend that you upgrade your asterisk packages.For the detailed security status of asterisk please refer toits security tracker page at:https://security-tracker.debian.org/tracker/asteriskFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQKTBAEBCgB9FiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAmSUwnRfFIAAAAAALgAoaXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFDRjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQACgkQ2a0UuVE7UeRsCxAAuFfItEe6Gyu5VcJqSzHQpy+kfbBD1F6msFf7GnNzx4WiJssF5b4eVC4hIm6N4tW6S3YfoymUC4chFy9ifeH10HMruAlWik+h4v/TLEaeBps4UF6JmUkF8ra4ML3NT+vkdaLlFF7jtcDyTZXc0Vhy2wQ51EABX8bd7vUp39UObhZZw6+wJjrT6tCcP7wwMEOkoUCrg3llX/yvtpHqJiYo6yLrtEaoPpLvl2up6cx9FRvuK7E1B2hhPu0HoULxjphtz3Xmccw5kViC7zIo588GXCqIQW0/t6Uh0pYT1aWpWAfViMlpOtZx+PffpvFJy8Vizyp3MQ3yVZSOMrz68uOenXUkh9BbrdMw8AHbZgk/j8mKFbQhGJNfB2098BcmibGF3fPr0g6Ux6dGXlWUF1fMeuChmo5dylZhxmI4/M6wd5sqpHv4+RiEOM4XlROdlRQVToHIBGbwGvFAD7hiv6/wjmOXuY1NafqzCTyX1awMgKcQPqjPrUo1ugWyIQayIG2RhSKC/x8fUn1fr5+kA/KjvjH7pLtlvr2MWhOWV5ryUtuXdqGp5YWGZV5D2gA2sGeeGJgmAZfnzW6iY7/EZcLTnF1uWHGEk5cN/FQIObpqTqmSU2KOYWWmUOOVLAbko9P1aLCUNjj1WOzOMy29nbGBINnQquyW2DkhoaTYW6jjmPc==SDbp-----END PGP SIGNATURE-----

Debian Security Advisory 5438-1

Buffer Overflow vulnerability in coap_send function in libcoap library 4.3.1-103-g52cfd56 fixed in 4.3.1-120-ge242200 allows attackers to obtain sensitive information via malformed pdu.

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Pick a username

Email Address

Password

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CVE-2023-30362: net.c: Fix potential overflow in coap_send_internal() by mrdeep1 · Pull Request #1065 · obgm/libcoap

Sngrep v1.6.0 was discovered to contain a heap buffer overflow via the function capture_ws_check_packet at /src/capture.c.

Hello, Sngrep developers! We recently ran some fuzz testing on sngrep 1.6.0 and encountered a heap-buffer-overflow bug. The ASAN report is provided below.

\==909699==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200001137a at pc 0x00000049b787 bp 0x7fa0664f97f0 sp 0x7fa0664f8fb8  
READ of size 4 at 0x60200001137a thread T1  
#0 0x49b786 in \_\_asan\_memcpy (/home/root/sp/Fuzz/aflpp\_fuzz/Sngrep/sngrep/sngrep\_1/sngrep+0x49b786)  
#1 0x4d5def in capture\_ws\_check\_packet /home/root/sp/Dataset/Sngrep/sngrep-1.6.0/src/capture.c:923:9  
#2 0x4d177f in parse\_packet /home/root/sp/Dataset/Sngrep/sngrep-1.6.0/src/capture.c:444:9  
#3 0x7fa068139466 (/lib/x86\_64-linux-gnu/libpcap.so.0.8+0x23466)  
#4 0x7fa068127f67 in pcap\_loop (/lib/x86\_64-linux-gnu/libpcap.so.0.8+0x11f67)  
#5 0x4cf5c9 in capture\_thread /home/root/sp/Dataset/Sngrep/sngrep-1.6.0/src/capture.c:1042:5  
#6 0x7fa0680f9608 in start\_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread\_create.c:477:8  
#7 0x7fa067ea4132 in \_\_clone /build/glibc-SzIz7B/glibc-2.31/misc/../sysdeps/unix/sysv/linux/x86\_64/clone.S:95

0x60200001137a is located 6 bytes to the right of 4-byte region \[0x602000011370,0x602000011374)  
allocated by thread T1 here:  
#0 0x49c3cd in \_\_interceptor\_malloc (/home/root/sp/Fuzz/aflpp\_fuzz/Sngrep/sngrep/sngrep\_1/sngrep+0x49c3cd)  
#1 0x4dc743 in packet\_set\_payload /home/root/sp/Dataset/Sngrep/sngrep-1.6.0/src/packet.c:145:27  
#2 0x4d4bd5 in capture\_packet\_reasm\_tcp /home/root/sp/Dataset/Sngrep/sngrep-1.6.0/src/capture.c:788:9  
#3 0x4d1722 in parse\_packet /home/root/sp/Dataset/Sngrep/sngrep-1.6.0/src/capture.c:433:21  
#4 0x7fa068139466 (/lib/x86\_64-linux-gnu/libpcap.so.0.8+0x23466)

Thread T1 created by T0 here:  
#0 0x486a8c in pthread\_create (/home/root/sp/Fuzz/aflpp\_fuzz/Sngrep/sngrep/sngrep\_1/sngrep+0x486a8c)  
#1 0x4d712c in capture\_launch\_thread /home/root/sp/Dataset/Sngrep/sngrep-1.6.0/src/capture.c:1027:13  
#2 0x4efb9e in main /home/root/sp/Dataset/Sngrep/sngrep-1.6.0/src/main.c:433:9  
#3 0x7fa067da9082 in \_\_libc\_start\_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/root/sp/Fuzz/aflpp\_fuzz/Sngrep/sngrep/sngrep\_1/sngrep+0x49b786) in \_\_asan\_memcpy  
Shadow bytes around the buggy address:  
0x0c047fffa210: fa fa fd fa fa fa fd fd fa fa fd fa fa fa fd fd  
0x0c047fffa220: fa fa fd fa fa fa fd fa fa fa fd fd fa fa fd fa  
0x0c047fffa230: fa fa fd fd fa fa fd fa fa fa fd fd fa fa fd fa  
0x0c047fffa240: fa fa fd fa fa fa fd fd fa fa fd fa fa fa fd fd  
0x0c047fffa250: fa fa fd fa fa fa fd fd fa fa fd fa fa fa fd fa  
\=>0x0c047fffa260: fa fa 00 00 fa fa 00 fa fa fa fd fa fa fa 04\[fa\]  
0x0c047fffa270: fa fa fd fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c047fffa280: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c047fffa290: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c047fffa2a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c047fffa2b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
Shadow byte legend (one shadow byte represents 8 application bytes):  
Addressable: 00  
Partially addressable: 01 02 03 04 05 06 07  
Heap left redzone: fa  
Freed heap region: fd  
Stack left redzone: f1  
Stack mid redzone: f2  
Stack right redzone: f3  
Stack after return: f5  
Stack use after scope: f8  
Global redzone: f9  
Global init order: f6  
Poisoned by user: f7  
Container overflow: fc  
Array cookie: ac  
Intra object redzone: bb  
ASan internal: fe  
Left alloca redzone: ca  
Right alloca redzone: cb  
\==909699==ABORTING

**Command To Reproduce the bug:**

./sngrep -N -I $crash\_seed  
The URL of crash\_seed is crash\_seed

**Environment**

*   OS: Ubuntu 20.04
*   gcc 9.4.0
*   ndisasm: 1.6.0

Many Thanks.

CVE-2023-36192: heap-buffer-overflow on capture.c:923:9 · Issue #438 · irontec/sngrep

Gifsicle v1.9.3 was discovered to contain a heap buffer overflow via the ambiguity_error component at /src/clp.c.

Hello, Gifsicle developers! We recently ran some fuzz testing on gifsicle 1.93 and encountered a heap-buffer-overflow bug.

**Command To Reproduce the bug:**

./gifsicle --loopcount=-

**Environment**

*   OS: Ubuntu 20.04
*   gcc 9.4.0
*   gifsicle 1.93

**ASAN Report**

\=================================================================  
\==956047==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60300000005a at pc 0x0000004dd2b4 bp 0x7ffcf8c9a7f0 sp 0x7ffcf8c9a7e8  
READ of size 1 at 0x60300000005a thread T0  
#0 0x4dd2b3 in ambiguity\_error /home/root/sp/Dataset/Gifsicle/gifsicle\_aflpp/src/clp.c:2395:62  
#1 0x4d17b1 in parse\_string\_list /home/root/sp/Dataset/Gifsicle/gifsicle\_aflpp/src/clp.c:1216:9  
#2 0x4d949e in Clp\_Next /home/root/sp/Dataset/Gifsicle/gifsicle\_aflpp/src/clp.c:1967:6  
#3 0x5a235f in main /home/root/sp/Dataset/Gifsicle/gifsicle\_aflpp/src/gifsicle.c:1533:15  
#4 0x7fdb41691082 in \_\_libc\_start\_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16  
#5 0x41d4cd in \_start (/home/root/sp/Dataset/Gifsicle/gifsicle\_aflpp/install/bin/gifsicle+0x41d4cd)

0x60300000005a is located 2 bytes to the right of 24-byte region \[0x603000000040,0x603000000058)  
allocated by thread T0 here:  
#0 0x499c7d in \_\_interceptor\_malloc (/home/root/sp/Dataset/Gifsicle/gifsicle\_aflpp/install/bin/gifsicle+0x499c7d)  
#1 0x4d4a20 in finish\_string\_list /home/root/sp/Dataset/Gifsicle/gifsicle\_aflpp/src/clp.c:1230:50  
#2 0x4d47fc in Clp\_AddStringListType /home/root/sp/Dataset/Gifsicle/gifsicle\_aflpp/src/clp.c:1332:9  
#3 0x5a1e11 in main /home/root/sp/Dataset/Gifsicle/gifsicle\_aflpp/src/gifsicle.c:1461:3  
#4 0x7fdb41691082 in \_\_libc\_start\_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/root/sp/Dataset/Gifsicle/gifsicle\_aflpp/src/clp.c:2395:62 in ambiguity\_error  
Shadow bytes around the buggy address:  
0x0c067fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x0c067fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x0c067fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x0c067fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x0c067fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
\=>0x0c067fff8000: fa fa 00 00 00 00 fa fa 00 00 00\[fa\]fa fa 00 00  
0x0c067fff8010: 00 00 fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa  
0x0c067fff8020: 00 00 00 00 fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c067fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c067fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c067fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
Shadow byte legend (one shadow byte represents 8 application bytes):  
Addressable: 00  
Partially addressable: 01 02 03 04 05 06 07  
Heap left redzone: fa  
Freed heap region: fd  
Stack left redzone: f1  
Stack mid redzone: f2  
Stack right redzone: f3  
Stack after return: f5  
Stack use after scope: f8  
Global redzone: f9  
Global init order: f6  
Poisoned by user: f7  
Container overflow: fc  
Array cookie: ac  
Intra object redzone: bb  
ASan internal: fe  
Left alloca redzone: ca  
Right alloca redzone: cb  
\==956047==ABORTING

Many Thanks.  
cheng meng da

Tag

#buffer_overflow