NetHack is a single player dungeon exploration game. Starting with version 3.6.2 and prior to version 3.6.7, illegal input to the "C" (call) command can cause a buffer overflow and crash the NetHack process. This vulnerability may be a security issue for systems that have NetHack installed suid/sgid and for shared systems. For all systems, it may result in a process crash. This issue is resolved in NetHack 3.6.7. There are no known workarounds.

**Impact**

Illegal input to the "C" (call) command can crash the NetHack process.

**CVSS including Temporal Score**

For a multiuser installation: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:R (6.5 Medium)  
For a single user installation: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L (3.3 Low)

**Patches**

This issue is resolved in NetHack 3.6.7.

**Workarounds**

None.

Additional information, if any, will be made available at https://nethack.org/security.

**For more information**

If you have any questions or comments about this advisory:

*   Submit our contact form at https://nethack.org/common/contact.html
*   Email us at devteam@nethack.org

CVE-2023-24809: NetHack Call command buffer overflow

Buffer Overflow vulnerability in Dvidelabs flatcc v.0.6.0 allows local attacker to execute arbitrary code via the fltacc execution of the error_ref_sym function.

in parser.c  
k seems like the size of the rest of buffer on stack(var 'buf' which type is char\[\]).  
n is memcpy size as 3rd para.  
while condition k>0 to keep buffer is not full.  
if enter in if(k<n) branch n=k,var n is assigned the value of k  
then k -=n ,var k is assigned the value 0  
then --k, var k is assigned the value 0xffffffffffffffff while var k's type is size\_t.  
so the while conditionk > 0 not make sense.  
next memcpy will lead to stack overflow

void error\_ref\_sym(fb\_parser\_t \*P, fb\_ref\_t \*ref, const char \*msg, fb\_symbol\_t \*s2)
{
    fb\_ref\_t \*p;
    char buf\[FLATCC\_MAX\_IDENT\_SHOW + 1\];
    size\_t k = FLATCC\_MAX\_IDENT\_SHOW;
    size\_t n = 0;
    size\_t n0 = 0;
    p = ref;
    while (p && k > 0) {
        n = (size\_t)p->ident\->len;
        if (k < n) {
            n = k;
        }
        memcpy(buf + n0, p->ident\->text, n);
        k -= n;
        n0 += n;
        buf\[n0\] = '.';
        --k; //overflow here when k = 0
        ++n0;
        p = p->link;
    }
    buf\[n0\] = '\\0';
    if (n0 > 0) {
        --n0;
    }
    if (k <= 0) {
        memcpy(buf + FLATCC\_MAX\_IDENT\_SHOW + 1 - 4, "...\\0", 4);
        n0 = FLATCC\_MAX\_IDENT\_SHOW;
    }
    error\_report(P, ref->ident, msg, s2 ? s2->ident : 0, buf, n0);
}

poc:

    ➜  fuzz_test cat test9
    struct tsj{
            damage:shortllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllve.tlllllllllllllllllllllllllllllllllllllll;
    }
    ➜  fuzz_test ../flatcc/bin/flatcc test9
    test9:2:9: error: 'shortlllllllllllllllllllllllllllllllllllllllllllll.tlllllllllllllllllllllllllllllllllllllll': unknown type reference used with struct field: test9:2:2: 'damage'
    *** stack smashing detected ***: terminated
    [1]    3685 abort (core dumped)  ../flatcc/bin/flatcc test9
    ➜  fuzz_test
    

    ➜  fuzz_test gdb ../flatcc/bin/flatcc
    GNU gdb (Ubuntu 9.2-0ubuntu1~20.04) 9.2
    Copyright (C) 2020 Free Software Foundation, Inc.
    License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
    This is free software: you are free to change and redistribute it.
    There is NO WARRANTY, to the extent permitted by law.
    Type "show copying" and "show warranty" for details.
    This GDB was configured as "x86_64-linux-gnu".
    Type "show configuration" for configuration details.
    For bug reporting instructions, please see:
    <http://www.gnu.org/software/gdb/bugs/>.
    Find the GDB manual and other documentation resources online at:
        <http://www.gnu.org/software/gdb/documentation/>.
    
    For help, type "help".
    Type "apropos word" to search for commands related to "word"...
    pwndbg: loaded 196 commands. Type pwndbg [filter] for a list.
    pwndbg: created $rebase, $ida gdb functions (can be used with print/break)
    Reading symbols from ../flatcc/bin/flatcc...
    pwndbg> set args test9
    pwndbg> r
    Starting program: /mnt/c/Users/tsj/Desktop/flatcc/bin/flatcc test9
    test9:2:9: error: 'shortlllllllllllllllllllllllllllllllllllllllllllll.tlllllllllllllllllllllllllllllllllllllll': unknown type reference used with struct field: test9:2:2: 'damage'
    *** stack smashing detected ***: terminated
    
    Program received signal SIGABRT, Aborted.
    __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
    50      ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
    LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
    ─────────────────────────────────────────────────────────────────────────────────[ REGISTERS ]──────────────────────────────────────────────────────────────────────────────────
     RAX  0x0
     RBX  0x7fffff7e13c0 ◂— 0x7fffff7e13c0
     RCX  0x8
     RDX  0x0
     RDI  0x2
     RSI  0x7ffffffed990 ◂— 0x0
     R8   0x0
     R9   0x7ffffffed990 ◂— 0x0
     R10  0x8
     R11  0x8
     R12  0x7ffffffedc10 ◂— 0x642ccf000a276567 /* "ge'\n" */
     R13  0x20
     R14  0x7fffff510000 ◂— 0x202a2a2a00001000
     R15  0x1
     RBP  0x7ffffffedd10 —▸ 0x7fffff76a07c ◂— '*** %s ***: terminated\n'
     RSP  0x7ffffffed990 ◂— 0x0
     RIP  0x7fffff5f618b (raise+203) ◂— mov    rax, qword ptr [rsp + 0x108]
    ───────────────────────────────────────────────────────────────────────────────────[ DISASM ]───────────────────────────────────────────────────────────────────────────────────
     ► 0x7fffff5f618b <raise+203>    mov    rax, qword ptr [rsp + 0x108]
       0x7fffff5f6193 <raise+211>    xor    rax, qword ptr fs:[0x28]
       0x7fffff5f619c <raise+220>    jne    raise+260 <raise+260>
        ↓
       0x7fffff5f61c4 <raise+260>    call   __stack_chk_fail <__stack_chk_fail>
    
       0x7fffff5f61c9                nop    dword ptr [rax]
       0x7fffff5f61d0 <killpg>       endbr64
       0x7fffff5f61d4 <killpg+4>     test   edi, edi
       0x7fffff5f61d6 <killpg+6>     js     killpg+16 <killpg+16>
    
       0x7fffff5f61d8 <killpg+8>     neg    edi
       0x7fffff5f61da <killpg+10>    jmp    kill <kill>
    
       0x7fffff5f61df <killpg+15>    nop
    ───────────────────────────────────────────────────────────────────────────────────[ STACK ]────────────────────────────────────────────────────────────────────────────────────
    00:0000│ rsi r9 rsp 0x7ffffffed990 ◂— 0x0
    01:0008│            0x7ffffffed998 —▸ 0x7ffffffedb48 ◂— 0x3000000030 /* '0' */
    02:0010│            0x7ffffffed9a0 —▸ 0x7ffffffedb60 ◂— "test9:2:9: error: 'shortlllllllllllllllllllllllllllllllllllllllllllll.tlllllllllllllllllllllllllllllllll"
    03:0018│            0x7ffffffed9a8 —▸ 0x7fffff63f11a (__vsnprintf_internal+170) ◂— mov    r9, qword ptr [rsp + 8]
    04:0020│            0x7ffffffed9b0 ◂— 0x3
    05:0028│            0x7ffffffed9b8 —▸ 0x7ffffffedab0 ◂— 0x20 /* ' ' */
    06:0030│            0x7ffffffed9c0 ◂— 0xfbad8001
    07:0038│            0x7ffffffed9c8 —▸ 0x7ffffffedb60 ◂— "test9:2:9: error: 'shortlllllllllllllllllllllllllllllllllllllllllllll.tlllllllllllllllllllllllllllllllll"
    ─────────────────────────────────────────────────────────────────────────────────[ BACKTRACE ]──────────────────────────────────────────────────────────────────────────────────
     ► f 0   0x7fffff5f618b raise+203
       f 1   0x7fffff5d5859 abort+299
       f 2   0x7fffff6403ee __libc_message+670
       f 3   0x7fffff6e2b4a __fortify_fail+42
       f 4   0x7fffff6e2b16
       f 5        0x8073af9
       f 6        0x80976b9 __flatcc_fb_build_schema+21961
       f 7        0x80976b9 __flatcc_fb_build_schema+21961
    ────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
    pwndbg>

CVE-2021-33983: found a integer overflow leads to stack_overflow  · Issue #188 · dvidelabs/flatcc

Buffer Overflow vulnerability in Saltstack v.3003 and before allows attacker to execute arbitrary code via the func variable in salt/salt/modules/status.py file.

CVE-2021-33226: salt/status.py at master · saltstack/salt

Buffer Overflow vulnerability in LibRaw linux/unix v0.20.0 allows attacker to escalate privileges via the LibRaw_buffer_datastream::gets(char*, int) in /src/libraw/src/libraw_datastream.cpp.

@@ -287,6 +287,7 @@ INT64 LibRaw\_file\_datastream::tell()

  

char \*LibRaw\_file\_datastream::gets(char \*str, int sz)

{

if(sz<1) return NULL;

LR\_STREAM\_CHK();

std::istream is(f.get());

is.getline(str, sz);

@@ -421,6 +422,7 @@ INT64 LibRaw\_buffer\_datastream::tell()

  

char \*LibRaw\_buffer\_datastream::gets(char \*s, int sz)

{

if(sz<1) return NULL;

unsigned char \*psrc, \*pdest, \*str;

str = (unsigned char \*)s;

psrc = buf + streampos;

@@ -618,6 +620,7 @@ INT64 LibRaw\_bigfile\_datastream::tell()

  

char \*LibRaw\_bigfile\_datastream::gets(char \*str, int sz)

{

if(sz<1) return NULL;

LR\_BF\_CHK();

return fgets(str, sz, f);

}

CVE-2021-32142: check for input buffer size on datastream::gets · LibRaw/LibRaw@bc3aaf4

Cisco has rolled out security updates to address a critical flaw reported in the ClamAV open source antivirus engine that could lead to remote code execution on susceptible devices.
Tracked as CVE-2023-20032 (CVSS score: 9.8), the issue relates to a case of remote code execution residing in the HFS+ file parser component.
The flaw affects versions 1.0.0 and earlier, 0.105.1 and earlier, and

Sysadmin / Endpoint Security

Cisco has rolled out security updates to address a critical flaw reported in the ClamAV open source antivirus engine that could lead to remote code execution on susceptible devices.

Tracked as CVE-2023-20032 (CVSS score: 9.8), the issue relates to a case of remote code execution residing in the HFS+ file parser component.

The flaw affects versions 1.0.0 and earlier, 0.105.1 and earlier, and 0.103.7 and earlier. Google security engineer Simon Scannell has been credited with discovering and reporting the bug.

"This vulnerability is due to a missing buffer size check that may result in a heap buffer overflow write," Cisco Talos said in an advisory. "An attacker could exploit this vulnerability by submitting a crafted HFS+ partition file to be scanned by ClamAV on an affected device."

Successful exploitation of the weakness could enable an adversary to run arbitrary code with the same privileges as that of the ClamAV scanning process, or crash the process, resulting in a denial-of-service (DoS) condition.

The networking equipment said the following products are vulnerable -

*   Secure Endpoint, formerly Advanced Malware Protection (AMP) for Endpoints (Windows, macOS, and Linux)
*   Secure Endpoint Private Cloud, and
*   Secure Web Appliance, formerly Web Security Appliance

It further confirmed that the vulnerability does not impact Secure Email Gateway (formerly Email Security Appliance) and Secure Email and Web Manager (formerly Security Management Appliance) products.

Also patched by Cisco is a remote information leak vulnerability in ClamAV's DMG file parser (CVE-2023-20052, CVSS score: 5.3) that could be exploited by an unauthenticated, remote attacker.

"This vulnerability is due to enabling XML entity substitution that may result in XML external entity injection," Cisco noted. "An attacker could exploit this vulnerability by submitting a crafted DMG file to be scanned by ClamAV on an affected device."

It's worth pointing out that CVE-2023-20052 does not affect Cisco Secure Web Appliance. That said, both vulnerabilities have been addressed in ClamAV versions 0.103.8, 0.105.2, and 1.0.1.

Cisco separately also resolved a denial-of-service (DoS) vulnerability impacting Cisco Nexus Dashboard (CVE-2023-20014, CVSS score: 7.5) and two other privilege escalation and command injection flaws in Email Security Appliance (ESA) and Secure Email and Web Manager (CVE-2023-20009 and CVE-2023-20075, CVSS scores: 6.5).

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Critical RCE Vulnerability Discovered in ClamAV Open-Source Antivirus Software

Heap-based Buffer Overflow in GitHub repository gpac/gpac prior to 2.3.0-DEV.

CVE-2023-0866

Multiple stack-based buffer overflow vulnerabilities [CWE-121] in the proxy daemon of FortiWeb 5.x all versions, 6.0.7 and below, 6.1.2 and below, 6.2.6 and below, 6.3.16 and below, 6.4 all versions may allow an unauthenticated remote attacker to achieve arbitrary code execution via specifically crafted HTTP requests.

** PSIRT Advisories**

**FortiWeb - Stack-based buffer overflows in Proxyd**

**Summary**

Multiple stack-based buffer overflow vulnerabilities \[CWE-121\] in FortiWeb's proxy daemon may allow an unauthenticated remote attacker to achieve arbitrary code execution via specifically crafted HTTP requests.

**Affected Products**

FortiWeb versions 5.x all versions,  
FortiWeb versions 6.0.7 and below,  
FortiWeb versions 6.1.2 and below,  
FortiWeb versions 6.2.6 and below,  
FortiWeb versions 6.3.16 and below,  
FortiWeb versions 6.4 all versions.

**Solutions**

Upgrade to FortiWeb 7.0.0 or above,  
Upgrade to FortiWeb 6.3.17 or above,  
Upgrade to FortiWeb 6.2.7 or above.  
Upgrade to FortiWeb 6.1.3 or above.  
Upgrade to FortiWeb 6.0.8 or above.

**Acknowledgement**

Internally discovered and reported by Giuseppe Cocomazzi of Fortinet Product Security team.

CVE-2021-42756: Fortiguard

A stack-based buffer overflow in Fortinet FortiWeb version 7.0.0 through 7.0.1, Fortinet FortiWeb version 6.3.6 through 6.3.19, Fortinet FortiWeb 6.4 all versions allows attacker to escalation of privilege via specifically crafted HTTP requests.

** PSIRT Advisories**

**FortiWeb - Multiple Stack based buffer overflow in web interface**

**Summary**

Multiple buffer overflow \[CWE-121\] vulnerabilities in the web server of FortiWeb may allow an authenticated attacker to achieve arbitrary code execution via specifically crafted HTTP requests.

**Affected Products**

FortiWeb version 7.0.0 through 7.0.1  
FortiWeb version 6.3.6 through 6.3.19  
FortiWeb 6.4 all versions

**Solutions**

Please upgrade to FortiWeb version 7.0.2 or above  
Please upgrade to FortiWeb version 6.3.20 or above

**Acknowledgement**

Internally discovered and reported by Gwendal Guégniaud of Fortinet Product Security Team.

CVE-2023-23780: Fortiguard

A stack-based buffer overflow vulnerability [CWE-121] in FortiWeb version 7.0.1 and below, 6.4 all versions, version 6.3.19 and below SAML server configuration may allow an authenticated attacker to achieve arbitrary code execution via specifically crafted XML files.

** PSIRT Advisories**

**FortiWeb - Stack based buffer overflow in SAML management**

**Summary**

A stack-based buffer overflow vulnerability \[CWE-121\] in FortiWeb SAML server configuration may allow an authenticated attacker to achieve arbitrary code execution via specifically crafted XML files.

**Affected Products**

At least  
FortiWeb version 7.0.0 through 7.0.1  
FortiWeb version 6.3.6 through 6.3.19  
FortiWeb 6.4 all versions

**Solutions**

Please upgrade to FortiWeb version 7.0.2 or above  
Please upgrade to FortiWeb version 6.3.20 or above

CVE-2023-23781: Fortiguard

A heap-based buffer overflow in Fortinet FortiWeb version 7.0.0 through 7.0.1, FortiWeb version 6.3.0 through 6.3.19, FortiWeb 6.4 all versions, FortiWeb 6.2 all versions, FortiWeb 6.1 all versions allows attacker to escalation of privilege via specifically crafted arguments to existing commands.

** PSIRT Advisories**

**FortiWeb - Heap based overflow in CLI**

**Summary**

A buffer overflow vulnerability \[CWE-122\] in the the command line interpreter of FortiWeb may allow an authenticated attacker to achieve arbitrary code execution via specifically crafted arguments to existing commands.

**Affected Products**

FortiWeb version 7.0.0 through 7.0.1  
FortiWeb version 6.3.0 through 6.3.19  
FortiWeb 6.4 all versions  
FortiWeb 6.2 all versions  
FortiWeb 6.1 all versions  
FortiWeb 6.0 all versions

**Solutions**

Upgrade to FortiWeb 7.0.2 or above,  
upgrade to FortiWeb 6.3.20 or above.

**Acknowledgement**

Internally discovered and reported by Gwendal Guégniaud of Fortinet Product Security Team.

Tag

#buffer_overflow