In GraphicsMagick 1.4 snapshot-20191208 Q8, there is a heap-based buffer over-read in the function EncodeImage of coders/pict.c.

There is a heap buffer overflow in function EncodeImage of coders/pict.c whick can be reproduced as below.

/home/graphicsmagick/utilities/gm convert ./heap\-buffer\-overflow\-READ\-0x08417e7a.webp ./test.pct
\==9938\==ERROR: AddressSanitizer: heap\-buffer\-overflow on address 0xf12147ff at pc 0x08417e7a bp 0xffa81578 sp 0xffa81568
READ of size 1 at 0xf12147ff thread T0
    #0 0x8417e79 in EncodeImage coders/pict.c:1067
    #1 0x8421228 in WritePICTImage coders/pict.c:2408
    #2 0x80c6919 in WriteImage magick/constitute.c:2245
    #3 0x80c728f in WriteImages magick/constitute.c:2404
    #4 0x8072623 in ConvertImageCommand magick/command.c:6135
    #5 0x807ea51 in MagickCommand magick/command.c:8880
    #6 0x80ab9c2 in GMCommandSingle magick/command.c:17412
    #7 0x80abc86 in GMCommand magick/command.c:17465
    #8 0x80511ea in main utilities/gm.c:61
    #9 0xf697c636 in \_\_libc\_start\_main (/lib/i386\-linux\-gnu/libc.so.6+0x18636)
    #10 0x80510f0  (/home/graphicsmagick/utilities/gm+0x80510f0)

0xf12147ff is located 1 bytes to the left of 65536\-byte region \[0xf1214800,0xf1224800)
allocated by thread T0 here:
    #0 0xf72bbdee in malloc (/usr/lib/i386\-linux\-gnu/libasan.so.2+0x96dee)
    #1 0x8132492 in MagickMalloc magick/memory.c:174
    #2 0x841f32a in WritePICTImage coders/pict.c:2126
    #3 0x80c6919 in WriteImage magick/constitute.c:2245
    #4 0x80c728f in WriteImages magick/constitute.c:2404
    #5 0x8072623 in ConvertImageCommand magick/command.c:6135
    #6 0x807ea51 in MagickCommand magick/command.c:8880
    #7 0x80ab9c2 in GMCommandSingle magick/command.c:17412
    #8 0x80abc86 in GMCommand magick/command.c:17465
    #9 0x80511ea in main utilities/gm.c:61
    #10 0xf697c636 in \_\_libc\_start\_main (/lib/i386\-linux\-gnu/libc.so.6+0x18636)

SUMMARY: AddressSanitizer: heap\-buffer\-overflow coders/pict.c:1067 EncodeImage
Shadow bytes around the buggy address:
  0x3e2428a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e2428b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e2428c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e2428d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e2428e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
\=>0x3e2428f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\[fa\]
  0x3e242900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3e242910: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3e242920: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3e242930: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3e242940: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
\==9938\==ABORTING

System Configuration:

Distributor ID: Ubuntu
Description:    Ubuntu 16.04.5 LTS
Release:    16.04
Codename:   xenial

GraphicsMagick version:

GraphicsMagick 1.4 snapshot\-20191208 Q8 http://www.GraphicsMagick.org/
Copyright (C) 2002\-2019 GraphicsMagick Group.
Additional copyrights and licenses apply to this software.
See http://www.GraphicsMagick.org/www/Copyright.html for details.

Feature Support:
  Native Thread Safe       yes
  Large Files (\> 32 bit)   yes
  Large Memory (\> 32 bit)  no
  BZIP                     yes
  DPS                      no
  FlashPix                 no
  FreeType                 yes
  Ghostscript (Library)    no
  JBIG                     yes
  JPEG\-2000                yes
  JPEG                     yes
  Little CMS               yes
  Loadable Modules         no
  Solaris mtmalloc         no
  OpenMP                   yes (201307 "4.0")
  PNG                      yes
  TIFF                     yes
  TRIO                     no
  Solaris umem             no
  WebP                     yes
  WMF                      yes
  X11                      yes
  XML                      yes
  ZLIB                     yes

Host type: x86\_64\-pc\-linux\-gnu

Configured using the command:
  ./configure  'CFLAGS=-g -fsanitize=address' '\--enable-shared=no'

Final Build Parameters:
  CC       \= gcc
  CFLAGS   \= \-fopenmp \-g \-fsanitize\=address \-Wall \-pthread
  CPPFLAGS \= \-I/usr/include/freetype2 \-I/usr/include/libxml2
  CXX      \= g++
  CXXFLAGS \= \-pthread
  LDFLAGS  \= 
  LIBS     \= \-ljbig \-lwebp \-lwebpmux \-llcms2 \-ltiff \-lfreetype \-ljasper \-ljpeg \-lpng12 \-lwmflite \-lXext \-lSM \-lICE \-lX11 \-llzma \-lbz2 \-lxml2 \-lz \-lm \-lpthread

CVE-2019-19953: GraphicsMagick / Bugs / #617 heap-buffer-overflow in function EncodeImage of coders/pict.c

A heap-based buffer overflow in the vrend_renderer_transfer_write_iov function in vrend_renderer.c in virglrenderer through 0.8.0 allows guest OS users to cause a denial of service, or QEMU guest-to-host escape and code execution, via VIRGL_CCMD_RESOURCE_INLINE_WRITE commands.

Skip to content

GitLab 

*   *   GitLab: the DevOps platform
    *   Explore GitLab
    *   Install GitLab
    *   How GitLab compares
    *   Get started
    *   GitLab docs
    *   GitLab Learn
    
*   Pricing
*   Talk to an expert

*   /
    
*   

*   Help
    
    *   Help
    *   Support
    *   Community forum
    
    *   Submit feedback
    *   Contribute to GitLab
    
*   *   
    
    Projects Groups Snippets
    
*   Sign up now
*   Login
*   Sign in / Register
    

*   virgl
*   virglrenderer
*   Merge requests
*   !314

**Fix fuzzer failures**

*   Review changes
    

*   
*   Download
    
*   Email patches
    
*   Plain diff
    

Merged Gert Wollny requested to merge gerddie/virglrenderer:fix-fuzzer-failures into master Oct 07, 2019

*   Overview 55
*   Commits 20
*   Pipelines 42
*   Changes 13

This series of patches improves the resource handling by checking the resource creation, blit, and sampler view parameters more thoroughly.

@MatthewShao

Edited Oct 08, 2019 by Gert Wollny

CVE-2019-18389: Fix fuzzer failures (!314) · Merge requests · virgl / virglrenderer · GitLab

A heap-based buffer overflow in the vrend_renderer_transfer_write_iov function in vrend_renderer.c in virglrenderer through 0.8.0 allows guest OS users to cause a denial of service via VIRGL_CCMD_RESOURCE_INLINE_WRITE commands.

**Red Hat Product Security Center**

Engage with our Red Hat Product Security team, access security updates, and ensure your environments are not exposed to any known security vulnerabilities.

Product Security Center

CVE-2019-18391: Red Hat Customer Portal - Access to 24x7 support and knowledge

Lout 3.40 has a heap-based buffer overflow in the srcnext() function in z02.c.

\[Date Prev\]\[Date Next\]\[Thread Prev\]\[Thread Next\]\[Date Index\]\[Thread Index\]

**From**:

Frederic Cambus

**Subject**:

Heap-based buffer overflow in the srcnext() function

**Date**:

Fri, 20 Dec 2019 19:00:59 +0100

Hi,

While fuzzing lout 3.40 with Honggfuzz, I found a heap-based buffer
overflow in the srcnext() function, in z02.c.

Attaching a reproducer (gzipped so it doesn't get mangled).

Issue can be reproduced by running:

\`\`\`
lout test01
\`\`\`

\`\`\`
=================================================================
==30030==ERROR: AddressSanitizer: heap-buffer-overflow on address 
0x6260000000ff at pc 0x0000004d9b84 bp 0x7fff16458220 sp 0x7fff16458218
WRITE of size 1 at 0x6260000000ff thread T0
    #0 0x4d9b83 in srcnext /home/fcambus/lout-3.40/z02.c:381:26
    #1 0x4d37b2 in LexGetToken /home/fcambus/lout-3.40/z02.c:491:15
    #2 0x4f75fd in Parse /home/fcambus/lout-3.40/z06.c:819:7
    #3 0x4ce4b5 in run /home/fcambus/lout-3.40/z01.c:898:9
    #4 0x4c30f4 in main /home/fcambus/lout-3.40/z01.c:971:5
    #5 0x7f11f51731e2 in \_\_libc\_start\_main 
/build/glibc-4WA41p/glibc-2.30/csu/../csu/libc-start.c:308:16
    #6 0x41b45d in \_start (/home/fcambus/lout-3.40/lout+0x41b45d)

0x6260000000ff is located 1 bytes to the left of 10243-byte region 
\[0x626000000100,0x626000002903)
allocated by thread T0 here:
    #0 0x49335d in malloc (/home/fcambus/lout-3.40/lout+0x49335d)
    #1 0x4d1c2d in LexPush /home/fcambus/lout-3.40/z02.c:240:29

SUMMARY: AddressSanitizer: heap-buffer-overflow 
/home/fcambus/lout-3.40/z02.c:381:26 in srcnext
Shadow bytes around the buggy address:
  0x0c4c7fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4c7fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4c7fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4c7fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4c7fff8000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c4c7fff8010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\[fa\]
  0x0c4c7fff8020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4c7fff8030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4c7fff8040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4c7fff8050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4c7fff8060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==30030==ABORTING
\`\`\`

 **test01.gz**  
_Description:_ application/gunzip

*   **Heap-based buffer overflow in the srcnext() function**, _Frederic Cambus_ **<=**
    *   **Re: Heap-based buffer overflow in the srcnext() function**, _Frederic Cambus_, 2019/12/21

*   Prev by Date: **Re: Experiments with @Graph**
*   Next by Date: **Buffer overflow in the StringQuotedWord() function**
*   Previous by thread: **Re: Experiments with @Graph**
*   Next by thread: **Re: Heap-based buffer overflow in the srcnext() function**
*   Index(es):
    *   **Date**
    *   **Thread**

CVE-2019-19918: Heap-based buffer overflow in the srcnext() function

An issue existed in the pausing of FaceTime video. The issue was resolved with improved logic. This issue is fixed in iOS 12.2, macOS Mojave 10.14.4, watchOS 5.2. A user’s video may not be paused in a FaceTime call if they exit the FaceTime app while the call is ringing.

Released March 25, 2019

**802.1X**

Available for: macOS Mojave 10.14.3

Impact: An attacker in a privileged network position may be able to intercept network traffic

Description: A logic issue was addressed with improved state management.

CVE-2019-6203: Dominic White of SensePost (@singe)

Entry added April 15, 2019

**802.1X**

Available for: macOS High Sierra 10.13.6

Impact: An untrusted radius server certificate may be trusted

Description: A validation issue existed in Trust Anchor Management. This issue was addressed with improved validation.

CVE-2019-8531: an anonymous researcher, QA team of SecureW2

Entry added May 15, 2019

**Accounts**

Available for: macOS Mojave 10.14.3

Impact: Processing a maliciously crafted vcf file may lead to a denial of service

Description: A denial of service issue was addressed with improved validation.

CVE-2019-8538: Trevor Spiniolas (@TrevorSpiniolas)

Entry added April 3, 2019

**APFS**

Available for: macOS Mojave 10.14.3

Impact: A malicious application may be able to execute arbitrary code with kernel privileges

Description: A logic issue existed resulting in memory corruption. This was addressed with improved state management.

CVE-2019-8534: Mac working with Trend Micro's Zero Day Initiative

Entry added April 15, 2019

**AppleGraphicsControl**

Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS Mojave 10.14.3

Impact: A malicious application may be able to execute arbitrary code with kernel privileges

Description: A buffer overflow was addressed with improved size validation.

CVE-2019-8555: Zhiyi Zhang of 360 ESG Codesafe Team, Zhuo Liang and shrek\_wzw of Qihoo 360 Nirvan Team

**Bom**

Available for: macOS Mojave 10.14.3

Impact: A malicious application may bypass Gatekeeper checks

Description: This issue was addressed with improved handling of file metadata.

CVE-2019-6239: Ian Moorhouse and Michael Trimm

**CFString**

Available for: macOS Mojave 10.14.3

Impact: Processing a maliciously crafted string may lead to a denial of service

Description: A validation issue was addressed with improved logic.

CVE-2019-8516: SWIPS Team of Frifee Inc.

**configd**

Available for: macOS Mojave 10.14.3

Impact: A malicious application may be able to elevate privileges

Description: A memory initialization issue was addressed with improved memory handling.

CVE-2019-8552: Mohamed Ghannam (@\_simo36)

**Contacts**

Available for: macOS Mojave 10.14.3

Impact: A malicious application may be able to elevate privileges

Description: A buffer overflow issue was addressed with improved memory handling.

CVE-2019-8511: an anonymous researcher

**CoreCrypto**

Available for: macOS Mojave 10.14.3

Impact: A malicious application may be able to elevate privileges

Description: A buffer overflow was addressed with improved bounds checking.

CVE-2019-8542: an anonymous researcher

**DiskArbitration**

Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS Mojave 10.14.3

Impact: An encrypted volume may be unmounted and remounted by a different user without prompting for the password

Description: A logic issue was addressed with improved state management.

CVE-2019-8522: Colin Meginnis (@falc420)

**FaceTime**

Available for: macOS Mojave 10.14.3

Impact: A user’s video may not be paused in a FaceTime call if they exit the FaceTime app while the call is ringing

Description: An issue existed in the pausing of FaceTime video. The issue was resolved with improved logic.

CVE-2019-8550: Lauren Guzniczak of Keystone Academy

**FaceTime**

Available for: macOS Mojave 10.14.3

Impact: A local attacker may be able to view contacts from the lock screen

Description: A lock screen issue allowed access to contacts on a locked device. This issue was addressed with improved state management.

CVE-2019-8777: Abdullah H. AlJaber (@aljaber) of AJ.SA

Entry added October 8, 2019

**Feedback Assistant**

Available for: macOS Mojave 10.14.3

Impact: A malicious application may be able to gain root privileges

Description: A race condition was addressed with additional validation.

CVE-2019-8565: CodeColorist of Ant-Financial LightYear Labs

**Feedback Assistant**

Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS Mojave 10.14.3

Impact: A malicious application may be able to overwrite arbitrary files

Description: This issue was addressed with improved checks.

CVE-2019-8521: CodeColorist of Ant-Financial LightYear Labs

**file**

Available for: macOS Mojave 10.14.3

Impact: Processing a maliciously crafted file might disclose user information

Description: An out-of-bounds read was addressed with improved bounds checking.

CVE-2019-8906: Francisco Alonso

Entry updated April 15, 2019

**Graphics Drivers**

Available for: macOS Mojave 10.14.3

Impact: An application may be able to read restricted memory

Description: An out-of-bounds read was addressed with improved bounds checking.

CVE-2019-8519: Aleksandr Tarasikov (@astarasikov), Juwei Lin (@panicaII) and Junzhi Lu of Trend Micro Research working with Trend Micro's Zero Day Initiative, Lilang Wu and Moony Li of Trend Micro

Entry updated August 1, 2019

**iAP**

Available for: macOS Mojave 10.14.3

Impact: A malicious application may be able to elevate privileges

Description: A buffer overflow was addressed with improved bounds checking.

CVE-2019-8542: an anonymous researcher

**IOGraphics**

Available for: macOS Mojave 10.14.3

Impact: A Mac may not lock when disconnecting from an external monitor

Description: A lock handling issue was addressed with improved lock handling.

CVE-2019-8533: an anonymous researcher, James Eagan of Télécom ParisTech, R. Scott Kemp of MIT, and Romke van Dijk of Z-CERT

**IOHIDFamily**

Available for: macOS Mojave 10.14.3

Impact: A local user may be able to cause unexpected system termination or read kernel memory

Description: A memory corruption issue was addressed with improved state management.

CVE-2019-8545: Adam Donenfeld (@doadam) of the Zimperium zLabs Team

**IOKit**

Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.3

Impact: A local user may be able to read kernel memory

Description: A memory initialization issue was addressed with improved memory handling.

CVE-2019-8504: an anonymous researcher

**IOKit SCSI**

Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.3

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue was addressed with improved input validation.

CVE-2019-8529: Juwei Lin (@panicaII) of Trend Micro Research working with Trend Micro's Zero Day Initiative

Entry updated April 15, 2019

**Kernel**

Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6

Impact: A local user may be able to read kernel memory

Description: A memory initialization issue was addressed with improved memory handling.

CVE-2018-4448: Brandon Azad

Entry added September 17, 2019

**Kernel**

Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS Mojave 10.14.3

Impact: A remote attacker may be able to alter network traffic data

Description: A memory corruption issue existed in the handling of IPv6 packets. This issue was addressed with improved memory management.

CVE-2019-5608: Apple

Entry added August 6, 2019

**Kernel**

Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS Mojave 10.14.3

Impact: A remote attacker may be able to cause unexpected system termination or corrupt kernel memory

Description: A buffer overflow was addressed with improved size validation.

CVE-2019-8527: Ned Williamson of Google and derrek (@derrekr6)

**Kernel**

Available for: macOS Mojave 10.14.3, macOS High Sierra 10.13.6

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A use after free issue was addressed with improved memory management.

CVE-2019-8528: Fabiano Anemone (@anoane), Zhao Qixun (@S0rryMybad) of Qihoo 360 Vulcan Team

Entry added April 3, 2019, updated August 1, 2019

**Kernel**

Available for: macOS Sierra 10.12.6, macOS Mojave 10.14.3

Impact: Mounting a maliciously crafted NFS network share may lead to arbitrary code execution with system privileges

Description: A buffer overflow was addressed with improved bounds checking.

CVE-2019-8508: Dr. Silvio Cesare of InfoSect

**Kernel**

Available for: macOS Mojave 10.14.3

Impact: An application may be able to gain elevated privileges

Description: A logic issue was addressed with improved state management.

CVE-2019-8514: Samuel Groß of Google Project Zero

**Kernel**

Available for: macOS Sierra 10.12.6, macOS Mojave 10.14.3

Impact: A malicious application may be able to determine kernel memory layout

Description: A memory initialization issue was addressed with improved memory handling.

CVE-2019-8540: Weibo Wang (@ma1fan) of Qihoo 360 Nirvan Team

**Kernel**

Available for: macOS Mojave 10.14.3

Impact: A local user may be able to read kernel memory

Description: A memory corruption issue was addressed with improved memory handling.

CVE-2019-7293: Ned Williamson of Google

**Kernel**

Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS Mojave 10.14.3

Impact: A malicious application may be able to determine kernel memory layout

Description: An out-of-bounds read issue existed that led to the disclosure of kernel memory. This was addressed with improved input validation.

CVE-2019-6207: Weibo Wang of Qihoo 360 Nirvan Team (@ma1fan)

CVE-2019-8510: Stefan Esser of Antid0te UG

**Kernel**

Available for: macOS Mojave 10.14.3

Impact: A remote attacker may be able to leak memory

Description: An out-of-bounds read issue existed that led to the disclosure of kernel memory. This was addressed with improved input validation.

CVE-2019-8547: derrek (@derrekr6)

Entry added August 1, 2019

**Kernel**

Available for: macOS Mojave 10.14.3

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue was addressed with improved state management.

CVE-2019-8525: Zhuo Liang and shrek\_wzw of Qihoo 360 Nirvan Team

Entry added August 1, 2019

**libmalloc**

Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6

Impact: A malicious application may be able to modify protected parts of the file system

Description: A configuration issue was addressed with additional restrictions.

CVE-2018-4433: Vitaly Cheptsov

Entry added August 1, 2019, updated September 17, 2019

**Mail**

Available for: macOS Mojave 10.14.3

Impact: Processing a maliciously crafted mail message may lead to S/MIME signature spoofing

Description: An issue existed in the handling of S-MIME certificates. This issue was addressed with improved validation of S-MIME certificates.

CVE-2019-8642: Maya Sigal of Freie Universität Berlin and Volker Roth of Freie Universität Berlin

Entry added August 1, 2019

**Mail**

Available for: macOS Mojave 10.14.3

Impact: An attacker in a privileged network position may be able to intercept the contents of S/MIME-encrypted e-mail

Description: An issue existed in the handling of encrypted Mail. This issue was addressed with improved isolation of MIME in Mail.

CVE-2019-8645: Maya Sigal of Freie Universität Berlin and Volker Roth of Freie Universität Berlin

Entry added August 1, 2019

**Messages**

Available for: macOS Mojave 10.14.3

Impact: A local user may be able to view sensitive user information

Description: An access issue was addressed with additional sandbox restrictions.

CVE-2019-8546: ChiYuan Chang

**Modem CCL**

Available for: macOS Mojave 10.14.3

Impact: An application may be able to gain elevated privileges

Description: An input validation issue was addressed with improved memory handling.

CVE-2019-8579: an anonymous researcher

Entry added April 15, 2019

**Notes**

Available for: macOS Mojave 10.14.3

Impact: A local user may be able to view a user’s locked notes

Description: An access issue was addressed with improved memory management.

CVE-2019-8537: Greg Walker (gregwalker.us)

**PackageKit**

Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS Mojave 10.14.3

Impact: A malicious application may be able to elevate privileges

Description: A logic issue was addressed with improved validation.

CVE-2019-8561: Jaron Bradley of Crowdstrike

**Perl**

Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS Mojave 10.14.3

Impact: Multiple issues in Perl

Description: Multiple issues in Perl were addressed in this update.

CVE-2018-12015: Jakub Wilk

CVE-2018-18311: Jayakrishna Menon

CVE-2018-18313: Eiichi Tsukata

**Power Management**

Available for: macOS Mojave 10.14.3

Impact: A malicious application may be able to execute arbitrary code with system privileges

Description: Multiple input validation issues existed in MIG generated code. These issues were addressed with improved validation.

CVE-2019-8549: Mohamed Ghannam (@\_simo36) of SSD Secure Disclosure (ssd-disclosure.com)

**QuartzCore**

Available for: macOS Mojave 10.14.3

Impact: Processing malicious data may lead to unexpected application termination

Description: Multiple memory corruption issues were addressed with improved input validation.

CVE-2019-8507: Kai Lu of Fortinet's FortiGuard Labs

**Sandbox**

Available for: macOS Mojave 10.14.3

Impact: A sandboxed process may be able to circumvent sandbox restrictions

Description: A logic issue was addressed with improved restrictions.

CVE-2019-8618: Brandon Azad

Entry added August 1, 2019

**Security**

Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS Mojave 10.14.3

Impact: An application may be able to gain elevated privileges

Description: A use after free issue was addressed with improved memory management.

CVE-2019-8526: Linus Henze (pinauten.de)

**Security**

Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS Mojave 10.14.3

Impact: A malicious application may be able to read restricted memory

Description: An out-of-bounds read was addressed with improved bounds checking.

CVE-2019-8520: Antonio Groza, The UK's National Cyber Security Centre (NCSC)

**Security**

Available for: macOS Mojave 10.14.3

Impact: An untrusted radius server certificate may be trusted

Description: A validation issue existed in Trust Anchor Management. This issue was addressed with improved validation.

CVE-2019-8531: an anonymous researcher, QA team of SecureW2

**Security**

Available for: macOS Mojave 10.14.3

Impact: An untrusted radius server certificate may be trusted

Description: A validation issue existed in Trust Anchor Management. This issue was addressed with improved validation.

CVE-2019-8531: an anonymous researcher, QA team of SecureW2

Entry added May 15, 2019

**Siri**

Available for: macOS Mojave 10.14.3

Impact: A malicious application may be able to initiate a Dictation request without user authorization

Description: An API issue existed in the handling of dictation requests. This issue was addressed with improved validation.

CVE-2019-8502: Luke Deshotels of North Carolina State University, Jordan Beichler of North Carolina State University, William Enck of North Carolina State University, Costin Carabaș of University POLITEHNICA of Bucharest, and Răzvan Deaconescu of University POLITEHNICA of Bucharest

**Time Machine**

Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS Mojave 10.14.3

Impact: A local user may be able to execute arbitrary shell commands

Description: This issue was addressed with improved checks.

CVE-2019-8513: CodeColorist of Ant-Financial LightYear Labs

**Touch Bar Support**

Available for: macOS Mojave 10.14.3

Impact: An application may be able to execute arbitrary code with system privileges

Description: A memory corruption issue was addressed with improved memory handling.

CVE-2019-8569: Viktor Oreshkin (@stek29)

Entry added August 1, 2019

**TrueTypeScaler**

Available for: macOS Mojave 10.14.3

Impact: Processing a maliciously crafted font may result in the disclosure of process memory

Description: An out-of-bounds read was addressed with improved bounds checking.

CVE-2019-8517: riusksk of VulWar Corp working with Trend Micro Zero Day Initiative

**Wi-Fi**

Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS Mojave 10.14.3

Impact: An attacker in a privileged network position can modify driver state

Description: A logic issue was addressed with improved validation.

CVE-2019-8564: Hugues Anguelkov during an internship at Quarkslab

Entry added April 15, 2019

**Wi-Fi**

Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6

Impact: An attacker in a privileged network position can modify driver state

Description: A logic issue was addressed with improved state management.

CVE-2019-8612: Milan Stute of Secure Mobile Networking Lab at Technische Universität Darmstadt

Entry added August 1, 2019

**Wi-Fi**

Available for: macOS Mojave 10.14.3

Impact: A device may be passively tracked by its Wi-Fi MAC address

Description: A user privacy issue was addressed by removing the broadcast MAC address.

CVE-2019-8567: David Kreitschmann and Milan Stute of Secure Mobile Networking Lab at Technische Universität Darmstadt

Entry added August 1, 2019

**xar**

Available for: macOS Mojave 10.14.3

Impact: Processing a maliciously crafted package may lead to arbitrary code execution

Description: A validation issue existed in the handling of symlinks. This issue was addressed with improved validation of symlinks.

CVE-2019-6238: Yiğit Can YILMAZ (@yilmazcanyigit)

Entry added April 15, 2019

**XPC**

Available for: macOS Sierra 10.12.6, macOS Mojave 10.14.3

Impact: A malicious application may be able to overwrite arbitrary files

Description: This issue was addressed with improved checks.

CVE-2019-8530: CodeColorist of Ant-Financial LightYear Labs

CVE-2019-8550: About the security content of macOS Mojave 10.14.4, Security Update 2019-002 High Sierra, Security Update 2019-002 Sierra

A logic issue was addressed with improved state management. This issue is fixed in tvOS 13, iTunes for Windows 12.10.1, iCloud for Windows 10.7, iCloud for Windows 7.14. Processing maliciously crafted web content may lead to universal cross site scripting.

Released October 7, 2019

**CoreCrypto**

Available for: Windows 7 and later

Impact: Processing a large input may lead to a denial of service

Description: A denial of service issue was addressed with improved input validation.

CVE-2019-8741: Nicky Mouha of NIST

Entry added October 29, 2019

**CoreMedia**

Available for: Windows 7 and later

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: A memory corruption issue was addressed with improved state management.

CVE-2019-8825: Found by GWP-ASan in Google Chrome

Entry added October 29, 2019

**Foundation**

Available for: Windows 7 and later

Impact: A remote attacker may be able to cause unexpected application termination or arbitrary code execution

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2019-8746: natashenka and Samuel Groß of Google Project Zero

Entry added October 29, 2019

**libxml2**

Available for: Windows 7 and later

Impact: Multiple issues in libxml2

Description: Multiple memory corruption issues were addressed with improved input validation.

CVE-2019-8749: found by OSS-Fuzz

CVE-2019-8756: found by OSS-Fuzz

Entry added October 29, 2019

**libxslt**

Available for: Windows 7 and later

Impact: Multiple issues in libxslt

Description: Multiple memory corruption issues were addressed with improved input validation.

CVE-2019-8750: found by OSS-Fuzz

Entry added October 29, 2019

**UIFoundation**

Available for: Windows 7 and later

Impact: Processing a maliciously crafted text file may lead to arbitrary code execution

Description: A buffer overflow was addressed with improved bounds checking.

CVE-2019-8745: riusksk of VulWar Corp working with Trend Micro's Zero Day Initiative

**WebKit**

Available for: Windows 7 and later

Impact: Processing maliciously crafted web content may lead to universal cross site scripting

Description: A logic issue was addressed with improved state management.

CVE-2019-8625: Sergei Glazunov of Google Project Zero

CVE-2019-8719: Sergei Glazunov of Google Project Zero

CVE-2019-8764: Sergei Glazunov of Google Project Zero

Entry updated October 29, 2019

**WebKit**

Available for: Windows 7 and later

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: Multiple memory corruption issues were addressed with improved memory handling.

CVE-2019-8707: an anonymous researcher working with Trend Micro's Zero Day Initiative, cc working with Trend Micro Zero Day Initiative

CVE-2019-8710: found by OSS-Fuzz

CVE-2019-8726: Jihui Lu of Tencent KeenLab

CVE-2019-8728: Junho Jang of LINE Security Team and Hanul Choi of ABLY Corporation

CVE-2019-8733: Sergei Glazunov of Google Project Zero

CVE-2019-8734: found by OSS-Fuzz

CVE-2019-8735: G. Geshev working with Trend Micro Zero Day Initiative

CVE-2019-8743: zhunki from Codesafe Team of Legendsec at Qi'anxin Group

CVE-2019-8751: Dongzhuo Zhao working with ADLab of Venustech

CVE-2019-8752: Dongzhuo Zhao working with ADLab of Venustech

CVE-2019-8763: Sergei Glazunov of Google Project Zero

CVE-2019-8765: Samuel Groß of Google Project Zero

CVE-2019-8766: found by OSS-Fuzz

CVE-2019-8773: found by OSS-Fuzz

Entry updated October 29, 2019

**WebKit**

Available for: Windows 7 and later

Impact: Processing maliciously crafted web content may lead to universal cross site scripting

Description: A validation issue was addressed with improved logic.

CVE-2019-8762: Sergei Glazunov of Google Project Zero

Entry added November 18, 2019

CVE-2019-8719: About the security content of iTunes 12.10.1 for Windows

ATasm 1.06 has a stack-based buffer overflow in the parse_expr() function in setparse.c via a crafted .m65 file.

*   Summary
*   Files
*   Reviews
*   Support
*   Wiki
*   Tickets ▾
    *   Bugs
    *   Feature Requests
*   News
*   Code
*   Discussion

Menu ▾ ▴

**#9 Stack-based buffer overflow in the parse\_expr() function**

Status: closed

Owner: nobody

Labels: None

Priority: 5

Updated: 2021-03-20

Created: 2019-12-13

Private: No

Hi,

While fuzzing ATasm 1.08 with Honggfuzz, I found a stack-based buffer overflow in the parse\_expr() function, in setparse.c.

Attaching a reproducer, issue can be reproduced by running:

\=================================================================
\==29838\==ERROR: AddressSanitizer: stack\-buffer\-overflow on address 0x7fff079a8b00 at pc 0x0000004e0478 bp 0x7fff079a8a70 sp 0x7fff079a8a68
WRITE of size 1 at 0x7fff079a8b00 thread T0
    #0 0x4e0477 in parse\_expr /home/fcambus/atasm/src/setparse.c:83:13
    #1 0x4e236d in get\_signed\_expression /home/fcambus/atasm/src/setparse.c:319:5
    #2 0x4e08a5 in get\_expression /home/fcambus/atasm/src/setparse.c:154:27
    #3 0x4d3deb in proc\_sym /home/fcambus/atasm/src/asm.c:1678:14
    #4 0x4d5556 in do\_cmd /home/fcambus/atasm/src/asm.c:1941:5
    #5 0x4d5b46 in assemble /home/fcambus/atasm/src/asm.c:1980:9
    #6 0x4d8082 in main /home/fcambus/atasm/src/asm.c:2392:3
    #7 0x7fad7a5101e2 in \_\_libc\_start\_main /build/glibc\-4WA41p/glibc\-2.30/csu/../csu/libc\-start.c:308:16
    #8 0x41b3fd in \_start (/home/fcambus/atasm/atasm+0x41b3fd)

Address 0x7fff079a8b00 is located in stack of thread T0 at offset 128 in frame
    #0 0x4dfd9f in parse\_expr /home/fcambus/atasm/src/setparse.c:71

  This frame has 2 object(s):
    \[32, 36) 'v' (line 72)
    \[48, 128) 'expr' (line 73) <== Memory access at offset 128 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions \*are\* supported)
SUMMARY: AddressSanitizer: stack\-buffer\-overflow /home/fcambus/atasm/src/setparse.c:83:13 in parse\_expr
Shadow bytes around the buggy address:
  0x100060f2d110: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100060f2d120: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100060f2d130: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100060f2d140: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100060f2d150: f1 f1 f1 f1 04 f2 00 00 00 00 00 00 00 00 00 00
\=>0x100060f2d160:\[f3\]f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
  0x100060f2d170: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 f8 f8 f8 f8
  0x100060f2d180: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
  0x100060f2d190: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f2 f2 f2 f2
  0x100060f2d1a0: f2 f2 f2 f2 00 00 00 00 00 00 00 00 00 00 00 00
  0x100060f2d1b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
\==29838\==ABORTING

**1 Attachments**

**Discussion**

Log in to post a comment.

CVE-2019-19786: ATasm: 6502 cross-assembler / Bugs

ATasm 1.06 has a stack-based buffer overflow in the get_signed_expression() function in setparse.c via a crafted .m65 file.

*   Summary
*   Files
*   Reviews
*   Support
*   Wiki
*   Tickets ▾
    *   Bugs
    *   Feature Requests
*   News
*   Code
*   Discussion

Menu ▾ ▴

**#10 Stack-based buffer overflow in the get\_signed\_expression() function**

Status: closed

Owner: nobody

Labels: None

Priority: 5

Updated: 2021-03-20

Created: 2019-12-13

Private: No

Hi,

While fuzzing ATasm 1.08 with Honggfuzz, I found a stack-based buffer overflow in the get\_signed\_expression() function, in setparse.c.

Attaching a reproducer, issue can be reproduced by running:

\=================================================================
\==10633\==ERROR: AddressSanitizer: stack\-buffer\-overflow on address 0x7ffe5c1b3480 at pc 0x0000004e27ea bp 0x7ffe5c1b3210 sp 0x7ffe5c1b3208
WRITE of size 1 at 0x7ffe5c1b3480 thread T0
    #0 0x4e27e9 in get\_signed\_expression /home/fcambus/atasm/src/setparse.c:179:14
    #1 0x4e08a5 in get\_expression /home/fcambus/atasm/src/setparse.c:154:27
    #2 0x4c8de1 in add\_label /home/fcambus/atasm/src/asm.c
    #3 0x4d5563 in do\_cmd /home/fcambus/atasm/src/asm.c:1934:5
    #4 0x4d5b46 in assemble /home/fcambus/atasm/src/asm.c:1980:9
    #5 0x4d8082 in main /home/fcambus/atasm/src/asm.c:2392:3
    #6 0x7f1cbb2811e2 in \_\_libc\_start\_main /build/glibc\-4WA41p/glibc\-2.30/csu/../csu/libc\-start.c:308:16
    #7 0x41b3fd in \_start (/home/fcambus/atasm/atasm+0x41b3fd)

Address 0x7ffe5c1b3480 is located in stack of thread T0 at offset 608 in frame
    #0 0x4e08bf in get\_signed\_expression /home/fcambus/atasm/src/setparse.c:157

  This frame has 4 object(s):
    \[32, 288) 'err.i' (line 136)
    \[352, 608) 'buf' (line 158) <== Memory access at offset 608 overflows this variable
    \[672, 928) 'work' (line 158)
    \[992, 1005) 'math' (line 162)
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions \*are\* supported)
SUMMARY: AddressSanitizer: stack\-buffer\-overflow /home/fcambus/atasm/src/setparse.c:179:14 in get\_signed\_expression
Shadow bytes around the buggy address:
  0x10004b82e640: 00 00 00 00 f1 f1 f1 f1 f8 f8 f8 f8 f8 f8 f8 f8
  0x10004b82e650: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
  0x10004b82e660: f8 f8 f8 f8 f8 f8 f8 f8 f2 f2 f2 f2 f2 f2 f2 f2
  0x10004b82e670: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10004b82e680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
\=>0x10004b82e690:\[f2\]f2 f2 f2 f2 f2 f2 f2 00 00 00 00 00 00 00 00
  0x10004b82e6a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10004b82e6b0: 00 00 00 00 00 00 00 00 f2 f2 f2 f2 f2 f2 f2 f2
  0x10004b82e6c0: 00 05 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
  0x10004b82e6d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10004b82e6e0: 00 00 00 00 f1 f1 f1 f1 f8 f8 f8 f8 f8 f8 f8 f8
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
\==10633\==ABORTING

**1 Attachments**

**Discussion**

Log in to post a comment.

CVE-2019-19787: ATasm: 6502 cross-assembler / Bugs

ATasm 1.06 has a stack-based buffer overflow in the to_comma() function in asm.c via a crafted .m65 file.

*   Summary
*   Files
*   Reviews
*   Support
*   Wiki
*   Tickets ▾
    *   Bugs
    *   Feature Requests
*   News
*   Code
*   Discussion

Menu ▾ ▴

**#8 Stack-based buffer overflow in the to\_comma() function**

Status: closed

Owner: nobody

Labels: None

Priority: 5

Updated: 2021-03-20

Created: 2019-12-13

Private: No

Hi,

While fuzzing ATasm 1.08 with Honggfuzz, I found a stack-based buffer overflow in the to\_comma() function, in asm.c.

Attaching a reproducer, issue can be reproduced by running:

\=================================================================
\==15033\==ERROR: AddressSanitizer: stack\-buffer\-overflow on address 0x7ffec9190ef0 at pc 0x0000004ce38e bp 0x7ffec9190e30 sp 0x7ffec9190e28
WRITE of size 1 at 0x7ffec9190ef0 thread T0
    #0 0x4ce38d in to\_comma /home/fcambus/atasm/src/asm.c:1126:11
    #1 0x4ce38d in do\_xbyte /home/fcambus/atasm/src/asm.c:1346:9
    #2 0x4cfe17 in proc\_sym /home/fcambus/atasm/src/asm.c:1553:7
    #3 0x4d5556 in do\_cmd /home/fcambus/atasm/src/asm.c:1941:5
    #4 0x4d5b46 in assemble /home/fcambus/atasm/src/asm.c:1980:9
    #5 0x4d8082 in main /home/fcambus/atasm/src/asm.c:2392:3
    #6 0x7f32f46441e2 in \_\_libc\_start\_main /build/glibc\-4WA41p/glibc\-2.30/csu/../csu/libc\-start.c:308:16
    #7 0x41b3fd in \_start (/home/fcambus/atasm/atasm+0x41b3fd)

Address 0x7ffec9190ef0 is located in stack of thread T0 at offset 176 in frame
    #0 0x4cc7af in do\_xbyte /home/fcambus/atasm/src/asm.c:1299

  This frame has 2 object(s):
    \[32, 64) 'buf.i' (line 736)
    \[96, 176) 'buf' (line 1301) <== Memory access at offset 176 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions \*are\* supported)
SUMMARY: AddressSanitizer: stack\-buffer\-overflow /home/fcambus/atasm/src/asm.c:1126:11 in to\_comma
Shadow bytes around the buggy address:
  0x10005922a180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10005922a190: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10005922a1a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10005922a1b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10005922a1c0: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 f8 f8 f8 f8
\=>0x10005922a1d0: f2 f2 f2 f2 00 00 00 00 00 00 00 00 00 00\[f3\]f3
  0x10005922a1e0: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
  0x10005922a1f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10005922a200: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 f8 f8 f8 f8
  0x10005922a210: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
  0x10005922a220: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f2 f2 f2 f2
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
\==15033\==ABORTING

**1 Attachments**

**Discussion**

Log in to post a comment.

CVE-2019-19785: ATasm: 6502 cross-assembler / Bugs

OpenBSD through 6.6 allows local users to escalate to root because a check for LD_LIBRARY_PATH in setuid programs can be defeated by setting a very small RLIMIT_DATA resource limit. When executing chpass or passwd (which are setuid root), _dl_setup_env in ld.so tries to strip LD_LIBRARY_PATH from the environment, but fails when it cannot allocate memory. Thus, the attacker is able to execute their own library code as root.

For errata on a certain release, click below:  
2.0, 2.1, 2.2, 2.3, 2.4, 2.5, 2.6, 2.7, 2.8, 2.9, 3.0, 3.1, 3.2, 3.3, 3.4, 3.5,  
3.6, 3.7, 3.8, 3.9, 4.0, 4.1, 4.2, 4.3, 4.4, 4.5, 4.6, 4.7, 4.8, 4.9, 5.0, 5.1,  
5.2, 5.3, 5.4, 5.5, 5.6, 5.7, 5.8, 5.9, 6.0, 6.1, 6.2, 6.3, 6.4, 6.5, 6.7, 6.8,  
6.9, 7.0, 7.1, 7.2.

Patches for the OpenBSD base system are distributed as unified diffs. Each patch is cryptographically signed with the signify(1) tool and contains usage instructions. All the following patches are also available in one tar.gz file for convenience.

Alternatively, the syspatch(8) utility can be used to apply binary updates on the following architectures: amd64, i386, arm64.

Patches for supported releases are also incorporated into the \-stable branch.

*   **001: RELIABILITY FIX: October 28, 2019**   _All architectures_  
    bpf(4) has a race condition during device removal.  
    A source code patch exists which remedies this problem.
*   **002: RELIABILITY FIX: October 28, 2019**   _All architectures_  
    Various third party applications may crash due to symbol collision.  
    A source code patch exists which remedies this problem.
*   **003: RELIABILITY FIX: October 31, 2019**   _All architectures_  
    bgpd(8) can crash on nexthop changes or during startup in certain configurations.  
    A source code patch exists which remedies this problem.
*   **004: RELIABILITY FIX: November 16, 2019**   _All architectures_  
    The kernel could crash due to a NULL pointer dereference in net80211.  
    A source code patch exists which remedies this problem.
*   **005: RELIABILITY FIX: November 16, 2019**   _All architectures_  
    A new kernel may require newer firmware images when using sysupgrade.  
    A source code patch exists which remedies this problem.
*   **006: SECURITY FIX: November 16, 2019**   _All architectures_  
    A regular user could change some network interface parameters due to missing checks in the ioctl(2) system call.  
    A source code patch exists which remedies this problem.
*   **007: SECURITY FIX: November 22, 2019**   _i386 and amd64_  
    A local user could cause the system to hang by reading specific registers when Intel Gen8/Gen9 graphics hardware is in a low power state. A local user could perform writes to memory that should be blocked with Intel Gen9 graphics hardware.  
    A source code patch exists which remedies this problem.
*   **008: SECURITY FIX: November 22, 2019**   _All architectures_  
    Shared memory regions used by some Mesa drivers had permissions which allowed others to access that memory.  
    A source code patch exists which remedies this problem.
*   **009: SECURITY FIX: December 4, 2019**   _All architectures_  
    Environment-provided paths are used for dlopen() in mesa, resulting in escalation to the auth group in xlock(1).  
    A source code patch exists which remedies this problem.
*   **010: SECURITY FIX: December 4, 2019**   _All architectures_  
    libc's authentication layer performed insufficient username validation.  
    A source code patch exists which remedies this problem.
*   **011: SECURITY FIX: December 4, 2019**   _All architectures_  
    xenodm uses the libc authentication layer incorrectly.  
    A source code patch exists which remedies this problem.
*   **012: SECURITY FIX: December 8, 2019**   _All architectures_  
    A user can log in with a different user's login class.  
    A source code patch exists which remedies this problem.
*   **013: SECURITY FIX: December 11, 2019**   _All architectures_  
    ld.so may fail to remove the LD\_LIBRARY\_PATH environment variable for set-user-ID and set-group-ID executables in low memory conditions.  
    A source code patch exists which remedies this problem.
*   **014: SECURITY FIX: December 18, 2019**   _arm64_  
    ARM64 CPUs speculatively execute instructions after ERET.  
    A source code patch exists which remedies this problem.
*   **015: SECURITY FIX: December 20, 2019**   _All architectures_  
    ftp(1) will follow remote redirects to local files.  
    A source code patch exists which remedies this problem.
*   **016: SECURITY FIX: December 20, 2019**   _All architectures_  
    ripd(8) fails to validate authentication lengths.  
    A source code patch exists which remedies this problem.
*   **017: SECURITY FIX: January 17, 2020**   _i386 and amd64_  
    Execution Unit state was not cleared on context switch with Intel Gen9 graphics hardware.  
    A source code patch exists which remedies this problem.
*   **018: RELIABILITY FIX: January 30, 2020**   _All architectures_  
    smtpd can crash on opportunistic TLS downgrade, causing a denial of service.  
    A source code patch exists which remedies this problem.
*   **019: SECURITY FIX: January 30, 2020**   _All architectures_  
    An incorrect check allows an attacker to trick mbox delivery into executing arbitrary commands as root and lmtp delivery into executing arbitrary commands as an unprivileged user.  
    A source code patch exists which remedies this problem.
*   **020: SECURITY FIX: February 17, 2020**   _amd64_  
    A missing range check in the vmm pvclock allows a guest to write to host memory.  
    A source code patch exists which remedies this problem.
*   **021: SECURITY FIX: February 24, 2020**   _All architectures_  
    An out of bounds read in smtpd allows an attacker to inject arbitrary commands into the envelope file which are then executed as root. Separately, missing privilege revocation in smtpctl allows arbitrary commands to be run with the \_smtpq group.  
    A source code patch exists which remedies this problem.
*   **022: RELIABILITY FIX: March 10, 2020**   _All architectures_  
    Missing input validation in sysctl(2) can be used to crash the kernel.  
    A source code patch exists which remedies this problem.
*   **023: RELIABILITY FIX: March 13, 2020**   _All architectures_  
    Local outbound UDP broadcast or multicast packets sent by a spliced socket can crash the kernel.  
    A source code patch exists which remedies this problem.
*   **024: SECURITY FIX: April 7, 2020**   _All architectures_  
    dhcpd could reference freed memory after releasing a lease with an unusually long uid.  
    A source code patch exists which remedies this problem.
*   **025: SECURITY FIX: April 19, 2020**   _i386, amd64, arm64, loongson, macppc, sparc64_  
    There was an incorrect test for root in the DRM Linux compatibility code.  
    A source code patch exists which remedies this problem.
*   **026: RELIABILITY FIX: May 10, 2020**   _All architectures_  
    ospfd could generate corrupt OSPF Router (Type 1) LSAs in certain situations.  
    A source code patch exists which remedies this problem.
*   **027: SECURITY FIX: May 13, 2020**   _All architectures_  
    An out-of-bounds index access in wscons(4) can cause a kernel crash.  
    A source code patch exists which remedies this problem.
*   **028: SECURITY FIX: May 22, 2020**   _All architectures_  
    Specially crafted queries may crash unbound and unwind. Both can be tricked into amplifying an incoming query.  
    A source code patch exists which remedies this problem.
*   **029: SECURITY FIX: June 1, 2020**   _All architectures_  
    Several problems in Perl's regular expression compiler could lead to corruption of the intermediate language state of a compiled regular expression.  
    A source code patch exists which remedies this problem.
*   **030: SECURITY FIX: June 5, 2020**   _All architectures_  
    Malicious HID descriptors could be misparsed.  
    A source code patch exists which remedies this problem.
*   **031: RELIABILITY FIX: June 8, 2020**   _All architectures_  
    libc's resolver could get into a corrupted state.  
    A source code patch exists which remedies this problem.
*   **032: RELIABILITY FIX: June 11, 2020**   _All architectures_  
    libcrypto may fail to build a valid certificate chain due to expired untrusted issuer certificates.  
    A source code patch exists which remedies this problem.
*   **033: SECURITY FIX: July 9, 2020**   _All architectures_  
    shmget IPC\_STAT leaked some kernel data.  
    A source code patch exists which remedies this problem.
*   **034: RELIABILITY FIX: July 16, 2020**   _All architectures_  
    tty subsystem abuse can impact performance badly.  
    A source code patch exists which remedies this problem.
*   **035: RELIABILITY FIX: July 22, 2020**   _All architectures_  
    Only pty devices need reprint delays.  
    A source code patch exists which remedies this problem.
*   **036: SECURITY FIX: July 27, 2020**   _All architectures_  
    In iked, incorrect use of EVP\_PKEY\_cmp allows an authentication bypass.  
    A source code patch exists which remedies this problem.
*   **037: SECURITY FIX: July 31, 2020**   _All architectures_  
    Malformed messages can cause heap corruption in the X Input Method client implementation in libX11.  
    A source code patch exists which remedies this problem.
*   **038: SECURITY FIX: July 31, 2020**   _All architectures_  
    Pixmaps inside the xserver were an info leak.  
    A source code patch exists which remedies this problem.
*   **039: RELIABILITY FIX: August 7, 2020**   _All architectures_  
    The recent security errata 037 broke X11 input methods.  
    A source code patch exists which remedies this problem.
*   **040: SECURITY FIX: August 25, 2020**   _All architectures_  
    An integer overflow in libX11 could lead to a double free. Additionally fix a regression in ximcp.  
    A source code patch exists which remedies this problem.
*   **041: SECURITY FIX: August 25, 2020**   _All architectures_  
    Various X server extensions had deficient input validation.  
    A source code patch exists which remedies this problem.
*   **042: SECURITY FIX: September 5, 2020**   _amd64, arm64_  
    A buffer overflow was discovered in an amdgpu ioctl.  
    A source code patch exists which remedies this problem.

Tag

#buffer_overflow