Gentoo Linux Security Advisory 202311-7 - A vulnerability has been found in AIDE which can lead to root privilege escalation. Versions greater than or equal to 0.17.4 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202311-07  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: AIDE: Root Privilege Escalation  
     Date: November 25, 2023  
     Bugs: #831658  
       ID: 202311-07

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

A vulnerability has been found in AIDE which can lead to root privilege  
escalation.

Background  
==========

AIDE (Advanced Intrusion Detection Environment) is a file and directory  
integrity checker.

It creates a database from the regular expression rules that it finds  
from the config file(s). Once this database is initialized it can be  
used to verify the integrity of the files. It has several message digest  
algorithms (see below) that are used to check the integrity of the file.  
All of the usual file attributes can also be checked for  
inconsistencies.

Affected packages  
=================

Package             Vulnerable    Unaffected  
------------------  ------------  ------------  
app-forensics/aide  < 0.17.4      >= 0.17.4

Description  
===========

A vulnerability has been discovered in AIDE. Please review the CVE  
identifier referenced below for details.

Impact  
======

AIDE before 0.17.4 allows local users to obtain root privileges via  
crafted file metadata (such as XFS extended attributes or tmpfs ACLs),  
because of a heap-based buffer overflow.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All AIDE users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=app-forensics/aide-0.17.4"

References  
==========

[ 1 ] CVE-2021-45417  
      https://nvd.nist.gov/vuln/detail/CVE-2021-45417

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202311-07

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2023 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202311-07

scheme/webauthn.c in Glewlwyd SSO server before 2.7.6 has a possible buffer overflow during FIDO2 credentials validation in webauthn registration.

Expand Up @@ -2299,13 +2299,13 @@ static json\_t \* register\_new\_attestation(struct config\_module \* config, json\_t \* for (i\=0; i<cbor\_map\_size(cbor\_cose); i++) { cbor\_key \= cbor\_map\_handle(cbor\_cose)\[i\].key; cbor\_value \= cbor\_map\_handle(cbor\_cose)\[i\].value; if (cbor\_isa\_negint(cbor\_key) && cbor\_get\_int(cbor\_key) \== 1 && cbor\_isa\_bytestring(cbor\_value)) { if (cbor\_isa\_negint(cbor\_key) && cbor\_get\_int(cbor\_key) \== 1 && cbor\_isa\_bytestring(cbor\_value) && cbor\_bytestring\_length(cbor\_value) <= 256) { has\_x \= 1; memcpy(cert\_x, cbor\_bytestring\_handle(cbor\_value), cbor\_bytestring\_length(cbor\_value)); cert\_x\_len \= cbor\_bytestring\_length(cbor\_value); g\_x.data \= cert\_x; g\_x.size \= (unsigned int)cbor\_bytestring\_length(cbor\_value); } else if (cbor\_isa\_negint(cbor\_key) && cbor\_get\_int(cbor\_key) \== 2 && cbor\_isa\_bytestring(cbor\_value)) { } else if (cbor\_isa\_negint(cbor\_key) && cbor\_get\_int(cbor\_key) \== 2 && cbor\_isa\_bytestring(cbor\_value) && cbor\_bytestring\_length(cbor\_value) <= 256) { has\_y \= 1; memcpy(cert\_y, cbor\_bytestring\_handle(cbor\_value), cbor\_bytestring\_length(cbor\_value)); cert\_y\_len \= cbor\_bytestring\_length(cbor\_value); Expand Down

CVE-2023-49208: Check key length before parsing it in FIDO2 attestation registration · babelouest/glewlwyd@f9d8c06

An issue was discovered in ClickHouse before 22.9.1.2603. An attacker could send a crafted HTTP request to the HTTP Endpoint (usually listening on port 8123 by default), causing a heap-based buffer overflow that crashes the process. This does not require authentication. The fixed versions are 22.9.1.2603, 22.8.2.11, 22.7.4.16, 22.6.6.16, and 22.3.12.19.

**Fixed in ClickHouse 22.9.1.2603, 2022-09-22​****CVE-2022-44011​**

A heap buffer overflow issue was discovered in ClickHouse server. A malicious user with ability to load data into ClickHouse server could crash the ClickHouse server by inserting a malformed CapnProto object.

Fix has been pushed to version 22.9.1.2603, 22.8.2.11, 22.7.4.16, 22.6.6.16, 22.3.12.19

Credits: Kiojj (independent researcher)

**CVE-2022-44010​**

A heap buffer overflow issue was discovered in ClickHouse server. An attacker could send a specially crafted HTTP request to the HTTP Endpoint (listening on port 8123 by default), causing a heap-based buffer overflow that crashes the ClickHouse server process. This attack does not require authentication.

Fix has been pushed to version 22.9.1.2603, 22.8.2.11, 22.7.4.16, 22.6.6.16, 22.3.12.19

Credits: Kiojj (independent researcher)

**Fixed in ClickHouse 21.10.2.15, 2021-10-18​****CVE-2021-43304​**

Heap buffer overflow in ClickHouse's LZ4 compression codec when parsing a malicious query. There is no verification that the copy operations in the LZ4::decompressImpl loop and especially the arbitrary copy operation wildCopy<copy\_amount>(op, ip, copy\_end), don’t exceed the destination buffer’s limits.

Credits: JFrog Security Research Team

**CVE-2021-43305​**

Heap buffer overflow in ClickHouse's LZ4 compression codec when parsing a malicious query. There is no verification that the copy operations in the LZ4::decompressImpl loop and especially the arbitrary copy operation wildCopy<copy\_amount>(op, ip, copy\_end), don’t exceed the destination buffer’s limits. This issue is very similar to CVE-2021-43304, but the vulnerable copy operation is in a different wildCopy call.

Credits: JFrog Security Research Team

**CVE-2021-42387​**

Heap out-of-bounds read in ClickHouse's LZ4 compression codec when parsing a malicious query. As part of the LZ4::decompressImpl() loop, a 16-bit unsigned user-supplied value ('offset') is read from the compressed data. The offset is later used in the length of a copy operation, without checking the upper bounds of the source of the copy operation.

Credits: JFrog Security Research Team

**CVE-2021-42388​**

Heap out-of-bounds read in ClickHouse's LZ4 compression codec when parsing a malicious query. As part of the LZ4::decompressImpl() loop, a 16-bit unsigned user-supplied value ('offset') is read from the compressed data. The offset is later used in the length of a copy operation, without checking the lower bounds of the source of the copy operation.

Credits: JFrog Security Research Team

**CVE-2021-42389​**

Divide-by-zero in ClickHouse's Delta compression codec when parsing a malicious query. The first byte of the compressed buffer is used in a modulo operation without being checked for 0.

Credits: JFrog Security Research Team

**CVE-2021-42390​**

Divide-by-zero in ClickHouse's DeltaDouble compression codec when parsing a malicious query. The first byte of the compressed buffer is used in a modulo operation without being checked for 0.

Credits: JFrog Security Research Team

**CVE-2021-42391​**

Divide-by-zero in ClickHouse's Gorilla compression codec when parsing a malicious query. The first byte of the compressed buffer is used in a modulo operation without being checked for 0.

Credits: JFrog Security Research Team

**Fixed in ClickHouse 21.4.3.21, 2021-04-12​****CVE-2021-25263​**

An attacker that has CREATE DICTIONARY privilege, can read arbitary file outside permitted directory.

Fix has been pushed to versions 20.8.18.32-lts, 21.1.9.41-stable, 21.2.9.41-stable, 21.3.6.55-lts, 21.4.3.21-stable and later.

Credits: Vyacheslav Egoshin

**Fixed in ClickHouse Release 19.14.3.3, 2019-09-10​****CVE-2019-15024​**

Аn attacker that has write access to ZooKeeper and who can run a custom server available from the network where ClickHouse runs, can create a custom-built malicious server that will act as a ClickHouse replica and register it in ZooKeeper. When another replica will fetch data part from the malicious replica, it can force clickhouse-server to write to arbitrary path on filesystem.

Credits: Eldar Zaitov of Yandex Information Security Team

**CVE-2019-16535​**

Аn OOB read, OOB write and integer underflow in decompression algorithms can be used to achieve RCE or DoS via native protocol.

Credits: Eldar Zaitov of Yandex Information Security Team

**CVE-2019-16536​**

Stack overflow leading to DoS can be triggered by a malicious authenticated client.

Credits: Eldar Zaitov of Yandex Information Security Team

**Fixed in ClickHouse Release 19.13.6.1, 2019-09-20​****CVE-2019-18657​**

Table function url had the vulnerability allowed the attacker to inject arbitrary HTTP headers in the request.

Credits: Nikita Tikhomirov

**Fixed in ClickHouse Release 18.12.13, 2018-09-10​****CVE-2018-14672​**

Functions for loading CatBoost models allowed path traversal and reading arbitrary files through error messages.

Credits: Andrey Krasichkov of Yandex Information Security Team

**Fixed in ClickHouse Release 18.10.3, 2018-08-13​****CVE-2018-14671​**

unixODBC allowed loading arbitrary shared objects from the file system which led to a Remote Code Execution vulnerability.

Credits: Andrey Krasichkov and Evgeny Sidorov of Yandex Information Security Team

**Fixed in ClickHouse Release 1.1.54388, 2018-06-28​****CVE-2018-14668​**

“remote” table function allowed arbitrary symbols in “user”, “password” and “default\_database” fields which led to Cross Protocol Request Forgery Attacks.

Credits: Andrey Krasichkov of Yandex Information Security Team

**Fixed in ClickHouse Release 1.1.54390, 2018-07-06​****CVE-2018-14669​**

ClickHouse MySQL client had “LOAD DATA LOCAL INFILE” functionality enabled that allowed a malicious MySQL database read arbitrary files from the connected ClickHouse server.

Credits: Andrey Krasichkov and Evgeny Sidorov of Yandex Information Security Team

**Fixed in ClickHouse Release 1.1.54131, 2017-01-10​****CVE-2018-14670​**

Incorrect configuration in deb package could lead to the unauthorized use of the database.

Credits: the UK’s National Cyber Security Centre (NCSC)

CVE-2022-44010: Security Changelog | ClickHouse Docs

An issue was discovered in ClickHouse before 22.9.1.2603. An authenticated user (with the ability to load data) could cause a heap buffer overflow and crash the server by inserting a malformed CapnProto object. The fixed versions are 22.9.1.2603, 22.8.2.11, 22.7.4.16, 22.6.6.16, and 22.3.12.19.

**Query billions of rows in milliseconds**

ClickHouse is the fastest and most resource efficient open-source database for real-time apps and analytics.

Or download open-source ClickHouse

SELECT toStartOfMonth(upload\_date) AS month, sum(view\_count) AS \`Youtube Views\`, bar(sum(has\_subtitles) / count(), 0.55, 0.7, 100) AS \`% Subtitles\` FROM youtube WHERE (month >= '2020-08-01') AND (month <= '2021-08-01') GROUP BY month ORDER BY month ASC

13 rows in set. Elapsed: 0.823 sec Processed 1.07 billion rows, 11.75 GB (1.30 billion rows/s., 14.27 GB/s.)

Trusted by developers that work with data at

scale

Don't take our word for it.

Read our user stories

"Moving over to ClickHouse we were basically able to cut that (Redshift) bill in half."

Brooke McKim  
Co-founder and CTO, Vantage

"There is that feeling of new tech where everything just feels like it's going right."

Harlow Ward  
Co-founder and CTO, Clearbit

"We wanted something not only just simple to use, but also simple to manage."

Jason Wang  
Software Engineer, Statsig

**Speed up queries from any data source**

ClickHouse supports all the data sources you need to power your apps and use cases that require exceptional performance.

Databases and data warehouses Streams, logs, and analytics Data lake formats Local files Data visualization tools Languages and drivers

**Why is ClickHouse so fast?**

Column-oriented databases are better suited to OLAP scenarios. They are at least 100x faster

in processing most queries. ClickHouse uses all available system resources to their full potential to process each analytical query as fast as possible.

Row-oriented databases

In row-oriented databases, data is stored in rows, with all the values related to a row physically stored next to each other.

Column-oriented databases

In column-oriented databases, like ClickHouse, data is stored in columns, with values from the same columns stored together.

**Deploy your way**

Unlike traditional closed-source OLAP databases, ClickHouse runs on every environment, whether it’s on your machine or in the cloud.

ClickHouse Local

Run fast queries on local files (CSV, TSV, Parquet, and more) without a server.

Open-source ClickHouse

Spin up a database server with open-source ClickHouse. Always Free.

ClickHouse Cloud

Deploy a fully managed ClickHouse service on AWS or GCP.

**Join the 100k+ developers using ClickHouse today**

**What do developers say?**

ClickHouse is the most commonly used database for internal and commercial observability platforms. Disney+ uses ClickHouse to provide analytics for its content distribution system.

“We were really not doing well with ingesting all the logs that we have because it's big data, it's all the users of Disney+ generating that data. Ever since we chose ClickHouse, it's been going well.”

Roni Lazimi

Software Engineer, Disney+

Uber’s log analytics platform

Learn why Uber migrated to ClickHouse from the ELK stack.

Cloudflare’s HTTP analytics infrastructure

Read about how Cloudflare uses ClickHouse to support 6M requests per second.

GitLab’s APM datastore

Watch this YouTube video showing why GitLab chose ClickHouse over Timescale to power their APM infrastructure.

**FAQs**

Wherever you need us, we’re there. We love to engage in thoughtful conversation with the ClickHouse community and are always on-hand to answer your questions.

Ask us anything

CVE-2022-44011: Fast Open-Source OLAP DBMS - ClickHouse

An attacker could exploit a vulnerability by sending crafted messages to computers installed with this plug-in to modify plug-in parameters, which could cause affected computers to download malicious files. 

**SN No.** HSRC-202311-02

**Edit:** Hikvision Security Response Center (HSRC)

**Initial Release Date:** 2023-11-23

**Summary**

1\. A buffer overflow vulnerability in a web browser plug-in could allow an attacker to exploit the vulnerability by sending crafted messages to computers installed with this plug-in, which could lead to arbitrary code execution or cause process exception of the plug-in. 

2. An attacker could exploit a vulnerability by sending crafted messages to computers installed with this plug-in to modify plug-in parameters, which could cause affected computers to download malicious files. 

**CVE ID**

CVE-2023-28812

CVE-2023-28813

**Scoring**

CVSS v3.1 is adopted in this vulnerability scoring(http://www.first.org/cvss/specification-document)

CVE-2023-28812

Base score：9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H)

CVE-2023-28813

Base score：8.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H) 

**Affected Versions and Fix**

**Product Name**

**Affected Versions**

**Resolved Version**

LocalServiceComponents

version 1.0.0.78 and the versions prior to it

1.0.0.81

**Obtaining Fixed Version**

Users can download the patch on the Hikvision official website.(https://www.hikvision.com/en/support/tools/hitools/cl31f95c645ddb0235/)  

**Source of vulnerability information**

This vulnerability is reported to HSRC by Team.ENVY (KITRI BoB 12th).

**Contact Us**

To report any security issues or vulnerabilities in Hikvision products and solutions, please contact Hikvision Security Response Center at hsrc@hikvision.com.

Hikvision would like to thank all security researchers for your attention to our products.

CVE-2023-28813: Security Vulnerabilities in Hikvision Web Browser Plug-in LocalServiceComponents

There is a buffer overflow in the password recovery feature of Hikvision NVR/DVR models. If exploited, an attacker on the same local area network (LAN) could cause the device to malfunction by sending specially crafted packets to an unpatched device.

**SN No.** HSRC-202311-01

**Edit:** Hikvision Security Response Center (HSRC)

**Initial Release Date:** 2023-11-17

**Summary**

Hikvision has released a patch to fix a buffer overflow vulnerability in the password recovery feature of Hikvision NVR/DVR models. If exploited, an attacker on the same local area network (LAN) could cause the device to malfunction by sending specially crafted packets to an unpatched device.

**CVE ID**

CVE-2023-28811

**Scoring**

CVSS v3.1 was used in scoring this vulnerability.

(http://www.first.org/cvss/specification-document)

Base score: 7.4 (AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H)

**  
**Affected Versions and Fixes****

**Product Name**

**Affected Versions**

**Fix Download**

DVR

iDS-EXXHUH

DS-EXXHGH

iDS-EXXHQH

DVR-EXXHUH

DVR-EXXHGH

DVR-EXXHQH

iDS-72XXHQH-M(C)

iDS-72XXHUH-M(C)

iDS-72XXHQH-M(E)

iDS-72XXHUH-M(E)

iDS-72XXHTH-M(C)

HW-HWD-72XXMH-G4

HW-HWD-62XXMH-G4

HL-DVR-216Q-K2(E）

DS-71XXHGH-M(C)

DS-72XXHGH-M(C)

DS-71XXHGH-K(S)

DS-72XXHGH-K(S)

HL-DVR-1XXG-K(S)

HL-DVR-2XXG-K(S)

HL-DVR-1XXG-M(C)

HL-DVR-2XXG-M(C)

HW-HWD-51XXH(S)

HW-HWD-51XXH-G

HW-HWD-51XXMH-G

iDS-71xxHQH-M(C)

iDS-71xxHQH-M(E)

iDS-72xxHQH-M/E(C)

iDS-72xxHQH-M/E(E)

HL-DVR-2XXQ-M(C)

HL-DVR-2XXQ-M(E)

HW-HWD-61XXMH-G4

HW-HWD-61XXMH-G4(E)

iDS-71xxHUH-M(C)

iDS-72xxHUH-M/E(C)

iDS-71xxHUH-M(E)

iDS-72xxHUH-M/E(E)

HL-DVR-2XXU-M(C)

HL-DVR-2XXU-M(E)

HW-HWD-71XXMH-G4

HW-HWD-71XXMH-G4(E)

V4.1.60 build date before 20230821

Version build date after 20230821

NVR

NVR-2xxMH-C(D)

NVR-1xxMH-C(D)

HW-HWN-42xxMH(D)

HW-HWN-41xxMH(D)

DS-71xxNI-Q1(C)

DS-71xxNI-Q1(D)

HL-NVR-1xxMH-D(C)

HL-NVR-1xxMH-D(D)

HW-HWN-21xxMH(C)

HW-HWN-21xxMH(D)

DS-76xxNI-Q1(C)

DS-76xxNI-Q2(C)

DS-76xxNI-K1(C)

HW-HWN-41xxMH(C)

HW-HWN-42xxMH(C)

HL-NVR-1xxMH-C(C)

HL-NVR-2xxMH-C(C)

DS-77xxNI-I4(B)

V4.1.60 build date before 20230821

Version build date after 20230821

**Obtaining Fixed Versions**  

Users can download patches/updates on the Hikvision official website or contact support@hikvision.com.

**Source of Vulnerability Information:**

The vulnerability was reported to HSRC by Sergio Ruiz of the IOActive team.

**Contact Us:**

To report any security issues or vulnerabilities in Hikvision products and solutions, please contact the Hikvision Security Response Center at hsrc@hikvision.com.

Hikvision would like to thank all security researchers for your attention to our products.

CVE-2023-28811: Buffer Overflow Vulnerability in Hikvision NVR/DVR Devices

A maliciously crafted MODEL file when parsed through Autodesk AutoCAD 2024 and 2023 can be used to cause a Heap-Based Buffer Overflow. A malicious actor can leverage this vulnerability to cause a crash, read sensitive data, or execute arbitrary code in the context of the current process.


**Description**

The details of the vulnerabilities are as follows:

1) CVE-2023-29073 - A maliciously crafted MODEL file when parsed through Autodesk AutoCAD 2024 and 2023 can be used to cause a Heap-Based Buffer Overflow. A malicious actor can leverage this vulnerability to cause a crash, read sensitive data, or execute arbitrary code in the context of the current process.

2) CVE- 2023-29074 - A maliciously crafted CATPART file when parsed through Autodesk AutoCAD 2024 and 2023 can be used to cause an Out-Of-Bounds Write. A malicious actor can leverage this vulnerability to cause a crash, read sensitive data, or execute arbitrary code in the context of the current process.

3) CVE-2023-29075 - A maliciously crafted PRT file when parsed through Autodesk AutoCAD 2024 and 2023 can be used to cause an Out-Of-Bounds Write. A malicious actor can leverage this vulnerability to cause a crash, read sensitive data, or execute arbitrary code in the context of the current process.

4) CVE-2023-29076 - A maliciously crafted MODEL, SLDASM, SAT or CATPART file when parsed through Autodesk AutoCAD 2024 and 2023 could cause memory corruption vulnerability. This vulnerability, along with other vulnerabilities, could lead to code execution in the current process.

5) CVE-2023-41139 - A maliciously crafted STP file when parsed through Autodesk AutoCAD 2024 and 2023 can be used to dereference an untrusted pointer. This vulnerability, along with other vulnerabilities, could lead to code execution in the current process.

6) CVE-2023-41140 - A maliciously crafted PRT file when parsed through Autodesk AutoCAD 2024 and 2023 can be used to cause a Heap-Based Buffer Overflow. A malicious actor can leverage this vulnerability to cause a crash, read sensitive data, or execute arbitrary code in the context of the current process.

CVE-2023-29073: adsk-sa-2023-0018

Buffer Overflow vulnerability in zlib-ng minizip-ng v.4.0.2 allows an attacker to execute arbitrary code via a crafted file to the mz_path_has_slash function in the mz_os.c file.

> poc0 is a malformed zip file generated by fuzzer. I used the "-x" flag when testing and it came into a heap-buffer-overflow crash. So maybe you could give a proper prompt when using "-x" to extract malformed files like poc0?

Aaaah, ok.

When built without ASAN the poc0 zipfile triggers an error when you attempt to extract it

    $ ./minizip -x  poc0
    minizip-ng 4.0.2 - https://github.com/zlib-ng/minizip-ng
    ---------------------------------------------------
    -x poc0 
    Archive poc0
    Extracting .\
    Error -104 saving entries to disk poc0
    

That said, there is still a buffer overflow present. Let's take a look at that

FYI - the cmake build now support building with ASAN, like this.

     cmake -S . -B build -D MZ_BUILD_TESTS=ON -DMZ_SANITIZER=Address 
    

When I run that I get the line numbers where the problems are

     ./minizip -x poc0
    minizip-ng 4.0.2 - https://github.com/zlib-ng/minizip-ng
    ---------------------------------------------------
    -x poc0 
    Archive poc0
    Extracting .\
    =================================================================
    ==49164==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000010f at pc 0x55686d69e58d bp 0x7ffc7a5e2d80 sp 0x7ffc7a5e2d70
    READ of size 1 at 0x60200000010f thread T0
        #0 0x55686d69e58c in mz_path_has_slash /home/paul/git/minizip-ng/mz_os.c:71
        #1 0x55686d6b55e1 in mz_zip_reader_entry_save_file /home/paul/git/minizip-ng/mz_zip_rw.c:698
        #2 0x55686d6b67ef in mz_zip_reader_save_all /home/paul/git/minizip-ng/mz_zip_rw.c:893
        #3 0x55686d69c6f0 in minizip_extract /home/paul/git/minizip-ng/minizip.c:379
        #4 0x55686d69e02c in main /home/paul/git/minizip-ng/minizip.c:654
        #5 0x7f2f44c280cf in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
        #6 0x7f2f44c28188 in __libc_start_main_impl ../csu/libc-start.c:360
        #7 0x55686d69a264 in _start (/home/paul/git/minizip-ng/build/minizip+0x7264) (BuildId: 576262a7c293cbb21845b25bd97a13cb33d9dd27)
    
    0x60200000010f is located 1 bytes before 1-byte region [0x602000000110,0x602000000111)
    allocated by thread T0 here:
        #0 0x7f2f456de997 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:77
        #1 0x55686d6b5269 in mz_zip_reader_entry_save_file /home/paul/git/minizip-ng/mz_zip_rw.c:665
        #2 0x55686d6b67ef in mz_zip_reader_save_all /home/paul/git/minizip-ng/mz_zip_rw.c:893
        #3 0x55686d69c6f0 in minizip_extract /home/paul/git/minizip-ng/minizip.c:379
        #4 0x55686d69e02c in main /home/paul/git/minizip-ng/minizip.c:654
        #5 0x7f2f44c280cf in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /home/paul/git/minizip-ng/mz_os.c:71 in mz_path_has_slash
    Shadow bytes around the buggy address:
      0x601ffffffe80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x601fffffff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x601fffffff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x602000000000: fa fa 05 fa fa fa 00 06 fa fa fd fd fa fa fd fd
      0x602000000080: fa fa 00 07 fa fa 00 01 fa fa 00 01 fa fa 00 01
    =>0x602000000100: fa[fa]01 fa fa fa 01 fa fa fa fa fa fa fa fa fa
      0x602000000180: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x602000000200: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x602000000280: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x602000000300: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x602000000380: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
    ==49164==ABORTING
    

Memory allocation in the pathwfs in mz_zip_reader_entry_save_file

    int32_t mz_zip_reader_entry_save_file(void *handle, const char *path) {
        mz_zip_reader *reader = (mz_zip_reader *)handle;
        void *stream = NULL;
        uint32_t target_attrib = 0;
        int32_t err_attrib = 0;
        int32_t err = MZ_OK;
        int32_t err_cb = MZ_OK;
        size_t path_length = 0;
        char *pathwfs = NULL;
        char *directory = NULL;
    
        if (mz_zip_reader_is_open(reader) != MZ_OK)
            return MZ_PARAM_ERROR;
        if (!reader->file_info || !path)
            return MZ_PARAM_ERROR;
    
        path_length = strlen(path);
    
        /* Convert to forward slashes for unix which doesn't like backslashes */
        pathwfs = (char *)calloc(path_length + 1, sizeof(char));
    

The error is triggered in the if statement below

    int32_t mz_path_has_slash(const char *path) {
        int32_t path_len = (int32_t)strlen(path);
        if (path[path_len - 1] != '\\' && path[path_len - 1] != '/')
            return MZ_EXIST_ERROR;
        return MZ_OK;
    }
    

This needs further analysis

CVE-2023-48107: Heap-buffer-overflow in mz_os.c:71 mz_path_has_slash · Issue #739 · zlib-ng/minizip-ng

IBM Cloud Pak for Security (CP4S) 1.10.0.0 through 1.10.11.0 and IBM QRadar Suite Software 1.10.12.0 through 1.10.16.0could allow an authenticated user to obtain sensitive version information that could aid in further attacks against the system.  IBM X-Force ID:  233665.

CVE-2022-36777: Security Bulletin: QRadar Suite Software includes components with multiple known vulnerabilities

Libde265 v1.0.12 was discovered to contain multiple buffer overflows via the num_tile_columns and num_tile_row parameters in the function pic_parameter_set::dump.

**Summary**

There is a segmentation fault caused by a buffer over-read on pic\_parameter\_set::dump due to an incorrect value of num\_tile\_columns or num\_tile\_rows.

**Tested with:**

*   Commit: 6fc550f (master)
*   PoC: poc
*   cmd: ./dec265 -d poc

**Crash output:**

    INFO: ----------------- SPS -----------------
    INFO: video_parameter_set_id  : 0
    INFO: sps_max_sub_layers      : 1
    INFO: sps_temporal_id_nesting_flag : 1
    INFO:   general_profile_space     : 0
    INFO:   general_tier_flag         : 0
    INFO:   general_profile_idc       : Main
    INFO:   general_profile_compatibility_flags: 0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0
    INFO:     general_progressive_source_flag : 0
    INFO:     general_interlaced_source_flag : 0
    INFO:     general_non_packed_constraint_flag : 0
    INFO:     general_frame_only_constraint_flag : 0
    INFO:   general_level_idc         : 60 (2.00)
    INFO: seq_parameter_set_id    : 0
    INFO: chroma_format_idc       : 1 (4:2:0)
    INFO: pic_width_in_luma_samples  : 416
    INFO: pic_height_in_luma_samples : 240
    INFO: conformance_window_flag    : 1
    INFO: conf_win_left_offset  : 0
    INFO: conf_win_right_offset : 0
    INFO: conf_win_top_offset   : 0
    INFO: conf_win_bottom_offset: 0
    INFO: bit_depth_luma   : 10
    INFO: bit_depth_chroma : 9
    INFO: log2_max_pic_order_cnt_lsb : 4
    INFO: sps_sub_layer_ordering_info_present_flag : 1
    INFO: Layer 0
    INFO:   sps_max_dec_pic_buffering      : 5
    INFO:   sps_max_num_reorder_pics       : 3
    INFO:   sps_max_latency_increase_plus1 : 0
    INFO: log2_min_luma_coding_block_size : 3
    INFO: log2_diff_max_min_luma_coding_block_size : 1
    INFO: log2_min_transform_block_size   : 2
    INFO: log2_diff_max_min_transform_block_size : 2
    INFO: max_transform_hierarchy_depth_inter : 0
    INFO: max_transform_hierarchy_depth_intra : 0
    INFO: scaling_list_enable_flag : 0
    INFO: amp_enabled_flag                    : 1
    INFO: sample_adaptive_offset_enabled_flag : 1
    INFO: pcm_enabled_flag                    : 0
    INFO: num_short_term_ref_pic_sets : 11
    INFO: ref_pic_set[  0 ]: X...X.X.X.......|................
    INFO: ref_pic_set[  1 ]: ..........X.X...|...X............
    INFO: ref_pic_set[  2 ]: ............X.X.|.X...X..........
    INFO: ref_pic_set[  3 ]: ...............X|X.X...X.........
    INFO: ref_pic_set[  4 ]: .............X.X|X...X...........
    INFO: ref_pic_set[  5 ]: ..........X.X.X.|.X..............
    INFO: ref_pic_set[  6 ]: ...........X...X|X.X.............
    INFO: ref_pic_set[  7 ]: .............X..|X.X.X...........
    INFO: ref_pic_set[  8 ]: ........X.......|................
    INFO: ref_pic_set[  9 ]: ............X...|...X............
    INFO: ref_pic_set[ 10 ]: ..............X.|.X...X..........
    INFO: long_term_ref_pics_present_flag : 0
    INFO: sps_temporal_mvp_enabled_flag      : 1
    INFO: strong_intra_smoothing_enable_flag : 1
    INFO: vui_parameters_present_flag        : 1
    INFO: sps_extension_present_flag    : 0
    INFO: sps_range_extension_flag      : 0
    INFO: sps_multilayer_extension_flag : 0
    INFO: sps_extension_6bits           : 0
    INFO: CtbSizeY     : 16
    INFO: MinCbSizeY   : 8
    INFO: MaxCbSizeY   : 16
    INFO: MinTBSizeY   : 4
    INFO: MaxTBSizeY   : 16
    INFO: PicWidthInCtbsY         : 26
    INFO: PicHeightInCtbsY        : 15
    INFO: SubWidthC               : 2
    INFO: SubHeightC              : 2
    INFO: ----------------- VUI -----------------
    INFO: sample aspect ratio        : 0:0
    INFO: overscan_info_present_flag : 0
    INFO: overscan_appropriate_flag  : 0
    INFO: video_signal_type_present_flag: 0
    INFO: chroma_loc_info_present_flag: 0
    INFO: neutral_chroma_indication_flag: 0
    INFO: field_seq_flag                : 0
    INFO: frame_field_info_present_flag : 0
    INFO: default_display_window_flag   : 1
    INFO:   def_disp_win_left_offset    : 0
    INFO:   def_disp_win_right_offset   : 0
    INFO:   def_disp_win_top_offset     : 0
    INFO:   def_disp_win_bottom_offset  : 0
    INFO: vui_timing_info_present_flag  : 0
    INFO: vui_poc_proportional_to_timing_flag : 0
    INFO: vui_num_ticks_poc_diff_one          : 1
    INFO: vui_hrd_parameters_present_flag : 0
    INFO: bitstream_restriction_flag         : 0
    INFO: ----------------- PPS -----------------
    INFO: pic_parameter_set_id       : 0
    INFO: seq_parameter_set_id       : 0
    INFO: dependent_slice_segments_enabled_flag : 1
    INFO: sign_data_hiding_flag      : 1
    INFO: cabac_init_present_flag    : 0
    INFO: num_ref_idx_l0_default_active : -84
    INFO: num_ref_idx_l1_default_active : 12
    INFO: pic_init_qp                : 25
    INFO: constrained_intra_pred_flag: 0
    INFO: transform_skip_enabled_flag: 1
    INFO: cu_qp_delta_enabled_flag   : 0
    INFO: pic_cb_qp_offset             : 1
    INFO: pic_cr_qp_offset             : 0
    INFO: pps_slice_chroma_qp_offsets_present_flag : 0
    INFO: weighted_pred_flag           : 0
    INFO: weighted_bipred_flag         : 1
    INFO: output_flag_present_flag     : 0
    INFO: transquant_bypass_enable_flag: 0
    INFO: tiles_enabled_flag           : 1
    INFO: entropy_coding_sync_enabled_flag: 0
    INFO: num_tile_columns    : 18815
    INFO: num_tile_rows       : 1
    INFO: uniform_spacing_flag: 1
    INFO: tile column boundaries: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 3985 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 [1]    4017733 segmentation fault  ./dec265 -d poc
    

**Analysis**

While executing decoder_context::read_pps_NAL, parameters are read in

bool success = new\_pps->read(&reader,this);

Inside the function, there is a check when setting num_tile_columns in case it goes over DE265_MAX_TILE_COLUMNS, which is 10.

  if (tiles\_enabled\_flag) {
    num\_tile\_columns = get\_uvlc(br);
    if (num\_tile\_columns == UVLC\_ERROR ||
	num\_tile\_columns+1 > DE265\_MAX\_TILE\_COLUMNS) {
      ctx->add\_warning(DE265\_WARNING\_PPS\_HEADER\_INVALID, false);
      return false;
    }

After exiting due to reading more than DE265_MAX_TILE_COLUMNS, the headers are dumped by calling dump:

  bool success = new\_pps->read(&reader,this);

  if (param\_pps\_headers\_fd>=0) {
    new\_pps->dump(param\_pps\_headers\_fd);
  }

  if (success) {
    pps\[ (int)new\_pps->pic\_parameter\_set\_id \] = new\_pps;
  }

In dump, the following code is executed to dump the tile column boundaries:

    LOG0("tile column boundaries: ");
    for (int i=0;i<=num\_tile\_columns;i++) {
      LOG1("\*%d ",colBd\[i\]);
    }
    LOG0("\*\\n");

As previously shown, num_tile_columns while be set to a higher number than DE265_MAX_TILE_COLUMNS. colBd is defined as:

int colBd    [ DE265_MAX_TILE_COLUMNS+1 ];

Therefore, that loop will go over colBd and will print all the data pointed by the values found after the limits of colBd in memory until the end of the loop or the next memory address is invalid.

**Impact**

*   Information leak from memory
*   Crash

If using a carefully crafted exploit, the impact could be an information leak without a crash.

**Patch**

In order to prevent this, the success value should be checked before printing the information:

diff --git a/libde265/decctx.cc b/libde265/decctx.cc
index 223a6aaf..1b79adec 100644
\--- a/libde265/decctx.cc
+++ b/libde265/decctx.cc
@@ -583,11 +583,10 @@ de265\_error decoder\_context::read\_pps\_NAL(bitreader& reader)
 
   bool success = new\_pps->read(&reader,this);
 
\-  if (param\_pps\_headers\_fd>=0) {
\-    new\_pps->dump(param\_pps\_headers\_fd);
\-  }
\-
   if (success) {
+    if (param\_pps\_headers\_fd>=0) {
+      new\_pps->dump(param\_pps\_headers\_fd);
+    }
     pps\[ (int)new\_pps->pic\_parameter\_set\_id \] = new\_pps;
   }

Another possibility could be to perform length checks inside the dump function to handle the case:

diff --git a/libde265/pps.cc b/libde265/pps.cc
index de3bcda1..a5abd9b3 100644
\--- a/libde265/pps.cc
+++ b/libde265/pps.cc
@@ -903,14 +903,22 @@ void pic\_parameter\_set::dump(int fd) const
     LOG1("uniform\_spacing\_flag: %d\\n", uniform\_spacing\_flag);
 
     LOG0("tile column boundaries: ");
\-    for (int i=0;i<=num\_tile\_columns;i++) {
\-      LOG1("\*%d ",colBd\[i\]);
+    if (num\_tile\_columns+1 > DE265\_MAX\_TILE\_COLUMNS) {
+      LOG0("Number of tile columns is invalid");
+    } else {
+      for (int i=0;i<=num\_tile\_columns;i++) {
+        LOG1("\*%d ",colBd\[i\]);
+      }
     }
     LOG0("\*\\n");
 
     LOG0("tile row boundaries: ");
\-    for (int i=0;i<=num\_tile\_rows;i++) {
\-      LOG1("\*%d ",rowBd\[i\]);
+    if (num\_tile\_rows+1 > DE265\_MAX\_TILE\_ROWS) {
+      LOG0("Number of tile rows is invalid");
+    } else {
+      for (int i=0;i<=num\_tile\_rows;i++) {
+        LOG1("\*%d ",rowBd\[i\]);
+      }
     }
     LOG0("\*\\n");

**Other notes**

The same issue occurs with num_tile_rows.

Tag

#buffer_overflow