Red Hat Security Advisory 2022-4965-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.7.53. There are no images for this advisory. Issues addressed include a memory exhaustion vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Moderate: OpenShift Container Platform 4.7.53 packages and security update  
Advisory ID:       RHSA-2022:4965-01  
Product:           Red Hat OpenShift Enterprise  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:4965  
Issue date:        2022-06-16  
CVE Names:         CVE-2022-1708   
=====================================================================

1. Summary:

Red Hat OpenShift Container Platform release 4.7.53 is now available with  
updates to packages and images that fix several bugs and add enhancements.

This release includes a security update for Red Hat OpenShift Container  
Platform 4.7.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat OpenShift Container Platform 4.7 - ppc64le, s390x, x86_64

3. Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing  
Kubernetes application platform solution designed for on-premise or private  
cloud deployments.

This advisory contains the RPM packages for Red Hat OpenShift Container  
Platform 4.7.53. There are no images for this advisory.

Security Fix(es):

* cri-o: memory exhaustion on the node when access to the kube api  
(CVE-2022-1708)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

All OpenShift Container Platform 4.7 users are advised to upgrade to these  
updated packages and images when they are available in the appropriate  
release channel. To check for available updates, use the OpenShift Console  
or the CLI oc command. Instructions for upgrading a cluster are available  
at  
https://docs.openshift.com/container-platform/4.7/updating/updating-cluster-cli.html

4. Solution:

For OpenShift Container Platform 4.7 see the following documentation, which  
will be updated shortly for this release, for important instructions on how  
to upgrade your cluster and fully apply this asynchronous errata update:

https://docs.openshift.com/container-platform/4.7/release_notes/ocp-4-7-release-notes.html

Details on how to access this content are available at  
https://docs.openshift.com/container-platform/4.7/updating/updating-cluster-cli.html

5. Bugs fixed (https://bugzilla.redhat.com/):

2085361 - CVE-2022-1708 cri-o: memory exhaustion on the node when access to the kube api

6. Package List:

Red Hat OpenShift Container Platform 4.7:

Source:  
conmon-2.0.29-3.rhaos4.7.el7.src.rpm  
cri-o-1.20.8-3.rhaos4.7.gitb9df556.el7.src.rpm

x86_64:  
conmon-2.0.29-3.rhaos4.7.el7.x86_64.rpm  
conmon-debuginfo-2.0.29-3.rhaos4.7.el7.x86_64.rpm  
cri-o-1.20.8-3.rhaos4.7.gitb9df556.el7.x86_64.rpm  
cri-o-debuginfo-1.20.8-3.rhaos4.7.gitb9df556.el7.x86_64.rpm

Red Hat OpenShift Container Platform 4.7:

Source:  
conmon-2.0.29-3.rhaos4.7.el8.src.rpm  
cri-o-1.20.8-3.rhaos4.7.gitb9df556.el8.src.rpm  
cri-tools-1.20.0-4.el8.src.rpm  
ignition-2.9.0-5.rhaos4.7.git1d56dc8.el8.src.rpm

ppc64le:  
conmon-2.0.29-3.rhaos4.7.el8.ppc64le.rpm  
conmon-debuginfo-2.0.29-3.rhaos4.7.el8.ppc64le.rpm  
conmon-debugsource-2.0.29-3.rhaos4.7.el8.ppc64le.rpm  
cri-o-1.20.8-3.rhaos4.7.gitb9df556.el8.ppc64le.rpm  
cri-o-debuginfo-1.20.8-3.rhaos4.7.gitb9df556.el8.ppc64le.rpm  
cri-o-debugsource-1.20.8-3.rhaos4.7.gitb9df556.el8.ppc64le.rpm  
cri-tools-1.20.0-4.el8.ppc64le.rpm  
cri-tools-debuginfo-1.20.0-4.el8.ppc64le.rpm  
cri-tools-debugsource-1.20.0-4.el8.ppc64le.rpm  
ignition-2.9.0-5.rhaos4.7.git1d56dc8.el8.ppc64le.rpm  
ignition-debuginfo-2.9.0-5.rhaos4.7.git1d56dc8.el8.ppc64le.rpm  
ignition-debugsource-2.9.0-5.rhaos4.7.git1d56dc8.el8.ppc64le.rpm  
ignition-validate-2.9.0-5.rhaos4.7.git1d56dc8.el8.ppc64le.rpm  
ignition-validate-debuginfo-2.9.0-5.rhaos4.7.git1d56dc8.el8.ppc64le.rpm

s390x:  
conmon-2.0.29-3.rhaos4.7.el8.s390x.rpm  
conmon-debuginfo-2.0.29-3.rhaos4.7.el8.s390x.rpm  
conmon-debugsource-2.0.29-3.rhaos4.7.el8.s390x.rpm  
cri-o-1.20.8-3.rhaos4.7.gitb9df556.el8.s390x.rpm  
cri-o-debuginfo-1.20.8-3.rhaos4.7.gitb9df556.el8.s390x.rpm  
cri-o-debugsource-1.20.8-3.rhaos4.7.gitb9df556.el8.s390x.rpm  
cri-tools-1.20.0-4.el8.s390x.rpm  
cri-tools-debuginfo-1.20.0-4.el8.s390x.rpm  
cri-tools-debugsource-1.20.0-4.el8.s390x.rpm  
ignition-2.9.0-5.rhaos4.7.git1d56dc8.el8.s390x.rpm  
ignition-debuginfo-2.9.0-5.rhaos4.7.git1d56dc8.el8.s390x.rpm  
ignition-debugsource-2.9.0-5.rhaos4.7.git1d56dc8.el8.s390x.rpm  
ignition-validate-2.9.0-5.rhaos4.7.git1d56dc8.el8.s390x.rpm  
ignition-validate-debuginfo-2.9.0-5.rhaos4.7.git1d56dc8.el8.s390x.rpm

x86_64:  
conmon-2.0.29-3.rhaos4.7.el8.x86_64.rpm  
conmon-debuginfo-2.0.29-3.rhaos4.7.el8.x86_64.rpm  
conmon-debugsource-2.0.29-3.rhaos4.7.el8.x86_64.rpm  
cri-o-1.20.8-3.rhaos4.7.gitb9df556.el8.x86_64.rpm  
cri-o-debuginfo-1.20.8-3.rhaos4.7.gitb9df556.el8.x86_64.rpm  
cri-o-debugsource-1.20.8-3.rhaos4.7.gitb9df556.el8.x86_64.rpm  
cri-tools-1.20.0-4.el8.x86_64.rpm  
cri-tools-debuginfo-1.20.0-4.el8.x86_64.rpm  
cri-tools-debugsource-1.20.0-4.el8.x86_64.rpm  
ignition-2.9.0-5.rhaos4.7.git1d56dc8.el8.x86_64.rpm  
ignition-debuginfo-2.9.0-5.rhaos4.7.git1d56dc8.el8.x86_64.rpm  
ignition-debugsource-2.9.0-5.rhaos4.7.git1d56dc8.el8.x86_64.rpm  
ignition-validate-2.9.0-5.rhaos4.7.git1d56dc8.el8.x86_64.rpm  
ignition-validate-debuginfo-2.9.0-5.rhaos4.7.git1d56dc8.el8.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-1708  
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYqsa+9zjgjWX9erEAQjCBA//XuKHMB5VFNuOT18z4OljxD7g++8m5ajV  
HFQNdP5hmtcE3FLiPd5aJjyheDnHhr4wWH7GsjSQ7CUWRPZymh/1LJJNs5FZwUxT  
QGt2vY2Nms8qcwPo3kstKBLPNtY+0Fj6X7s2chcChsh+rc/pLXI1g6B1GkoT1Rj7  
sr+uVu1UuCbydao6duDRjIPTuSTEHGUHUPtVoOdrGXibGBObxaZlhsZuh8j0iNx9  
w0V2sEDxd34y8cohYfr/qvtMfHD3urGOKbMAVYDCBJPo0WoOLRqim4NN2YVHOgL4  
6pUlUNoVvrd5PQ4Gb+xg0E9LOwfNGpoYmOHU84BlH5GcOqVfJWJCD5zMEwp4/3uz  
hYgQNUH4JMur3Weg5Mum8bpQR3R5WirsPWF+wz6plL3VAL8mAHoJb9SEmVK6vkA/  
/LsMo6bDXRboliTuRTP7cggcV+Zl9IFCKbzQScMlOp8icsKWrczarhiPLNB3G1Nf  
k8I8LwzqwlZ/yBXmarPTRTbApqszNz5VITaUVOsDS+0tfZLXBP56IcYzR6z9q/HD  
J5WDx5c+UQ2PQKMiYIJR+kM2EBus1uxl+7l6QxVIDngYISdlcFi8Lgd6uw6CD/xn  
4/DEyT6BwVu6VfEO7jKBBqb/zuiy7hydIZOZWJHuxGjimBcJqezbJWD7DxU9a8Ov  
IsMS+CwIlZo=  
=quew  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-4965-01

Zyxel firewalls, AP controllers, and APs suffer from buffer overflow, format string, and command injection vulnerabilities.

Zyxel Buffer Overflow / Format String / Command Injection

Affected versions of this crate did not check that the public key the signature was created with matches the peer ID of the peer record. 
Any combination was considered valid.

This allows an attacker to republish an existing `PeerRecord` with a different `PeerId`.


**Failure to verify the public key of a \`SignedEnvelope\` against the \`PeerId\` in a \`PeerRecord\`**

High severity GitHub Reviewed Published Jun 17, 2022 • Updated Jun 17, 2022

GHSA-wc36-xgcc-jwpr: Failure to verify the public key of a `SignedEnvelope` against the `PeerId` in a `PeerRecord`

In GPAC MP4Box v1.1.0, there is a stack buffer overflow at src/utils/error.c:1769 which leads to a denial of service vulnerability.

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...).

Step to reproduce:

1.get latest commit code (GPAC version 1.1.0-DEV-rev1216-gb39aa09c0-master)  
2.compile with --enable-sanitizer  
3.run MP4Box -add poc.nhml -new new.mp4  
Env:  
Ubunut 20.04 , clang 12.0.1

ASAN report  
poc.zip

    AddressSanitizer:DEADLYSIGNAL
    =================================================================
    ==344428==ERROR: AddressSanitizer: SEGV on unknown address (pc 0x7fcb7d118779 bp 0x7ffe1832c550 sp 0x7ffe1832c480 T0)
    ==344428==The signal is caused by a READ memory access.
    ==344428==Hint: this fault was caused by a dereference of a high value address (see register values below).  Disassemble the provided pc to learn which register was used.
        #0 0x7fcb7d118779 in gf_blob_get /home/lly/pro/gpac_asan/src/utils/error.c:1769:12
        #1 0x7fcb7d0eb2ea in gf_fileio_from_blob /home/lly/pro/gpac_asan/src/utils/os_file.c:1287:13
        #2 0x7fcb7d0eb2ea in gf_fopen_ex /home/lly/pro/gpac_asan/src/utils/os_file.c:1314:14
        #3 0x7fcb7dc90328 in nhmldmx_send_sample /home/lly/pro/gpac_asan/src/filters/dmx_nhml.c:1101:9
        #4 0x7fcb7dc90328 in nhmldmx_process /home/lly/pro/gpac_asan/src/filters/dmx_nhml.c:1341:7
        #5 0x7fcb7dbbc997 in gf_filter_process_task /home/lly/pro/gpac_asan/src/filter_core/filter.c:2441:7
        #6 0x7fcb7db9e965 in gf_fs_thread_proc /home/lly/pro/gpac_asan/src/filter_core/filter_session.c:1664:3
        #7 0x7fcb7db9de60 in gf_fs_run /home/lly/pro/gpac_asan/src/filter_core/filter_session.c:1901:2
        #8 0x7fcb7d6bf708 in gf_media_import /home/lly/pro/gpac_asan/src/media_tools/media_import.c:1486:2
        #9 0x526ea9 in import_file /home/lly/pro/gpac_asan/applications/mp4box/fileimport.c:1289:7
        #10 0x4eb996 in do_add_cat /home/lly/pro/gpac_asan/applications/mp4box/main.c:4257:10
        #11 0x4e7d46 in mp4boxMain /home/lly/pro/gpac_asan/applications/mp4box/main.c:5746:13
        #12 0x7fcb7c9400b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
        #13 0x429a4d in _start (/home/lly/pro/gpac_asan/bin/gcc/MP4Box+0x429a4d)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV /home/lly/pro/gpac_asan/src/utils/error.c:1769:12 in gf_blob_get
    ==344428==ABORTING

CVE-2021-41458: SEGV on unknown address in MP4Box at src/utils/error.c:1769 in gf_blob_get · Issue #1910 · gpac/gpac

A memory leak (out-of-memory) in gif2rgb in util/gif2rgb.c in giflib 5.1.4 allows remote attackers trigger an out of memory exception or denial of service via a gif format file.

*   Summary
*   Files
*   Reviews
*   Support
*   Wiki
*   Mailing Lists
*   Code
*   Cvs
*   Tickets ▾
    *   Bugs
    *   Feature Requests
    *   Support Requests
    *   Patches
*   News
*   Discussion

Menu ▾ ▴

Status: open

Owner: nobody

Labels: None

Priority: 1

Updated: 2021-09-02

Created: 2021-09-02

Private: No

**System Env**

Ubuntu 16.04(server)

Kernel: _Linux ubuntu 5.0.5-050005-generic #201903271212 SMP Wed Mar 27 16:14:07 UTC 2019 x8664 x8664 x8664 GNU/Linux_

gif2rgb 5.14

gcc version 7.5.0 (Ubuntu 7.5.0-3ubuntu1~18.04)

**Configure**

export CFLAGS="-g -fsanitize=address -fno-omit-frame-pointer" \\  
export LDFLAGS="-g -fsanitize=address -fno-omit-frame-pointer"

**Command**

./gif2rgb @@

**Output**

\[ 4389.814860\] Call Trace:
\[ 4389.815518\]  dump\_stack+0x63/0x8a
\[ 4389.815529\]  dump\_header+0x54/0x308
\[ 4389.815540\]  ? sched\_clock+0x9/0x10
\[ 4389.815549\]  oom\_kill\_process.cold.29+0xb/0x1d6
\[ 4389.815558\]  out\_of\_memory+0x1bc/0x480
\[ 4389.815568\]  \_\_alloc\_pages\_slowpath+0xb68/0xea0
\[ 4389.815578\]  \_\_alloc\_pages\_nodemask+0x2c4/0x2e0
\[ 4389.815589\]  alloc\_pages\_current+0x81/0xe0
\[ 4389.815599\]  \_\_page\_cache\_alloc+0x6a/0xa0
\[ 4389.815609\]  filemap\_fault+0x403/0x8a0
\[ 4389.815619\]  ? xas\_load+0xc/0x80
\[ 4389.815628\]  ? xas\_find+0x157/0x190
\[ 4389.815637\]  ? filemap\_map\_pages+0x84/0x380
\[ 4389.815647\]  ext4\_filemap\_fault+0x31/0x44
\[ 4389.815657\]  \_\_do\_fault+0x3c/0x130
\[ 4389.815667\]  \_\_handle\_mm\_fault+0xe4b/0x1280
\[ 4389.815677\]  ? \_\_switch\_to\_asm+0x34/0x70
\[ 4389.815687\]  handle\_mm\_fault+0xe1/0x210
\[ 4389.815696\]  \_\_do\_page\_fault+0x23a/0x4c0
\[ 4389.815706\]  do\_page\_fault+0x2e/0xe0
\[ 4389.815715\]  ? page\_fault+0x8/0x30
\[ 4389.815723\]  page\_fault+0x1e/0x30
\[ 4389.815743\] RIP: 0033:0x560d4760fed8
\[ 4389.815755\] Code: Bad RIP value.
\[ 4389.815763\] RSP: 002b:000000c420251cb0 EFLAGS: 00010283
\[ 4389.815771\] RAX: 0000560d491fcde0 RBX: 0000000000000001 RCX: 0000560d48a716c0
\[ 4389.815780\] RDX: 0000000000000018 RSI: 40442b34b36c38f7 RDI: 000000c420413970
\[ 4389.815788\] RBP: 000000c420251ce0 R08: 00007fff4c5c30b0 R09: 00007fff4c5c3080
\[ 4389.815796\] R10: 00000000000a1c8e R11: 0000000000001125 R12: 0000000000000000
\[ 4389.815803\] R13: 0000000000000018 R14: 0000000000000054 R15: 0000000000000100
\[ 4389.815812\] Mem-Info:
\[ 4389.815823\] active\_anon:772579 inactive\_anon:154814 isolated\_anon:0
                active\_file:14 inactive\_file:19 isolated\_file:0
                unevictable:0 dirty:0 writeback:0 unstable:0
                slab\_reclaimable:9443 slab\_unreclaimable:19149
                mapped:21 shmem:1 pagetables:4096 bounce:0
                free:21609 free\_pcp:0 free\_cma:0
\[ 4389.815832\] Node 0 active\_anon:3090316kB inactive\_anon:619256kB active\_file:56kB inactive\_file:76kB unevictable:0kB isolated(anon):0kB isolated(file):0kB mapped:84kB dirty:0kB writeback:0kB shmem:4kB shmem\_thp: 0kB shmem\_pmdmapped: 0kB anon\_thp: 0kB writeback\_tmp:0kB unstable:0kB all\_unreclaimable? yes
\[ 4389.815840\] Node 0 DMA free:15620kB min:268kB low:332kB high:396kB active\_anon:252kB inactive\_anon:0kB active\_file:0kB inactive\_file:0kB unevictable:0kB writepending:0kB present:15988kB managed:15904kB mlocked:0kB kernel\_stack:0kB pagetables:0kB bounce:0kB free\_pcp:0kB local\_pcp:0kB free\_cma:0kB
\[ 4389.815850\] lowmem\_reserve\[\]: 0 2908 3843 3843 3843
\[ 4389.815859\] Node 0 DMA32 free:54632kB min:50932kB low:63664kB high:76396kB active\_anon:2357544kB inactive\_anon:618328kB active\_file:112kB inactive\_file:224kB unevictable:0kB writepending:0kB present:3129152kB managed:3039312kB mlocked:0kB kernel\_stack:16kB pagetables:7248kB bounce:0kB free\_pcp:0kB local\_pcp:0kB free\_cma:0kB
…….
\[ 4389.815932\] Node 0 hugepages\_total\=0 hugepages\_free\=0 hugepages\_surp\=0 hugepages\_size\=1048576kB
\[ 4389.815940\] Node 0 hugepages\_total\=0 hugepages\_free\=0 hugepages\_surp\=0 hugepages\_size\=2048kB
\[ 4389.815948\] 116 total pagecache pages
\[ 4389.815957\] 25 pages in swap cache
\[ 4389.815965\] Swap cache stats: add 1380554, delete 1380498, find 9812/20857
\[ 4389.815973\] Free swap  \= 0kB
\[ 4389.815981\] Total swap \= 998396kB
\[ 4389.815989\] 1048429 pages RAM
\[ 4389.815996\] 0 pages HighMem/MovableOnly
\[ 4389.816004\] 45224 pages reserved
\[ 4389.816012\] 0 pages cma reserved
\[ 4389.816019\] 0 pages hwpoisoned
\[ 4389.816027\] Tasks state (memory values in pages):
\[ 4389.816035\] \[  pid  \]   uid  tgid total\_vm      rss pgtables\_bytes swapents oom\_score\_adj name
    ……
\[ 4389.817580\] \[   1640\]     0  1640     5702        1    90112      477             0 bash
\[ 4389.817588\] \[   1901\]     0  1901    24862        9   233472      238             0 sshd
\[ 4389.817597\] \[   1956\]     0  1956     5724       61    86016      439             0 bash
\[ 4389.817607\] \[   2416\]     0  2416 5368727780   926778 11087872   221610             0 gif2rgb
\[ 4389.817615\] oom-kill:constraint\=CONSTRAINT\_NONE,nodemask\=(null),cpuset\=/,mems\_allowed\=0,global\_oom,task\_memcg\=/user.slice,task\=gif2rgb,pid\=2416,uid\=0
\[ 4389.817643\] Out of memory: Kill process 2416 (gif2rgb) score 918 or sacrifice child
\[ 4389.819906\] Killed process 2416 (gif2rgb) total-vm:21474911120kB, anon-rss:3707108kB, file-rss:4kB, shmem-rss:0kB
\[ 4389.912731\] oom\_reaper: reaped process 2416 (gif2rgb), now anon-rss:0kB, file-rss:0kB, shmem-rss:0kB

**1 Attachments**

**Discussion**

Log in to post a comment.

CVE-2021-40633: GIFLIB / Bugs / #157 An OutofMemory-Exception or Memory Leak in gif2rgb

A vulnerability was found in Microsoft O365 and classified as critical. This issue affects the Conditional Access Policy which leads to improper access controls. By default the policy is not verified for every request. The attack may be initiated remotely. Exploit details have been disclosed to the public. It is recommended to change the configuration settings. NOTE: Vendor claims that pre-requisites are very high, the feature works as intended, and that configuration settings might mitigate the issue.

CVE-2022-2077: Suspected Russian Activity Targeting Government and Business Entities Around the Globe

A Chinese advanced persistent threat (APT) known as Gallium has been observed using a previously undocumented remote access trojan in its espionage attacks targeting companies operating in Southeast Asia, Europe, and Africa.
Called PingPull, the "difficult-to-detect" backdoor is notable for its use of the Internet Control Message Protocol (ICMP) for command-and-control (C2) communications,

A Chinese advanced persistent threat (APT) known as Gallium has been observed using a previously undocumented remote access trojan in its espionage attacks targeting companies operating in Southeast Asia, Europe, and Africa.

Called **PingPull**, the "difficult-to-detect" backdoor is notable for its use of the Internet Control Message Protocol (ICMP) for command-and-control (C2) communications, according to new research published by Palo Alto Networks Unit 42 today.

Gallium is known for its attacks primarily aimed at telecom companies dating as far back as 2012. Also tracked under the name Soft Cell by Cybereason, the state-sponsored actor has been connected to a broader set of attacks targeting five major telecom companies located in Southeast Asian countries since 2017.

Over the past year, however, the group is said to have expanded its victimology footprint to include financial institutions and government entities located in Afghanistan, Australia, Belgium, Cambodia, Malaysia, Mozambique, the Philippines, Russia, and Vietnam.

PingPull, a Visual C++-based malware, provides a threat actor the ability to access a reverse shell and run arbitrary commands on a compromised host. This encompasses carrying out file operations, enumerating storage volumes, and timestomping files.

"PingPull samples that use ICMP for C2 communications issue ICMP Echo Request (ping) packets to the C2 server," the researchers detailed. "The C2 server will reply to these Echo requests with an Echo Reply packet to issue commands to the system."

Also identified are PingPull variants that rely on HTTPS and TCP to communicate with its C2 server instead of ICMP and over 170 IP addresses associated with the group since late 2020.

It's not immediately clear how the targeted networks are breached, although the threat actor is known to exploit internet-exposed applications to gain an initial foothold and deploy a modified version of the China Chopper web shell to establish persistence.

"Gallium remains an active threat to telecommunications, finance and government organizations across Southeast Asia, Europe and Africa," the researchers noted.

"While the use of ICMP tunneling is not a new technique, PingPull uses ICMP to make it more difficult to detect its C2 communications, as few organizations implement inspection of ICMP traffic on their networks."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Chinese 'Gallium' Hackers Using New PingPull Malware in Cyberespionage Attacks

Use After Free in GitHub repository vim/vim prior to 8.2.

**Description**

When fuzzing vim commit 1d97db3d9 (works with latest build and latest commit 3760bfddc per this time of this report), I discovered a use after free.

**Proof of Concept**

Here is the minimized poc

    spe!ﬂ
    norm0z=
    norm0yy
    no0 P]svc
    sil!norm0
    norm0
    

How to build

    LD=lld AS=llvm-as AR=llvm-ar RANLIB=llvm-ranlib CC=clang CXX=clang++ CFLAGS="-fsanitize=address" CXXFLAGS="-fsanitize=address" LDFLAGS="-ldl -fsanitize=address" ./configure --with-features=huge --enable-gui=none
    make -j$(nproc)
    

Proof of Concept

Run crafted file with this command

./vim -u NONE -X -Z -e -s -S poc_skipwhite -c :qa!

ASan stack trace:

    aldo@vps:~/vim/src$ ASAN_OPTIONS=symbolize=1 ASAN_SYMBOLIZER_PATH=/usr/bin/llvm-symbolizer ./vim -u NONE -X -Z -e -s -S poc_skipwhite -c :qa!
    =================================================================
    ==3075856==ERROR: AddressSanitizer: heap-use-after-free on address 0x60200000a6b0 at pc 0x000000ecfe2d bp 0x7fffffff6310 sp 0x7fffffff6308
    READ of size 1 at 0x60200000a6b0 thread T0
        #0 0xecfe2c in skipwhite /home/aldo/vimtes/src/charset.c:1428:12
        #1 0xb6e45f in spell_move_to /home/aldo/vimtes/src/spell.c:1490:11
        #2 0x924ea0 in nv_brackets /home/aldo/vimtes/src/normal.c:4580:10
        #3 0x8ffa60 in normal_cmd /home/aldo/vimtes/src/normal.c:939:5
        #4 0xee6537 in main_loop /home/aldo/vimtes/src/main.c:1516:3
        #5 0x737610 in open_cmdwin /home/aldo/vimtes/src/ex_getln.c:4528:5
        #6 0x7273f3 in getcmdline_int /home/aldo/vimtes/src/ex_getln.c:1952:7
        #7 0x723da8 in getcmdline /home/aldo/vimtes/src/ex_getln.c:1570:12
        #8 0x91bde8 in nv_search /home/aldo/vimtes/src/normal.c:4155:22
        #9 0x8ffa60 in normal_cmd /home/aldo/vimtes/src/normal.c:939:5
        #10 0x6ffb9d in exec_normal /home/aldo/vimtes/src/ex_docmd.c:8800:6
        #11 0x6ff7a3 in exec_normal_cmd /home/aldo/vimtes/src/ex_docmd.c:8763:5
        #12 0x6ff503 in ex_normal /home/aldo/vimtes/src/ex_docmd.c:8681:6
        #13 0x6da762 in do_one_cmd /home/aldo/vimtes/src/ex_docmd.c:2568:2
        #14 0x6ce492 in do_cmdline /home/aldo/vimtes/src/ex_docmd.c:992:17
        #15 0xb04ed5 in do_source_ext /home/aldo/vimtes/src/scriptfile.c:1674:5
        #16 0xb02920 in do_source /home/aldo/vimtes/src/scriptfile.c:1801:12
        #17 0xb02459 in cmd_source /home/aldo/vimtes/src/scriptfile.c:1174:14
        #18 0xb01f3d in ex_source /home/aldo/vimtes/src/scriptfile.c:1200:2
        #19 0x6da762 in do_one_cmd /home/aldo/vimtes/src/ex_docmd.c:2568:2
        #20 0x6ce492 in do_cmdline /home/aldo/vimtes/src/ex_docmd.c:992:17
        #21 0x6d1720 in do_cmdline_cmd /home/aldo/vimtes/src/ex_docmd.c:586:12
        #22 0xee5274 in exe_commands /home/aldo/vimtes/src/main.c:3106:2
        #23 0xee2fa9 in vim_main2 /home/aldo/vimtes/src/main.c:780:2
        #24 0xedc890 in main /home/aldo/vimtes/src/main.c:432:12
        #25 0x7ffff7824082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
        #26 0x41eded in _start (/home/aldo/vimtes/src/vim+0x41eded)
    
    0x60200000a6b0 is located 0 bytes inside of 1-byte region [0x60200000a6b0,0x60200000a6b1)
    freed by thread T0 here:
        #0 0x499a42 in free (/home/aldo/vimtes/src/vim+0x499a42)
        #1 0x4cb508 in vim_free /home/aldo/vimtes/src/alloc.c:621:2
        #2 0x880a6e in ml_flush_line /home/aldo/vimtes/src/memline.c:4063:2
        #3 0x88ee8c in ml_get_buf /home/aldo/vimtes/src/memline.c:2651:2
        #4 0xb6d6d7 in spell_move_to /home/aldo/vimtes/src/spell.c:1347:6
        #5 0x924ea0 in nv_brackets /home/aldo/vimtes/src/normal.c:4580:10
        #6 0x8ffa60 in normal_cmd /home/aldo/vimtes/src/normal.c:939:5
        #7 0xee6537 in main_loop /home/aldo/vimtes/src/main.c:1516:3
        #8 0x737610 in open_cmdwin /home/aldo/vimtes/src/ex_getln.c:4528:5
        #9 0x7273f3 in getcmdline_int /home/aldo/vimtes/src/ex_getln.c:1952:7
        #10 0x723da8 in getcmdline /home/aldo/vimtes/src/ex_getln.c:1570:12
        #11 0x91bde8 in nv_search /home/aldo/vimtes/src/normal.c:4155:22
        #12 0x8ffa60 in normal_cmd /home/aldo/vimtes/src/normal.c:939:5
        #13 0x6ffb9d in exec_normal /home/aldo/vimtes/src/ex_docmd.c:8800:6
        #14 0x6ff7a3 in exec_normal_cmd /home/aldo/vimtes/src/ex_docmd.c:8763:5
        #15 0x6ff503 in ex_normal /home/aldo/vimtes/src/ex_docmd.c:8681:6
        #16 0x6da762 in do_one_cmd /home/aldo/vimtes/src/ex_docmd.c:2568:2
        #17 0x6ce492 in do_cmdline /home/aldo/vimtes/src/ex_docmd.c:992:17
        #18 0xb04ed5 in do_source_ext /home/aldo/vimtes/src/scriptfile.c:1674:5
        #19 0xb02920 in do_source /home/aldo/vimtes/src/scriptfile.c:1801:12
        #20 0xb02459 in cmd_source /home/aldo/vimtes/src/scriptfile.c:1174:14
        #21 0xb01f3d in ex_source /home/aldo/vimtes/src/scriptfile.c:1200:2
        #22 0x6da762 in do_one_cmd /home/aldo/vimtes/src/ex_docmd.c:2568:2
        #23 0x6ce492 in do_cmdline /home/aldo/vimtes/src/ex_docmd.c:992:17
        #24 0x6d1720 in do_cmdline_cmd /home/aldo/vimtes/src/ex_docmd.c:586:12
        #25 0xee5274 in exe_commands /home/aldo/vimtes/src/main.c:3106:2
        #26 0xee2fa9 in vim_main2 /home/aldo/vimtes/src/main.c:780:2
        #27 0xedc890 in main /home/aldo/vimtes/src/main.c:432:12
        #28 0x7ffff7824082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
    
    previously allocated by thread T0 here:
        #0 0x499cad in malloc (/home/aldo/vimtes/src/vim+0x499cad)
        #1 0x4cb100 in lalloc /home/aldo/vimtes/src/alloc.c:246:11
        #2 0x4cb059 in alloc /home/aldo/vimtes/src/alloc.c:151:12
        #3 0xaca43c in do_put /home/aldo/vimtes/src/register.c:2126:14
        #4 0x935553 in nv_put_opt /home/aldo/vimtes/src/normal.c:7355:2
        #5 0x922656 in nv_put /home/aldo/vimtes/src/normal.c:7234:5
        #6 0x92cb00 in nv_zet /home/aldo/vimtes/src/normal.c:2823:16
        #7 0x8ffa60 in normal_cmd /home/aldo/vimtes/src/normal.c:939:5
        #8 0xee6537 in main_loop /home/aldo/vimtes/src/main.c:1516:3
        #9 0x737610 in open_cmdwin /home/aldo/vimtes/src/ex_getln.c:4528:5
        #10 0x7273f3 in getcmdline_int /home/aldo/vimtes/src/ex_getln.c:1952:7
        #11 0x723da8 in getcmdline /home/aldo/vimtes/src/ex_getln.c:1570:12
        #12 0x91bde8 in nv_search /home/aldo/vimtes/src/normal.c:4155:22
        #13 0x8ffa60 in normal_cmd /home/aldo/vimtes/src/normal.c:939:5
        #14 0x6ffb9d in exec_normal /home/aldo/vimtes/src/ex_docmd.c:8800:6
        #15 0x6ff7a3 in exec_normal_cmd /home/aldo/vimtes/src/ex_docmd.c:8763:5
        #16 0x6ff503 in ex_normal /home/aldo/vimtes/src/ex_docmd.c:8681:6
        #17 0x6da762 in do_one_cmd /home/aldo/vimtes/src/ex_docmd.c:2568:2
        #18 0x6ce492 in do_cmdline /home/aldo/vimtes/src/ex_docmd.c:992:17
        #19 0xb04ed5 in do_source_ext /home/aldo/vimtes/src/scriptfile.c:1674:5
        #20 0xb02920 in do_source /home/aldo/vimtes/src/scriptfile.c:1801:12
        #21 0xb02459 in cmd_source /home/aldo/vimtes/src/scriptfile.c:1174:14
        #22 0xb01f3d in ex_source /home/aldo/vimtes/src/scriptfile.c:1200:2
        #23 0x6da762 in do_one_cmd /home/aldo/vimtes/src/ex_docmd.c:2568:2
        #24 0x6ce492 in do_cmdline /home/aldo/vimtes/src/ex_docmd.c:992:17
        #25 0x6d1720 in do_cmdline_cmd /home/aldo/vimtes/src/ex_docmd.c:586:12
        #26 0xee5274 in exe_commands /home/aldo/vimtes/src/main.c:3106:2
        #27 0xee2fa9 in vim_main2 /home/aldo/vimtes/src/main.c:780:2
        #28 0xedc890 in main /home/aldo/vimtes/src/main.c:432:12
        #29 0x7ffff7824082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
    
    SUMMARY: AddressSanitizer: heap-use-after-free /home/aldo/vimtes/src/charset.c:1428:12 in skipwhite
    Shadow bytes around the buggy address:
      0x0c047fff9480: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
      0x0c047fff9490: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
      0x0c047fff94a0: fa fa fd fa fa fa fd fa fa fa fd fd fa fa fd fa
      0x0c047fff94b0: fa fa fd fa fa fa 02 fa fa fa 00 00 fa fa 02 fa
      0x0c047fff94c0: fa fa 02 fa fa fa 01 fa fa fa fd fa fa fa fd fa
    =>0x0c047fff94d0: fa fa 00 00 fa fa[fd]fa fa fa fd fa fa fa fd fa
      0x0c047fff94e0: fa fa fd fa fa fa 02 fa fa fa fa fa fa fa fa fa
      0x0c047fff94f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff9500: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff9510: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff9520: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==3075856==ABORTING
    

**Impact**

This vulnerability is capable of crashing software, Bypass Protection Mechanism, Modify Memory, and possible remote execution

CVE-2022-2042: use after free in skipwhite in vim

An issue was discovered in Bento4 v1.2. There is an allocation size request error in /Ap4RtpAtom.cpp.

SUMMARY: AddressSanitizer: requested allocation size 0xfffffffffffffffd in /Source/C++/Core/Ap4RtpAtom.cpp:49

*   Version

    $ ./mp42hls 
    MP4 To HLS File Converter - Version 1.2
    (Bento4 Version 1.6.0.0)
    (c) 2002-2018 Axiomatic Systems, LLC
    

branch d02ef82

*   Platform

    $ gcc --version
    gcc (Ubuntu 9.4.0-1ubuntu1~20.04.1) 9.4.0
    Copyright (C) 2019 Free Software Foundation, Inc.
    This is free software; see the source for copying conditions.  There is NO
    warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
    
    $ uname -r
    5.13.0-40-generic
    
    $ lsb_release -a
    No LSB modules are available.
    Distributor ID:	Ubuntu
    Description:	Ubuntu 20.04.4 LTS
    Release:	20.04
    Codename:	focal
    

*   Steps to reproduce

    $ mkdir build
    $ cd build
    $ cmake .. -DCMAKE_CXX_FLAGS="-fsanitize=address -g" -DCMAKE_C_FLAGS="-fsanitize=address -g" -DCMAKE_EXE_LINKER_FLAGS="-fsanitize=address" -DCMAKE_MODULE_LINKER_FLAGS="-fsanitize=address"
    $ make
    
    $ ./mp42hls poc
    

*   Asan

    $ ./mp42hls poc
    =================================================================
    ==2656357==ERROR: AddressSanitizer: requested allocation size 0xfffffffffffffffd (0x800 after adjustments for alignment, red zones etc.) exceeds maximum supported size of 0x10000000000 (thread T0)
        #0 0x7f94774c8787 in operator new[](unsigned long) ../../../../src/libsanitizer/asan/asan_new_delete.cc:107
        #1 0x55c100eee930 in AP4_RtpAtom::AP4_RtpAtom(unsigned int, AP4_ByteStream&) /home/wulearn/Bento4/Source/C++/Core/Ap4RtpAtom.cpp:49
        #2 0x55c100e75f4d in AP4_RtpAtom::Create(unsigned int, AP4_ByteStream&) (/home/wulearn/Bento4/build/mp42hls+0x352f4d)
        #3 0x55c100e744da in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /home/wulearn/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:689
        #4 0x55c100e70f7a in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /home/wulearn/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234
        #5 0x55c100e70549 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, AP4_Atom*&) /home/wulearn/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:154
        #6 0x55c100ea1392 in AP4_File::ParseStream(AP4_ByteStream&, AP4_AtomFactory&, bool) /home/wulearn/Bento4/Source/C++/Core/Ap4File.cpp:104
        #7 0x55c100ea0fe0 in AP4_File::AP4_File(AP4_ByteStream&, bool) /home/wulearn/Bento4/Source/C++/Core/Ap4File.cpp:78
        #8 0x55c100e5bb38 in main /home/wulearn/Bento4/Source/C++/Apps/Mp42Hls/Mp42Hls.cpp:1894
        #9 0x7f9476e9f0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x240b2)
    
    ==2656357==HINT: if you don't care about these errors you may set allocator_may_return_null=1
    SUMMARY: AddressSanitizer: allocation-size-too-big ../../../../src/libsanitizer/asan/asan_new_delete.cc:107 in operator new[](unsigned long)
    ==2656357==ABORTING
    

poc: poc.zip

Thanks!

CVE-2022-31287: requested allocation size 0xfffffffffffffffd in /Source/C++/Core/Ap4RtpAtom.cpp:49 · Issue #703 · axiomatic-systems/Bento4

An issue was discovered in Bento4 1.2. The allocator is out of memory in /Source/C++/Core/Ap4Array.h.

SUMMARY: AddressSanitizer: allocator is out of memory in /Source/C++/Core/Ap4Array.h:172

*   Version

    $ ./mp42hls 
    MP4 To HLS File Converter - Version 1.2
    (Bento4 Version 1.6.0.0)
    (c) 2002-2018 Axiomatic Systems, LLC
    

branch d02ef82

*   Platform

    $ gcc --version
    gcc (Ubuntu 9.4.0-1ubuntu1~20.04.1) 9.4.0
    Copyright (C) 2019 Free Software Foundation, Inc.
    This is free software; see the source for copying conditions.  There is NO
    warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
    
    $ uname -r
    5.13.0-40-generic
    
    $ lsb_release -a
    No LSB modules are available.
    Distributor ID:	Ubuntu
    Description:	Ubuntu 20.04.4 LTS
    Release:	20.04
    Codename:	focal
    

*   Steps to reproduce

    $ mkdir build
    $ cd build
    $ cmake .. -DCMAKE_CXX_FLAGS="-fsanitize=address -g" -DCMAKE_C_FLAGS="-fsanitize=address -g" -DCMAKE_EXE_LINKER_FLAGS="-fsanitize=address" -DCMAKE_MODULE_LINKER_FLAGS="-fsanitize=address"
    $ make
    
    $ ./mp42hls poc
    

*   Asan

    $ ./mp42hls poc
    =================================================================
    ==2569847==ERROR: AddressSanitizer: allocator is out of memory trying to allocate 0x64f7ff3b0 bytes
        #0 0x7f4dacc42587 in operator new(unsigned long) ../../../../src/libsanitizer/asan/asan_new_delete.cc:104
        #1 0x55b48862ff7c in AP4_Array<AP4_TrunAtom::Entry>::EnsureCapacity(unsigned int) (/home/wulearn/Bento4/build/mp42hls+0x40af7c)
        #2 0x55b48862fcf0 in AP4_Array<AP4_TrunAtom::Entry>::SetItemCount(unsigned int) /home/wulearn/Bento4/Source/C++/Core/Ap4Array.h:210
        #3 0x55b48862e470 in AP4_TrunAtom::AP4_TrunAtom(unsigned int, unsigned char, unsigned int, AP4_ByteStream&) /home/wulearn/Bento4/Source/C++/Core/Ap4TrunAtom.cpp:127
        #4 0x55b48862de8a in AP4_TrunAtom::Create(unsigned int, AP4_ByteStream&) /home/wulearn/Bento4/Source/C++/Core/Ap4TrunAtom.cpp:51
        #5 0x55b4885751ab in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /home/wulearn/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:438
        #6 0x55b488572f7a in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /home/wulearn/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234
        #7 0x55b488572549 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, AP4_Atom*&) /home/wulearn/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:154
        #8 0x55b4885a3392 in AP4_File::ParseStream(AP4_ByteStream&, AP4_AtomFactory&, bool) /home/wulearn/Bento4/Source/C++/Core/Ap4File.cpp:104
        #9 0x55b4885a2fe0 in AP4_File::AP4_File(AP4_ByteStream&, bool) /home/wulearn/Bento4/Source/C++/Core/Ap4File.cpp:78
        #10 0x55b48855db38 in main /home/wulearn/Bento4/Source/C++/Apps/Mp42Hls/Mp42Hls.cpp:1894
        #11 0x7f4dac6190b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x240b2)
    
    ==2569847==HINT: if you don't care about these errors you may set allocator_may_return_null=1
    SUMMARY: AddressSanitizer: out-of-memory ../../../../src/libsanitizer/asan/asan_new_delete.cc:104 in operator new(unsigned long)
    ==2569847==ABORTING
    

poc: poc.zip

Thanks!

Tag

#c++