Red Hat Security Advisory 2023-4704-01 - The subscription-manager packages provide programs and libraries to allow users to manage subscriptions and yum repositories from the Red Hat entitlement platform.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: subscription-manager security update  
Advisory ID:       RHSA-2023:4704-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:4704  
Issue date:        2023-08-22  
CVE Names:         CVE-2023-3899  
====================================================================  
1. Summary:

An update for subscription-manager is now available for Red Hat Enterprise  
Linux 8.4 Advanced Mission Critical Update Support, Red Hat Enterprise  
Linux 8.4 Telecommunications Update Service, and Red Hat Enterprise Linux  
8.4 Update Services for SAP Solutions.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream AUS (v.8.4) - x86_64  
Red Hat Enterprise Linux AppStream E4S (v.8.4) - aarch64, ppc64le, s390x, x86_64  
Red Hat Enterprise Linux AppStream TUS (v.8.4) - aarch64, ppc64le, s390x, x86_64  
Red Hat Enterprise Linux BaseOS AUS (v.8.4) - noarch, x86_64  
Red Hat Enterprise Linux BaseOS E4S (v.8.4) - aarch64, noarch, ppc64le, s390x, x86_64  
Red Hat Enterprise Linux BaseOS TUS (v.8.4) - aarch64, noarch, ppc64le, s390x, x86_64

3. Description:

The subscription-manager packages provide programs and libraries to allow  
users to manage subscriptions and yum repositories from the Red Hat  
entitlement platform.

Security Fix(es):

* subscription-manager: inadequate authorization of com.redhat.RHSM1 D-Bus  
interface allows local users to modify configuration (CVE-2023-3899)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2225407 - CVE-2023-3899 subscription-manager: inadequate authorization of com.redhat.RHSM1 D-Bus interface allows local users to modify configuration

6. Package List:

Red Hat Enterprise Linux AppStream AUS (v.8.4):

x86_64:  
dnf-plugin-subscription-manager-debuginfo-1.28.13-7.el8_4.x86_64.rpm  
python3-subscription-manager-rhsm-debuginfo-1.28.13-7.el8_4.x86_64.rpm  
rhsm-gtk-1.28.13-7.el8_4.x86_64.rpm  
subscription-manager-debuginfo-1.28.13-7.el8_4.x86_64.rpm  
subscription-manager-debugsource-1.28.13-7.el8_4.x86_64.rpm  
subscription-manager-initial-setup-addon-1.28.13-7.el8_4.x86_64.rpm  
subscription-manager-migration-1.28.13-7.el8_4.x86_64.rpm

Red Hat Enterprise Linux AppStream E4S (v.8.4):

aarch64:  
dnf-plugin-subscription-manager-debuginfo-1.28.13-7.el8_4.aarch64.rpm  
python3-subscription-manager-rhsm-debuginfo-1.28.13-7.el8_4.aarch64.rpm  
rhsm-gtk-1.28.13-7.el8_4.aarch64.rpm  
subscription-manager-debuginfo-1.28.13-7.el8_4.aarch64.rpm  
subscription-manager-debugsource-1.28.13-7.el8_4.aarch64.rpm  
subscription-manager-initial-setup-addon-1.28.13-7.el8_4.aarch64.rpm  
subscription-manager-migration-1.28.13-7.el8_4.aarch64.rpm

ppc64le:  
dnf-plugin-subscription-manager-debuginfo-1.28.13-7.el8_4.ppc64le.rpm  
python3-subscription-manager-rhsm-debuginfo-1.28.13-7.el8_4.ppc64le.rpm  
rhsm-gtk-1.28.13-7.el8_4.ppc64le.rpm  
subscription-manager-debuginfo-1.28.13-7.el8_4.ppc64le.rpm  
subscription-manager-debugsource-1.28.13-7.el8_4.ppc64le.rpm  
subscription-manager-initial-setup-addon-1.28.13-7.el8_4.ppc64le.rpm  
subscription-manager-migration-1.28.13-7.el8_4.ppc64le.rpm

s390x:  
dnf-plugin-subscription-manager-debuginfo-1.28.13-7.el8_4.s390x.rpm  
python3-subscription-manager-rhsm-debuginfo-1.28.13-7.el8_4.s390x.rpm  
rhsm-gtk-1.28.13-7.el8_4.s390x.rpm  
subscription-manager-debuginfo-1.28.13-7.el8_4.s390x.rpm  
subscription-manager-debugsource-1.28.13-7.el8_4.s390x.rpm  
subscription-manager-initial-setup-addon-1.28.13-7.el8_4.s390x.rpm  
subscription-manager-migration-1.28.13-7.el8_4.s390x.rpm

x86_64:  
dnf-plugin-subscription-manager-debuginfo-1.28.13-7.el8_4.x86_64.rpm  
python3-subscription-manager-rhsm-debuginfo-1.28.13-7.el8_4.x86_64.rpm  
rhsm-gtk-1.28.13-7.el8_4.x86_64.rpm  
subscription-manager-debuginfo-1.28.13-7.el8_4.x86_64.rpm  
subscription-manager-debugsource-1.28.13-7.el8_4.x86_64.rpm  
subscription-manager-initial-setup-addon-1.28.13-7.el8_4.x86_64.rpm  
subscription-manager-migration-1.28.13-7.el8_4.x86_64.rpm

Red Hat Enterprise Linux AppStream TUS (v.8.4):

aarch64:  
dnf-plugin-subscription-manager-debuginfo-1.28.13-7.el8_4.aarch64.rpm  
python3-subscription-manager-rhsm-debuginfo-1.28.13-7.el8_4.aarch64.rpm  
rhsm-gtk-1.28.13-7.el8_4.aarch64.rpm  
subscription-manager-debuginfo-1.28.13-7.el8_4.aarch64.rpm  
subscription-manager-debugsource-1.28.13-7.el8_4.aarch64.rpm  
subscription-manager-initial-setup-addon-1.28.13-7.el8_4.aarch64.rpm  
subscription-manager-migration-1.28.13-7.el8_4.aarch64.rpm

ppc64le:  
dnf-plugin-subscription-manager-debuginfo-1.28.13-7.el8_4.ppc64le.rpm  
python3-subscription-manager-rhsm-debuginfo-1.28.13-7.el8_4.ppc64le.rpm  
rhsm-gtk-1.28.13-7.el8_4.ppc64le.rpm  
subscription-manager-debuginfo-1.28.13-7.el8_4.ppc64le.rpm  
subscription-manager-debugsource-1.28.13-7.el8_4.ppc64le.rpm  
subscription-manager-initial-setup-addon-1.28.13-7.el8_4.ppc64le.rpm  
subscription-manager-migration-1.28.13-7.el8_4.ppc64le.rpm

s390x:  
dnf-plugin-subscription-manager-debuginfo-1.28.13-7.el8_4.s390x.rpm  
python3-subscription-manager-rhsm-debuginfo-1.28.13-7.el8_4.s390x.rpm  
rhsm-gtk-1.28.13-7.el8_4.s390x.rpm  
subscription-manager-debuginfo-1.28.13-7.el8_4.s390x.rpm  
subscription-manager-debugsource-1.28.13-7.el8_4.s390x.rpm  
subscription-manager-initial-setup-addon-1.28.13-7.el8_4.s390x.rpm  
subscription-manager-migration-1.28.13-7.el8_4.s390x.rpm

x86_64:  
dnf-plugin-subscription-manager-debuginfo-1.28.13-7.el8_4.x86_64.rpm  
python3-subscription-manager-rhsm-debuginfo-1.28.13-7.el8_4.x86_64.rpm  
rhsm-gtk-1.28.13-7.el8_4.x86_64.rpm  
subscription-manager-debuginfo-1.28.13-7.el8_4.x86_64.rpm  
subscription-manager-debugsource-1.28.13-7.el8_4.x86_64.rpm  
subscription-manager-initial-setup-addon-1.28.13-7.el8_4.x86_64.rpm  
subscription-manager-migration-1.28.13-7.el8_4.x86_64.rpm

Red Hat Enterprise Linux BaseOS AUS (v.8.4):

Source:  
subscription-manager-1.28.13-7.el8_4.src.rpm

noarch:  
rhsm-icons-1.28.13-7.el8_4.noarch.rpm  
subscription-manager-cockpit-1.28.13-7.el8_4.noarch.rpm

x86_64:  
dnf-plugin-subscription-manager-1.28.13-7.el8_4.x86_64.rpm  
dnf-plugin-subscription-manager-debuginfo-1.28.13-7.el8_4.x86_64.rpm  
python3-subscription-manager-rhsm-1.28.13-7.el8_4.x86_64.rpm  
python3-subscription-manager-rhsm-debuginfo-1.28.13-7.el8_4.x86_64.rpm  
python3-syspurpose-1.28.13-7.el8_4.x86_64.rpm  
subscription-manager-1.28.13-7.el8_4.x86_64.rpm  
subscription-manager-debuginfo-1.28.13-7.el8_4.x86_64.rpm  
subscription-manager-debugsource-1.28.13-7.el8_4.x86_64.rpm  
subscription-manager-plugin-ostree-1.28.13-7.el8_4.x86_64.rpm  
subscription-manager-rhsm-certificates-1.28.13-7.el8_4.x86_64.rpm

Red Hat Enterprise Linux BaseOS E4S (v.8.4):

Source:  
subscription-manager-1.28.13-7.el8_4.src.rpm

aarch64:  
dnf-plugin-subscription-manager-1.28.13-7.el8_4.aarch64.rpm  
dnf-plugin-subscription-manager-debuginfo-1.28.13-7.el8_4.aarch64.rpm  
python3-subscription-manager-rhsm-1.28.13-7.el8_4.aarch64.rpm  
python3-subscription-manager-rhsm-debuginfo-1.28.13-7.el8_4.aarch64.rpm  
python3-syspurpose-1.28.13-7.el8_4.aarch64.rpm  
subscription-manager-1.28.13-7.el8_4.aarch64.rpm  
subscription-manager-debuginfo-1.28.13-7.el8_4.aarch64.rpm  
subscription-manager-debugsource-1.28.13-7.el8_4.aarch64.rpm  
subscription-manager-plugin-ostree-1.28.13-7.el8_4.aarch64.rpm  
subscription-manager-rhsm-certificates-1.28.13-7.el8_4.aarch64.rpm

noarch:  
rhsm-icons-1.28.13-7.el8_4.noarch.rpm  
subscription-manager-cockpit-1.28.13-7.el8_4.noarch.rpm

ppc64le:  
dnf-plugin-subscription-manager-1.28.13-7.el8_4.ppc64le.rpm  
dnf-plugin-subscription-manager-debuginfo-1.28.13-7.el8_4.ppc64le.rpm  
python3-subscription-manager-rhsm-1.28.13-7.el8_4.ppc64le.rpm  
python3-subscription-manager-rhsm-debuginfo-1.28.13-7.el8_4.ppc64le.rpm  
python3-syspurpose-1.28.13-7.el8_4.ppc64le.rpm  
subscription-manager-1.28.13-7.el8_4.ppc64le.rpm  
subscription-manager-debuginfo-1.28.13-7.el8_4.ppc64le.rpm  
subscription-manager-debugsource-1.28.13-7.el8_4.ppc64le.rpm  
subscription-manager-plugin-ostree-1.28.13-7.el8_4.ppc64le.rpm  
subscription-manager-rhsm-certificates-1.28.13-7.el8_4.ppc64le.rpm

s390x:  
dnf-plugin-subscription-manager-1.28.13-7.el8_4.s390x.rpm  
dnf-plugin-subscription-manager-debuginfo-1.28.13-7.el8_4.s390x.rpm  
python3-subscription-manager-rhsm-1.28.13-7.el8_4.s390x.rpm  
python3-subscription-manager-rhsm-debuginfo-1.28.13-7.el8_4.s390x.rpm  
python3-syspurpose-1.28.13-7.el8_4.s390x.rpm  
subscription-manager-1.28.13-7.el8_4.s390x.rpm  
subscription-manager-debuginfo-1.28.13-7.el8_4.s390x.rpm  
subscription-manager-debugsource-1.28.13-7.el8_4.s390x.rpm  
subscription-manager-plugin-ostree-1.28.13-7.el8_4.s390x.rpm  
subscription-manager-rhsm-certificates-1.28.13-7.el8_4.s390x.rpm

x86_64:  
dnf-plugin-subscription-manager-1.28.13-7.el8_4.x86_64.rpm  
dnf-plugin-subscription-manager-debuginfo-1.28.13-7.el8_4.x86_64.rpm  
python3-subscription-manager-rhsm-1.28.13-7.el8_4.x86_64.rpm  
python3-subscription-manager-rhsm-debuginfo-1.28.13-7.el8_4.x86_64.rpm  
python3-syspurpose-1.28.13-7.el8_4.x86_64.rpm  
subscription-manager-1.28.13-7.el8_4.x86_64.rpm  
subscription-manager-debuginfo-1.28.13-7.el8_4.x86_64.rpm  
subscription-manager-debugsource-1.28.13-7.el8_4.x86_64.rpm  
subscription-manager-plugin-ostree-1.28.13-7.el8_4.x86_64.rpm  
subscription-manager-rhsm-certificates-1.28.13-7.el8_4.x86_64.rpm

Red Hat Enterprise Linux BaseOS TUS (v.8.4):

Source:  
subscription-manager-1.28.13-7.el8_4.src.rpm

aarch64:  
dnf-plugin-subscription-manager-1.28.13-7.el8_4.aarch64.rpm  
dnf-plugin-subscription-manager-debuginfo-1.28.13-7.el8_4.aarch64.rpm  
python3-subscription-manager-rhsm-1.28.13-7.el8_4.aarch64.rpm  
python3-subscription-manager-rhsm-debuginfo-1.28.13-7.el8_4.aarch64.rpm  
python3-syspurpose-1.28.13-7.el8_4.aarch64.rpm  
subscription-manager-1.28.13-7.el8_4.aarch64.rpm  
subscription-manager-debuginfo-1.28.13-7.el8_4.aarch64.rpm  
subscription-manager-debugsource-1.28.13-7.el8_4.aarch64.rpm  
subscription-manager-plugin-ostree-1.28.13-7.el8_4.aarch64.rpm  
subscription-manager-rhsm-certificates-1.28.13-7.el8_4.aarch64.rpm

noarch:  
rhsm-icons-1.28.13-7.el8_4.noarch.rpm  
subscription-manager-cockpit-1.28.13-7.el8_4.noarch.rpm

ppc64le:  
dnf-plugin-subscription-manager-1.28.13-7.el8_4.ppc64le.rpm  
dnf-plugin-subscription-manager-debuginfo-1.28.13-7.el8_4.ppc64le.rpm  
python3-subscription-manager-rhsm-1.28.13-7.el8_4.ppc64le.rpm  
python3-subscription-manager-rhsm-debuginfo-1.28.13-7.el8_4.ppc64le.rpm  
python3-syspurpose-1.28.13-7.el8_4.ppc64le.rpm  
subscription-manager-1.28.13-7.el8_4.ppc64le.rpm  
subscription-manager-debuginfo-1.28.13-7.el8_4.ppc64le.rpm  
subscription-manager-debugsource-1.28.13-7.el8_4.ppc64le.rpm  
subscription-manager-plugin-ostree-1.28.13-7.el8_4.ppc64le.rpm  
subscription-manager-rhsm-certificates-1.28.13-7.el8_4.ppc64le.rpm

s390x:  
dnf-plugin-subscription-manager-1.28.13-7.el8_4.s390x.rpm  
dnf-plugin-subscription-manager-debuginfo-1.28.13-7.el8_4.s390x.rpm  
python3-subscription-manager-rhsm-1.28.13-7.el8_4.s390x.rpm  
python3-subscription-manager-rhsm-debuginfo-1.28.13-7.el8_4.s390x.rpm  
python3-syspurpose-1.28.13-7.el8_4.s390x.rpm  
subscription-manager-1.28.13-7.el8_4.s390x.rpm  
subscription-manager-debuginfo-1.28.13-7.el8_4.s390x.rpm  
subscription-manager-debugsource-1.28.13-7.el8_4.s390x.rpm  
subscription-manager-plugin-ostree-1.28.13-7.el8_4.s390x.rpm  
subscription-manager-rhsm-certificates-1.28.13-7.el8_4.s390x.rpm

x86_64:  
dnf-plugin-subscription-manager-1.28.13-7.el8_4.x86_64.rpm  
dnf-plugin-subscription-manager-debuginfo-1.28.13-7.el8_4.x86_64.rpm  
python3-subscription-manager-rhsm-1.28.13-7.el8_4.x86_64.rpm  
python3-subscription-manager-rhsm-debuginfo-1.28.13-7.el8_4.x86_64.rpm  
python3-syspurpose-1.28.13-7.el8_4.x86_64.rpm  
subscription-manager-1.28.13-7.el8_4.x86_64.rpm  
subscription-manager-debuginfo-1.28.13-7.el8_4.x86_64.rpm  
subscription-manager-debugsource-1.28.13-7.el8_4.x86_64.rpm  
subscription-manager-plugin-ostree-1.28.13-7.el8_4.x86_64.rpm  
subscription-manager-rhsm-certificates-1.28.13-7.el8_4.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2023-3899  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIcBAEBCAAGBQJk5RhRAAoJENzjgjWX9erEkFcQAJXsfy9Mcja8GUJAasrRvvWI  
8WX0dfXyFduP4MvuyEUJnciNQgegAtvFODdxLQN6d9NJckyhFhsLyQ5wAZHvzLcJ  
udLORc9cn42P4t2XuoWsXApeBTUYyxRW1fmJJzMyeTmGTtDEf4F/TTQEa/j/gjvI  
CJ1f58PdspccDQLhppj02bFdwDHM+W6uLaKookyn2DuZ5hlmoRMbWNV4N0mde+4i  
GI66+u22FjWjr3EzbwcOiScsuFUSYVELnul7lyaJ0oSdVvAbnHSoxJpUojmUJU0t  
7jZHGOuiXuae+4SA75cwDTm4ZYvyrreEYQnqVHsXkSa+6LBFYfO3m+cqF3rgJxzI  
/MD2VPq12iIreGP0iXQZRfpU29SL8A95G/D5X6N1Ch+g48SbxMlIUX2WzRC5HxyU  
32vpTNVNiJmTh+11Adc++Tj+qZAO1PEMsnc3jG+AiXEcGwgtmHVI8ZVT+hWZLdQt  
JYKA1Ow6ilWC0wNktl/REvSe3LSb1CLRMU1lyPeZ85fAg/Thlox7bpPz5ndCM35E  
MGchKCjYyEz16puV3fMFJbM5YKsVLPELed6Y52q8cA0pM7AZ8lpMOkWjcrHJFKMS  
nNE01Upgef/JdfIlDjXqIXUIzI1Fq9zVrz7zMM3QHa7K5jhnyg4weSVCV18fkw83  
KJ5IItPF26Ky/o5clbmc  
=xl+P  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-4704-01

Buffer Overflow vulnerability in function bitwriter_grow_ in flac before 1.4.0 allows remote attackers to run arbitrary code via crafted input to the encoder.

we found wild-addr-write by fuzzing flac-master:

    ==217==ERROR: AddressSanitizer: SEGV on unknown address 0xb6029a2c (pc 0x0822a2ae bp 0xffeb31e8 sp 0xffeb30a0 T0)
    ==217==The signal is caused by a WRITE memory access.
    SCARINESS: 30 (wild-addr-write)
        #0 0x822a2ad in FLAC__bitwriter_write_raw_uint32_nocheck /src/flac/src/libFLAC/bitwriter.c
        #1 0x8229a42 in FLAC__bitwriter_write_raw_uint32 /src/flac/src/libFLAC/bitwriter.c:369:9
        #2 0x8218ec3 in FLAC__frame_add_header /src/flac/src/libFLAC/stream_encoder_framing.c:227:6
        #3 0x820557b in process_subframes_ /src/flac/src/libFLAC/stream_encoder.c:3365:7
        #4 0x81d940f in process_frame_ /src/flac/src/libFLAC/stream_encoder.c:3096:6
        #5 0x81f3770 in FLAC__stream_encoder_process_interleaved /src/flac/src/libFLAC/stream_encoder.c:2298:9
        #6 0x81bfa80 in FLAC::Encoder::Stream::process_interleaved(int const*, unsigned int) /src/flac/src/libFLAC++/stream_encoder.cpp:370:29
        #7 0x81ac167 in LLVMFuzzerTestOneInput /src/flac-fuzzers/fuzzer_encoder.cpp:141:46
        #8 0x80ac766 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned int) /src/llvm/projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:556:15
        #9 0x8098c13 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned int) /src/llvm/projects/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:292:6
        #10 0x809e318 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned int)) /src/llvm/projects/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:774:9
        #11 0x80c3167 in main /src/llvm/projects/compiler-rt/lib/fuzzer/FuzzerMain.cpp:19:10
        #12 0xf7539636 in __libc_start_main (/lib32/libc.so.6+0x18636)
        #13 0x8073c38 in _start (/out/flac/fuzzer_encoder+0x8073c38)
    

here is my debug info:  
bw->buffer was realloc here

    bitwriter_grow_ (bw=0xf5a00a90, bits_to_add=62914562) at bitwriter.c:128
    128		if(new_buffer == 0)
    (gdb) n
    130		bw->buffer = new_buffer;
    (gdb) l
    125		FLAC__ASSERT(new_capacity >= bw->words + ((bw->bits + bits_to_add + FLAC__BITS_PER_WORD - 1) / FLAC__BITS_PER_WORD));
    126
    127		new_buffer = safe_realloc_mul_2op_(bw->buffer, sizeof(bwword), /*times*/new_capacity);
    128		if(new_buffer == 0)
    129			return false;
    130		bw->buffer = new_buffer;
    131		bw->capacity = new_capacity;
    132		return true;
    133	}
    134
    (gdb) p new_buffer
    $1 = (bwword *) 0x7abd7800
    (gdb) p new_capacity
    $2 = 250956800
    

later, bw->buffer was freed but it's value NOT set to 0

    156	static inline void *safe_realloc_(void *ptr, size_t size)
    157	{
    158		void *oldptr = ptr;
    159		void *newptr = realloc(ptr, size);
    160		if(size > 0 && newptr == 0)
    161			free(oldptr);
    162		return newptr;
    (gdb) n
    159		void *newptr = realloc(ptr, size);
    (gdb) n
    160		if(size > 0 && newptr == 0)
    (gdb) p newptr
    $4 = (void *) 0x0
    (gdb) p size
    $5 = 1006448640
    (gdb) n
    161			free(oldptr);
    (gdb) p oldptr
    $6 = (void *) 0x7abd7800
    (gdb) n
    162		return newptr;
    (gdb) n
    safe_realloc_mul_2op_ (ptr=0x7abd7800, size1=4, size2=251612160) at ../../include/share/alloc.h:206
    206	}
    (gdb) n
    bitwriter_grow_ (bw=0xf5a00a90, bits_to_add=20971521) at bitwriter.c:128
    128		if(new_buffer == 0)
    (gdb) l
    123		FLAC__ASSERT(0 == (new_capacity - bw->capacity) % FLAC__BITWRITER_DEFAULT_INCREMENT);
    124		FLAC__ASSERT(new_capacity > bw->capacity);
    125		FLAC__ASSERT(new_capacity >= bw->words + ((bw->bits + bits_to_add + FLAC__BITS_PER_WORD - 1) / FLAC__BITS_PER_WORD));
    126
    127		new_buffer = safe_realloc_mul_2op_(bw->buffer, sizeof(bwword), /*times*/new_capacity);
    128		if(new_buffer == 0)
    129			return false;
    130		bw->buffer = new_buffer;
    131		bw->capacity = new_capacity;
    132		return true;
    (gdb) p bw->buffer
    $7 = (bwword *) 0x7abd7800
    (gdb) p bw->capacity
    $8 = 250956800
    (gdb) n
    129			return false

CVE-2020-22219: wild-addr-write found by fuzz · Issue #215 · xiph/flac

Bento4 v1.6.0-639 was discovered to contain a segmentation violation via the AP4_Processor::ProcessFragments function in mp4encrypt.

**Summary**

Hi, developers of Bento4:  
I tested the binary mp4encrypt with my fuzzer, and a crash incurred—SEGV on unknown address. The following is the details.

**Bug**

Detected SEGV on unknown address in mp4encrypt.

    root@2e47aa8b3277:/fuzz-mp4encrypt-ACBC/mp4encrypt# ./mp4encrypt --method MARLIN-IPMP-ACBC ../out/crashes/id:000000,sig:06,src:000718+000108,op:splice,rep:128,203819180 /dev/null
    WARNING: track ID 1 will not be encrypted
    AddressSanitizer:DEADLYSIGNAL
    =================================================================
    ==2391078==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000028 (pc 0x000000633817 bp 0x7fff9076b400 sp 0x7fff90769aa0 T0)
    ==2391078==The signal is caused by a READ memory access.
    ==2391078==Hint: address points to the zero page.
        #0 0x633817 in AP4_Processor::ProcessFragments(AP4_MoovAtom*, AP4_List<AP4_AtomLocator>&, AP4_ContainerAtom*, AP4_SidxAtom*, unsigned long long, AP4_ByteStream&, AP4_ByteStream&) (/fuzz-mp4encrypt-ACBC/mp4encrypt/mp4encrypt+0x633817)
        #1 0x658320 in AP4_Processor::Process(AP4_ByteStream&, AP4_ByteStream&, AP4_ByteStream*, AP4_Processor::ProgressListener*, AP4_AtomFactory&) (/fuzz-mp4encrypt-ACBC/mp4encrypt/mp4encrypt+0x658320)
        #2 0x42128c in main (/fuzz-mp4encrypt-ACBC/mp4encrypt/mp4encrypt+0x42128c)
        #3 0x7fd8c26f7c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
        #4 0x407c99 in _start (/fuzz-mp4encrypt-ACBC/mp4encrypt/mp4encrypt+0x407c99)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV (/fuzz-mp4encrypt-ACBC/mp4encrypt/mp4encrypt+0x633817) in AP4_Processor::ProcessFragments(AP4_MoovAtom*, AP4_List<AP4_AtomLocator>&, AP4_ContainerAtom*, AP4_SidxAtom*, unsigned long long, AP4_ByteStream&, AP4_ByteStream&)
    ==2391078==ABORTING
    
    

**POC**

POC\_mp4encrypt\_203819180.zip

**Environment**

Ubuntu 18.04.6 LTS (docker)  
clang 12.0.1  
clang++ 12.0.1  
Bento4 master branch(5b7cc25) && Bento4 release version(1.6.0-639)

**Credit**

Xudong Cao (NCNIPC of China)  
Jiayuan Zhang (NCNIPC of China)  
Han Zheng (NCNIPC of China, Hexhive)

Thank you for your time!

CVE-2023-38666: SEGV on unknown address 0x000000000028 in mp4encrypt · Issue #784 · axiomatic-systems/Bento4

An issue discovered in XZ 5.2.5 allows attackers to cause a denial of service via decompression of crafted file.

XZ Utils is free general-purpose data compression software with a high compression ratio. XZ Utils were written for POSIX-like systems, but also work on some not-so-POSIX systems. XZ Utils are the successor to LZMA Utils.

The core of the XZ Utils compression code is based on LZMA SDK, but it has been modified quite a lot to be suitable for XZ Utils. The primary compression algorithm is currently LZMA2, which is used inside the .xz container format. With typical files, XZ Utils create 30 % smaller output than gzip and 15 % smaller output than bzip2.

XZ Utils consist of several components:

*   liblzma is a compression library with an API similar to that of zlib.
*   xz is a command line tool with syntax similar to that of gzip.
*   xzdec is a decompression-only tool smaller than the full-featured xz tool.
*   A set of shell scripts (xzgrep, xzdiff, etc.) have been adapted from gzip to ease viewing, grepping, and comparing compressed files.
*   Emulation of command line tools of LZMA Utils eases transition from LZMA Utils to XZ Utils.

While liblzma has a zlib-like API, liblzma doesn't include any file I/O functions. A separate I/O library is planned, which would abstract handling of .gz, .bz2, and .xz files with an easy to use API.

**Documentation**

Man page with a keyword index: xz(1)

Doxygen-generated liblzma API documentation is also included in the source packages since XZ Utils 5.4.2.

**Source code**

Versions 5.2.12, 5.4.3, and later have been signed with Jia Tan's OpenPGP key. The older files have been signed with Lasse Collin's OpenPGP key.

See the NEWS file for a summary of changes between versions.

**Stable**

5.4.4 was released on 2023-08-02. A minor bug fix release 5.2.12 to the old stable branch was made on 2023-05-04. This is probably the last release in the 5.2.x series.

XZ Utils releases are hosted on GitHub and thus some of the links below redirect to the XZ Utils release section on GitHub. Release files are also available in the XZ Utils files section on Sourceforge.

xz-5.4.4.tar.gz (2808 KiB) signature  
xz-5.4.4.tar.bz2 (2116 KiB) signature  
xz-5.4.4.tar.zst (1680 KiB) signature  
xz-5.4.4.tar.xz (1623 KiB) signature

Probably the last release of the old stable branch:

xz-5.2.12.tar.gz (2140 KiB) signature  
xz-5.2.12.tar.bz2 (1593 KiB) signature  
xz-5.2.12.tar.zst (1317 KiB) signature  
xz-5.2.12.tar.xz (1275 KiB) signature

**Development**

The new APIs, command line options etc. in development releases should be considered unstable. Incompatible changes to unstable features may be done before they get included in a stable release.

There currently are no development releases.

**Old versions**

Source and binary packages of old XZ Utils releases are available on a separate page.

**Git repository**

The primary repository is on GitHub:

git clone https://github.com/tukaani-project/xz

It is mirrored with some delay to git.tukaani.org:

git clone https://git.tukaani.org/xz.git

Gitweb

Branches:

*   **master**: the latest development code
*   **v5.4**: fixes for the next 5.4.x release
*   **v5.2**: fixes for the next 5.2.x release
*   **v5.0**: fixes for the next 5.0.x release (unmaintained)

Building the code from the git repository requires GNU Autotools. Here are the _minimum_ versions that should work with XZ Utils; using the latest versions is strongly recommended:

*   Autoconf 2.69
*   Automake 1.12
*   gettext 0.19.6 (Note: autopoint depends on cvs!)
*   Libtool 2.4

The following are optional dependencies. The autogen.sh script will fail if they are missing but autogen.sh takes command line arguments to disable these dependencies.

*   po4a is needed for translated documentation (man pages). To build without po4a, use --no-po4a with autogen.sh.
*   Doxygen is needed to generate liblzma API documentation. To build without Doxygen, use --no-doxygen with autogen.sh.

**Security issues****xzgrep CVE-2022-1271, ZDI-CAN-16587**

A patch to fix a security vulnerability in xzgrep (CVE-2022-1271, ZDI-CAN-16587) was made public on 2022-04-07. The patch applies to 4.999.9beta to 5.2.5, 5.3.1alpha, and 5.3.2alpha. Newer XZ Utils releases include an improved fix for the problem.

It is a severe issue if an attacker can control the filenames that are given on the xzgrep command line. The vulnerability was discovered by cleemy desu wayo working with Trend Micro Zero Day Initiative. For more information, see the detailed description in the patch file linked below.

xzgrep-ZDI-CAN-16587.patch  
xzgrep-ZDI-CAN-16587.patch.sig

**Bindings****Python**

Python 3.3 includes bindings for liblzma. A backport of these bindings are available for Python 2 in the backports.lzma package.

lzmaffi is another Python binding which adds random-access decompression support.

The original Python 2 binding for liblzma is PylibLZMA.

**Perl**

Perl bindings for liblzma: IO-Compress-Lzma and Compress-Raw-Lzma.

**Haskell**

Haskell bindings.

**Delphi and Free Pascal**

Bindings and example programs for Delphi and Free Pascal are available here.

**Pre-built binaries**

Many free software operating systems already provide easy-to-install XZ Utils binaries. It doesn't make sense to provide links to all those here. Instead, binaries or links to websites providing binaries are listed here only for operating systems that don't have well-known repositories where users would get software like this.

If you have a website that provides up-to-date XZ Utils binaries for an operating system that meets the the criteria above, let me know and I will include a link here. Note that I won't host the binaries themselves without a good reason.

**Windows**

The Windows version of XZ Utils includes binaries for 32-bit and 64-bit x86. The binaries only depend on msvcrt.dll, which is available on Windows 98 and later out of the box.

*   Command line tools: xz, xzdec, lzmadec, lzmainfo
*   Shared (DLL) and static liblzma, required C header files, and liblzma.def to create import libraries for non-GNU toolchains (no import library is needed with GNU toolchain)
*   Documentation is in plain text (UTF-8) format. The man pages of the command line tools are included also as PDF.

5.2.10, 5.2.11, or 5.2.12 do not have anything significant for Windows so only 5.2.9 is here. 5.4.x builds are not provided for now.

xz-5.2.9-windows.zip (1473 KiB) signature  
xz-5.2.9-windows.7z (708 KiB) signature

**DOS**

The DOS version of XZ Utils includes only the xz command line tool and some documentation. The xz tool should work e.g. on FreeDOS (also in DOSEMU), MS-DOS, and Windows 95/98/98SE/ME. This doesn't necessarily work in DOSBox at all, and at least some problems are expected under Windows XP Command Prompt (signal handling doesn't work).

Since the DOS version is naturally going to get very little testing, it is recommended to use the Windows version instead of the DOS version if you need xz under Windows 98 or later. It is likely that that the DOS version will be updated only occasionally.

5.2.0 and later have experimental support for 8.3 filenames. See xz-dos.txt in the binary package or dos/README.txt in the source package for details.

xz-5.4.0-dos.zip (277 KiB) signature

The package includes some copylefted code from DJGPP and CWSDPMI. The relevant source code is available from their home pages, and copies are also available below.

djlsr205.zip (2000 KiB)  
djtst205.zip (1061 KiB)  
csdpmi7s.zip (88 KiB)

Juan Manuel Guerrero has made a more complete port of XZ Utils to DOS. It also has support for short file names (8.3), but the naming method is different from the one found in 5.2.0 and later. It is available from DJGPP mirrors under /current/v2apps (e.g. xz-500b.zip for 5.0.0 binaries).

**Supported platforms**

Below is an incomplete and somewhat vague (version numbers mostly missing) list of operating systems on which XZ Utils should work. The compiler(s) or toolchains are mentioned in parenthesis. GCC refers to GCC 3 or later. If you have additions or corrections, please email them to me.

*   GNU/Linux (GCC, Clang, ICC, IBM XL C)
*   GNU/HURD (GCC)
*   DragonflyBSD (GCC)
*   FreeBSD (GCC, Clang)
*   MirBSD (GCC)
*   NetBSD (GCC)
*   OpenBSD (Clang, GCC)
*   MINIX 3 (GCC) \[1\]
*   Haiku (GCC4)
*   Mac OS X (GCC)
*   Solaris 8, 9, 10, 11 (GCC, Sun Studio) \[3\]
*   Solaris 2.6, 7 (GCC)
*   HP-UX (GCC, HP ANSI C) \[2\]
*   Tru64 (GCC, Compaq C compiler) \[1\]
*   IRIX (MIPSpro) \[1\]
*   AIX (GCC, IBM XL C)
*   z/OS (IBM XL C)
*   QNX (compilers?)
*   OpenVMS (HP C compiler) \[1\]
*   OpenVOS 17 (GCC)
*   SCO OpenServer 5.0.7 (GCC 3.4.6, 4.2.4) \[4\]
*   Windows 95 and later (GCC/MinGW, GCC/MinGW-w64, GCC/Cygwin, GCC/Interix, Visual Studio (VS can only build liblzma)) \[1\]
*   OS/2, eComStation (GCC)
*   DOS e.g. FreeDOS and MS-DOS (GCC/DJGPP) \[1\]

\[1\] See also the platform-specific notes in the INSTALL file.

\[2\] 2010-09-22: HP ANSI C compiler crashes when compiling XZ Utils on PA-RISC. On Itanium there are no problems.

\[3\] On Solaris 8 and 9 one may need to pass ac\_cv\_prog\_cc\_c99= to configure if using Sun Studio.

\[4\] Use --disable-threads when running configure.

**Licensing**

The most interesting parts of XZ Utils (e.g. liblzma) are in the public domain. You can do whatever you want with the public domain parts.

Some parts of XZ Utils (e.g. build system and some utilities) are under different free software licenses such as GNU LGPLv2.1, GNU GPLv2, or GNU GPLv3.

See the file COPYING for more details.

CVE-2020-22916: XZ Utils

Buffer Overflow vulnerability in ExtractorInformation function in streamExtractor.cpp in oggvideotools 0.9.1 allows remaote attackers to run arbitrary code via opening of crafted ogg file.

I use AddressSanitizer to build oggvideotools 0.9.1 and get segment fault as below. I use the command:  
oggLength <testcase>  
The testcase I used is put in the attachment.  
This software can also be installed by command apt install oggvideotools but the version is 0.8a-7, which can also get segment fault with the same testcase.</testcase>

MediaConverter::setAvailable(): decoder is not configured or has ended  
MediaConverter::setAvailable(): decoder is not configured or has ended  
MediaConverter::setAvailable(): decoder is not configured or has ended  
\=================================================================  
\==32390==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60600000e4b8 at pc 0x00000046e493 bp 0x7ffe9af99060 sp 0x7ffe9af99050  
WRITE of size 4 at 0x60600000e4b8 thread T0  
#0 0x46e492 in ExtractorInformation::operator=(ExtractorInformation const&) /home/wws/Music/Fuzz/target\_progs/target\_oggvideotools\_addresssanitizer/oggvideotools-0.9.1/src/base/streamExtractor.cpp:17  
#1 0x4407e2 in StreamConfig::operator=(StreamConfig const&) /home/wws/Music/Fuzz/target\_progs/target\_oggvideotools\_addresssanitizer/oggvideotools-0.9.1/src/base/streamConfig.h:12  
#2 0x43ea66 in StreamSerializer::getStreamConfig(std::vector<streamconfig, std::allocator<streamconfig=""> >&) /home/wws/Music/Fuzz/target\_progs/target\_oggvideotools\_addresssanitizer/oggvideotools-0.9.1/src/main/streamSerializer.cpp:210  
#3 0x43b0c4 in oggLengthCmd(int, char\*\*) /home/wws/Music/Fuzz/target\_progs/target\_oggvideotools\_addresssanitizer/oggvideotools-0.9.1/src/binaries/oggLength.cpp:93  
#4 0x43b4e5 in main /home/wws/Music/Fuzz/target\_progs/target\_oggvideotools\_addresssanitizer/oggvideotools-0.9.1/src/binaries/oggLength.cpp:136  
#5 0x7f13e016782f in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x2082f)  
#6 0x43aa78 in \_start (/home/wws/Music/Fuzz/target\_progs/target\_oggvideotools\_addresssanitizer/install/bin/oggLength+0x43aa78)</streamconfig,>

0x60600000e4b8 is located 0 bytes to the right of 56-byte region \[0x60600000e480,0x60600000e4b8)  
allocated by thread T0 here:  
#0 0x7f13e0b42532 in operator new(unsigned long) (/usr/lib/x86\_64-linux-gnu/libasan.so.2+0x99532)  
#1 0x4468b4 in \_\_gnu\_cxx::new\_allocator<streamconfig>::allocate(unsigned long, void const_) /usr/include/c++/5/ext/new\_allocator.h:104  
#2 0x4460b3 in std::allocator\_traits<std::allocator<streamconfig> >::allocate(std::allocator<streamconfig>&, unsigned long) /usr/include/c++/5/bits/alloc\_traits.h:491  
#3 0x4451fd in std::\_Vector\_base<streamconfig, std::allocator<streamconfig=""> >::\_M\_allocate(unsigned long) /usr/include/c++/5/bits/stl\_vector.h:170  
#4 0x443257 in std::vector<streamconfig, std::allocator<streamconfig=""> >::\_M\_default\_append(unsigned long) (/home/wws/Music/Fuzz/target\_progs/target\_oggvideotools\_addresssanitizer/install/bin/oggLength+0x443257)  
#5 0x441d5e in std::vector<streamconfig, std::allocator<streamconfig=""> >::resize(unsigned long) (/home/wws/Music/Fuzz/target\_progs/target\_oggvideotools\_addresssanitizer/install/bin/oggLength+0x441d5e)  
#6 0x43e9a5 in StreamSerializer::getStreamConfig(std::vector<streamconfig, std::allocator<streamconfig=""> >&) /home/wws/Music/Fuzz/target\_progs/target\_oggvideotools\_addresssanitizer/oggvideotools-0.9.1/src/main/streamSerializer.cpp:206  
#7 0x43b0c4 in oggLengthCmd(int, char</streamconfig,></streamconfig,></streamconfig,></streamconfig,></streamconfig></std::allocator<streamconfig>_\*) /home/wws/Music/Fuzz/target\_progs/target\_oggvideotools\_addresssanitizer/oggvideotools-0.9.1/src/binaries/oggLength.cpp:93  
#8 0x43b4e5 in main /home/wws/Music/Fuzz/target\_progs/target\_oggvideotools\_addresssanitizer/oggvideotools-0.9.1/src/binaries/oggLength.cpp:136  
#9 0x7f13e016782f in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x2082f)</streamconfig>

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/wws/Music/Fuzz/target\_progs/target\_oggvideotools\_addresssanitizer/oggvideotools-0.9.1/src/base/streamExtractor.cpp:17 ExtractorInformation::operator=(ExtractorInformation const&)  
Shadow bytes around the buggy address:  
0x0c0c7fff9c40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c0c7fff9c50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c0c7fff9c60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c0c7fff9c70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c0c7fff9c80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
\=>0x0c0c7fff9c90: 00 00 00 00 00 00 00\[fa\]fa fa fa fa 00 00 00 00  
0x0c0c7fff9ca0: 00 00 05 fa fa fa fa fa fd fd fd fd fd fd fd fa  
0x0c0c7fff9cb0: fa fa fa fa 00 00 00 00 00 00 07 fa fa fa fa fa  
0x0c0c7fff9cc0: fd fd fd fd fd fd fd fa fa fa fa fa fd fd fd fd  
0x0c0c7fff9cd0: fd fd fd fd fa fa fa fa 00 00 00 00 00 00 06 fa  
0x0c0c7fff9ce0: fa fa fa fa fd fd fd fd fd fd fd fa fa fa fa fa  
Shadow byte legend (one shadow byte represents 8 application bytes):  
Addressable: 00  
Partially addressable: 01 02 03 04 05 06 07  
Heap left redzone: fa  
Heap right redzone: fb  
Freed heap region: fd  
Stack left redzone: f1  
Stack mid redzone: f2  
Stack right redzone: f3  
Stack partial redzone: f4  
Stack after return: f5  
Stack use after scope: f8  
Global redzone: f9  
Global init order: f6  
Poisoned by user: f7  
Container overflow: fc  
Array cookie: ac  
Intra object redzone: bb  
ASan internal: fe  
\==32390==ABORTING

My system is:  
Description: Ubuntu 16.04.6 LTS  
Release: 16.04

The software information:  
oggvideotools:  
Installed: 0.8a-7  
Candidate: 0.8a-7  
Version table:  
\*\*\* 0.8a-7 500  
500 https://mirrors.tuna.tsinghua.edu.cn/ubuntu xenial/universe amd64 Packages  
500 http://archive.ubuntu.com/ubuntu xenial/universe amd64 Packages  
100 /var/lib/dpkg/status

ProblemType: Bug  
DistroRelease: Ubuntu 16.04  
Package: oggvideotools 0.8a-7  
ProcVersionSignature: Ubuntu 4.15.0-66.75~16.04.1-generic 4.15.18  
Uname: Linux 4.15.0-66-generic x86\_64  
ApportVersion: 2.20.1-0ubuntu2.21  
Architecture: amd64  
CurrentDesktop: Unity  
Date: Thu Nov 14 19:56:47 2019  
InstallationDate: Installed on 2019-01-24 (293 days ago)  
InstallationMedia: Ubuntu 16.04.5 LTS "Xenial Xerus" - Release amd64 (20180731)  
SourcePackage: oggvideotools  
UpgradeStatus: No upgrade log present (probably fresh install)

**1 Attachments**

CVE-2020-21724: Ogg Video Tools / Bugs

An issue was discovered in hwclock.13-v2.27 allows attackers to gain escalated privlidges or execute arbitrary commands via the path parameter when setting the date.

CVE-2020-21583: #786804 - hwclock(8) SUID privilege escalation

Crypto++ through 8.4 contains a timing side channel in ECDSA signature generation. Function FixedSizeAllocatorWithCleanup could write to memory outside of the allocation if the allocated memory was not 16-byte aligned. NOTE: this issue exists because the CVE-2019-14318 fix was intentionally removed for functionality reasons.

Crypto++ 8.4 was released on January 1, 2021. The 8.4 release was a minor, unplanned release. There was no CVEs and one memory error fixed. A recompile of programs is required due to an unintentional ABI break in Crypto++ 8.3.

The Crypto++ 8.4 release reverted the changes for constant-time elliptic curve algorithms. Marcel Keller reported some operations broke under the new algorithm in Issue 992. The revert reactivated CVE-2019-14318.

The release also cleared a memory error reported by Daniel McRobb in Issue 988. McRobb discovered FixedSizeAllocatorWithCleanup could write to memory outside of the allocation if the allocated memory was not 16-byte aligned.

**Release Notes**

*   fix SIGILL on POWER8 when compiling with GCC 10
*   fix potential out-of-bounds write in FixedSizeAllocatorWithCleanup
*   fix compile on AIX POWER7 with IBM XLC 12.01
*   fix compile on Solaris with SunCC 12.6
*   revert changes for constant-time elliptic curve algorithms
*   fix makefile clean and distclean recipes

**FIPS DLL deprecation**

The FIPS DLL used to be an important artifact for Windows builds. NIST moved the Crypto++ library to the Historical Validation List in 2014. The Windows DLL is no longer validated.

The project files to build the FIPS DLL are cryptdll.vcxproj and dlltest.vcxproj. The projects are now deprecated and subject to removal.

CVE-2022-48570: Release Crypto++ 8.4 release · weidai11/cryptopp

Buffer Overflow vulnerability in FreeImage_Load function in FreeImage Library 3.19.0(r1828) allows attackers to cuase a denial of service via crafted PFM file.

**SEGV in function Load() in PluginPFM.cpp****Summary:**

There is a SEGV in PluginPFM.cpp while loading image with FreeImage_Load function。

**Version Affected: 3.19.0 (r1828)****ASAN Details**

AddressSanitizer:DEADLYSIGNAL
\=================================================================
\==24231\==ERROR: AddressSanitizer: SEGV on unknown address 0x613fa5f646c0 (pc 0x0000005a86b3 bp 0x7ffee3d2c080 sp 0x7ffee3d2b8e0 T0)
\==24231\==The signal is caused by a WRITE memory access.
    #0 0x5a86b2 in Load(FreeImageIO\*, void\*, int, int, void\*) /home/src/freeimage-svn/FreeImage/trunk/Source/FreeImage/PluginPFM.cpp
    #1 0x5252fc in FreeImage\_LoadFromHandle /home/src/freeimage-svn/FreeImage/trunk/Source/FreeImage/Plugin.cpp:388:24
    #2 0x52550c in FreeImage\_Load /home/src/freeimage-svn/FreeImage/trunk/Source/FreeImage/Plugin.cpp:408:22
    #3 0x50640c in main /home/src/freeimage-svn/FreeImage/trunk/load\-test.c:16:18
    #4 0x7f6f56aa6b6a in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x26b6a)
    #5 0x428569 in \_start (/home/src/freeimage-svn/FreeImage/trunk/load\-test+0x428569)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/src/freeimage-svn/FreeImage/trunk/Source/FreeImage/PluginPFM.cpp in Load(FreeImageIO\*, void\*, int, int, void\*)
\==24231\==ABORTING

**Reproduce**

To reproduce it ,compile FreeImage with ASAN. Then compile and execute the test file in the attachment as follows:

Clang++ \-g \-fsanitize\=address load\-test.c \-lfreeimage \-L. \-lm \-o load\-test
./load\-test SEGV\_PluginPFM\_cpp

**Credit**

ADLab of Venustech

CVE-2020-22524: FreeImage / Bugs / #319 SEGV in function Load() in PluginPFM.cpp

An issue was discovered in json-c through 0.15-20200726. A stack-buffer-overflow exists in the function parseit located in json_parse.c. It allows an attacker to cause code Execution.

cmake ..-DCMAKE\_CXX\_FLAGS="-fsanitize=address -g" -DCMAKE\_C\_FLAGS="-fsanitize=address -g" -DCMAKE\_EXE\_LINKER\_FLAGS="-fsanitize=address"

    =================================================================
    ==12668==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffea9c409b0 at pc 0x00000051747b bp 0x7ffea9c388b0 sp 0x7ffea9c388a8
    READ of size 1 at 0x7ffea9c409b0 thread T0
        #0 0x51747a in parseit /home/seviezhou/jsonc/apps/json_parse.c:89:44
        #1 0x51747a in main /home/seviezhou/jsonc/apps/json_parse.c:182
        #2 0x7fc02a77783f in __libc_start_main /build/glibc-e6zv40/glibc-2.23/csu/../csu/libc-start.c:291
        #3 0x41a928 in _start (/home/seviezhou/jsonc/build/apps/json_parse+0x41a928)
    
    Address 0x7ffea9c409b0 is located in stack of thread T0 at offset 33008 in frame
        #0 0x51651f in main /home/seviezhou/jsonc/apps/json_parse.c:159
    
      This frame has 3 object(s):
        [32, 176) 'rusage.i.i.i' (line 42)
        [240, 33008) 'buf.i' (line 52) <== Memory access at offset 33008 overflows this variable
        [33264, 33408) 'rusage.i' (line 42)
    HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
          (longjmp and C++ exceptions *are* supported)
    SUMMARY: AddressSanitizer: stack-buffer-overflow /home/seviezhou/jsonc/apps/json_parse.c:89:44 in parseit
    Shadow bytes around the buggy address:
      0x1000553800e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x1000553800f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x100055380100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x100055380110: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x100055380120: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x100055380130: 00 00 00 00 00 00[f2]f2 f2 f2 f2 f2 f2 f2 f2 f2
      0x100055380140: f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2
      0x100055380150: f2 f2 f2 f2 f2 f2 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
      0x100055380160: f8 f8 f8 f8 f8 f8 f8 f8 f3 f3 f3 f3 f3 f3 f3 f3
      0x100055380170: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x100055380180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
    ==12668==ABORTING

CVE-2021-32292: A stack-buffer-overflow in json_parse.c:89:44 · Issue #654 · json-c/json-c

A NULL pointer dereference was discovered in SExpressionWasmBuilder::makeBlock in wasm/wasm-s-parser.c in Binaryen 1.38.26. A crafted wasm input can cause a segmentation fault, leading to denial-of-service, as demonstrated by wasm-as.

Hi, there.

A Heap-buffer-overflow problem was discovered in wasm::WasmBinaryBuilder::visitBlock(wasm::Block\*) function in simple\_ast.h in /src/wasm/wasm-binary.cpp, as distributed in Binaryen 1.38.26. A crafted wasm input can cause segment faults and I have confirmed them with address sanitizer too.

Here are the POC files. Please use "./wasm-opt $POC" to reproduce the error.  
POC.zip

git log

    commit 153ba18ba99dc4dcef29a61e1e586af3df8d921d (HEAD -> master, tag: version_65, origin/master, origin/HEAD)
    Author: Alon Zakai <alonzakai@gmail.com>
    Date:   Mon Jan 28 11:32:19 2019 -0800
    
        Handle EM_ASM/EM_JS in LLVM wasm backend O0 output (#1888)
    
        See emscripten-core/emscripten#7928 - we have been optimizing all wasms until now, and noticed this when the wasm object file path did not do so. When not optimizing, our methods of handling EM_ASM and EM_JS fail since the patterns are different.
    
        Specifically, for EM_ASM we hunt for emscripten_asm_const(X, where X is a constant, but without opts it may be a get of a local. For EM_JS, the function body may not just contain a const, but a block with a set of the const and a return of a get later.
    
        This adds logic to track gets and sets in basic blocks, which is sufficient to handle this.
    

The ASAN dumps the stack trace as follows:

    =================================================================
    ==10623==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60e000000456 at pc 0x55961cae7862 bp 0x7ffd73795210 sp 0x7ffd73795200
    READ of size 1 at 0x60e000000456 thread T0
        #0 0x55961cae7861 in wasm::WasmBinaryBuilder::visitBlock(wasm::Block*) /binaryen/src/wasm/wasm-binary.cpp:1805
        #1 0x55961cad63bc in wasm::WasmBinaryBuilder::readExpression(wasm::Expression*&) /binaryen/src/wasm/wasm-binary.cpp:1687
        #2 0x55961cada7fa in wasm::WasmBinaryBuilder::skipUnreachableCode() /binaryen/src/wasm/wasm-binary.cpp:1417
        #3 0x55961cadba97 in wasm::WasmBinaryBuilder::processExpressions() /binaryen/src/wasm/wasm-binary.cpp:1392
        #4 0x55961cae7f6e in wasm::WasmBinaryBuilder::getBlockOrSingleton(wasm::Type) /binaryen/src/wasm/wasm-binary.cpp:1846
        #5 0x55961caf83d2 in wasm::WasmBinaryBuilder::visitIf(wasm::If*) /binaryen/src/wasm/wasm-binary.cpp:1871
        #6 0x55961cad3bb0 in wasm::WasmBinaryBuilder::readExpression(wasm::Expression*&) /binaryen/src/wasm/wasm-binary.cpp:1688
        #7 0x55961cada7fa in wasm::WasmBinaryBuilder::skipUnreachableCode() /binaryen/src/wasm/wasm-binary.cpp:1417
        #8 0x55961cadba97 in wasm::WasmBinaryBuilder::processExpressions() /binaryen/src/wasm/wasm-binary.cpp:1392
        #9 0x55961cae7f6e in wasm::WasmBinaryBuilder::getBlockOrSingleton(wasm::Type) /binaryen/src/wasm/wasm-binary.cpp:1846
        #10 0x55961caf83d2 in wasm::WasmBinaryBuilder::visitIf(wasm::If*) /binaryen/src/wasm/wasm-binary.cpp:1871
        #11 0x55961cad3bb0 in wasm::WasmBinaryBuilder::readExpression(wasm::Expression*&) /binaryen/src/wasm/wasm-binary.cpp:1688
        #12 0x55961cada7fa in wasm::WasmBinaryBuilder::skipUnreachableCode() /binaryen/src/wasm/wasm-binary.cpp:1417
        #13 0x55961cadba97 in wasm::WasmBinaryBuilder::processExpressions() /binaryen/src/wasm/wasm-binary.cpp:1392
        #14 0x55961cae7f6e in wasm::WasmBinaryBuilder::getBlockOrSingleton(wasm::Type) /binaryen/src/wasm/wasm-binary.cpp:1846
        #15 0x55961caed21f in wasm::WasmBinaryBuilder::readFunctions() /binaryen/src/wasm/wasm-binary.cpp:1129
        #16 0x55961caf597f in wasm::WasmBinaryBuilder::read() /binaryen/src/wasm/wasm-binary.cpp:678
        #17 0x55961cba18f7 in wasm::ModuleReader::readBinary(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, wasm::Module&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >) /binaryen/src/wasm/wasm-io.cpp:52
        #18 0x55961cba7d97 in wasm::ModuleReader::read(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, wasm::Module&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >) /binaryen/src/wasm/wasm-io.cpp:71
        #19 0x55961c764faf in main /binaryen/src/tools/wasm-opt.cpp:144
        #20 0x7fce29513b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
        #21 0x55961c77ec39 in _start (/binaryen/build/bin/wasm-opt+0x1c5c39)
    
    0x60e000000456 is located 0 bytes to the right of 150-byte region [0x60e0000003c0,0x60e000000456)
    allocated by thread T0 here:
        #0 0x7fce2a302458 in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xe0458)
        #1 0x55961df084ef in __gnu_cxx::new_allocator<char>::allocate(unsigned long, void const*) /usr/include/c++/7/ext/new_allocator.h:111
        #2 0x55961df084ef in std::allocator_traits<std::allocator<char> >::allocate(std::allocator<char>&, unsigned long) /usr/include/c++/7/bits/alloc_traits.h:436
        #3 0x55961df084ef in std::_Vector_base<char, std::allocator<char> >::_M_allocate(unsigned long) /usr/include/c++/7/bits/stl_vector.h:172
        #4 0x55961df084ef in std::_Vector_base<char, std::allocator<char> >::_M_create_storage(unsigned long) /usr/include/c++/7/bits/stl_vector.h:187
        #5 0x55961df084ef in std::_Vector_base<char, std::allocator<char> >::_Vector_base(unsigned long, std::allocator<char> const&) /usr/include/c++/7/bits/stl_vector.h:138
        #6 0x55961df084ef in std::vector<char, std::allocator<char> >::vector(unsigned long, char const&, std::allocator<char> const&) /usr/include/c++/7/bits/stl_vector.h:297
        #7 0x55961df084ef in std::vector<char, std::allocator<char> > wasm::read_file<std::vector<char, std::allocator<char> > >(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, wasm::Flags::BinaryOption, wasm::Flags::DebugOption) /binaryen/src/support/file.cpp:42
        #8 0x55961cb9fbf2 in wasm::ModuleReader::readBinary(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, wasm::Module&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >) /binaryen/src/wasm/wasm-io.cpp:44
        #9 0x55961cba7d97 in wasm::ModuleReader::read(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, wasm::Module&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >) /binaryen/src/wasm/wasm-io.cpp:71
        #10 0x55961c764faf in main /binaryen/src/tools/wasm-opt.cpp:144
        #11 0x7fce29513b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /binaryen/src/wasm/wasm-binary.cpp:1805 in wasm::WasmBinaryBuilder::visitBlock(wasm::Block*)
    Shadow bytes around the buggy address:
      0x0c1c7fff8030: 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa
      0x0c1c7fff8040: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x0c1c7fff8050: fd fd fd fa fa fa fa fa fa fa fa fa 00 00 00 00
      0x0c1c7fff8060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 05 fa
      0x0c1c7fff8070: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
    =>0x0c1c7fff8080: 00 00 00 00 00 00 00 00 00 00[06]fa fa fa fa fa
      0x0c1c7fff8090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c1c7fff80a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c1c7fff80b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c1c7fff80c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c1c7fff80d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
    ==10623==ABORTING

CVE-2020-18378: Heap-buffer-overflow in /src/wasm/wasm-binary.cpp in wasm::WasmBinaryBuilder::visitBlock(wasm::Block*) in Binaryen 1.38.26 · Issue #1900 · WebAssembly/binaryen

Tag

#c++