Progress Ipswitch MoveIT 1.1.11 was discovered to contain a cross-site scripting (XSS) vulenrability via the API authentication function.

noetic-devel

Switch branches/tags

**Name already in use**

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?

**9** branches **69** tags

Code

*   Clone
    
    Use Git or checkout with SVN using the web URL.
    
*   Open with GitHub Desktop
*   Download ZIP

**Latest commit**

 

ivatavuk and rhaschke Fix Jacobian calculation for planar joint (#3439)

67121a3

May 28, 2023

Fix Jacobian calculation for planar joint (#3439)

67121a3

**Git stats**

*   **7,879** commits

**Files**

Permalink

Failed to load latest commit information.

Type

Name

Latest commit message

Commit time

.docker

Dockerfile: Update ci-shadow-fixed -> ci-testing

September 3, 2022 06:52

.github

CI: Bump mamba-org/provision-with-micromamba from 14 to 16 (#3438)

May 28, 2023 12:28

moveit

1.1.12

May 13, 2023 20:56

moveit\_commander

1.1.12

May 13, 2023 20:56

moveit\_core

Fix Jacobian calculation for planar joint (#3439)

May 28, 2023 13:04

moveit\_experimental

Fix (some) doxygen warnings (#3315)

January 25, 2023 12:03

moveit\_kinematics

1.1.12

May 13, 2023 20:56

moveit\_planners

1.1.12

May 13, 2023 20:56

moveit\_plugins

1.1.12

May 13, 2023 20:56

moveit\_ros

1.1.12

May 13, 2023 20:56

moveit\_runtime

1.1.12

May 13, 2023 20:56

moveit\_setup\_assistant

1.1.12

May 13, 2023 20:56

.clang-format

Tweak penalties

August 11, 2020 08:28

.clang-tidy

add clang-tidy check for bind()

April 2, 2022 22:48

.dockerignore

Explicitly list all package.xml to include

August 26, 2021 16:40

.gitignore

Python bindings for moveit\_core (#2547)

April 3, 2021 09:56

.pre-commit-config.yaml

pre-commit: Update black version

March 29, 2022 18:43

CODE\_OF\_CONDUCT.md

Fix formatting errors

March 25, 2021 22:40

CONTRIBUTING.md

Remove ! from MoveIt name (#1590)

August 2, 2019 12:42

LICENSE.txt

Add license file to root of project (#349)

November 14, 2016 10:30

MIGRATION.md

rename MGI::getJointNames() to getVariableNames()

February 20, 2023 14:08

README.md

version.h: automatically bump patch number for devel builds (#3211)

December 19, 2022 15:17

codecov.yaml

\[maint\] Remove patch status from codecov (#2306)

September 12, 2020 12:27

moveit.rosinstall

Update panda\_moveit\_config to noetic-devel in .rosinstall files

September 9, 2022 08:17

Branches Policy MoveIt Status Continuous Integration Licenses ROS Buildfarm Stargazers over time

**README.md**

The MoveIt Motion Planning Framework for ROS. For the ROS 2 repository see MoveIt 2.

_Easy-to-use open source robotics manipulation platform for developing commercial applications, prototyping designs, and benchmarking algorithms._

*   Overview of MoveIt
*   Installation Instructions
*   Documentation
*   Get Involved

**Branches Policy**

*   We develop latest features on master.
*   The *-devel branches correspond to released and stable versions of MoveIt for specific distributions of ROS. noetic-devel is synced to master currently.
*   Bug fixes occasionally get backported to these released versions of MoveIt.
*   To facilitate compile-time switching, the patch version of MOVEIT_VERSION of a development branch will be incremented by 1 w.r.t. the package.xml's version number.

**MoveIt Status****Continuous Integration**

service

Melodic

Master

GitHub

 

 

CodeCov

build farm

  

**Licenses**

**ROS Buildfarm**

MoveIt Package

Melodic Source

Melodic Debian

Noetic Source

Noetic Debian

**moveit**

moveit\_core

moveit\_kinematics

**moveit\_planners**

moveit\_planners\_ompl

moveit\_planners\_chomp

chomp\_motion\_planner

moveit\_chomp\_optimizer\_adapter

pilz\_industrial\_motion\_planner

pilz\_industrial\_motion\_planner\_testutils

**moveit\_plugins**

moveit\_fake\_controller\_manager

moveit\_simple\_controller\_manager

moveit\_ros\_control\_interface

**moveit\_ros**

moveit\_ros\_planning

moveit\_ros\_move\_group

moveit\_ros\_planning\_interface

moveit\_ros\_benchmarks

moveit\_ros\_perception

moveit\_ros\_occupancy\_map\_monitor

moveit\_ros\_manipulation

moveit\_ros\_robot\_interaction

moveit\_ros\_visualization

moveit\_ros\_warehouse

moveit\_servo

**moveit\_runtime**

moveit\_commander

moveit\_setup\_assistant

**moveit\_msgs**

geometric\_shapes

srdfdom

moveit\_visual\_tools

moveit\_tutorials

**Stargazers over time**

CVE-2023-30394: GitHub - ros-planning/moveit: The MoveIt motion planning framework

Podofo v0.10.0 was discovered to contain a heap buffer overflow via the component PoDoFo::PdfEncryptAESV3::PdfEncryptAESV3.

We found multiple heap-buffer-overflow in podofo 0.10.0(main/PdfEncrypt.cpp in PoDoFo::PdfEncryptAESV3::PdfEncryptAESV3).

**Command Input**

podofoencrypt -rc4v2 -u 1232321 -o 24 poc_file /dev/null

All poc\_file are attached.

**Sanitizer Dump**

    ==3904316==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603000000e0b at pc 0x0000004ab577 bp 0x7ffe4a6cc310 sp 0x7ffe4a6cbad8
    READ of size 32 at 0x603000000e0b thread T0
        #0 0x4ab576 in __asan_memcpy /root/test/fuzzing_python/llvm-project-llvmorg-12.0.0/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:22:3
        #1 0x5bcdd7 in PoDoFo::PdfEncryptAESV3::PdfEncryptAESV3(PoDoFo::PdfString, PoDoFo::PdfString, PoDoFo::PdfString, PoDoFo::PdfString, PoDoFo::PdfPermissions, PoDoFo::PdfString, PoDoFo::PdfAESV3Revision) /root/target/Invariants/podofo-0.10.0/src/podofo/main/PdfEncrypt.cpp:1908:5
        #2 0x5a39a5 in PoDoFo::PdfEncrypt::CreateFromObject(PoDoFo::PdfObject const&) /root/target/Invariants/podofo-0.10.0/src/podofo/main/PdfEncrypt.cpp:586:47
        #3 0x6f2e88 in PoDoFo::PdfParser::ReadObjects(PoDoFo::InputStreamDevice&) /root/target/Invariants/podofo-0.10.0/src/podofo/main/PdfParser.cpp:631:29
        #4 0x6f09f3 in PoDoFo::PdfParser::Parse(PoDoFo::InputStreamDevice&, bool) /root/target/Invariants/podofo-0.10.0/src/podofo/main/PdfParser.cpp:83:9
        #5 0x67071e in PoDoFo::PdfMemDocument::loadFromDevice(std::shared_ptr<PoDoFo::InputStreamDevice> const&, std::basic_string_view<char, std::char_traits<char> > const&) /root/target/Invariants/podofo-0.10.0/src/podofo/main/PdfMemDocument.cpp:148:12
        #6 0x671fcd in PoDoFo::PdfMemDocument::LoadFromDevice(std::shared_ptr<PoDoFo::InputStreamDevice> const&, std::basic_string_view<char, std::char_traits<char> > const&) /root/target/Invariants/podofo-0.10.0/src/podofo/main/PdfMemDocument.cpp:137:5
        #7 0x671bdb in PoDoFo::PdfMemDocument::Load(std::basic_string_view<char, std::char_traits<char> > const&, std::basic_string_view<char, std::char_traits<char> > const&) /root/target/Invariants/podofo-0.10.0/src/podofo/main/PdfMemDocument.cpp:119:5
        #8 0x4dfd57 in encrypt(std::basic_string_view<char, std::char_traits<char> > const&, std::basic_string_view<char, std::char_traits<char> > const&, std::basic_string_view<char, std::char_traits<char> > const&, std::basic_string_view<char, std::char_traits<char> > const&, PoDoFo::PdfEncryptAlgorithm, PoDoFo::PdfPermissions) /root/target/Invariants/podofo-0.10.0/tools/podofoencrypt/podofoencrypt.cpp:19:9
        #9 0x4e1112 in main /root/target/Invariants/podofo-0.10.0/tools/podofoencrypt/podofoencrypt.cpp:200:9
        #10 0x7fc7de7ed082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
        #11 0x430f6d in _start (/root/target/Invariants/podofo-0.10.0/build_clang/target/podofoencrypt+0x430f6d)
    
    0x603000000e0b is located 0 bytes to the right of 27-byte region [0x603000000df0,0x603000000e0b)
    allocated by thread T0 here:
        #0 0x4dd2dd in operator new(unsigned long) /root/test/fuzzing_python/llvm-project-llvmorg-12.0.0/compiler-rt/lib/asan/asan_new_delete.cpp:99:3
        #1 0x7fc7dec9d87f in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::reserve(unsigned long) (/lib/x86_64-linux-gnu/libstdc++.so.6+0x14387f)
        #2 0x7d5c2a in PoDoFo::StandardStreamDevice::readChar(char&) /root/target/Invariants/podofo-0.10.0/src/podofo/auxiliary/StreamDevice.cpp:290:12
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /root/test/fuzzing_python/llvm-project-llvmorg-12.0.0/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:22:3 in __asan_memcpy
    Shadow bytes around the buggy address:
      0x0c067fff8170: fd fd fd fa fa fa 00 00 00 fa fa fa 00 00 00 fa
      0x0c067fff8180: fa fa 00 00 00 fa fa fa fd fd fd fa fa fa 00 00
      0x0c067fff8190: 00 fa fa fa fd fd fd fa fa fa fd fd fd fd fa fa
      0x0c067fff81a0: 00 00 00 fa fa fa 00 00 00 00 fa fa 00 00 00 fa
      0x0c067fff81b0: fa fa fd fd fd fa fa fa fd fd fd fd fa fa 00 00
    =>0x0c067fff81c0: 00[03]fa fa 00 00 00 fa fa fa 00 00 00 00 fa fa
      0x0c067fff81d0: 00 00 00 fa fa fa fd fd fd fa fa fa 00 00 00 fa
      0x0c067fff81e0: fa fa fd fd fd fa fa fa fd fd fd fd fa fa 00 00
      0x0c067fff81f0: 01 fa fa fa 00 00 00 fa fa fa 00 00 00 00 fa fa
      0x0c067fff8200: 00 00 00 fa fa fa fd fd fd fa fa fa 00 00 00 fa
      0x0c067fff8210: fa fa fd fd fd fa fa fa 00 00 00 fa fa fa 00 00
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==3904316==ABORTING
    

**Environment**

*   OS: Ubuntu 20.04.1
*   clang:12.0.0
*   podofo:0.10.0

we built podofo with AddressSanitizer (ASAN) .

cmake -DCMAKE_CXX_COMPILER=clang++ -DCMAKE_C_COMPILER=clang -DCMAKE_C_FLAGS="-O0 -fsanitize=address" -DCMAKE_CXX_FLAGS="-O0 -fsanitize=address"

poc\_files.zip

CVE-2023-31567: Heap-buffer-overflow in podofo 0.10.0(main/PdfEncrypt.cpp in PoDoFo::PdfEncryptAESV3::PdfEncryptAESV3) · Issue #71 · podofo/podofo

Podofo v0.10.0 was discovered to contain a heap-use-after-free via the component PoDoFo::PdfEncrypt::IsMetadataEncrypted().

We found a heap-use-after-free in podofo 0.10.0(main/PdfEncrypt.h:352:47 in PoDoFo::PdfEncrypt::IsMetadataEncrypted()).

**Command Input**

podofoencrypt -rc4v2 -u 1232321 -o 24 poc_file /dev/null

poc\_file are attached.

**Sanitizer Dump**

    ==3903368==ERROR: AddressSanitizer: heap-use-after-free on address 0x613000000300 at pc 0x00000071995b bp 0x7ffffefd2300 sp 0x7ffffefd22f8
    READ of size 1 at 0x613000000300 thread T0
        #0 0x71995a in PoDoFo::PdfEncrypt::IsMetadataEncrypted() const /root/target/Invariants/podofo-0.10.0/src/podofo/main/PdfEncrypt.h:352:47
        #1 0x717ec2 in PoDoFo::PdfParserObject::parseStream() /root/target/Invariants/podofo-0.10.0/src/podofo/main/PdfParserObject.cpp:219:45
        #2 0x716a06 in PoDoFo::PdfParserObject::DelayedLoadStreamImpl() /root/target/Invariants/podofo-0.10.0/src/podofo/main/PdfParserObject.cpp:90:13
        #3 0x69c223 in PoDoFo::PdfObject::delayedLoadStream() const /root/target/Invariants/podofo-0.10.0/src/podofo/main/PdfObject.cpp:359:35
        #4 0x699211 in PoDoFo::PdfObject::DelayedLoadStream() const /root/target/Invariants/podofo-0.10.0/src/podofo/main/PdfObject.cpp:351:5
        #5 0x69a130 in PoDoFo::PdfObject::Write(PoDoFo::OutputStream&, PoDoFo::PdfWriteFlags, PoDoFo::PdfEncrypt const*, PoDoFo::charbuff_t<void>&) const /root/target/Invariants/podofo-0.10.0/src/podofo/main/PdfObject.cpp:212:5
        #6 0x756b85 in PoDoFo::PdfWriter::WritePdfObjects(PoDoFo::OutputStreamDevice&, PoDoFo::PdfIndirectObjectList const&, PoDoFo::PdfXRef&) /root/target/Invariants/podofo-0.10.0/src/podofo/main/PdfWriter.cpp:175:18
        #7 0x753a27 in PoDoFo::PdfWriter::Write(PoDoFo::OutputStreamDevice&) /root/target/Invariants/podofo-0.10.0/src/podofo/main/PdfWriter.cpp:97:9
        #8 0x67467b in PoDoFo::PdfMemDocument::Save(PoDoFo::OutputStreamDevice&, PoDoFo::PdfSaveOptions) /root/target/Invariants/podofo-0.10.0/src/podofo/main/PdfMemDocument.cpp:249:16
        #9 0x67426f in PoDoFo::PdfMemDocument::Save(std::basic_string_view<char, std::char_traits<char> > const&, PoDoFo::PdfSaveOptions) /root/target/Invariants/podofo-0.10.0/src/podofo/main/PdfMemDocument.cpp:233:11
        #10 0x4dfe62 in encrypt(std::basic_string_view<char, std::char_traits<char> > const&, std::basic_string_view<char, std::char_traits<char> > const&, std::basic_string_view<char, std::char_traits<char> > const&, std::basic_string_view<char, std::char_traits<char> > const&, PoDoFo::PdfEncryptAlgorithm, PoDoFo::PdfPermissions) /root/target/Invariants/podofo-0.10.0/tools/podofoencrypt/podofoencrypt.cpp:49:9
        #11 0x4e1112 in main /root/target/Invariants/podofo-0.10.0/tools/podofoencrypt/podofoencrypt.cpp:200:9
        #12 0x7f70c1549082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
        #13 0x430f6d in _start (/root/target/Invariants/podofo-0.10.0/build_clang/target/podofoencrypt+0x430f6d)
    
    0x613000000300 is located 256 bytes inside of 352-byte region [0x613000000200,0x613000000360)
    freed by thread T0 here:
        #0 0x4ddb3d in operator delete(void*) /root/test/fuzzing_python/llvm-project-llvmorg-12.0.0/compiler-rt/lib/asan/asan_new_delete.cpp:160:3
        #1 0x5c0821 in PoDoFo::PdfEncryptAESV3::~PdfEncryptAESV3() /root/target/Invariants/podofo-0.10.0/src/podofo/main/PdfEncrypt.h:623:7
        #2 0x4e1cd6 in std::default_delete<PoDoFo::PdfEncrypt>::operator()(PoDoFo::PdfEncrypt*) const /usr/lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/unique_ptr.h:81:2
        #3 0x6778a7 in std::unique_ptr<PoDoFo::PdfEncrypt, std::default_delete<PoDoFo::PdfEncrypt> >::reset(PoDoFo::PdfEncrypt*) /usr/lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/unique_ptr.h:402:4
        #4 0x6768ec in std::unique_ptr<PoDoFo::PdfEncrypt, std::default_delete<PoDoFo::PdfEncrypt> >::operator=(std::unique_ptr<PoDoFo::PdfEncrypt, std::default_delete<PoDoFo::PdfEncrypt> >&&) /usr/lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/unique_ptr.h:307:2
        #5 0x675e46 in PoDoFo::PdfMemDocument::SetEncrypted(std::basic_string_view<char, std::char_traits<char> > const&, std::basic_string_view<char, std::char_traits<char> > const&, PoDoFo::PdfPermissions, PoDoFo::PdfEncryptAlgorithm, PoDoFo::PdfKeyLength) /root/target/Invariants/podofo-0.10.0/src/podofo/main/PdfMemDocument.cpp:321:15
        #6 0x4dfe4b in encrypt(std::basic_string_view<char, std::char_traits<char> > const&, std::basic_string_view<char, std::char_traits<char> > const&, std::basic_string_view<char, std::char_traits<char> > const&, std::basic_string_view<char, std::char_traits<char> > const&, PoDoFo::PdfEncryptAlgorithm, PoDoFo::PdfPermissions) /root/target/Invariants/podofo-0.10.0/tools/podofoencrypt/podofoencrypt.cpp:48:9
        #7 0x4e1112 in main /root/target/Invariants/podofo-0.10.0/tools/podofoencrypt/podofoencrypt.cpp:200:9
        #8 0x7f70c1549082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
    
    previously allocated by thread T0 here:
        #0 0x4dd2dd in operator new(unsigned long) /root/test/fuzzing_python/llvm-project-llvmorg-12.0.0/compiler-rt/lib/asan/asan_new_delete.cpp:99:3
        #1 0x5a387f in PoDoFo::PdfEncrypt::CreateFromObject(PoDoFo::PdfObject const&) /root/target/Invariants/podofo-0.10.0/src/podofo/main/PdfEncrypt.cpp:586:43
        #2 0x6f2e88 in PoDoFo::PdfParser::ReadObjects(PoDoFo::InputStreamDevice&) /root/target/Invariants/podofo-0.10.0/src/podofo/main/PdfParser.cpp:631:29
        #3 0x6f09f3 in PoDoFo::PdfParser::Parse(PoDoFo::InputStreamDevice&, bool) /root/target/Invariants/podofo-0.10.0/src/podofo/main/PdfParser.cpp:83:9
        #4 0x67071e in PoDoFo::PdfMemDocument::loadFromDevice(std::shared_ptr<PoDoFo::InputStreamDevice> const&, std::basic_string_view<char, std::char_traits<char> > const&) /root/target/Invariants/podofo-0.10.0/src/podofo/main/PdfMemDocument.cpp:148:12
        #5 0x671fcd in PoDoFo::PdfMemDocument::LoadFromDevice(std::shared_ptr<PoDoFo::InputStreamDevice> const&, std::basic_string_view<char, std::char_traits<char> > const&) /root/target/Invariants/podofo-0.10.0/src/podofo/main/PdfMemDocument.cpp:137:5
        #6 0x671bdb in PoDoFo::PdfMemDocument::Load(std::basic_string_view<char, std::char_traits<char> > const&, std::basic_string_view<char, std::char_traits<char> > const&) /root/target/Invariants/podofo-0.10.0/src/podofo/main/PdfMemDocument.cpp:119:5
        #7 0x4dfd57 in encrypt(std::basic_string_view<char, std::char_traits<char> > const&, std::basic_string_view<char, std::char_traits<char> > const&, std::basic_string_view<char, std::char_traits<char> > const&, std::basic_string_view<char, std::char_traits<char> > const&, PoDoFo::PdfEncryptAlgorithm, PoDoFo::PdfPermissions) /root/target/Invariants/podofo-0.10.0/tools/podofoencrypt/podofoencrypt.cpp:19:9
        #8 0x4e1112 in main /root/target/Invariants/podofo-0.10.0/tools/podofoencrypt/podofoencrypt.cpp:200:9
        #9 0x7f70c1549082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
    
    SUMMARY: AddressSanitizer: heap-use-after-free /root/target/Invariants/podofo-0.10.0/src/podofo/main/PdfEncrypt.h:352:47 in PoDoFo::PdfEncrypt::IsMetadataEncrypted() const
    Shadow bytes around the buggy address:
      0x0c267fff8010: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x0c267fff8020: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x0c267fff8030: fd fd fd fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c267fff8040: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x0c267fff8050: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
    =>0x0c267fff8060:[fd]fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa
      0x0c267fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c267fff8080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c267fff8090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c267fff80a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c267fff80b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==3903368==ABORTING
    

**Environment**

*   OS: Ubuntu 20.04.1
*   clang:12.0.0
*   podofo:0.10.0

we built podofo with AddressSanitizer (ASAN) .

cmake -DCMAKE_CXX_COMPILER=clang++ -DCMAKE_C_COMPILER=clang -DCMAKE_C_FLAGS="-O0 -fsanitize=address" -DCMAKE_CXX_FLAGS="-O0 -fsanitize=address"

poc\_file.zip

CVE-2023-31566: Heap-use-after-free in podofo 0.10.0(main/PdfEncrypt.h:352:47 in PoDoFo::PdfEncrypt::IsMetadataEncrypted()) · Issue #70 · podofo/podofo

xpdf pdfimages v4.04 was discovered to contain a stack overflow in the component Catalog::readEmbeddedFileTree(Object*). This vulnerability allows attackers to cause a Denial of Service (DoS).

CVE-2023-31557: A stack-overflow in xpdf4.04 - forum.xpdfreader.com

Podofo v0.10.0 was discovered to contain a heap buffer overflow via the component PoDoFo::PdfEncryptRC4::PdfEncryptRC4.

We found a heap-buffer-overflow in podofo 0.10.0(main/PdfEncrypt.cpp:1132:5 in PoDoFo::PdfEncryptRC4::PdfEncryptRC4).

**Command Input**

podofopdfinfo poc_file 

poc\_file is attached.

**Sanitizer Dump**

    ==3975233==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60300000122f at pc 0x0000004ab677 bp 0x7ffc5060df20 sp 0x7ffc5060d6e8
    READ of size 32 at 0x60300000122f thread T0
        #0 0x4ab676 in __asan_memcpy /root/test/fuzzing_python/llvm-project-llvmorg-12.0.0/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:22:3
        #1 0x64570f in PoDoFo::PdfEncryptRC4::PdfEncryptRC4(PoDoFo::PdfString, PoDoFo::PdfString, PoDoFo::PdfPermissions, int, PoDoFo::PdfEncryptAlgorithm, int, bool) /root/target/Invariants/podofo-0.10.0/src/podofo/main/PdfEncrypt.cpp:1132:5
        #2 0x638356 in PoDoFo::PdfEncrypt::CreateFromObject(PoDoFo::PdfObject const&) /root/target/Invariants/podofo-0.10.0/src/podofo/main/PdfEncrypt.cpp:556:43
        #3 0x79b3a8 in PoDoFo::PdfParser::ReadObjects(PoDoFo::InputStreamDevice&) /root/target/Invariants/podofo-0.10.0/src/podofo/main/PdfParser.cpp:631:29
        #4 0x798f13 in PoDoFo::PdfParser::Parse(PoDoFo::InputStreamDevice&, bool) /root/target/Invariants/podofo-0.10.0/src/podofo/main/PdfParser.cpp:83:9
        #5 0x71c42e in PoDoFo::PdfMemDocument::loadFromDevice(std::shared_ptr<PoDoFo::InputStreamDevice> const&, std::basic_string_view<char, std::char_traits<char> > const&) /root/target/Invariants/podofo-0.10.0/src/podofo/main/PdfMemDocument.cpp:148:12
        #6 0x71dcdd in PoDoFo::PdfMemDocument::LoadFromDevice(std::shared_ptr<PoDoFo::InputStreamDevice> const&, std::basic_string_view<char, std::char_traits<char> > const&) /root/target/Invariants/podofo-0.10.0/src/podofo/main/PdfMemDocument.cpp:137:5
        #7 0x71d8eb in PoDoFo::PdfMemDocument::Load(std::basic_string_view<char, std::char_traits<char> > const&, std::basic_string_view<char, std::char_traits<char> > const&) /root/target/Invariants/podofo-0.10.0/src/podofo/main/PdfMemDocument.cpp:119:5
        #8 0x4e1be9 in PdfInfoHelper::PdfInfoHelper(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /root/target/Invariants/podofo-0.10.0/tools/podofopdfinfo/pdfinfo.cpp:16:12
        #9 0x4e06b7 in main /root/target/Invariants/podofo-0.10.0/tools/podofopdfinfo/podofopdfinfo.cpp:94:23
        #10 0x7f5ed7b54082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
        #11 0x43106d in _start (/root/target/Invariants/podofo-0.10.0/build_clang/target/podofopdfinfo+0x43106d)
    
    0x60300000122f is located 0 bytes to the right of 31-byte region [0x603000001210,0x60300000122f)
    allocated by thread T0 here:
        #0 0x4dd3dd in operator new(unsigned long) /root/test/fuzzing_python/llvm-project-llvmorg-12.0.0/compiler-rt/lib/asan/asan_new_delete.cpp:99:3
        #1 0x7f5ed800487f in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::reserve(unsigned long) (/lib/x86_64-linux-gnu/libstdc++.so.6+0x14387f)
        #2 0x87564a in PoDoFo::StandardStreamDevice::readChar(char&) /root/target/Invariants/podofo-0.10.0/src/podofo/auxiliary/StreamDevice.cpp:290:12
        #3 0x868d29 in PoDoFo::InputStream::Read(char&) /root/target/Invariants/podofo-0.10.0/src/podofo/auxiliary/InputStream.cpp:53:12
        #4 0x7e319a in readHexString(PoDoFo::InputStreamDevice&, PoDoFo::charbuff_t<void>&) /root/target/Invariants/podofo-0.10.0/src/podofo/main/PdfTokenizer.cpp:801:16
    LLVMSymbolizer: error reading file: No such file or directory
        #5 0x7ffc50612342  ([stack]+0x20342)
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /root/test/fuzzing_python/llvm-project-llvmorg-12.0.0/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:22:3 in __asan_memcpy
    Shadow bytes around the buggy address:
      0x0c067fff81f0: 00 fa fa fa 00 00 00 00 fa fa 00 00 00 fa fa fa
      0x0c067fff8200: fd fd fd fa fa fa 00 00 00 fa fa fa fd fd fd fa
      0x0c067fff8210: fa fa 00 00 00 fa fa fa 00 00 00 fa fa fa 00 00
      0x0c067fff8220: 00 fa fa fa fd fd fd fa fa fa 00 00 00 fa fa fa
      0x0c067fff8230: 00 00 00 fa fa fa 00 00 00 fa fa fa fd fd fd fa
    =>0x0c067fff8240: fa fa 00 00 00[07]fa fa 00 00 00 fa fa fa 00 00
      0x0c067fff8250: 00 00 fa fa fd fd fd fa fa fa fd fd fd fa fa fa
      0x0c067fff8260: 00 00 00 fa fa fa fd fd fd fd fa fa 00 00 00 00
      0x0c067fff8270: fa fa 00 00 00 fa fa fa fd fd fd fa fa fa 00 00
      0x0c067fff8280: 00 fa fa fa 00 00 00 00 fa fa 00 00 00 fa fa fa
      0x0c067fff8290: fd fd fd fa fa fa fd fd fd fa fa fa fd fd fd fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==3975233==ABORTING
    

**Environment**

*   OS: Ubuntu 20.04.1
*   clang:12.0.0
*   podofo:0.10.0

we built podofo with AddressSanitizer (ASAN) .

cmake -DCMAKE_CXX_COMPILER=clang++ -DCMAKE_C_COMPILER=clang -DCMAKE_C_FLAGS="-O0 -fsanitize=address" -DCMAKE_CXX_FLAGS="-O0 -fsanitize=address"

poc\_file.zip

CVE-2023-31568: Heap-buffer-overflow in podofo 0.10.0(main/PdfEncrypt.cpp:1132:5 in PoDoFo::PdfEncryptRC4::PdfEncryptRC4) · Issue #72 · podofo/podofo

podofoinfo 0.10.0 was discovered to contain a segmentation violation via the function PoDoFo::PdfDictionary::findKeyParent.

CVE-2023-31556: [podofo-0.10.0]Stack-Overflow · Issue #66 · podofo/podofo

xpdf pdfimages v4.04 was discovered to contain a stack overflow in the component Catalog::readPageLabelTree2(Object*). This vulnerability allows attackers to cause a Denial of Service (DoS).

CVE-2023-31554: A stack-overflow in pdfimages xpdf4.04

podofoinfo 0.10.0 was discovered to contain a segmentation violation via the function PoDoFo::PdfObject::DelayedLoad.

When using podofopdfinfo to parse a PDF file, a SIGSEGV error occurs. By debugging with gdb, it was found that the error occurred at line 163 in podofo-0.10.0/src/podofo/main/PdfObject.cpp:

if (m\_IsDelayedLoadDone)

When checking the value of m\_IsDelayedLoadDone with "p" command, it was found that the value was 0x31. As a boolean value, it should only be assigned either 0 or 1, but not any other numbers. Previously, PoDoFo::PdfObject::DelayedLoad was also called and executed normally, but calling this function in the getString() function would result in a failure. The specific gdb bt stack trace is as follows.

**Command Input**

podofopdfinfo poc\_file

poc\_file are attached.

**Environment**

*   OS: Ubuntu 20.04.1
*   clang:12.0.0
*   podofo:0.10.0

poc\_file.zip

CVE-2023-31555: [podofo-0.10.0]a SIGSEGV error occurs · Issue #67 · podofo/podofo

Uncontrolled search path in some Intel(R) oneAPI Toolkit and component software installers before version 4.3.0.251 may allow an authenticated user to potentially enable escalation of privilege via local access.

**Select Your Region**

Sign In to access restricted content

**Using Intel.com Search**

You can easily search the entire Intel.com site in several ways.

*   Brand Name: **Core i9**
*   Document Number: **123456**
*   Code Name: **Alder Lake**
*   Special Operators: **“Ice Lake”, Ice AND Lake, Ice OR Lake, Ice\***

**Quick Links**

You can also try the quick links below to see results for most popular searches.

*   Product Information
*   Support
*   Drivers & Software

**Recent Searches**

Sign In to access restricted content

**Advanced Search**

**Only search in**

Title Description Content ID

Sign in to access restricted content.

The browser version you are using is not recommended for this site.  
Please consider upgrading to the latest version of your browser by clicking one of the following links.

*   Safari
*   Chrome
*   Edge
*   Firefox

**Intel® oneAPI Toolkit and Component Software Installers Advisory**

**Summary: **

A potential security vulnerability in some Intel® oneAPI Toolkit and component software installers may allow escalation of privilege. Intel is releasing software updates to mitigate this potential vulnerability.

**Vulnerability Details:**

CVEID: CVE-2023-22355

Description: Uncontrolled search path in some Intel(R) oneAPI Toolkit and component software installers before version 4.3.0.251 may allow an authenticated user to potentially enable escalation of privilege via local access.

CVSS Base Score: 6.7 Medium

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

**Affected Products:**

Intel® Advisor for oneAPI before version 2023.0.

Intel® CPU Runtime for OpenCL™ Applications before version 2023.0.

Intel® Distribution for Python\* programming language before version 2023.0.

Intel® DPC++ Compatibility Tool before version 2023.0.

Intel® Embree Ray Tracing Kernel Library before version 2023.0.

Intel® Fortran Compiler before version 2023.0.

Intel® Implicit SPMD Program Compiler before version 1.18.1.

Intel® Inspector for oneAPI before version 2023.0.

Intel® Integrated Performance Primitives before version 2021.7.

Intel® IPP Cryptography before version 2021.6.3.

Intel® MPI Library before version 2021.8.

Intel® oneAPI Base Toolkit before version 2023.0.

Intel® oneAPI Data Analytics Library before version 2023.0.

Intel® oneAPI Deep Neural Network Library before version 2023.0.

Intel® oneAPI DPC++/C++ Compiler before version 2023.0.

Intel® oneAPI DPC++ Library (oneDPL) before version 2022.0.

Intel® oneAPI HPC Toolkit before version 2023.0.

Intel® oneAPI IoT Toolkit before version 2023.0.

Intel® oneAPI Math Kernel Library before version 2023.0.

Intel® oneAPI Rendering Toolkit before version 2023.0.

Intel® oneAPI Threading Building Blocks before version 2021.8.

Intel® oneAPI Video Processing Library before version 2023.0.

Intel® Open Image Denoise before version 1.4.3.

Intel® Open Volume Kernel Library before version 2023.0.

Intel® OSPRay before version 2023.0.

Intel® OSPRay Studio before version 2023.0.

Intel® Trace Analyzer and Collector before version 2021.8.0.

Intel® VTune™ Profiler for oneAPI before version 2023.0.

**Recommendations:**

Intel recommends updating Intel® oneAPI Toolkits to version 2023.0.0 or later.

Updates are available for download at this location:

https://www.intel.com/content/www/us/en/developer/tools/oneapi/toolkits.html

Intel recommends updating any installed Intel® oneAPI standalone component software to the latest versions.

Updates are available for download at these locations:

https://www.intel.com/content/www/us/en/developer/articles/tool/oneapi-standalone-components.html

**Acknowledgements:**

The following issues was found externally.

Intel, and nearly the entire technology industry, follows a disclosure practice called Coordinated Disclosure, under which a cybersecurity vulnerability is generally publicly disclosed only after mitigations are available.

**Revision History**

Revision

Date

Description

1.0

05/09/2023

Initial Release

**Legal Notices and Disclaimers**

Intel provides these materials as-is, with no express or implied warranties.

All products, dates, and figures specified are preliminary based on current expectations, and are subject to change without notice.

Intel products and services described may contain design defects or errors known as errata, which may cause the product to deviate from published specifications. Current characterized errata are available on request.

Intel products that have met their End of Servicing Updates may no longer receive functional and security updates. For additional details on support and servicing, please see this help article. 

Intel technologies’ features and benefits depend on system configuration and may require enabled hardware, software or service activation. Performance varies depending on system configuration. No product or component can be absolutely secure. Check with your system manufacturer or retailer or learn more at http://intel.com.

Some results have been estimated or simulated using internal Intel analysis or architecture simulation or modeling, and provided to you for informational purposes. Any differences in your system hardware, software or configuration may affect your actual performance.

© Intel Corporation.  Intel, the Intel logo, and other Intel marks are trademarks of Intel Corporation or its subsidiaries United States and other countries.  Other names and brands may be claimed as the property of others.

**Report a Vulnerability**

If you have information about a security issue or vulnerability with an **Intel branded product or technology**, please send an e-mail to secure@intel.com. Encrypt sensitive information using our PGP public key.

Please provide as much information as possible, including:

*   The products and versions affected
*   Detailed description of the vulnerability
*   Information on known exploits

A member of the Intel Product Security Team will review your e-mail and contact you to collaborate on resolving the issue. For more information on how Intel works to resolve security issues, see:

*   Vulnerability handling guidelines

For issues related to Intel's external web presence (Intel.com and related subdomains), please contact Intel's External Security Research team.

**Need product support?**

If you...

*   Have questions about the security features of an Intel product
*   Require technical support
*   Want product updates or patches

  
Please visit Support & Downloads.

*   Report a Vulnerability
*   Product Support

CVE-2023-22355: INTEL-SA-00819

Government organizations in Central Asia are the target of a sophisticated espionage campaign that leverages a previously undocumented strain of malware dubbed DownEx.
Bitdefender, in a report shared with The Hacker News, said the activity remains active, with evidence likely pointing to the involvement of Russia-based threat actors.
The Romanian cybersecurity firm said it first detected the

Government organizations in Central Asia are the target of a sophisticated espionage campaign that leverages a previously undocumented strain of malware dubbed **DownEx**.

Bitdefender, in a report shared with The Hacker News, said the activity remains active, with evidence likely pointing to the involvement of Russia-based threat actors.

The Romanian cybersecurity firm said it first detected the malware in a highly targeted attack aimed at foreign government institutions in Kazakhstan in late 2022. Subsequently, another attack was observed in Afghanistan.

The use of a diplomat-themed lure document and the campaign's focus on data exfiltration suggests the involvement of a state-sponsored group, although the exact identity of the hacking outfit remains indeterminate at this stage.

The initial intrusion vector for the campaign is suspected to be a spear-phishing email bearing a booby-trapped payload, which is a loader executable that masquerades as a Microsoft Word file.

Opening the attachment leads to the extraction of two files, including a decoy document that's displayed to the victim while a malicious HTML application (.HTA) with embedded VBScript code runs in the background.

The HTA file, for its part, is designed to establish contact with a remote command-and-control (C2) server to retrieve a next-stage payload. While the exact nature of the malware is not unknown, it's said to be a backdoor to establish persistence.

The attacks are also notable for employing a variety of custom tools for carrying out post-exploitation activities. This includes -

*   Two C/C++-based binaries (wnet.exe and utility.exe) to enumerate all the resources on a network,
*   A Python script (help.py) to establish an infinite communication loop with the C2 server and receive instructions to steal files with certain extensions, delete files created by other malware, and capture screenshots, and
*   A C++-based malware (diagsvc.exe aka DownEx) that's chiefly designed to exfiltrate files to the C2 server

UPCOMING WEBINAR

Learn to Stop Ransomware with Real-Time Protection

Join our webinar and learn how to stop ransomware attacks in their tracks with real-time MFA and service account protection.

Save My Seat!

Two other variants of DownEx have also been earthed, the first of which executes an intermediate VBScript to harvest and transmit the files in the form of a ZIP archive.

The other version, which is downloaded via a VBE script (slmgr.vbe) from a remote server, eschews C++ for VBScript, but retains the same functionality as the former.

"This is a fileless attack – the DownEx script is executed in memory and never touches the disk," Bitdefender said. "This attack highlights the sophistication of a modern cyberattack. Cybercriminals are finding new methods for making their attacks more reliable."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#c++