swfrender v0.9.2 was discovered to contain a heap buffer overflow in the function enumerateUsedIDs_fillstyle at modules/swftools.c

**1.heap-buffer-overflow****env**

ubuntu20.04

gcc version 9.4.0 (Ubuntu 9.4.0-1ubuntu1~20.04.1)

swfrender - part of swftools 0.9.2

**sample**

id7\_heap-buffer-overflow.zip

**crash**

    ./swfrender id7_heap-buffer-overflow -o /dev/null
    ==1106906==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6070000003eb at pc 0x557c2e072578 bp 0x7ffd975b4940 sp 0x7ffd975b4930
    READ of size 1 at 0x6070000003eb thread T0
        #0 0x557c2e072577 in enumerateUsedIDs_fillstyle modules/swftools.c:509
        #1 0x557c2e0728d1 in enumerateUsedIDs_styles modules/swftools.c:565
        #2 0x557c2e05c7d9 in swf_ParseShapeData modules/swfshape.c:692
        #3 0x557c2e06020d in swf_ShapeToShape2 modules/swfshape.c:884
        #4 0x557c2e04c298 in extractDefinitions readers/swf.c:375
        #5 0x557c2e04c298 in swf_open readers/swf.c:736
        #6 0x557c2e04800a in main /mnt/hgfs/ubuntu/cve/swftools/swftools-master/src/swfrender.c:174
        #7 0x7f8c197fa082 in __libc_start_main ../csu/libc-start.c:308
        #8 0x557c2e046ecd in _start (/mnt/hgfs/ubuntu/cve/swftools/swftools-master/src/swfrender+0x24ecd)
    
    0x6070000003eb is located 0 bytes to the right of 75-byte region [0x6070000003a0,0x6070000003eb)
    allocated by thread T0 here:
        #0 0x7f8c19c40808 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
        #1 0x557c2e0e4ab9 in rfx_alloc /mnt/hgfs/ubuntu/cve/swftools/swftools-master/lib/mem.c:30
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow modules/swftools.c:509 in enumerateUsedIDs_fillstyle
    Shadow bytes around the buggy address:
      0x0c0e7fff8020: 00 00 00 00 00 00 00 00 00 fa fa fa fa fa 00 00
      0x0c0e7fff8030: 00 00 00 00 00 00 03 fa fa fa fa fa 00 00 00 00
      0x0c0e7fff8040: 00 00 00 00 03 fa fa fa fa fa 00 00 00 00 00 00
      0x0c0e7fff8050: 00 00 03 fa fa fa fa fa 00 00 00 00 00 00 00 00
      0x0c0e7fff8060: 00 00 fa fa fa fa 00 00 00 00 00 00 00 00 00 04
    =>0x0c0e7fff8070: fa fa fa fa 00 00 00 00 00 00 00 00 00[03]fa fa
      0x0c0e7fff8080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c0e7fff8090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c0e7fff80a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c0e7fff80b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c0e7fff80c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==1106906==ABORTING
    

**2.negative-size-param****env**

ubuntu20.04

gcc version 9.4.0 (Ubuntu 9.4.0-1ubuntu1~20.04.1)

swfrender - part of swftools 0.9.2

**sample**

id107\_negative-size-param.zip

**crash**

    ./swfrender id107_negative-size-param -o /dev/null
    =1148866==ERROR: AddressSanitizer: negative-size-param: (size=-21465837888)
        #0 0x7fe31237dfdd in __interceptor_memset ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:762
        #1 0x559b516b3c75 in memset /usr/include/x86_64-linux-gnu/bits/string_fortified.h:71
        #2 0x559b516b3c75 in newclip devices/render.c:538
        #3 0x559b516b41e1 in render_startpage devices/render.c:936
        #4 0x559b516348e1 in main /mnt/hgfs/ubuntu/cve/swftools/swftools-master/src/swfrender.c:217
        #5 0x7fe311fdd082 in __libc_start_main ../csu/libc-start.c:308
        #6 0x559b51632ecd in _start (/mnt/hgfs/ubuntu/cve/swftools/swftools-master/src/swfrender+0x24ecd)
    
    0x7fe2fef21800 is located 0 bytes inside of 8998592-byte region [0x7fe2fef21800,0x7fe2ff7b66c0)
    allocated by thread T0 here:
        #0 0x7fe312423a06 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:153
        #1 0x559b516d0bc1 in rfx_calloc /mnt/hgfs/ubuntu/cve/swftools/swftools-master/lib/mem.c:69
    
    SUMMARY: AddressSanitizer: negative-size-param ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:762 in __interceptor_memset
    ==1148866==ABORTING
    

**3.heap-buffer-overflow****env**

ubuntu20.04

gcc version 9.4.0 (Ubuntu 9.4.0-1ubuntu1~20.04.1)

swfrender - part of swftools 0.9.2

**sample**

id157\_heap-buffer-overflow.zip

**crash**

    ./swfrender id157_heap-buffer-overflow -o /dev/null
    =1167329==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7fb50bafcc00 at pc 0x7fb50f696f3d bp 0x7fffa3c52d40 sp 0x7fffa3c524e8
    WRITE of size 16 at 0x7fb50bafcc00 thread T0
        #0 0x7fb50f696f3c in __interceptor_memset ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:762
        #1 0x55ca7b7620cc in memset /usr/include/x86_64-linux-gnu/bits/string_fortified.h:71
        #2 0x55ca7b7620cc in render_startpage devices/render.c:922
        #3 0x55ca7b6e28e1 in main /mnt/hgfs/ubuntu/cve/swftools/swftools-master/src/swfrender.c:217
        #4 0x7fb50f2f6082 in __libc_start_main ../csu/libc-start.c:308
        #5 0x55ca7b6e0ecd in _start (/mnt/hgfs/ubuntu/cve/swftools/swftools-master/src/swfrender+0x24ecd)
    
    0x7fb50bafcc00 is located 0 bytes to the right of 13906944-byte region [0x7fb50adb9800,0x7fb50bafcc00)
    allocated by thread T0 here:
        #0 0x7fb50f73c808 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
        #1 0x55ca7b77eab9 in rfx_alloc /mnt/hgfs/ubuntu/cve/swftools/swftools-master/lib/mem.c:30
        #2 0x7fb50f2f6082 in __libc_start_main ../csu/libc-start.c:308
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:762 in __interceptor_memset
    Shadow bytes around the buggy address:
      0x0ff721757930: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0ff721757940: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0ff721757950: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0ff721757960: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0ff721757970: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x0ff721757980:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0ff721757990: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0ff7217579a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0ff7217579b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0ff7217579c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0ff7217579d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==1167329==ABORTING

CVE-2023-29950: bug report -- swfrender · Issue #198 · matthiaskramm/swftools

Categories: News
Tags: ChatGPT

Tags:  How Secure is Code Generated by ChatGPT?

Tags:  Raphaël Khoury

Tags:  Anderson Avila

Tags:  Jacob Brunelle

Tags:  Baba Mamadou Camara

Tags:  Université du Québec

Tags:  ChatGPT makes insecure code

Researchers have found that ChatGPT, OpenAI's popular chatbot, is prone to generating insecure code.



(Read more...)




The post ChatGPT writes insecure code appeared first on Malwarebytes Labs.

Research by computer scientists associated with the Université du Québec in Canada has found that ChatGPT, OpenAI's popular chatbot, is prone to generating insecure code.

"_How Secure is Code Generated by ChatGPT?_" is the work of Raphaël Khoury, Anderson Avila, Jacob Brunelle, and Baba Mamadou Camara. The paper concludes that ChatGPT generates code that isn't robust, despite claiming awareness of its vulnerabilities. 

"The results were worrisome," the researchers say in the paper. "We found that, in several cases, the code generated by ChatGPT fell well below minimal security standards applicable in most contexts."

> "In fact, when prodded to whether or not the produced code was secure, ChatGPT was able to recognize that it was not. The chatbot, however, was able to provide a more secure version of the code in many cases if explicitly asked to do so."

In the experiment, the researchers assumed the role of a novice programmer who doesn't have security in mind. They asked ChatGPT to generate code, specifying in some cases that the code would be used in a "security-sensitive context." What they didn't do, however, was specifically ask the AI chatbot to create secure code or include certain security features.

ChatGPT generated 21 applications written in five programming languages: C, C++, HTML, Java, and Python. The programs are simple, with 97 lines of code at most.

In its first run, ChatGPT produced five secure applications out of 21. When prompted for changes, it made seven more secure applications from the remaining 16.

The authors note that ChatGPT can only create "secure" code when a user requests it. When tasked with creating a simple FTP server for file sharing, it generated code without applying input sanitization (where code is checked for harmful characters and removed where necessary). ChatGPT only added the security feature _after_ the authors prompted it to do so.

"Part of the problem seems to be that ChatGPT simply doesn't assume an adversarial model of execution," the authors say, explaining why the AI bot cannot create secure code by default. Despite this, the bot readily admits to errors in its code.

"If asked specifically on this topic, the chatbot will provide the user with a cogent explanation of why the code is potentially exploitable. However, any explanatory benefit would only be available to a user who 'asks the right questions'. i.e.; a security-conscious programmer who queries ChatGPT about security issues."

Additionally, the authors point to the chatbot's ethical inconsistency when it refuses to create attack code but _will_ create insecure code.

It might refuse to create attack code, but there are ways round it. Malwarebytes Security Evangelist Mark Stockley decided to try to create ransomware using ChatGPT. The AI bot refused to create malware code at first, but Stockley found his way around the initial safeguards and managed to get it to create (admittedly quite dubious) ransomware anyway.

In an interview with _The Register_, one of the Université du Québec researchers said he had concerns about ChatGPT. "We have actually already seen students use this, and programmers will use this in the wild," Khoury said. "So having a tool that generates insecure code is really dangerous. We need to make students aware that if code is generated with this type of tool, it very well might be insecure."

Malwarebytes removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

ChatGPT writes insecure code

Red Hat Security Advisory 2023-1966-01 - The Public Key Infrastructure Core contains fundamental packages required by Red Hat Certificate System.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: pki-core:10.6 security update  
Advisory ID:       RHSA-2023:1966-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:1966  
Issue date:        2023-04-25  
CVE Names:         CVE-2022-2414  
====================================================================  
1. Summary:

An update for the pki-core:10.6 module is now available for Red Hat  
Enterprise Linux 8.4 Extended Update Support.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream EUS (v.8.4) - aarch64, noarch, ppc64le, s390x, x86_64

3. Description:

The Public Key Infrastructure (PKI) Core contains fundamental packages  
required by Red Hat Certificate System.

Security Fix(es):

* pki-core: access to external entities when parsing XML can lead to XXE  
(CVE-2022-2414)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2104676 - CVE-2022-2414 pki-core: access to external entities when parsing XML can lead to XXE

6. Package List:

Red Hat Enterprise Linux AppStream EUS (v.8.4):

Source:  
jss-4.8.1-2.module+el8.4.0+10451+3e5b5448.src.rpm  
ldapjdk-4.22.0-1.module+el8.3.0+6784+6e1e4c62.src.rpm  
pki-core-10.10.5-6.module+el8.4.0+17580+3370c7a3.src.rpm  
tomcatjss-7.6.1-1.module+el8.4.0+8778+d07929ff.src.rpm

aarch64:  
jss-4.8.1-2.module+el8.4.0+10451+3e5b5448.aarch64.rpm  
jss-debuginfo-4.8.1-2.module+el8.4.0+10451+3e5b5448.aarch64.rpm  
jss-debugsource-4.8.1-2.module+el8.4.0+10451+3e5b5448.aarch64.rpm  
jss-javadoc-4.8.1-2.module+el8.4.0+10451+3e5b5448.aarch64.rpm  
pki-core-debuginfo-10.10.5-6.module+el8.4.0+17580+3370c7a3.aarch64.rpm  
pki-core-debugsource-10.10.5-6.module+el8.4.0+17580+3370c7a3.aarch64.rpm  
pki-symkey-10.10.5-6.module+el8.4.0+17580+3370c7a3.aarch64.rpm  
pki-symkey-debuginfo-10.10.5-6.module+el8.4.0+17580+3370c7a3.aarch64.rpm  
pki-tools-10.10.5-6.module+el8.4.0+17580+3370c7a3.aarch64.rpm  
pki-tools-debuginfo-10.10.5-6.module+el8.4.0+17580+3370c7a3.aarch64.rpm

noarch:  
ldapjdk-4.22.0-1.module+el8.3.0+6784+6e1e4c62.noarch.rpm  
ldapjdk-javadoc-4.22.0-1.module+el8.3.0+6784+6e1e4c62.noarch.rpm  
pki-acme-10.10.5-6.module+el8.4.0+17580+3370c7a3.noarch.rpm  
pki-base-10.10.5-6.module+el8.4.0+17580+3370c7a3.noarch.rpm  
pki-base-java-10.10.5-6.module+el8.4.0+17580+3370c7a3.noarch.rpm  
pki-ca-10.10.5-6.module+el8.4.0+17580+3370c7a3.noarch.rpm  
pki-kra-10.10.5-6.module+el8.4.0+17580+3370c7a3.noarch.rpm  
pki-server-10.10.5-6.module+el8.4.0+17580+3370c7a3.noarch.rpm  
python3-pki-10.10.5-6.module+el8.4.0+17580+3370c7a3.noarch.rpm  
tomcatjss-7.6.1-1.module+el8.4.0+8778+d07929ff.noarch.rpm

ppc64le:  
jss-4.8.1-2.module+el8.4.0+10451+3e5b5448.ppc64le.rpm  
jss-debuginfo-4.8.1-2.module+el8.4.0+10451+3e5b5448.ppc64le.rpm  
jss-debugsource-4.8.1-2.module+el8.4.0+10451+3e5b5448.ppc64le.rpm  
jss-javadoc-4.8.1-2.module+el8.4.0+10451+3e5b5448.ppc64le.rpm  
pki-core-debuginfo-10.10.5-6.module+el8.4.0+17580+3370c7a3.ppc64le.rpm  
pki-core-debugsource-10.10.5-6.module+el8.4.0+17580+3370c7a3.ppc64le.rpm  
pki-symkey-10.10.5-6.module+el8.4.0+17580+3370c7a3.ppc64le.rpm  
pki-symkey-debuginfo-10.10.5-6.module+el8.4.0+17580+3370c7a3.ppc64le.rpm  
pki-tools-10.10.5-6.module+el8.4.0+17580+3370c7a3.ppc64le.rpm  
pki-tools-debuginfo-10.10.5-6.module+el8.4.0+17580+3370c7a3.ppc64le.rpm

s390x:  
jss-4.8.1-2.module+el8.4.0+10451+3e5b5448.s390x.rpm  
jss-debuginfo-4.8.1-2.module+el8.4.0+10451+3e5b5448.s390x.rpm  
jss-debugsource-4.8.1-2.module+el8.4.0+10451+3e5b5448.s390x.rpm  
jss-javadoc-4.8.1-2.module+el8.4.0+10451+3e5b5448.s390x.rpm  
pki-core-debuginfo-10.10.5-6.module+el8.4.0+17580+3370c7a3.s390x.rpm  
pki-core-debugsource-10.10.5-6.module+el8.4.0+17580+3370c7a3.s390x.rpm  
pki-symkey-10.10.5-6.module+el8.4.0+17580+3370c7a3.s390x.rpm  
pki-symkey-debuginfo-10.10.5-6.module+el8.4.0+17580+3370c7a3.s390x.rpm  
pki-tools-10.10.5-6.module+el8.4.0+17580+3370c7a3.s390x.rpm  
pki-tools-debuginfo-10.10.5-6.module+el8.4.0+17580+3370c7a3.s390x.rpm

x86_64:  
jss-4.8.1-2.module+el8.4.0+10451+3e5b5448.x86_64.rpm  
jss-debuginfo-4.8.1-2.module+el8.4.0+10451+3e5b5448.x86_64.rpm  
jss-debugsource-4.8.1-2.module+el8.4.0+10451+3e5b5448.x86_64.rpm  
jss-javadoc-4.8.1-2.module+el8.4.0+10451+3e5b5448.x86_64.rpm  
pki-core-debuginfo-10.10.5-6.module+el8.4.0+17580+3370c7a3.x86_64.rpm  
pki-core-debugsource-10.10.5-6.module+el8.4.0+17580+3370c7a3.x86_64.rpm  
pki-symkey-10.10.5-6.module+el8.4.0+17580+3370c7a3.x86_64.rpm  
pki-symkey-debuginfo-10.10.5-6.module+el8.4.0+17580+3370c7a3.x86_64.rpm  
pki-tools-10.10.5-6.module+el8.4.0+17580+3370c7a3.x86_64.rpm  
pki-tools-debuginfo-10.10.5-6.module+el8.4.0+17580+3370c7a3.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-2414  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZEe/PNzjgjWX9erEAQg4CQ//RnrpSmI7T6BcHybiaeWTeQzwZb0BpQX8  
vEQCJ9LRyHuuFZSsGH0yTNg6/i9tHBms3CJUKsyf4BvdeUTEl1lRFbVC1yqRfbbh  
Fq6+AqFe28mjG6DeJAlH+zZcpRnDwsBLQxnMKi30JAzcZKSXVa5imBS3EFx64HnG  
uvHuRu9Tf7FJiJAwWJhmZN7Njrqs/GbKNBHvIOjkWgDlpBPpAEl4nW7MZSZiuQ5I  
q5MAf9gcRwToYPV1tgAUTbYPbEXFA+0SsIrhC++y8+SRCkcdYfJzJB32N4hQenPa  
ErKC5zZ31AmwVdg6yIuDokUHkVFl0TPOPWwJEIAdn184dTmEyohCnIyPwakikc2v  
QSZ/3pUtc5q3b2fCgUxCGG17jrlg8kxtNCjmXlmAPcdRMG40SMme7djNXJRPvAQO  
me9ezRvlFKpESEklYg0AznDeZmEnYh3Wir5Xqmuoe2xgS5T9ZWvVDWR7X6Y2Zb8R  
xi3DCZIFWI5TRaZlPqI82MMFwxeI9nl88KjCZZ+eig3Hs/OiL7qE1bSBLerviq8j  
tLdXqTPV3Dc9FNHZWTvEAOXcKplmCNbd1w+ipq0Koxz5/FPsj1V7XpYBOOZngzXI  
u6umMRmxF8i+yjhosOy2wBLHl7uwXLghhBc0u3Wz0HRI9T5RgmzV9DHT1B/rEarc  
jhTEpvPmreA=EN+k  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-1966-01

Red Hat Security Advisory 2023-1907-01 - The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: java-1.8.0-openjdk security update  
Advisory ID:       RHSA-2023:1907-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:1907  
Issue date:        2023-04-25  
CVE Names:         CVE-2023-21930 CVE-2023-21937 CVE-2023-21938  
                   CVE-2023-21939 CVE-2023-21954 CVE-2023-21967  
                   CVE-2023-21968  
====================================================================  
1. Summary:

An update for java-1.8.0-openjdk is now available for Red Hat Enterprise  
Linux 8.4 Extended Update Support.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat CodeReady Linux Builder EUS (v. 8.4) - aarch64, ppc64le, x86_64  
Red Hat Enterprise Linux AppStream EUS (v.8.4) - aarch64, noarch, ppc64le, s390x, x86_64

3. Description:

The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime  
Environment and the OpenJDK 8 Java Software Development Kit.

Security Fix(es):

* OpenJDK: improper connection handling during TLS handshake (8294474)  
(CVE-2023-21930)

* OpenJDK: Swing HTML parsing issue (8296832) (CVE-2023-21939)

* OpenJDK: incorrect enqueue of references in garbage collector (8298191)  
(CVE-2023-21954)

* OpenJDK: certificate validation issue in TLS session negotiation  
(8298310) (CVE-2023-21967)

* OpenJDK: missing string checks for NULL characters (8296622)  
(CVE-2023-21937)

* OpenJDK: incorrect handling of NULL characters in ProcessBuilder  
(8295304) (CVE-2023-21938)

* OpenJDK: missing check for slash characters in URI-to-path conversion  
(8298667) (CVE-2023-21968)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

All running instances of OpenJDK Java must be restarted for this update to  
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2187435 - CVE-2023-21930 OpenJDK: improper connection handling during TLS handshake (8294474)  
2187441 - CVE-2023-21954 OpenJDK: incorrect enqueue of references in garbage collector (8298191)  
2187704 - CVE-2023-21967 OpenJDK: certificate validation issue in TLS session negotiation (8298310)  
2187724 - CVE-2023-21939 OpenJDK: Swing HTML parsing issue (8296832)  
2187758 - CVE-2023-21938 OpenJDK: incorrect handling of NULL characters in ProcessBuilder (8295304)  
2187790 - CVE-2023-21937 OpenJDK: missing string checks for NULL characters (8296622)  
2187802 - CVE-2023-21968 OpenJDK: missing check for slash characters in URI-to-path conversion (8298667)

6. Package List:

Red Hat Enterprise Linux AppStream EUS (v.8.4):

Source:  
java-1.8.0-openjdk-1.8.0.372.b07-1.el8_4.src.rpm

aarch64:  
java-1.8.0-openjdk-1.8.0.372.b07-1.el8_4.aarch64.rpm  
java-1.8.0-openjdk-accessibility-1.8.0.372.b07-1.el8_4.aarch64.rpm  
java-1.8.0-openjdk-debuginfo-1.8.0.372.b07-1.el8_4.aarch64.rpm  
java-1.8.0-openjdk-debugsource-1.8.0.372.b07-1.el8_4.aarch64.rpm  
java-1.8.0-openjdk-demo-1.8.0.372.b07-1.el8_4.aarch64.rpm  
java-1.8.0-openjdk-demo-debuginfo-1.8.0.372.b07-1.el8_4.aarch64.rpm  
java-1.8.0-openjdk-demo-slowdebug-debuginfo-1.8.0.372.b07-1.el8_4.aarch64.rpm  
java-1.8.0-openjdk-devel-1.8.0.372.b07-1.el8_4.aarch64.rpm  
java-1.8.0-openjdk-devel-debuginfo-1.8.0.372.b07-1.el8_4.aarch64.rpm  
java-1.8.0-openjdk-devel-slowdebug-debuginfo-1.8.0.372.b07-1.el8_4.aarch64.rpm  
java-1.8.0-openjdk-headless-1.8.0.372.b07-1.el8_4.aarch64.rpm  
java-1.8.0-openjdk-headless-debuginfo-1.8.0.372.b07-1.el8_4.aarch64.rpm  
java-1.8.0-openjdk-headless-slowdebug-debuginfo-1.8.0.372.b07-1.el8_4.aarch64.rpm  
java-1.8.0-openjdk-slowdebug-debuginfo-1.8.0.372.b07-1.el8_4.aarch64.rpm  
java-1.8.0-openjdk-src-1.8.0.372.b07-1.el8_4.aarch64.rpm

noarch:  
java-1.8.0-openjdk-javadoc-1.8.0.372.b07-1.el8_4.noarch.rpm  
java-1.8.0-openjdk-javadoc-zip-1.8.0.372.b07-1.el8_4.noarch.rpm

ppc64le:  
java-1.8.0-openjdk-1.8.0.372.b07-1.el8_4.ppc64le.rpm  
java-1.8.0-openjdk-accessibility-1.8.0.372.b07-1.el8_4.ppc64le.rpm  
java-1.8.0-openjdk-debuginfo-1.8.0.372.b07-1.el8_4.ppc64le.rpm  
java-1.8.0-openjdk-debugsource-1.8.0.372.b07-1.el8_4.ppc64le.rpm  
java-1.8.0-openjdk-demo-1.8.0.372.b07-1.el8_4.ppc64le.rpm  
java-1.8.0-openjdk-demo-debuginfo-1.8.0.372.b07-1.el8_4.ppc64le.rpm  
java-1.8.0-openjdk-demo-slowdebug-debuginfo-1.8.0.372.b07-1.el8_4.ppc64le.rpm  
java-1.8.0-openjdk-devel-1.8.0.372.b07-1.el8_4.ppc64le.rpm  
java-1.8.0-openjdk-devel-debuginfo-1.8.0.372.b07-1.el8_4.ppc64le.rpm  
java-1.8.0-openjdk-devel-slowdebug-debuginfo-1.8.0.372.b07-1.el8_4.ppc64le.rpm  
java-1.8.0-openjdk-headless-1.8.0.372.b07-1.el8_4.ppc64le.rpm  
java-1.8.0-openjdk-headless-debuginfo-1.8.0.372.b07-1.el8_4.ppc64le.rpm  
java-1.8.0-openjdk-headless-slowdebug-debuginfo-1.8.0.372.b07-1.el8_4.ppc64le.rpm  
java-1.8.0-openjdk-slowdebug-debuginfo-1.8.0.372.b07-1.el8_4.ppc64le.rpm  
java-1.8.0-openjdk-src-1.8.0.372.b07-1.el8_4.ppc64le.rpm

s390x:  
java-1.8.0-openjdk-1.8.0.372.b07-1.el8_4.s390x.rpm  
java-1.8.0-openjdk-accessibility-1.8.0.372.b07-1.el8_4.s390x.rpm  
java-1.8.0-openjdk-debuginfo-1.8.0.372.b07-1.el8_4.s390x.rpm  
java-1.8.0-openjdk-debugsource-1.8.0.372.b07-1.el8_4.s390x.rpm  
java-1.8.0-openjdk-demo-1.8.0.372.b07-1.el8_4.s390x.rpm  
java-1.8.0-openjdk-demo-debuginfo-1.8.0.372.b07-1.el8_4.s390x.rpm  
java-1.8.0-openjdk-devel-1.8.0.372.b07-1.el8_4.s390x.rpm  
java-1.8.0-openjdk-devel-debuginfo-1.8.0.372.b07-1.el8_4.s390x.rpm  
java-1.8.0-openjdk-headless-1.8.0.372.b07-1.el8_4.s390x.rpm  
java-1.8.0-openjdk-headless-debuginfo-1.8.0.372.b07-1.el8_4.s390x.rpm  
java-1.8.0-openjdk-src-1.8.0.372.b07-1.el8_4.s390x.rpm

x86_64:  
java-1.8.0-openjdk-1.8.0.372.b07-1.el8_4.x86_64.rpm  
java-1.8.0-openjdk-accessibility-1.8.0.372.b07-1.el8_4.x86_64.rpm  
java-1.8.0-openjdk-debuginfo-1.8.0.372.b07-1.el8_4.x86_64.rpm  
java-1.8.0-openjdk-debugsource-1.8.0.372.b07-1.el8_4.x86_64.rpm  
java-1.8.0-openjdk-demo-1.8.0.372.b07-1.el8_4.x86_64.rpm  
java-1.8.0-openjdk-demo-debuginfo-1.8.0.372.b07-1.el8_4.x86_64.rpm  
java-1.8.0-openjdk-demo-fastdebug-debuginfo-1.8.0.372.b07-1.el8_4.x86_64.rpm  
java-1.8.0-openjdk-demo-slowdebug-debuginfo-1.8.0.372.b07-1.el8_4.x86_64.rpm  
java-1.8.0-openjdk-devel-1.8.0.372.b07-1.el8_4.x86_64.rpm  
java-1.8.0-openjdk-devel-debuginfo-1.8.0.372.b07-1.el8_4.x86_64.rpm  
java-1.8.0-openjdk-devel-fastdebug-debuginfo-1.8.0.372.b07-1.el8_4.x86_64.rpm  
java-1.8.0-openjdk-devel-slowdebug-debuginfo-1.8.0.372.b07-1.el8_4.x86_64.rpm  
java-1.8.0-openjdk-fastdebug-debuginfo-1.8.0.372.b07-1.el8_4.x86_64.rpm  
java-1.8.0-openjdk-headless-1.8.0.372.b07-1.el8_4.x86_64.rpm  
java-1.8.0-openjdk-headless-debuginfo-1.8.0.372.b07-1.el8_4.x86_64.rpm  
java-1.8.0-openjdk-headless-fastdebug-debuginfo-1.8.0.372.b07-1.el8_4.x86_64.rpm  
java-1.8.0-openjdk-headless-slowdebug-debuginfo-1.8.0.372.b07-1.el8_4.x86_64.rpm  
java-1.8.0-openjdk-slowdebug-debuginfo-1.8.0.372.b07-1.el8_4.x86_64.rpm  
java-1.8.0-openjdk-src-1.8.0.372.b07-1.el8_4.x86_64.rpm

Red Hat CodeReady Linux Builder EUS (v. 8.4):

aarch64:  
java-1.8.0-openjdk-accessibility-slowdebug-1.8.0.372.b07-1.el8_4.aarch64.rpm  
java-1.8.0-openjdk-debugsource-1.8.0.372.b07-1.el8_4.aarch64.rpm  
java-1.8.0-openjdk-demo-slowdebug-1.8.0.372.b07-1.el8_4.aarch64.rpm  
java-1.8.0-openjdk-demo-slowdebug-debuginfo-1.8.0.372.b07-1.el8_4.aarch64.rpm  
java-1.8.0-openjdk-devel-slowdebug-1.8.0.372.b07-1.el8_4.aarch64.rpm  
java-1.8.0-openjdk-devel-slowdebug-debuginfo-1.8.0.372.b07-1.el8_4.aarch64.rpm  
java-1.8.0-openjdk-headless-slowdebug-1.8.0.372.b07-1.el8_4.aarch64.rpm  
java-1.8.0-openjdk-headless-slowdebug-debuginfo-1.8.0.372.b07-1.el8_4.aarch64.rpm  
java-1.8.0-openjdk-slowdebug-1.8.0.372.b07-1.el8_4.aarch64.rpm  
java-1.8.0-openjdk-slowdebug-debuginfo-1.8.0.372.b07-1.el8_4.aarch64.rpm  
java-1.8.0-openjdk-src-slowdebug-1.8.0.372.b07-1.el8_4.aarch64.rpm

ppc64le:  
java-1.8.0-openjdk-accessibility-slowdebug-1.8.0.372.b07-1.el8_4.ppc64le.rpm  
java-1.8.0-openjdk-debugsource-1.8.0.372.b07-1.el8_4.ppc64le.rpm  
java-1.8.0-openjdk-demo-slowdebug-1.8.0.372.b07-1.el8_4.ppc64le.rpm  
java-1.8.0-openjdk-demo-slowdebug-debuginfo-1.8.0.372.b07-1.el8_4.ppc64le.rpm  
java-1.8.0-openjdk-devel-slowdebug-1.8.0.372.b07-1.el8_4.ppc64le.rpm  
java-1.8.0-openjdk-devel-slowdebug-debuginfo-1.8.0.372.b07-1.el8_4.ppc64le.rpm  
java-1.8.0-openjdk-headless-slowdebug-1.8.0.372.b07-1.el8_4.ppc64le.rpm  
java-1.8.0-openjdk-headless-slowdebug-debuginfo-1.8.0.372.b07-1.el8_4.ppc64le.rpm  
java-1.8.0-openjdk-slowdebug-1.8.0.372.b07-1.el8_4.ppc64le.rpm  
java-1.8.0-openjdk-slowdebug-debuginfo-1.8.0.372.b07-1.el8_4.ppc64le.rpm  
java-1.8.0-openjdk-src-slowdebug-1.8.0.372.b07-1.el8_4.ppc64le.rpm

x86_64:  
java-1.8.0-openjdk-accessibility-fastdebug-1.8.0.372.b07-1.el8_4.x86_64.rpm  
java-1.8.0-openjdk-accessibility-slowdebug-1.8.0.372.b07-1.el8_4.x86_64.rpm  
java-1.8.0-openjdk-debugsource-1.8.0.372.b07-1.el8_4.x86_64.rpm  
java-1.8.0-openjdk-demo-fastdebug-1.8.0.372.b07-1.el8_4.x86_64.rpm  
java-1.8.0-openjdk-demo-fastdebug-debuginfo-1.8.0.372.b07-1.el8_4.x86_64.rpm  
java-1.8.0-openjdk-demo-slowdebug-1.8.0.372.b07-1.el8_4.x86_64.rpm  
java-1.8.0-openjdk-demo-slowdebug-debuginfo-1.8.0.372.b07-1.el8_4.x86_64.rpm  
java-1.8.0-openjdk-devel-fastdebug-1.8.0.372.b07-1.el8_4.x86_64.rpm  
java-1.8.0-openjdk-devel-fastdebug-debuginfo-1.8.0.372.b07-1.el8_4.x86_64.rpm  
java-1.8.0-openjdk-devel-slowdebug-1.8.0.372.b07-1.el8_4.x86_64.rpm  
java-1.8.0-openjdk-devel-slowdebug-debuginfo-1.8.0.372.b07-1.el8_4.x86_64.rpm  
java-1.8.0-openjdk-fastdebug-1.8.0.372.b07-1.el8_4.x86_64.rpm  
java-1.8.0-openjdk-fastdebug-debuginfo-1.8.0.372.b07-1.el8_4.x86_64.rpm  
java-1.8.0-openjdk-headless-fastdebug-1.8.0.372.b07-1.el8_4.x86_64.rpm  
java-1.8.0-openjdk-headless-fastdebug-debuginfo-1.8.0.372.b07-1.el8_4.x86_64.rpm  
java-1.8.0-openjdk-headless-slowdebug-1.8.0.372.b07-1.el8_4.x86_64.rpm  
java-1.8.0-openjdk-headless-slowdebug-debuginfo-1.8.0.372.b07-1.el8_4.x86_64.rpm  
java-1.8.0-openjdk-slowdebug-1.8.0.372.b07-1.el8_4.x86_64.rpm  
java-1.8.0-openjdk-slowdebug-debuginfo-1.8.0.372.b07-1.el8_4.x86_64.rpm  
java-1.8.0-openjdk-src-fastdebug-1.8.0.372.b07-1.el8_4.x86_64.rpm  
java-1.8.0-openjdk-src-slowdebug-1.8.0.372.b07-1.el8_4.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2023-21930  
https://access.redhat.com/security/cve/CVE-2023-21937  
https://access.redhat.com/security/cve/CVE-2023-21938  
https://access.redhat.com/security/cve/CVE-2023-21939  
https://access.redhat.com/security/cve/CVE-2023-21954  
https://access.redhat.com/security/cve/CVE-2023-21967  
https://access.redhat.com/security/cve/CVE-2023-21968  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZEe/PtzjgjWX9erEAQjNMA//bpp1jGrB3u5Q2khidQCghVv1Ggpr0Pzl  
n/9ujekG6aztyaTFSfJsX2CFZJmlCVT8v6UncZgSxeQ7KiOqNhESoTVQr+KyxVoZ  
YmpDr0HXWsa6y3KNERUBUdJ4vlbegky1jDvBPsQkzO9rijAl7/KRcP/cxntWupk0  
LyYrZWD9G8mBAalNDMozQD2C0DwFsi/R+GOQRFcP5GdIUUE+/676Xnloua+5W2wJ  
7MDi0LDQ2DpIm2DjYxpDOEgvxxMdy2OitDVJMs49xEvUkTKQtW0wNi3afMZhnvVJ  
SuWiqeavY7L9x6IAphIZXt2Ox9H3gCCflF1gk+00V0UI1OpKTTsTeZrHBN9QMy+F  
Bfq5No79e/tP5eK+NIcaWW7vHtTp3RIf08KBj4Vfh0tY4iSRx5NzQrJD94tQiZTj  
CnooNmgwOiZ6u5C9EoEpe6lkEsBXqzT3MdrxDr1m2gbGU6i4xWK9xmCYhMaoZ4XA  
mwJauSnF6z2WeET6U/qA7N816aRe2dDwTwUox8XQIdJDd2fFCi70OkbKMmyMzrGM  
GggQdCv0doE18/+g352FnsGgVVM2dsKY/Kmn5Ow+cyJLyvmu5D+3Z/8uzjJzgKr0  
1RBrVDjOL+VJv1NMi6PtjSWvuxD4JiXx4MW4yYksAoN9LGjbcgDxOc8vgGGmkqUG  
U/hqThgIrAE=jYFe  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-1907-01

yasm 1.3.0.55.g101bc was discovered to contain a stack overflow via the function parse_expr5 at /nasm/nasm-parse.c.

CVE-2023-29583: stack-overflow yasm/modules/parsers/nasm/nasm-parse.c:1303 in parse_expr5 · Issue #218 · yasm/yasm

yasm 1.3.0.55.g101bc was discovered to contain a stack overflow via the function parse_expr1 at /nasm/nasm-parse.c.

CVE-2023-29582: fuzz_vuln/readme.md at main · z1r00/fuzz_vuln

yasm 1.3.0.55.g101bc was discovered to contain a stack overflow via the component yasm/yasm+0x43b466 in vsprintf.

**stack-buffer-overflow yasm/yasm+0x43b466 in vsprintf****project address**

https://github.com/yasm/yasm

**info**

OS：Ubuntu20.04 TLS

Build: ./autogen.sh && make distclean && CC=gcc CXX=g++ CFLAGS="-fsanitize=address -fno-omit-frame-pointer -g" CXXFLAGS="-fsanitize=address -fno-omit-frame-pointer -g" ./configure --prefix=$PWD/build --disable-shared && make -j && make install

**Poc**

https://github.com/z1r00/fuzz\_vuln/blob/main/yasm/stack-buffer-overflow/yasm/id:000055%2Csig:06%2Csrc:008089%2B007532%2Cop:splice%2Crep:128

**ASAN Info**

./yasm id:000055,sig:06,src:008089+007532,op:splice,rep:128

yasm: file name already has no extension: output will be in \`yasm.out'
\=================================================================
\==1107138==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fffb43ff890 at pc 0x00000043b467 bp 0x7fffb43ff760 sp 0x7fffb43feef8
WRITE of size 21 at 0x7fffb43ff890 thread T0
    #0 0x43b466 in vsprintf (/home/z1r0/fuzzing/yasm/yasm/yasm+0x43b466)
    #1 0x43c3f3 in sprintf (/home/z1r0/fuzzing/yasm/yasm/yasm+0x43c3f3)
    #2 0x54e503 in x86\_dir\_cpu /home/z1r0/fuzzing/yasm/yasm/modules/arch/x86/x86arch.c:169:17
    #3 0x539e14 in yasm\_object\_directive /home/z1r0/fuzzing/yasm/yasm/libyasm/section.c:377:5
    #4 0x57bfe2 in nasm\_parser\_directive /home/z1r0/fuzzing/yasm/yasm/modules/parsers/nasm/nasm-parse.c:1569:10
    #5 0x579361 in parse\_line /home/z1r0/fuzzing/yasm/yasm/modules/parsers/nasm/nasm-parse.c:377:17
    #6 0x579361 in nasm\_parser\_parse /home/z1r0/fuzzing/yasm/yasm/modules/parsers/nasm/nasm-parse.c:231:18
    #7 0x577618 in nasm\_do\_parse /home/z1r0/fuzzing/yasm/yasm/modules/parsers/nasm/nasm-parser.c:66:5
    #8 0x577618 in nasm\_parser\_do\_parse /home/z1r0/fuzzing/yasm/yasm/modules/parsers/nasm/nasm-parser.c:83:5
    #9 0x4c6eae in do\_assemble /home/z1r0/fuzzing/yasm/yasm/frontends/yasm/yasm.c:521:5
    #10 0x4c6eae in main /home/z1r0/fuzzing/yasm/yasm/frontends/yasm/yasm.c:753:12
    #11 0x7f833dc86082 in \_\_libc\_start\_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
    #12 0x41c47d in \_start (/home/z1r0/fuzzing/yasm/yasm/yasm+0x41c47d)
Address 0x7fffb43ff890 is located in stack of thread T0 at offset 48 in frame
    #0 0x54e38f in x86\_dir\_cpu /home/z1r0/fuzzing/yasm/yasm/modules/arch/x86/x86arch.c:153
  This frame has 1 object(s):
    \[32, 48) 'strcpu' (line 168) <== Memory access at offset 48 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions \*are\* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow (/home/z1r0/fuzzing/yasm/yasm/yasm+0x43b466) in vsprintf
Shadow bytes around the buggy address:
  0x100076877ec0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100076877ed0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100076877ee0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100076877ef0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100076877f00: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
\=>0x100076877f10: 00 00\[f3\]f3 00 00 00 00 00 00 00 00 00 00 00 00
  0x100076877f20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100076877f30: f1 f1 f1 f1 f8 f3 f3 f3 00 00 00 00 00 00 00 00
  0x100076877f40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100076877f50: 00 00 00 00 f1 f1 f1 f1 00 00 f2 f2 f8 f8 f2 f2
  0x100076877f60: f8 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
\==1107138==ABORTING

**Reference**

https://github.com/z1r00/fuzz\_vuln/blob/main/yasm/stack-buffer-overflow/yasm/readmd.md

CVE-2023-29579: stack-buffer-overflow yasm/yasm+0x43b466 in vsprintf · Issue #214 · yasm/yasm

Bento4 v1.6.0-639 was discovered to contain an out-of-memory bug in the mp42aac component.

out-of-memory (/home/ubuntu/fuzz/asan\_bento4/Bento4/cmakebuild/mp42aac+0x4c44dd) in operator new(unsigned long)

    export CC=clang
    export CXX=clang++
    export CFLAGS="-fsanitize=address -g"
    export CXXFLAGS="-fsanitize=address -g"
    mkdir build
    cd build
    cmake -DCMAKE_BUILD_TYPE=Release ..
    make
    

    ./mp42aac poc4.mp4 /dev/null
    
    =================================================================
    ==1258592==ERROR: AddressSanitizer: allocator is out of memory trying to allocate 0x800000010 bytes
        #0 0x4c44dd in operator new(unsigned long) (/home/ubuntu/fuzz/asan_bento4/Bento4/cmakebuild/mp42aac+0x4c44dd)
        #1 0x6054ee in AP4_Array<AP4_TrunAtom::Entry>::EnsureCapacity(unsigned int) /home/ubuntu/fuzz/asan_bento4/Bento4/Source/C++/Core/Ap4Array.h:172:25
        #2 0x6054ee in AP4_Array<AP4_TrunAtom::Entry>::SetItemCount(unsigned int) /home/ubuntu/fuzz/asan_bento4/Bento4/Source/C++/Core/Ap4Array.h:210:25
        #3 0x6054ee in AP4_TrunAtom::AP4_TrunAtom(unsigned int, unsigned char, unsigned int, AP4_ByteStream&) /home/ubuntu/fuzz/asan_bento4/Bento4/Source/C++/Core/Ap4TrunAtom.cpp:150:9
        #4 0x604de2 in AP4_TrunAtom::Create(unsigned int, AP4_ByteStream&) /home/ubuntu/fuzz/asan_bento4/Bento4/Source/C++/Core/Ap4TrunAtom.cpp:51:16
        #5 0x53a0dd in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /home/ubuntu/fuzz/asan_bento4/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:438:20
        #6 0x5390e1 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /home/ubuntu/fuzz/asan_bento4/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234:14
        #7 0x57718b in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) /home/ubuntu/fuzz/asan_bento4/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:194:12
        #8 0x5763de in AP4_ContainerAtom::AP4_ContainerAtom(unsigned int, unsigned long long, bool, AP4_ByteStream&, AP4_AtomFactory&) /home/ubuntu/fuzz/asan_bento4/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:139:5
        #9 0x5763de in AP4_ContainerAtom::Create(unsigned int, unsigned long long, bool, bool, AP4_ByteStream&, AP4_AtomFactory&) /home/ubuntu/fuzz/asan_bento4/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:88:20
        #10 0x53a8dc in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /home/ubuntu/fuzz/asan_bento4/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:816:20
        #11 0x5390e1 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /home/ubuntu/fuzz/asan_bento4/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234:14
        #12 0x57718b in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) /home/ubuntu/fuzz/asan_bento4/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:194:12
        #13 0x5763de in AP4_ContainerAtom::AP4_ContainerAtom(unsigned int, unsigned long long, bool, AP4_ByteStream&, AP4_AtomFactory&) /home/ubuntu/fuzz/asan_bento4/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:139:5
        #14 0x5763de in AP4_ContainerAtom::Create(unsigned int, unsigned long long, bool, bool, AP4_ByteStream&, AP4_AtomFactory&) /home/ubuntu/fuzz/asan_bento4/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:88:20
        #15 0x53a8dc in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /home/ubuntu/fuzz/asan_bento4/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:816:20
        #16 0x5390e1 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /home/ubuntu/fuzz/asan_bento4/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234:14
        #17 0x53890b in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, AP4_Atom*&) /home/ubuntu/fuzz/asan_bento4/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:154:12
        #18 0x4ceffe in AP4_File::ParseStream(AP4_ByteStream&, AP4_AtomFactory&, bool) /home/ubuntu/fuzz/asan_bento4/Bento4/Source/C++/Core/Ap4File.cpp:104:12
        #19 0x4cf50a in AP4_File::AP4_File(AP4_ByteStream&, bool) /home/ubuntu/fuzz/asan_bento4/Bento4/Source/C++/Core/Ap4File.cpp:78:5
        #20 0x4c7232 in main /home/ubuntu/fuzz/asan_bento4/Bento4/Source/C++/Apps/Mp42Aac/Mp42Aac.cpp:250:22
        #21 0x7fb9e650c082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082)
    
    ==1258592==HINT: if you don't care about these errors you may set allocator_may_return_null=1
    SUMMARY: AddressSanitizer: out-of-memory (/home/ubuntu/fuzz/asan_bento4/Bento4/cmakebuild/mp42aac+0x4c44dd) in operator new(unsigned long)
    ==1258592==ABORTING

CVE-2023-29575: fuzz_vuln/readme.md at main · z1r00/fuzz_vuln

The supply chain attack targeting 3CX was the result of a prior supply chain compromise associated with a different company, demonstrating a new level of sophistication with North Korean threat actors.
Google-owned Mandiant, which is tracking the attack event under the moniker UNC4736, said the incident marks the first time it has seen a "software supply chain attack lead to another software

The supply chain attack targeting 3CX was the result of a prior supply chain compromise associated with a different company, demonstrating a new level of sophistication with North Korean threat actors.

Google-owned Mandiant, which is tracking the attack event under the moniker **UNC4736**, said the incident marks the first time it has seen a "software supply chain attack lead to another software supply chain attack."

The Matryoshka doll-style cascading attack against 3CX first came to light on March 29, 2023, when it emerged that Windows and macOS versions of its communication software were trojanized to deliver a C/C++-based data miner named ICONIC Stealer by means of a downloader, SUDDENICON, that used icon files hosted on GitHub to extract the server containing the stealer.

"The malicious application next attempts to steal sensitive information from the victim user's web browser," the U.S. Cybersecurity and Infrastructure Security Agency (CISA) said in an analysis of the malware. "Specifically it will target the Chrome, Edge, Brave, or Firefox browsers."

Select attacks targeting cryptocurrency companies also entailed the deployment of a next-stage backdoor referred to as Gopuram that's capable of running additional commands and interacting with the victim's file system.

Mandiant's investigation into the sequence of events has now revealed the patient zero to be a malicious version of a now-discontinued software provided by a fintech company called Trading Technologies, which was downloaded by a 3CX employee to their personal computer.

It described the initial intrusion vector as "a malware-laced software package distributed via an earlier software supply chain compromise that began with a tampered installer for X\_TRADER."

This rogue installer, in turn, contained a setup binary that dropped two trojanized DLLs and an innocuous executable, the latter of which is used to side-load one of the DLLs that's camouflaged as a legitimate dependency.

The attack chain then made use of open source tools like SIGFLIP and DAVESHELL to ultimately extract and execute VEILEDSIGNAL, a multi-stage modular backdoor written in C that's capable of sending data, executing shellcode, and terminating itself.

The initial compromise of the employee's personal computer using VEILEDSIGNAL enabled the threat actor to obtain the individual's corporate credentials, two after which the first unauthorized access to its network took place via a VPN by taking advantage of the stolen credentials.

Besides identifying tactical similarities between the compromised X\_TRADER and 3CXDesktopApp apps, Mandiant found that the threat actor subsequently laterally moved within the 3CX environment and breached the Windows and macOS build environments.

"On the Windows build environment, the attacker deployed a TAXHAUL launcher and COLDCAT downloader that persisted by performing DLL side-loading through the IKEEXT service and ran with LocalSystem privileges," Mandiant said. "The macOS build server was compromised with POOLRAT backdoor using Launch Daemons as a persistence mechanism."

POOLRAT, previously classified by the threat intelligence firm as SIMPLESEA, is a C/C++ macOS implant capable of collecting basic system information and executing arbitrary commands, including carrying out file operations.

UNC4736 is suspected to be a threat group with North Korean nexus, an assessment that's been reinforced by ESET's discovery of an overlapping command-and-control (C2) domain (journalide\[.\]org) employed in the supply chain attack and that of a Lazarus Group campaign called Operation Dream Job.

Evidence gathered by Mandiant shows that the group exhibits commonalities with another intrusion set tracked as Operation AppleJeus, which has a track record of carrying out financially motivated attacks.

UPCOMING WEBINAR

Zero Trust + Deception: Learn How to Outsmart Attackers!

Discover how Deception can detect advanced threats, stop lateral movement, and enhance your Zero Trust strategy. Join our insightful webinar!

Save My Seat!

What's more, the breach of Trading Technologies' website is said to have taken place in early February 2022 by weaponizing a then zero-day flaw in Google Chrome (CVE-2022-0609) to activate a multi-stage infection chain responsible for serving unknown payloads to the site visitors.

"The site www.tradingtechnologies\[.\]com was compromised and hosting a hidden IFRAME to exploit visitors, just two months before the site was known to deliver a trojanized X\_TRADER software package," Mandiant explained.

Another link connecting it to AppleJeus is the threat actor's previous use of an older version of POOLRAT as part of a long-running campaign disseminating booby-trapped trading applications like CoinGoTrade to facilitate cryptocurrency theft.

The entire scale of the campaign remains unknown, and it's currently not clear if the compromised X\_TRADER software was used by other firms. The platform was purportedly decommissioned in April 2020, but it was still available to download from the site in 2022.

3CX, in an update shared on April 20, 2023, said it's taking steps to harden its systems and minimize the risk of nested software-in-software supply chain attacks by enhancing product security, incorporating tools to ensure the integrity of its software, and establishing a new department for Network Operations and Security.

"Cascading software supply chain compromises demonstrate that North Korean operators can exploit network access in creative ways to develop and distribute malware, and move between target networks while conducting operations aligned with North Korea's interests," Mandiant said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

N.K. Hackers Employ Matryoshka Doll-Style Cascading Supply Chain Attack on 3CX

The notorious North Korea-aligned state-sponsored actor known as the Lazarus Group has been attributed to a new campaign aimed at Linux users.
The attacks are part of a persistent and long-running activity tracked under the name Operation Dream Job, ESET said in a new report published today.
The findings are crucial, not least because it marks the first publicly documented example of the

The notorious North Korea-aligned state-sponsored actor known as the **Lazarus Group** has been attributed to a new campaign aimed at Linux users.

The attacks are part of a persistent and long-running activity tracked under the name **Operation Dream Job**, ESET said in a new report published today.

The findings are crucial, not least because it marks the first publicly documented example of the adversary using Linux malware as part of this social engineering scheme.

Operation Dream Job, also known as DeathNote or NukeSped, refers to multiple attack waves wherein the group leverages fraudulent job offers as a lure to trick unsuspecting targets into downloading malware. It also exhibits overlaps with two other Lazarus clusters known as Operation In(ter)ception and Operation North Star.

The attack chain discovered by ESET is no different in that it delivers a fake HSBC job offer as a decoy within a ZIP archive file that's then used to launch a Linux backdoor named SimplexTea distributed via an OpenDrive cloud storage account.

While the exact method used to distribute the ZIP file is not known, it's suspected to be either spear-phishing or direct messages on LinkedIn. The backdoor, written in C++, bears similarities to BADCALL, a Windows trojan previously attributed to the group.

Furthermore, ESET said it identified commonalities between artifacts used in the Dream Job campaign and those unearthed as part of the supply chain attack on VoIP software developer 3CX that came to light last month.

UPCOMING WEBINAR

Defend with Deception: Advancing Zero Trust Security

Discover how Deception can detect advanced threats, stop lateral movement, and enhance your Zero Trust strategy. Join our insightful webinar!

Save My Seat!

This also includes the command-and-control (C2) domain "journalide\[.\]org," which was listed as one of the four C2 servers used by malware families detected within the 3CX environment.

Indications are that preparations for the supply chain attack had been underway since December 2022, when some of the components were committed to the GitHub code-hosting platform.

The findings not only strengthen the existing link between Lazarus Group and the 3CX compromise, but also demonstrates the threat actor's continued success with staging supply chain attacks since 2020.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#c++