nhttpd in Nostromo before 2.1 is vulnerable to a path traversal that may allow an attacker to execute arbitrary commands on the remote server. The vulnerability occurs when the homedirs option is used.

$nostromo: ChangeLog,v 1.241 2022/12/15 19:18:41 hacki Exp $ 2.1 === - Fix a vulnerability reported by Riccardo Krauter @ SoterITSecurity: If nostromo runs non-chrooted, and with the 'homedirs' configuration option enabled (disabled by default), an attacker can exploit a vulnerability to access files or execute programs (as CGI) outside of the server root directory. For that a specific request URL needs to be crafted by the attacker. 2.0 === - Fix compiling on NetBSD by suppressing the -Wall compiler option. Otherwise compiling breaks due to snprintf() truncate warnings. - Fix sizeof(http\_url) to sizeof(http\_urls) for the http\_urls buffer. Had no impact since both buffers anyway have the same size. - Replace SSL\_CTX\_use\_certificate\_file() with SSL\_CTX\_use\_certificate\_chain\_file(), so that the full certificate chain can be verified. - Update to libmy-2.1, which makes libbsd obsolete, and fixes compiling on FreeBSD. 1.9.9 ===== - Stupid me, forgot to bump the version in the last release! 1.9.8 ===== - Fix a potential segfault which can happen during nhttpd startup when reading a malformed comment line in the nhttpd.conf file. This was was caused by a buffer overflow in the libmy-1.8 fparse() function. Therefore upgraded to libmy-1.9 which contains a fix for fparse(). The issue was reported by Christoffer Jerkeby. 1.9.7 ===== - Fix for CVE-2019-16278 discovered by sp0re. Issue: Due to the missing accounting of the '\\r' character in the libmy-1.7 strcutl() function, an attacker can bypass the directory traversal check in the http\_verify() function in a non-chrooted nhttpd server and thus remote execute unauthorized code. Solution: Fix the strcutl() function in libmy-1.8 as described in the libmy ChangeLog: - strcutl(): take account of the '\\r' character when it appears within a string instead of ignoring it. Improved logic and performance diff by Adrian Steinmann Therefore the injected '\\r' characters will now generate an invalid path resulting in a HTTP 404 response. - Fix for CVE-2019-16279 discovered by sp0re. Issue: The missing header count functionality in the http\_header\_comp() function allowed an attacker to transmit more headers than accepted by nhttpd resulting in a buffer overflow in the header array leading to DoS. Solution: Add the missing header count functionality to the http\_header\_comp() function. Transmission of too many headers will now result in a HTTP 413 response as initially intended. - Close the connection after an HTTP 413 response as we are allowed according to RFC 2626 HTTP/1.1 10.4.14. 1.9.6 ===== - Restore original errno value after handling SIGCHLD. Otherwise this could lead to a break out of the main select(2) loop and therefore of unexpected termination of nostromo. Spotted by Adam Wozniak, nice catch! - Change the crypt(3) API, which is used for basic authentication, to accept all supported algorithms not just DES. - Check crypt(3) for returning NULL to prevent the nhttpd process to core dump in this case. - Add server cache for basic authentication credentials to speed up performance. This will save us filesystem access to htpasswd and additional password encryption cpu cycles for crypt(3). - Add MD5, Blowfish-a, and Blowfish-b algorithm to the crypt(1) tool. - Replace rand(3) with arc4random(3) in the crypt(1) tool for OpenBSD, NetBSD, and FreeBSD. - Fix broken BSD authentication method for basic authentication. - Fix several bites to make nostromo compile cleanly on the tested platforms again which are OpenBSD, NetBSD, FreeBSD, and Linux. - Rewrote printenv CGI from perl to shell script. - Add support for SIGHUP configuration reload. - Make a child process use the default signals instead inheriting the parent process signal handler. This fixes some odd issues. - Update copyright year to 2004 - 2016 and add nostromo CVS Id to all files. 1.9.5 ===== - Handle "Location:" field correctly when passed by a CGI. Bug reported by Axel Gonzalez. 1.9.4 ===== - Update copyright year to 2004 - 2011. - Make nostromo compile again by default; Remove -Werror in src/nhttpd makefiles and #include to src/nhttpd/main.c. - Fix a bug where when nostromo doesn't run in chroot mode somebody can access files beyond our htdocs environment by using specific encoded characters in the request URI (security issue). Issue found and reported by RedTeam Pentesting GmbH. - Fix a bug where in certain conditions garbage is written into the access\_log user agent field. - Do proper handling of max. file descriptors and allow to bump the select(2) max. file descriptors limit (FD\_SETSIZE) via the CON define in config.h by dynamically allocating the fd\_sets. 1.9.3 ===== - Fix two err(3) calls which are lacking an \`%s' modifier (security issue). Patch from Simon Kuhnle. - Fix wrong select() / send\_file() looping (resulting in high process load occasionally), by fixing bogus EAGAIN error handling in sys\_write\_a(). - Fix missing \`\`.Ed'' in nhttpd.8 man page. 1.9.2 ===== - Fix a bug where a 403 response is returned instead of a 404 response. Patch from Szabolcs Nagy. - Style diff which fixes spacing from Daniel Ouellet. - Add optional \`\`homedirs\_public'' configuration parameter to restrict access within the home directories. Suggested by Simon Kuhnle. - Add mandatory \`\`serverlisten'' configuration parameter to allow specific interface binding. - Replaced libmy with latest version libmy-1.7. 1.9.1 ===== - Replace off\_t with intmax\_t integer type since problems have been reported with compiling on some 64bit Linux systems. Therefore we remove the GNU compiler option '-D\_FILE\_OFFSET\_BITS=64'. Initial diff received from Kurt Roeckx. - For unused, string based configuration options, use '\\0' instead strlcpy() '0' into the array. It's less disturbing and more straight. Diff received from Szabolcs Nagy. - Don't leave some alias specific buffers uninitialized, because it can happen that we access those later. Bug reported by Szabolcs Nagy. - According to RFC 3875 set the SERVER\_NAME environment variable dynamicly dependend on the "Host:" request header field instead setting it staticly to the configured servername. Bug reported by Szabolcs Nagy. - Fix a bug where a CGI "Status:" request for 403 or 404 caused a corrupt response header. Bug reported by Szabolcs Nagy. - The header field "Host:" is mandatory for HTTP/1.1 client requests. If it doesn't exist return 400 Bad Request instead of further processing the request. Bug reported by Szabolcs Nagy. - Drop MacOSX support. Too many tweaks with recent MacOSX versions for compiling. - Update copyright year to 2004 - 2009. - Fix sys\_log() by replacing syslog() with vsyslog() so the string arguments get passed. While here move from LOG\_DEBUG to LOG\_INFO. - Replaced libmy with latest version libmy-1.6. 1.9 === - Replace server log parameter entries in the man page by syslog(3). 1.8.9 ===== - send all server log messages to syslog(3) instead to our own log file The configuration parameter "logserver" is obsolete therefore and has been removed from nhttpd.conf. Suggested by Matthias-Christian Ott - Make "logpid" and "logaccess" configuration parameters optional, which allows it to disable pid and access log creation. Suggested by Matthias-Christian Ott. - Remove the whole BSD authentication code on non-OpenBSD systems. Diff received from Matthias-Christian Ott. 1.8.8 ===== - Fix a bug where a requested file with size 0 caused us to send an HTTP repsonse in a loop. Bug reported by Kai Hendry. - Fix a bug where a directory request without trailing "/" to a virtual host URL returned a wrong 301-Location field value. Bug reported by Kai Hendry. - Change mime types parsing to the default syntax; extensions are separated by spaces instead by commas. Our default mime types file (conf/mimes) has been changed to the new syntax therefore. - Also check if HTTPS requests do match to our default URL before searching for virtual hosts. 1.8.7 ===== - Fix security issue for none chroot environments reported by Ben Hutchings: Disallow any direct access to upper level directories (..). On occurrence of a "/../" string in the request URI we return 400 Bad Request now. This prevents access to files beyond of the serverroot directory. - Fix a bug reported by Szabolcs Nagy: If a CGI option ends with a "/" don't apply the docindex to it. - If the PID file can't be created also report about the full filename in the error log. Requested by Kai Hendry. 1.8.6 ===== - Handle POST requests with content length 0 correctly, diff received from Georg Wendenburg. 1.8.5 ===== - Added support for SSLv3. - Replaced a strlcpy() with memcpy() because at this point binary data could be involved. Pointed out by Georg Wendenburg. - Added CONTENT\_TYPE CGI env, diff received from Georg Wendenburg. - Quiet down error messages in the server log file by moving some common error messages to the debug mode output. 1.8.4 ===== - If a select(2) error in the main loop is not EINTR, we shutdown the server. EFAULT, EBADF, and EINVAL are not acceptable. - When a connection gets closed FD\_CLR() the write set also in either case. this fix should finally let get us rid from the select(2) EBADF error, and overwrites the EBADF workaround fix from version 1.8.3. 1.8.3 ===== - Fix a Linux tweak with off\_t by adding -D\_FILE\_OFFSET\_BITS=64 to the compiler options. - If a select(2) error in the main loop is not EINTR, close the connection. this avoids endless looping e.g. when EBADF occurs. - Typo corrections for nhttpd.conf-dist and nhttpd.8 from Will Maier. 1.8.2 ===== - Fix wrong version numbers. 1.8.1 ===== - Fixed gcc3 tweak with variable array definition which caused compiliation error on gcc2 platforms. - Replaced libmy with latest version libmy-1.5. 1.8 === - Added homedirs support. - Added basic authentication via BSD authentication. - Moved variable type for filesizes from int to off\_t to enable proper transfers of very large files. - Directory listing files are sorted alphabetical now. - Make our HTML output HTML 4.01 transitional. - Fixed man page typos. 1.7.9 ===== - The rewritten http\_header\_comp() function implemented in version 1.7.7 could lead to a buffer overflow in some circumstances because the arrived header sequence was not checked for its minimum size. On my machines this effect ended up in a immediately process termination. Nasty bug fixed now. While we are at this function we also get rid of strlen() because we already have the current header size saved in our connection structure; safer and faster. - Fixed man page typos. 1.7.8 ===== - CGIs are no longer determined by a CGI alias. nhttpd checks now if a file has the world executable flag set, and if yes the file is handled as a CGI. this allows you to place CGIs anywhere in your document root, and also to use CGIs as index. the cgiroot and cgiindex config options are obsolete therefore and where removed from the configfile. cgi-bin has moved to htdocs/cgi-bin - Use stat(2) S\_IROTH instead of access(2) to check for file permissions, as we have that information already. - Added HTTP\_ACCEPT\_ENCODING CGI env - Simplified debug logging. - Fixed broken permissions checking on directories. - Fixed another binary data handling issue in CGI main loop. - Improved error handling for select(2) in CGI main loop. - On a fatal error at CGI execution send a 500 before exit(3). - Extended man page. 1.7.7 ===== - http\_header\_comp() which checks if a complete header sequence arrived got unreliable because of our new asynchronous connection handling since version 1.7.6. The function is fixed now and as a side effect much more simplified using less resources. 1.7.6 ===== - Rewrote nostromo to handle connections fully asynchronous over one single select(2) now. This change also fixes the problem that slow connections walked into a connection timeout. - The socket send buffer size is now kept to the operating system value by default. It can be changed optional in config.h by the SBS define. - Added debug mode option. - Added IF\_MODIFIED\_SINCE CGI env, diff received from Daniel Hartmeier. - Fixed unterminated childs leftover when parent is killed. - Fixed broken pipeline connection handling. - Fixed http\_chunk() to handle also binary data now. - Fixed double printing of server port in the signature. - Fixed double creation of Location header field for CGIs. - Fixed wrong Location string for 301 responses over SSL non-default port. - Fixed access log variable which could be used uninitialized. - Fixed broken custom responses. on large custom response files, the transfer was aborted. - Disabled chunking for HTTP/1.0 clients. - Disabled case sensitivy for HTTP protocol. - Reorderd configuration file. - Removed a unnecessary getpid(2) when daemonizing. - Replaced signal handlers SIGTERM code with a volatile sig\_atomic\_t flag. - Extended man page. - Improved style / KNF. 1.7.5 ===== - Set SO\_SNDBUF size on accepted client socket, not on the listener socket, because not every tcp/ip implementation supports inheritance. - Set sockets to O\_NONBLOCK to prevent any possible blocks. 1.7.4 ===== - Fixed POST content size limitation of 8KB. POST content can now be unlimited and is handled in the forked CGI process itself. - Removed all setenv(3) and unsetenv(3) functions and set CGI environment vars with execve(2) instead. This has increased the CGI serving performance about the factor 8. - The DOCUMENT\_ROOT CGI environment variable was set wrong in some cases. Bug fixed now. - In some cases the GMT offset was wrong calculated in the access log. Bug fixed now 1.7.3 ===== - Optimized performance and memory usage by source code optimization. - If a CGI post body included binary data the processing was aborted because we could not handle the binary part. Bug fixed now. - If a CGI post body was terminated with '\\r\\n' and some browsers count that to its content length (and some do not, what a mess!) the post was ignored. Bug fixed now - If the defined setuid user was not found, output a custom error instead the getpwnam(3) errno which almost says nothing. - Removed -ansi compile option to follow OpenBSD. - Fixed -pedantic compile option source code quirks. - Replaced libmy with latest version libmy-1.4. - Changed logo URL. - Applied typo diff for man page received from Marc Balmer@. 1.7.2 ===== - Added custom 401, 403, and 404 responses, requested by Marc Winiger. - Added nph CGI support. - Close all file descriptors which do not belong to the child after fork(2). - Replaced recv(2) with read(2) as we do not use flags. - Replaced send(2) with write(2) as we do not use flags. - Check more system calls for EINTR. - If a CGI post body was terminated with '\\r\\n', we did not parsed that and the post was ignored. Bug fixed now. - In some cases we had wrong data transmission because write(2) was not checked for short writes. Bug fixed now. - Fixed SSL memory leak. 1.7.1 ===== - Implemented HEAD method. - If on basic authentication the realm option in a htaccess file could not be parsed, we just kept the last value in the realm variable instead of overwriting it with "unknown realm". Bug fixed now. 1.7 === - Added 206 Partial Content. Forced by Delta. - Added example lines to configuration file how to change default port 80. - Excluded sin6\_len for Linux. - Imported new nostromo logo. - It is possible now to run IPv6 only. - Deny to run nhttpd as root. - Improved SSL handshake. - Main select(2) checks now writefds to cleanly serve partial file sends - Fixed typos and reviewed source code for BSD style. - If 301 Moved Permanently was called with https, we switched back to http because we did not check for the https flag. Bug fixed now. 1.6 === - Added IPv6 support. - Added pid file creation. - Set listener sockets to SO\_REUSEADDR. - Moved a bunch of static environment variables to dynamic ones, because of SSL and IPv6 introduction. - CGI https environment variable was set wrong because asking the wrong ssl flag variable. Bug fixed now. - If running in chroot mode, virtual hosts and aliases where not found because we accessed the full path to the config file. Bug fixed now. - If returning 500 on file send errors, open files where not closed. Bug fixed now. 1.5.1 ===== - chroot mode caused process hang if /dev/null where not found in the chroot environment. Bug fixed now. 1.5 === - Added SSL support. - Added 403 Forbidden, what means that files are checked for read permissions now instead returning 500 Internal Server Error if no access. - Added TODO file. - Corrected and extended man page. - If the content type was unknown the previous content type was sent, which is wrong. Now the html content type will be send per default on unknown content types. - select(2) for header and body read where using the same readset as the master select(2) which is wrong. Using now own readset. 1.4 === - Corrected the man page. - One of three access\_log functions was still logging with two lines per hit. Bug fixed now. 1.3 === - Makefiles have been ported to compile also on NetBSD, FreeBSD, Linux and MacOSX. - Reduced access\_log to one line per hit instead of two. - Filenames including spaces in directory listing wasn't found, because the href entry had no quotes. Bug fixed now. 1.2 === - If a CGI was called which didn't exist, the last called CGI was executed because the responsible variable, which holds the full executable path, wasn't overwritten. bug fixed now. - Replaced libmy with latest version libmy-1.3 (fixes important security issues). - Replaced last strcpy(3) with strlcpy(3). 1.1 === - Increased socket send buffer to avoid send(2) blocking when buffer is full. - In server log removed unnecessary log messages, made the existing ones more specific and added new log messages. - Removed pre-compiler debug informations because they made the source code hard to read and where not really usable in action. 1.0 === - Fixed memory leak. 0.9 === - A wrong if-condition caused the nhttpd parent process to exit(0) if a CGI was called which didn't exist. Bug fixed now. 0.8 === - Nostromo has been rewritten from a fork(2) server to a select(2) server. with this new method no more child forking for file requests is necessary and the server performance increases therefore. - Increased performance by optimizing source code. - Replaced libmy with latest version libmy-1.2 (faster). - Added pre-compiler debug option to config.h. 0.7 === - Sometimes a child process still hung because not all recv(2) was checked for connection timeout. placed select(2) in front of all recv(2) to check timeout. - Fixed wrong version numbering at several places. - Added install script (Install). 0.6 === - Sometimes a child process hung because of blocking recv(2). bug fixed now. - Replaced libmy with latest version libmy-1.1. - Added timestamps to server log file. - Added version option. 0.5 === - nhttpd didn't chroot(2) because chroot(2) where placed before all configuration files could be read. bug fixed now. 0.4 === - libmy had missing #include in flog.c, nsend.c, strlower.c some architectures (e.g. sparc64) complained and stopped at compiling. bug fixed now. 0.3 === - nhttpd didn't handle http control characters (\\r\\n\\r\\n) in POSTs body entity, and blocked at recv(2). bug fixed now. 0.2 === - Changed default configfile path to /var/nostromo/conf/nhttpd.conf. - chdir/chroot will directly done after reading the configfile successfully. - SIGPIPE, SIGHUP, SIGQUIT, SIGALRM will be silently ignored now and don't generate a server log anymore. 0.1 === - Initial version.

CVE-2022-48253

** DISPUTED ** Insecure folder permissions in the Windows installation path of Shibboleth Service Provider (SP) before 3.4.1 allow an unprivileged local attacker to escalate privileges to SYSTEM via DLL planting in the service executable's folder. This occurs because the installation goes under C:\opt (rather than C:\Program Files) by default. NOTE: the vendor disputes the significance of this report, stating that "We consider the ACLs a best effort thing" and "it was a documentation mistake."

**Missing VC runtime**

If you encounter errors during the install or upgrade process that indicate the system can't start the shibd daemon/service process, it's likely that the installer is failing to install the Visual C++ runtime libraries for some reason, and you may have to pre-install those manually. At some point Microsoft is planning to make it impractical for us to redistribute these files with the installer, at which point this workaround is probably going to be universal.

These links may break at some point, but for now the 32-bit and 64-bit runtimes can be found at:

*   https://aka.ms/vs/15/release/VC\_redist.x86.exe
    
*   https://aka.ms/vs/15/release/VC\_redist.x64.exe
    

The top-level link to find them is https://visualstudio.microsoft.com/downloads/ via Other Tools.

*   *   1.1 Missing VC runtime
*   2 Installation
    *   2.1 Restricting ACLs
*   3 Upgrades
*   4 Web Server Overview
    *   4.1 Installation with IIS
    *   4.2 Upgrades with IIS
    *   4.3 Installation with Apache
    *   4.4 Installation with Netscape/Sun/Oracle Java Web Server
    *   4.5 FastCGI Unsupported
*   5 Running the Installer
    *   5.1 Shibboleth Service
    *   5.2 Monitoring the Service
    *   5.3 Failure to Install
        *   5.3.1 Installing with no service start
        *   5.3.2 Starting the Shibboleth Service from the command line
        *   5.3.3 Windows batch file to run MSI installer by drag and drop
*   6 Source Builds
*   7 Initial Testing

**Installation**

The SP is available for Windows with modules for all the supported web servers. There is an installer available for the supported Windows Server versions, 2008 and above.

Earlier Windows and Service Pack versions are **not** usable as of V3.

Desktop versions of Windows that are of subsequent vintage will generally work but are not formally supported.

The Windows installer contains a fourth version field that indicates the patch level within a particular SP release. Initially 0, it will be incremented if patches to software included with but not part of the SP need to be updated (e.g., OpenSSL). Subsequent patch level installers will safely upgrade older versions and the ReleaseNotes will always document exactly what library versions are included in each release.

**Restricting ACLs**

Note that prior to V3.4.1, the installer did not adjust file system ACLs based on your install path. As of that version, we have added changes that are designed to provide full access to the administrative/system accounts and read access to the standard “Users” group (primarily for IIS).

Wherever you choose to install the software, you should consider reviewing and hardening the file and folder access to that location. Most of these folders and files should be read only. The daemon process runs by default as a system account and should already have the necessary access. You should if possible prevent all other access to the private key file(s) as those need not be readable by anything else, and you need not allow any writing of files, or creation of folders or files by any other users.

If you run your web server under a different user account (not a member of the Administrators or Users groups) you will need to adjust the rights if you limit read access, but the web server should not in general require any write access whatsoever to those folders or files, as in-process logging is now routed to the Event Log by default.

**Upgrades**

Upgrading to new releases is handled automatically when the MSI installer is used. The system prevents configuration files from being overwritten and skips "initial install" tasks like generating keys. The Shibboleth daemon is restarted by the package but you will need to restart the web server you're using yourself.

**Web Server Overview****Installation with IIS**

The plugin modules in support of IIS are always installed. If IIS itself is installed you will be prompted "Configure IIS7 module?".  Check this box to actually configure Shibboleth to run with IIS, in practice this can be done with two command.

See this topic for details.

In contrast to older versions, no older IIS6 compatibility tools are needed.

**Upgrades with IIS**

Existing installations configured to work with IIS will continue to do so, with the older ISAPI plugin updated. See this topic for more details, particularly to migrating to the newer plugin.

**Installation with Apache**

The versions of Apache available from the http://www.apachelounge.com/ web site are known to work with the modules that come with the SP package with no known restrictions.

Other versions might work, but they also might not work. Versions with significantly altered header files, such as IBM's or Oracle's will definitely not work unless you build the Shibboleth module from source.

Only Apache 2.2 and 2.4 are supported.

For more details on Apache see this topic.

**Installation with Netscape/Sun/Oracle Java Web Server**

An NSAPI module continues to be included as a transition tool for anybody still using it, but it is deprecated and we suggest moving off it as soon as possible.

**FastCGI Unsupported**

As of V3, we no longer provide modules for FastCGI on Windows due to lack of formal support for the underlying FastCGI library.

**Running the Installer**

The installer is run in the usual way and can be run without a UI.

The following properties can be set

Property

Description

KEYGEN_EXTRAS

Allows extra parameters to be passed to the keygen command used during installation. For instance,

1
msiexec /i shibboleth-sp-3.0.0-win64.msi KEYGEN_EXTRAS="-h newSP.department.univerity.edu"

allows the addition of a subjectAltName in the generated certificate.

ALWAYS_START_SERVICE

Set this to FALSE to prevent the installer from starting the shibd service. This can be useful to debug installations (see below).

**Shibboleth Service**

Once installation is complete, you'll need to run the Shibboleth daemon, shibd, at all times that the SP is in use. shibd is a console application that is usually installed as a Windows service.

*   To run the process in console mode for testing or to diagnose major problems, supply a -console parameter when running it.
    
*   If shibd won't start, use the -check option from the command line to echo most logging information to the console for debugging.
    

Other parameters can be used to install (or remove) shibd from the service database and subsequent control is generally via the Service Control Manager applet.

**Monitoring the Service**

Newer versions of Windows support automatic restart of failed services. We suggest using this feature to restart shibd when it fails. Although stability is good, maximum reliability will be achieved by monitoring the process.

**Failure to Install**

The most common reason for the installation failing is that the Shibboleth service (above) does not start correctly. First, refer to the note at the top of this page and rule that out. If that doesn't bear fruit, in order to debug this you can instruct the installer to **not** try to start the service by specifying that the  ALWAYS\_START\_SERVICE property contain the value FALSE.  Do this from the command line:

****Installing with no service start****

1
c:\> msiexec /i Installer.msi ALWAYS_START_SERVICE=FALSE

You can then use the -check option described above to debug why the service will not start. Usually the problem tends to be a DLL conflict with some existing copy of one of the libraries we ship, but we have generally worked around this risk by renaming all our libraries in ways that tend not to cause conflicts.

Once this is completed you can start the service manually.

****Starting the Shibboleth Service from the command line****

1
c:\> sc start shibd_default

In some situations attempting the installer may appear to do nothing when double-clicked, and if invoked with _msiexec /i_ on the command line may throw the error "This installation package could not be opened. Verify that the package exists and that you can access it, or contact the application vendor to verify that this is a valid Windows Installer package." If this occurs, a viable workaround has found to be to create a new .bat file containing the msi install command listed below, and then drag the downloaded msi onto it.

****Windows batch file to run MSI installer by drag and drop****

1
msiexec /i %1

**Source Builds**

We do not recommend this option, but we have a description of the process.

**Initial Testing**

CVE-2023-22947: Install on Windows - Service Provider 3

Red Hat Security Advisory 2023-0046-01 - X.Org is an open-source implementation of the X Window System. It provides the basic low-level functionality that full-fledged graphical user interfaces are designed upon. Issues addressed include out of bounds access and use-after-free vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: xorg-x11-server security update  
Advisory ID:       RHSA-2023:0046-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:0046  
Issue date:        2023-01-09  
CVE Names:         CVE-2022-4283 CVE-2022-46340 CVE-2022-46341   
                   CVE-2022-46342 CVE-2022-46343 CVE-2022-46344   
=====================================================================

1. Summary:

An update for xorg-x11-server is now available for Red Hat Enterprise Linux  
7.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Client (v. 7) - x86_64  
Red Hat Enterprise Linux Client Optional (v. 7) - noarch, x86_64  
Red Hat Enterprise Linux ComputeNode Optional (v. 7) - noarch, x86_64  
Red Hat Enterprise Linux Server (v. 7) - ppc64, ppc64le, s390x, x86_64  
Red Hat Enterprise Linux Server Optional (v. 7) - noarch, ppc64, ppc64le, s390x, x86_64  
Red Hat Enterprise Linux Workstation (v. 7) - x86_64  
Red Hat Enterprise Linux Workstation Optional (v. 7) - noarch, x86_64

3. Description:

X.Org is an open-source implementation of the X Window System. It provides  
the basic low-level functionality that full-fledged graphical user  
interfaces are designed upon.

Security Fix(es):

* xorg-x11-server: X.Org Server XkbGetKbdByName use-after-free  
(CVE-2022-4283)

* xorg-x11-server: X.Org Server XTestSwapFakeInput stack overflow  
(CVE-2022-46340)

* xorg-x11-server: X.Org Server XIPassiveUngrab out-of-bounds access  
(CVE-2022-46341)

* xorg-x11-server: X.Org Server XvdiSelectVideoNotify use-after-free  
(CVE-2022-46342)

* xorg-x11-server: X.Org Server ScreenSaverSetAttributes use-after-free  
(CVE-2022-46343)

* xorg-x11-server: X.Org Server XIChangeProperty out-of-bounds access  
(CVE-2022-46344)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2151755 - CVE-2022-46340 xorg-x11-server: X.Org Server XTestSwapFakeInput stack overflow  
2151756 - CVE-2022-46341 xorg-x11-server: X.Org Server XIPassiveUngrab out-of-bounds access  
2151757 - CVE-2022-46342 xorg-x11-server: X.Org Server XvdiSelectVideoNotify use-after-free  
2151758 - CVE-2022-46343 xorg-x11-server: X.Org Server ScreenSaverSetAttributes use-after-free  
2151760 - CVE-2022-46344 xorg-x11-server: X.Org Server XIChangeProperty out-of-bounds access  
2151761 - CVE-2022-4283 xorg-x11-server: X.Org Server XkbGetKbdByName use-after-free

6. Package List:

Red Hat Enterprise Linux Client (v. 7):

Source:  
xorg-x11-server-1.20.4-21.el7_9.src.rpm

x86_64:  
xorg-x11-server-Xephyr-1.20.4-21.el7_9.x86_64.rpm  
xorg-x11-server-Xorg-1.20.4-21.el7_9.x86_64.rpm  
xorg-x11-server-common-1.20.4-21.el7_9.x86_64.rpm  
xorg-x11-server-debuginfo-1.20.4-21.el7_9.x86_64.rpm

Red Hat Enterprise Linux Client Optional (v. 7):

noarch:  
xorg-x11-server-source-1.20.4-21.el7_9.noarch.rpm

x86_64:  
xorg-x11-server-Xdmx-1.20.4-21.el7_9.x86_64.rpm  
xorg-x11-server-Xnest-1.20.4-21.el7_9.x86_64.rpm  
xorg-x11-server-Xvfb-1.20.4-21.el7_9.x86_64.rpm  
xorg-x11-server-Xwayland-1.20.4-21.el7_9.x86_64.rpm  
xorg-x11-server-debuginfo-1.20.4-21.el7_9.i686.rpm  
xorg-x11-server-debuginfo-1.20.4-21.el7_9.x86_64.rpm  
xorg-x11-server-devel-1.20.4-21.el7_9.i686.rpm  
xorg-x11-server-devel-1.20.4-21.el7_9.x86_64.rpm

Red Hat Enterprise Linux ComputeNode Optional (v. 7):

Source:  
xorg-x11-server-1.20.4-21.el7_9.src.rpm

noarch:  
xorg-x11-server-source-1.20.4-21.el7_9.noarch.rpm

x86_64:  
xorg-x11-server-Xdmx-1.20.4-21.el7_9.x86_64.rpm  
xorg-x11-server-Xephyr-1.20.4-21.el7_9.x86_64.rpm  
xorg-x11-server-Xnest-1.20.4-21.el7_9.x86_64.rpm  
xorg-x11-server-Xorg-1.20.4-21.el7_9.x86_64.rpm  
xorg-x11-server-Xvfb-1.20.4-21.el7_9.x86_64.rpm  
xorg-x11-server-Xwayland-1.20.4-21.el7_9.x86_64.rpm  
xorg-x11-server-common-1.20.4-21.el7_9.x86_64.rpm  
xorg-x11-server-debuginfo-1.20.4-21.el7_9.i686.rpm  
xorg-x11-server-debuginfo-1.20.4-21.el7_9.x86_64.rpm  
xorg-x11-server-devel-1.20.4-21.el7_9.i686.rpm  
xorg-x11-server-devel-1.20.4-21.el7_9.x86_64.rpm

Red Hat Enterprise Linux Server (v. 7):

Source:  
xorg-x11-server-1.20.4-21.el7_9.src.rpm

ppc64:  
xorg-x11-server-Xephyr-1.20.4-21.el7_9.ppc64.rpm  
xorg-x11-server-Xorg-1.20.4-21.el7_9.ppc64.rpm  
xorg-x11-server-common-1.20.4-21.el7_9.ppc64.rpm  
xorg-x11-server-debuginfo-1.20.4-21.el7_9.ppc64.rpm

ppc64le:  
xorg-x11-server-Xephyr-1.20.4-21.el7_9.ppc64le.rpm  
xorg-x11-server-Xorg-1.20.4-21.el7_9.ppc64le.rpm  
xorg-x11-server-common-1.20.4-21.el7_9.ppc64le.rpm  
xorg-x11-server-debuginfo-1.20.4-21.el7_9.ppc64le.rpm

s390x:  
xorg-x11-server-Xephyr-1.20.4-21.el7_9.s390x.rpm  
xorg-x11-server-common-1.20.4-21.el7_9.s390x.rpm  
xorg-x11-server-debuginfo-1.20.4-21.el7_9.s390x.rpm

x86_64:  
xorg-x11-server-Xephyr-1.20.4-21.el7_9.x86_64.rpm  
xorg-x11-server-Xorg-1.20.4-21.el7_9.x86_64.rpm  
xorg-x11-server-common-1.20.4-21.el7_9.x86_64.rpm  
xorg-x11-server-debuginfo-1.20.4-21.el7_9.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 7):

noarch:  
xorg-x11-server-source-1.20.4-21.el7_9.noarch.rpm

ppc64:  
xorg-x11-server-Xdmx-1.20.4-21.el7_9.ppc64.rpm  
xorg-x11-server-Xnest-1.20.4-21.el7_9.ppc64.rpm  
xorg-x11-server-Xvfb-1.20.4-21.el7_9.ppc64.rpm  
xorg-x11-server-Xwayland-1.20.4-21.el7_9.ppc64.rpm  
xorg-x11-server-debuginfo-1.20.4-21.el7_9.ppc.rpm  
xorg-x11-server-debuginfo-1.20.4-21.el7_9.ppc64.rpm  
xorg-x11-server-devel-1.20.4-21.el7_9.ppc.rpm  
xorg-x11-server-devel-1.20.4-21.el7_9.ppc64.rpm

ppc64le:  
xorg-x11-server-Xdmx-1.20.4-21.el7_9.ppc64le.rpm  
xorg-x11-server-Xnest-1.20.4-21.el7_9.ppc64le.rpm  
xorg-x11-server-Xvfb-1.20.4-21.el7_9.ppc64le.rpm  
xorg-x11-server-Xwayland-1.20.4-21.el7_9.ppc64le.rpm  
xorg-x11-server-debuginfo-1.20.4-21.el7_9.ppc64le.rpm  
xorg-x11-server-devel-1.20.4-21.el7_9.ppc64le.rpm

s390x:  
xorg-x11-server-Xdmx-1.20.4-21.el7_9.s390x.rpm  
xorg-x11-server-Xnest-1.20.4-21.el7_9.s390x.rpm  
xorg-x11-server-Xvfb-1.20.4-21.el7_9.s390x.rpm  
xorg-x11-server-Xwayland-1.20.4-21.el7_9.s390x.rpm  
xorg-x11-server-debuginfo-1.20.4-21.el7_9.s390x.rpm

x86_64:  
xorg-x11-server-Xdmx-1.20.4-21.el7_9.x86_64.rpm  
xorg-x11-server-Xnest-1.20.4-21.el7_9.x86_64.rpm  
xorg-x11-server-Xvfb-1.20.4-21.el7_9.x86_64.rpm  
xorg-x11-server-Xwayland-1.20.4-21.el7_9.x86_64.rpm  
xorg-x11-server-debuginfo-1.20.4-21.el7_9.i686.rpm  
xorg-x11-server-debuginfo-1.20.4-21.el7_9.x86_64.rpm  
xorg-x11-server-devel-1.20.4-21.el7_9.i686.rpm  
xorg-x11-server-devel-1.20.4-21.el7_9.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 7):

Source:  
xorg-x11-server-1.20.4-21.el7_9.src.rpm

x86_64:  
xorg-x11-server-Xephyr-1.20.4-21.el7_9.x86_64.rpm  
xorg-x11-server-Xorg-1.20.4-21.el7_9.x86_64.rpm  
xorg-x11-server-common-1.20.4-21.el7_9.x86_64.rpm  
xorg-x11-server-debuginfo-1.20.4-21.el7_9.x86_64.rpm

Red Hat Enterprise Linux Workstation Optional (v. 7):

noarch:  
xorg-x11-server-source-1.20.4-21.el7_9.noarch.rpm

x86_64:  
xorg-x11-server-Xdmx-1.20.4-21.el7_9.x86_64.rpm  
xorg-x11-server-Xnest-1.20.4-21.el7_9.x86_64.rpm  
xorg-x11-server-Xvfb-1.20.4-21.el7_9.x86_64.rpm  
xorg-x11-server-Xwayland-1.20.4-21.el7_9.x86_64.rpm  
xorg-x11-server-debuginfo-1.20.4-21.el7_9.i686.rpm  
xorg-x11-server-debuginfo-1.20.4-21.el7_9.x86_64.rpm  
xorg-x11-server-devel-1.20.4-21.el7_9.i686.rpm  
xorg-x11-server-devel-1.20.4-21.el7_9.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-4283  
https://access.redhat.com/security/cve/CVE-2022-46340  
https://access.redhat.com/security/cve/CVE-2022-46341  
https://access.redhat.com/security/cve/CVE-2022-46342  
https://access.redhat.com/security/cve/CVE-2022-46343  
https://access.redhat.com/security/cve/CVE-2022-46344  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY7xCFdzjgjWX9erEAQgq6g/+L0950hh2j3EBg8bwxgsC8Hbre3PKR/Ao  
mY+X/GccXjSu35dMiHafw8/+8V4i94uwSP7mru3as6EsdEA+vg4jVcTRV0rrsu8c  
jRQR169LBB31LQ7EkS/xPK0Vb0xhB+XJNzuVoliRGpdBaT4nn3Oe+c1g8AQdmboI  
chbO7r1JIpb1VDh8KsncKHZla4+IWTePploeB8vePbD8zLpJSNPWm/EfpcfsUUNP  
uuwCzmg5cPBSJ7IUbkDIvzEiV+6VQpumxUwvniuT1crpbg3fCiTlk5cXfHBwjRBX  
yFs4ARmICZHRS09iIGWrh+ImW4WQHHD3/uJuw81HbhQhNq6T+eon45NNVefhYp6S  
Ey0GizSia44mxNp+dIn/5YHbgo5BY/paW8Hojri6qljCITGr2Twa7xwRFU4gy3LF  
UdJzUg+ZiUaiMYXGUcw8XbHvNy/ig+Z7gj2v3RRHOim3aR/DWuciHk9//AeDWnoG  
v4zoCsMP532tlmMFs9O1pll4K7tueA3kYOCKlAdYFrWeVHmyVzYY87NY2zKcyg/J  
uRe07sJ3m6e/VitQbq5CGZXKBe5e9eRaEcKk3yKJ4N4hGSdMlpCkMit68eTMgvps  
1tZhyytwYSO70zYoKc+yi5p6hjizVtN9tVSl8AQWu5Nqi1PtduYEpB6QNuSN5m2r  
KWi2L8c8npw=  
=P7fh  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-0046-01

It's imperative we collaborate and partner to improve software security. This may require developing tools and standards that can enrich SBOMs and provide deeper analysis.

Many in our industry are weighing the benefits that software bills of materials (SBOMs) could possibly bring to software quality and security. I think SBOMs are needed to understand and assess risk in software because they should provide visibility into the software construction process for a given software system. At some level, SBOMs already exist for certain products and software systems; however, their application for evaluating quality and security as stipulated in Executive Order 14028, Improving the Nation's Cybersecurity and recent federal guidance by the US Office of Management and Budget, the National Institute of Standards and Technology, and the Cybersecurity Infrastructure and Security Agency is fairly new and unproven at scale.

**The Royce Bill That Never Passed****

Around 2013, SBOM legislation H.R.5793 – Cyber Supply Chain Management and Transparency Act (known as the Royce Bill) was introduced but never gained the momentum it needed to pass as a mandate, bill, or requirement. The industry did not then have the appetite for transparency to manage software supply chain risk.

The issues this legislation would have addressed are outlined in the Congressional Record – Extensions of Remarks. These issues have now been exacerbated given the overwhelming amount of complexity and growing size in modern software development, and the increasing rate of attacks against open source software. With the increasing consumption rate of open source software in modern software development, consumers must be aware of the technical debt in open source software projects that has accumulated over time to better manage software risk. The idea of more software complexity, larger software systems, and mounting technical debt does not bode well for the federal government's desire for software integrity and trustworthiness through the software supply chain.

The fact that the Royce Bill didn't pass can be seen as a missed opportunity to address the growing threats and risk in software security at the time. Almost a decade later, the industry is still struggling to figure out how to implement SBOMs and strike the right balance to make them useful and not a target for adversaries to exploit. This raises major concern in industry about whether SBOMs are ready for prime time given the skepticism regarding the current requirements outlined in federal guidance.

****SBOM Must Inform About Unknown Risk****

One of the challenges for SBOMs is advancing and understanding how risky software is determined. I use the term "risky" because all software has vulnerabilities, and the SBOM must be able to differentiate or provide context to the level of risk associated with a software component, whether in isolation or once it has been implemented and integrated into a software system. To simply say you can't use this software component because it has CVEs (common vulnerabilities and exposures) associated with it becomes moot because all software can have vulnerabilities. SBOMs must be able to succinctly qualify which CVEs are the most dangerous and exploitable given the context the software will be implemented and used — the component function (logging, encryption, access control, authorization), the environment, and whether it can be hardened to reduce a given attack surface. The way in which software components are integrated into a system matters because software components can be implemented poorly or incorrectly, exposing vulnerabilities in software systems.

Using CVEs to establish a security baseline for open source software consumption make sense; however, tallying a bunch of CVEs to determine what software is less risky or riskier only focuses on the "known knowns" (as shown in the figure below) and does very little to help organizations understand what weaknesses are lurking that may expose vulnerabilities and impact the overall hygiene of that software component (over a period of time). Furthermore, the current state of practice regarding SBOMs doesn't encourage software supply chainers to understand the defect proneness or attack proneness rates associated with software. This is important because some software components are highly targeted and require significant patching due to inherent technical debt, low code quality, and security issues that expose vulnerabilities. More patching means developers and engineering teams are spending less time on creating and delivering new features and functionality to customers.

Defect proneness refers to the likelihood that a software component will be defective after a software product is released. There are various socio-technical factors that contribute to defect proneness such as low code quality and design flaws. Attack proneness refers to the rate at which software components can be successfully exploited, or the likelihood that software components will contain exploitable weaknesses — bug, defect, or flaw — or vulnerabilities.

    

Source: Kevin Greene

SBOM solutions must give organizations visibility into potential risk for a given software component as shown in the figure above, helping organizations make informed decisions about which software components to use and which software components to avoid. For instance, advice in the National Security Agency (NSA) Cybersecurity Information Sheet encourages developers to avoid using software developed in C and C++ because those programming languages were not intended to enforce good memory management checks. It will be interesting to see how this advice will affect the software supply chain, mainly for embedded safety critical systems, and whether suppliers will turn to programming languages that are memory safe, such as Rust and Go.

****Go Deeper to Guide SBOM****

SBOMs are not going away, so it's imperative we all collaborate and partner to improve software security. This may require developing tools and standards that can enrich SBOMs and provide deeper analysis and insight about the characteristics of software that help inform about software risk. This will help organizations effectively evaluate and attest to software integrity, as well as other software assurance properties. Ultimately, it's important for software supply chainers to understand not just the risk associated with a given software component but the potential maintenance associated with using that software component over a period of time, given the challenges in industry to remediate vulnerabilities in software in a timely fashion. The use of defect and attack proneness rates could provide actionable intelligence that helps lower the consumption of risky software with poor hygiene, and guide software supply chainers in building software systems that are more resilient to cyberattacks. 

In theory, software components with high defect and attack proneness rates should be avoided to help stimulate and encourage the use of alternatives with better hygiene. In my opinion, SBOMs don't improve code quality and security directly, but they can make software supply chainers more aware of risk in their software construction process. Improving code quality and security for open source software requires a culture shift given that having many eyes does not make all bugs shallow.

**

Don't Be Blindsided by Software Bills of Materials

GPAC MP4box 2.1-DEV-rev649-ga8f438d20 is vulnerable to buffer overflow in h263dmx_process filters/reframe_h263.c:609

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels,

**Description**

buffer overflow in h263dmx\_process filters/reframe\_h263.c:609

**Version info**

latest version atm

    MP4Box - GPAC version 2.1-DEV-rev649-ga8f438d20-master
    (c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
    	GPAC Filters: https://doi.org/10.1145/3339825.3394929
    	GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --enable-sanitizer
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D
    

**Reproduce**

compile and run

    ./configure --enable-sanitizer
    make
    ./MP4Box import -cat poc_bof13.mp4
    

Crash reported by sanitizer

    [H263Dmx] garbage before first frame!
    Track Importing H263 - Width 704 Height 576 FPS 15000/1000
    =================================================================
    ==735609==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60e000000620 at pc 0x7ff71222b397 bp 0x7ffeaf3c2280 sp 0x7ffeaf3c1a28
    READ of size 4294967295 at 0x60e000000620 thread T0
        #0 0x7ff71222b396 in __interceptor_memcpy ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:827
        #1 0x7ff70fbae101 in memcpy /usr/include/x86_64-linux-gnu/bits/string_fortified.h:29
        #2 0x7ff70fbae101 in h263dmx_process filters/reframe_h263.c:609
        #3 0x7ff70f7a6f1d in gf_filter_process_task filter_core/filter.c:2815
        #4 0x7ff70f7665a3 in gf_fs_thread_proc filter_core/filter_session.c:1859
        #5 0x7ff70f772ece in gf_fs_run filter_core/filter_session.c:2120
        #6 0x7ff70f1b59c1 in gf_media_import media_tools/media_import.c:1551
        #7 0x5617e36bfb4c in import_file /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/fileimport.c:1498
        #8 0x5617e36ca5d7 in cat_isomedia_file /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/fileimport.c:2536
        #9 0x5617e3674130 in do_add_cat /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/mp4box.c:4562
        #10 0x5617e3674130 in mp4box_main /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/mp4box.c:6124
        #11 0x7ff70c73cd8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
        #12 0x7ff70c73ce3f in __libc_start_main_impl ../csu/libc-start.c:392
        #13 0x5617e3650cb4 in _start (/home/sumuchuan/Desktop/gpac_fuzz/gpac/bin/gcc/MP4Box+0xabcb4)
    
    0x60e000000620 is located 0 bytes to the right of 160-byte region [0x60e000000580,0x60e000000620)
    allocated by thread T0 here:
        #0 0x7ff7122a5867 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
        #1 0x7ff70f7b4528 in gf_filter_parse_args filter_core/filter.c:2033
        #2 0x7ff70f7b5234 in gf_filter_new_finalize filter_core/filter.c:510
        #3 0x7ff70f7b65d7 in gf_filter_new filter_core/filter.c:439
        #4 0x7ff70f7021c7 in gf_filter_pid_resolve_link_internal filter_core/filter_pid.c:3611
        #5 0x7ff70f7258b2 in gf_filter_pid_resolve_link_check_loaded filter_core/filter_pid.c:3711
        #6 0x7ff70f7258b2 in gf_filter_pid_init_task filter_core/filter_pid.c:4883
        #7 0x7ff70f7665a3 in gf_fs_thread_proc filter_core/filter_session.c:1859
        #8 0x7ff70f772ece in gf_fs_run filter_core/filter_session.c:2120
        #9 0x7ff70f1b59c1 in gf_media_import media_tools/media_import.c:1551
        #10 0x5617e36bfb4c in import_file /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/fileimport.c:1498
        #11 0x5617e36ca5d7 in cat_isomedia_file /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/fileimport.c:2536
        #12 0x5617e3674130 in do_add_cat /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/mp4box.c:4562
        #13 0x5617e3674130 in mp4box_main /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/mp4box.c:6124
        #14 0x7ff70c73cd8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:827 in __interceptor_memcpy
    Shadow bytes around the buggy address:
      0x0c1c7fff8070: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
      0x0c1c7fff8080: 00 00 00 00 00 00 00 00 00 00 00 fa fa fa fa fa
      0x0c1c7fff8090: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c1c7fff80a0: 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa fa
      0x0c1c7fff80b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x0c1c7fff80c0: 00 00 00 00[fa]fa fa fa fa fa fa fa 00 00 00 00
      0x0c1c7fff80d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c1c7fff80e0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
      0x0c1c7fff80f0: 00 00 00 00 00 00 00 00 00 00 00 fa fa fa fa fa
      0x0c1c7fff8100: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c1c7fff8110: 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==735609==ABORTING
    

Looks like the oob read happens in filters/reframe\_h263.c

    READ of size 4294967295 at 0x60e000000620 thread T0
       #0 0x7ff71222b396 in __interceptor_memcpy 
       ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:827
       #1 0x7ff70fbae101 in memcpy /usr/include/x86_64-linux-gnu/bits/string_fortified.h:29
       #2 0x7ff70fbae101 in h263dmx_process filters/reframe_h263.c:609
    

if compile without ASAN and run the same poc

    ./configure --static-bin
    make
    ./MP4Box import -cat poc_bof13.mp4
    

there will be segment fault

    [H263Dmx] garbage before first frame!
    Track Importing H263 - Width 704 Height 576 FPS 15000/1000
    Segmentation fault=          | (50/100)
    

backtrace atm

    pwndbg> bt
    #0  0x0000000000afc1cc in __memmove_avx_unaligned_erms ()
    #1  0x00000000007f0dbf in h263dmx_process ()
    #2  0x00000000006d9c90 in gf_filter_process_task ()
    #3  0x00000000006c5dbc in gf_fs_thread_proc ()
    #4  0x00000000006cb3bb in gf_fs_run ()
    #5  0x00000000006008ed in gf_media_import ()
    #6  0x00000000004313d1 in import_file ()
    #7  0x00000000004375f1 in cat_isomedia_file ()
    #8  0x0000000000411e78 in mp4box_main ()
    #9  0x0000000000a8c47a in __libc_start_call_main ()
    #10 0x0000000000a8dcd7 in __libc_start_main_impl ()
    #11 0x0000000000402c55 in _start ()
    

**POC**

poc\_bof13.zip

**Impact**

Potentially causing DoS and RCE

**Credit**

Xdchase

CVE-2022-47663: buffer overflow in h263dmx_process filters/reframe_h263.c:609 · Issue #2360 · gpac/gpac

GPAC MP4box 2.1-DEV-rev644-g5c4df2a67 is vulnerable to Buffer Overflow in gf_bs_read_data

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop\_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

**Description**

stack-buffer-overflow utils/bitstream.c:732 in gf\_bs\_read\_data

**Version info**

latest version atm

    MP4Box - GPAC version 2.1-DEV-rev644-g5c4df2a67-master
    (c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
    	GPAC Filters: https://doi.org/10.1145/3339825.3394929
    	GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --enable-sanitizer
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D
    

**Reproduce**

compile and run

    ./configure --enable-sanitizer
    make
    ./MP4Box import -cat poc_bof11.mp4
    

Crash reported by sanitizer

    Track Importing AAC  - SampleRate 88200 Num Channels 8
    =================================================================
    ==325854==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffc52ec0940 at pc 0x7fa1e477c501 bp 0x7ffc52ebf3a0 sp 0x7ffc52ebf390
    WRITE of size 1 at 0x7ffc52ec0940 thread T0
        #0 0x7fa1e477c500 in gf_bs_read_data utils/bitstream.c:732
        #1 0x7fa1e59d0a8c in latm_dmx_sync_frame_bs filters/reframe_latm.c:170
        #2 0x7fa1e59d289f in latm_dmx_sync_frame_bs filters/reframe_latm.c:86
        #3 0x7fa1e59d289f in latm_dmx_process filters/reframe_latm.c:526
        #4 0x7fa1e55eabac in gf_filter_process_task filter_core/filter.c:2795
        #5 0x7fa1e55aa703 in gf_fs_thread_proc filter_core/filter_session.c:1859
        #6 0x7fa1e55b700e in gf_fs_run filter_core/filter_session.c:2120
        #7 0x7fa1e4ff9a21 in gf_media_import media_tools/media_import.c:1551
        #8 0x55a84c1ccb4c in import_file /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/fileimport.c:1498
        #9 0x55a84c1d75d7 in cat_isomedia_file /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/fileimport.c:2536
        #10 0x55a84c181130 in do_add_cat /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/mp4box.c:4562
        #11 0x55a84c181130 in mp4box_main /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/mp4box.c:6124
        #12 0x7fa1e2580d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
        #13 0x7fa1e2580e3f in __libc_start_main_impl ../csu/libc-start.c:392
        #14 0x55a84c15dcb4 in _start (/home/sumuchuan/Desktop/gpac_fuzz/gpac/bin/gcc/MP4Box+0xabcb4)
    
    Address 0x7ffc52ec0940 is located in stack of thread T0 at offset 5088 in frame
        #0 0x7fa1e59d20af in latm_dmx_process filters/reframe_latm.c:456
    
      This frame has 19 object(s):
        [48, 52) 'pck_size' (line 461)
        [64, 68) 'latm_frame_size' (line 525)
        [80, 84) 'dsi_s' (line 312)
        [96, 104) 'output' (line 460)
        [128, 136) 'dsi_b' (line 311)
        [160, 184) '<unknown>'
        [224, 248) '<unknown>'
        [288, 312) '<unknown>'
        [352, 376) '<unknown>'
        [416, 440) '<unknown>'
        [480, 504) '<unknown>'
        [544, 568) '<unknown>'
        [608, 632) '<unknown>'
        [672, 696) '<unknown>'
        [736, 760) '<unknown>'
        [800, 824) '<unknown>'
        [864, 888) '<unknown>'
        [928, 952) '<unknown>'
        [992, 5088) 'latm_buffer' (line 524) <== Memory access at offset 5088 overflows this variable
    HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
          (longjmp and C++ exceptions *are* supported)
    SUMMARY: AddressSanitizer: stack-buffer-overflow utils/bitstream.c:732 in gf_bs_read_data
    Shadow bytes around the buggy address:
      0x10000a5d00d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10000a5d00e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10000a5d00f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10000a5d0100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10000a5d0110: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x10000a5d0120: 00 00 00 00 00 00 00 00[f3]f3 f3 f3 f3 f3 f3 f3
      0x10000a5d0130: f3 f3 f3 f3 f3 f3 f3 f3 00 00 00 00 00 00 00 00
      0x10000a5d0140: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10000a5d0150: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10000a5d0160: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10000a5d0170: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==325854==ABORTING
    

**POC**

poc\_bof11.zip

**Impact**

Potentially causing DoS and RCE

**Credit**

Xdchase

CVE-2022-47659: stack-buffer-overflow utils/bitstream.c:732 in gf_bs_read_data · Issue #2354 · gpac/gpac

GPAC MP4Box 2.1-DEV-rev649-ga8f438d20 is vulnerable to Buffer Overflow via media_tools/av_parsers.c:4988 in gf_media_nalu_add_emulation_bytes

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels,

**Description**

heap-buffer-overflow media\_tools/av\_parsers.c:4988 in gf\_media\_nalu\_add\_emulation\_bytes

**Version info**

latest version atm

    MP4Box - GPAC version 2.1-DEV-rev649-ga8f438d20-master
    (c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
    	GPAC Filters: https://doi.org/10.1145/3339825.3394929
    	GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --enable-sanitizer
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D
    

**Reproduce**

compile and run

    ./configure --enable-sanitizer
    make
    ./MP4Box import -catx poc_bof14.mp4
    

Crash reported by sanitizer

    [AVC|H264] Error parsing NAL unit type 8
    [AVC|H264] Error parsing Picture Param Set
    [avc-h264] SEI user message type 71 size error (71 but 27 remain), keeping full SEI untouched
    [AVC|H264] Error parsing NAL unit type 8
    [AVC|H264] Error parsing Picture Param Set
    [AVC|H264] Error parsing NAL unit type 8
    [AVC|H264] Error parsing Picture Param Set
    [avc-h264] SEI user message has less than 2 bytes remaining but no end of sei found
    =================================================================
    ==745696==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x615000014780 at pc 0x7f373f26d683 bp 0x7ffd5a01c290 sp 0x7ffd5a01c280
    WRITE of size 1 at 0x615000014780 thread T0
        #0 0x7f373f26d682 in gf_media_nalu_add_emulation_bytes media_tools/av_parsers.c:4988
        #1 0x7f373f26d682 in gf_avc_reformat_sei media_tools/av_parsers.c:6355
        #2 0x7f373fccee25 in naludmx_push_prefix filters/reframe_nalu.c:2398
        #3 0x7f373fcee8ac in naludmx_parse_nal_avc filters/reframe_nalu.c:2821
        #4 0x7f373fcee8ac in naludmx_process filters/reframe_nalu.c:3333
        #5 0x7f373f8a5f1d in gf_filter_process_task filter_core/filter.c:2815
        #6 0x7f373f8655a3 in gf_fs_thread_proc filter_core/filter_session.c:1859
        #7 0x7f373f871ece in gf_fs_run filter_core/filter_session.c:2120
        #8 0x7f373f2b49c1 in gf_media_import media_tools/media_import.c:1551
        #9 0x55b1ec0f1b4c in import_file /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/fileimport.c:1498
        #10 0x55b1ec0fc5d7 in cat_isomedia_file /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/fileimport.c:2536
        #11 0x55b1ec0a6130 in do_add_cat /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/mp4box.c:4562
        #12 0x55b1ec0a6130 in mp4box_main /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/mp4box.c:6124
        #13 0x7f373c83bd8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
        #14 0x7f373c83be3f in __libc_start_main_impl ../csu/libc-start.c:392
        #15 0x55b1ec082cb4 in _start (/home/sumuchuan/Desktop/gpac_fuzz/gpac/bin/gcc/MP4Box+0xabcb4)
    
    0x615000014780 is located 0 bytes to the right of 512-byte region [0x615000014580,0x615000014780)
    allocated by thread T0 here:
        #0 0x7f37423a4867 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
        #1 0x7f373ea2c72a in gf_bs_new utils/bitstream.c:154
        #2 0x7f373f26c993 in gf_avc_reformat_sei media_tools/av_parsers.c:6227
        #3 0x7f373fccee25 in naludmx_push_prefix filters/reframe_nalu.c:2398
        #4 0x7f373fcee8ac in naludmx_parse_nal_avc filters/reframe_nalu.c:2821
        #5 0x7f373fcee8ac in naludmx_process filters/reframe_nalu.c:3333
        #6 0x7f373f8a5f1d in gf_filter_process_task filter_core/filter.c:2815
        #7 0x7f373f8655a3 in gf_fs_thread_proc filter_core/filter_session.c:1859
        #8 0x7f373f871ece in gf_fs_run filter_core/filter_session.c:2120
        #9 0x7f373f2b49c1 in gf_media_import media_tools/media_import.c:1551
        #10 0x55b1ec0f1b4c in import_file /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/fileimport.c:1498
        #11 0x55b1ec0fc5d7 in cat_isomedia_file /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/fileimport.c:2536
        #12 0x55b1ec0a6130 in do_add_cat /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/mp4box.c:4562
        #13 0x55b1ec0a6130 in mp4box_main /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/mp4box.c:6124
        #14 0x7f373c83bd8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow media_tools/av_parsers.c:4988 in gf_media_nalu_add_emulation_bytes
    Shadow bytes around the buggy address:
      0x0c2a7fffa8a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c2a7fffa8b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c2a7fffa8c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c2a7fffa8d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c2a7fffa8e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x0c2a7fffa8f0:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c2a7fffa900: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c2a7fffa910: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c2a7fffa920: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c2a7fffa930: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c2a7fffa940: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==745696==ABORTING
    

if compile without ASAN and run the same poc

    ./configure --static-bin
    make
    ./MP4Box import -catx poc_bof14.mp4
    

The crash will happen at another place

    [AVC|H264] Error parsing NAL unit type 8
    [AVC|H264] Error parsing Picture Param Set
    [avc-h264] SEI user message type 71 size error (71 but 27 remain), keeping full SEI untouched
    [AVC|H264] Error parsing NAL unit type 8
    [AVC|H264] Error parsing Picture Param Set
    [AVC|H264] Error parsing NAL unit type 8
    [AVC|H264] Error parsing Picture Param Set
    [avc-h264] SEI user message has less than 2 bytes remaining but no end of sei found
    [avc-h264] invalid SPS: log2_max_frame_num_minus4 shall be less than 12, but is 16962257
    [AVC|H264] Error parsing NAL unit type 7
    [AVC|H264] Error parsing NAL unit type 8
    [AVC|H264] Error parsing Picture Param Set
    [avc-h264] SEI user message type 16 size error (45 but 7 remain), keeping full SEI untouched
    [avc-h264] invalid SPS: log2_max_frame_num_minus4 shall be less than 12, but is 32527
    [AVC|H264] Error parsing NAL unit type 7
    [AVC|H264] Error parsing NAL unit type 8
    [AVC|H264] Error parsing Picture Param Set
    [AVC|H264] Error parsing NAL unit type 8
    [AVC|H264] Error parsing Picture Param Set
    [AVC|H264] Error parsing NAL unit type 8
    [AVC|H264] Error parsing Picture Param Set
    [avc-h264] invalid SPS: log2_max_frame_num_minus4 shall be less than 12, but is 16964897
    [AVC|H264] Error parsing NAL unit type 7
    [avc-h264] Unknown aspect_ratio_idc: your video may have a wrong aspect ratio. Contact the GPAC team!
    [avc-h264] invalid SPS: log2_max_frame_num_minus4 shall be less than 12, but is 63
    [AVC|H264] Error parsing NAL unit type 7
    [avc-h264] Unknown aspect_ratio_idc: your video may have a wrong aspect ratio. Contact the GPAC team!
    realloc(): invalid next size
    Aborted
    

realloc(): invalid next size indicates that there was a bof on heap indeed, overwriting the size field of a heap chunk.

**POC**

poc\_bof14.zip

**Impact**

Potentially causing DoS and RCE

**Credit**

Xdchase

CVE-2022-47661: heap-buffer-overflow media_tools/av_parsers.c:4988 in gf_media_nalu_add_emulation_bytes · Issue #2358 · gpac/gpac

GPAC MP4Box 2.1-DEV-rev649-ga8f438d20 has a segment fault (/stack overflow) due to infinite recursion in Media_GetSample isomedia/media.c:662

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels,

**Description**

segment fault (/stack overflow) due to infinite recursion in Media\_GetSample isomedia/media.c:662

**Version info**

latest version atm

    MP4Box - GPAC version 2.1-DEV-rev649-ga8f438d20-master
    (c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
    	GPAC Filters: https://doi.org/10.1145/3339825.3394929
    	GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --enable-sanitizer
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D
    

**Reproduce**

compile and run

    ./configure --enable-sanitizer
    make
    ./MP4Box import -cat poc_segfault2.mp4
    

Crash reported by sanitizer

    [HEVC] Error parsing NAL unit type 63
    Track Importing L-HEVC - Width 1 Height 6 FPS 25000/1000
    [HEVC] NAL Unit type 26 not handled - adding
    [HEVC] xPS changed but could not flush frames before signaling state change !
    [HEVC] Error parsing NAL unit type 33
    [HEVC] Error parsing NAL unit type 32
    [HEVC] Invalid log2_max_pic_order_cnt_lsb_minus4 80, max shall be 12
    [HEVC] Error parsing NAL unit type 33
    [HEVC] Error parsing Sequence Param Set
    [HEVC] Error parsing NAL unit type 34
    [HEVC] Error parsing NAL unit type 0
    [HEVC] Error parsing NAL unit type 32         
    [HEVC] Error parsing NAL unit type 32
    HEVC Import results: 7 samples (39 NALUs) - Slices: 0 I 0 P 1 B - 0 SEI - 0 IDR - 0 CRA
    HEVC L-HEVC Import results: Slices: 3 I 0 P 2 B
    HEVC Stream uses forward prediction - stream CTS offset: 6 frames
    HEVC Max NALU size is 106 - stream could be optimized by setting nal_length=1
    Appending file /home/sumuchuan/Desktop/gpac_fuzz/cat_gpac/bin/gcc/out/default/crashes/160.mp4
    No suitable destination track found - creating new one (type vide)
    AddressSanitizer:DEADLYSIGNAL   | (57/100)
    =================================================================
    ==738673==ERROR: AddressSanitizer: stack-overflow on address 0x7ffdae782bc0 (pc 0x7f415d384491 bp 0x7ffdae783400 sp 0x7ffdae782bc0 T0)
        #0 0x7f415d384491 in __sanitizer::StackTrace::StackTrace(unsigned long const*, unsigned int) ../../../../src/libsanitizer/sanitizer_common/sanitizer_stacktrace.h:52
        #1 0x7f415d384491 in __sanitizer::BufferedStackTrace::BufferedStackTrace() ../../../../src/libsanitizer/sanitizer_common/sanitizer_stacktrace.h:105
        #2 0x7f415d384491 in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:127
        #3 0x7f415787f858 in __GI__IO_free_backup_area libio/genops.c:190
        #4 0x7f415787cae3 in _IO_new_file_seekoff libio/fileops.c:975
        #5 0x7f415787ad52 in __fseeko libio/fseeko.c:40
        #6 0x7f4159a1536a in BS_SeekIntern utils/bitstream.c:1338
        #7 0x7f4159a1536a in gf_bs_seek utils/bitstream.c:1373
        #8 0x7f4159fbbfc9 in gf_isom_fdm_get_data isomedia/data_map.c:501
        #9 0x7f4159fbbfc9 in gf_isom_datamap_get_data isomedia/data_map.c:279
        #10 0x7f415a0a1f40 in Media_GetSample isomedia/media.c:641
        #11 0x7f4159ffc579 in gf_isom_get_sample_ex isomedia/isom_read.c:1916
        #12 0x7f4159ec91ca in gf_isom_nalu_sample_rewrite isomedia/avc_ext.c:454
        #13 0x7f415a0a305a in Media_GetSample isomedia/media.c:662
        #14 0x7f4159ffc579 in gf_isom_get_sample_ex isomedia/isom_read.c:1916
        #15 0x7f4159ec91ca in gf_isom_nalu_sample_rewrite isomedia/avc_ext.c:454
        #16 0x7f415a0a305a in Media_GetSample isomedia/media.c:662
        #17 0x7f4159ffc579 in gf_isom_get_sample_ex isomedia/isom_read.c:1916
        #18 0x7f4159ec91ca in gf_isom_nalu_sample_rewrite isomedia/avc_ext.c:454
        #19 0x7f415a0a305a in Media_GetSample isomedia/media.c:662
        #20 0x7f4159ffc579 in gf_isom_get_sample_ex isomedia/isom_read.c:1916
        #21 0x7f4159ec91ca in gf_isom_nalu_sample_rewrite isomedia/avc_ext.c:454
        #22 0x7f415a0a305a in Media_GetSample isomedia/media.c:662
        #23 0x7f4159ffc579 in gf_isom_get_sample_ex isomedia/isom_read.c:1916
        #24 0x7f4159ec91ca in gf_isom_nalu_sample_rewrite isomedia/avc_ext.c:454
        ...
    

looks like an infinite recursion

    Media_GetSample isomedia/media.c:662
     -> gf_isom_nalu_sample_rewrite isomedia/avc_ext.c:454
     -> gf_isom_get_sample_ex isomedia/isom_read.c:1916
     -> Media_GetSample isomedia/media.c:662
    

if compile without ASAN and run the same poc

    ./configure --static-bin
    make
    ./MP4Box import -cat poc_segfault2.mp4
    

there will be a segment fault

    [HEVC] Error parsing NAL unit type 63
    Track Importing L-HEVC - Width 1 Height 6 FPS 25000/1000
    [HEVC] NAL Unit type 26 not handled - adding
    [HEVC] xPS changed but could not flush frames before signaling state change !
    [HEVC] Error parsing NAL unit type 33
    [HEVC] Error parsing NAL unit type 32
    [HEVC] Invalid log2_max_pic_order_cnt_lsb_minus4 80, max shall be 12
    [HEVC] Error parsing NAL unit type 33
    [HEVC] Error parsing Sequence Param Set
    [HEVC] Error parsing NAL unit type 34
    [HEVC] Error parsing NAL unit type 0
    [HEVC] Error parsing NAL unit type 32         
    [HEVC] Error parsing NAL unit type 32
    HEVC Import results: 7 samples (39 NALUs) - Slices: 0 I 0 P 1 B - 0 SEI - 0 IDR - 0 CRA
    HEVC L-HEVC Import results: Slices: 3 I 0 P 2 B
    HEVC Stream uses forward prediction - stream CTS offset: 6 frames
    HEVC Max NALU size is 106 - stream could be optimized by setting nal_length=1
    Appending file /home/sumuchuan/Desktop/gpac_fuzz/cat_gpac/bin/gcc/out/default/crashes/160.mp4
    No suitable destination track found - creating new one (type vide)
    Segmentation fault=====         | (57/100)
    

Because it ran out of stack space, making rsp and rbp point to an unmapped memory, causing seg fault. backtrace atm

    pwndbg> bt
    ...
    #16487 0x000000000054d599 in gf_isom_get_sample_ex ()
    #16488 0x0000000000521d6d in gf_isom_nalu_sample_rewrite ()
    #16489 0x0000000000570e13 in Media_GetSample ()
    #16490 0x000000000054d599 in gf_isom_get_sample_ex ()
    #16491 0x0000000000521d6d in gf_isom_nalu_sample_rewrite ()
    #16492 0x0000000000570e13 in Media_GetSample ()
    #16493 0x000000000054d599 in gf_isom_get_sample_ex ()
    #16494 0x0000000000521d6d in gf_isom_nalu_sample_rewrite ()
    #16495 0x0000000000570e13 in Media_GetSample ()
    ...
    

**POC**

poc-segfault2.zip

**Impact**

Potentially causing DoS

**Credit**

Xdchase

CVE-2022-47662: Infinite recursion in Media_GetSample isomedia/media.c:662 · Issue #2359 · gpac/gpac

Libde265 1.0.9 is vulnerable to Buffer Overflow in function void put_qpel_fallback<unsigned short>

**Description**

stack-buffer-overflow (libde265/build/libde265/libde265.so+0x17d304) in void put\_qpel\_fallback(short\*, long, unsigned short const\*, long, int, int, short\*, int, int, int)

**Version info**

     dec265  v1.0.9
    --------------
    usage: dec265 [options] videofile.bin
    The video file must be a raw bitstream, or a stream with NAL units (option -n).
    
    options:
      -q, --quiet       do not show decoded image
      -t, --threads N   set number of worker threads (0 - no threading)
      -c, --check-hash  perform hash check
      -n, --nal         input is a stream with 4-byte length prefixed NAL units
      -f, --frames N    set number of frames to process
      -o, --output      write YUV reconstruction
      -d, --dump        dump headers
      -0, --noaccel     do not use any accelerated code (SSE)
      -v, --verbose     increase verbosity level (up to 3 times)
      -L, --no-logging  disable logging
      -B, --write-bytestream FILENAME  write raw bytestream (from NAL input)
      -m, --measure YUV compute PSNRs relative to reference YUV
      -T, --highest-TID select highest temporal sublayer to decode
          --disable-deblocking   disable deblocking filter
          --disable-sao          disable sample-adaptive offset filter
      -h, --help        show help
    

**Reproduce**

    git clone https://github.com/strukturag/libde265.git
    cd libde265
    mkdir build
    cd build
    cmake ../ -DCMAKE_CXX_FLAGS="-fsanitize=address"
    make -j$(nproc)
    ./dec265/dec265 poc.bin
    

**ASAN**

    WARNING: coded parameter out of range
    WARNING: maximum number of reference pictures exceeded
    WARNING: faulty reference picture list
    WARNING: maximum number of reference pictures exceeded
    WARNING: faulty reference picture list
    WARNING: maximum number of reference pictures exceeded
    WARNING: faulty reference picture list
    WARNING: non-existing PPS referenced
    WARNING: CTB outside of image area (concealing stream error...)
    WARNING: non-existing PPS referenced
    WARNING: non-existing PPS referenced
    WARNING: non-existing PPS referenced
    WARNING: maximum number of reference pictures exceeded
    WARNING: CTB outside of image area (concealing stream error...)
    WARNING: non-existing PPS referenced
    =================================================================
    ==3829==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fffea52d35f at pc 0x7f8966bd5305 bp 0x7fffea52ac00 sp 0x7fffea52abf0
    READ of size 2 at 0x7fffea52d35f thread T0
        #0 0x7f8966bd5304 in void put_qpel_fallback<unsigned short>(short*, long, unsigned short const*, long, int, int, short*, int, int, int) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x17d304)
        #1 0x7f8966bd08c2 in put_qpel_1_0_fallback_16(short*, long, unsigned short const*, long, int, int, short*, int) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1788c2)
        #2 0x7f8966c0152e in acceleration_functions::put_hevc_qpel(short*, long, void const*, long, int, int, short*, int, int, int) const (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1a952e)
        #3 0x7f8966c02c0f in void mc_luma<unsigned char>(base_context const*, seq_parameter_set const*, int, int, int, int, short*, int, unsigned char const*, int, int, int, int) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1aac0f)
        #4 0x7f8966bf3a8b in generate_inter_prediction_samples(base_context*, slice_segment_header const*, de265_image*, int, int, int, int, int, int, int, PBMotion const*) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x19ba8b)
        #5 0x7f8966c00a2e in decode_prediction_unit(base_context*, slice_segment_header const*, de265_image*, PBMotionCoding const&, int, int, int, int, int, int, int, int) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1a8a2e)
        #6 0x7f8966c3dd2a in read_prediction_unit(thread_context*, int, int, int, int, int, int, int, int, int) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1e5d2a)
        #7 0x7f8966c3f774 in read_coding_unit(thread_context*, int, int, int, int) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1e7774)
        #8 0x7f8966c40762 in read_coding_quadtree(thread_context*, int, int, int, int) [clone .localalias] (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1e8762)
        #9 0x7f8966c405a3 in read_coding_quadtree(thread_context*, int, int, int, int) [clone .localalias] (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1e85a3)
        #10 0x7f8966c405a3 in read_coding_quadtree(thread_context*, int, int, int, int) [clone .localalias] (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1e85a3)
        #11 0x7f8966c405a3 in read_coding_quadtree(thread_context*, int, int, int, int) [clone .localalias] (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1e85a3)
        #12 0x7f8966c37d49 in read_coding_tree_unit(thread_context*) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1dfd49)
        #13 0x7f8966c40f06 in decode_substream(thread_context*, bool, bool) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1e8f06)
        #14 0x7f8966c42c3f in read_slice_segment_data(thread_context*) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1eac3f)
        #15 0x7f8966b95e6f in decoder_context::decode_slice_unit_sequential(image_unit*, slice_unit*) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x13de6f)
        #16 0x7f8966b96673 in decoder_context::decode_slice_unit_parallel(image_unit*, slice_unit*) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x13e673)
        #17 0x7f8966b95311 in decoder_context::decode_some(bool*) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x13d311)
        #18 0x7f8966b9505b in decoder_context::read_slice_NAL(bitreader&, NAL_unit*, nal_header&) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x13d05b)
        #19 0x7f8966b97be6 in decoder_context::decode_NAL(NAL_unit*) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x13fbe6)
        #20 0x7f8966b9824c in decoder_context::decode(int*) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x14024c)
        #21 0x7f8966b7e3f2 in de265_decode (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1263f2)
        #22 0x562ac9c989a5 in main (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/dec265/dec265+0x79a5)
        #23 0x7f8966526d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
        #24 0x7f8966526e3f in __libc_start_main_impl ../csu/libc-start.c:392
        #25 0x562ac9c967c4 in _start (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/dec265/dec265+0x57c4)
    
    Address 0x7fffea52d35f is located in stack of thread T0 at offset 9391 in frame
        #0 0x7f8966c02203 in void mc_luma<unsigned char>(base_context const*, seq_parameter_set const*, int, int, int, int, short*, int, unsigned char const*, int, int, int, int) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1aa203)
    
      This frame has 2 object(s):
        [48, 9136) 'mcbuffer' (line 71)
        [9392, 15072) 'padbuf' (line 129) <== Memory access at offset 9391 partially underflows this variable
    HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
          (longjmp and C++ exceptions *are* supported)
    SUMMARY: AddressSanitizer: stack-buffer-overflow (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x17d304) in void put_qpel_fallback<unsigned short>(short*, long, unsigned short const*, long, int, int, short*, int, int, int)
    Shadow bytes around the buggy address:
      0x10007d49da10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10007d49da20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10007d49da30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10007d49da40: 00 00 00 00 00 00 00 00 00 00 00 00 f2 f2 f2 f2
      0x10007d49da50: f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2
    =>0x10007d49da60: f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2[f2]00 00 00 00
      0x10007d49da70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10007d49da80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10007d49da90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10007d49daa0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10007d49dab0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==3829==ABORTING
    

**POC**

poc.zip

**Impact**

Potentially causing DoS and RCE

**Credit**

Xdchase

CVE-2022-47655: Another stack-buffer-overflow in function void put_qpel_fallback<unsigned short> · Issue #367 · strukturag/libde265

GPAC version 2.1-DEV-rev505-gb9577e6ad-master was discovered to contain a memory leak via the afrt_box_read function at box_code_adobe.c.

A memory leak has occurred when running program MP4Box, this can reproduce on the lattest commit.

**Version**

    $ ./MP4Box -version                              
    MP4Box - GPAC version 2.1-DEV-rev505-gb9577e6ad-master
    (c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
    	GPAC Filters: https://doi.org/10.1145/3339825.3394929
    	GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --static-build --extra-cflags=-fsanitize=address -g --extra-ldflags=-fsanitize=address -g
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_FREETYPE GPAC_HAS_JPEG GPAC_HAS_PNG GPAC_HAS_LINUX_DVB
    

git log

    commit b9577e6ad91ef96decbcd369227ab02b2842c77f (HEAD -> master, origin/master, origin/HEAD)
    Author: jeanlf <jeanlf@gpac.io>
    Date:   Fri Nov 25 16:53:55 2022 +0100
    

**Verification steps**

    export CFLAGS='-fsanitize=address -g'
    export CC=/usr/bin/clang
    export CXX=/usr/bin/clang++ 
    git clone https://github.com/gpac/gpac.git
    cd gpac
    ./configure --static-build --extra-cflags="${CFLAGS}" --extra-ldflags="${CFLAGS}"
    make
    cd bin/gcc
    ./MP4Box -info $poc
    

**POC file**

https://github.com/HotSpurzzZ/testcases/blob/main/gpac/gpac\_Direct\_leak\_afrt\_box\_read.mp4

**AddressSanitizer output**

    $ ./MP4Box -info gpac_Direct_leak_afrt_box_read.mp4       
    [isom] not enough bytes in box afrt: 0 left, reading 1 (file isomedia/box_code_adobe.c, line 713)
    [iso file] Read Box "afrt" (start 0) failed (Invalid IsoMedia File) - skipping
    Error opening file gpac_Direct_leak_afrt_box_read.mp4: Invalid IsoMedia File
    
    =================================================================
    ==10525==ERROR: LeakSanitizer: detected memory leaks
    
    Direct leak of 24 byte(s) in 1 object(s) allocated from:
        #0 0x4a186d in malloc (/root/Desktop/gpac/bin/gcc/MP4Box+0x4a186d)
        #1 0x902c18 in afrt_box_read /root/Desktop/gpac/src/isomedia/box_code_adobe.c:706:35
    
    SUMMARY: AddressSanitizer: 24 byte(s) leaked in 1 allocation(s).

Tag

#c++