Debian Linux Security Advisory 5573-1 - Multiple security issues were discovered in Chromium, which could result in the execution of arbitrary code, denial of service or information disclosure.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256- -------------------------------------------------------------------------Debian Security Advisory DSA-5573-1                   security@debian.orghttps://www.debian.org/security/                           Andres SalomonDecember 09, 2023                     https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : chromiumCVE ID         : CVE-2023-6508 CVE-2023-6509 CVE-2023-6510 CVE-2023-6511                  CVE-2023-6512Multiple security issues were discovered in Chromium, which could resultin the execution of arbitrary code, denial of service or informationdisclosure.For the oldstable distribution (bullseye), the updates are pending andwill be released shortly. When completed, fixes will be made availableas 120.0.6099.71-1~deb11u1.For the stable distribution (bookworm), these problems have been fixed inversion 120.0.6099.71-1~deb12u1.We recommend that you upgrade your chromium packages.For the detailed security status of chromium please refer toits security tracker page at:https://security-tracker.debian.org/tracker/chromiumFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCAAdFiEEUAUk+X1YiTIjs19qZF0CR8NudjcFAmVz/oUACgkQZF0CR8NudjeHiQ//b6jyIAPFtBShCoAqRE22aN0RvzWR2BNs0Dl7CaZxMf+/+W/c0dXH3P9UtfEDv4Wcf6l6N3SSwAkCSwQx/Fr1T3Fpm2Qgv4C1fBibU/HMK/McE47Ua22MD0ZZhuuVx6kiG3rmvlH0tfi7N9oBa+6MdlUbps2PAsa7sII7BGReYvj90z80HlPPFbSc94aw/5ywL1+14CqWEdnyRxRJj5Jk0HWolyuSAItdNF3fxExweSeYHha0UKJXwK8449833YdWXl3htjrrM0nqjOfkponeq8GbPUXXaV0hIHU0Vu3nRJ26rRiFsV9UV1gzc3JRihndHizFD+gnas2KI4EiMwFDns6u2yJv7r2YLcTGfamnPuBnwsiCFfphXA1h/1GUrhCPxxRZCXdRUS5DakiaXGNS9HhC6ELcwhMKY8YcQ3CFBubi+5Jj+nUXL+n98F1m6UwJ08KBPXMKAlNhqVlsoJ4vyPD0UlKxjsPXynnnGe0c+YJlnK4+Czo/rzTwhqPy0kStMea3I9jpsgu9iQuNODKiC1xrxt0G8iaaRePwaX/IbJyjw/8lumhMkTvQ8Os5HlZAZSiHRQUgYVonOup+QywJqidkDRqsp7dsz7yrR9n/k7H5j6/XjXkZRnb4BcB3AMJkyBy7wqL8r9UCTwBD5zdfYk3VrDqJ/Klg+tEFeRbNvik==t7or-----END PGP SIGNATURE-----

Debian Security Advisory 5573-1

Malwarebytes is offering customers its ThreatDown Vulnerability Assessment solution without extra costs to help reduce attack surfaces and improve their security posture

Every day, nearly 70 brand-new vulnerabilities are discovered in software products around the world. That’s almost 25,550 new problems each year, of which roughly 4,250 (or every one-in-six) will be classified as “critical.”

But with little guidance beyond “critical” classifications—and with the potential for non-critical vulnerabilities to still be exploited for devastating malware attacks—resource-constrained IT organizations need help. How can IT teams prioritize amongst potentially thousands of vulnerabilities if they don’t know which to fix first?

Malwarebytes analyzed the vulnerabilities identified by its ThreatDown Vulnerability Assessment module, now included at no additional cost in all ThreaDown bundles, to reveal the most common “critical” and “important” unpatched vulnerabilities on known endpoints.

The vulnerabilities compiled show up across four major software products:

*   Adobe Flash Player
*   Adobe Acrobat Reader
*   VideoLan VLC Media Player
*   Zoom

****The most prevalent vulnerabilities:****

In the 100 most prevalent unpatched vulnerabilities, the majority **(93 out of the 100) are found in software by Adobe, Zoom, and Mozilla.** \[MOU3\] 

No vulnerability listed as critical made it into the top 100 most prevalent vulnerabilities. But one critical vulnerability was close: CVE-2020-9633 in Adobe Flash Player. The vulnerable version of Flash is still in use because Adobe silently introduced a time bomb in later Flash Player versions that would prevent Flash Player from working and playing any Flash content after January 12, 2021. So organizations that have certain Flash content they need to play often to go back to that vulnerable version.

Relatedly, the most prevalent vulnerabilities labeled “Critical” come from a more diverse group of software vendors, with four distinct top contributors:

*   30 % UltraVNC (Server and Viewer)
*   20 % Python (versions 3.6 to 3.10)
*   18% Microsoft (Edge and Visual Studio)
*   14 % Adobe (Flash Player, Acrobat, and Reader)

Read on to see details of the top 5 unpatched critical vulnerabilities and the top 5 unpatched important vulnerabilities, as uncovered by ThreatDown, powered by Malwarebytes.

****The top 5 unpatched CRITICAL vulnerabilities:****

**Adobe Flash Player**

CVE-2020-9633: Adobe Flash Player Desktop Runtime 32.0.0.371 and earlier, Adobe Flash Player for Google Chrome 32.0.0.371 and earlier, and Adobe Flash Player for Microsoft Edge and Internet Explorer 32.0.0.330 and earlier have a use after free vulnerability. Successful exploitation could lead to arbitrary code execution. Adobe has released security updates for Adobe Flash Player for Windows, macOS, Linux and Chrome OS.

**Zoom:**

CVE-2022-22785: The Zoom Client for Meetings (for Android, iOS, Linux, MacOS, and Windows) before version 5.10.0 failed to properly constrain client session cookies to Zoom domains. This issue could be used in a more sophisticated attack to send an unsuspecting users Zoom-scoped session cookies to a non-Zoom domain. This could potentially allow for spoofing of a Zoom user.

CVE-2022-22786: The Zoom Client for Meetings for Windows before version 5.10.0 and Zoom Rooms for Conference Room for Windows before version 5.10.0, fails to properly check the installation version during the update process. This issue could be used in a more sophisticated attack to trick a user into downgrading their Zoom client to a less secure version.

**Adobe Acrobat Reader**

CVE-2016-1038: Adobe Reader and Acrobat before 11.0.16, Acrobat and Acrobat Reader DC Classic before 15.006.30172, and Acrobat and Acrobat Reader DC Continuous before 15.016.20039 on Windows and OS X allow attackers to bypass JavaScript API execution restrictions via unspecified vectors. Installing a more recent version eliminates this vulnerability.

CVE-2016-1044: Adobe Reader and Acrobat before 11.0.16, Acrobat and Acrobat Reader DC Classic before 15.006.30172, and Acrobat and Acrobat Reader DC Continuous before 15.016.20039 on Windows and OS X allow attackers to bypass JavaScript API execution restrictions via unspecified vectors. Installing a more recent version eliminates this vulnerability.

****The top 5 unpatched IMPORTANT vulnerabilities:****

**Zoom:**

CVE-2023-39211: Improper privilege management in Zoom Desktop Client for Windows and Zoom Rooms for Windows may allow an authenticated user to enable an information disclosure via local access. Upgrading to 5.15.5 or later eliminates this vulnerability.

CVE-2023-34116: Improper input validation in the Zoom Desktop Client for Windows may allow an unauthorized user to enable an escalation of privilege via network access. Upgrading to version 5.15.0 or later eliminates this vulnerability.

CVE-2023-39213: Improper neutralization of special elements in Zoom Desktop Client for Windows and Zoom VDI Client may allow an unauthenticated user to enable an escalation of privilege via network access. Upgrading to version 5.15.2 or later eliminates this vulnerability.

**Adobe:**

CVE-2023-29320: Adobe Acrobat Reader versions 23.003.20244 (and earlier) and 20.005.30467 (and earlier) are affected by an Violation of Secure Design Principles vulnerability that could result in arbitrary code execution in the context of the current user by bypassing the API blacklisting feature. Exploitation of this issue requires user interaction in that a victim must open a malicious file. Updating to the latest version eliminates the vulnerability.

**VLC media player**

CVE-2020-26664: A vulnerability in VideoLAN VLC media player 3.0.11 allows attackers to trigger a heap-based buffer overflow via a specially crafted file. A buffer overflow is a type of software vulnerability that exists when an area of memory within a software application reaches its address boundary and writes into an adjacent memory region. In software exploit code, two common areas that are targeted for overflows are the stack and the heap. A buffer overflow may result in arbitrary code execution. Installing the 3.0.20 release of VLC eliminates the vulnerability.

**You Can’t Fix What You Can’t See**

While only on very rare occasions do vulnerabilities make mainstream news headlines, but when they do, the impact can be enormous. The exploitation of the MOVEit vulnerability by Cl0p ransomware operators impacted over 60 million individual victims (between May and September of 2023. And remember that not every “critical” vulnerability is synonymous with an exploited vulnerability. With an additional 1,000 entries added to CISA’s known, exploited vulnerabilities catalog in just the past two years, few organizations have the IT staff to keep track of everything.

Many organizations only have limited visibility into which vulnerabilities might impact them, and nearly every organization relies on the Common Vulnerabilities and Exposures (CVE) database, which lists publicly disclosed computer security flaws. But this isn’t a perfect resource.

In 2023, CVE-2023-4863 was discovered, originally described as a heap buffer overflow in WebP  within Google Chrome. The average person, upon learning about this vulnerability, may have thought that the problem was limited to Chrome, or maybe even realize that other Chromium based browsers could be affected. Yet the reality was quite different. It turned out that the bug was deeply rooted in the libwebp library, which is not only used by Chrome but by virtually every application that handles WebP images. So anyone that patched their Chrome browser might think they thwarted that vulnerability, when in reality they might still be vulnerable, just in different software.

This type of library oversight happens quite often. Most people, including thoroughly trained and experienced IT staff, have no idea about all the building blocks that were used to create the environment and software that they use.

This is where dedicated software to alert staff about existing vulnerabilities in their environment integrated with patch management capabilities can help save the day.

**Free Vulnerability Assessment**

Today Malwarebytes announced its offering customers its ThreatDown Vulnerability Assessment solution without extra costs to help reduce attack surfaces and improve their security posture. The full featured comprehensive vulnerability scanning is now included in every ThreatDown Bundle at no additional cost via its integrated console.

Learn more about how ThreatDown bundles can help you to improve your security by quickly finding and fixing vulnerabilities here.

**We don’t just report on vulnerabilities—we identify them, and prioritize action.**

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using ThreatDown Vulnerability and Patch Management.

 Insights into your unpatched vulnerabilities 

An oversight in BCB handling of reboot reason that allows for persistent code execution

_Published December 5, 2023_

The Chromecast Security Bulletin contains details of security vulnerabilities affecting supported Chromecast with Google TV devices (Chromecast devices). For Chromecast devices, security patch levels of 2023-10-01 or later address all applicable issues in the October 2023 Android Security Bulletin and all issues in this bulletin. To learn how to check a device's security patch level, see Chromecast firmware versions & release notes.

All supported Chromecast devices will receive an update to the 2023-10-01 patch level. We encourage all customers to accept these updates to their devices.

**Announcements**

*   In addition to the security vulnerabilities described in the October 2023 Android Security Bulletin, Chromecast devices also contain patches for the security vulnerabilities described below.

**Security patches**

Vulnerabilities are grouped under the component that they affect. There is a description of the issue and a table with the CVE, associated references, type of vulnerability, severity, and updated Android Open Source Project (AOSP) versions (where applicable). When available, we link the public change that addressed the issue to the bug ID, like the AOSP change list. When multiple changes relate to a single bug, additional references are linked to numbers following the bug ID.

**AMLogic**

    

CVE

References

Severity

Subcomponent

CVE-2023-48425  

A-291138519

High

U-Boot

CVE-2023-48424  

A-286458481

High

U-Boot

CVE-2023-6181  

A-291138116

Moderate

U-Boot

**System**

    

CVE

References

Severity

Subcomponent

CVE-2023-48417  

A-288311233

Moderate

KeyChain

**Functional patches**

For details on the new bug fixes and functional patches included in this release, refer to the Chromecast firmware versions & release notes.

**Acknowledgements**

Researchers

CVEs

Nolen Johnson, DirectDefense and Jan Altensen, Ray Volpe

CVE-2023-6181, CVE-2023-48425,

Lennert Wouters, rqu, Thomas Roth aka stacksmashing

CVE-2023-48424

Rocco Calvi (TecR0c), SickCodes

CVE-2023-48417

**Common questions and answers**

This section answers common questions that may occur after reading this bulletin.

**1\. How do I determine if my device is updated to address these issues?**

Security patch levels of 2023-10-01 or later address all issues associated with the 2023-10-01 security patch level and all previous patch levels. To learn how to check a device's security patch level, read the instructions on the Chromecast firmware versions & release notes.

**2\. Why are security vulnerabilities split between this bulletin and the Android Security Bulletins?**

Security vulnerabilities that are documented in the Android Security Bulletins are required to declare the latest security patch level on Android devices. Additional security vulnerabilities, such as those documented in this bulletin are not required for declaring a security patch level.

**3\. What do the entries in the _Type_ column mean?**

Entries in the _Type_ column of the vulnerability details table reference the classification of the security vulnerability.

 

Abbreviation

Definition

RCE

Remote code execution

EoP

Elevation of privilege

ID

Information disclosure

DoS

Denial of service

N/A

Classification not available

**4\. What do the entries in the _References_ column mean?**

Entries under the _References_ column of the vulnerability details table may contain a prefix identifying the organization to which the reference value belongs.

 

Prefix

Reference

A-

Android bug ID

**5\. What does an \* next to the Android bug ID in the _References_ column mean?**

Issues that are not publicly available have an \* next to the Android bug ID in the _References_ column.

**Versions**

  

Version

Date

Notes

1.0

December 5, 2023

CVE-2023-6181: Chromecast Security Bulletin—December 2023

SyncTrayzor 1.1.29 enables CEF (Chromium Embedded Framework) remote debugging, allowing a local attacker to control the application.

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Pick a username

Email Address

Password

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CVE-2021-46899: Remove RemoteDebuggingPort for release builds · Issue #666 · canton7/SyncTrayzor

By Waqas
Another day, another Bluetooth vulnerability impacting billions of devices worldwide!
This is a post from HackRead.com Read the original post: Bluetooth Vulnerability Enables Keystroke Injection on Android, Linux, macOS, iOS

Keystroke injection is a method wherein malicious commands or keystrokes are remotely injected into a system to compromise or manipulate its functionality, often exploited for unauthorized access or control.

A critical vulnerability in Bluetooth allows attackers to take control of Android, Linux, macOS, and iOS devices, including devices in Lockdown Mode. This vulnerability is tracked as **CVE-2023-45866** and disclosed by security researcher Marc Newlin. 

It enables attackers to connect to vulnerable devices without user confirmation and inject keystrokes, potentially allowing them to install malicious apps, run arbitrary commands, and perform other unauthorized actions (except those requiring password/biometric authentication). The software vendors were notified about the flaw in August 2023.

This vulnerability was first identified in 2016 in non-Bluetooth wireless mice and keyboards. Back then, it was assumed that Bluetooth was secure and promoted as a better alternative to vulnerable custom protocols.

In 2023, a challenge forced Newlin to focus on Apple’s Magic Keyboard due to its **reliance on Bluetooth** and Apple’s security reputation. Initial research revealed limited information about Bluetooth, macOS, and iOS, necessitating extensive learning. 

Later, unauthenticated Bluetooth keystroke injection vulnerabilities in macOS and iOS were discovered, which were exploitable even when **Lockdown Mode** was enabled. Similar flaws were identified in Linux and Android, suggesting a broader issue beyond individual implementations. The Bluetooth HID specification analysis revealed a combination of protocol design and implementation bugs.

Newlin explained in his **post on GitHub** that multiple Bluetooth stacks had authentication bypass vulnerabilities. The attack exploits an “unauthenticated pairing mechanism” defined within the Bluetooth specification, tricking the target device into accepting a fake keyboard.

This deception allows an attacker in close proximity to connect and inject keystrokes, potentially enabling them to install apps and execute arbitrary commands. It is worth noting that unpatched devices are vulnerable under specific conditions, such as:

*   Android: Bluetooth must be enabled.
*   Linux/BlueZ: Bluetooth must be discoverable/connectable.
*   iOS/macOS: Bluetooth must be enabled, and a Magic Keyboard must be paired with the device.

These vulnerabilities can be exploited with a standard Bluetooth adapter on a Linux computer. Notably, some vulnerabilities predate “**MouseJack**“, affecting Android devices as far back as version 4.2.2 (released in 2012). 

In a comment to Hackread.com, Ken Dunham, Director of Cyber Threat at Qualys said “The two new Bluetooth vulnerabilities that exist for Android, Linux, MacOS, and iOS enable unauthorized attackers to perform an “unauthenticated pairing”, then possibly enable execution of code and to run arbitrary commands.”

“Bluetooth attacks are limited to close physical proximity. As a workaround, users of vulnerable systems can limit their attack surface and risk until patched by disabling Bluetooth,” Dunham advised.

While a fix for the Linux vulnerability existed since 2020 (**CVE-2020-0556**), it was surprisingly left disabled by default. Despite announcements by major Linux distributions, only ChromeOS is known to have implemented the fix. The latest BlueZ patch for CVE-2023-45866 finally enables this crucial fix by default.

It is a serious vulnerability impacting a vast array of devices, exposing potential security risks inherent to Bluetooth technology. However, according to Google, “fixes for these issues that affect Android 11 through 14 are available to impacted OEMs. All currently-supported Pixel devices will receive this fix via December OTA updates.”

1.  **BlueRepli attack bypasses Bluetooth authentication on Android**
2.  **BleedingTooth Bluetooth vulnerability allows RCE in Linux devices**
3.  **Update your devices: New Bluetooth flaw lets attackers monitor traffic**
4.  **BlueBorne Bluetooth Flaw Affects Millions of Smartphones, IoT and PCs**
5.  **Hackers can crash Google’s Nest Dropcams by exploiting Bluetooth flaws**

Bluetooth Vulnerability Enables Keystroke Injection on Android, Linux, macOS, iOS

The North Korean threat actor known as Kimsuky has been observed targeting research institutes in South Korea as part of a spear-phishing campaign with the ultimate goal of distributing backdoors on compromised systems.
"The threat actor ultimately uses a backdoor to steal information and execute commands," the AhnLab Security Emergency Response Center (ASEC) said in an

Cyber Espionage / Cryptocurrency

The North Korean threat actor known as **Kimsuky** has been observed targeting research institutes in South Korea as part of a spear-phishing campaign with the ultimate goal of distributing backdoors on compromised systems.

"The threat actor ultimately uses a backdoor to steal information and execute commands," the AhnLab Security Emergency Response Center (ASEC) said in an analysis posted last week.

The attack chains commence with an import declaration lure that's actually a malicious JSE file containing an obfuscated PowerShell script, a Base64-encoded payload, and a decoy PDF document.

The next stage entails opening the PDF file as a diversionary tactic, while the PowerShell script is executed in the background to launch the backdoor.

The malware, for its part, is configured to collect network information and other relevant data (i.e., host name, user name, and operating system version) and transmit the encoded details to a remote server.

It's also capable of running commands, executing additional payloads, and terminating itself, turning it into a backdoor for remote access to the infected host.

UPCOMING WEBINAR

Cracking the Code: Learn How Cyber Attackers Exploit Human Psychology

Ever wondered why social engineering is so effective? Dive deep into the psychology of cyber attackers in our upcoming webinar.

Join Now

Kimsuky, active since at least 2012, started off targeting South Korean government entities, think tanks, and individuals identified as experts in various fields, before expanding its victimology footprint to encompass Europe, Russia, and the U.S.

Earlier this month, the U.S. Treasury Department sanctioned Kimsuky for gathering intelligence to support North Korea's strategic objectives, including geopolitical events, foreign policy, and diplomatic efforts.

"Kimsuky has focused its intelligence collection activities on foreign policy and national security issues related to the Korean peninsula, nuclear policy, and sanctions," cybersecurity firm ThreatMon noted in a recent report.

The state-sponsored group has also been observed leveraging booby-trapped URLs that, when clicked, download a bogus ZIP archive masquerading as an update for the Chrome browser to deploy a malicious VBScript from Google Drive that employs the cloud storage as a conduit for data exfiltration and command-and-control (C2).

**Lazarus Group Goes Phishing on Telegram**

The development comes as blockchain security company SlowMist implicated the notorious North Korea-backed outfit called the Lazarus Group in a widespread phishing campaign on Telegram targeting the cryptocurrency sector.

"More recently, these hackers have escalated their tactics by posing as reputable investment institutions to execute phishing scams against various cryptocurrency project teams," the Singapore-based firm said.

After establishing rapport, the targets are deceived into downloading a malicious script under the guise of sharing an online meeting link that facilitates crypto theft.

It also follows a report from the Seoul Metropolitan Police Agency (SMPA) that accused the Lazarus sub-cluster codenamed Andariel of stealing technical information about anti-aircraft weapon systems from domestic defense companies and laundering ransomware proceeds back to North Korea.

It is estimated that more than 250 files amounting to 1.2 terabytes have been stolen in the attacks. To cover up the tracks, the adversary is said to have used servers from a local company that "rents servers to subscribers with unclear identities" as an entry point.

In addition, the group extorted 470 million won ($356,000) worth of bitcoin from three South Korean firms in ransomware attacks and laundered them through virtual asset exchanges such as Bithumb and Binance. It's worth noting that Andariel has been linked to the deployment of Maui ransomware in the past.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

N. Korean Kimsuky Targeting South Korean Research Institutes with Backdoor Attacks

Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability

CVE-2023-35618

Microsoft Edge (Chromium-based) Information Disclosure Vulnerability

CVE-2023-38174

CVE-2023-36880

libheif v1.17.5 was discovered to contain a segmentation violation via the function UncompressedImageCodec::get_luma_bits_per_pixel_from_configuration_unci.

**Description**

heap-use-after-free/SEGV/heap-buffer-overflow libheif/libheif/uncompressed_image.cc:537 in UncompressedImageCodec::get_luma_bits_per_pixel_from_configuration_unci

**Version**

    commit: 64ece913266609789f5dc70fe7de9eb759badd7f
    
    heif-convert  libheif version: 1.17.5
    -------------------------------------------
    Usage: heif-convert [options]  <input-image> [output-image]
    
    The program determines the output file format from the output filename suffix.
    These suffixes are recognized: jpg, jpeg, png, y4m. If no output filename is specified, 'jpg' is used.
    
    Options:
      -h, --help                     show help
      -v, --version                  show version
      -q, --quality                  quality (for JPEG output)
      -o, --output FILENAME          write output to FILENAME (optional)
      -d, --decoder ID               use a specific decoder (see --list-decoders)
          --with-aux                 also write auxiliary images (e.g. depth images)
          --with-xmp                 write XMP metadata to file (output filename with .xmp suffix)
          --with-exif                write EXIF metadata to file (output filename with .exif suffix)
          --skip-exif-offset         skip EXIF metadata offset bytes
          --no-colons                replace ':' characters in auxiliary image filenames with '_'
          --list-decoders            list all available decoders (built-in and plugins)
          --quiet                    do not output status messages to console
      -C, --chroma-upsampling ALGO   Force chroma upsampling algorithm (nn = nearest-neighbor / bilinear)
          --png-compression-level #  Set to integer between 0 (fastest) and 9 (best). Use -1 for default.
    

**Replay**

    cd libheif
    mkdir build && cd build
    CC="gcc -fsanitize=address" CXX="g++ -fsanitize=address" cmake -DCMAKE_BUILD_TYPE=Debug -DWITH_UNCOMPRESSED_CODEC=ON ..
    make -j
    ./examples/heif-convert ./poc test.png
    

**ASAN**

> I just show the uaf case, you can use my poc to reproduce the others.

    ==88148==ERROR: AddressSanitizer: heap-use-after-free on address 0x60e000000910 at pc 0x7f7a88d9ab47 bp 0x7ffef17996e0 sp 0x7ffef17996d0
    READ of size 2 at 0x60e000000910 thread T0
        #0 0x7f7a88d9ab46 in UncompressedImageCodec::get_luma_bits_per_pixel_from_configuration_unci(HeifFile const&, unsigned int) libheif/libheif/uncompressed_image.cc:537
        #1 0x7f7a88c96f95 in HeifFile::get_luma_bits_per_pixel_from_configuration(unsigned int) const libheif/libheif/file.cc:609
        #2 0x7f7a88c58d54 in HeifContext::Image::get_luma_bits_per_pixel() const libheif/libheif/context.cc:1225
        #3 0x7f7a88c1abf7 in heif_image_handle_get_luma_bits_per_pixel libheif/libheif/heif.cc:846
        #4 0x55fa40c34835 in main libheif/examples/heif_convert.cc:475
        #5 0x7f7a88694082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082)
        #6 0x55fa40c2fadd in _start (libheif/build/examples/heif-convert+0xbadd)
    
    0x60e000000910 is located 16 bytes inside of 160-byte region [0x60e000000900,0x60e0000009a0)
    freed by thread T0 here:
        #0 0x7f7a88f6c0d0 in operator delete(void*) (/lib/x86_64-linux-gnu/libasan.so.4+0xe20d0)
        #1 0x7f7a88c038d9 in __gnu_cxx::new_allocator<std::_Sp_counted_ptr_inplace<Box_hdlr, std::allocator<Box_hdlr>, (__gnu_cxx::_Lock_policy)2> >::deallocate(std::_Sp_counted_ptr_inplace<Box_hdlr, std::allocator<Box_hdlr>, (__gnu_cxx::_Lock_policy)2>*, unsigned long) /usr/include/c++/7/ext/new_allocator.h:125
        #2 0x7f7a88bfef61 in std::allocator_traits<std::allocator<std::_Sp_counted_ptr_inplace<Box_hdlr, std::allocator<Box_hdlr>, (__gnu_cxx::_Lock_policy)2> > >::deallocate(std::allocator<std::_Sp_counted_ptr_inplace<Box_hdlr, std::allocator<Box_hdlr>, (__gnu_cxx::_Lock_policy)2> >&, std::_Sp_counted_ptr_inplace<Box_hdlr, std::allocator<Box_hdlr>, (__gnu_cxx::_Lock_policy)2>*, unsigned long) /usr/include/c++/7/bits/alloc_traits.h:462
        #3 0x7f7a88bf4553 in std::__allocated_ptr<std::allocator<std::_Sp_counted_ptr_inplace<Box_hdlr, std::allocator<Box_hdlr>, (__gnu_cxx::_Lock_policy)2> > >::~__allocated_ptr() /usr/include/c++/7/bits/allocated_ptr.h:73
        #4 0x7f7a88c1019d in std::_Sp_counted_ptr_inplace<Box_hdlr, std::allocator<Box_hdlr>, (__gnu_cxx::_Lock_policy)2>::_M_destroy() /usr/include/c++/7/bits/shared_ptr_base.h:543
        #5 0x7f7a88b94163 in std::_Sp_counted_base<(__gnu_cxx::_Lock_policy)2>::_M_release() /usr/include/c++/7/bits/shared_ptr_base.h:170
        #6 0x7f7a88b938c3 in std::__shared_count<(__gnu_cxx::_Lock_policy)2>::~__shared_count() /usr/include/c++/7/bits/shared_ptr_base.h:684
        #7 0x7f7a88bc23e3 in std::__shared_ptr<Box, (__gnu_cxx::_Lock_policy)2>::~__shared_ptr() /usr/include/c++/7/bits/shared_ptr_base.h:1123
        #8 0x7f7a88bc24a3 in std::shared_ptr<Box>::~shared_ptr() /usr/include/c++/7/bits/shared_ptr.h:93
        #9 0x7f7a88be9854 in void std::_Destroy<std::shared_ptr<Box> >(std::shared_ptr<Box>*) /usr/include/c++/7/bits/stl_construct.h:98
        #10 0x7f7a88be4eb8 in void std::_Destroy_aux<false>::__destroy<std::shared_ptr<Box>*>(std::shared_ptr<Box>*, std::shared_ptr<Box>*) /usr/include/c++/7/bits/stl_construct.h:108
        #11 0x7f7a88bdafef in void std::_Destroy<std::shared_ptr<Box>*>(std::shared_ptr<Box>*, std::shared_ptr<Box>*) /usr/include/c++/7/bits/stl_construct.h:137
        #12 0x7f7a88bce3b8 in void std::_Destroy<std::shared_ptr<Box>*, std::shared_ptr<Box> >(std::shared_ptr<Box>*, std::shared_ptr<Box>*, std::allocator<std::shared_ptr<Box> >&) /usr/include/c++/7/bits/stl_construct.h:206
        #13 0x7f7a88bc3acf in std::vector<std::shared_ptr<Box>, std::allocator<std::shared_ptr<Box> > >::~vector() /usr/include/c++/7/bits/stl_vector.h:434
        #14 0x7f7a88bc02f8 in Box::~Box() (libheif/build/libheif/libheif.so.1+0xa22f8)
        #15 0x7f7a88bc053e in FullBox::~FullBox() (libheif/build/libheif/libheif.so.1+0xa253e)
        #16 0x7f7a88c09a8c in Box_meta::~Box_meta() (libheif/build/libheif/libheif.so.1+0xeba8c)
        #17 0x7f7a88c12579 in void __gnu_cxx::new_allocator<Box_meta>::destroy<Box_meta>(Box_meta*) /usr/include/c++/7/ext/new_allocator.h:140
        #18 0x7f7a88c111de in void std::allocator_traits<std::allocator<Box_meta> >::destroy<Box_meta>(std::allocator<Box_meta>&, Box_meta*) /usr/include/c++/7/bits/alloc_traits.h:487
        #19 0x7f7a88c10310 in std::_Sp_counted_ptr_inplace<Box_meta, std::allocator<Box_meta>, (__gnu_cxx::_Lock_policy)2>::_M_dispose() /usr/include/c++/7/bits/shared_ptr_base.h:535
        #20 0x7f7a88b940ec in std::_Sp_counted_base<(__gnu_cxx::_Lock_policy)2>::_M_release() /usr/include/c++/7/bits/shared_ptr_base.h:154
        #21 0x7f7a88b938c3 in std::__shared_count<(__gnu_cxx::_Lock_policy)2>::~__shared_count() /usr/include/c++/7/bits/shared_ptr_base.h:684
        #22 0x7f7a88bc23e3 in std::__shared_ptr<Box, (__gnu_cxx::_Lock_policy)2>::~__shared_ptr() /usr/include/c++/7/bits/shared_ptr_base.h:1123
        #23 0x7f7a88bc24a3 in std::shared_ptr<Box>::~shared_ptr() /usr/include/c++/7/bits/shared_ptr.h:93
        #24 0x7f7a88b9d8b5 in Box::read(BitstreamRange&, std::shared_ptr<Box>*) libheif/libheif/box.cc:436
        #25 0x7f7a88b9edac in Box::read_children(BitstreamRange&, int) libheif/libheif/box.cc:749
        #26 0x7f7a88bab707 in Box_iprp::parse(BitstreamRange&) libheif/libheif/box.cc:1731
        #27 0x7f7a88b9d7eb in Box::read(BitstreamRange&, std::shared_ptr<Box>*) libheif/libheif/box.cc:672
        #28 0x7f7a88b9edac in Box::read_children(BitstreamRange&, int) libheif/libheif/box.cc:749
        #29 0x7f7a88ba14a0 in Box_meta::parse(BitstreamRange&) libheif/libheif/box.cc:920
    
    previously allocated by thread T0 here:
        #0 0x7f7a88f6b258 in operator new(unsigned long) (/lib/x86_64-linux-gnu/libasan.so.4+0xe1258)
        #1 0x7f7a88c038a8 in __gnu_cxx::new_allocator<std::_Sp_counted_ptr_inplace<Box_hdlr, std::allocator<Box_hdlr>, (__gnu_cxx::_Lock_policy)2> >::allocate(unsigned long, void const*) /usr/include/c++/7/ext/new_allocator.h:111
        #2 0x7f7a88bfeeb4 in std::allocator_traits<std::allocator<std::_Sp_counted_ptr_inplace<Box_hdlr, std::allocator<Box_hdlr>, (__gnu_cxx::_Lock_policy)2> > >::allocate(std::allocator<std::_Sp_counted_ptr_inplace<Box_hdlr, std::allocator<Box_hdlr>, (__gnu_cxx::_Lock_policy)2> >&, unsigned long) /usr/include/c++/7/bits/alloc_traits.h:436
        #3 0x7f7a88bf44b9 in std::__allocated_ptr<std::allocator<std::_Sp_counted_ptr_inplace<Box_hdlr, std::allocator<Box_hdlr>, (__gnu_cxx::_Lock_policy)2> > > std::__allocate_guarded<std::allocator<std::_Sp_counted_ptr_inplace<Box_hdlr, std::allocator<Box_hdlr>, (__gnu_cxx::_Lock_policy)2> > >(std::allocator<std::_Sp_counted_ptr_inplace<Box_hdlr, std::allocator<Box_hdlr>, (__gnu_cxx::_Lock_policy)2> >&) /usr/include/c++/7/bits/allocated_ptr.h:104
        #4 0x7f7a88bea393 in std::__shared_count<(__gnu_cxx::_Lock_policy)2>::__shared_count<Box_hdlr, std::allocator<Box_hdlr>>(std::_Sp_make_shared_tag, Box_hdlr*, std::allocator<Box_hdlr> const&) /usr/include/c++/7/bits/shared_ptr_base.h:635
        #5 0x7f7a88be5955 in std::__shared_ptr<Box_hdlr, (__gnu_cxx::_Lock_policy)2>::__shared_ptr<std::allocator<Box_hdlr>>(std::_Sp_make_shared_tag, std::allocator<Box_hdlr> const&) /usr/include/c++/7/bits/shared_ptr_base.h:1295
        #6 0x7f7a88bdc441 in std::shared_ptr<Box_hdlr>::shared_ptr<std::allocator<Box_hdlr>>(std::_Sp_make_shared_tag, std::allocator<Box_hdlr> const&) /usr/include/c++/7/bits/shared_ptr.h:344
        #7 0x7f7a88bcf8a2 in std::shared_ptr<Box_hdlr> std::allocate_shared<Box_hdlr, std::allocator<Box_hdlr>>(std::allocator<Box_hdlr> const&) /usr/include/c++/7/bits/shared_ptr.h:691
        #8 0x7f7a88bc4768 in std::shared_ptr<Box_hdlr> std::make_shared<Box_hdlr>() /usr/include/c++/7/bits/shared_ptr.h:707
        #9 0x7f7a88b9bcf3 in Box::read(BitstreamRange&, std::shared_ptr<Box>*) libheif/libheif/box.cc:448
        #10 0x7f7a88b9edac in Box::read_children(BitstreamRange&, int) libheif/libheif/box.cc:749
        #11 0x7f7a88ba14a0 in Box_meta::parse(BitstreamRange&) libheif/libheif/box.cc:920
        #12 0x7f7a88b9d7eb in Box::read(BitstreamRange&, std::shared_ptr<Box>*) libheif/libheif/box.cc:672
        #13 0x7f7a88b9edac in Box::read_children(BitstreamRange&, int) libheif/libheif/box.cc:749
        #14 0x7f7a88bab707 in Box_iprp::parse(BitstreamRange&) libheif/libheif/box.cc:1731
        #15 0x7f7a88b9d7eb in Box::read(BitstreamRange&, std::shared_ptr<Box>*) libheif/libheif/box.cc:672
        #16 0x7f7a88b9edac in Box::read_children(BitstreamRange&, int) libheif/libheif/box.cc:749
        #17 0x7f7a88ba14a0 in Box_meta::parse(BitstreamRange&) libheif/libheif/box.cc:920
        #18 0x7f7a88b9d7eb in Box::read(BitstreamRange&, std::shared_ptr<Box>*) libheif/libheif/box.cc:672
        #19 0x7f7a88b9edac in Box::read_children(BitstreamRange&, int) libheif/libheif/box.cc:749
        #20 0x7f7a88ba14a0 in Box_meta::parse(BitstreamRange&) libheif/libheif/box.cc:920
        #21 0x7f7a88b9d7eb in Box::read(BitstreamRange&, std::shared_ptr<Box>*) libheif/libheif/box.cc:672
        #22 0x7f7a88c9217e in HeifFile::parse_heif_file(BitstreamRange&) libheif/libheif/file.cc:254
        #23 0x7f7a88c8ffc6 in HeifFile::read(std::shared_ptr<StreamReader> const&) libheif/libheif/file.cc:107
        #24 0x7f7a88c8f8c6 in HeifFile::read_from_file(char const*) libheif/libheif/file.cc:88
        #25 0x7f7a88c4b3d7 in HeifContext::read_from_file(char const*) libheif/libheif/context.cc:429
        #26 0x7f7a88c163ff in heif_context_read_from_file libheif/libheif/heif.cc:451
        #27 0x55fa40c33e68 in main libheif/examples/heif_convert.cc:410
        #28 0x7f7a88694082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082)
    
    SUMMARY: AddressSanitizer: heap-use-after-free libheif/libheif/uncompressed_image.cc:537 in UncompressedImageCodec::get_luma_bits_per_pixel_from_configuration_unci(HeifFile const&, unsigned int)
    Shadow bytes around the buggy address:
      0x0c1c7fff80d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x0c1c7fff80e0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
      0x0c1c7fff80f0: fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa
      0x0c1c7fff8100: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
      0x0c1c7fff8110: fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa fa
    =>0x0c1c7fff8120: fd fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x0c1c7fff8130: fd fd fd fd fa fa fa fa fa fa fa fa fd fd fd fd
      0x0c1c7fff8140: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa
      0x0c1c7fff8150: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
      0x0c1c7fff8160: fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa
      0x0c1c7fff8170: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
    ==88148==ABORTING
    

**POC**

*   poc-heap-overflow
*   poc-heap-uaf
*   poc-segv

**Environment**

    Description:	Ubuntu 22.04.2 LTS
    gcc (Ubuntu 11.4.0-1ubuntu1~22.04) 11.4.0
    

**Credit**

Yuchuan Meng (Fudan University)

CVE-2023-49464: heap-use-after-free/SEGV/heap-buffer-overflow in UncompressedImageCodec::get_luma_bits_per_pixel_from_configuration_unci · Issue #1044 · strukturag/libheif

Tag

#chrome