RIOT-OS, an operating system that supports Internet of Things devices, contains a network stack with the ability to process 6LoWPAN frames. An attacker can send a crafted frame to the device resulting in a large out of bounds write beyond the packet buffer. The write will create a hard fault exception after reaching the last page of RAM. The hard fault is not handled and the system will be stuck until reset. Thus the impact is denial of service. Version 2022.10 fixes this issue. As a workaround, apply the patch manually.

@@ -760,8 +760,9 @@ void gnrc\_sixlowpan\_iphc\_recv(gnrc\_pktsnip\_t \*sixlo, void \*rbuf\_ptr, iface = gnrc\_netif\_hdr\_get\_netif(netif->data); payload\_offset = \_iphc\_ipv6\_decode(iphc\_hdr, netif->data, iface, ipv6->data); if (payload\_offset == 0) { /\* unable to parse IPHC header \*/ if ((payload\_offset == 0) || (payload\_offset > sixlo->size)) { /\* unable to parse IPHC header or malicious packet \*/ DEBUG("6lo iphc: malformed IPHC header\\n"); \_recv\_error\_release(sixlo, ipv6, rbuf); return; } @@ -781,7 +782,9 @@ void gnrc\_sixlowpan\_iphc\_recv(gnrc\_pktsnip\_t \*sixlo, void \*rbuf\_ptr, &prev\_nh\_offset, ipv6, &uncomp\_hdr\_len); if (payload\_offset == 0) { if ((payload\_offset == 0) || (payload\_offset > sixlo->size)) { /\* unable to parse IPHC header or malicious packet \*/ DEBUG("6lo iphc: malformed IPHC NHC IPv6 header\\n"); \_recv\_error\_release(sixlo, ipv6, rbuf); return; } @@ -796,7 +799,9 @@ void gnrc\_sixlowpan\_iphc\_recv(gnrc\_pktsnip\_t \*sixlo, void \*rbuf\_ptr, prev\_nh\_offset, ipv6, &uncomp\_hdr\_len); if (payload\_offset == 0) { if ((payload\_offset == 0) || (payload\_offset > sixlo->size)) { /\* unable to parse IPHC header or malicious packet \*/ DEBUG("6lo iphc: malformed IPHC NHC IPv6 header\\n"); \_recv\_error\_release(sixlo, ipv6, rbuf); return; } @@ -898,9 +903,11 @@ void gnrc\_sixlowpan\_iphc\_recv(gnrc\_pktsnip\_t \*sixlo, void \*rbuf\_ptr, /\* re-assign IPv6 header in case realloc changed the address \*/ ipv6\_hdr = ipv6->data; ipv6\_hdr->len = byteorder\_htons(payload\_len); memcpy(((uint8\_t \*)ipv6->data) + uncomp\_hdr\_len, ((uint8\_t \*)sixlo->data) + payload\_offset, sixlo->size - payload\_offset); if (sixlo->size > payload\_offset) { memcpy(((uint8\_t \*)ipv6->data) + uncomp\_hdr\_len, ((uint8\_t \*)sixlo->data) + payload\_offset, sixlo->size - payload\_offset); } if (rbuf != NULL) { rbuf->super.current\_size += (uncomp\_hdr\_len - payload\_offset); #ifdef MODULE\_GNRC\_SIXLOWPAN\_FRAG\_VRB

CVE-2023-24820: gnrc_sixlowpan: Various hardening fixes [backport 2022.10] by miri64 · Pull Request #18820 · RIOT-OS/RIOT

In Tenda AC15 V15.03.05.19, the function "getIfIp" contains a stack-based buffer overflow vulnerability.

Tenda AC15 Unauthorized stack overflow vulnerability

****1\. Affected version:****

US\_AC15V1.0BR\_V15.03.05.19

****2\. Firmware download address****

资料下载\_腾达(Tenda)官方网站

****3\. Vulnerability details****

The function "getIfIp" contains a stack-based buffer overflow vulnerability. In the function, it reads in a user-provided parameter, and the variable is passed to the function without any length check, which may lead to overflow of the stack-based buffer. As a result, by requesting the page, an attacker can easily execute a denial of service attack or remote code execution with carefully crafted overflow data.

****4\. Recurring vulnerabilities and POC****

Due to legal and policy reasons, we are unable to provide the exploit for this vulnerability at this time.

**5\. Author**

范启航 220579866

CVE-2023-30375: Tenda/1.md at main · 2205794866/Tenda

In Tenda AC15 V15.03.05.19, the function "xian_pppoe_user" contains a stack-based buffer overflow vulnerability.

Tenda AC15 Unauthorized stack overflow vulnerability

****1\. Affected version:****

US\_AC15V1.0BR\_V15.03.05.19

****2\. Firmware download address****

资料下载\_腾达(Tenda)官方网站

****3\. Vulnerability details****

The function "xian\_pppoe\_user" contains a stack-based buffer overflow vulnerability. In the function, it reads in a user-provided parameter, and the variable is passed to the function without any length check, which may lead to overflow of the stack-based buffer. As a result, by requesting the page, an attacker can easily execute a denial of service attack or remote code execution with carefully crafted overflow data.

****4\. Recurring vulnerabilities and POC****

Due to legal and policy reasons, we are unable to provide the exploit for this vulnerability at this time.

**5\. Author**

范启航 220579866

CVE-2023-30373: Tenda/8.md at main · 2205794866/Tenda

In Tenda AC15 V15.03.05.19, the function "henan_pppoe_user" contains a stack-based buffer overflow vulnerability.

Tenda AC15 Unauthorized stack overflow vulnerability

****1\. Affected version:****

US\_AC15V1.0BR\_V15.03.05.19

****2\. Firmware download address****

资料下载\_腾达(Tenda)官方网站

****3\. Vulnerability details****

The function "henan\_pppoe\_user" contains a stack-based buffer overflow vulnerability. In the function, it reads in a user-provided parameter, and the variable is passed to the function without any length check, which may lead to overflow of the stack-based buffer. As a result, by requesting the page, an attacker can easily execute a denial of service attack or remote code execution with carefully crafted overflow data.

****4\. Recurring vulnerabilities and POC****

Due to legal and policy reasons, we are unable to provide the exploit for this vulnerability at this time.

**5\. Author**

范启航 220579866

CVE-2023-30376: Tenda/9.md at main · 2205794866/Tenda

In Tenda AC15 V15.03.05.19, The function "xkjs_ver32" contains a stack-based buffer overflow vulnerability.

Tenda AC15 Unauthorized stack overflow vulnerability

****1\. Affected version:****

US\_AC15V1.0BR\_V15.03.05.19

****2\. Firmware download address****

资料下载\_腾达(Tenda)官方网站

****3\. Vulnerability details****

The function "xkjs\_ver32" contains a stack-based buffer overflow vulnerability. In the function, it reads in a user-provided parameter, and the variable is passed to the function without any length check, which may lead to overflow of the stack-based buffer. As a result, by requesting the page, an attacker can easily execute a denial of service attack or remote code execution with carefully crafted overflow data.

****4\. Recurring vulnerabilities and POC****

Due to legal and policy reasons, we are unable to provide the exploit for this vulnerability at this time.

**5\. Author**

范启航 220579866

CVE-2023-30372: Tenda/10.md at main · 2205794866/Tenda

In Tenda AC15 V15.03.05.19, the function "sub_8EE8" contains a stack-based buffer overflow vulnerability.

Tenda AC15 Unauthorized stack overflow vulnerability

****1\. Affected version:****

US\_AC15V1.0BR\_V15.03.05.19

****2\. Firmware download address****

资料下载\_腾达(Tenda)官方网站

****3\. Vulnerability details****

The function "sub\_8EE8" contains a stack-based buffer overflow vulnerability. In the function, it reads in a user-provided parameter, and the variable is passed to the function without any length check, which may lead to overflow of the stack-based buffer. As a result, by requesting the page, an attacker can easily execute a denial of service attack or remote code execution with carefully crafted overflow data.

****4\. Recurring vulnerabilities and POC****

Due to legal and policy reasons, we are unable to provide the exploit for this vulnerability at this time.

**5\. Author**

范启航 220579866

CVE-2023-30378: Tenda/5.md at main · 2205794866/Tenda

In Tenda AC15 V15.03.05.19, the function "sub_ED14" contains a stack-based buffer overflow vulnerability.

Tenda AC15 Unauthorized stack overflow vulnerability

****1\. Affected version:****

US\_AC15V1.0BR\_V15.03.05.19

****2\. Firmware download address****

资料下载\_腾达(Tenda)官方网站

****3\. Vulnerability details****

The function "sub\_ED14" contains a stack-based buffer overflow vulnerability. In the function, it reads in a user-provided parameter, and the variable is passed to the function without any length check, which may lead to overflow of the stack-based buffer. As a result, by requesting the page, an attacker can easily execute a denial of service attack or remote code execution with carefully crafted overflow data.

****4\. Recurring vulnerabilities and POC****

Due to legal and policy reasons, we are unable to provide the exploit for this vulnerability at this time.

**5\. Author**

范启航 220579866

CVE-2023-30371: Tenda/4.md at main · 2205794866/Tenda

In Tenda AC15 V15.03.05.19, the function GetValue contains a stack-based buffer overflow vulnerability.

Tenda AC15 Unauthorized stack overflow vulnerability

****1\. Affected version:****

US\_AC15V1.0BR\_V15.03.05.19

****2\. Firmware download address****

资料下载\_腾达(Tenda)官方网站

****3\. Vulnerability details****

The function "GetValue" contains a stack-based buffer overflow vulnerability. In the function, it reads in a user-provided parameter, and the variable is passed to the function without any length check, which may lead to overflow of the stack-based buffer. As a result, by requesting the page, an attacker can easily execute a denial of service attack or remote code execution with carefully crafted overflow data.

****4\. Recurring vulnerabilities and POC****

Due to legal and policy reasons, we are unable to provide the exploit for this vulnerability at this time.

**5\. Author**

范启航 220579866

CVE-2023-30370: Tenda/7.md at main · 2205794866/Tenda

Debian Linux Security Advisory 5393-1 - Multiple security issues were discovered in Chromium, which could result in the execution of arbitrary code, denial of service or information disclosure.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5393-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffApril 22, 2023                        https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : chromiumCVE ID         : CVE-2023-2133 CVE-2023-2134 CVE-2023-2135 CVE-2023-2136                  CVE-2023-2137Multiple security issues were discovered in Chromium, which could resultin the execution of arbitrary code, denial of service or informationdisclosure.For the stable distribution (bullseye), these problems have been fixed inversion 112.0.5615.138-1~deb11u1.We recommend that you upgrade your chromium packages.For the detailed security status of chromium please refer toits security tracker page at:https://security-tracker.debian.org/tracker/chromiumFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmREBtkACgkQEMKTtsN8TjZHjA//Xt54GrjHMIT1eis48gYiXhfhUxNl1MiA4eeSYFJuidwGLoZbG8AGmT+2OHUvwjOCiJ4RHV06fnpPuftn95Q9Ehz79WkNeeZSIKCuZPeNK6u6c2LZv3enU3ojFejG5y6k/L6kwBx7VUPNnvraZVZcB0zwbL/f9B5wXgAwluxqynyX3vZBPRjTsJATLQs/PMhx7wWVFXspQjIm6+9bVySuNEsIUTIsDNnRlLnSVler3THdcmlHLBVDU1Qb3CIN6bAzDDnJSOUQIHWKIPLSr84ygeT6n0/eeC7qzqJ4WvG7TKhsyXrH1z+XzRdMFajVDrOhYmofmRG4WgyXibcOfi0eR7aEahNVG4aLZlP+hZvKDlDrSJ5kzI8IH4NaXZid9IGZaOXvxKaTOsKaBuC3uHDlWny1aU5MBb/itSeYbXmNVzIip7BJ10wG9rjaQ4d6VEbrMDEEWy5rqP1PUexW5wNDAwNhMHhV2pgPHnDzkC3ScQM6uN4X2vxs58oGMaSsjqjYpR5MOIEoh2SnNdz4NDXxjP8+bdpOu7MOIh4nYBC/zcWf84DgeMq1tv3RR2LDXfwdMZyxlZc7thPvtZhXfUsDJRX38LD0S0B4JR1ERRqYerpj3ixAuOk6OyyJA0CcdiI1Yave1rFGzjzitxYkpgYG+uRYa/GWgDOuG1Ebbk6R2cE==vqQn-----END PGP SIGNATURE-----

Debian Security Advisory 5393-1

Debian Linux Security Advisory 5392-1 - Multiple security issues were discovered in Thunderbird, which could result in denial of service or the execution of arbitrary code.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5392-1                   security@debian.org  
https://www.debian.org/security/                       Moritz Muehlenhoff  
April 22, 2023                        https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : thunderbird  
CVE ID         : CVE-2023-0547 CVE-2023-1945 CVE-2023-28427 CVE-2023-29479   
                 CVE-2023-29533 CVE-2023-29535 CVE-2023-29536 CVE-2023-29539   
                 CVE-2023-29541 CVE-2023-29548 CVE-2023-29550

Multiple security issues were discovered in Thunderbird, which could  
result in denial of service or the execution of arbitrary code.

For the stable distribution (bullseye), these problems have been fixed in  
version 1:102.10.0-1~deb11u1.

We recommend that you upgrade your thunderbird packages.

For the detailed security status of thunderbird please refer to  
its security tracker page at:  
https://security-tracker.debian.org/tracker/thunderbird

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmREBsEACgkQEMKTtsN8  
TjZX4w/+OuttNpDWu8m7daY/USfgb3U7pVI+wbMrqMKxSjQ6BRCUaCcXN1VXZpXn  
cOGTqSoFB+qBgYrSjJ0buH9L1yWAQXfaw43wF9eDAfRZB1Svzhl+W164GGks1YKZ  
9WbJ255lvCuXuNbmP+I1xYtuN5epP1saNAET/3HDkJUbXre5T3wdGCjgJnfyE6vf  
JhAwqVYEbOabRisnEhkP67yHk6mEz2QzH+KbbxyS7hCHp+I4RIMNhxPeoPb2Mn/t  
3oja8bC1WGpJaOaQy99UlCD11L8li30LbVb95V8l91tVzbXJwfOCmdjdRp+8/xA/  
fSpNdjCa7rbX8FWeU/FNunia/KkkJgc3qa65+e0muq99gdBk/+1HrrysjZt2oya5  
/vOMLjDfRmfqyB2fn65Isl2PhJnJN9EtPXeEFGLGNmRfqVlg2w4qXm2UUGDPmeuF  
rQrsYJ7YLLfQp7JejtNbPZbH+csEXFn2DRVv9YdOX5/H+a/boqe0h+9Wtmywzfw1  
uH+A5iY5JyLhknMyzfopCfpZIcV4ieRxeOdKvkUom67zKr2OAigSGxpz7EFdnunn  
gITqkbFqHtdjcCq/Vuj+vlfcUP7iLrWNSR9FZc9k9QcN0kaot8CqUmXF4zjkH/le  
sZMm+pcds9XpShSb3SXatKj3YY/O+DbHEcuKFSjg6DSHwEz4GLI=  
=tV7a  
-----END PGP SIGNATURE-----

Tag

#dos