Passing an attacker controlled size when creating an IOBuf could cause integer overflow, leading to an out of bounds write on the heap with the possibility of remote code execution. This issue affects versions of folly prior to v2021.07.22.00. This issue affects HHVM versions prior to 4.80.5, all versions between 4.81.0 and 4.102.1, all versions between 4.103.0 and 4.113.0, and versions 4.114.0, 4.115.0, 4.116.0, 4.117.0, 4.118.0 and 4.118.1.

A security update has been released for all supported HHVM versions. Please update to one of the following versions to get the update:

*   4.80.5
*   4.102.2
*   4.113.1
*   4.114.1
*   4.115.1
*   4.116.1
*   4.117.1
*   4.118.2

4.80.6 and 4.102.3 are also released for Debian 10 Buster and Ubuntu 18.04 Bionic, updating build system compatibility with those platforms.

This security update addresses:

*   CVE-2021-24036, a remote code execution vulnerability in Folly’s IOBuf class
*   an issue in HHVM that could lead to specially crafted XBox request parameter data being interpreted as other RPCServer commands.

CVE-2021-24036: Security Update

A heap buffer overflow vulnerability in msadpcm_decode_block of libsndfile 1.0.30 allows attackers to execute arbitrary code via a crafted WAV file.

Hi,  
fuzzing sndfile-info with AFL++ I found a heap-buffer-overflow in in msadpcm\_decode\_block /home/andreaf/real/libsndfile/src/ms\_adpcm.c:279

I'm on an x86-64 Ubuntu 20.04 with Clang 10.

The AddressSanitizer report is the following:

    =================================================================
    ==24888==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x621000001238 at pc 0x0000005ebedc bp 0x7ffced651bd0 sp 0x7ffced651bc8
    WRITE of size 2 at 0x621000001238 thread T0
        #0 0x5ebedb in msadpcm_decode_block /home/andreaf/libsndfile/src/ms_adpcm.c:279:31
        #1 0x5e9cf8 in wavlike_msadpcm_init /home/andreaf/libsndfile/src/ms_adpcm.c:171:3
        #2 0x566da9 in wav_open /home/andreaf/libsndfile/src/wav.c:258:14
        #3 0x4cc6d2 in psf_open_file /home/andreaf/libsndfile/src/sndfile.c:3080:13
        #4 0x4caa5e in sf_open /home/andreaf/libsndfile/src/sndfile.c:359:9
        #5 0x4c57dd in cart_dump /home/andreaf/libsndfile/programs/sndfile-info.c:479:14
        #6 0x4c36c3 in main /home/andreaf/libsndfile/programs/sndfile-info.c:96:13
        #7 0x7f114ca61bf6 in __libc_start_main /build/glibc-S9d2JN/glibc-2.27/csu/../csu/libc-start.c:310
        #8 0x41b4c9 in _start (/home/andreaf/libsndfile/programs/sndfile-info+0x41b4c9)
    
    0x621000001238 is located 0 bytes to the right of 4408-byte region [0x621000000100,0x621000001238)
    allocated by thread T0 here:
        #0 0x493d82 in calloc (/home/andreaf/libsndfile/programs/sndfile-info+0x493d82)
        #1 0x5e90b4 in wavlike_msadpcm_init /home/andreaf/libsndfile/src/ms_adpcm.c:138:27
        #2 0x566da9 in wav_open /home/andreaf/libsndfile/src/wav.c:258:14
        #3 0x4cc6d2 in psf_open_file /home/andreaf/libsndfile/src/sndfile.c:3080:13
        #4 0x4caa5e in sf_open /home/andreaf/libsndfile/src/sndfile.c:359:9
        #5 0x4c57dd in cart_dump /home/andreaf/libsndfile/programs/sndfile-info.c:479:14
        #6 0x4c36c3 in main /home/andreaf/libsndfile/programs/sndfile-info.c:96:13
        #7 0x7f114ca61bf6 in __libc_start_main /build/glibc-S9d2JN/glibc-2.27/csu/../csu/libc-start.c:310
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /home/andreaf/libsndfile/src/ms_adpcm.c:279:31 in msadpcm_decode_block
    Shadow bytes around the buggy address:
      0x0c427fff81f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c427fff8200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c427fff8210: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c427fff8220: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c427fff8230: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x0c427fff8240: 00 00 00 00 00 00 00[fa]fa fa fa fa fa fa fa fa
      0x0c427fff8250: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c427fff8260: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c427fff8270: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c427fff8280: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c427fff8290: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==24888==ABORTING
    

To reproduce on git master:

    export CC='clang-10 -fsanitize=address'
    export CFLAGS='-g'
    ./configure --disable-shared
    make
    ./programs/sndfile-info --cart ./sndfile_heap_overflow
    

The testcase that triggers the bug is (decompress it before):

sndfile\_heap\_overflow.tar.gz

CVE-2021-3246: heap-buffer-overflow in in msadpcm_decode_block · Issue #687 · libsndfile/libsndfile

Crash in DNP dissector in Wireshark 3.4.0 to 3.4.6 and 3.2.0 to 3.2.14 allows denial of service via packet injection or crafted capture file

Skip to content

Open Issue created Jun 26, 2021 by **A Wireshark GitLab Utility@ws-gitlab-utility**Developer

**Buildbot crash output: fuzz-2021-06-26-9972.pcap**

Problems have been found with the following capture file:

https://www.wireshark.org/download/automated/captures/fuzz-2021-06-26-9972.pcap

stderr:

    Input file: /var/menagerie/menagerie/13795-multipleDNPFramesUDPSegment.pcapng
    
    Build host information:
    Linux runner-yq5rrvnm-project-7898047-concurrent-2 5.4.0-74-generic #83-Ubuntu SMP Sat May 8 02:35:39 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
    Distributor ID:	Ubuntu
    Description:	Ubuntu 20.04.2 LTS
    Release:	20.04
    Codename:	focal
    
    Return value:  0
    
    Dissector bug:  0
    
    Valgrind error count:  0
    
    
    
    Latest (but not necessarily the problem) commit:
    472eaf91 "config.h" need not and should not be included in any header
    
    
    Command and args: /builds/wireshark/wireshark/_install/bin/tshark -2  -nVxr
    Running as user "root" and group "root". This could be dangerous.
    =================================================================
    ==81662==ERROR: AddressSanitizer: attempting free on address which was not malloc()-ed: 0x60400040c730 in thread T0
    ==81662==WARNING: invalid path to external symbolizer!
    ==81662==WARNING: Failed to use and restart external symbolizer!
        #0 0x55ad73930492  (/builds/wireshark/wireshark/_install/bin/tshark+0xd9492)
        #1 0x7f821d2f7c00  (/builds/wireshark/wireshark/_install/lib/libwireshark.so.0+0xa337c00)
        #2 0x7f821e6962ae  (/builds/wireshark/wireshark/_install/lib/libwireshark.so.0+0xb6d62ae)
        #3 0x7f821d2f608f  (/builds/wireshark/wireshark/_install/lib/libwireshark.so.0+0xa33608f)
        #4 0x7f821faa2dda  (/builds/wireshark/wireshark/_install/lib/libwireshark.so.0+0xcae2dda)
        #5 0x7f821fa98723  (/builds/wireshark/wireshark/_install/lib/libwireshark.so.0+0xcad8723)
        #6 0x7f821fa980b3  (/builds/wireshark/wireshark/_install/lib/libwireshark.so.0+0xcad80b3)
        #7 0x7f821fa98ac2  (/builds/wireshark/wireshark/_install/lib/libwireshark.so.0+0xcad8ac2)
        #8 0x7f821e694507  (/builds/wireshark/wireshark/_install/lib/libwireshark.so.0+0xb6d4507)
        #9 0x7f821e69ca19  (/builds/wireshark/wireshark/_install/lib/libwireshark.so.0+0xb6dca19)
        #10 0x7f821e6972cd  (/builds/wireshark/wireshark/_install/lib/libwireshark.so.0+0xb6d72cd)
        #11 0x7f821faa2dda  (/builds/wireshark/wireshark/_install/lib/libwireshark.so.0+0xcae2dda)
        #12 0x7f821fa98723  (/builds/wireshark/wireshark/_install/lib/libwireshark.so.0+0xcad8723)
        #13 0x7f821fa980b3  (/builds/wireshark/wireshark/_install/lib/libwireshark.so.0+0xcad80b3)
        #14 0x7f821d8848ce  (/builds/wireshark/wireshark/_install/lib/libwireshark.so.0+0xa8c48ce)
        #15 0x7f821d889a4d  (/builds/wireshark/wireshark/_install/lib/libwireshark.so.0+0xa8c9a4d)
        #16 0x7f821faa2dda  (/builds/wireshark/wireshark/_install/lib/libwireshark.so.0+0xcae2dda)
        #17 0x7f821fa98723  (/builds/wireshark/wireshark/_install/lib/libwireshark.so.0+0xcad8723)
        #18 0x7f821fa980b3  (/builds/wireshark/wireshark/_install/lib/libwireshark.so.0+0xcad80b3)
        #19 0x7f821fa98ac2  (/builds/wireshark/wireshark/_install/lib/libwireshark.so.0+0xcad8ac2)
        #20 0x7f821d473b53  (/builds/wireshark/wireshark/_install/lib/libwireshark.so.0+0xa4b3b53)
        #21 0x7f821faa2dda  (/builds/wireshark/wireshark/_install/lib/libwireshark.so.0+0xcae2dda)
        #22 0x7f821fa98723  (/builds/wireshark/wireshark/_install/lib/libwireshark.so.0+0xcad8723)
        #23 0x7f821fa9f990  (/builds/wireshark/wireshark/_install/lib/libwireshark.so.0+0xcadf990)
        #24 0x7f821fa94b44  (/builds/wireshark/wireshark/_install/lib/libwireshark.so.0+0xcad4b44)
        #25 0x7f821d47095a  (/builds/wireshark/wireshark/_install/lib/libwireshark.so.0+0xa4b095a)
        #26 0x7f821d46f580  (/builds/wireshark/wireshark/_install/lib/libwireshark.so.0+0xa4af580)
        #27 0x7f821faa2dda  (/builds/wireshark/wireshark/_install/lib/libwireshark.so.0+0xcae2dda)
        #28 0x7f821fa98723  (/builds/wireshark/wireshark/_install/lib/libwireshark.so.0+0xcad8723)
        #29 0x7f821fa9f990  (/builds/wireshark/wireshark/_install/lib/libwireshark.so.0+0xcadf990)
        #30 0x7f821d4fa58b  (/builds/wireshark/wireshark/_install/lib/libwireshark.so.0+0xa53a58b)
        #31 0x7f821faa2dda  (/builds/wireshark/wireshark/_install/lib/libwireshark.so.0+0xcae2dda)
        #32 0x7f821fa98723  (/builds/wireshark/wireshark/_install/lib/libwireshark.so.0+0xcad8723)
        #33 0x7f821fa9f990  (/builds/wireshark/wireshark/_install/lib/libwireshark.so.0+0xcadf990)
        #34 0x7f821fa94b44  (/builds/wireshark/wireshark/_install/lib/libwireshark.so.0+0xcad4b44)
        #35 0x7f821fa943b1  (/builds/wireshark/wireshark/_install/lib/libwireshark.so.0+0xcad43b1)
        #36 0x7f821fa672a8  (/builds/wireshark/wireshark/_install/lib/libwireshark.so.0+0xcaa72a8)
        #37 0x55ad73995bcf  (/builds/wireshark/wireshark/_install/bin/tshark+0x13ebcf)
        #38 0x55ad73993dd2  (/builds/wireshark/wireshark/_install/bin/tshark+0x13cdd2)
        #39 0x55ad7398eb85  (/builds/wireshark/wireshark/_install/bin/tshark+0x137b85)
        #40 0x55ad73988f66  (/builds/wireshark/wireshark/_install/bin/tshark+0x131f66)
        #41 0x7f821267b0b2  (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
        #42 0x55ad738b549d  (/builds/wireshark/wireshark/_install/bin/tshark+0x5e49d)
    
    0x60400040c730 is located 32 bytes inside of 46-byte region [0x60400040c710,0x60400040c73e)
    allocated by thread T0 here:
        #0 0x55ad739306fd  (/builds/wireshark/wireshark/_install/bin/tshark+0xd96fd)
        #1 0x7f82128e8e98  (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x57e98)
        #2 0x7f821f98a11f  (/builds/wireshark/wireshark/_install/lib/libwireshark.so.0+0xc9ca11f)
        #3 0x7f821f98159e  (/builds/wireshark/wireshark/_install/lib/libwireshark.so.0+0xc9c159e)
        #4 0x7f821d2f7286  (/builds/wireshark/wireshark/_install/lib/libwireshark.so.0+0xa337286)
        #5 0x7f821e6962ae  (/builds/wireshark/wireshark/_install/lib/libwireshark.so.0+0xb6d62ae)
        #6 0x7f821d2f608f  (/builds/wireshark/wireshark/_install/lib/libwireshark.so.0+0xa33608f)
        #7 0x7f821faa2dda  (/builds/wireshark/wireshark/_install/lib/libwireshark.so.0+0xcae2dda)
        #8 0x7f821fa98723  (/builds/wireshark/wireshark/_install/lib/libwireshark.so.0+0xcad8723)
        #9 0x7f821fa980b3  (/builds/wireshark/wireshark/_install/lib/libwireshark.so.0+0xcad80b3)
        #10 0x7f821fa98ac2  (/builds/wireshark/wireshark/_install/lib/libwireshark.so.0+0xcad8ac2)
        #11 0x7f821e694507  (/builds/wireshark/wireshark/_install/lib/libwireshark.so.0+0xb6d4507)
        #12 0x7f821e69ca19  (/builds/wireshark/wireshark/_install/lib/libwireshark.so.0+0xb6dca19)
        #13 0x7f821e6972cd  (/builds/wireshark/wireshark/_install/lib/libwireshark.so.0+0xb6d72cd)
        #14 0x7f821faa2dda  (/builds/wireshark/wireshark/_install/lib/libwireshark.so.0+0xcae2dda)
        #15 0x7f821fa98723  (/builds/wireshark/wireshark/_install/lib/libwireshark.so.0+0xcad8723)
        #16 0x7f821fa980b3  (/builds/wireshark/wireshark/_install/lib/libwireshark.so.0+0xcad80b3)
        #17 0x7f821d8848ce  (/builds/wireshark/wireshark/_install/lib/libwireshark.so.0+0xa8c48ce)
        #18 0x7f821d889a4d  (/builds/wireshark/wireshark/_install/lib/libwireshark.so.0+0xa8c9a4d)
        #19 0x7f821faa2dda  (/builds/wireshark/wireshark/_install/lib/libwireshark.so.0+0xcae2dda)
        #20 0x7f821fa98723  (/builds/wireshark/wireshark/_install/lib/libwireshark.so.0+0xcad8723)
        #21 0x7f821fa980b3  (/builds/wireshark/wireshark/_install/lib/libwireshark.so.0+0xcad80b3)
        #22 0x7f821fa98ac2  (/builds/wireshark/wireshark/_install/lib/libwireshark.so.0+0xcad8ac2)
        #23 0x7f821d473b53  (/builds/wireshark/wireshark/_install/lib/libwireshark.so.0+0xa4b3b53)
        #24 0x7f821faa2dda  (/builds/wireshark/wireshark/_install/lib/libwireshark.so.0+0xcae2dda)
        #25 0x7f821fa98723  (/builds/wireshark/wireshark/_install/lib/libwireshark.so.0+0xcad8723)
        #26 0x7f821fa9f990  (/builds/wireshark/wireshark/_install/lib/libwireshark.so.0+0xcadf990)
        #27 0x7f821fa94b44  (/builds/wireshark/wireshark/_install/lib/libwireshark.so.0+0xcad4b44)
        #28 0x7f821d47095a  (/builds/wireshark/wireshark/_install/lib/libwireshark.so.0+0xa4b095a)
        #29 0x7f821d46f580  (/builds/wireshark/wireshark/_install/lib/libwireshark.so.0+0xa4af580)
    
    SUMMARY: AddressSanitizer: bad-free (/builds/wireshark/wireshark/_install/bin/tshark+0xd9492) 
    ==81662==ABORTING
    
    fuzz-test.sh stderr:
    Running as user "root" and group "root". This could be dangerous.

_no debug trace_

CVE-2021-22235: Buildbot crash output: fuzz-2021-06-26-9972.pcap (#17462) · Issues · Wireshark Foundation / wireshark · GitLab

Problems have been found with the following capture file:

https://www.wireshark.org/download/automated/captures/fuzz-2021-06-26-9972.pcap

stderr:

    Input file: /var/menagerie/menagerie/13795-multipleDNPFramesUDPSegment.pcapng
    
    Build host information:
    Linux runner-yq5rrvnm-project-7898047-concurrent-2 5.4.0-74-generic #83-Ubuntu SMP Sat May 8 02:35:39 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
    Distributor ID:	Ubuntu
    Description:	Ubuntu 20.04.2 LTS
    Release:	20.04
    Codename:	focal
    
    Return value:  0
    
    Dissector bug:  0
    
    Valgrind error count:  0
    
    
    
    Latest (but not necessarily the problem) commit:
    472eaf91 "config.h" need not and should not be included in any header
    
    
    Command and args: /builds/wireshark/wireshark/_install/bin/tshark -2  -nVxr
    Running as user "root" and group "root". This could be dangerous.
    =================================================================
    ==81662==ERROR: AddressSanitizer: attempting free on address which was not malloc()-ed: 0x60400040c730 in thread T0
    ==81662==WARNING: invalid path to external symbolizer!
    ==81662==WARNING: Failed to use and restart external symbolizer!
        #0 0x55ad73930492  (/builds/wireshark/wireshark/_install/bin/tshark+0xd9492)
        #1 0x7f821d2f7c00  (/builds/wireshark/wireshark/_install/lib/libwireshark.so.0+0xa337c00)
        #2 0x7f821e6962ae  (/builds/wireshark/wireshark/_install/lib/libwireshark.so.0+0xb6d62ae)
        #3 0x7f821d2f608f  (/builds/wireshark/wireshark/_install/lib/libwireshark.so.0+0xa33608f)
        #4 0x7f821faa2dda  (/builds/wireshark/wireshark/_install/lib/libwireshark.so.0+0xcae2dda)
        #5 0x7f821fa98723  (/builds/wireshark/wireshark/_install/lib/libwireshark.so.0+0xcad8723)
        #6 0x7f821fa980b3  (/builds/wireshark/wireshark/_install/lib/libwireshark.so.0+0xcad80b3)
        #7 0x7f821fa98ac2  (/builds/wireshark/wireshark/_install/lib/libwireshark.so.0+0xcad8ac2)
        #8 0x7f821e694507  (/builds/wireshark/wireshark/_install/lib/libwireshark.so.0+0xb6d4507)
        #9 0x7f821e69ca19  (/builds/wireshark/wireshark/_install/lib/libwireshark.so.0+0xb6dca19)
        #10 0x7f821e6972cd  (/builds/wireshark/wireshark/_install/lib/libwireshark.so.0+0xb6d72cd)
        #11 0x7f821faa2dda  (/builds/wireshark/wireshark/_install/lib/libwireshark.so.0+0xcae2dda)
        #12 0x7f821fa98723  (/builds/wireshark/wireshark/_install/lib/libwireshark.so.0+0xcad8723)
        #13 0x7f821fa980b3  (/builds/wireshark/wireshark/_install/lib/libwireshark.so.0+0xcad80b3)
        #14 0x7f821d8848ce  (/builds/wireshark/wireshark/_install/lib/libwireshark.so.0+0xa8c48ce)
        #15 0x7f821d889a4d  (/builds/wireshark/wireshark/_install/lib/libwireshark.so.0+0xa8c9a4d)
        #16 0x7f821faa2dda  (/builds/wireshark/wireshark/_install/lib/libwireshark.so.0+0xcae2dda)
        #17 0x7f821fa98723  (/builds/wireshark/wireshark/_install/lib/libwireshark.so.0+0xcad8723)
        #18 0x7f821fa980b3  (/builds/wireshark/wireshark/_install/lib/libwireshark.so.0+0xcad80b3)
        #19 0x7f821fa98ac2  (/builds/wireshark/wireshark/_install/lib/libwireshark.so.0+0xcad8ac2)
        #20 0x7f821d473b53  (/builds/wireshark/wireshark/_install/lib/libwireshark.so.0+0xa4b3b53)
        #21 0x7f821faa2dda  (/builds/wireshark/wireshark/_install/lib/libwireshark.so.0+0xcae2dda)
        #22 0x7f821fa98723  (/builds/wireshark/wireshark/_install/lib/libwireshark.so.0+0xcad8723)
        #23 0x7f821fa9f990  (/builds/wireshark/wireshark/_install/lib/libwireshark.so.0+0xcadf990)
        #24 0x7f821fa94b44  (/builds/wireshark/wireshark/_install/lib/libwireshark.so.0+0xcad4b44)
        #25 0x7f821d47095a  (/builds/wireshark/wireshark/_install/lib/libwireshark.so.0+0xa4b095a)
        #26 0x7f821d46f580  (/builds/wireshark/wireshark/_install/lib/libwireshark.so.0+0xa4af580)
        #27 0x7f821faa2dda  (/builds/wireshark/wireshark/_install/lib/libwireshark.so.0+0xcae2dda)
        #28 0x7f821fa98723  (/builds/wireshark/wireshark/_install/lib/libwireshark.so.0+0xcad8723)
        #29 0x7f821fa9f990  (/builds/wireshark/wireshark/_install/lib/libwireshark.so.0+0xcadf990)
        #30 0x7f821d4fa58b  (/builds/wireshark/wireshark/_install/lib/libwireshark.so.0+0xa53a58b)
        #31 0x7f821faa2dda  (/builds/wireshark/wireshark/_install/lib/libwireshark.so.0+0xcae2dda)
        #32 0x7f821fa98723  (/builds/wireshark/wireshark/_install/lib/libwireshark.so.0+0xcad8723)
        #33 0x7f821fa9f990  (/builds/wireshark/wireshark/_install/lib/libwireshark.so.0+0xcadf990)
        #34 0x7f821fa94b44  (/builds/wireshark/wireshark/_install/lib/libwireshark.so.0+0xcad4b44)
        #35 0x7f821fa943b1  (/builds/wireshark/wireshark/_install/lib/libwireshark.so.0+0xcad43b1)
        #36 0x7f821fa672a8  (/builds/wireshark/wireshark/_install/lib/libwireshark.so.0+0xcaa72a8)
        #37 0x55ad73995bcf  (/builds/wireshark/wireshark/_install/bin/tshark+0x13ebcf)
        #38 0x55ad73993dd2  (/builds/wireshark/wireshark/_install/bin/tshark+0x13cdd2)
        #39 0x55ad7398eb85  (/builds/wireshark/wireshark/_install/bin/tshark+0x137b85)
        #40 0x55ad73988f66  (/builds/wireshark/wireshark/_install/bin/tshark+0x131f66)
        #41 0x7f821267b0b2  (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
        #42 0x55ad738b549d  (/builds/wireshark/wireshark/_install/bin/tshark+0x5e49d)
    
    0x60400040c730 is located 32 bytes inside of 46-byte region [0x60400040c710,0x60400040c73e)
    allocated by thread T0 here:
        #0 0x55ad739306fd  (/builds/wireshark/wireshark/_install/bin/tshark+0xd96fd)
        #1 0x7f82128e8e98  (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x57e98)
        #2 0x7f821f98a11f  (/builds/wireshark/wireshark/_install/lib/libwireshark.so.0+0xc9ca11f)
        #3 0x7f821f98159e  (/builds/wireshark/wireshark/_install/lib/libwireshark.so.0+0xc9c159e)
        #4 0x7f821d2f7286  (/builds/wireshark/wireshark/_install/lib/libwireshark.so.0+0xa337286)
        #5 0x7f821e6962ae  (/builds/wireshark/wireshark/_install/lib/libwireshark.so.0+0xb6d62ae)
        #6 0x7f821d2f608f  (/builds/wireshark/wireshark/_install/lib/libwireshark.so.0+0xa33608f)
        #7 0x7f821faa2dda  (/builds/wireshark/wireshark/_install/lib/libwireshark.so.0+0xcae2dda)
        #8 0x7f821fa98723  (/builds/wireshark/wireshark/_install/lib/libwireshark.so.0+0xcad8723)
        #9 0x7f821fa980b3  (/builds/wireshark/wireshark/_install/lib/libwireshark.so.0+0xcad80b3)
        #10 0x7f821fa98ac2  (/builds/wireshark/wireshark/_install/lib/libwireshark.so.0+0xcad8ac2)
        #11 0x7f821e694507  (/builds/wireshark/wireshark/_install/lib/libwireshark.so.0+0xb6d4507)
        #12 0x7f821e69ca19  (/builds/wireshark/wireshark/_install/lib/libwireshark.so.0+0xb6dca19)
        #13 0x7f821e6972cd  (/builds/wireshark/wireshark/_install/lib/libwireshark.so.0+0xb6d72cd)
        #14 0x7f821faa2dda  (/builds/wireshark/wireshark/_install/lib/libwireshark.so.0+0xcae2dda)
        #15 0x7f821fa98723  (/builds/wireshark/wireshark/_install/lib/libwireshark.so.0+0xcad8723)
        #16 0x7f821fa980b3  (/builds/wireshark/wireshark/_install/lib/libwireshark.so.0+0xcad80b3)
        #17 0x7f821d8848ce  (/builds/wireshark/wireshark/_install/lib/libwireshark.so.0+0xa8c48ce)
        #18 0x7f821d889a4d  (/builds/wireshark/wireshark/_install/lib/libwireshark.so.0+0xa8c9a4d)
        #19 0x7f821faa2dda  (/builds/wireshark/wireshark/_install/lib/libwireshark.so.0+0xcae2dda)
        #20 0x7f821fa98723  (/builds/wireshark/wireshark/_install/lib/libwireshark.so.0+0xcad8723)
        #21 0x7f821fa980b3  (/builds/wireshark/wireshark/_install/lib/libwireshark.so.0+0xcad80b3)
        #22 0x7f821fa98ac2  (/builds/wireshark/wireshark/_install/lib/libwireshark.so.0+0xcad8ac2)
        #23 0x7f821d473b53  (/builds/wireshark/wireshark/_install/lib/libwireshark.so.0+0xa4b3b53)
        #24 0x7f821faa2dda  (/builds/wireshark/wireshark/_install/lib/libwireshark.so.0+0xcae2dda)
        #25 0x7f821fa98723  (/builds/wireshark/wireshark/_install/lib/libwireshark.so.0+0xcad8723)
        #26 0x7f821fa9f990  (/builds/wireshark/wireshark/_install/lib/libwireshark.so.0+0xcadf990)
        #27 0x7f821fa94b44  (/builds/wireshark/wireshark/_install/lib/libwireshark.so.0+0xcad4b44)
        #28 0x7f821d47095a  (/builds/wireshark/wireshark/_install/lib/libwireshark.so.0+0xa4b095a)
        #29 0x7f821d46f580  (/builds/wireshark/wireshark/_install/lib/libwireshark.so.0+0xa4af580)
    
    SUMMARY: AddressSanitizer: bad-free (/builds/wireshark/wireshark/_install/bin/tshark+0xd9492) 
    ==81662==ABORTING
    
    fuzz-test.sh stderr:
    Running as user "root" and group "root". This could be dangerous.

_no debug trace_

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information

CVE-2021-22235: Buildbot crash output: fuzz-2021-06-26-9972.pcap (#17462) · Issues · Wireshark Foundation / wireshark

A global buffer overflow vulnerability in jfif_encode at jfif.c:701 of ffjpeg through 2020-06-22 allows attackers to cause a Denial of Service (DOS) via a crafted jpeg file.

**Describe**

A global-buffer-overflow was discovered in ffjpeg. The issue is being triggered in function jfif\_encode at jfif.c:701

**Reproduce**

Tested in Ubuntu 18.04, 64bit. Compile ffjpeg with address sanitizer as I changed CCFLAGS src/Makefile as:

# ASan
CCFLAGS = -Wall -g -fsanitize=address -fno-omit-frame-pointer -O1

And do this command to reproduce this issue:  
ffjpeg -e $poc  
poc is here

**Expected behavior**

An attacker can exploit this vulnerability by submitting a malicious jpeg that exploits this issue. This will result in a Denial of Service (DoS) and when the application attempts to process the file.

**ASAN Reports**

\==81140==ERROR: AddressSanitizer: global-buffer-overflow on address 0x56063a6c1b92 at pc 0x7f2c96918733 bp 0x7ffe503e7fe0 sp 0x7ffe503e7788
READ of size 272 at 0x56063a6c1b92 thread T0
    #0 0x7f2c96918732  (/usr/lib/x86\_64-linux-gnu/libasan.so.4+0x79732)
    #1 0x56063a6a88e7 in memcpy /usr/include/x86\_64-linux-gnu/bits/string\_fortified.h:34
    #2 0x56063a6a88e7 in jfif\_encode /root/study/ffjpeg/src/jfif.c:701
    #3 0x56063a69b382 in main /root/study/ffjpeg/src/ffjpeg.c:30
    #4 0x7f2c964cfb96 in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x21b96)
    #5 0x56063a69b829 in \_start (/root/study/ffjpeg/test/ffjpeg+0x2829)

0x56063a6c1b92 is located 0 bytes to the right of global variable 'STD\_HUFTAB\_LUMIN\_AC' defined in 'huffman.c:388:12' (0x56063a6c1ae0) of size 178
SUMMARY: AddressSanitizer: global-buffer-overflow (/usr/lib/x86\_64-linux-gnu/libasan.so.4+0x79732) 
Shadow bytes around the buggy address:
  0x0ac1474d0320: 00 00 00 00 00 00 00 00 05 f9 f9 f9 f9 f9 f9 f9
  0x0ac1474d0330: 00 00 00 04 f9 f9 f9 f9 00 00 00 00 00 00 00 00
  0x0ac1474d0340: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 f9
  0x0ac1474d0350: f9 f9 f9 f9 00 00 00 04 f9 f9 f9 f9 00 00 00 00
  0x0ac1474d0360: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=\>0x0ac1474d0370: 00 00\[02\]f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
  0x0ac1474d0380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ac1474d0390: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ac1474d03a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ac1474d03b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ac1474d03c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==81140==ABORTING

CVE-2020-23705: global-buffer-overflow in function jfif_encode at jfif.c:701 · Issue #25 · rockcarry/ffjpeg

A heap buffer overflow vulnerability in Ap4TrunAtom.cpp of Bento 1.5.1-628 may lead to an out-of-bounds write while running mp42aac, leading to system crashes and a denial of service (DOS).

There is a heap buffer overflow in Ap4TrunAtom.cpp when running mp42aac.  
Distributor ID: Ubuntu  
Description: Ubuntu 16.04.6 LTS  
Release: 16.04  
Codename: xenial  
gcc: 5.4.0

To reproduce the bug,  
compile the project with flag  
'-DCMAKE\_C\_FLAGS=-g -m32 -fsanitize=address,undefined'

then run:  
'./mp42aac input /dev/null'

\==147243==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf4208b40 at pc 0x083eb6d5 bp 0xffef35d8 sp 0xffef35c8  
WRITE of size 4 at 0xf4208b40 thread T0  
#0 0x83eb6d4 in AP4\_Array<AP4\_TrunAtom::Entry>::SetItemCount(unsigned int) /mnt/data/playground/mp42-a/Source/C++/Core/Ap4TrunAtom.h:58  
#1 0x83d7d9b in AP4\_TrunAtom::AP4\_TrunAtom(unsigned int, unsigned char, unsigned int, AP4\_ByteStream&) /mnt/data/playground/mp42-a/Source/C++/Core/Ap4TrunAtom.cpp:127  
#2 0x83dde35 in AP4\_TrunAtom::Create(unsigned int, AP4\_ByteStream&) /mnt/data/playground/mp42-a/Source/C++/Core/Ap4TrunAtom.cpp:51  
#3 0x82dd3b4 in AP4\_AtomFactory::CreateAtomFromStream(AP4\_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4\_Atom\*&) /mnt/data/playground/mp42-a/Source/C++/Core/Ap4AtomFactory.cpp:408  
#4 0x8301ca3 in AP4\_AtomFactory::CreateAtomFromStream(AP4\_ByteStream&, unsigned long long&, AP4\_Atom\*&) /mnt/data/playground/mp42-a/Source/C++/Core/Ap4AtomFactory.cpp:225  
#5 0x82b6bae in AP4\_ContainerAtom::ReadChildren(AP4\_AtomFactory&, AP4\_ByteStream&, unsigned long long) /mnt/data/playground/mp42-a/Source/C++/Core/Ap4ContainerAtom.cpp:194  
#6 0x82b6bae in AP4\_ContainerAtom::AP4\_ContainerAtom(unsigned int, unsigned long long, bool, AP4\_ByteStream&, AP4\_AtomFactory&) /mnt/data/playground/mp42-a/Source/C++/Core/Ap4ContainerAtom.cpp:139  
#7 0x841a898 in AP4\_MoovAtom::AP4\_MoovAtom(unsigned int, AP4\_ByteStream&, AP4\_AtomFactory&) /mnt/data/playground/mp42-a/Source/C++/Core/Ap4MoovAtom.cpp:80  
#8 0x82e2631 in AP4\_MoovAtom::Create(unsigned int, AP4\_ByteStream&, AP4\_AtomFactory&) /mnt/data/playground/mp42-a/Source/C++/Core/Ap4MoovAtom.h:56  
#9 0x82e2631 in AP4\_AtomFactory::CreateAtomFromStream(AP4\_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4\_Atom\*&) /mnt/data/playground/mp42-a/Source/C++/Core/Ap4AtomFactory.cpp:363  
#10 0x82fa1f7 in AP4\_AtomFactory::CreateAtomFromStream(AP4\_ByteStream&, unsigned long long&, AP4\_Atom\*&) /mnt/data/playground/mp42-a/Source/C++/Core/Ap4AtomFactory.cpp:225  
#11 0x82fa1f7 in AP4\_AtomFactory::CreateAtomFromStream(AP4\_ByteStream&, AP4\_Atom\*&) /mnt/data/playground/mp42-a/Source/C++/Core/Ap4AtomFactory.cpp:151  
#12 0x809a044 in AP4\_File::ParseStream(AP4\_ByteStream&, AP4\_AtomFactory&, bool) /mnt/data/playground/mp42-a/Source/C++/Core/Ap4File.cpp:104  
#13 0x809a044 in AP4\_File::AP4\_File(AP4\_ByteStream&, bool) /mnt/data/playground/mp42-a/Source/C++/Core/Ap4File.cpp:78  
#14 0x8082ce7 in main /mnt/data/playground/mp42-a/Source/C++/Apps/Mp42Aac/Mp42Aac.cpp:250  
#15 0xf6a26636 in \_\_libc\_start\_main (/lib/i386-linux-gnu/libc.so.6+0x18636)  
#16 0x808df1b (/mnt/data/playground/mp42-patch/Build/mp42aac+0x808df1b)

0xf4208b40 is located 0 bytes to the right of 34624-byte region \[0xf4200400,0xf4208b40)  
allocated by thread T0 here:  
#0 0xf729dcd6 in operator new(unsigned int) (/usr/lib32/libasan.so.2+0x97cd6)  
#1 0x83e9fa7 in AP4\_Array<AP4\_TrunAtom::Entry>::EnsureCapacity(unsigned int) /mnt/data/playground/mp42-a/Source/C++/Core/Ap4Array.h:172  
#2 0x83e9fa7 in AP4\_Array<AP4\_TrunAtom::Entry>::SetItemCount(unsigned int) /mnt/data/playground/mp42-a/Source/C++/Core/Ap4Array.h:210

SUMMARY: AddressSanitizer: heap-buffer-overflow /mnt/data/playground/mp42-a/Source/C++/Core/Ap4TrunAtom.h:58 AP4\_Array<AP4\_TrunAtom::Entry>::SetItemCount(unsigned int)  
Shadow bytes around the buggy address:  
0x3e841110: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x3e841120: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x3e841130: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x3e841140: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x3e841150: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
\=>0x3e841160: 00 00 00 00 00 00 00 00\[fa\]fa fa fa fa fa fa fa  
0x3e841170: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x3e841180: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x3e841190: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x3e8411a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x3e8411b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
Shadow byte legend (one shadow byte represents 8 application bytes):  
Addressable: 00  
Partially addressable: 01 02 03 04 05 06 07  
Heap left redzone: fa  
Heap right redzone: fb  
Freed heap region: fd  
Stack left redzone: f1  
Stack mid redzone: f2  
Stack right redzone: f3  
Stack partial redzone: f4  
Stack after return: f5  
Stack use after scope: f8  
Global redzone: f9  
Global init order: f6  
Poisoned by user: f7  
Container overflow: fc  
Array cookie: ac  
Intra object redzone: bb  
ASan internal: fe  
\==147243==ABORTING

poc\_input5.zip

CVE-2020-19721: Heap buffer overflow in Ap4TrunAtom.cpp when running mp42aac · Issue #415 · axiomatic-systems/Bento4

A buffer overflow vulnerability in the Databuf function in types.cpp of Exiv2 v0.27.1 leads to a denial of service (DOS).

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Assignees

**Comments**

There is a buffer overflow in exiv2 in file types.cpp.

Distributor ID: Ubuntu  
Description: Ubuntu 16.04.6 LTS  
Release: 16.04  
Codename: xenial  
gcc: 5.4.0

The compile command is:  
cmake ./ ;make

To reproduce the issue, run:  
./exiv2 input

Here is the trace reported by asan:

#0 0x7faff55ba631 (/usr/lib/x86\_64-linux-gnu/libasan.so.2+0xa0631)  
#1 0x7faff55bf5e3 in \_\_sanitizer::CheckFailed(char const\*, int, char const\*, unsigned long long, unsigned long long) (/usr/lib/x86\_64-linux-gnu/libasan.so.2+0xa55e3)  
#2 0x7faff5537425 (/usr/lib/x86\_64-linux-gnu/libasan.so.2+0x1d425)  
#3 0x7faff55bd865 (/usr/lib/x86\_64-linux-gnu/libasan.so.2+0xa3865)  
#4 0x7faff553cb4d (/usr/lib/x86\_64-linux-gnu/libasan.so.2+0x22b4d)  
#5 0x7faff55b367e in operator new\[\](unsigned long) (/usr/lib/x86\_64-linux-gnu/libasan.so.2+0x9967e)  
#6 0x7faff0f63d25 in Exiv2::DataBuf::DataBuf(long) /home/heqing/playground/exiv2-0.27.1-Source-a/src/types.cpp:141  
#7 0x7faff0dc8995 in Exiv2::RafImage::readMetadata() /home/heqing/playground/exiv2-0.27.1-Source-a/src/rafimage.cpp:300  
#8 0x77b36d in Action::Print::printSummary() /home/heqing/playground/exiv2-0.27.1-Source-a/src/actions.cpp:286  
#9 0x79935f in Action::Print::run(std::\_\_cxx11::basic\_string<char, std::char\_traits, std::allocator > const&) /home/heqing/playground/exiv2-0.27.1-Source-a/src/actions.cpp:246  
#10 0x410f18 in main /home/heqing/playground/exiv2-0.27.1-Source-a/src/exiv2.cpp:169  
#11 0x7fafecfe282f in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x2082f)  
#12 0x41abb8 in \_start (/home/heqing/playground/exiv2-0.27.1-Source-a/build/bin/exiv2+0x41abb8)

The reason is that DataBuf in types.cpp does not check the malloced buffer is a null pointer or not yet directly use memcpy to write the buffer.  

The attachment is the poc input.  
poc\_input2.zip

Thank you for reporting this.

I am unable to reproduce your report.

I have build 0.27.1-Source on Ubuntu 18.04  
and 0.27.2 (the current release)  
and master (the development branch)

    rmills@rmillsmm-ubuntu:~/gnu/github/exiv2/exiv2-0.27.1-Source/asan_build$ ls -l /media/psf/Home/Downloads/poc_input2
    -rw------- 1 rmills rmills 25 Aug  9 09:45 /media/psf/Home/Downloads/poc_input2
    rmills@rmillsmm-ubuntu:~/gnu/github/exiv2/exiv2-0.27.1-Source/asan_build$ bin/exiv2 /media/psf/Home/Downloads/poc_input2
    Exiv2 exception in print action for file /media/psf/Home/Downloads/poc_input2:
    Failed to read image data
    rmills@rmillsmm-ubuntu:~/gnu/github/exiv2/exiv2-0.27.1-Source/asan_build$ 
    

This one is reproducible on my server with exiv2 0.27.1.

I use  
cmake ../ ; make  
to compile the project.

Maybe this related to the system environment?  
But the reason is that exiv2 try to allocate a very large memory space from the heap, 0xfffffffffffffff4 bytes without prior checking or failure handling.

\==182864==WARNING: AddressSanitizer failed to allocate 0xfffffffffffffff4 bytes  
\==182864==AddressSanitizer's allocator is terminating the process instead of returning 0  
\==182864==If you don't like this behavior set allocator\_may\_return\_null=1  
\==182864==AddressSanitizer CHECK failed: ../../../../src/libsanitizer/sanitizer\_common/sanitizer\_allocator.cc:147 "((0)) != (0)" (0x0, 0x0)  
#0 0x7f02ba1ec631 (/usr/lib/x86\_64-linux-gnu/libasan.so.2+0xa0631)  
#1 0x7f02ba1f15e3 in \_\_sanitizer::CheckFailed(char const\*, int, char const\*, unsigned long long, unsigned long long) (/usr/lib/x86\_64-linux-gnu/libasan.so.2+0xa55e3)  
#2 0x7f02ba169425 (/usr/lib/x86\_64-linux-gnu/libasan.so.2+0x1d425)  
#3 0x7f02ba1ef865 (/usr/lib/x86\_64-linux-gnu/libasan.so.2+0xa3865)  
#4 0x7f02ba16eb4d (/usr/lib/x86\_64-linux-gnu/libasan.so.2+0x22b4d)  
#5 0x7f02ba1e567e in operator new\[\](unsigned long) (/usr/lib/x86\_64-linux-gnu/libasan.so.2+0x9967e)  
#6 0x7f02b5b95d25 in Exiv2::DataBuf::DataBuf(long) /home/heqing/playground/exiv2-0.27.1-Source-a/src/types.cpp:141  
#7 0x7f02b59fa995 in Exiv2::RafImage::readMetadata() /home/heqing/playground/exiv2-0.27.1-Source-a/src/rafimage.cpp:300  
#8 0x77b36d in Action::Print::printSummary() /home/heqing/playground/exiv2-0.27.1-Source-a/src/actions.cpp:286  
#9 0x79935f in Action::Print::run(std::\_\_cxx11::basic\_string<char, std::char\_traits, std::allocator > const&) /home/heqing/playground/exiv2-0.27.1-Source-a/src/actions.cpp:246  
#10 0x410f18 in main /home/heqing/playground/exiv2-0.27.1-Source-a/src/exiv2.cpp:169  
#11 0x7f02b1c1482f in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x2082f)  
#12 0x41abb8 in \_start (/home/heqing/playground/exiv2-0.27.1-Source-a/build/bin/exiv2+0x41abb8)

It cannot produce at the 0.27.2 version with this input, but I have checked the code which is the same to the 0.27.1 version.  
I think the reason is that there are some upper-level check for the file format,  
however, the unhandled exhaustive memory usage can still cause the problem if this part of the code is reached.

Thanks. We're working together.

I've built 0.27.1, 0.27.2 and master without ASAN on Ubuntu and get:  
**0.27.1**

    rmills@rmillsmm-ubuntu:~/gnu/github/exiv2/exiv2-0.27.1-Source/build$ bin/exiv2 --version | head -1
    exiv2 0.27.1
    rmills@rmillsmm-ubuntu:~/gnu/github/exiv2/exiv2-0.27.1-Source/build$ bin/exiv2 /media/psf/Home/Downloads/poc_input2
    Uncaught exception: std::bad_alloc
    

**0.27.2**

    rmills@rmillsmm-ubuntu:~/gnu/github/exiv2/0.27-maintenance/build$ bin/exiv2 --version | head -1
    exiv2 0.27.2
    rmills@rmillsmm-ubuntu:~/gnu/github/exiv2/0.27-maintenance/build$ bin/exiv2 /media/psf/Home/Downloads/poc_input2
    Exiv2 exception in print action for file /media/psf/Home/Downloads/poc_input2:
    Failed to read image data
    rmills@rmillsmm-ubuntu:~/gnu/github/exiv2/0.27-maintenance/build$
    

**master:**

    rmills@rmillsmm-ubuntu:~/gnu/github/exiv2/master/build$ bin/exiv2 --version | head -1
    exiv2 0.27.99.0
    rmills@rmillsmm-ubuntu:~/gnu/github/exiv2/master/build$ bin/exiv2 /media/psf/Home/Downloads/poc_input2
    Exiv2 exception in print action for file /media/psf/Home/Downloads/poc_input2:
    Failed to read image data
    

We added a check a couple of years ago:

    if (alloc_size > file.size() ) throw crazy_alloc;
    

I think poc\_input2 uses a code path that didn't have that test. And it's been fixed in 0.27.2 and master. I'm going to close this issue. However happy to re-open and continue the discussion if you wish.

Thank You very much for looking into this and the other issue you reported earlier. We take security and crashes very seriously. We have quarterly "dot" releases of Exiv2 v0.27 to ensure that fixes can be adopted quickly in the field.

Fixed by commit 109d5df  
Author: Kevin Backhouse kev@semmle.com  
Date: Thu May 16 14:30:12 2019 +0100

    Check bounds of jpg_img_off and jpg_img_len. (#858)

CVE-2020-19716: Buffer overflow caused by exhaustive memory usage  · Issue #980 · Exiv2/exiv2

An exploitable use-after-free vulnerability exists in WebKitGTK browser version 2.30.3 x64. A specially crafted HTML web page can cause a use-after-free condition, resulting in remote code execution. The victim needs to visit a malicious web site to trigger the vulnerability.

CVE-2021-21806: TALOS-2020-1214 || Cisco Talos Intelligence Group

It was discovered that the get_pid_info() function in data/apport did not properly parse the /proc/pid/status file from the kernel.

Vulnerabilities in Apport in ubuntu 20.04/18.04

\=======\=======\=======\=======\=======\=======\======

Author information

\------------------

Itai Greenhut(@Gr33nh4t)

Aleph Research by HCL Appscan

<email address hidden>

SUMMARY

\-------

We found several vulnerabilities in apport program which work on default installations of ubuntu 20.04/18.04.

We were able to chain those vulnerabilities together to get local privilege escalation to root from an unprivileged user.

Issue 1: Bypass drop\_privileges and set Uid and Gid to arbitrary value

\-------\-------\-------\-------\-------\-------\-------\-------\------

real\_uid and real\_gid are set by reading /proc/pid/status file and parsing its content.

"get\_pid\_info" function will iterate through each line and if a line starts with "Uid:" or "Gid:" it takes the first argument in that line and puts it into real\_uid and real\_gid variables.

We were able to bypass this by crashing a process with a file name set to "a\\rUid: 0\\rGid: 0".

When the process crashed, we "injected" those values to /proc/pid/status file (in the Name field), causing apport to never really drop privileges in the function drop\_privileges( real\_uid now is 0 and real\_gid is also 0).

By having full control over real\_uid and real\_gid we were able to bypass the suid check on "write\_user\_coredump" function.

Issue 2: Bypass get\_process\_startime check

\-------\-------\-------\-------\-------\-------\-------\-------\-

Apport checks if the process was replaced after the crash by comparing between apport\_start and process\_start.

process\_start gets the start time of the process by parsing the content of /proc/pid/stat file.

The start time is extracted from the 22 column of the /proc/pid/stat file.

We were able to bypass this check by recycle the pid with a process with " "(space) in its filename, causing get\_process\_starttime to return the wrong value (which is smaller than apport\_start).

Issue 3: delay apport get\_pid\_info by 30 seconds and recycle pid to suid process

\-------\-------\-------\-------\-------\-------\-------\-------\-------\-------\-------\----

We were able to delay apport get\_pid by 30 seconds from the process creation by acquiring the lock file of apport.

We were able to lock the file by creating a fifo file with a predictable name file crash in /var/log, and then create a new instance of apport.

Now when we create another apport instance it will then be locked for 30 seconds before getting a timeout.

We can release the lock file of the first instance by writing to the fifo file.

Exploitation:

\-------\-------\-------\-------\-------\-------\-------\-------\-

Our main goal in the exploitation is to write core file owned by root with our content to an arbitrary directory.

Apport creates a core file in the current directory of the crashed process.

As seen before on other apport exploits, we will create a core file in /etc/logrotate.d/ directory and execute a root shell.

In order to exploit those issues to gain local privilege escalation we need to perform the following steps:

1\. Create unpackaged=true configuration in ~/.conf/apport/settings

2\. mkfifo a predictable file of a decoy process.

3\. Run the decoy process causing the first apport instance to "hang".

4\. Create a symlink to /usr/bin/sudo with the name "a\\rUid: 0\\rGid: 0"

5\. chdir to desired directory.

6\. Create the crash program.

7\. Fork lots of new processes to make the pid wrap to crash\_program\_pid - 1.

8\. Send SIGSEGV to crash the program and trigger an additional apport instance.

9\. Send SIGKILL to terminate the program and release crash\_program\_pid.

10\. Create new process with fork and execve("a/rUid: 0\\rGid: 0"). (The crafted file name)

11\. Release the first process by writing to the fifo file.

The second apport instance will continue with execution and create a core dump in the current directory of the new suid process.

Now we have a root owned core file in desired directory, we can exploit this by having a valid configuration for logrotate inside the core dump and place the core dump inside /etc/logrotate.d/ directory.

CREDITS

\-------\-------\-------\-------\-------\-------\-------\-------\-

Please credit "Itai Greenhut(@Gr33nh4t) from Aleph Research by HCL Appscan" for those issues.

Please note that we follow the community standard of 90 days before public disclosure please coordinate your patch release date with us.

Attaching poc of the exploit, run as follows:  
1\. tar zxvfm exploit.tar.gz  
2\. cd exploit  
3\. ./exploit.sh

Best regards,  
Itai Greenhut  
Aleph Research by HCL Appscan

CVE-2021-25682: Bug #1912326 “Privilege escalation to root with core file dump” : Bugs : apport package : Ubuntu

A null pointer dereference was discovered lzo_decompress_buf in stream.c in Irzip 0.621 which allows an attacker to cause a denial of service (DOS) via a crafted compressed file.

Bug #1893641 reported by Doudou Huang on 2020-08-31

This bug affects 1 person

Affects

Status

Importance

Assigned to

Milestone

lrzip (Ubuntu)

Confirmed

Undecided

Unassigned

**Bug Description**

Hi, there.

There is invalid memory access in lzo\_decompress\_buf, stream.c 589 in the lrzip version 0.621 (newest branch 597be1f).  
According to the trace, it seems to be an incomplete fix of CVE-2017-8845 and CVE-2019-10654.  
System:

DISTRIB\_ID=Ubuntu  
DISTRIB\_RELEASE=16.04  
DISTRIB\_CODENAME=xenial  
DISTRIB\_DESCRIPTION="Ubuntu 16.04.6 LTS"

To reproduce, run:

lrzip -t seg-stream589

This is the output from the terminal:

Decompressing...  
Segmentation fault  
This is the trace reported by ASAN:

\==177389==ERROR: AddressSanitizer: SEGV on unknown address 0x606000010000 (pc 0x7f19986a0144 bp 0x62100001cd54 sp 0x7f1994afed60 T1)  
    #0 0x7f19986a0143 in lzo1x\_decompress (/lib/x86\_64-linux-gnu/liblzo2.so.2+0x13143)  
    #1 0x43faff in lzo\_decompress\_buf ../stream.c:589  
    #2 0x43faff in ucompthread ../stream.c:1529  
    #3 0x7f199804d6b9 in start\_thread (/lib/x86\_64-linux-gnu/libpthread.so.0+0x76b9)  
    #4 0x7f199747f41c in clone (/lib/x86\_64-linux-gnu/libc.so.6+0x10741c)

AddressSanitizer can not provide additional info.  
SUMMARY: AddressSanitizer: SEGV ??:0 lzo1x\_decompress  
Thread T1 created by T0 here:  
    #0 0x7f19988e51e3 in pthread\_create (/usr/lib/x86\_64-linux-gnu/libasan.so.2+0x361e3)  
    #1 0x451505 in create\_pthread ../stream.c:133  
    #2 0x451505 in fill\_buffer ../stream.c:1694  
    #3 0x451505 in read\_stream ../stream.c:1781  
    #4 0x18 (<unknown module>)

\==177389==ABORTING

Tag

#ubuntu