Message-ID: <b54b4cb5-8036-0976-d361-384aa8025894@gmail.com>
Date: Sat, 27 Jan 2024 10:15:40 +1100
From: Matthew Fernandez <matthew.fernandez@...il.com>
To: fulldisclosure@...lists.org
Subject: Re: [FD] Buffer Overflow in graphviz via via a crafted config6a file

On 1/20/24 15:07, Meng Ruijie wrote:
> [Vulnerability description]
> Buffer Overflow vulnerability in graphviz v.2.43.0 allows a remote attacker to execute arbitrary code via a crafted config6a file.
> 
> [Vulnerability Type]
> Buffer Overflow

More specifically, this issue is an out-of-bounds read.

> [Vendor of Product]
> graphviz
> 
> [Affected Product Code Base]
> graphviz - 2.43.0

AFAICT the issue was actually introduced in Graphviz 2.36. It was fixed 
in commit a95f977f5d809915ec4b14836d2b5b7f5e74881e (essentially 
reverting cf95714837f06f684929b54659523c2c9b1fc19f that introduced the 
issue), but there has been no release yet since then. The next release 
will be 10.0.0. So affected versions would be [2.36, 10.0.0).

To exploit this issue, you need to modify a typically-root-owned file. I 
am not suggesting it is hard to exploit, but see my remarks below.

> [CVE Reference]
> The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2023-46045 to this vulnerability.

Why was this issue gifted a CVE? If you want an out-of-bounds access in 
Graphviz, there is much lower hanging fruit.

As Alan Coopersmith has noted in a separate thread,¹ this stream of 
issues seems to have been bulk-created without much analysis. The CVE 
details still appear to be RESERVED in NVD. The Graphviz maintainers do 
not intend to contest this CVE, but I expect the details to be 
inaccurate when released as I’ve noted above.

¹ https://seclists.org/oss-sec/2024/q1/59