From 2e83c655377aa04ef2c67537fbd0a9622be4c188 Mon Sep 17 00:00:00 2001 From: Tod Beardsley Date: Wed, 1 Oct 2025 15:09:09 -0400 Subject: [PATCH 1/3] Grr typo on bold Signed-off-by: Tod Beardsley --- content/cve.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/cve.md b/content/cve.md index 4767189..92f8b72 100644 --- a/content/cve.md +++ b/content/cve.md @@ -210,7 +210,7 @@ When we publish CVEs, we will tend to use this [template], adjusted to taste. | CVE | Meeting | Issue | GCVE | | ----------------- | --------- | ------------------------------------------ | ---- | | [CVE-2025-8452] | 0x00e2 | **Brother Printer Serial Number Disclosure** | [GCVE-1337-2025-00000000000000000000000000000000000000000000000001011111011111010111111001000000000000000000000000000000000000000000000000000000001] | -| [CVE-2025-35027] | 0x00e4 | **Unitree Robotics Command Injection ** | [GCVE-1337-2025-00000000000000000000000000000000000000000000000001011011111110011111111110000000000000000000000000000000000000000000000000000000010] | +| [CVE-2025-35027] | 0x00e4 | **Unitree Robotics Command Injection** | [GCVE-1337-2025-00000000000000000000000000000000000000000000000001011011111110011111111110000000000000000000000000000000000000000000000000000000010] | ## Reserved GCVEs From d35a0dc0a3b2cc40e2054f991d0bd2a4c5c571ff Mon Sep 17 00:00:00 2001 From: Tod Beardsley Date: Wed, 1 Oct 2025 16:51:41 -0400 Subject: [PATCH 2/3] Most timestamps done 
Signed-off-by: Tod Beardsley --- content/cves/CVE-2023-5841.md | 31 ++++++++++++++++--------------- content/cves/CVE-2024-4224.md | 1 + content/cves/CVE-2025-2894.md | 1 + content/cves/CVE-2025-32455.md | 1 + content/cves/CVE-2025-32456.md | 1 + content/cves/CVE-2025-32457.md | 1 + content/cves/CVE-2025-32458.md | 1 + content/cves/CVE-2025-32459.md | 1 + content/cves/CVE-2025-3459.md | 1 + content/cves/CVE-2025-3460.md | 1 + content/cves/CVE-2025-3461.md | 1 + content/cves/CVE-2025-35004.md | 5 +++-- content/cves/CVE-2025-35005.md | 5 +++-- content/cves/CVE-2025-35006.md | 5 +++-- content/cves/CVE-2025-35007.md | 5 +++-- content/cves/CVE-2025-35008.md | 7 ++++--- content/cves/CVE-2025-35009.md | 1 + content/cves/CVE-2025-35010.md | 1 + content/cves/CVE-2025-35027.md | 1 + content/cves/CVE-2025-8452.md | 1 + 20 files changed, 46 insertions(+), 26 deletions(-) diff --git a/content/cves/CVE-2023-5841.md b/content/cves/CVE-2023-5841.md index 576d8d0..61f7483 100644 --- a/content/cves/CVE-2023-5841.md +++ b/content/cves/CVE-2023-5841.md @@ -1,6 +1,7 @@ --- title: CVE-2023-5841 aliases: ["/cves/CVE-2023-5841.html"] +pubDate: 2024-01-31T13:37:00-05:00 --- # CVE-2023-5841: Academy Software Foundation OpenEXR Heap Overflow in Scanline Deep Data Parsing @@ -27,7 +28,7 @@ src/lib/OpenEXRCore/unpack.c 1214 uint8_t* cdata; 1215 int w, h, bpc, ubpc; 1216 size_t totsamps = 0; -1217 +1217 ... ... 1253 for (int x = 0; x < w; ++x) @@ -38,18 +39,18 @@ src/lib/OpenEXRCore/unpack.c 1258 { 1259 int32_t tmp = samps - prevsamps; 1260 prevsamps = samps; -1261 samps = tmp; -1262 } -1263 +1261 samps = tmp; +1262 } +1263 1264 UNPACK_SAMPLES (samps) -1265 +1265 1266 srcbuffer += bpc * samps; 1267 if (incr_tot) totsamps += (size_t) samps; -1268 } -1269 } +1268 } +1269 } 1270 sampbuffer += w; -1271 } -1272 +1271 } +1272 1273 return EXR_ERR_SUCCESS; 1274 } ``` 
@@ -179,7 +180,7 @@ src/lib/OpenEXRCore/unpack.c 1090 } ``` -This vulernability is by default unreachable through the exr\* utilities provided with +This vulernability is by default unreachable through the exr\* utilities provided with the OpenEXR library because of a conditional in the `checkCoreFile` function (lines 1489-1492 below) which prevent the processing of EXR image files with the `DEEP_SCANLINE`/`DEEP_TILE` storage modes. This however only prevents the exr\* utilities from reaching the vulnerable code and direct calls @@ -192,21 +193,21 @@ src/lib/OpenEXRUtil/ImfCheckFile.cpp 1476 { 1477 exr_result_t rv; 1478 int numparts; -1479 +1479 1480 rv = exr_get_count (f, &numparts); 1481 if (rv != EXR_ERR_SUCCESS) return true; -1482 +1482 1483 for (int p = 0; p < numparts; ++p) 1484 { 1485 exr_storage_t store; 1486 rv = exr_get_storage (f, p, &store); 1487 if (rv != EXR_ERR_SUCCESS) return true; -1488 +1488 1489 // TODO: Need to fill this in 1490 if (store == EXR_STORAGE_DEEP_SCANLINE || 1491 store == EXR_STORAGE_DEEP_TILED) 1492 continue; -1493 +1493 1494 if (store == EXR_STORAGE_SCANLINE) 1495 { 1496 if (readCoreScanlinePart (f, p, reduceMemory, reduceTime)) @@ -217,7 +218,7 @@ src/lib/OpenEXRUtil/ImfCheckFile.cpp 1501 if (readCoreTiledPart (f, p, reduceMemory, reduceTime)) return true; 1502 } 1503 } -1504 +1504 1505 return false; 1506 } ``` diff --git a/content/cves/CVE-2024-4224.md b/content/cves/CVE-2024-4224.md index f277845..4c1fae5 100644 --- a/content/cves/CVE-2024-4224.md +++ b/content/cves/CVE-2024-4224.md @@ -1,6 +1,7 @@ --- title: CVE-2024-4224 aliases: ["/cves/CVE-2024-4224.html"] +pubDate: 2024-07-15T14:34:53.699-05:00 --- # CVE-2024-4224: TP-Link TL-SG1016DE XSS diff --git a/content/cves/CVE-2025-2894.md b/content/cves/CVE-2025-2894.md index 59388d7..460caa7 100644 --- a/content/cves/CVE-2025-2894.md +++ b/content/cves/CVE-2025-2894.md 
@@ -2,6 +2,7 @@ title: CVE-2025-2894 aliases: - /cves/CVE-2025-2894.html +pubDate: 2025-03-27T20:57:13-05:00 --- # CVE-2025-2894: Unitree Go1 Backdoor Control Channel diff --git a/content/cves/CVE-2025-32455.md b/content/cves/CVE-2025-32455.md index 90621ad..892257c 100644 --- a/content/cves/CVE-2025-32455.md +++ b/content/cves/CVE-2025-32455.md @@ -2,6 +2,7 @@ title: CVE-2025-32455 aliases: - /cves/CVE-2025-32455.html +pubDate: 2025-06-08T15:58:51-05:00 --- # CVE-2025-32455: ON Semiconductor Quantenna router_command.sh run_cmd Argument Injection diff --git a/content/cves/CVE-2025-32456.md b/content/cves/CVE-2025-32456.md index 4288b5c..7c42dc8 100644 --- a/content/cves/CVE-2025-32456.md +++ b/content/cves/CVE-2025-32456.md @@ -2,6 +2,7 @@ title: CVE-2025-32456 aliases: - /cves/CVE-2025-32456.html +pubDate: 2025-06-08T15:58:51-05:00 --- # CVE-2025-32456: ON Semiconductor Quantenna router_command.sh put_file_to_qtn Argument Injection diff --git a/content/cves/CVE-2025-32457.md b/content/cves/CVE-2025-32457.md index 80b6b8d..273f83f 100644 --- a/content/cves/CVE-2025-32457.md +++ b/content/cves/CVE-2025-32457.md @@ -2,6 +2,7 @@ title: CVE-2025-32457 aliases: - /cves/CVE-2025-32457.html +pubDate:2025-06-08T15:58:51-05:00 --- # CVE-2025-32457: ON Semiconductor Quantenna router_command.sh get_file_from_qtn Argument Injection diff --git a/content/cves/CVE-2025-32458.md b/content/cves/CVE-2025-32458.md index cf6e630..82db181 100644 --- a/content/cves/CVE-2025-32458.md +++ b/content/cves/CVE-2025-32458.md @@ -2,6 +2,7 @@ title: CVE-2025-32458 aliases: - /cves/CVE-2025-32458.html +pubDate: 2025-06-08T15:58:51-05:00 --- # CVE-2025-32458: ON Semiconductor Quantenna router_command.sh get_syslog_from_qtn Argument Injection diff --git a/content/cves/CVE-2025-32459.md b/content/cves/CVE-2025-32459.md index 26c371f..46af2ff 100644 --- a/content/cves/CVE-2025-32459.md +++ b/content/cves/CVE-2025-32459.md 
@@ -2,6 +2,7 @@ title: CVE-2025-32459 aliases: - /cves/CVE-2025-32459.html +pubDate: 2025-06-08T15:58:51-05:00 --- # CVE-2025-32459: ON Semiconductor Quantenna router_command.sh sync_time Argument Injection diff --git a/content/cves/CVE-2025-3459.md b/content/cves/CVE-2025-3459.md index 8177778..1117e2d 100644 --- a/content/cves/CVE-2025-3459.md +++ b/content/cves/CVE-2025-3459.md @@ -2,6 +2,7 @@ title: CVE-2025-3459 aliases: - /cves/CVE-2025-3459.html +pubDate: 2025-06-08T15:58:51-05:00 --- # CVE-2025-3459: ON Semiconductor Quantenna transmit_file Argument Injection diff --git a/content/cves/CVE-2025-3460.md b/content/cves/CVE-2025-3460.md index 4af7b78..f088644 100644 --- a/content/cves/CVE-2025-3460.md +++ b/content/cves/CVE-2025-3460.md @@ -2,6 +2,7 @@ title: CVE-2025-3460 aliases: - /cves/CVE-2025-3460.html +pubDate: 2025-06-08T15:58:51-05:00 --- # CVE-2025-3460: ON Semiconductor Quantenna set_tx_pow Argument Injection diff --git a/content/cves/CVE-2025-3461.md b/content/cves/CVE-2025-3461.md index 4354d5e..d47849e 100644 --- a/content/cves/CVE-2025-3461.md +++ b/content/cves/CVE-2025-3461.md @@ -2,6 +2,7 @@ title: CVE-2025-3461 aliases: - /cves/CVE-2025-3461.html +pubDate: 2025-06-08T15:58:51-05:00 --- # CVE-2025-3461: ON Semiconductor Quantenna Telnet Missing Authentication diff --git a/content/cves/CVE-2025-35004.md b/content/cves/CVE-2025-35004.md index cc991d3..8e7e0a0 100644 --- a/content/cves/CVE-2025-35004.md +++ b/content/cves/CVE-2025-35004.md @@ -2,6 +2,7 @@ title: CVE-2025-35004 aliases: - /cves/CVE-2025-35004.html +pubDate: 2025-06-08T15:58:51-05:00 --- # CVE-2025-35004: Microhard Bullet-LTE and IPn4Gii AT+MFIP Argument Injection @@ -47,7 +48,7 @@ size_t FUN_0000e9a0(undefined4 param_1,char *param_2,void *param_3,size_t param_ FILE *__stream; char *__s; size_t sVar1; - + __stream = popen(param_2,"r"); if (__stream != (FILE *)0x0) { memset(param_3,0,param_4); 
@@ -115,7 +116,7 @@ This vulnerability was discovered and documented by Ricky "HeadlessZeke" Lawshae * 2025-04-02 (Wed): Contact initiated to several guessed email aliases, such as info@microhardcorp.com, support@microhardcorp.com, etc. * 2025-04-02 (Wed): Bounces collected from media@, press@, security@, and secure@. No bounce notification was generated from info@ and support@, though a customer account was required to further communicate with support@, which [AHA!] does not have. * 2025 (April and May): No further communication from the vendor was received. -* 2025-06-08 (Sun): Verified current IPn4Gii/BulletLTE [firmware] remains at v1.2.0-r1132 +* 2025-06-08 (Sun): Verified current IPn4Gii/BulletLTE [firmware] remains at v1.2.0-r1132 * 2025-06-08 (Sun): Public disclosure of [CVE-2025-35004] ---- diff --git a/content/cves/CVE-2025-35005.md b/content/cves/CVE-2025-35005.md index 29f68ff..eaa91fa 100644 --- a/content/cves/CVE-2025-35005.md +++ b/content/cves/CVE-2025-35005.md @@ -2,6 +2,7 @@ title: CVE-2025-35005 aliases: - /cves/CVE-2025-35005.html +pubDate: 2025-06-08T15:58:51-05:00 --- # CVE-2025-35005: Microhard Bullet-LTE and IPn4Gii AT+MFMAC Argument Injection @@ -44,7 +45,7 @@ size_t FUN_0000e9a0(undefined4 param_1,char *param_2,void *param_3,size_t param_ FILE *__stream; char *__s; size_t sVar1; - + __stream = popen(param_2,"r"); if (__stream != (FILE *)0x0) { memset(param_3,0,param_4); 
@@ -112,7 +113,7 @@ This vulnerability was discovered and documented by Ricky "HeadlessZeke" Lawshae * 2025-04-02 (Wed): Contact initiated to several guessed email aliases, such as info@microhardcorp.com, support@microhardcorp.com, etc. * 2025-04-02 (Wed): Bounces collected from media@, press@, security@, and secure@. No bounce notification was generated from info@ and support@, though a customer account was required to further communicate with support@, which [AHA!] does not have. * 2025 (April and May): No further communication from the vendor was received. -* 2025-06-08 (Sun): Verified current IPn4Gii/BulletLTE [firmware] remains at v1.2.0-r1132 +* 2025-06-08 (Sun): Verified current IPn4Gii/BulletLTE [firmware] remains at v1.2.0-r1132 * 2025-06-08 (Sun): Public disclosure of [CVE-2025-35005] ---- diff --git a/content/cves/CVE-2025-35006.md b/content/cves/CVE-2025-35006.md index 37d8969..174b548 100644 --- a/content/cves/CVE-2025-35006.md +++ b/content/cves/CVE-2025-35006.md @@ -2,6 +2,7 @@ title: CVE-2025-35006 aliases: - /cves/CVE-2025-35006.html +pubDate: 2025-06-08T15:58:51-05:00 --- I​CVE-2025-35006: Microhard Bullet-LTE and IPn4Gii AT+MFPORTFWD Argument Injection @@ -40,7 +41,7 @@ size_t FUN_0000e9a0(undefined4 param_1,char *param_2,void *param_3,size_t param_ FILE *__stream; char *__s; size_t sVar1; - + __stream = popen(param_2,"r"); if (__stream != (FILE *)0x0) { memset(param_3,0,param_4); 
@@ -109,7 +110,7 @@ This vulnerability was discovered and documented by Ricky "HeadlessZeke" Lawshae * 2025-04-02 (Wed): Contact initiated to several guessed email aliases, such as info@microhardcorp.com, support@microhardcorp.com, etc. * 2025-04-02 (Wed): Bounces collected from media@, press@, security@, and secure@. No bounce notification was generated from info@ and support@, though a customer account was required to further communicate with support@, which [AHA!] does not have. * 2025 (April and May): No further communication from the vendor was received. -* 2025-06-08 (Sun): Verified current IPn4Gii/BulletLTE [firmware] remains at v1.2.0-r1132 +* 2025-06-08 (Sun): Verified current IPn4Gii/BulletLTE [firmware] remains at v1.2.0-r1132 * 2025-06-08 (Sun): Public disclosure of [CVE-2025-35006] ---- diff --git a/content/cves/CVE-2025-35007.md b/content/cves/CVE-2025-35007.md index 638b002..85ccdd3 100644 --- a/content/cves/CVE-2025-35007.md +++ b/content/cves/CVE-2025-35007.md @@ -2,6 +2,7 @@ title: CVE-2025-35007 aliases: - /cves/CVE-2025-35007.html +pubDate: 2025-06-08T15:58:51-05:00 --- # CVE-2025-35007: Microhard Bullet-LTE and IPn4Gii AT+MFRULE Argument Injection @@ -52,7 +53,7 @@ size_t FUN_0000e9a0(undefined4 param_1,char *param_2,void *param_3,size_t param_ FILE *__stream; char *__s; size_t sVar1; - + __stream = popen(param_2,"r"); if (__stream != (FILE *)0x0) { memset(param_3,0,param_4); 
@@ -120,7 +121,7 @@ This vulnerability was discovered and documented by Ricky "HeadlessZeke" Lawshae * 2025-04-02 (Wed): Contact initiated to several guessed email aliases, such as info@microhardcorp.com, support@microhardcorp.com, etc. * 2025-04-02 (Wed): Bounces collected from media@, press@, security@, and secure@. No bounce notification was generated from info@ and support@, though a customer account was required to further communicate with support@, which [AHA!] does not have. * 2025 (April and May): No further communication from the vendor was received. -* 2025-06-08 (Sun): Verified current IPn4Gii/BulletLTE [firmware] remains at v1.2.0-r1132 +* 2025-06-08 (Sun): Verified current IPn4Gii/BulletLTE [firmware] remains at v1.2.0-r1132 * 2025-06-08 (Sun): Public disclosure of [CVE-2025-35007] ---- diff --git a/content/cves/CVE-2025-35008.md b/content/cves/CVE-2025-35008.md index af6f878..bc8634c 100644 --- a/content/cves/CVE-2025-35008.md +++ b/content/cves/CVE-2025-35008.md @@ -2,6 +2,7 @@ title: CVE-2025-35008 aliases: - /cves/CVE-2025-35008.html +pubDate: 2025-06-08T15:58:51-05:00 --- # CVE-2025-35008: Microhard Bullet-LTE and IPn4Gii AT+MMNAME Argument Injection @@ -41,7 +42,7 @@ undefined4 FUN_0000ea24(undefined4 param_1,undefined4 param_2,char *param_3) char *pcVar3; char local_198 [128]; char acStack_118 [256]; - + memset(local_198,0,0x80); memset(acStack_118,0,0x100); memset(param_3,0,4); @@ -58,7 +59,7 @@ size_t FUN_0000e9a0(undefined4 param_1,char *param_2,void *param_3,size_t param_ FILE *__stream; char *__s; size_t sVar1; - + __stream = popen(param_2,"r"); if (__stream != (FILE *)0x0) { memset(param_3,0,param_4); 
@@ -126,7 +127,7 @@ This vulnerability was discovered and documented by Ricky "HeadlessZeke" Lawshae * 2025-04-02 (Wed): Contact initiated to several guessed email aliases, such as info@microhardcorp.com, support@microhardcorp.com, etc. * 2025-04-02 (Wed): Bounces collected from media@, press@, security@, and secure@. No bounce notification was generated from info@ and support@, though a customer account was required to further communicate with support@, which [AHA!] does not have. * 2025 (April and May): No further communication from the vendor was received. -* 2025-06-08 (Sun): Verified current IPn4Gii/BulletLTE [firmware] remains at v1.2.0-r1132 +* 2025-06-08 (Sun): Verified current IPn4Gii/BulletLTE [firmware] remains at v1.2.0-r1132 * 2025-06-08 (Sun): Public disclosure of [CVE-2025-35008] ---- diff --git a/content/cves/CVE-2025-35009.md b/content/cves/CVE-2025-35009.md index 27ddb7c..02298ed 100644 --- a/content/cves/CVE-2025-35009.md +++ b/content/cves/CVE-2025-35009.md @@ -2,6 +2,7 @@ title: CVE-2025-35009 aliases: - /cves/CVE-2025-35009.html +pubDate: 2025-06-08T15:58:51-05:00 --- # CVE-2025-35009: Microhard Bullet-LTE and IPn4Gii AT+MNNETSP Argument Injection diff --git a/content/cves/CVE-2025-35010.md b/content/cves/CVE-2025-35010.md index d32e3e0..811bd1a 100644 --- a/content/cves/CVE-2025-35010.md +++ b/content/cves/CVE-2025-35010.md @@ -2,6 +2,7 @@ title: CVE-2025-35010 aliases: - /cves/CVE-2025-35010.html +pubDate: 2025-06-08T15:58:51-05:00 --- # CVE-2025-35010: Microhard Bullet-LTE and IPn4Gii AT+MNPINGTM Argument Injection diff --git a/content/cves/CVE-2025-35027.md b/content/cves/CVE-2025-35027.md index 624fb50..3e322e8 100644 --- a/content/cves/CVE-2025-35027.md +++ b/content/cves/CVE-2025-35027.md 
@@ -3,6 +3,7 @@ title: CVE-2025-35027 aliases: - /cves/CVE-2025-35027.html - /gcves/GCVE-1337-2025-00000000000000000000000000000000000000000000000001011011111110011111111110000000000000000000000000000000000000000000000000000000010 +publishDate: 2025-09-26T01:41:10-05:00 --- # CVE-2025-35027: Unitree Robotics wpa_supplicant_restart.sh Command Injection diff --git a/content/cves/CVE-2025-8452.md b/content/cves/CVE-2025-8452.md index f42f007..aa8ad32 100644 --- a/content/cves/CVE-2025-8452.md +++ b/content/cves/CVE-2025-8452.md @@ -3,6 +3,7 @@ title: CVE-2025-8452 aliases: - /cves/CVE-2025-8452.html - /gcves/GCVE-1337-2025-00000000000000000000000000000000000000000000000001011111011111010111111001000000000000000000000000000000000000000000000000000000001 +publishDate: 2025-08-15T00:08:19-05:00 --- # CVE-2025-8452: Brother Printer Serial Number Disclosure From 49ab3d1a170326c5543c87774982ca6d84d65260 Mon Sep 17 00:00:00 2001 From: Tod Beardsley Date: Wed, 1 Oct 2025 17:54:57 -0400 Subject: [PATCH 3/3] Fixed a bugged timestamp, added rest Signed-off-by: Tod Beardsley --- content/cves/CVE-2023-0666.md | 1 + content/cves/CVE-2023-0667.md | 3 ++- content/cves/CVE-2023-0668.md | 23 ++++++++++++----------- content/cves/CVE-2023-2905.md | 3 ++- content/cves/CVE-2023-2906.md | 5 +++-- content/cves/CVE-2023-4504.md | 6 +++--- content/cves/CVE-2025-32457.md | 2 +- 7 files changed, 24 insertions(+), 19 deletions(-) diff --git a/content/cves/CVE-2023-0666.md b/content/cves/CVE-2023-0666.md index aefa08a..dfc767b 100644 --- a/content/cves/CVE-2023-0666.md +++ b/content/cves/CVE-2023-0666.md @@ -1,6 +1,7 @@ --- title: CVE-2023-0666 🤘 aliases: ["/cves/CVE-2023-0666.html"] +pubDate: 2023-06-06T13:37:00-05:00 --- # CVE-2023-0666: Wireshark RTPS Parsing Buffer Overflow diff --git a/content/cves/CVE-2023-0667.md b/content/cves/CVE-2023-0667.md index 7467375..aeb27d1 100644 --- a/content/cves/CVE-2023-0667.md +++ b/content/cves/CVE-2023-0667.md 
@@ -1,6 +1,7 @@ --- title: CVE-2023-0667 aliases: ["/cves/CVE-2023-0667.html"] +pubDate: 2023-06-06T13:37:00-05:00 --- # CVE-2023-0667: Wireshark MSMMS parsing buffer overflow @@ -63,7 +64,7 @@ Following, on line 471, the length is multiplied by 8, then 8 is subtracted from 472 ``` -Following the length remaining calculation, the `command_id` retrieved earlier is used to determine the command type and on line 480, the `dissect_client_transport_info` is called +Following the length remaining calculation, the `command_id` retrieved earlier is used to determine the command type and on line 480, the `dissect_client_transport_info` is called `/wireshark/epan/dissectors/packet-ms-mms.c` ``` diff --git a/content/cves/CVE-2023-0668.md b/content/cves/CVE-2023-0668.md index f77e512..b54a59e 100644 --- a/content/cves/CVE-2023-0668.md +++ b/content/cves/CVE-2023-0668.md @@ -1,6 +1,7 @@ --- title: CVE-2023-0668 aliases: ["/cves/CVE-2023-0668.html"] +pubDate: 2023-06-06T13:37:00-05:00 --- @@ -20,12 +21,12 @@ This crash is caused by an out of bounds read from the global buffer `conf_phaso `wireshark/epan/dissectors/packet-synphasor.c` ``` - 363 static const value_string conf_phasor_type[] = { + 363 static const value_string conf_phasor_type[] = { 364 { 0, "Voltage, Zero sequence" }, 365 { 1, "Voltage, Positive sequence" }, 366 { 2, "Voltage, Negative sequence" }, - 367 { 3, "Voltage, Reserved" }, - 368 { 4, "Voltage, Phase A" }, + 367 { 3, "Voltage, Reserved" }, + 368 { 4, "Voltage, Phase A" }, 369 { 5, "Voltage, Phase B" }, 370 { 6, "Voltage, Phase C" }, 371 { 7, "Voltage, Reserved" }, 
@@ -48,36 +49,36 @@ In `dissect_PHSCALE` (which can be found in the top frame of the stack trace.) o ``` 1190 static gint dissect_PHSCALE(tvbuff_t *tvb, proto_tree *tree, gint offset, gint cnt) -1191 { +1191 { 1192 proto_tree *temp_tree; 1193 gint i; -1194 +1194 1195 if (0 == cnt) { 1196 return offset; 1197 } -1198 +1198 1199 temp_tree = proto_tree_add_subtree_format(tree, tvb, offset, 12 * cnt, ett_conf_phconv, NULL, 1200 "Phasor scaling and data flags (%u)", cnt); -1201 +1201 1202 for (i = 0; i < cnt; i++) { 1203 proto_tree *single_phasor_scaling_and_flags_tree; 1204 proto_tree *phasor_flag1_tree; 1205 proto_tree *phasor_flag2_tree; 1206 proto_tree *data_flag_tree; -1207 +1207 1208 single_phasor_scaling_and_flags_tree = proto_tree_add_subtree_format(temp_tree, tvb, offset, 12, 1209 ett_conf_phlist, NULL, 1210 "Phasor #%u", i + 1); -1211 +1211 1212 data_flag_tree = proto_tree_add_subtree_format(single_phasor_scaling_and_flags_tree, tvb, offset, 4, 1213 ett_conf_phflags, NULL, "Phasor Data flags: %s", 1214 conf_phasor_type[tvb_get_guint8(tvb, offset + 2)].strptr); -1215 +1215 1216 /* first and second bytes - phasor modification flags*/ 1217 phasor_flag1_tree = proto_tree_add_subtree_format(data_flag_tree, tvb, offset, 2, ett_conf_phmod_flags, 1218 NULL, "Modification Flags: 0x%04x", 1219 tvb_get_ntohs(tvb, offset)); -1220 +1220 ``` A Base64 encoded blob of an example PCAP that can trigger the issue is below. diff --git a/content/cves/CVE-2023-2905.md b/content/cves/CVE-2023-2905.md index 1ccf022..74a17f3 100644 --- a/content/cves/CVE-2023-2905.md +++ b/content/cves/CVE-2023-2905.md @@ -1,6 +1,7 @@ --- title: CVE-2023-2905 aliases: ["/cves/CVE-2023-2905.html"] +pubDate: 2023-08-08T13:37:00-05:00 --- # CVE-2023-2905: Cesanta Mongoose MQTT Message Parsing Heap Overflow 
@@ -61,7 +62,7 @@ src/mqtt.c 406 m->props_size = decode_variable_length((char *) p, &len_len); ``` -The below shows the buffer from the crash file showing a 10 byte mqtt message with the 8th byte having the MSB set. +The below shows the buffer from the crash file showing a 10 byte mqtt message with the 8th byte having the MSB set. ``` Thread 1 "fuzzer" hit Breakpoint 7, LLVMFuzzerTestOneInput (data=0xffffb4500790 "5\b", size=10) at test/fuzz.c:38 diff --git a/content/cves/CVE-2023-2906.md b/content/cves/CVE-2023-2906.md index d6955db..4cdce1c 100644 --- a/content/cves/CVE-2023-2906.md +++ b/content/cves/CVE-2023-2906.md @@ -1,6 +1,7 @@ --- title: CVE-2023-2906 aliases: ["/cves/CVE-2023-2906.html"] +pubDate: 2023-08-24T13:37:00-05:00 --- # CVE-2023-2906: Wireshark CP2179 Parsing Divide By Zero DoS @@ -25,11 +26,11 @@ The relevant code snippet from `epan/dissectors/packet-cp2179.c` is: 719 { 720 proto_tree_add_item(cp2179_proto_tree, hf_cp2179_timetag_moredata, tvb, offset, 1, ENC_LITTLE_ENDIAN); 721 proto_tree_add_item(cp2179_proto_tree, hf_cp2179_timetag_numsets, tvb, offset, 1, ENC_LITTLE_ENDIAN); - 722 + 722 723 num_records = tvb_get_guint8(tvb, offset) & 0x7F; 724 recordsize = (numberofcharacters-1) / num_records; 725 num_values = (recordsize-6) / 2; /* Determine how many 16-bit analog values are present in each event record */ - 726 + 726 727 offset += 1; ``` diff --git a/content/cves/CVE-2023-4504.md b/content/cves/CVE-2023-4504.md index b58a020..6c96041 100644 --- a/content/cves/CVE-2023-4504.md +++ b/content/cves/CVE-2023-4504.md @@ -1,6 +1,7 @@ --- title: CVE-2023-4504 aliases: ["/cves/CVE-2023-4504.html"] +pubDate: 2023-09-21T13:37:00-05:00 --- # CVE-2023-4504: OpenPrinting CUPS/libppd Postscript Parsing Heap Overflow 
@@ -17,7 +18,7 @@ Due to failure in validating the length provided by an attacker-crafted CUPS PPD # Technical Details -The `scan_ps` function in the CUPS codebase provides functionality that scans through a string looking for the next Postscript object. When iterating through a string which contains an open parenthesis and ends with a single backslash (0x5c) character, the code incorrectly iterates forward a character without properly checking the bounds of the string resulting in a 1 byte read beyond the allocated heap buffer. +The `scan_ps` function in the CUPS codebase provides functionality that scans through a string looking for the next Postscript object. When iterating through a string which contains an open parenthesis and ends with a single backslash (0x5c) character, the code incorrectly iterates forward a character without properly checking the bounds of the string resulting in a 1 byte read beyond the allocated heap buffer. Snippet of the vulnerable code: @@ -107,7 +108,7 @@ Line 1085 contains the case statement which provides the logic used to iterate t On line 1091, the for loop within the case statement is used to iterate through each character after encountering an open paranthesis character (0x28), storing the pointer to the current character in `cur`. -On line 1111, the code checks if the current character is a backslash and finally, in line 1117, the character index is incremented without checking the length, now pointing to the null byte terminating the string. +On line 1111, the code checks if the current character is a backslash and finally, in line 1117, the character index is incremented without checking the length, now pointing to the null byte terminating the string. Upon the next iteration of the loop, on line 1094, the loop now begins iterating through unallocated memory resulting in undefined behaviour. 
@@ -142,4 +143,3 @@ This issue is being disclosed through the AHA! CNA and is credited to: [zenofex] [disclosure policy]: https://takeonme.org/cve.html [AHA!]: https://takeonme.org/ [CWE-122]: https://cwe.mitre.org/data/definitions/122.html - diff --git a/content/cves/CVE-2025-32457.md b/content/cves/CVE-2025-32457.md index 273f83f..35fc9ab 100644 --- a/content/cves/CVE-2025-32457.md +++ b/content/cves/CVE-2025-32457.md @@ -2,7 +2,7 @@ title: CVE-2025-32457 aliases: - /cves/CVE-2025-32457.html -pubDate:2025-06-08T15:58:51-05:00 +pubDate: 2025-06-08T15:58:51-05:00 --- # CVE-2025-32457: ON Semiconductor Quantenna router_command.sh get_file_from_qtn Argument Injection
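Review bot: The `content/cve.md` hunk in patch 1/3 is the right fix, and it is worth recording why: CommonMark only treats a closing `**` as a right-flanking delimiter when it is not preceded by whitespace, so `**Unitree Robotics Command Injection **` renders with literal asterisks instead of bold, while the corrected `**Unitree Robotics Command Injection**` renders as intended. The same class of error is caught automatically by markdownlint rule MD037 (spaces inside emphasis markers), which would be cheap to add to CI for the `content/` tree.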
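Review bot: The `content/cves/CVE-2025-32457.md` hunk in patch 2/3 adds `+pubDate:2025-06-08T15:58:51-05:00` with no space after the colon, so YAML does not read it as a key/value pair; depending on the front-matter loader it either fails to parse or silently drops the date. Patch 3/3 corrects it to `+pubDate: 2025-06-08T15:58:51-05:00`, so squash that one-line fix into patch 2/3 before merging rather than leaving an intermediate commit with broken front matter. A CI step that loads the front matter of every file under `content/cves/` would have flagged this on the first push.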
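Review bot: The `content/cves/CVE-2025-35027.md` and `content/cves/CVE-2025-8452.md` hunks in patch 2/3 add `+publishDate: ...` while the other eighteen files in the same series add `+pubDate: ...`. Unless the site's content schema accepts both keys, the two newest advisories will be the ones missing a publication date (or failing schema validation). Pick one key and use it throughout. On the same theme, `content/cves/CVE-2024-4224.md` is the only entry whose value carries fractional seconds (`2024-07-15T14:34:53.699-05:00`); harmless, but trimming it to whole seconds keeps the values uniform.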
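Review bot: Across patches 2/3 and 3/3, every 2023-era advisory (`CVE-2023-5841`, `CVE-2023-0666`, `CVE-2023-0667`, `CVE-2023-0668`, `CVE-2023-2905`, `CVE-2023-2906`, `CVE-2023-4504`) receives a time-of-day of `13:37:00`, and nine of the 2025 Quantenna and Microhard entries share the single second `2025-06-08T15:58:51-05:00`. If only the publication date is known and the time is a placeholder, either say so in the commit message or omit the time component, so readers and downstream feeds do not treat a made-up value as a precise timestamp. Note also that `-05:00` is applied to both winter dates (January, March) and summer dates (June, August); no single DST-observing US zone has that offset year-round, so if the intent is "local time in one zone" the offsets should vary with the date.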
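Review bot: Patch 2/3 mixes the one-line `pubDate` additions with trailing-whitespace stripping inside the code listings of `content/cves/CVE-2023-5841.md` (for example `-1261 samps = tmp;` / `+1261 samps = tmp;` and the blank `-1263` / `+1263` pairs) and in the Microhard timeline bullets, which is why a 20-file diffstat is needed for what is logically a one-line change per file. Move the whitespace cleanup into its own commit; reviewers can then confirm that commit with `git diff -w` showing nothing, and the front-matter commit becomes trivially auditable.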
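Review bot: In the `content/cves/CVE-2025-35006.md` hunk of patch 2/3, the context line after the front matter reads `I​CVE-2025-35006: Microhard Bullet-LTE and IPn4Gii AT+MFPORTFWD Argument Injection`, whereas every sibling file shows an H1 of the form `# CVE-2025-35005: ...`. The leading `I` and missing `# ` suggest the heading in that file is corrupted (possibly with an invisible character after the `I`), so the page would render without its title. It is pre-existing and not introduced here, but it sits right next to this change and deserves a follow-up fix.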