Jaroslav Lobačevski

**Nome do Software Vulnerável e Versões Afetadas** WilderForge (versões afetadas não especificadas) **Descrição** Foi identificado um problema crítico na organização WilderForge, originado pelo uso inseguro de variáveis controladas pelo usuário, como `${{ github.event.review.body }}`, diretamente dentro de contextos de script shell em workflows do GitHub Actions. Isso introduz um problema de injeção de código, permitindo que um ator malicioso execute código shell arbitrário no runner do GitHub Actions ao enviar um review de pull request manipulado. Isso pode levar à execução arbitrária de comandos com as permissões do workflow, potencialmente comprometendo a infraestrutura de CI, segredos e saídas de build. O problema afeta desenvolvedores que mantêm ou contribuem para repositórios específicos da WilderForge, bem como usuários que fazem fork desses repositórios e reutilizam workflows do GitHub Actions afetados. Usuários finais do software e usuários que apenas instalam releases pré-compilados ou artefatos não são afetados. **Recomendações** Como solução temporária, considere desativar o GitHub Actions nos repositórios afetados ou remover os workflows afetados. Restrinja o acesso aos workflows vulneráveis do GitHub Actions para minimizar o risco de exploração. Evite usar a variável `github.event.review.body` no endpoint de API afetado até que o problema seja resolvido. No momento, não há informações sobre uma versão mais recente que contenha uma correção para esta vulnerabilidade.

**Nome do Software Vulnerável e Versões Afetadas** Versões do 7-Zip anteriores à 25.0.0 **Descrição** O 7-Zip é um compactador de arquivos que suporta a extração de Documentos Compostos. Uma desreferência de ponteiro nulo no manipulador de Compostos pode levar à negação de serviço. **Recomendações** Atualize para a versão 25.0.0 ou posterior.

**Name of the Vulnerable Software and Affected Versions** 7-Zip versions prior to 25.0.0 **Description** 7-Zip is a file archiver with a high compression ratio. A flaw exists in the RAR5 handler where writing zeroes outside of the heap buffer can cause memory corruption and denial of service. **Recommendations** Update to version 25.0.0 or later.

**Name of the Vulnerable Software and Affected Versions** stb image (affected versions not specified) **Description** The issue is related to a crafted image file that may trigger an out of bounds memcpy read in the `stbi gif load next` function. This occurs because `two back` points to a memory address lower than the start of the buffer, potentially leading to the leak of internal memory allocation information. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** stb image (affected versions not specified) **Description** The issue is related to the stbi getn function in the stb image library, which reads a specified number of bytes from a context into a buffer. If the file stream points to the end, it returns zero. However, there are two places where its return value is not checked: in the `stbi hdr load` function and in the `stbi tga load` function. The latter is likely more exploitable as an attacker may also control the size of an uninitialized buffer. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** stb vorbis (affected versions not specified) **Description** The issue is related to the processing of ogg vorbis files. A crafted file can trigger an out of bounds write in `f->vendor[i] = get8 packet(f);`. This is caused by an integer overflow in `setup malloc`, where a sufficiently large value in the variable `sz` overflows when added to 7, resulting in a negative value that passes the maximum available memory buffer check. This may lead to code execution. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** stb vorbis (affected versions not specified) **Description** The issue is related to the processing of ogg vorbis files. A crafted file can trigger an out of buffer write in the `start decoder` function. This occurs because the maximum value of `m->submaps` is 16, but the arrays `submap floor` and `submap residue` are declared with 15 elements. This can potentially lead to code execution. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** stb vorbis (affected versions not specified) **Description** The issue is related to a memory allocation failure in the `start decoder` function when processing a crafted ogg vorbis file. This failure causes the function to return early, setting `f->comment list` to `NULL` but not resetting `f->comment list length`. Later, in the `vorbis deinit` function, it attempts to dereference the `NULL` pointer, potentially leading to a denial of service. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** stb vorbis (affected versions not specified) **Description** The issue concerns a crafted file that may trigger an out of bounds read in the `DECODE` macro when the `var` is negative. According to the definition of `DECODE RAW`, a negative `var` is a valid value. This can potentially be used to leak internal memory allocation information. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Notepad++ versions 8.5.6 and prior **Description** The issue is related to a global buffer read overflow in the `CharDistributionAnalysis::HandleOneChar` function. This may potentially be used to leak internal memory allocation information. The exploitability of this issue is not clear. **Recommendations** For Notepad++ versions 8.5.6 and prior, update to version 8.5.7 to resolve the issue. As a temporary workaround, consider disabling the `CharDistributionAnalysis::HandleOneChar` function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Notepad++ versions 8.5.6 and prior **Description** The issue is related to a global buffer read overflow in the `nsCodingStateMachine::NextStater` function. This may potentially be used to leak internal memory allocation information. The exploitability of this issue is not clear. **Recommendations** For Notepad++ versions 8.5.6 and prior, update to version 8.5.7 or later to resolve the issue. As a temporary workaround, consider restricting the use of the `nsCodingStateMachine::NextStater` function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Notepad++ versions 8.5.6 and prior **Description** The issue is related to a heap buffer read overflow in the `FileManager::detectLanguageFromTextBegining()` function. This may potentially be used to leak internal memory allocation information. The exploitability of this issue is not clear. **Recommendations** For versions 8.5.6 and prior, update to version 8.5.7 or later to resolve the issue. As a temporary workaround, consider disabling the `FileManager::detectLanguageFromTextBegining()` function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Notepad++ versions 8.5.6 and prior **Description** The issue is related to a heap buffer write overflow in the `Utf8 16 Read::convert` function, which may lead to arbitrary code execution when a user opens a specially crafted file. This can potentially allow an attacker to execute arbitrary code. **Recommendations** For versions 8.5.6 and prior, update to version 8.5.7 or later to resolve the issue. As a temporary workaround, consider avoiding the use of the `Utf8 16 Read::convert` function until a patch is available. Restrict access to potentially vulnerable files to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** stb image (affected versions not specified) **Description** The issue is related to the `stbi load gif main` function in the stb image library, which may lead to a memory leak or double-free if the caller chooses to free the `delays` memory only when the function returns a non-null value. The function may return a null value but fail to free the memory in `delays` if internally `stbi convert format` is called and fails. This could allow a remote attacker to access confidential data, compromise its integrity, or cause a denial of service. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** stb vorbis (affected versions not specified) **Description** The issue is related to a potential integer overflow in `sizeof(char*) * (f->comment list length)` which may cause `setup malloc` to allocate less memory than required. This can lead to a memory write past an allocated heap buffer in `start decoder` when a crafted file is processed. An attacker may exploit this issue to gain access to confidential data, disrupt data integrity, and cause a denial of service. The issue may also lead to code execution. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** stb image (affected versions not specified) **Description** The issue is related to the `stbi set flip vertically on load` function in the stb image library. When this function is set to `TRUE` and `req comp` is set to a number that doesn’t match the real number of components per pixel, the library attempts to flip the image vertically. This can trigger an out-of-bounds read in `memcpy` because `bytes per pixel` used to calculate `bytes per row` doesn’t match the real image array dimensions. A crafted image file can exploit this, potentially allowing a remote attacker to access confidential data or cause a denial of service. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** stb vorbis (affected versions not specified) **Description** The issue is related to a crafted file that may trigger an out of bounds write in `f->vendor[len] = (char)'0';`. This occurs when the length read in `start decoder` is `-1` and `len + 1` becomes 0 when passed to `setup malloc`. The `setup malloc` function behaves differently when `f->alloc.alloc buffer` is pre-allocated, shifting the pre-allocated buffer by zero and returning the currently available memory block instead of returning `NULL` as in the `malloc` case. This may lead to code execution. The vulnerability may allow an attacker to access confidential data, compromise its integrity, and cause a denial of service using a specially crafted file. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Nome do software vulnerável e versões afetadas** jsonxx (versões afetadas não especificadas) **Descrição** O problema está relacionado à análise de JSON no jsonxx, o que pode levar ao esgotamento da pilha em uma compilação com sanitização de endereços (ASAN). Isso pode causar uma negação de serviço caso o programa que utiliza a biblioteca jsonxx trave. O projeto foi arquivado e não há previsão de atualizações. **Recomendações** No momento, não há informações sobre uma versão mais recente que contenha uma correção para essa vulnerabilidade.

**Nome do software vulnerável e versões afetadas** jsonxx (versões afetadas não especificadas) **Descrição** O problema está relacionado ao uso da classe Value no jsonxx, o que pode levar à corrupção de memória por meio de uma liberação dupla ou de um uso após a liberação. Isso ocorre porque a classe Value possui um operador de atribuição padrão que pode ser usado com tipos de ponteiro, potencialmente apontando para dados alteráveis sem atualizar o próprio ponteiro. O projeto jsonxx foi arquivado e não são esperadas atualizações. **Recomendações** No momento, não há informações sobre uma versão mais recente que contenha uma correção para esta vulnerabilidade.

**Nome do software vulnerável e versões afetadas** Não há informações disponíveis sobre o software vulnerável e suas versões afetadas. **Descrição** A questão está relacionada a um problema de segurança, mas não foram fornecidos detalhes. **Recomendações** No momento, não há informações sobre uma versão mais recente que contenha uma correção para essa vulnerabilidade.