Brian Carpenter

**Name of the Vulnerable Software and Affected Versions** Tor versions prior to 0.4.9.7 **Description** An out-of-bounds read occurs during cell payload processing when an END, a TRUNCATE, or a TRUNCATED cell lacks a reason in its payload. **Recommendations** Update to version 0.4.9.7 or later.

**Name of the Vulnerable Software and Affected Versions** Tor versions prior to 0.4.9.7 **Description** An out-of-bounds read of one byte can occur when processing a malformed BEGIN cell. **Recommendations** Update to version 0.4.9.7 or later.

**Name of the Vulnerable Software and Affected Versions** Tor versions prior to 0.4.9.7 **Description** A NULL pointer dereference occurs when a CERT cell is received out of order. A NULL pointer dereference is a runtime error that happens when a program attempts to read or write to a memory address that is NULL, often leading to a crash. **Recommendations** Update to version 0.4.9.7 or later.

**Name of the Vulnerable Software and Affected Versions** Tor versions prior to 0.4.9.7 **Description** A client crash can occur when circuit queue memory pressure exists due to a double close of a circuit. **Recommendations** Update to version 0.4.9.7 or later.

**Name of the Vulnerable Software and Affected Versions** Tor versions prior to 0.4.9.7 **Description** Tor mishandles the accounting of the conflux out-of-order queue during the process of clearing a queue. **Recommendations** Update to version 0.4.9.7 or later.

Name of the Vulnerable Software and Affected Versions: Firefox versions prior to 86 Description: The developer page about:memory has a Measure function for exploring what object types the browser has allocated and their sizes. When this function was invoked, the browser incorrectly called the sizeof function, instead of using the API method that checks for invalid pointers. Recommendations: For versions prior to 86, update to version 86 or later to resolve the issue. As a temporary workaround, consider avoiding the use of the Measure function on the about:memory page until the update is applied.

**Name of the Vulnerable Software and Affected Versions** Firefox versions prior to 84 **Description** The issue arises from the lifecycle of IPC Actors, where managed actors can outlive their manager actors. In such cases, the managed actors must ensure they do not attempt to use a dead actor they have a reference to. However, a check for this was omitted in WebGL, resulting in a use-after-free and a potentially exploitable crash. **Recommendations** For versions prior to 84, update to version 84 or later to resolve the issue. As a temporary workaround, consider disabling WebGL until a patch is available. Restrict access to WebGL-related functionalities to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: Firefox versions prior to 81 Description: The issue is related to the processing of surfaces, where the lifetime may outlive a persistent buffer, leading to memory corruption and a potentially exploitable crash. It is also associated with a WebGL component vulnerability that involves copying a buffer without checking the size of the input data, potentially allowing a remote attacker to execute arbitrary code. Recommendations: For versions prior to 81, update to version 81 or later to resolve the issue. As a temporary workaround, consider disabling the WebGL component until a patch is available. Restrict access to potentially vulnerable web pages to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Thunderbird versions prior to 68.6 Firefox versions prior to 74 Firefox ESR versions prior to 68.6 **Description** A use-after-free issue in the Quota manager can occur when removing data about an origin whose tab was recently closed, potentially leading to an exploitable crash. The issue is related to a memory management problem, where memory is accessed after it has been freed. This could allow a remote attacker to execute arbitrary code. **Recommendations** For Thunderbird versions prior to 68.6, update to version 68.6 or later. For Firefox versions prior to 74, update to version 74 or later. For Firefox ESR versions prior to 68.6, update to version 68.6 or later.

**Name of the Vulnerable Software and Affected Versions** MantisBT versions 2.1.0 through 2.17.0 **Description** A cross-site scripting (XSS) issue exists in the View Filters page and Edit Filter page, allowing remote attackers to inject arbitrary code through a crafted PATH INFO, provided that the Content Security Policy (CSP) settings permit it. **Recommendations** For MantisBT versions 2.1.0 through 2.17.0, update to a version that includes a complete fix for the issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** libcurl versions 7.34.0 through 7.64.0 **Description** The issue is related to a heap out-of-bounds read in the code handling the end-of-response for SMTP. This occurs when the buffer passed to `smtp endofresp()` is not null terminated and contains no character ending the parsed number, and `len` is set to 5. As a result, the `strtol()` call reads beyond the allocated buffer, but the read contents are not returned to the caller. The exploitation of this issue may allow a remote attacker to impact the confidentiality, integrity, and availability of protected information, potentially leading to a denial of service. **Recommendations** For libcurl versions 7.34.0 through 7.64.0, update to a version that contains a fix for this issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** curl versions 7.59.0 through 7.61.1 **Description** A heap use-after-free flaw was found in the code related to closing an easy handle. When closing and cleaning up an 'easy' handle in the `Curl close()` function, the library code first frees a struct (without nulling the pointer) and might then subsequently erroneously write to a struct field within that already freed struct. **Recommendations** For curl versions 7.59.0 through 7.61.1, consider updating to a version outside of this range to resolve the issue. As a temporary workaround, consider restricting the use of the `Curl close()` function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Curl versions 7.14.1 through 7.61.1 **Description** The issue is related to a heap-based buffer over-read in the `voutf()` function, which may result in information exposure and denial of service. This occurs due to flawed wrap logic when displaying warning and informational messages to stderr, causing the buffer arithmetic to calculate the remainder wrong and end up reading behind the end of the buffer. This could lead to information disclosure or crash, potentially resulting in a security issue if used in certain situations, such as a server using the curl command line to run something and showing stderr to the user, where user input can trigger the crash and disclose user memory contents. **Recommendations** For Curl versions 7.14.1 through 7.61.1, update to a version that contains a fix for this issue to prevent information exposure and denial of service. As a temporary workaround, consider restricting user input for parts of the command line input to prevent triggering the crash. Additionally, avoid using the `voutf()` function in situations where user input can cause the buffer over-read.

**Name of the Vulnerable Software and Affected Versions** Mozilla Network Security Services (NSS) (affected versions not specified) **Description** The issue allows context-dependent attackers to cause a denial of service, resulting in a floating point exception and crash, via a crafted cert8.db file. This is due to a problem in the ` hash open` function in hash.c. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** libcurl (affected versions not specified) **Description** The issue arises when an IMAP FETCH response line indicates that the returned data is zero bytes. In this case, libcurl passes on the non-existing data with a pointer and the size (zero) to the deliver-data function. This function treats zero as a magic number and invokes strlen() on the data to figure out the length. However, the strlen() is called on a heap-based buffer that might not be zero-terminated, which can cause libcurl to read beyond the end of the buffer into adjacent memory or crash. As a result, libcurl may deliver the incorrectly read data to the application as if it were actually downloaded. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** tcpdump versions prior to 4.9.2 **Description** The issue is related to a buffer over-read in the PPP parser, specifically in the handle mlppp() function within print-ppp.c. **Recommendations** For versions prior to 4.9.2, update to version 4.9.2 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** tcpdump versions prior to 4.9.2 **Description** The issue is related to a buffer over-read in the DECnet parser. A remote attacker could obtain sensitive information by sending a specially crafted request to exploit this issue in the HNCP component. **Recommendations** For versions prior to 4.9.2, update to version 4.9.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the HNCP component until the update is applied.

**Name of the Vulnerable Software and Affected Versions** libzip (affected versions not specified) **Description** A double free vulnerability exists in the zip dirent read function in zip dirent.c, which may allow attackers to have an unspecified impact. The vectors by which this issue can be exploited are unknown. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** curl (affected versions not specified) **Description** The issue arises from the "globbing" function in curl that parses numerical ranges in URLs. If a user provides a carefully crafted or wrongly written URL, curl may read a byte beyond the end of the URL. This can lead to incorrect behavior instead of crashing, as the URL is stored in a heap-based buffer. An example of a URL that triggers this flaw is `http://ur%20[0-60000000000000000000`. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Irssi versions prior to 1.0.4 **Description** An issue was discovered in Irssi where it would try to dereference a NULL pointer when receiving messages with invalid time stamps. **Recommendations** For versions prior to 1.0.4, update to version 1.0.4 or later to resolve the issue.