Saidakbarxon Maxsudxonov

An integer overflow in the mtar next() function in src/microtar.c in rxi microtar 0.1.0 allows a remote attacker to cause a denial of service (uncontrolled CPU consumption / infinite loop) via a crafted tar archive. mtar next() computes the offset to the next record as round up(h.size, 512) + sizeof(mtar raw header t) using 32-bit arithmetic. When the header size field is a multiple of 512 in the range 0xFFFFFC01-0xFFFFFE00 (e.g. 0xFFFFFE00), the addition wraps to 0, so mtar next() seeks to the current record position instead of advancing. As a result, mtar find() and any loop that iterates entries with mtar next() repeat indefinitely over the same record, hanging the process at 100% CPU with no recovery.

**Name of the Vulnerable Software and Affected Versions** rxi microtar version 0.1.0 **Description** A stack-based buffer overflow occurs in the `raw to header()` function within `src/microtar.c`. The function uses `strcpy()` to copy 100-byte name and linkname fields of a TAR header without ensuring the source is null-terminated. Because the POSIX ustar format allows these fixed-width fields to be fully populated with non-null bytes, a crafted archive where the linkname field and subsequent padding lack a null terminator causes `strcpy()` to read and write beyond the boundaries of the 512-byte raw header stack buffer. A remote attacker can trigger this by providing a malicious TAR archive to be processed via `mtar open()`, `mtar read header()`, or `mtar find()`, leading to an out-of-bounds read and a stack buffer overflow, which may result in a denial of service or arbitrary code execution. **Recommendations** For version 0.1.0, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Pimcore CMS/DXP version 12.3.8 **Description** A sandbox bypass allows authenticated administrative attackers to execute arbitrary methods on PHP objects. This occurs due to empty `checkMethodAllowed()` and `checkPropertyAllowed()` implementations within the custom Twig SecurityPolicy. By supplying malicious Twig templates through the 'DataObject ClassDefinition LayoutText' component, attackers can perform arbitrary file reads and execute arbitrary database queries. Furthermore, the `pimcore *` function wildcard extends the bypass to all Pimcore Twig functions, potentially leading to remote code execution via PHP object gadget chains. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Typemill versions prior to 2.24.0 **Description** Authenticated attackers with Author-level privileges can read arbitrary files outside the content directory. This is possible by supplying traversal sequences in the `path` query parameter passed to the `getFile()` function within the `Storage` class when an empty folder argument is used. This action bypasses the traversal-prevention controls implemented in the `getFolderPath()` function. **Recommendations** Update to version 2.24.0 or later. As a temporary workaround, restrict access to the `getFile()` function or monitor the `path` parameter for traversal sequences.

**Name of the Vulnerable Software and Affected Versions** LiamBindle MQTT-C versions prior to 1.1.7 **Description** A heap-based out-of-bounds read and integer underflow exist in the `mqtt unpack publish response()` function within `src/mqtt.c`. A remote unauthenticated attacker who controls an MQTT broker or can inject traffic into an unencrypted session can cause a subscribed client to crash and potentially disclose adjacent heap memory by sending a crafted PUBLISH packet. The issue occurs because the function fails to verify that the `topic name size` field, read from the packet, plus overhead fits within the `remaining length` of the fixed-header. This leads to an integer underflow when calculating `application message size` using unsigned arithmetic, which is then passed to `memmove()`. For example, a packet with `topic name size` set to 0xFFFF and `remaining length` set to 7 causes the parse pointer to advance 65535 bytes beyond the receive buffer and results in an `application message size` near 2^32, crashing the process. **Recommendations** Update to a version later than 1.1.6. As a temporary workaround, restrict access to the `mqtt unpack publish response()` function or avoid connecting to untrusted MQTT brokers until a patch is applied.

microtar through 0.1.0 contains a stack-based buffer overflow vulnerability in the raw to header() function in src/microtar.c that allows attackers to corrupt adjacent stack memory by supplying a crafted TAR archive with non-null-terminated name or linkname fields. The function uses strcpy() to copy 100-byte ustar format fields that lack null terminators, causing writes of up to 355 bytes into a 100-byte destination buffer when mtar open(), mtar find(), or mtar read header() process attacker-supplied TAR archives.