CVE-2023-42459 – Malformed DATA submessage leads to bad-free error in Fast-DDS
https://notcve.org/view.php?id=CVE-2023-42459
Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group). In affected versions specific DATA submessages can be sent to a discovery locator which may trigger a free error. This can remotely crash any Fast-DDS process. The call to free() could potentially leave the pointer in the attackers control which could lead to a double free. This issue has been addressed in versions 2.12.0, 2.11.3, 2.10.3, and 2.6.7. • https://github.com/eProsima/Fast-DDS/issues/3207 https://github.com/eProsima/Fast-DDS/pull/3824 https://github.com/eProsima/Fast-DDS/security/advisories/GHSA-gq8g-fj58-22gm https://www.debian.org/security/2023/dsa-5568 • CWE-415: Double Free CWE-416: Use After Free CWE-590: Free of Memory not on the Heap •
CVE-2023-39947 – Another heap overflow in push_back_helper
https://notcve.org/view.php?id=CVE-2023-39947
eprosima Fast DDS is a C++ implementation of the Data Distribution Service standard of the Object Management Group. Prior to versions 2.11.1, 2.10.2, 2.9.2, and 2.6.6, even after the fix at commit 3492270, malformed `PID_PROPERTY_LIST` parameters cause heap overflow at a different program counter. This can remotely crash any Fast-DDS process. Versions 2.11.1, 2.10.2, 2.9.2, and 2.6.6 contain a patch for this issue. eprosima Fast DDS es una implementación en C++ del estándar Data Distribution Service del Object Management Group. Antes de las versiones 2.11.1, 2.10.2, 2.9.2, y 2.6.6, incluso después de la corrección en el commit 3492270, los parámetros malformados `PID_PROPERTY_LIST` causan desbordamiento de heap en un contador de programa diferente. • https://github.com/eProsima/Fast-DDS/commit/349227005827e8a67a0406b823138b5068cc47dc https://github.com/eProsima/Fast-DDS/security/advisories/GHSA-mf55-5747-c4pv https://www.debian.org/security/2023/dsa-5481 • CWE-122: Heap-based Buffer Overflow CWE-787: Out-of-bounds Write •
CVE-2023-39946 – Heap overflow in push_back_helper due to a CDR message
https://notcve.org/view.php?id=CVE-2023-39946
eprosima Fast DDS is a C++ implementation of the Data Distribution Service standard of the Object Management Group. Prior to versions 2.11.1, 2.10.2, 2.9.2, and 2.6.6, heap can be overflowed by providing a PID_PROPERTY_LIST parameter that contains a CDR string with length larger than the size of actual content. In `eprosima::fastdds::dds::ParameterPropertyList_t::push_back_helper`, `memcpy` is called to first copy the octet'ized length and then to copy the data into `properties_.data`. At the second memcpy, both `data` and `size` can be controlled by anyone that sends the CDR string to the discovery multicast port. This can remotely crash any Fast-DDS process. • https://github.com/eProsima/Fast-DDS/commit/349227005827e8a67a0406b823138b5068cc47dc https://github.com/eProsima/Fast-DDS/security/advisories/GHSA-j297-rg6j-m7hx https://www.debian.org/security/2023/dsa-5481 • CWE-122: Heap-based Buffer Overflow CWE-787: Out-of-bounds Write •