mirror of
https://github.com/0xMarcio/cve.git
synced 2025-12-30 04:49:42 +00:00
1.6 KiB
1.6 KiB
CVE-2021-36159
Description
libfetch before 2021-07-26, as used in apk-tools, xbps, and other products, mishandles numeric strings for the FTP and HTTP protocols. The FTP passive mode implementation allows an out-of-bounds read because strtol is used to parse the relevant numbers into address bytes. It does not check if the line ends prematurely. If it does, the for-loop condition checks for the '\0' terminator one byte too late.
POC
Reference
Github
- https://github.com/ARPSyndicate/cvemon
- https://github.com/Frannc0/test2
- https://github.com/NeXTLinux/griffon
- https://github.com/SilveiraLeonardo/experimenting_mkdown
- https://github.com/VAN-ALLY/Anchore
- https://github.com/anchore/grype
- https://github.com/aymankhder/scanner-for-container
- https://github.com/isgo-golgo13/gokit-gorillakit-enginesvc
- https://github.com/khulnasoft-labs/griffon
- https://github.com/metapull/attackfinder
- https://github.com/mmartins000/sinker
- https://github.com/mvbalamca/image-vulnerability-checker-lib
- https://github.com/step-security-bot/griffon
- https://github.com/thecyberbaby/Trivy-by-AquaSecurity
- https://github.com/thecyberbaby/Trivy-by-aquaSecurity
- https://github.com/vissu99/grype-0.70.0