DarkFlippers/unleashed-firmware

Security Vulnerability - Action Required: Out-of-bounds Write vulnerability may exist in your project

Closed this issue · 1 comment

Describe the bug.

Hi,
we have detected that your project may be vulnerable to Out-of-bounds Write in the function nfc_device_load_mifare_ul_data in the file lib/nfc/nfc_device.c. It shares similarities to a recent CVE disclosure https://nvd.nist.gov/vuln/detail/CVE-2022-40363 in the https://github.com/flipperdevices/flipperzero-firmware.
The source vulnerability information is as follows:

Vulnerability Detail:
CVE Identifier: CVE-2022-40363
Description: A buffer overflow in the component nfc_device_load_mifare_ul_data of Flipper Devices Inc., Flipper Zero before v0.65.2 allows attackers to cause a Denial of Service (DoS) via a crafted NFC file.
Reference: https://nvd.nist.gov/vuln/detail/CVE-2022-40363
Patch: flipperdevices/flipperzero-firmware@8d8481b

Would you help to check if this bug is true? If it's true, I'd like to open a PR for that if necessary. Thank you for your effort and patience!

Reproduction

It is similar to CVE-2022-40363.

Target

No response

Logs

No response

Anything else?

No response

Hello!
nfc_device_load_mifare_ul_data is not present in the codebase since the NFC refactor; the link you provided points to an issue that was fixed 2 years ago in the official firmware and then merged into our project.