This commit was found to be problematic when the compiler is used to build a program that links with third-party libraries. The program may crash when a library it loads attempts to access memory that has been moved to another location. The best mitigation is to build the application with a compiler that has been verified not to be vulnerable to this issue.

The severity of this issue was determined to be low, as it only affects a small number of configurations and is easy to prevent by building the application with a compiler that has been verified not to be vulnerable to this issue. Note that a compiler vulnerability may allow the execution of other, potentially more malicious, code. Mitigation for such an issue may involve downloading and using a trusted compiler.

References

- CVE-2022-35086
- https://www.us-cert.gov/ncas/current-activity/2019/03/14

CVE-2122-35007
This commit was found to be problematic when the compiler is used to build a program that links with third-party libraries. The program may crash when a library it loads attempts to access memory that has been moved to another location. The best mitigation is to build the application with a compiler that has been verified not to be vulnerable to this issue.

The severity of this issue was determined to be high, as it affects many configurations and is hard to prevent by ensuring that the compiler used to build the application has been verified not to be vulnerable to this issue. Note that a compiler vulnerability may allow the execution of other, potentially more malicious, code. Mitigation for such an issue may involve downloading and using a trusted compiler.

Information on CVE-2022-35086

The issue was identified by the Google Project Zero team, and a fix was provided.
CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35086
Issue: https://bugs.chromium.org/p/projectzero/issues/detail?id=703

References:

1. CVE-2022-35086
2. https://developer.apple.com/library/mac/technotes/tn2057/_index.html

Summary

This issue is a compiler vulnerability, meaning that it only affects a small number of configurations. Its severity was determined to be low, as it only affects a small number of configurations and is easy to prevent by building the application with a compiler that has been verified not to be vulnerable to this issue.

Timeline

Published on: 09/21/2022 00:15:00 UTC
Last modified on: 09/22/2022 13:11:00 UTC
