CVE-2022-23884: Mojang Bedrock Dedicated Server 1.18.2 is affected by an integer overflow leading to a bound check bypass caused by PurchaseReceiptPacket::_read (packet deserializer). No idea about affected versions, or a fix.
Is there more source than a picture? I am also not sure what version is affected. Picture shows "1.18.2.i64". I guess, 1.18.2.03 could be affected then, which is stable in tree. But we do also have 1.18.12.01, which is testing, but the newest one. https://nvd.nist.gov/vuln/detail/CVE-2022-23884 speaks clearly about 1.18.2.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e8cf87323fc984138c9c11e8a4eab0a85bf2c136

commit e8cf87323fc984138c9c11e8a4eab0a85bf2c136
Author:     Conrad Kostecki <conikost@gentoo.org>
AuthorDate: 2022-03-28 16:42:42 +0000
Commit:     Conrad Kostecki <conikost@gentoo.org>
CommitDate: 2022-03-28 16:42:58 +0000

    games-server/bedrock-server: drop 1.18.2.03

    Bug: https://bugs.gentoo.org/836327
    Signed-off-by: Conrad Kostecki <conikost@gentoo.org>

 games-server/bedrock-server/Manifest | 1 -
 .../bedrock-server/bedrock-server-1.18.2.03.ebuild | 54 ----------------------
 2 files changed, 55 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2e1f6bd12afbbfb6b8627e4f7e8aa2b56fc6786b

commit 2e1f6bd12afbbfb6b8627e4f7e8aa2b56fc6786b
Author:     Conrad Kostecki <conikost@gentoo.org>
AuthorDate: 2022-03-28 16:42:08 +0000
Commit:     Conrad Kostecki <conikost@gentoo.org>
CommitDate: 2022-03-28 16:42:08 +0000

    games-server/bedrock-server: amd64 stable

    Bug: https://bugs.gentoo.org/836327
    Signed-off-by: Conrad Kostecki <conikost@gentoo.org>

 games-server/bedrock-server/bedrock-server-1.18.12.01.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
https://github.com/nt1dr/CVE-2021-45383 includes a POC. But I am not really sure if I want to test that. Dump seems binary and I don't trust it from an unknown Github source. But Github clearly speaks of 1.18.2.03.
I've been able to confirm that 1.18.2.03 is affected and 1.18.12.01 is fixed. GLSAs are unlikely to be helpful for a software like this, so no GLSA. Minimal impact anyway. All done!
Thank you!