CVE-2023-40294

Vulnerability

A heap-based buffer overflow exists in the ur_parseBlockI function within i_parse_blk.c in libboron version 2.0.8. The issue occurs when processing slightly malformed input, leading to a write beyond the allocated heap buffer. The vulnerable function is part of the Boron library, used by the boron executable. Affected versions: libboron 2.0.8.

Exploitation

An attacker can trigger the overflow by providing a crafted file to the boron application. No authentication is required if the attacker can supply the input file locally or remotely (e.g., over a network service). The provided proof-of-concept file ur_parseBlockI_overflow.b causes a crash with the message "malloc(): invalid size (unsorted)", as confirmed by address sanitizer. The vulnerability is reachable through standard input processing.

Impact

Successful exploitation results in heap memory corruption. This can lead to a denial of service (application crash) and potentially arbitrary code execution if the attacker can control the overflowed data. The exact impact depends on the surrounding memory layout and protections.

Mitigation

As of the publication date, no official fix or patched version has been released. Users are advised to monitor the project's repository [1] for updates and to avoid processing untrusted input with boron until a fix is available. No workaround is documented.