57 matches found
Eclipse Openj9 安全漏洞
Eclipse OpenJ9 is a Java application engine from the Eclipse Foundation. The product is primarily used to run Java applications. A security vulnerability exists in versions of Eclipse Openj9 prior to 0.35.0 that stems from its ability to inline interface calls without runtime type checking...
CVE-2020-26952
Incorrect bookkeeping of functions inlined during JIT compilation could have led to memory corruption and a potentially exploitable crash when handling out-of-memory errors. This vulnerability affects Firefox 83...
UBUNTU-CVE-2020-26952
Incorrect bookkeeping of functions inlined during JIT compilation could have led to memory corruption and a potentially exploitable crash when handling out-of-memory errors. This vulnerability affects Firefox 83...
gcc security and bug fix update
8.3.1-5.0.3 - Fix Orabug 29838827 - provide an option to adjust the maximum depth of nested include This is the same bug as gcc upstream PR90581 from Gcc9: gcc9-pr90581.patch - Fix Orabug 29541051 - confusing error message when there is a problem with ASANOPTIONS 'ERROR: expected '='' This is the...
Spidermonkey - IonMonkey Unexpected ObjectGroup in ObjectGroupDispatch Operation
Spidermonkey - IonMonkey Unexpected ObjectGroup in ObjectGroupDispatch Operation While fuzzing Spidermonkey, I encountered the following commented and modified JavaScript program which crashes debug builds of the latest release version of Spidermonkey from commit...
DEBIAN-CVE-2018-12387
A vulnerability where the JavaScript JIT compiler inlines Array.prototype.push with multiple arguments that results in the stack pointer being off by 8 bytes after a bailout. This leaks a memory address to the calling function which can be used as part of an exploit inside the sandboxed content...
UBUNTU-CVE-2018-12387
A vulnerability where the JavaScript JIT compiler inlines Array.prototype.push with multiple arguments that results in the stack pointer being off by 8 bytes after a bailout. This leaks a memory address to the calling function which can be used as part of an exploit inside the sandboxed content...
Microsoft Edge Chakra PathTypeHandlerBase::SetAttributesHelper Type Confusion
Microsoft Edge: Chakra: Type confusion with PathTypeHandlerBase::SetAttributesHelper CVE-2018-8384 Here's a snippet of PathTypeHandlerBase::SetAttributesHelper. PathTypeHandlerBase predTypeHandler = this; DynamicType currentType = instance-GetDynamicType; while predTypeHandler-GetPathLength...
Microsoft Edge Chakra - PathTypeHandlerBase::SetAttributesHelper Type Confusion
Microsoft Edge Chakra - PathTypeHandlerBase::SetAttributesHelper Type Confusion / Here's a snippet of PathTypeHandlerBase::SetAttributesHelper. PathTypeHandlerBase predTypeHandler = this; DynamicType currentType = instance-GetDynamicType; while predTypeHandler-GetPathLength propertyIndex...
Microsoft Edge Chakra PathTypeHandlerBase::SetAttributesHelper Type Confusion Exploit
Exploit for windows platform in category dos / poc Microsoft Edge: Chakra: Type confusion with PathTypeHandlerBase::SetAttributesHelper CVE-2018-8384 Here's a snippet of PathTypeHandlerBase::SetAttributesHelper. PathTypeHandlerBase predTypeHandler = this; DynamicType currentType =...
DEBIAN-CVE-2018-11408
The security handlers in the Security component in Symfony in 2.7.x before 2.7.48, 2.8.x before 2.8.41, 3.3.x before 3.3.17, 3.4.x before 3.4.11, and 4.0.x before 4.0.11 have an Open redirect vulnerability when security.httputils is inlined by a container. NOTE: this issue exists because of an...
Microsoft Edge Chakra JIT - Stack-to-Heap Copy (Incomplete Fix) Exploit
Exploit for windows platform in category dos / poc / Here's a snippet of JavascriptArray::BoxStackInstance. To fix issue 1420 , "deepCopy" was introduced. But it only deep-copies the array when "instance-head" is on the stack. So simply by adding a single line of code that allocates "head" to the...
postgresql: CASE/WHEN with inlining can cause untrusted pointer dereference
A flaw was found in the way PostgreSQL server handled certain SQL statements containing CASE/WHEN commands. A remote, authenticated attacker could use a specially crafted SQL statement to cause PostgreSQL to crash or disclose a few bytes of server memory or possibly execute arbitrary code...
postgresql: CASE/WHEN with inlining can cause untrusted pointer dereference
A flaw was found in the way PostgreSQL server handled certain SQL statements containing CASE/WHEN commands. A remote, authenticated attacker could use a specially crafted SQL statement to cause PostgreSQL to crash or disclose a few bytes of server memory or possibly execute arbitrary code...
postgresql: CASE/WHEN with inlining can cause untrusted pointer dereference
A flaw was found in the way PostgreSQL server handled certain SQL statements containing CASE/WHEN commands. A remote, authenticated attacker could use a specially crafted SQL statement to cause PostgreSQL to crash or disclose a few bytes of server memory or possibly execute arbitrary code...
postgresql: CASE/WHEN with inlining can cause untrusted pointer dereference
A flaw was found in the way PostgreSQL server handled certain SQL statements containing CASE/WHEN commands. A remote, authenticated attacker could use a specially crafted SQL statement to cause PostgreSQL to crash or disclose a few bytes of server memory or possibly execute arbitrary code...
postgresql: CASE/WHEN with inlining can cause untrusted pointer dereference
A flaw was found in the way PostgreSQL server handled certain SQL statements containing CASE/WHEN commands. A remote, authenticated attacker could use a specially crafted SQL statement to cause PostgreSQL to crash or disclose a few bytes of server memory or possibly execute arbitrary code...