552 matches found

Cvelist
added 2018/07/17 3:0 a.m., 12 views

CVE-2018-14337

The CHECK macro in mrbgems/mruby-sprintf/src/sprintf.c in mruby 1.4.1 contains a signed integer overflow, possibly leading to out-of-bounds memory access because the mrb_str_resize function in string.c does not check for a negative length...

AI score: 8.6, EPSS: 0.00364
Exploits: 1, References: 2
Debian CVE
added 2018/07/17 3:0 a.m., 25 views

CVE-2018-14337

The CHECK macro in mrbgems/mruby-sprintf/src/sprintf.c in mruby 1.4.1 contains a signed integer overflow, possibly leading to out-of-bounds memory access because the mrb_str_resize function in string.c does not check for a negative length...

CVSS: 7.5, AI score: 7.5, EPSS: 0.00364
Exploits: 1
Talos
added 2018/04/04 12:0 a.m., 44 views

Natus Xltek EEG NeuroWorks RequestForPatientInfoEEGfile Code Execution Vulnerability

Summary An exploitable Code Execution vulnerability exists in the RequestForPatientInfoEEGfile functionality of Natus Xltek NeuroWorks 8. A specially crafted network packet can cause a stack buffer overflow resulting in arbitrary command execution. An attacker can send a malicious packet to trigg...

CVSS: 10, AI score: 9.9, EPSS: 0.0177
Exploits: 0
RedHat Linux
added 2018/03/26 10:20 a.m., 2 views

ruby: Buffer underrun vulnerability in Kernel.sprintf

A buffer underflow was found in ruby's sprintf function. An attacker, with ability to control its format string parameter, could send a specially crafted string that would disclose heap memory or crash the interpreter...

CVSS: 9.1, AI score: 7.4, EPSS: 0.01399
Exploits: 1, References: 5
RedHat Linux
added 2018/03/26 9:39 a.m., 2 views

ruby: Buffer underrun vulnerability in Kernel.sprintf

A buffer underflow was found in ruby's sprintf function. An attacker, with ability to control its format string parameter, could send a specially crafted string that would disclose heap memory or crash the interpreter...

CVSS: 9.1, AI score: 7.4, EPSS: 0.01399
Exploits: 1, References: 5
Tenable Nessus
added 2018/03/20 12:0 a.m., 32 views

EulerOS 2.0 SP1 : ruby (EulerOS-SA-2018-1066)

According to the versions of the ruby packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - It was discovered that the Net::FTP module did not properly process filenames in combination with certain operations. A remote attacker could...

CVSS: 9.8, AI score: 7.9, EPSS: 0.88646
Exploits: 14, References: 12
UbuntuCve
added 2018/03/08 6:29 p.m., 18 views

CVE-2018-7867

There is a heap-based buffer overflow in the getString function of util/decompile.c in libming 0.4.8 during a RegisterNumber sprintf. A Crafted input will lead to a denial of service attack...

CVSS: 6.5, AI score: 7.1, EPSS: 0.00563
Exploits: 1, References: 3
RedHat Linux
added 2017/12/19 8:37 a.m., 1 views

ruby: Buffer underrun vulnerability in Kernel.sprintf

A buffer underflow was found in ruby's sprintf function. An attacker, with ability to control its format string parameter, could send a specially crafted string that would disclose heap memory or crash the interpreter...

CVSS: 9.1, AI score: 7.4, EPSS: 0.01399
Exploits: 1, References: 5
Tenable Nessus
added 2017/11/13 12:0 a.m., 39 views

Debian DSA-4031-1 : ruby2.3 - security update

Several vulnerabilities have been discovered in the interpreter for the Ruby language. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2017-0898 aerodudrizzt reported a buffer underrun vulnerability in the sprintf method of the Kernel module resulting in...

CVSS: 9.8, AI score: 7.6, EPSS: 0.0818
Exploits: 2, References: 14
Amazon
added 2017/10/26 12:0 a.m., 61 views

Medium: ruby24

Issue Overview: Arbitrary heap exposure during a JSON.generate call Ruby through 2.2.7, 2.3.x through 2.3.4, and 2.4.x through 2.4.1 can expose arbitrary memory during a JSON.generate call. The issue lies in using strdup in ext/json/ext/generator/generator.c, which will stop after encountering a...

CVSS: 9.8, AI score: 9.8, EPSS: 0.20215
Exploits: 8
Hacker One
added 2017/09/24 4:13 p.m., 19 views

Internet Bug Bounty: Format string implementation vulnerability, resulting in code execution

In a security audit to the sprintf implementation in perl version 5.24.1 I found a major security vulnerability, here are the full details. Timeline: ====== 6th of May, 2017 - disclosure to the PERL security mailing list 8th of May, 2017 - vulnerability confirmed by PERL's security group, found...

AI score: 7.7
Exploits: 0
RubySec
added 2017/09/14 12:0 a.m., 2 views

Buffer underrun vulnerability in Kernel.sprintf

There is a buffer underrun vulnerability in the sprintf method of Kernel module. If a malicious format string which contains a precious specifier is passed and a huge minus value is also passed to the specifier, buffer underrun may be caused. In such situation, the result may contain heap, or th...

CVSS: 9.1, AI score: 7.5, EPSS: 0.01399
Exploits: 1, References: 1, Affected Software: 1
Hacker One
added 2017/03/10 11:48 a.m., 47 views

Ruby: sprintf combined format string attack

In a ticket that was also reported to "shopify-scripts" regarding "MRuby", I reported in detail a combined attack against the sprintf gem: Information leak Heap buffer underflow The full ticket details can be found in: Ticket 212239 The ticket was opened several minutes ago but I add it in case ...

CVSS: 6.4, AI score: 8.1, EPSS: 0.01399
Exploits: 1
Hacker One
added 2017/03/10 11:35 a.m., 34 views

shopify-scripts: sprintf gem - format string combined attack

In the sprintf gem, NOT included in mruby-engine, there are severe vulnerabilities, including information leak, and heap buffer overflow. Here are the technical details. Technical Error 1: ============== The CHECKl macro can sometimes receive negative values, that will bypass the size checks, sin...

AI score: 7.3
Exploits: 0
Hacker One
added 2017/02/08 3:18 p.m., 15 views

shopify-scripts: segfault in mruby's sprintf - mrb_str_format

The mruby sprintf gem out of scope of mruby-engine can be crashed when using a hostile "width" value in the format string. Exploit Script =========== ruby s = "hello" sprintf"abcdefghijklmnopqrstuvwxyz % 2147483640s", s Here is the core dump: Core was generated by...

AI score: 7
Exploits: 0
Oracle linux
added 2017/01/12 12:0 a.m., 88 views

Unbreakable Enterprise kernel security update

kernel-uek 3.8.13-118.16.2 - net: avoid signed overflows for SO_{SND|RCV}BUFFORCE Eric Dumazet Orabug: 25203623 CVE-2016-9793 3.8.13-118.16.1 - nvme: Limit command retries Ashok Vairavan Orabug: 25374794 - tcp: fix use after free in tcp_xmit_retransmit_queue Eric Dumazet Orabug: 25374371 CVE-2016-6828 ...

CVSS: 7.8, AI score: 2, EPSS: 0.47355
Exploits: 28
Hacker One
added 2016/12/18 5:30 a.m., 12 views

Ruby: Buffer underflow in sprintf

Hi, So I found this in mruby as part of the shopify-scripts program, and I notice that my patch also landed upstream in ruby as well. Shame on me for not checking ruby as well! Wondered if it counted for a bounty here as well? https://github.com/mruby/mruby/issues/3347 - issue that shopify guys...

AI score: 0.2
Exploits: 0
Hacker One
added 2016/12/15 7:52 a.m., 19 views

shopify-scripts: Invalid memory access in `mrb_str_format`

Only affects mruby because mruby-engine doesn't have sprintf. I should have filed this last friday before I went to the pub, so missed out on higher bounties. Oh well! Crash file is: sprintf"%1$c", 0 Crash is: $ lldb ./bin/mruby ../crash.rb lldb target create "./bin/mruby" Current executable set ...

AI score: 1.1
Exploits: 0
Tenable Nessus
added 2016/06/14 12:0 a.m., 36 views

Debian DLA-513-1 : nspr security update

It was discovered that there was a buffer overflow in a sprintf utility within nspr, the NetScape Portable Runtime library. For Debian 7 'Wheezy', this issue has been fixed in nspr version 2:4.9.2-1+deb7u4. We recommend that you upgrade your nspr packages. NOTE: Tenable Network Security has...

CVSS: 8.6, AI score: 7.9, EPSS: 0.00823
Exploits: 0, References: 3
OSV
added 2016/06/12 12:0 a.m., 22 views

DLA-513-1 nspr - security update

Bulletin has no description...

CVSS: 8.6, AI score: 8.4, EPSS: 0.00823
Exploits: 0