6585 matches found
smbfs -- chroot escape
Problem Description smbfs does not properly sanitize paths containing a backslash character; in particular the directory name '..' is interpreted as the parent directory by the SMB/CIFS server, but smbfs handles it in the same manner as any other directory. Impact When inside a chroot environment...
openssh -- remote denial of service
Problem description: Because OpenSSH and OpenPAM have conflicting designs one is event- driven while the other is callback-driven, it is necessary for OpenSSH to fork a child process to handle calls to the PAM framework. However, if the unprivileged child terminates while PAM authentication is...
ee -- temporary file privilege escalation
Problem description The ispellop function used by ee1 while executing spell check operations employs an insecure method of temporary file generation. This method produces predictable file names based on the process ID and fails to confirm which path will be over written with the user. It should b...
curl -- URL buffer overflow vulnerability
A Project cURL Security Advisory reports: libcurl's URL parser function can overflow a malloced buffer in two ways, if given a too long URL. 1 - pass in a URL with no protocol like "http://" prefix, using no slash and the string is 256 bytes or longer. This leads to a single zero byte overflow of...
gaim -- AIM/ICQ non-UTF-8 filename crash
The GAIM team reports: A remote user could cause Gaim to crash on some systems by sending the Gaim user a file whose filename contains certain invalid characters. It is unknown what combination of systems are affected, but it is suspected that Windows users and systems with older versions of GTK+...
devfs -- ruleset bypass
Problem description Due to insufficient parameter checking of the node type during device creation, any user can expose hidden device nodes on devfs mounted file systems within their jail. Device nodes will be created in the jail with their normal default access permissions. Impact Jailed process...
ekg -- insecure temporary file creation
Eric Romang reports that ekg creates temporary files in an insecure manner. This can be exploited by an attacker using a symlink attack to overwrite arbitrary files and possibly execute arbitrary commands with the permissions of the user running ekg...
acroread -- buffer overflow vulnerability
An Adobe Security Advisory reports: A vulnerability within Adobe Reader has been identified. Under certain circumstances, remote exploitation of a buffer overflow in Adobe Reader could allow an attacker to execute arbitrary code. If exploited, it could allow the execution of arbitrary code under...
kernel -- TCP connection stall denial of service
Problem Description Two problems have been discovered in the FreeBSD TCP stack. First, when a TCP packets containing a timestamp is received, inadequate checking of sequence numbers is performed, allowing an attacker to artificially increase the internal "recent" timestamp for a connection. Secon...
qpopper -- multiple privilege escalation vulnerabilities
Jens Steube reports that qpopper is vulnerable to a privilege escalation vulnerability. qpopper does not properly drop root privileges so that user supplied configuration and trace files can be processed with root privileges. This could allow a local attacker to create or modify arbitrary files...
kernel -- information disclosure when using HTT
Problem description and impact When running on processors supporting Hyper-Threading Technology, it is possible for a malicious thread to monitor the execution of another thread. Information may be disclosed to local users, allowing in many cases for privilege escalation. For example, on a...
qmail -- 64 bit integer overflows with possible remote code execution on large SMTP requests
Georgi Guninski writes: There are several issues with qmail on 64 bit platforms - classical integer overflow, pointer with signed index and signedness problem not counting the memory consumtion dos, which just helps. Update: the problem with the signed index is exploitable on Freebsd 5.4 amd64 wi...
portupgrade -- insecure temporary file handling vulnerability
Simon L. Nielsen discovered that portupgrade handles temporary files in an insecure manner. This could allow an unprivileged local attacker to execute arbitrary commands or overwrite arbitrary files with the permissions of the user running portupgrade, typically root, by way of a symlink attack...
phpmyadmin -- cross site scripting vulnerability
A phpMyAdmin security announcement reports: The convcharset parameter was not correctly validated, opening the door to a XSS attack...
sylpheed -- MIME-encoded file name buffer overflow vulnerability
Sylpheed is vulnerable to a buffer overflow when displaying emails with attachments that have MIME-encoded file names. This could be used by a remote attacker to crash sylpheed potentially allowing execution of arbitrary code with the permissions of the user running sylpheed...
xview -- multiple buffer overflows in xv_parse_one
A Debian Security Advisory reports: Erik Sjölund discovered that programs linked against xview are vulnerable to a number of buffer overflows in the XView library. When the overflow is triggered in a program which is installed setuid root a malicious user could perhaps execute arbitrary code as...
exim -- two buffer overflow vulnerabilities
The function hostaton can overflow a buffer if it is presented with an illegal IPv6 address that has more than 8 components. 2. The second report described a buffer overflow in the function spabase64tobits, which is part of the code for SPA authentication...
mplayer -- multiple vulnerabilities
iDEFENSE and the MPlayer Team have found multiple vulnerabilities in MPlayer: Potential heap overflow in Real RTSP streaming code Potential stack overflow in MMST streaming code Multiple buffer overflows in BMP demuxer Potential heap overflow in pnm streaming code Potential buffer overflow in...
isc-dhcpd -- format string vulnerabilities
The ISC DHCP programs are vulnerable to several format string vulnerabilities which may allow a remote attacker to execute arbitrary code with the permissions of the DHCP programs, typically root for the DHCP server...
acroread5 -- mailListIsPdf() buffer overflow vulnerability
An iDEFENSE Security Advisory reports: Remote exploitation of a buffer overflow in version 5.09 of Adobe Acrobat Reader for Unix could allow for execution of arbitrary code. The vulnerability specifically exists in a the function mailListIsPdf. This function checks if the input file is an email...
mpg123 -- buffer overflow in URL handling
Carlos Barros reports that mpg123 contains two buffer overflows. These vulnerabilities can potentially lead to execution of arbitrary code. The first buffer overflow can occur when mpg123 parses a URL with a user-name/password field that is more than 256 characters long. This problem can be...
Boundary checking errors in syscons
The syscons CONSSCRSHOT ioctl2 does insufficient validation of its input arguments. In particular, negative coordinates or large coordinates may cause unexpected behavior. It may be possible to cause the CONSSCRSHOT ioctl to return portions of kernel memory. Such memory might contain sensitive...
apache -- apr_uri_parse IPv6 address handling vulnerability
The Apache Software Foundation Security Team discovered a programming error in the apr-util library function apruriparse. When parsing IPv6 literal addresses, it is possible that a length is incorrectly calculated to be negative, and this value is passed to memcpy. This may result in an exploitab...
URI handler vulnerabilities in several browsers
Karol Wiesek and Greg MacManus reported via iDEFENSE that the Opera web browser contains a flaw in the handling of certain URIs. When presented with these URIs, Opera would invoke external commands to process them after some validation. However, if the hostname component of a URI begins with a -'...
heimdal kadmind remote heap buffer overflow
An input validation error was discovered in the kadmind code that handles the framing of Kerberos 4 compatibility administration requests. The code assumed that the length given in the framing was always two or more bytes. Smaller lengths will cause kadmind to read an arbitrary amount of data int...
Buffer overflows and format string bugs in Emil
Ulf Härnhammar reports multiple buffer overflows in Emil, some of which are triggered during the parsing of attachment filenames. In addition, some format string bugs are present in the error reporting code. Depending upon local configuration, these vulnerabilities may be exploited using speciall...
electron32 -- multiple vulnerabilities
Electron developers report: This update fixes the following vulnerabilities: Security: backported fix for CVE-2024-10230. Security: backported fix for CVE-2024-10231. Security: backported fix for CVE-2024-10229. Security: backported fix for CVE-2024-10487...
expat -- multiple vulnerabilities
libexpat reports: CVE-2024-45490: Calling function XMLParseBuffer with len 0 without noticing and then calling XMLGetBuffer will have XMLParseBuffer fail to recognize the problem and XMLGetBuffer corrupt memory. With the fix, XMLParseBuffer now complains with error XMLERRORINVALIDARGUMENT just li...
electron{27,28,29} -- multiple vulnerabilities
Electron develpers report: This update fixes the following vulnerabilities: Security: backported fix for CVE-2024-3515. Security: backported fix for CVE-2024-3516. Security: backported fix for CVE-2024-3157. Security: backported fix for CVE-2024-1580...
chromium -- multiple security fixes
Chrome Releases reports: This update includes 3 security fixes: 325893559 High CVE-2024-2173: Out of bounds memory access in V8. Reported by 5fceb6172bbf7e2c5a948183b53565b9 on 2024-02-19 325866363 High CVE-2024-2174: Inappropriate implementation in V8. Reported by 5f46f4ee2e17957ba7b39897fb376be...
chromium -- multiple security fixes
Chrome Releases reports: This update includes 4 security fixes: 1515930 High CVE-2024-0517: Out of bounds write in V8. Reported by Toan suto Pham of Qrious Secure on 2024-01-06 1507412 High CVE-2024-0518: Type Confusion in V8. Reported by Ganjiang Zhou@refrainareu of ChaMd5-H1 team on 2023-12-03...
strongSwan -- vulnerability in charon-tkm
strongSwan reports: A vulnerability in charon-tkm related to processing DH public values was discovered in strongSwan that can result in a buffer overflow and potentially remote code execution. All versions since 5.3.0 are affected...
Gitlab -- Vulnerabilities
Gitlab reports: Disclosure of CI/CD variables using Custom project templates GitLab omnibus DoS crash via OOM with CI Catalogs Parsing gitlab-ci.yml with large string via timeout input leads to Denial of Service DoS - Blocking FIFO files in Tar archives Titles exposed by service-desk template...
xorg-server -- Multiple vulnerabilities
The X.Org project reports: ZDI-CAN-22153/CVE-2023-5367: X.Org server: OOB write in XIChangeDeviceProperty/RRChangeOutputProperty When prepending values to an existing property an invalid offset calculation causes the existing values to be appended at the wrong offset. The resulting memcpy would...
chromium -- multiple vulnerabilities
Chrome Releases reports: This release contains 15 security fixes, including: 1402270 High CVE-2023-0696: Type Confusion in V8. Reported by Haein Lee at KAIST Hacking Lab on 2022-12-18 1341541 High CVE-2023-0697: Inappropriate implementation in Full screen mode. Reported by Ahmed ElMasry on...
emacs -- arbitary shell command execution vulnerability of ctags
lu4nx reports: GNU Emacs through 28.2 allows attackers to execute commands via shell metacharacters in the name of a source-code file, because lib-src/etags.c uses the system C library function in its implementation of the ctags program. For example, a victim may use the "ctags " command suggeste...
FreeBSD -- Multiple vulnerabilities in Heimdal
Problem Description: Multiple security vulnerabilities have been discovered in the Heimdal implementation of the Kerberos 5 network authentication protocols and KDC. CVE-2022-42898 PAC parse integer overflows CVE-2022-3437 Overflows and non-constant time leaks in DES,3 and arcfour CVE-2021-44758...
PostgreSQL Server -- execute arbitrary SQL code as DBA user
The PostgreSQL project reports: Confine additional operations within "security restricted operation" sandboxes. Autovacuum, CLUSTER, CREATE INDEX, REINDEX, REFRESH MATERIALIZED VIEW, and pgamcheck activated the "security restricted operation" protection mechanism too late, or even not at all in...
chromium -- multiple vulnerabilities
Chrome Releases reports: This release contains 30 security fixes, including: 1313905 High CVE-2022-1477: Use after free in Vulkan. Reported by SeongHwan Park SeHwa on 2022-04-06 1299261 High CVE-2022-1478: Use after free in SwiftShader. Reported by SeongHwan Park SeHwa on 2022-02-20 1305190 High...
Ruby -- Double free in Regexp compilation
piao reports: Due to a bug in the Regexp compilation process, creating a Regexp object with a crafted source string could cause the same memory to be freed twice. This is known as a "double free" vulnerability. Note that, in general, it is considered unsafe to create and use a Regexp object...
zgrep -- arbitrary file write
RedHat reports: An arbitrary file write vulnerability was found in GNU gzip's zgrep utility. When zgrep is applied on the attacker's chosen file name for example, a crafted file name, this can overwrite an attacker's content to an arbitrary attacker-selected file. This flaw occurs due to...
chromium -- multiple vulnerabilities
Chrome Releases reports: This release contains 11 security fixes, including: 1299422 Critical CVE-2022-0971: Use after free in Blink Layout. Reported by Sergei Glazunov of Google Project Zero on 2022-02-21 1301320 High CVE-2022-0972: Use after free in Extensions. Reported by Sergei Glazunov of...
openvpn -- Potential authentication by-pass with multiple deferred authentication plug-ins
David Sommerseth reports: OpenVPN 2.1 until v2.4.12 and v2.5.6 may enable authentication bypass in external authentication plug-ins when more than one of them makes use of deferred authentication replies, which allows an external user to be granted access with only partially correct credentials...
MariaDB -- Multiple vulnerabilities
MariaDB reports: MariaDB reports 5 vulnerabilities in supported versions resulting from fuzzing tests...
minio -- User privilege escalation
minio developers report: AddUser API endpoint was exposed to a legacy behavior. i.e it accepts a "policy" field This API is mainly used to create a user or update a user's password. However, a malicious client can hand-craft an HTTP API call that allows for updating Policy for a user and gaining...
go -- net/http: ReadRequest can stack overflow due to recursion with very large headers
The Go project reports: http.ReadRequest can stack overflow due to recursion when given a request with a very large header 8-10MB depending on the architecture. A http.Server which overrides the default max header of 1MB by setting Server.MaxHeaderBytes to a much larger value could also be...
curl -- TLS 1.3 session ticket proxy host mixup
Daniel Stenberg reports: Enabled by default, libcurl supports the use of TLS 1.3 session tickets to resume previous TLS sessions to speed up subsequent TLS handshakes. When using a HTTPS proxy and TLS 1.3, libcurl can confuse session tickets arriving from the HTTPS proxy but work as if they arriv...
vault -- unauthenticated license read
vault developers report: Limited Unauthenticated License Read: We addressed a security vulnerability that allowed for the unauthenticated reading of Vault licenses from DR Secondaries...
mutt -- authentication credentials being sent over an unencrypted connection
Kevin J. McCarthy reports: Mutt had incorrect error handling when initially connecting to an IMAP server, which could result in an attempt to authenticate without enabling TLS...
go -- math/big: panic during recursive division of very large numbers; cmd/go: arbitrary code execution at build time through cgo
The Go project reports: A number of math/big.Int methods Div, Exp, DivMod, Quo, Rem, QuoRem, Mod, ModInverse, ModSqrt, Jacobi, and GCD can panic when provided crafted large inputs. For the panic to happen, the divisor or modulo argument must be larger than 3168 bits on 32-bit architectures or 633...