21727 matches found
sfcb in sblim-sfcb places a zero-length directory name in the LD_LIBRARY_PATH, which allows local users to gain privileges via a Trojan horse shared library in the current working directory.
...
The theme editor in Bolt allows remote authenticated users to execute arbitrary code by renaming a crafted file
...
realmd allows remote attackers to inject arbitrary configurations into sssd.conf and smb.conf
...
Multiple off-by-one errors in the (1) token and (2) linetoken functions in backend/dvi/mdvi-lib/afmparse.c in t1lib, as used in teTeX 3.0.x, GNOME evince, and possibly other products, allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a DVI file containing a crafted Adobe Font Metrics (AFM) file, different vulnerabilities than CVE-2010-2642 and CVE-2011-0433.
...
Heap-based buffer overflow in the linetoken function in afmparse.c in t1lib, as used in teTeX 3.0.x, GNOME evince, and possibly other products, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a DVI file containing a crafted Adobe Font Metrics (AFM) file, a different vulnerability than CVE-2010-2642.
...
Heap-based buffer overflow in the AFM font parser in the dvi-backend component in Evince 2.32 and earlier, teTeX 3.0, t1lib 5.1.2, and possibly other products allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted font in conjunction with a DVI file that is processed by the thumbnailer.
...
FreeRADIUS RADIUS server allows remote attackers to cause a denial of service (CPU consumption) via a flood of Access-Request packets.
...
Multiple stack-based buffer overflows in the (1) ExtractRnick and (2) decrypt_topic_332 functions in FiSH allow remote attackers to execute arbitrary code via long strings.
...
The parse_str function in (1) PHP, (2) Hardened-PHP, and (3) Suhosin, when called without a second parameter, might allow remote attackers to overwrite arbitrary variables by specifying variable names and values in the string to be parsed. NOTE: it is not clear whether this is a design limitation of the function or a bug in PHP, although it is likely to be regarded as a bug in Hardened-PHP and Suhosin.
...
AS/400 Telnet 5250 terminal emulation clients, as implemented by (1) IBM client access, (2) Bosanova, (3) PowerTerm, (4) Mochasoft, and possibly other emulations, allow malicious AS/400 servers to execute arbitrary commands via a STRPCO (Start PC Organizer) command followed by STRPCCMD (Start PC command), as demonstrated by creating a backdoor account using REXEC.
...
Buffer overflow in the slc_add_reply function in various BSD-based Telnet clients, when handling LINEMODE suboptions, allows remote attackers to execute arbitrary code via a reply with a large number of Set Local Character (SLC) commands.
...
Buffer overflow in efax 0.9 and earlier, when installed setuid root, allows local users to execute arbitrary code via a long -x argument.
...
efax 0.9 and earlier, when installed setuid root, allows local users to read arbitrary files via the -d option, which prints the contents of the file in a warning message.
...
The default configuration of NCSA Telnet package for Macintosh and PC enables FTP, even though it does not include an "ftp=yes" line, which allows remote attackers to read and modify arbitrary files.
...
A race condition in how procmail handles .procmailrc files allows a local user to read arbitrary files available to the user who is running procmail.
...
Sendmail WIZ command enabled, allowing root access.
...
A syntax error in the component proxy_tensor.py of pytorch v2.7.0 allows attackers to cause a Denial of Service (DoS).
...
In PyTorch before 2.7.0, bitwise_right_shift produces incorrect output for certain out-of-bounds values of the "other" argument.
...
Libsoup: out-of-bounds read in cookie date handling of libsoup http library
...
In PyTorch through 2.6.0, when eager is used, nn.PairwiseDistance(p=2) produces incorrect results.
...
Libxslt: use-after-free with key data stored cross-rvt
...
Glib-networking: out of bound reads on glib-networking through tls/openssl/gtlscertificate-openssl.c via "g_tls_certificate_openssl_get_property()"
...
Glib-networking: uninitialized memory dereferences on glib-networking through glib-networking/tls/openssl/gtlsbio.c via g_tls_bio_new_from_iostream() and g_tls_bio_new_from_datagram_based()
...
Squid through 7.1 mishandles ASN.1 encoding of long SNMP OIDs. This occurs in asn_build_objid in lib/snmplib/asn1.c.
...
hwmon: (drivetemp) Fix driver producing garbage data when SCSI errors occur
...
riscv: mm: Fix the out of bound issue of vmemmap address
...
fs: relax assertions on failure to encode file handles
...
ALSA: seq: oss: Fix races at processing SysEx messages
...
drm/dp_mst: Fix resetting msg rx state after topology removal
...
ASoC: topology: Fix references to freed memory
...
block: Fix page refcounts for unaligned buffers in __bio_release_pages()
...
x86/efistub: Call mixed mode boot services on the firmware's stack
...
media: aspeed: Fix memory overwrite if timing is 1600x900
...
Insecure file handling vulnerability
...
Libtiff: libtiff write-what-where
...
Fallback tar extraction in pip doesn't check symbolic links point to extraction directory
...
astral-tokio-tar has a path traversal in tar extraction
...
virtio-net: fix overflow inside virtnet_rq_alloc
...
ksmbd: discard write access to the directory open
...
xfs: don't walk off the end of a directory data block
...
ext4: fix uninitialized ratelimit_state->lock access in __ext4_fill_super()
...
ACPI: CPPC: Use access_width over bit_width for system memory accesses
...
net: ks8851: Handle softirqs at the end of IRQ thread to fix hang
...
Bluetooth: L2CAP: Fix not validating setsockopt user input
...
drm/panfrost: Fix the error path in panfrost_mmu_map_fault_addr()
...
dma-direct: Leak pages on dma_set_decrypted() failure
...
usb: typec: ucsi: Limit read size on v1.2
...
x86/coco: Require seeding RNG with RDRAND on CoCo systems
...
netfilter: bridge: replace physindev with physinif in nf_bridge_info
...
ceph: blocklist the kclient when receiving corrupted snap trace
...