The sock_alloc_send_pskb function in net/core/sock.c in the Linux kernel before 3.4.5 does not properly validate a certain length value, which allows local users to cause a denial of service (heap-based buffer overflow and system crash) or possibly gain privileges by leveraging access to a TUN/TAP device.

'816289?cve=title' is not a valid bug number nor an alias to a bug.

Please press **Back** and try again.

CVE-2012-2136: Invalid Bug ID

Integer overflow in the phar_parse_tarfile function in tar.c in the phar extension in PHP before 5.3.14 and 5.4.x before 5.4.4 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted tar file that triggers a heap-based buffer overflow.

CVE-2012-2386

The rose_parse_ccitt function in net/rose/rose_subr.c in the Linux kernel before 2.6.39 does not validate the FAC_CCITT_DEST_NSAP and FAC_CCITT_SRC_NSAP fields, which allows remote attackers to (1) cause a denial of service (integer underflow, heap memory corruption, and panic) via a small length value in data sent to a ROSE socket, or (2) conduct stack-based buffer overflow attacks via a large length value in data sent to a ROSE socket.

'770777?cve=title' is not a valid bug number nor an alias to a bug.

Please press **Back** and try again.

CVE-2011-4913: Invalid Bug ID

Heap-based buffer overflow in the proxy_connect function in src/client.c in CVS 1.11 and 1.12 allows remote HTTP proxy servers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted HTTP response.

Image

Featured Details

**Multiple ways to consume Secunia Research**

Secunia delivers software security research that provides reliable, curated and actionable vulnerability intelligence. Organizations can expect to receive standardized, validated and enriched vulnerability research on a specific version of a software product. Secunia Research supports four solutions:

SVG

**Data Platform**

Data Platform leverages Secunia Research to provide high-level insights based on major or minor versions of software in your normalized inventory

Learn More

SVG

**Flexera One**

Flexera One utilizes Secunia Research (alongside public NVD data) to provide more granular matching of build-level versions of software in your normalized inventory within its IT Asset Management and IT Visibility solutions

Learn More

How it works

**Accurate, reliable vulnerability insights at your fingertips**

The Secunia Research team from Flexera is comprised of several security specialists who conduct vulnerability research in various products in addition to testing, verifying and validating public vulnerability reports. Since its inception in 2002, the goal of the Secunia Research team is to provide the most accurate and reliable source of vulnerability intelligence.

Delivering the world’s best vulnerability intelligence requires skill and passion. Team members continually develop their skills exploring various high-profile closed and open-source software using a variety of approaches, focusing chiefly on thorough code audits and binary analysis. The team has received industry recognition, including naming members to Microsoft’s Most Valuable Security Researchers list.

Secunia researchers discover hard-to-find vulnerabilities that aren’t normally identified with techniques such as fuzzing, and the results have been impressive. Members of the Secunia Research team have discovered critical vulnerabilities in products from vendors including Microsoft, Symantec, IBM, Adobe, RealNetworks, Trend Micro, HP, Blue Coat, Samba, CA, Mozilla and Apple.

The team produces invaluable security advisories based on research of the vulnerabilities affecting any given software update. Sometimes a single update can address multiple vulnerabilities of varying criticalities and threats; but these advisories aggregate and distill findings down to a single advisory perfect for the prioritization of patching efforts within Software Vulnerability Manager. Criticality scores are consistently applied along with details around attack vector and other valuable details within Software Vulnerability Research. Illegitimate vulnerability reports are also investigated and rejected so you can focus only on what truly matters.

CVE-2012-0804: About Secunia Research | Flexera

protocol.c in the Apache HTTP Server 2.2.x through 2.2.21 does not properly restrict header information during construction of Bad Request (aka 400) error documents, which allows remote attackers to obtain the values of HTTPOnly cookies via vectors involving a (1) long or (2) malformed header in conjunction with crafted web script.

CVE-2012-0053: Apache HTTP Server 2.2 vulnerabilities

Buffer overflow in the xfs_readlink function in fs/xfs/xfs_vnodeops.c in XFS in the Linux kernel 2.6, when CONFIG_XFS_DEBUG is disabled, allows local users to cause a denial of service (memory corruption and crash) and possibly execute arbitrary code via an XFS image containing a symbolic link with a long pathname.

*   Products
    *   Openwall GNU/\*/Linux   _server OS_
    *   Linux Kernel Runtime Guard
    *   John the Ripper   _password cracker_
        *   Free & Open Source for any platform
        *   in the cloud
        *   Pro for Linux
        *   Pro for macOS
    *   Wordlists   _for password cracking_
    *   passwdqc   _policy enforcement_
        *   Free & Open Source for Unix
        *   Pro for Windows (Active Directory)
    *   yescrypt   _KDF & password hashing_
    *   yespower   _Proof-of-Work (PoW)_
    *   crypt\_blowfish   _password hashing_
    *   phpass   _ditto in PHP_
    *   tcb   _better password shadowing_
    *   Pluggable Authentication Modules
    *   scanlogd   _port scan detector_
    *   popa3d   _tiny POP3 daemon_
    *   blists   _web interface to mailing lists_
    *   msulogin   _single user mode login_
    *   php\_mt\_seed   _mt\_rand() cracker_
*   Services
*   Publications
    *   Articles
    *   Presentations
*   Resources
    *   Mailing lists
    *   Community wiki
    *   Source code repositories (GitHub)
    *   Source code repositories (CVSweb)
    *   File archive & mirrors
    *   How to verify digital signatures
    *   OVE IDs
*   What's new

CVE-2011-4077: oss-security - CVE Request -

Stack-based buffer overflow in the hfs_mac2asc function in fs/hfs/trans.c in the Linux kernel 2.6 allows local users to cause a denial of service (crash) and possibly execute arbitrary code via an HFS image with a crafted len field.

CVE-2011-4330

Multiple buffer overflows in the si4713_write_econtrol_string function in drivers/media/radio/si4713-i2c.c in the Linux kernel before 2.6.39.4 on the N900 platform might allow local users to cause a denial of service or have unspecified other impact via a crafted s_ext_ctrls operation with a (1) V4L2_CID_RDS_TX_PS_NAME or (2) V4L2_CID_RDS_TX_RADIO_TEXT control ID.

CVE-2011-2700

CVE-2011-2698 wireshark: Infinite loop in the ANSI A Interface (IS-634/IOS) dissector

**updates at fedoraproject.org** updates at fedoraproject.org  
_Wed Aug 10 03:22:21 UTC 2011_

*   Previous message: Fedora 15 Update: java-service-wrapper-3.2.5-2.fc15
*   Next message: Fedora 14 Update: plowshare-0.9.4-0.10.svn1645.fc14
*   **Messages sorted by:** \[ date \] \[ thread \] \[ subject \] \[ author \]

\--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2011-9640
2011-07-23 01:34:01
--------------------------------------------------------------------------------

Name        : wireshark
Product     : Fedora 14
Version     : 1.4.8
Release     : 1.fc14
URL         : http://www.wireshark.org/
Summary     : Network traffic analyzer
Description :
Wireshark is a network traffic analyzer for Unix-ish operating systems.

This package lays base for libpcap, a packet capture and filtering
library, contains command-line utilities, contains plugins and
documentation for wireshark. A graphical user interface is packaged
separately to GTK+ package.

--------------------------------------------------------------------------------
Update Information:

Wireshark 1.4.8 fixes the following vulnerabilities:

The Lucent/Ascend file parser was susceptible to an infinite loop. CVE-2011-2597.
The ANSI MAP dissector was susceptible to an infinite loop. CVE-2011-2698.
--------------------------------------------------------------------------------
ChangeLog:

\* Thu Jun  2 2011 Jan Safranek <jsafrane at redhat.com\> - 1.4.8-1
- upgrade to 1.4.8
- see http://www.wireshark.org/docs/relnotes/wireshark-1.4.8.html
\* Thu Jun  2 2011 Jan Safranek <jsafrane at redhat.com\> - 1.4.7-1
- upgrade to 1.4.7
- see http://www.wireshark.org/docs/relnotes/wireshark-1.4.7.html
\* Thu May 19 2011 Steve Dickson <steved at redhat.com\> - 1.4.6-2
- Improved the NFS4.1 patcket dissectors
\* Tue Apr 19 2011 Jan Safranek <jsafrane at redhat.com\> - 1.4.6-1
- upgrade to 1.4.6
- see http://www.wireshark.org/docs/relnotes/wireshark-1.4.6.html
\* Mon Apr 18 2011 Jan Safranek <jsafrane at redhat.com\> - 1.4.5-1
- upgrade to 1.4.5
- see http://www.wireshark.org/docs/relnotes/wireshark-1.4.5.html
\* Thu Mar  3 2011 Jan Safranek <jsafrane at redhat.com\> - 1.4.4-1
- upgrade to 1.4.4
- see http://www.wireshark.org/docs/relnotes/wireshark-1.4.4.html
\* Mon Jan 17 2011 Jan Safranek <jsafrane at redhat.com\> - 1.4.2-3
- upgrade to 1.4.3
- see http://www.wireshark.org/docs/relnotes/wireshark-1.4.3.html
\* Wed Jan  5 2011 Jan Safranek <jsafrane at redhat.com\> - 1.4.2-2
- fixed buffer overflow in ENTTEC dissector (#666897)
\* Mon Nov 22 2010 Jan Safranek <jsafrane at redhat.com\> - 1.4.2-1
- upgrade to 1.4.2
- see http://www.wireshark.org/docs/relnotes/wireshark-1.4.2.html
\* Mon Nov  1 2010 Jan Safranek <jsafrane at redhat.com\> - 1.4.1-2
- temporarily disable zlib until
  https://bugs.wireshark.org/bugzilla/show\_bug.cgi?id=4955 is resolved (#643461)
\* Fri Oct 22 2010 Jan Safranek <jsafrane at redhat.com\> - 1.4.1-1
- upgrade to 1.4.1
- see http://www.wireshark.org/docs/relnotes/wireshark-1.4.1.html
- Own the %{\_libdir}/wireshark dir (#644508)
- associate \*.pcap files with wireshark (#641163)
\* Tue Oct  5 2010 jkeating - 1.4.0-2.1
- Rebuilt for gcc bug 634757
--------------------------------------------------------------------------------
References:

  \[ 1 \] Bug #719753 - CVE-2011-2597 wireshark: infinite loop DoS in lucent/ascend file parser
        https://bugzilla.redhat.com/show\_bug.cgi?id=719753
  \[ 2 \] Bug #723215 - CVE-2011-2698 wireshark: Infinite loop in the ANSI A Interface (IS-634/IOS) dissector
        https://bugzilla.redhat.com/show\_bug.cgi?id=723215
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program.  Use 
su -c 'yum update wireshark' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key.  More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------

*   Previous message: Fedora 15 Update: java-service-wrapper-3.2.5-2.fc15
*   Next message: Fedora 14 Update: plowshare-0.9.4-0.10.svn1645.fc14
*   **Messages sorted by:** \[ date \] \[ thread \] \[ subject \] \[ author \]

More information about the package-announce mailing list

CVE-2011-2698: [SECURITY] Fedora 14 Update: wireshark-1.4.8-1.fc14

CVE-2011-2696 libsndfile: Application crash due integer overflow by processing certain PAF audio files

*   Products
    *   Openwall GNU/\*/Linux   _server OS_
    *   Linux Kernel Runtime Guard
    *   John the Ripper   _password cracker_
        *   Free & Open Source for any platform
        *   in the cloud
        *   Pro for Linux
        *   Pro for macOS
    *   Wordlists   _for password cracking_
    *   passwdqc   _policy enforcement_
        *   Free & Open Source for Unix
        *   Pro for Windows (Active Directory)
    *   yescrypt   _KDF & password hashing_
    *   yespower   _Proof-of-Work (PoW)_
    *   crypt\_blowfish   _password hashing_
    *   phpass   _ditto in PHP_
    *   tcb   _better password shadowing_
    *   Pluggable Authentication Modules
    *   scanlogd   _port scan detector_
    *   popa3d   _tiny POP3 daemon_
    *   blists   _web interface to mailing lists_
    *   msulogin   _single user mode login_
    *   php\_mt\_seed   _mt\_rand() cracker_
*   Services
*   Publications
    *   Articles
    *   Presentations
*   Resources
    *   Mailing lists
    *   Community wiki
    *   Source code repositories (GitHub)
    *   Source code repositories (CVSweb)
    *   File archive & mirrors
    *   How to verify digital signatures
    *   OVE IDs
*   What's new

\[<prev\] \[next>\] \[<thread-prev\] \[thread-next>\] \[day\] \[month\] \[year\] \[list\]

Date: Thu, 14 Jul 2011 16:49:22 +1000
From: Erik de Castro Lopo <erikd@...a-nerd.com>
To: oss-security@...ts.openwall.com
Cc: Jan Lieskovsky <jlieskov@...hat.com>, "Steven M. Christey"
 <coley@...us.mitre.org>, Secunia Research <vuln@...unia.com>
Subject: Re: CVE Request -- libsndfile -- Integer overflow by processing
 certain PAF files

Jan Lieskovsky wrote:

>    an integer overflow, leading to heap-based buffer overflow flaw was
> found in the way libsndfile, library for reading and writing of sound
> files, processed certain PARIS Audio Format (PAF) audio files with
> crafted count of channels in the PAF file header. A remote attacker
> could provided a specially-crafted PAF audio file, which once opened by
> a local, unsuspecting user in an application, linked against libsndfile,
> could lead to that particular application crash (denial of service),

I agree with everything up to here.

> or, potentially arbitrary code execution with the privileges of the
> user running the application.

but this is rubbish. The heap gets overwritten with zeros which would
certainly lead to the application segfaulting. However, there is
no way for arbitrary code to be executed on amy sane OS with proper
memory protection.

Furthermore, Secunia when they contacted me about this said they would
release information about this vulernability on the 18th and then ended
up releasing it on the 12th instead which means I had to rush out the
release I was working on (and would have easily had ready for the
18th). That is not the way to win friends and influence people.

Regards,
Erik
-- 
----------------------------------------------------------------------
Erik de Castro Lopo
http://www.mega-nerd.com/

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.

Tag

#buffer_overflow