Stack-based buffer overflow in the hfs_mac2asc function in fs/hfs/trans.c in the Linux kernel 2.6 allows local users to cause a denial of service (crash) and possibly execute arbitrary code via an HFS image with a crafted len field.

CVE-2011-4330

Multiple buffer overflows in the si4713_write_econtrol_string function in drivers/media/radio/si4713-i2c.c in the Linux kernel before 2.6.39.4 on the N900 platform might allow local users to cause a denial of service or have unspecified other impact via a crafted s_ext_ctrls operation with a (1) V4L2_CID_RDS_TX_PS_NAME or (2) V4L2_CID_RDS_TX_RADIO_TEXT control ID.

CVE-2011-2700

CVE-2011-2698 wireshark: Infinite loop in the ANSI A Interface (IS-634/IOS) dissector

**updates at fedoraproject.org** updates at fedoraproject.org  
_Wed Aug 10 03:22:21 UTC 2011_

*   Previous message: Fedora 15 Update: java-service-wrapper-3.2.5-2.fc15
*   Next message: Fedora 14 Update: plowshare-0.9.4-0.10.svn1645.fc14
*   **Messages sorted by:** \[ date \] \[ thread \] \[ subject \] \[ author \]

\--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2011-9640
2011-07-23 01:34:01
--------------------------------------------------------------------------------

Name        : wireshark
Product     : Fedora 14
Version     : 1.4.8
Release     : 1.fc14
URL         : http://www.wireshark.org/
Summary     : Network traffic analyzer
Description :
Wireshark is a network traffic analyzer for Unix-ish operating systems.

This package lays base for libpcap, a packet capture and filtering
library, contains command-line utilities, contains plugins and
documentation for wireshark. A graphical user interface is packaged
separately to GTK+ package.

--------------------------------------------------------------------------------
Update Information:

Wireshark 1.4.8 fixes the following vulnerabilities:

The Lucent/Ascend file parser was susceptible to an infinite loop. CVE-2011-2597.
The ANSI MAP dissector was susceptible to an infinite loop. CVE-2011-2698.
--------------------------------------------------------------------------------
ChangeLog:

\* Thu Jun  2 2011 Jan Safranek <jsafrane at redhat.com\> - 1.4.8-1
- upgrade to 1.4.8
- see http://www.wireshark.org/docs/relnotes/wireshark-1.4.8.html
\* Thu Jun  2 2011 Jan Safranek <jsafrane at redhat.com\> - 1.4.7-1
- upgrade to 1.4.7
- see http://www.wireshark.org/docs/relnotes/wireshark-1.4.7.html
\* Thu May 19 2011 Steve Dickson <steved at redhat.com\> - 1.4.6-2
- Improved the NFS4.1 patcket dissectors
\* Tue Apr 19 2011 Jan Safranek <jsafrane at redhat.com\> - 1.4.6-1
- upgrade to 1.4.6
- see http://www.wireshark.org/docs/relnotes/wireshark-1.4.6.html
\* Mon Apr 18 2011 Jan Safranek <jsafrane at redhat.com\> - 1.4.5-1
- upgrade to 1.4.5
- see http://www.wireshark.org/docs/relnotes/wireshark-1.4.5.html
\* Thu Mar  3 2011 Jan Safranek <jsafrane at redhat.com\> - 1.4.4-1
- upgrade to 1.4.4
- see http://www.wireshark.org/docs/relnotes/wireshark-1.4.4.html
\* Mon Jan 17 2011 Jan Safranek <jsafrane at redhat.com\> - 1.4.2-3
- upgrade to 1.4.3
- see http://www.wireshark.org/docs/relnotes/wireshark-1.4.3.html
\* Wed Jan  5 2011 Jan Safranek <jsafrane at redhat.com\> - 1.4.2-2
- fixed buffer overflow in ENTTEC dissector (#666897)
\* Mon Nov 22 2010 Jan Safranek <jsafrane at redhat.com\> - 1.4.2-1
- upgrade to 1.4.2
- see http://www.wireshark.org/docs/relnotes/wireshark-1.4.2.html
\* Mon Nov  1 2010 Jan Safranek <jsafrane at redhat.com\> - 1.4.1-2
- temporarily disable zlib until
  https://bugs.wireshark.org/bugzilla/show\_bug.cgi?id=4955 is resolved (#643461)
\* Fri Oct 22 2010 Jan Safranek <jsafrane at redhat.com\> - 1.4.1-1
- upgrade to 1.4.1
- see http://www.wireshark.org/docs/relnotes/wireshark-1.4.1.html
- Own the %{\_libdir}/wireshark dir (#644508)
- associate \*.pcap files with wireshark (#641163)
\* Tue Oct  5 2010 jkeating - 1.4.0-2.1
- Rebuilt for gcc bug 634757
--------------------------------------------------------------------------------
References:

  \[ 1 \] Bug #719753 - CVE-2011-2597 wireshark: infinite loop DoS in lucent/ascend file parser
        https://bugzilla.redhat.com/show\_bug.cgi?id=719753
  \[ 2 \] Bug #723215 - CVE-2011-2698 wireshark: Infinite loop in the ANSI A Interface (IS-634/IOS) dissector
        https://bugzilla.redhat.com/show\_bug.cgi?id=723215
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program.  Use 
su -c 'yum update wireshark' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key.  More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------

*   Previous message: Fedora 15 Update: java-service-wrapper-3.2.5-2.fc15
*   Next message: Fedora 14 Update: plowshare-0.9.4-0.10.svn1645.fc14
*   **Messages sorted by:** \[ date \] \[ thread \] \[ subject \] \[ author \]

More information about the package-announce mailing list

CVE-2011-2698: [SECURITY] Fedora 14 Update: wireshark-1.4.8-1.fc14

CVE-2011-2696 libsndfile: Application crash due integer overflow by processing certain PAF audio files

*   Products
    *   Openwall GNU/\*/Linux   _server OS_
    *   Linux Kernel Runtime Guard
    *   John the Ripper   _password cracker_
        *   Free & Open Source for any platform
        *   in the cloud
        *   Pro for Linux
        *   Pro for macOS
    *   Wordlists   _for password cracking_
    *   passwdqc   _policy enforcement_
        *   Free & Open Source for Unix
        *   Pro for Windows (Active Directory)
    *   yescrypt   _KDF & password hashing_
    *   yespower   _Proof-of-Work (PoW)_
    *   crypt\_blowfish   _password hashing_
    *   phpass   _ditto in PHP_
    *   tcb   _better password shadowing_
    *   Pluggable Authentication Modules
    *   scanlogd   _port scan detector_
    *   popa3d   _tiny POP3 daemon_
    *   blists   _web interface to mailing lists_
    *   msulogin   _single user mode login_
    *   php\_mt\_seed   _mt\_rand() cracker_
*   Services
*   Publications
    *   Articles
    *   Presentations
*   Resources
    *   Mailing lists
    *   Community wiki
    *   Source code repositories (GitHub)
    *   Source code repositories (CVSweb)
    *   File archive & mirrors
    *   How to verify digital signatures
    *   OVE IDs
*   What's new

\[<prev\] \[next>\] \[<thread-prev\] \[thread-next>\] \[day\] \[month\] \[year\] \[list\]

Date: Thu, 14 Jul 2011 16:49:22 +1000
From: Erik de Castro Lopo <erikd@...a-nerd.com>
To: oss-security@...ts.openwall.com
Cc: Jan Lieskovsky <jlieskov@...hat.com>, "Steven M. Christey"
 <coley@...us.mitre.org>, Secunia Research <vuln@...unia.com>
Subject: Re: CVE Request -- libsndfile -- Integer overflow by processing
 certain PAF files

Jan Lieskovsky wrote:

>    an integer overflow, leading to heap-based buffer overflow flaw was
> found in the way libsndfile, library for reading and writing of sound
> files, processed certain PARIS Audio Format (PAF) audio files with
> crafted count of channels in the PAF file header. A remote attacker
> could provided a specially-crafted PAF audio file, which once opened by
> a local, unsuspecting user in an application, linked against libsndfile,
> could lead to that particular application crash (denial of service),

I agree with everything up to here.

> or, potentially arbitrary code execution with the privileges of the
> user running the application.

but this is rubbish. The heap gets overwritten with zeros which would
certainly lead to the application segfaulting. However, there is
no way for arbitrary code to be executed on amy sane OS with proper
memory protection.

Furthermore, Secunia when they contacted me about this said they would
release information about this vulernability on the 18th and then ended
up releasing it on the 12th instead which means I had to rush out the
release I was working on (and would have easily had ready for the
18th). That is not the way to win friends and influence people.

Regards,
Erik
-- 
----------------------------------------------------------------------
Erik de Castro Lopo
http://www.mega-nerd.com/

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.

CVE-2011-2696: oss-security - Re: CVE Request -- libsndfile -

Stack-based buffer overflow in the GeneratePassword function in dsmtca (aka the Trusted Communications Agent or TCA) in the backup-archive client in IBM Tivoli Storage Manager (TSM) 5.3.x before 5.3.6.10, 5.4.x before 5.4.3.4, 5.5.x before 5.5.2.10, and 6.1.x before 6.1.3.1 on Unix and Linux allows local users to gain privileges by specifying a long LANG environment variable, and then sending a request over a pipe.

CVE-2010-4604

Heap-based buffer overflow in the GSM mobility management implementation in Telephony in Apple iOS before 4.2 on the iPhone and iPad allows remote attackers to execute arbitrary code on the baseband processor via a crafted Temporary Mobile Subscriber Identity (TMSI) field.

CVE-2010-3832

WebKit in Apple iOS before 4 on the iPhone and iPod touch does not properly implement the history.replaceState method in certain situations involving IFRAME elements, which allows remote attackers to obtain sensitive information via a crafted HTML document.

CVE-2010-1407: About the security content of iOS 4

Stack-based buffer overflow in CursorArts ZipWrangler 1.20 allows user-assisted remote attackers to execute arbitrary code via a ZIP file containing a file with a long filename.

CVE-2010-1685

Buffer overflow in the usb_host_handle_control function in the USB passthrough handling implementation in usb-linux.c in QEMU before 0.11.1 allows guest OS users to cause a denial of service (guest OS crash or hang) or possibly execute arbitrary code on the host OS via a crafted USB packet.

**\[prev in list\] \[next in list\] \[prev in thread\] \[next in thread\]** 
**List:       oss-security
Subject:    \[oss-security\] KVM possible security issues fixed
From:       Thomas Biege <thomas () suse ! de>
Date:       2010-02-02 9:59:13
Message-ID: 201002021059.13521.thomas () suse ! de
\[Download RAW message or body\]**

Hello,
the following was listed in the changelog of kvm
- slirp: fix use-after-free
- usb-linux.c: fix buffer overflow
- fix potential stack corruption saving MSRs (Eduardo Habkost)

Looks like these are security issues. Does someone know more about?
Any details about exploitability etc.

Thanks
Thomas

-- 
 Thomas Biege <thomas@suse.de>, SUSE LINUX, Security Support & Auditing
 SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)
--
  Wer aufhoert besser werden zu wollen, hoert auf gut zu sein.
                            -- Marie von Ebner-Eschenbach
**\[prev in list\] \[next in list\] \[prev in thread\] \[next in thread\]** 

  

Configure | About | News | Add a list | Sponsored by KoreLogic

CVE-2010-0297: '[oss-security] KVM possible security issues fixed'

Multiple stack-based buffer overflows in the CertDecoder::GetName function in src/asn.cpp in TaoCrypt in yaSSL before 1.9.9, as used in mysqld in MySQL 5.0.x before 5.0.90, MySQL 5.1.x before 5.1.43, MySQL 5.5.x through 5.5.0-m2, and other products, allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption and daemon crash) by establishing an SSL connection and sending an X.509 client certificate with a crafted name field, as demonstrated by mysql_overflow1.py and the vd_mysql5 module in VulnDisco Pack Professional 8.11. NOTE: this was originally reported for MySQL 5.0.51a.

Tag

#buffer_overflow