Polkit suffers from a temporary auth hijacking vulnerability via PID reuse and a non-atomic fork.
57634c3dcea314066b8d2beba7cfe951CUPS generates session cookies srandom(time(NULL)) and random() on Linux.
583f7c6a7321642c12877e79a0682883Linux userfaultfd bypasses tmpfs file permissions.
61256d48b95082beb5d8e4ef759bcd4cGoogle Chrome version 70.0.3538.77 stable suffers from cross site scripting and man-in-the-middle vulnerabilities.
983c9bbc501d7d7ca4d8d631173677e7XNU POSIX has an issue where shared memory mapping have an incorrect maximum protection.
ac2760f95d5d33a22ed9bc8cebfab544This Metasploit module exploits a vulnerability in Linux kernels 4.15.0 to 4.18.18, and 4.19.0 to 4.19.1, where broken uid/gid mappings between nested user namespaces and kernel uid/gid mappings allow elevation to root (CVE-2018-18955). The target system must have unprivileged user namespaces enabled and the newuidmap and newgidmap helpers installed (from uidmap package). This Metasploit module has been tested successfully on: Fedora Workstation 28 kernel 4.16.3-301.fc28.x86_64; Kubuntu 18.04 LTS kernel 4.15.0-20-generic (x86_64); Linux Mint 19 kernel 4.15.0-20-generic (x86_64); Ubuntu Linux 18.04.1 LTS kernel 4.15.0-20-generic (x86_64).
bcf9a7b1fda21bc456a3d65c534bf1afLinux has a broken uid/gid mapping for nested user namespaces with greater than 5 ranges.
5a4e9282df80bcac13075f0181391a8bgVisor runsc suffers from a guest->host breakout via filsystem cache desync.
c5955d055e040d0690a596b137e3036dLinux has an issue where mremap() performs a TLB flush too late with concurrent ftruncate().
662f158d83c31c10c9b25a7d01c09b0aChrome OS runs an ancient unrar in CAP_SYS_ADMIN context.
8fb9a08410a49c789a6cd995c55a1b9eLinux suffers from an issue with systemd where chown_one() can dereference symlinks.
8a7385919cce2220b792617aa434b36bLinux has an issue with systemd where overlong input to fgets() during reexec state injection can lead to line splitting.
7eee1ef6f7faca88b348b6dac9d6b20cThe Chrome debugger extension API appears to have more power than necessary, including the ability to bypass the check for disabled natives.
7f04b4dbaa37e47793da6858cb2f0661The Linux BPF verifier has an issue where 32-bit RSH verification does not truncate input before the ALU op.
373edc458d7e0a3a57e28573408ae811Linux suffers from a semi-arbitrary task stack read on ARM64 (and x86) via /proc/$pid/stack.
7100e417a396e293988088f73c3b7c3aAndroid sdcardfs changes current->fs without proper locking.
30d07510d647a3e253ccd32f80cd1b03The Linux kernel suffers from a ptr leak via BPF due to a broken subtraction check.
3c1a45fa16b073a790adbcf32e65e7e7Chrome OS suffers from a /sbin/crash_reporter symlink traversal vulnerability.
c687c89c005c3b62a720e1c1f587693fThe Debian/Ubuntu AppArmor policy for evince in bypassable.
1b19708e83a1bfd77dfc118b056fc7eeAppArmor has an issue where filesystem blacklisting can be bypassed by moving parents.
639fa99eb3859f6045557741289c460bgVisor reuses pagetables across levels without paging-structure invalidation.
b9810ec486fb711402c3a34a26e05900Linux suffers from a VMA use-after-free vulnerability via a buggy vmacache_flush_all() fastpath.
f1861d71fffe7fe2825d8cc77332fd6aLinux suffers from an arbitrary kernel read into dmesg via a missing address check in the segfault handler.
06e9283f3dd8c10929847de0f7b403d2There is a variety of RPC communication channels between the Chrome OS host system and the crosvm guest. This bug report focuses on communication on TCP port 8889, which is used by the "garcon" service. garcon uses gRPC, which is an RPC protocol that sends protobufs over plaintext HTTP/2. (Other system components communicate with the VM over gRPC-over-vsock, but garcon uses gRPC-over-TCP.) For some command types, the TCP connection is initiated by the host; for others, it is initiated by the guest. Both guest and host are listening on [::]:8889; however, the iptables rules of the host prevent an outside host from simply connecting to those sockets. However, apps running on the host are not affected by such restrictions.
aff1ab159e8069bed85cefa1dff66810Android suffers from a privilege escalation vulnerability in zygote that can be leveraged by CVE-2018-9445.
ab958bdb52ab9f8d11c64fe093731380
© 2019 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed