Linux has a broken uid/gid mapping for nested user namespaces with greater than 5 ranges.
5a4e9282df80bcac13075f0181391a8bgVisor runsc suffers from a guest->host breakout via filsystem cache desync.
c5955d055e040d0690a596b137e3036dLinux has an issue where mremap() performs a TLB flush too late with concurrent ftruncate().
662f158d83c31c10c9b25a7d01c09b0aChrome OS runs an ancient unrar in CAP_SYS_ADMIN context.
8fb9a08410a49c789a6cd995c55a1b9eLinux suffers from an issue with systemd where chown_one() can dereference symlinks.
8a7385919cce2220b792617aa434b36bLinux has an issue with systemd where overlong input to fgets() during reexec state injection can lead to line splitting.
7eee1ef6f7faca88b348b6dac9d6b20cThe Chrome debugger extension API appears to have more power than necessary, including the ability to bypass the check for disabled natives.
7f04b4dbaa37e47793da6858cb2f0661The Linux BPF verifier has an issue where 32-bit RSH verification does not truncate input before the ALU op.
373edc458d7e0a3a57e28573408ae811Linux suffers from a semi-arbitrary task stack read on ARM64 (and x86) via /proc/$pid/stack.
7100e417a396e293988088f73c3b7c3aAndroid sdcardfs changes current->fs without proper locking.
30d07510d647a3e253ccd32f80cd1b03The Linux kernel suffers from a ptr leak via BPF due to a broken subtraction check.
3c1a45fa16b073a790adbcf32e65e7e7Chrome OS suffers from a /sbin/crash_reporter symlink traversal vulnerability.
c687c89c005c3b62a720e1c1f587693fThe Debian/Ubuntu AppArmor policy for evince in bypassable.
1b19708e83a1bfd77dfc118b056fc7eeAppArmor has an issue where filesystem blacklisting can be bypassed by moving parents.
639fa99eb3859f6045557741289c460bgVisor reuses pagetables across levels without paging-structure invalidation.
b9810ec486fb711402c3a34a26e05900Linux suffers from a VMA use-after-free vulnerability via a buggy vmacache_flush_all() fastpath.
f1861d71fffe7fe2825d8cc77332fd6aLinux suffers from an arbitrary kernel read into dmesg via a missing address check in the segfault handler.
06e9283f3dd8c10929847de0f7b403d2There is a variety of RPC communication channels between the Chrome OS host system and the crosvm guest. This bug report focuses on communication on TCP port 8889, which is used by the "garcon" service. garcon uses gRPC, which is an RPC protocol that sends protobufs over plaintext HTTP/2. (Other system components communicate with the VM over gRPC-over-vsock, but garcon uses gRPC-over-TCP.) For some command types, the TCP connection is initiated by the host; for others, it is initiated by the guest. Both guest and host are listening on [::]:8889; however, the iptables rules of the host prevent an outside host from simply connecting to those sockets. However, apps running on the host are not affected by such restrictions.
aff1ab159e8069bed85cefa1dff66810Android suffers from a privilege escalation vulnerability in zygote that can be leveraged by CVE-2018-9445.
ab958bdb52ab9f8d11c64fe093731380Linux suffers from an insufficient shootdown for paging-structure caches.
8c0d36eab2a0b162e885643f73377706gVisor Sentry permits access to the renameat() syscall. As the sentry is not chrooted, it permits renaming files in the host system.
82846292495d155d34683eb88e13fadeLinux suffers from a reiserfs listxattr_filler() heap overflow vulnerability.
32f35281c7d063fa006860df2819530eWayland suffers from an out-of-bounds memory access vulnerability in wl_connection_demarshal() on 32-bit systems.
d6df3a560088b2c39f11b2f8dc3a2c2dRace conditions exist on percpu refcounts on struct mount.
2431157d4031096f9869974723e0f6f4Android suffers from a directory traversal vulnerability leveraged over USB via injection in blkid output.
54330565924c07e00a436420e71adec0
© 2018 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed