The code in IOMXNodeInstance.cpp that handles enableNativeBuffers uses port_index without validation, leading to writing the dword value 0 or 1 at an attacker controlled offset from the IOMXNodeInstance structure.
72e3f04c0dccca9d11b30c786b9e44b6ad70abc4202d48d377b62972e3b859afThe interaction between the kernel /dev/binder and the usermode Parcel.cpp mean that when a binder object is passed as BINDER_TYPE_BINDER or BINDER_TYPE_WEAK_BINDER, a pointer to that object (in the server process) is leaked to the client process as the cookie value. This leads to a leak of a heap address in many of the privileged binder services, including system_server.
d3a390084b839f03fc96f626d43551a1c0687c7d83accd79ef36bdd4b33ddbefThere's an integer overflow issue in get_node_path_locked in /system/bin/sdcard on Android, which results in a buffer overflow.
03bc08380fba4bccc4dcff7acf038b1a908c760c3558b538af25c67c1f49b3aaThere's a logic error in the PCRE engine version used in Adobe Flash that allows the execution of arbitrary PCRE bytecode, with potential for memory corruption and remote code execution.
7634c378b901e854196bb2c6638f9cdaaeebb56a0a8e8bedc196af24d7ed49f8com.apple.audio.coreaudiod is reachable from various sandboxes including the Safari renderer. coreaudiod is sandboxed and runs as its own user, nevertheless it has access to various other interesting attack surfaces which safari doesn't, allowing this bug to potentially form part of a full sandbox escape chain.
040c5bc4ee814b9abdf174150d4582e8d233b7e6ea6fe2992ae37f08d1dc46e2There is an integer overflow issue in sanity checking section lengths when parsing the vcdiff format (used in SDCH content encoding). This results in the parser parsing outside of sane memory bounds when parsing the contents of a vcdiff windowThere's an integer overflow issue in sanity checking section lengths when parsing the vcdiff format (used in SDCH content encoding). This results in the parser parsing outside of sane memory bounds when parsing the contents of a vcdiff window.
7dd26a5b0e5074777454a033d2a5cf9abf8079a2604f2b566807914eb6911c4bA path traversal vulnerability was found in the WifiHs20UtilityService. This service is running on a Samsung S6 Edge device, and may be present on other Samsung device models. WifiHs20UtilityService reads any files placed in /sdcard/Download/cred.zip, and unzips this file into /data/bundle. Directory traversal in the path of the zipped contents allows an attacker to write a controlled file to an arbitrary path as the system user.
518c9bcbcc800ca3f2eabf30aca38ce8d0b16a83ab93ae8b359b37e023aa64a9A heap overflow exists due to a 64-32 integer truncation issue in device/hid/hid_connection_linux.cc.
770ba2318e417025ee29f56a1103dfb964c9deb4f6c83609e26beb78d0effa4fThere is an error in the PCRE engine version used in Flash that allows the execution of arbitrary PCRE bytecode, with potential for memory corruption and remote code execution.
f100f0c5cc96a2a407b46491520f1bce43ba7ca526f4e6c69f5887bf768c2eca
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed