There is a memory corruption issue when processing a malformed RTP video stream in FaceTime that leads to a kernel panic due to a corrupted heap cookie or data abort. This bug can be reached if a user accepts a call from a malicious caller. This issue only affects FaceTime on iOS, it does not crash on a Mac.
e1efd0319dcc1218c75d95f35d08574bThere is a heap corruption vulnerability in VCPDecompressionDecodeFrame which is called by FaceTime. This bug can be reached if a user accepts a call from a malicious peer.
98ed8bf1539b036052ee59ec0d5239fdFaceTime suffers from a stack corruption vulnerability in readSPSandGetDecoderParams.
17c8ace8d98479a7e023a22b0a94235cgVisor runsc suffers from a guest->host breakout via filsystem cache desync.
c5955d055e040d0690a596b137e3036dLinux has an issue where mremap() performs a TLB flush too late with concurrent ftruncate().
662f158d83c31c10c9b25a7d01c09b0aChrome OS runs an ancient unrar in CAP_SYS_ADMIN context.
8fb9a08410a49c789a6cd995c55a1b9elibtiff up to and including 4.0.9 decodes arbitrarily-sized JBIG into a buffer, ignoring the buffer size.
1f65f444f30882af96c78320cb935028Linux suffers from an issue with systemd where chown_one() can dereference symlinks.
8a7385919cce2220b792617aa434b36bLinux has an issue with systemd where overlong input to fgets() during reexec state injection can lead to line splitting.
7eee1ef6f7faca88b348b6dac9d6b20cThe Chrome debugger extension API appears to have more power than necessary, including the ability to bypass the check for disabled natives.
7f04b4dbaa37e47793da6858cb2f0661The Apple Intel GPU driver suffers from use-after-free and double-delete issues due to bad locking.
b351e27cbcb6569d7e176048b1d1639fiOS and macOS suffers from a sandbox escape due to trusted length field in shared memory used by the HID event subsystem.
d02085ca3eebe96590a6bfad12954bf6iOS suffers from a kernel stack memory disclosure due to failure to check copyin return value.
dabae5d2d2f7dfbc02093d00e56e96e6iOS and macOS suffer from a sandbox escape vulnerability due to failure to comply with MIG object lifetime semantics in the iohideventsystem_client subsystem.
b9de50e80a2ea80f7f9468bd16b597e3iOS and macOS suffer from sandbox escape vulnerabilities due to MIG failing to use correct out-of-line descriptor lengths when parsing reply messages.
4f22a8f810b85991d35e76ab7b9861b4iOS and macOS suffers from a kernel memory corruption vulnerability due to integer overflow in IOHIDResourceQueue::enqueueReport.
eaf771ae19474d20de705e51b77b51d3iOS and macOS suffers from a sandbox escape vulnerability due to mach message sent from shared memory.
212667e2b57588da87c0742e251ac563The iOS kernel suffers from a use-after-free vulnerability due to bad error handling in personas.
00aa8ae882f2b6020f3e4a12749da1eeGhostscript has an issues where callers of a procedure are not forced to be properly marked as executeonly or pseudo-operators, allowing for the ability to take complete control of it.
f6013aa13df201f50c343927fca57dcdThe Linux BPF verifier has an issue where 32-bit RSH verification does not truncate input before the ALU op.
373edc458d7e0a3a57e28573408ae811Linux suffers from a semi-arbitrary task stack read on ARM64 (and x86) via /proc/$pid/stack.
7100e417a396e293988088f73c3b7c3aChrome has missing validation in the deserialization routines for both DataPipeConsumerDispatcher and DataPipeProducerDispatcher, which take from the incoming message a read_offset/write_offset respectively into shared memory. Providing an offset outside the bounds of the allocated memory will then result in an out-of-bounds read/write when the pipe is used.
08315707021518b918593c1b05081689On Microsoft Windows, the FSCTL_FIND_FILES_BY_SID control code does not check for permissions to list a directory leading to disclosure of file names when a user is not granted FILE_LIST_DIRECTORY access.
1ad1fd11e41df6d259aeb00e3e6cc367Ghostscript suffers from an issue where .loadfontloop exposes system operators in the saved execution stack.
8ee6daa56e7b3cbcf912ca5433934a03Ghostscript suffers from an executeonly bypass with errorhandler setup.
de8be7c4957ab4b3c8a37259c65b3c84
© 2018 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed