Red Hat Security Advisory 2016-0496-01 - Git is a distributed revision control system with a decentralized architecture. As opposed to centralized version control systems with a client-server model, Git ensures that each working copy of a Git repository is an exact copy with complete revision history. This not only allows the user to work on and contribute to projects without the need to have permission to push the changes to their official repositories, but also makes it possible for the user to work with no network connection. An integer truncation flaw and an integer overflow flaw, both leading to a heap-based buffer overflow, were found in the way Git processed certain path information. A remote attacker could create a specially crafted Git repository that would cause a Git client or server to crash or, possibly, execute arbitrary code.
33481f9b2e323032036bbac27addbdbb7aca8f0d60afb5adf509af12b34245cc
Red Hat Security Advisory 2016-0494-01 - The kernel packages contain the Linux kernel, the core of any Linux operating system. It was found that the fix for CVE-2015-1805 incorrectly kept buffer offset and buffer length in sync on a failed atomic read, potentially resulting in a pipe buffer state corruption. A local, unprivileged user could use this flaw to crash the system or leak kernel memory to user space. The security impact of this issue was discovered by Red Hat.
80c54b65ae506f1bd02a2a902ef6537ba749f2d08c2885f9ed60f7d6ef16502f
Red Hat Security Advisory 2016-0493-01 - Kerberos is a networked authentication system which allows clients and servers to authenticate to each other with the help of a trusted third party, the Kerberos KDC. A memory leak flaw was found in the krb5_unparse_name() function of the MIT Kerberos kadmind service. An authenticated attacker could repeatedly send specially crafted requests to the server, which could cause the server to consume large amounts of memory resources, ultimately leading to a denial of service due to memory exhaustion. An out-of-bounds read flaw was found in the kadmind service of MIT Kerberos. An authenticated attacker could send a maliciously crafted message to force kadmind to read beyond the end of allocated memory, and write the memory contents to the KDC database if the attacker has write permission, leading to information disclosure.
0e26967fe71da50ea746ca56ebbcbd9d8e567b9479d3f724ddadcfc1a14f7e01
Red Hat Security Advisory 2016-0492-01 - Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages technologies. It was found that the expression language resolver evaluated expressions within a privileged code section. A malicious web application could use this flaw to bypass security manager protections. Previously, using a New I/O connector in the Apache Tomcat 6 servlet resulted in a large memory leak. An upstream patch has been applied to fix this bug, and the memory leak no longer occurs.
986c615e343a02a31239053dbcc2ca4ace64881603b3079b68d4cc77891cc485
Red Hat Security Advisory 2016-0491-01 - Foomatic is a comprehensive, spooler-independent database of printers, printer drivers, and driver descriptions. The package also includes spooler-independent command line interfaces to manipulate queues and to print files and manipulate print jobs. It was discovered that the unhtmlify() function of foomatic-rip did not correctly calculate buffer sizes, possibly leading to a heap-based memory corruption. A malicious attacker could exploit this flaw to cause foomatic-rip to crash or, possibly, execute arbitrary code.
1c8dbb1c6105619a657be78d0cb2ea781f9214a1e2082f02d87b336503f8acc9
Debian Linux Security Advisory 3525-1 - Vincent LE GARREC discovered an integer overflow in pixman, a pixel-manipulation library for X and cairo. A remote attacker can exploit this flaw to cause an application using the pixman library to crash, or potentially, to execute arbitrary code with the privileges of the user running the application.
fba720c0d3e90f68190018adddc68de92e676476b3b8967b4271fbe9e372278b
Red Hat Security Advisory 2016-0489-01 - OpenShift Enterprise by Red Hat is the company's cloud computing Platform-as-a-Service solution designed for on-premise or private cloud deployments. The following security issue is addressed with this release: It was found that ActiveMQ did not safely handle user supplied data when deserializing objects. A remote attacker could use this flaw to execute arbitrary code with the permissions of the ActiveMQ application.
c167e3d8f6f600ab83c359b1f2e0d619cadb47f08e42a17fb9a8a88b9b2d5e66
Red Hat Security Advisory 2016-0490-01 - Red Hat JBoss Enterprise Application Platform 6 is a platform for Java applications based on JBoss Application Server 7. A padding oracle flaw was found in the Secure Sockets Layer version 2.0 protocol. An attacker can potentially use this flaw to decrypt RSA-encrypted cipher text from a connection using a newer SSL/TLS protocol version, allowing them to decrypt such connections. This cross-protocol attack is publicly referred to as DROWN. A denial of service flaw was found in the way OpenSSL handled SSLv2 handshake messages. A remote attacker could use this flaw to cause a TLS/SSL server using OpenSSL to exit on a failed assertion if it had both the SSLv2 protocol and EXPORT-grade cipher suites enabled.
5acd2c526da16235e590f280881bf7c08e3d07dd82e68161ed9d958c6754780e
WordPress Memphis Document Library plugin version 3.1.5 suffers from an arbitrary file download vulnerability.
b72346b0c1735575621f6102ef6ef9845d42644148787b3ded9d0b7bddc09cb7
WordPress Dharma Booking plugin versions 2.28.3 and below suffer from local and remote file inclusion vulnerabilities.
82526a805b6d2b7b16345894f9995542ea3661ae96f70e63be274799a3089476
WordPress Brandfolder plugin versions 3.0 and below suffer from local and remote file inclusion vulnerabilities.
5c0396bb5e5d44afc466802c4588ce6dcd5714d10e9025371d7bed1ff1fab90d
Comodo Antivirus includes a x86 emulator that is used to unpack and monitor obfuscated executables, this is common practice among antivirus products. The idea is that emulators can run the code safely for a short time, giving the sample enough time to unpack itself or do something that can be profiled. Needless to say, this is a very significant and complicated attack surface, as an attacker can trigger emulation simply by sending the victim an email or getting them to visit a website with zero user interaction. Multiple memory corruption issues have been found with the emulator.
cfbf0dd1caad664a8a36d0e11f52ccba899cbf069cf799a34ef08893acaf37b2
Packman is an obscure opensource executable packer that Comodo Antivirus attempts to unpack during scanning. If the compression method is set to algorithm 1, compression parameters are read directly from the input executable without validation. Fuzzing this unpacker revealed a variety of crashes due to this, such as causing pointer arithmetic in CAEPACKManUnpack::DoUnpack_With_NormalPack to move pksDeCodeBuffer.ptr to an arbitrary address, which allows an attacker to free() an arbitrary pointer. This issue is obviously exploitable to execute code as NT AUTHORITY\SYSTEM.
adf1b7ee75650e302c810380b477450604f08412c70d3784267cfd3c982dd3ea
The Comodo Antivirus LZMA decoder performs insufficient parameter checks, resulting in a heap overflow vulnerability.
80e8644d174a99b1386292c6a83033e7044613fa936d4b5dfafeec8f9086d5f4
In COleMemFile::LoadDiFatList, values from the header are used to parse the document FAT. If header.csectDif is very high, the calculation overflows and a very small buffer is allocated. The document FAT is then memcpy'd onto the buffer directly from the input file being scanned, resulting in a nice clean heap overflow. This vulnerability is obviously exploitable for remote code execution as NT AUTHORITY\SYSTEM, the attached test cases should reproduce the problem reliably (this issue was found using trivial fuzzing). You can see this testcase has this->m_oleDocHeader.csectDif = 0x40000001, and so this->m_oleDocHeader.csectDif * this->diFATPerSect * 4 + 436 wraps to 0x3b0.
0d8944589584ffd6f19521f74f3b05e3ba9308f6e066d7502ae4420ba2f83b4c
Comodo Antivirus includes a full x86 emulator that is used to unpack executables that are being scanned. Files read from disk or received over the network, including email, browser cache and so on can all trigger emulation. The emulator itself uses a sequence of nested lookup tables to translate opcodes to the routines that emulate them. The xmm/ymm registers are used like a union in C. For example, the registers can be treated as 4 floats, 2 doubles, 2 dwords, 8 shorts and so on - whatever is appropriate. The comodo emulator uses a union to represent these registers, and then each emulated instruction uses whichever union member matches it's function. For example, PUNPCKLBW would use regs->words, PSRLQ would use regs->qwords and so on. The code for PSUBUSB incorrectly uses the wrong union member (words instead of bytes), meaning it will clobber double the space allocated by CPU::MMX_OPCODE(). The fix for this vulnerability is to use the bytes member of the union instead.
65a2860985334c929241500c3eec6733661c6d157ba7ce5980acbe5b0395bc08
Wireshark suffers from a crash vulnerability due to a static memory out-of-bounds write that can be observed in an ASAN build of Wireshark .
d751a97af648548ff6b3fe6c3fc7c524ae5d47ea88f286570d27423b9ad6b6bb
A major component of Comodo Antivirus is the x86 emulator, which includes a number of shims for win32 API routines so that common API calls work in emulated programs (CreateFile, LoadLibrary, etc). The emulator itself is located in MACH32.DLL, which is compiled without /DYNAMICBASE, and runs as NT AUTHORITY\SYSTEM. These API routines access memory from the emulated virtual machine, perform the requested operation, and then poke the result back into the emulator. Because these emulated routines are all native code, they must take care not to trust values extracted from the emulator, which is running attacker controlled code. Browsing through the list of emulated routines, MSVBVM60!rtcLowerCaseVar jumped out as an obvious case of integer overflow due to trusting attacker-provided parameters.
8d147c54c65aab4d2452bd4eb9517303915856455def848dcb10b51b25e3f9d5
Lzx_Decoder::init() initializes the vector Lzx_Decoder->window to a fixed size of 2^method bytes, which is then used during Lzx_Decoder::Extract(). It's possible for LZX compressed streams to exceed this size. Writes to the window buffer are bounds checked, but only after the write is completed.
839695e6d83e2e3da8e7895210ee30106fa6966de6fc5fbd59853d59883fab72
Joomla iCagenda versions 3.5.5 through 3.5.15 suffer from a cross site scripting vulnerability.
0001d83aa084d5c104998b1032f6415017f5124a6175ddb8e5f7fcebd3a48622
Joomla Easy Youtube Gallery version 1.0.2 suffers from a remote SQL injection vulnerability.
987a237426e6ed06720e2a870b988b79e8b2683c6b7071f29514125567994022