Docker httpd:2.2

Overview

When apr_time_exp*() or apr_os_exp_time*() functions are invoked with an invalid month field value in Apache Portable Runtime APR 1.6.2 and prior, out of bounds memory may be accessed in converting this value to an apr_time_exp_t value, potentially revealing the contents of a different static heap value or resulting in program termination, and may represent an information disclosure or denial of service vulnerability to applications which call these APR functions with unvalidated external input.

References

• Apache Security Advisory
• CONFIRM
• CONFIRM
• Debian Security Announcement
• Debian Security Tracker
• RHSA Security Advisory
• RHSA Security Advisory
• RHSA Security Advisory
• RHSA Security Advisory
• RHSA Security Advisory
• RHSA Security Advisory
• RHSA Security Advisory
• RHSA Security Advisory
• Security Focus
• Security Tracker
• Ubuntu CVE Tracker

Overview

Incorrect sanitation of the 302 redirect field in HTTP transport method of apt versions 1.4.8 and earlier can lead to content injection by a MITM attacker, potentially leading to remote code execution on the target machine.

References

• Apache Security Advisory
• Debian Security Advisory
• Debian Security Announcement
• Debian Security Announcement
• Debian Security Tracker
• Netapp Security Advisory
• Security Focus
• Ubuntu CVE Tracker
• Ubuntu Security Advisory
• Ubuntu Security Advisory

Overview

An issue was discovered in disable_priv_mode in shell.c in GNU Bash through 5.0 patch 11. By default, if Bash is run with its effective UID not equal to its real UID, it will drop privileges by setting its effective UID to its real UID. However, it does so incorrectly. On Linux and other systems that support "saved UID" functionality, the saved UID is not dropped. An attacker with command execution in the shell can use "enable -f" for runtime loading of a new builtin, which can be a shared object that calls setuid() and therefore regains privileges. However, binaries running with an effective UID of 0 are unaffected.

References

• CONFIRM
• Debian Security Tracker
• GitHub Commit
• MISC
• MISC
• Ubuntu CVE Tracker

Overview

rbash in Bash before 4.4-beta2 did not prevent the shell user from modifying BASH_CMDS, thus allowing the user to execute any command with the permissions of the shell.

References

• Debian Security Announcement
• Debian Security Tracker
• MISC
• MISC
• Netapp Security Advisory
• OpenSuse Security Announcement
• UBUNTU
• UBUNTU
• Ubuntu CVE Tracker

Overview

BZ2_decompress in decompress.c in bzip2 through 1.0.6 has an out-of-bounds write when there are many selectors.

References

• BUGTRAQ
• BUGTRAQ
• CONFIRM
• CVE Details
• Debian Security Announcement
• Debian Security Tracker
• FREEBSD
• MISC
• MISC
• MISC
• MISC
• MLIST
• MLIST
• MLIST
• MLIST
• SUSE
• SUSE
• SUSE
• SUSE
• UBUNTU
• UBUNTU
• Ubuntu CVE Tracker
• Ubuntu Security Advisory
• Ubuntu Security Advisory

Overview

cyrus-sasl (aka Cyrus SASL) 2.1.27 has an out-of-bounds write leading to unauthenticated remote denial-of-service in OpenLDAP via a malformed LDAP packet. The OpenLDAP crash is ultimately caused by an off-by-one error in _sasl_add_string in common.c in cyrus-sasl.

References

• ADVISORY
• Bugtraq Mailing List
• CONFIRM
• CONFIRM
• Debian Security Advisory
• Debian Security Announcement
• Debian Security Tracker
• FEDORA
• FEDORA
• FULLDISC
• FULLDISC
• GitHub Issue
• MISC
• Ubuntu CVE Tracker
• Ubuntu Security Advisory

Overview

dpkg-source in dpkg 1.3.0 through 1.18.23 is able to use a non-GNU patch program and does not offer a protection mechanism for blank-indented diff hunks, which allows remote attackers to conduct directory traversal attacks via a crafted Debian source package, as demonstrated by use of dpkg-source on NetBSD.

References

• Debian Security Tracker
• OSS security Advisory
• Security Focus
• Ubuntu CVE Tracker

Overview

In libexpat before 2.2.8, crafted XML input could fool the parser into changing from DTD parsing to document parsing too early; a consecutive call to XML_GetCurrentLineNumber (or XML_GetCurrentColumnNumber) then resulted in a heap-based buffer over-read.

References

• ADVISORY
• BUGTRAQ
• BUGTRAQ
• BUGTRAQ
• BUGTRAQ
• BUGTRAQ
• BUGTRAQ
• BUGTRAQ
• Bugtraq Mailing List
• CONFIRM
• CONFIRM
• CONFIRM
• CONFIRM
• CONFIRM
• CONFIRM
• CONFIRM
• CONFIRM
• DEBIAN
• DEBIAN
• DEBIAN
• Debian Security Tracker
• FEDORA
• FEDORA
• FEDORA
• FULLDISC
• FULLDISC
• FULLDISC
• FULLDISC
• GENTOO
• GitHub Commit
• GitHub Issue
• GitHub Issue
• GitHub PR
• MISC
• MISC
• MISC
• MISC
• MLIST
• MLIST
• N/A
• REDHAT
• REDHAT
• REDHAT
• SUSE
• SUSE
• SUSE
• SUSE
• SUSE
• SUSE
• SUSE
• SUSE
• SUSE
• SUSE
• SUSE
• SUSE
• UBUNTU
• UBUNTU
• UBUNTU
• Ubuntu CVE Tracker
• Ubuntu Security Advisory
• Ubuntu Security Advisory

Overview

In libexpat in Expat before 2.2.7, XML input including XML names that contain a large number of colons could make the XML parser consume a high amount of RAM and CPU resources while processing (enough to be usable for denial-of-service attacks).

References

• Bugtraq Mailing List
• CONFIRM
• CVE Details
• Debian Security Advisory
• Debian Security Announcement
• Debian Security Tracker
• FEDORA
• FEDORA
• GENTOO
• GitHub Commit
• GitHub Issue
• GitHub PR
• MISC
• MISC
• MISC
• N/A
• Netapp Security Advisory
• SUSE
• Ubuntu CVE Tracker
• Ubuntu Security Advisory
• Ubuntu Security Advisory

Overview

stack_protect_prologue in cfgexpand.c and stack_protect_epilogue in function.c in GNU Compiler Collection (GCC) 4.1 through 8 (under certain circumstances) generate instruction sequences when targeting ARM targets that spill the address of the stack protector guard, which allows an attacker to bypass the protection of -fstack-protector, -fstack-protector-all, -fstack-protector-strong, and -fstack-protector-explicit against stack overflow by controlling what the stack canary is compared against.

References

• CONFIRM
• Debian Security Tracker
• MISC

Overview

stack_protect_prologue in cfgexpand.c and stack_protect_epilogue in function.c in GNU Compiler Collection (GCC) 4.1 through 8 (under certain circumstances) generate instruction sequences when targeting ARM targets that spill the address of the stack protector guard, which allows an attacker to bypass the protection of -fstack-protector, -fstack-protector-all, -fstack-protector-strong, and -fstack-protector-explicit against stack overflow by controlling what the stack canary is compared against.

References

• CONFIRM
• Debian Security Tracker
• MISC

Overview

** DISPUTED ** GNU Libc current is affected by: Re-mapping current loaded library with malicious ELF file. The impact is: In worst case attacker may evaluate privileges. The component is: libld. The attack vector is: Attacker sends 2 ELF files to victim and asks to run ldd on it. ldd execute code. NOTE: Upstream comments indicate "this is being treated as a non-security bug and no real threat."

References

• CONFIRM
• Debian Security Tracker
• MISC
• Security Focus
• UBUNTU

Overview

In the GNU C Library (aka glibc or libc6) before 2.28, parse_reg_exp in posix/regcomp.c misparses alternatives, which allows attackers to cause a denial of service (assertion failure and application exit) or trigger an incorrect result by attempting a regular-expression match.

References

• CONFIRM
• CONFIRM
• Debian Security Tracker
• MISC
• MISC
• MISC
• MISC
• MISC
• MISC
• MISC
• Netapp Security Advisory
• Ubuntu CVE Tracker

Overview

The string component in the GNU C Library (aka glibc or libc6) through 2.28, when running on the x32 architecture, incorrectly attempts to use a 64-bit register for size_t in assembly codes, which can lead to a segmentation fault or possibly unspecified other impact, as demonstrated by a crash in __memmove_avx_unaligned_erms in sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S during a memcpy.

References

• Debian Security Tracker
• GENTOO
• MISC
• Security Focus

Overview

A memory leak in glibc 2.1.1 (released on May 24, 1999) can be reached and amplified through the LD_HWCAP_MASK environment variable. Please note that many versions of glibc are not vulnerable to this issue if patched for CVE-2017-1000366.

References

• Debian Security Tracker
• Exploit DB
• Netapp Security Advisory
• OSS security Advisory
• OSS security Advisory
• OSS security Advisory
• Oss-Sec Mailing List
• Ubuntu CVE Tracker

Overview

res_query in libresolv in glibc before 2.25 allows remote attackers to cause a denial of service (NULL pointer dereference and process crash).

References

• Debian Security Tracker
• Gentoo Security Advisory
• MISC
• RHSA Security Advisory
• RedHat Bugzilla Bug
• Security Focus
• Ubuntu CVE Tracker
• Ubuntu Security Advisory
• Ubuntu Security Advisory
• https://sourceware.org/bugzilla/attachment.cgi?id=8492
• https://sourceware.org/bugzilla/show_bug.cgi?id=18784
• https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=fc82b0a2dfe7dbd35671c10510a8da1043d746a5
• https://sourceware.org/ml/libc-alpha/2017-02/msg00079.html

Overview

The glob function in glob.c in the GNU C Library (aka glibc or libc6) before 2.27 contains a buffer overflow during unescaping of user names with the ~ operator.

References

• CONFIRM
• CONFIRM
• Debian Security Tracker
• RHSA Security Advisory
• RHSA Security Advisory
• Security Focus
• Ubuntu CVE Tracker

Overview

A buffer overflow in glibc 2.5 (released on September 29, 2006) and can be triggered through the LD_LIBRARY_PATH environment variable. Please note that many versions of glibc are not vulnerable to this issue if patched for CVE-2017-1000366.

References

• Debian Security Tracker
• Exploit DB
• Netapp Security Advisory
• Oss-Sec Mailing List
• Ubuntu CVE Tracker

Overview

The GNU C Library (aka glibc or libc6) before 2.27 contains an off-by-one error leading to a heap-based buffer overflow in the glob function in glob.c, related to the processing of home directories using the ~ operator followed by a long string.

References

• CONFIRM
• Debian Security Tracker
• RHSA Security Advisory
• RHSA Security Advisory
• Security Focus
• Ubuntu CVE Tracker

Overview

Multiple stack-based buffer overflows in the GNU C Library (aka glibc or libc6) before 2.23 allow context-dependent attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a long argument to the (1) nan, (2) nanf, or (3) nanl function.

References

• BUGTRAQ
• Bugtraq Mailing List
• CONFIRM
• Debian Security Tracker
• FULLDISC
• Fedora Security Announcement
• Gentoo Security Advisory
• MISC
• MISC
• MLIST
• OSS security Advisory
• OSS security Advisory
• OpenSuse Security Announcement
• OpenSuse Security Announcement
• OpenSuse Security Announcement
• OpenSuse Security Announcement
• OpenSuse Security Announcement
• RHSA Security Advisory
• RedHat Security Advisory
• Seclists Full Disclosure
• Security Focus
• Ubuntu CVE Tracker
• Ubuntu Security Advisory
• Ubuntu Security Advisory

Overview

** DISPUTED ** GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass stack guard protection. The component is: nptl. The attack vector is: Exploit stack buffer overflow vulnerability and use this bypass vulnerability to bypass stack guard. NOTE: Upstream comments indicate "this is being treated as a non-security bug and no real threat."

References

• Debian Security Tracker
• MISC
• UBUNTU

Overview

In the GNU C Library (aka glibc or libc6) through 2.29, proceed_next_node in posix/regexec.c has a heap-based buffer over-read via an attempted case-insensitive regular-expression match.

References

• CONFIRM
• CONFIRM
• Debian Security Tracker
• GENTOO
• MISC
• MISC
• MISC
• MISC
• Netapp Security Advisory
• Security Focus
• UBUNTU
• Ubuntu CVE Tracker

Overview

An integer overflow in the implementation of the posix_memalign in memalign functions in the GNU C Library (aka glibc or libc6) 2.26 and earlier could cause these functions to return a pointer to a heap area that is too small, potentially leading to heap corruption.

References

• CONFIRM
• Debian Bug Report
• Debian Security Tracker
• Netapp Security Advisory
• Oracle Security Advisory
• REDHAT
• RHSA Security Advisory
• Security Focus
• UBUNTU
• Ubuntu CVE Tracker
• Ubuntu Security Advisory

Overview

stdlib/canonicalize.c in the GNU C Library (aka glibc or libc6) 2.27 and earlier, when processing very long pathname arguments to the realpath function, could encounter an integer overflow on 32-bit architectures, leading to a stack-based buffer overflow and, potentially, arbitrary code execution.

References

• Debian Security Tracker
• MISC
• MISC
• Netapp Security Advisory
• Netapp Security Advisory
• Oracle Security Advisory
• REDHAT
• RHSA Security Advisory
• Security Focus
• UBUNTU
• Ubuntu CVE Tracker

Overview

In glibc 2.26 and earlier there is confusion in the usage of getcwd() by realpath() which can be used to write before the destination buffer leading to a buffer underflow and potential code execution.

References

• Debian Security Tracker
• Exploit DB
• Exploit DB
• MISC
• Netapp Security Advisory
• Oss-Sec Mailing List
• RHSA Security Advisory
• Security Focus
• Security Tracker
• Ubuntu CVE Tracker
• Ubuntu Security Advisory
• Ubuntu Security Advisory

Overview

An AVX-512-optimized implementation of the mempcpy function in the GNU C Library (aka glibc or libc6) 2.27 and earlier may write data beyond the target buffer, leading to a buffer overflow in __mempcpy_avx512_no_vzeroupper.

References

• Debian Security Tracker
• Exploit DB
• MISC
• Netapp Security Advisory
• Netapp Security Advisory
• Oracle Security Advisory
• REDHAT
• RHSA Security Advisory
• Security Focus
• UBUNTU
• Ubuntu CVE Tracker

Overview

An out-of-bounds write vulnerability was found in glibc before 2.31 when handling signal trampolines on PowerPC. Specifically, the backtrace function did not properly check the array bounds when storing the frame address, resulting in a denial of service or potential code execution. The highest threat from this vulnerability is to system availability.

References

• ADVISORY
• Debian Security Tracker
• GENTOO
• MISC
• Netapp Security Advisory
• RedHat Bugzilla Bug
• UBUNTU

Overview

** DISPUTED ** In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(|)(\1\1)*' in grep, a different issue than CVE-2018-20796. NOTE: the software maintainer disputes that this is a vulnerability because the behavior occurs only with a crafted pattern.

References

• CONFIRM
• Debian Security Tracker
• MISC
• Ubuntu CVE Tracker

Overview

In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(\227|)(\1\1|t1|\\2537)+' in grep.

References

• CONFIRM
• Debian Security Tracker
• MISC
• MISC
• Netapp Security Advisory
• Security Focus
• Ubuntu CVE Tracker

Overview

elf/dl-load.c in the GNU C Library (aka glibc or libc6) 2.19 through 2.26 mishandles RPATH and RUNPATH containing $ORIGIN for a privileged (setuid or AT_SECURE) program, which allows local users to gain privileges via a Trojan horse library in the current working directory, related to the fillin_rpath and decompose_rpath functions. This is associated with misinterpretion of an empty RPATH/RUNPATH token as the "./" directory. NOTE: this configuration of RPATH/RUNPATH for a privileged program is apparently very uncommon; most likely, no such program is shipped with any common Linux distribution.

References

• CONFIRM
• CONFIRM
• Debian Bug Report
• Debian Security Tracker
• REDHAT
• RHSA Security Advisory
• Security Focus
• Ubuntu CVE Tracker

Overview

A use-after-free vulnerability introduced in glibc upstream version 2.14 was found in the way the tilde expansion was carried out. Directory paths containing an initial tilde followed by a valid username were affected by this issue. A local attacker could exploit this flaw by creating a specially crafted path that, when processed by the glob function, would potentially lead to arbitrary code execution. This was fixed in version 2.32.

References

• CONFIRM
• CONFIRM
• Debian Security Tracker
• GENTOO
• Netapp Security Advisory
• RedHat Bugzilla Bug
• UBUNTU
• Ubuntu CVE Tracker

Overview

cipher/elgamal.c in Libgcrypt through 1.8.2, when used to encrypt messages directly, improperly encodes plaintexts, which allows attackers to obtain sensitive information by reading ciphertext data (i.e., it does not have semantic security in face of a ciphertext-only attack). The Decisional Diffie-Hellman (DDH) assumption does not hold for Libgcrypt's ElGamal implementation.

References

• Debian Security Tracker
• MISC
• MISC
• MISC
• MISC

Overview

A flaw was found in the way certificate signatures could be forged using collisions found in the SHA-1 algorithm. An attacker could use this weakness to create forged certificate signatures. This issue affects GnuPG versions before 2.2.18.

References

• ADVISORY
• Debian Security Tracker
• MISC
• MISC
• MISC
• RedHat Bugzilla Bug
• UBUNTU
• Ubuntu CVE Tracker

Overview

mainproc.c in GnuPG before 2.2.8 mishandles the original filename during decryption and verification actions, which allows remote attackers to spoof the output that GnuPG sends on file descriptor 2 to other programs that use the "--status-fd 2" option. For example, the OpenPGP data might represent an original filename that contains line feed characters in conjunction with GOODSIG or VALIDSIG status codes.

References

• CONFIRM
• CVE Details
• Debian Security Advisory
• Debian Security Advisory
• Debian Security Advisory
• Debian Security Tracker
• MISC
• MISC
• MISC
• MISC
• MISC
• OSS security Advisory
• OSS security Advisory
• RHSA Security Advisory
• RHSA Security Advisory
• Seclists Full Disclosure
• Security Focus
• Security Tracker
• Ubuntu CVE Tracker
• Ubuntu Security Advisory
• Ubuntu Security Advisory
• Ubuntu Security Advisory
• Ubuntu Security Advisory

Overview

utility.c in telnetd in netkit telnet through 0.17 allows remote attackers to execute arbitrary code via short writes or urgent data, because of a buffer overflow involving the netclear and nextitem functions.

References

• CISCO
• Debian Security Tracker
• Fedora Security Update
• Fedora Security Update
• Fedora Security Update
• MISC
• MISC
• MLIST
• MLIST

Overview

Insufficient validation of environment variables in the telnet client supplied in Junos OS can lead to stack-based buffer overflows, which can be exploited to bypass veriexec restrictions on Junos OS. A stack-based overflow is present in the handling of environment variables when connecting via the telnet client to remote telnet servers. This issue only affects the telnet client — accessible from the CLI or shell — in Junos OS. Inbound telnet services are not affected by this issue. This issue affects: Juniper Networks Junos OS: 12.3 versions prior to 12.3R12-S13; 12.3X48 versions prior to 12.3X48-D80; 14.1X53 versions prior to 14.1X53-D130, 14.1X53-D49; 15.1 versions prior to 15.1F6-S12, 15.1R7-S4; 15.1X49 versions prior to 15.1X49-D170; 15.1X53 versions prior to 15.1X53-D237, 15.1X53-D496, 15.1X53-D591, 15.1X53-D69; 16.1 versions prior to 16.1R3-S11, 16.1R7-S4; 16.2 versions prior to 16.2R2-S9; 17.1 versions prior to 17.1R3; 17.2 versions prior to 17.2R1-S8, 17.2R2-S7, 17.2R3-S1; 17.3 versions prior to 17.3R3-S4; 17.4 versions prior to 17.4R1-S6, 17.4R2-S3, 17.4R3; 18.1 versions prior to 18.1R2-S4, 18.1R3-S3; 18.2 versions prior to 18.2R1-S5, 18.2R2-S2, 18.2R3; 18.2X75 versions prior to 18.2X75-D40; 18.3 versions prior to 18.3R1-S3, 18.3R2; 18.4 versions prior to 18.4R1-S2, 18.4R2.

References

• Bugtraq Mailing List
• CONFIRM
• Debian Security Tracker
• Exploit DB
• FREEBSD
• MISC

Overview

cipher/elgamal.c in Libgcrypt through 1.8.2, when used to encrypt messages directly, improperly encodes plaintexts, which allows attackers to obtain sensitive information by reading ciphertext data (i.e., it does not have semantic security in face of a ciphertext-only attack). The Decisional Diffie-Hellman (DDH) assumption does not hold for Libgcrypt's ElGamal implementation.

References

• Debian Security Tracker
• MISC
• MISC
• MISC
• MISC

Overview

The _asn1_check_identifier function in GNU Libtasn1 through 4.12 causes a NULL pointer dereference and crash when reading crafted input that triggers assignment of a NULL value within an asn1_node structure. It may lead to a remote denial of service attack.

References

• CVE Details
• Debian Security Advisory
• Debian Security Tracker
• Gentoo Security Advisory
• MLIST
• RedHat Bugzilla Bug
• Ubuntu CVE Tracker
• Ubuntu Security Advisory

Overview

In ncurses before 6.1.20180414, there is a NULL Pointer Dereference in the _nc_parse_entry function of tinfo/parse_entry.c. It could lead to a remote denial of service if the terminfo library code is used to process untrusted terminfo data in which a use-name is invalid syntax. The product proceeds to the dereference code path even after a "dubious character `[' in name or alias field" detection.

References

• CVE Details
• Debian Security Tracker
• MISC
• MISC
• RedHat Bugzilla Bug

Overview

Stack-based buffer overflow in the _nc_write_entry function in tinfo/write_entry.c in ncurses 6.0 allows attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted terminfo file, as demonstrated by tic.

References

• CONFIRM
• CONFIRM
• CVE Details
• Debian Security Tracker
• Gentoo Security Advisory
• MISC
• Ubuntu CVE Tracker

Overview

An issue was discovered in OpenLDAP 2.x before 2.4.48. When using SASL authentication and session encryption, and relying on the SASL security layers in slapd access controls, it is possible to obtain access that would otherwise be denied via a simple bind for any identity covered in those ACLs. After the first SASL bind is completed, the sasl_ssf value is retained for all new non-SASL connections. Depending on the ACL configuration, this can affect different types of operations (searches, modifications, etc.). In other words, a successful authorization step completed by one user affects the authorization requirement for a different user.

References

• ADVISORY
• BUGTRAQ
• CONFIRM
• CONFIRM
• CONFIRM
• Debian Security Announcement
• Debian Security Tracker
• FULLDISC
• MISC
• MLIST
• N/A
• OpenSuse Security Announcement
• OpenSuse Security Announcement
• Ubuntu CVE Tracker
• Ubuntu Security Advisory
• Ubuntu Security Advisory

Overview

contrib/slapd-modules/nops/nops.c in OpenLDAP through 2.4.45, when both the nops module and the memberof overlay are enabled, attempts to free a buffer that was allocated on the stack, which allows remote attackers to cause a denial of service (slapd crash) via a member MODDN operation.

References

• CVE Details
• Debian Security Tracker
• MISC
• OpenSuse Security Announcement
• OpenSuse Security Announcement

Overview

In filter.c in slapd in OpenLDAP before 2.4.50, LDAP search filters with nested boolean expressions can result in denial of service (daemon crash).

References

• CONFIRM
• CONFIRM
• CONFIRM
• Debian Security Advisory
• Debian Security Announcement
• Debian Security Tracker
• MISC
• MISC
• Netapp Security Advisory
• OpenSuse Security Announcement
• Ubuntu CVE Tracker
• Ubuntu Security Advisory
• Ubuntu Security Advisory

Overview

During key agreement in a TLS handshake using a DH(E) based ciphersuite a malicious server can send a very large prime value to the client. This will cause the client to spend an unreasonably long period of time generating a key for this prime resulting in a hang until the client has finished. This could be exploited in a Denial Of Service attack. Fixed in OpenSSL 1.1.0i-dev (Affected 1.1.0-1.1.0h). Fixed in OpenSSL 1.0.2p-dev (Affected 1.0.2-1.0.2o).

References

• CONFIRM
• CONFIRM
• CONFIRM
• CONFIRM
• CONFIRM
• CONFIRM
• CONFIRM
• CONFIRM
• CVE Details
• Debian Security Advisory
• Debian Security Advisory
• Debian Security Announcement
• Debian Security Tracker
• FEDORA
• FEDORA
• FEDORA
• Gentoo Security Advisory
• MISC
• MISC
• MISC
• N/A
• Netapp Security Advisory
• Netapp Security Advisory
• OpenSSL Security Advisory
• Oracle Security Advisory
• Oracle Security Advisory
• Oracle Security Advisory
• REDHAT
• RHSA Security Advisory
• RHSA Security Advisory
• RHSA Security Advisory
• RHSA Security Advisory
• RHSA Security Advisory
• RHSA Security Advisory
• Security Focus
• Security Tracker
• Ubuntu CVE Tracker
• Ubuntu Security Advisory
• Ubuntu Security Advisory

Overview

Stack-based buffer overflow in the pcre32_copy_substring function in pcre_get.c in libpcre1 in PCRE 8.40 allows remote attackers to cause a denial of service (WRITE of size 4) or possibly have unspecified other impact via a crafted file.

References

• CVE Details
• Debian Security Tracker
• Gentoo Security Advisory
• MISC
• RHSA Security Advisory
• Security Focus
• Ubuntu CVE Tracker

Overview

Stack-based buffer overflow in the pcre32_copy_substring function in pcre_get.c in libpcre1 in PCRE 8.40 allows remote attackers to cause a denial of service (WRITE of size 268) or possibly have unspecified other impact via a crafted file.

References

• CVE Details
• Debian Security Tracker
• Gentoo Security Advisory
• MISC
• RHSA Security Advisory
• Security Focus
• Ubuntu CVE Tracker

Overview

libpcre1 in PCRE 8.40 and libpcre2 in PCRE2 10.23 allow remote attackers to cause a denial of service (segmentation violation for read access, and application crash) by triggering an invalid Unicode property lookup.

References

• CONFIRM
• CONFIRM
• CONFIRM
• CONFIRM
• CONFIRM
• CVE Details
• Debian Security Tracker
• Gentoo Security Advisory
• Gentoo Security Advisory
• MISC
• RHSA Security Advisory
• Security Focus
• Ubuntu CVE Tracker

Overview

PCRE 7.8 and 8.32 through 8.37, and PCRE2 10.10 mishandle group empty matches, which might allow remote attackers to cause a denial of service (stack-based buffer overflow) via a crafted regular expression, as demonstrated by /^(?:(?(1)\.|([^\\W_])?)+)+$/.

References

• CONFIRM
• CONFIRM
• Debian Security Tracker
• IBM Security Bulletin
• OSS security Advisory
• Oracle Security Bulletin
• RHSA Security Advisory
• RedHat Bugzilla Bug
• RedHat Security Advisory
• RedHat Security Advisory
• Security Focus

Overview

Affected versions of this package are vulnerable to Out-of-bounds Read libpcre in PCRE before 8.43 allows a subject buffer over-read in JIT when UTF is disabled, and \X or \R has more than one fixed quantifier, a related issue to CVE-2019-20454.

Remediation

There is no fixed version for pcre3.

References

• ADVISORY
• ADVISORY
• CONFIRM
• CONFIRM
• FULLDISC
• FULLDISC
• MISC
• MISC

Overview

In PCRE 8.41, the OP_KETRMAX feature in the match function in pcre_exec.c allows stack exhaustion (uncontrolled recursion) when processing a crafted regular expression.

References

• CVE Details
• Debian Security Tracker
• OSS security Advisory
• Security Focus
• Ubuntu CVE Tracker

Overview

Affected versions of this package are vulnerable to Buffer Overflow regcomp.c in Perl before 5.30.3 allows a buffer overflow via a crafted regular expression because of recursive S_study_chunk calls.

Remediation

There is no fixed version for perl.

References

• CONFIRM
• CONFIRM
• CONFIRM
• CONFIRM
• Debian Security Tracker
• FEDORA
• GENTOO
• MISC
• MISC
• MISC
• MISC
• SUSE
• Ubuntu CVE Tracker

Overview

Affected versions of this package are vulnerable to Integer Overflow or Wraparound. Perl before 5.30.3 has an integer overflow related to mishandling of a "PL_regkind[OP(n)] == NOTHING" situation. A crafted regular expression could lead to malformed bytecode with a possibility of instruction injection.

Remediation

There is no fixed version for perl.

References

• CONFIRM
• CONFIRM
• CONFIRM
• CONFIRM
• CONFIRM
• Debian Security Tracker
• FEDORA
• GENTOO
• MISC
• MISC
• SUSE
• Ubuntu CVE Tracker

Overview

In Perl through 5.26.2, the Archive::Tar module allows remote attackers to bypass a directory-traversal protection mechanism, and overwrite arbitrary files, via an archive file containing a symlink and a regular file with the same name.

References

• Apple Security Advisory
• Bugtraq Mailing List
• CVE Details
• Debian Bug Report
• Debian Security Advisory
• Debian Security Tracker
• MISC
• Netapp Security Advisory
• RHSA Security Advisory
• Seclists Full Disclosure
• Security Focus
• Security Tracker
• Ubuntu CVE Tracker
• Ubuntu Security Advisory
• Ubuntu Security Advisory

Overview

_is_safe in the File::Temp module for Perl does not properly handle symlinks.

References

• Debian Security Tracker
• GitHub Issue
• MISC
• OSS security Advisory
• OSS security Advisory
• Oss-Sec Mailing List

Overview

Perl before 5.26.3 and 5.28.x before 5.28.1 has a buffer overflow via a crafted regular expression that triggers invalid write operations.

References

• Apple Security Advisory
• Bugtraq Mailing List
• CONFIRM
• CONFIRM
• CONFIRM
• CONFIRM
• CVE Details
• Debian Security Advisory
• Debian Security Announcement
• Debian Security Tracker
• Fedora Security Update
• GENTOO
• GitHub Commit
• MISC
• MISC
• N/A
• Netapp Security Advisory
• REDHAT
• REDHAT
• REDHAT
• RHSA Security Advisory
• RHSA Security Advisory
• RHSA Security Advisory
• RHSA Security Advisory
• RedHat Bugzilla Bug
• Seclists Full Disclosure
• Security Focus
• Security Tracker
• Ubuntu CVE Tracker
• Ubuntu Security Advisory
• Ubuntu Security Advisory

Overview

Heap-based buffer overflow in the pack function in Perl before 5.26.2 allows context-dependent attackers to execute arbitrary code via a large item count.

References

• CONFIRM
• CVE Details
• Debian Security Advisory
• Debian Security Announcement
• Debian Security Tracker
• Gentoo Security Advisory
• MISC
• Security Focus
• Security Tracker
• Ubuntu CVE Tracker
• Ubuntu Security Advisory
• Ubuntu Security Advisory

Overview

An issue was discovered in Perl 5.18 through 5.26. A crafted regular expression can cause a heap-based buffer overflow, with control over the bytes written.

References

• CONFIRM
• CVE Details
• Debian Security Advisory
• Debian Security Tracker
• Gentoo Security Advisory
• MISC
• RHSA Security Advisory
• Security Tracker
• Security Tracker
• Ubuntu CVE Tracker
• Ubuntu Security Advisory

Overview

Affected versions of this package are vulnerable to Out-of-bounds Write. Perl before 5.30.3 on 32-bit platforms allows a heap-based buffer overflow because nested regular expression quantifiers have an integer overflow.

Remediation

There is no fixed version for perl.

References

• CONFIRM
• CONFIRM
• CONFIRM
• CONFIRM
• Debian Security Tracker
• FEDORA
• GENTOO
• MISC
• MISC
• SUSE
• Ubuntu CVE Tracker

Overview

procps-ng before version 3.3.15 is vulnerable to a local privilege escalation in top. If a user runs top with HOME unset in an attacker-controlled directory, the attacker could achieve privilege escalation by exploiting one of several vulnerabilities in the config_file() function.

References

• Debian Security Advisory
• Debian Security Announcement
• Debian Security Tracker
• Exploit DB
• Gentoo Security Advisory
• MISC
• Oss-Sec Mailing List
• REDHAT
• RHSA Security Advisory
• RedHat Bugzilla Bug
• SUSE
• SUSE
• Security Focus
• Ubuntu CVE Tracker
• Ubuntu Security Advisory
• Ubuntu Security Advisory

Overview

procps-ng before version 3.3.15 is vulnerable to an incorrect integer size in proc/alloc.* leading to truncation/integer overflow issues. This flaw is related to CVE-2018-1124.

References

• CONFIRM
• Debian Security Advisory
• Debian Security Announcement
• Debian Security Tracker
• MISC
• Oss-Sec Mailing List
• RHSA Security Advisory
• RHSA Security Advisory
• RHSA Security Advisory
• RHSA Security Advisory
• RHSA Security Advisory
• RHSA Security Advisory
• RedHat Bugzilla Bug
• SUSE
• SUSE
• Security Focus
• Security Tracker
• Ubuntu CVE Tracker
• Ubuntu Security Advisory
• Ubuntu Security Advisory

Overview

procps-ng before version 3.3.15 is vulnerable to a denial of service in ps via mmap buffer overflow. Inbuilt protection in ps maps a guard page at the end of the overflowed buffer, ensuring that the impact of this flaw is limited to a crash (temporary denial of service).

References

• Debian Security Advisory
• Debian Security Announcement
• Debian Security Tracker
• Exploit DB
• Gentoo Security Advisory
• MISC
• Oss-Sec Mailing List
• RedHat Bugzilla Bug
• SUSE
• SUSE
• Security Focus
• Ubuntu CVE Tracker
• Ubuntu Security Advisory
• Ubuntu Security Advisory

Overview

procps-ng before version 3.3.15 is vulnerable to a stack buffer overflow in pgrep. This vulnerability is mitigated by FORTIFY, as it involves strncat() to a stack-allocated string. When pgrep is compiled with FORTIFY (as on Red Hat Enterprise Linux and Fedora), the impact is limited to a crash.

References

• Debian Security Advisory
• Debian Security Announcement
• Debian Security Tracker
• MISC
• Oss-Sec Mailing List
• RedHat Bugzilla Bug
• SUSE
• SUSE
• Security Focus
• Ubuntu CVE Tracker
• Ubuntu Security Advisory
• Ubuntu Security Advisory

Overview

procps-ng before version 3.3.15 is vulnerable to multiple integer overflows leading to a heap corruption in file2strvec function. This allows a privilege escalation for a local attacker who can create entries in procfs by starting processes, which could result in crashes or arbitrary code execution in proc utilities run by other users.

References

• CONFIRM
• CONFIRM
• Debian Security Advisory
• Debian Security Announcement
• Debian Security Tracker
• Exploit DB
• Gentoo Security Advisory
• MISC
• Oss-Sec Mailing List
• RHSA Security Advisory
• RHSA Security Advisory
• RHSA Security Advisory
• RHSA Security Advisory
• RHSA Security Advisory
• RHSA Security Advisory
• RHSA Security Advisory
• RedHat Bugzilla Bug
• SUSE
• SUSE
• Security Focus
• Security Tracker
• Ubuntu CVE Tracker
• Ubuntu Security Advisory
• Ubuntu Security Advisory

Overview

sensible-browser in sensible-utils before 0.0.11 does not validate strings before launching the program specified by the BROWSER environment variable, which allows remote attackers to conduct argument-injection attacks via a crafted URL, as demonstrated by a --proxy-pac-file argument.

References

• Debian Bug Report
• Debian Security Advisory
• Debian Security Announcement
• Debian Security Tracker
• Ubuntu CVE Tracker
• Ubuntu Security Advisory
• http://metadata.ftp-master.debian.org/changelogs/main/s/sensible-utils/sensible-utils_0.0.11_changelog

Overview

shadow 4.8, in certain circumstances affecting at least Gentoo, Arch Linux, and Void Linux, allows local users to obtain root access because setuid programs are misconfigured. Specifically, this affects shadow 4.8 when compiled using --with-libpam but without explicitly passing --disable-account-tools-setuid, and without a PAM configuration suitable for use with setuid account management tools. This combination leads to account management tools (groupadd, groupdel, groupmod, useradd, userdel, usermod) that can easily be used by unprivileged local users to escalate privileges to root in multiple ways. This issue became much more relevant in approximately December 2019 when an unrelated bug was fixed (i.e., the chmod calls to suidusbins were fixed in the upstream Makefile which is now included in the release version 4.8).

References

• Debian Security Tracker
• GENTOO
• GitHub Commit
• GitHub PR
• GitHub PR
• MISC
• MISC

Overview

In shadow before 4.5, the newusers tool could be made to manipulate internal data structures in ways unintended by the authors. Malformed input may lead to crashes (with a buffer overflow or other memory corruption) or other unspecified behaviors. This crosses a privilege boundary in, for example, certain web-hosting environments in which a Control Panel allows an unprivileged user account to create subaccounts.

References

• CVE Details
• Debian Bug Report
• Debian Security Tracker
• Gentoo Security Advisory
• GitHub Commit
• Ubuntu CVE Tracker
• https://bugs.launchpad.net/ubuntu/+source/shadow/+bug/1266675

Overview

systemd-tmpfiles in systemd through 237 mishandles symlinks present in non-terminal path components, which allows local users to obtain ownership of arbitrary files via vectors involving creation of a directory and a file under that directory, and later replacing that directory with a symlink. This occurs even if the fs.protected_symlinks sysctl is turned on.

References

• Debian Security Tracker
• GitHub Issue
• OpenSuse Security Announcement
• Ubuntu CVE Tracker
• Ubuntu Security Advisory
• Ubuntu Security Advisory

Overview

In systemd before v242-rc4, it was discovered that pam_systemd does not properly sanitize the environment before using the XDG_SEAT variable. It is possible for an attacker, in some particular configurations, to set a XDG_SEAT environment variable which allows for commands to be checked against polkit policies using the "allow_active" element rather than "allow_any".

References

• Debian Security Announcement
• Debian Security Tracker
• Exploit DB
• Fedora Security Update
• MISC
• OpenSuse Security Announcement
• RedHat Bugzilla Bug
• Ubuntu CVE Tracker

Overview

An allocation of memory without limits, that could result in the stack clashing with another memory region, was discovered in systemd-journald when a program with long command line arguments calls syslog. A local attacker may use this flaw to crash systemd-journald or escalate his privileges. Versions through v240 are vulnerable.

References

• Debian Security Advisory
• Debian Security Announcement
• Debian Security Tracker
• Gentoo Security Advisory
• MISC
• Netapp Security Advisory
• Oracle Security Advisory
• REDHAT
• RHSA Security Advisory
• RHSA Security Advisory
• RHSA Security Advisory
• RHSA Security Advisory
• RHSA Security Advisory
• RHSA Security Advisory
• RedHat Bugzilla Bug
• Security Focus
• Ubuntu CVE Tracker
• Ubuntu Security Advisory

Overview

An allocation of memory without limits, that could result in the stack clashing with another memory region, was discovered in systemd-journald when many entries are sent to the journal socket. A local attacker, or a remote one if systemd-journal-remote is used, may use this flaw to crash systemd-journald or execute code with journald privileges. Versions through v240 are vulnerable.

References

• Bugtraq Mailing List
• Debian Security Advisory
• Debian Security Announcement
• Debian Security Tracker
• Gentoo Security Advisory
• MISC
• MISC
• Netapp Security Advisory
• OSS security Advisory
• Oracle Security Advisory
• REDHAT
• RHSA Security Advisory
• RHSA Security Advisory
• RHSA Security Advisory
• RHSA Security Advisory
• RHSA Security Advisory
• RHSA Security Advisory
• RedHat Bugzilla Bug
• Seclists Full Disclosure
• Security Focus
• Ubuntu CVE Tracker
• Ubuntu Security Advisory

Overview

A vulnerability in unit_deserialize of systemd allows an attacker to supply arbitrary state across systemd re-execution via NotifyAccess. This can be used to improperly influence systemd execution and possibly lead to root privilege escalation. Affected releases are systemd versions up to and including 239.

References

• Debian Security Announcement
• Debian Security Tracker
• Exploit DB
• Gentoo Security Advisory
• GitHub PR
• MLIST
• REDHAT
• REDHAT
• RHSA Security Advisory
• Security Focus
• Ubuntu CVE Tracker
• Ubuntu Security Advisory

Overview

systemd 242 changes the VT1 mode upon a logout, which allows attackers to read cleartext passwords in certain circumstances, such as watching a shutdown, or using Ctrl-Alt-F1 and Ctrl-Alt-F2. This occurs because the KDGKBMODE (aka current keyboard mode) check is mishandled.

References

• Debian Security Tracker
• GitHub Commit
• GitHub PR
• MISC
• Netapp Security Advisory
• Security Focus
• Ubuntu CVE Tracker

Overview

systemd-tmpfiles in systemd before 237 attempts to support ownership/permission changes on hardlinked files even if the fs.protected_hardlinks sysctl is turned off, which allows local users to bypass intended access restrictions via vectors involving a hard link to a file for which the user lacks write access, as demonstrated by changing the ownership of the /etc/passwd file.

References

• Debian Security Announcement
• Debian Security Tracker
• Exploit DB
• GitHub Issue
• MISC
• OSS security Advisory
• OSS security Advisory
• OpenSuse Security Update

Overview

A buffer overflow vulnerability in the dhcp6 client of systemd allows a malicious dhcp6 server to overwrite heap memory in systemd-networkd. Affected releases are systemd: versions up to and including 239.

References

• Debian Security Announcement
• Debian Security Tracker
• Gentoo Security Advisory
• GitHub PR
• REDHAT
• RHSA Security Advisory
• RHSA Security Advisory
• Security Focus
• Ubuntu CVE Tracker
• Ubuntu Security Advisory
• Ubuntu Security Advisory

Overview

Tar 1.15.1 does not properly warn the user when extracting setuid or setgid files, which may allow local users or remote attackers to gain privileges.

This is considered intended behaviour, as tar is an archiving tool and one needs to give -p as a command line flag

References

• Debian Security Tracker
• HP Security Bulletin

Overview

pax_decode_header in sparse.c in GNU Tar before 1.32 had a NULL pointer dereference when parsing certain archives that have malformed extended headers.

References

• Debian Security Tracker
• MISC
• MISC
• MISC
• OpenSuse Security Announcement
• Ubuntu CVE Tracker

Overview

runuser in util-linux allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer.

References

• Debian Bug Report
• Debian Security Tracker
• OSS security Advisory
• OSS security Advisory
• Ubuntu CVE Tracker

Overview

The mkostemp function in login-utils in util-linux when used incorrectly allows remote attackers to cause file name collision and possibly other attacks.

References

• Debian Security Tracker
• GitHub Commit
• OSS security Advisory
• RedHat Bugzilla Bug
• Security Focus

Overview

inffast.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact by leveraging improper pointer arithmetic.

References

• Apple Security Advisory
• Apple Security Advisory
• Apple Security Advisory
• Apple Security Advisory
• CVE Details
• Debian Security Announcement
• Debian Security Tracker
• GENTOO
• Gentoo Security Advisory
• GitHub Commit
• MISC
• MISC
• MISC
• MLIST
• Netapp Security Advisory
• OSS security Advisory
• OpenSuse Security Update
• OpenSuse Security Update
• OpenSuse Security Update
• Oracle Security Advisory
• Oracle Security Advisory
• Oracle Security Advisory
• RHSA Security Advisory
• RHSA Security Advisory
• RHSA Security Advisory
• RHSA Security Advisory
• RHSA Security Advisory
• RHSA Security Advisory
• RHSA Security Advisory
• RedHat Bugzilla Bug
• Security Focus
• Security Tracker
• Security Tracker
• UBUNTU
• UBUNTU
• Ubuntu CVE Tracker

Overview

The crc32_big function in crc32.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact via vectors involving big-endian CRC calculation.

References

• Apple Security Advisory
• Apple Security Advisory
• Apple Security Advisory
• Apple Security Advisory
• CVE Details
• Debian Security Announcement
• Debian Security Tracker
• GENTOO
• Gentoo Security Advisory
• GitHub Commit
• MISC
• MISC
• MISC
• MLIST
• Netapp Security Advisory
• OSS security Advisory
• OpenSuse Security Update
• OpenSuse Security Update
• OpenSuse Security Update
• Oracle Security Advisory
• Oracle Security Advisory
• Oracle Security Advisory
• RHSA Security Advisory
• RHSA Security Advisory
• RHSA Security Advisory
• RHSA Security Advisory
• RHSA Security Advisory
• RHSA Security Advisory
• RHSA Security Advisory
• RedHat Bugzilla Bug
• Security Focus
• Security Tracker
• Security Tracker
• UBUNTU
• UBUNTU
• Ubuntu CVE Tracker

Overview

The inflateMark function in inflate.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact via vectors involving left shifts of negative integers.

References

• Apple Security Advisory
• Apple Security Advisory
• Apple Security Advisory
• Apple Security Advisory
• CVE Details
• Debian Security Announcement
• Debian Security Tracker
• GENTOO
• Gentoo Security Advisory
• GitHub Commit
• MISC
• MISC
• MISC
• MLIST
• OSS security Advisory
• OpenSuse Security Update
• OpenSuse Security Update
• OpenSuse Security Update
• Oracle Security Advisory
• Oracle Security Advisory
• RHSA Security Advisory
• RHSA Security Advisory
• RHSA Security Advisory
• RHSA Security Advisory
• RHSA Security Advisory
• RHSA Security Advisory
• RHSA Security Advisory
• RedHat Bugzilla Bug
• Security Focus
• Security Tracker
• UBUNTU
• UBUNTU
• Ubuntu CVE Tracker

Overview

inftrees.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact by leveraging improper pointer arithmetic.

References

• Apple Security Advisory
• Apple Security Advisory
• Apple Security Advisory
• Apple Security Advisory
• CVE Details
• Debian Security Announcement
• Debian Security Tracker
• GENTOO
• Gentoo Security Advisory
• GitHub Commit
• MISC
• MISC
• MISC
• MLIST
• OSS security Advisory
• OpenSuse Security Update
• OpenSuse Security Update
• OpenSuse Security Update
• Oracle Security Advisory
• Oracle Security Advisory
• RHSA Security Advisory
• RHSA Security Advisory
• RHSA Security Advisory
• RHSA Security Advisory
• RHSA Security Advisory
• RHSA Security Advisory
• RHSA Security Advisory
• RedHat Bugzilla Bug
• Security Focus
• Security Tracker
• UBUNTU
• UBUNTU
• Ubuntu CVE Tracker