Chris Evans
Fixed version:
libxslt, N/A
Credit: vulnerability report and PoC code received from Chris Evans
<scarybeasts [at] gmail [dot] com>, Google Security Team.
CVE: CVE-2008-2935
Timeline:
4.) Babak Javadi (TOOOL USA)
5.) Bruno Goncalves de Oliveira (Computer Engineer, iBLISS)
6.) Chris Evans (Information Security Engineer/Troublemaker/Chrome
Security, Google Corp)
7.) Damien Aumaitre (Sogeti)
8.) Daniele Bianco (Hardware Hacker, Inverse Path)
Affected: 2007.0, 2007.1, 2008.0, Corporate 3.0, Corporate 4.0
_______________________________________________________________________
Problem Description:
Chris Evans found a buffer overflow condition in Ghostscript, which can
lead to arbitrary code execution with the privileges of the user running
any application that uses Ghostscript to process a maliciously crafted
PostScript file.
The updated packages have been patched to prevent this issue.
_______________________________________________________________________
memory leak. The Common Vulnerabilities and Exposures project
identifies the following problems:
CVE-2009-0028
Chris Evans discovered a situation in which a child process can
send an arbitrary signal to its parent.
CVE-2009-0834
Roland McGrath discovered an issue on amd64 kernels that allows
trigger the execution of infinite loops (CVE-2007-4767). PCRE is also
prone to an error when optimizing character classes containing a
singleton UTF-8 sequence which might lead to a heap-based buffer
overflow (CVE-2007-4768).
Chris Evans also reported multiple integer overflow vulnerabilities in
PCRE when processing a large number of named subpatterns ("name_count")
or long subpattern names ("max_name_size") (CVE-2006-7227), and via
large "min", "max", or "duplength" values (CVE-2006-7228), both possibly
leading to buffer overflows. Another vulnerability was reported when
compiling patterns where the "-x" or "-i" UTF-8 options change within
< 1.1.8
Description
===========
Chris Evans (Google Security) reported that the libexslt library that
is part of libxslt is affected by a heap-based buffer overflow in the
RC4 encryption/decryption functions.
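The hazard in a hex-in/hex-out RC4 extension function is that every output buffer is sized from the caller's input, so the length arithmetic, not the cipher, is where a heap overflow comes from. The following is an added example written for this page, not libexslt's crypto.c: an RC4 encrypt/decrypt pair whose allocations are derived from the measured input length and which rejects odd-length or malformed hex and out-of-range keys instead of trusting them. The key-length cap (MAX_KEY_LEN), the function names and the hex framing are this example's own assumptions.

```c
/* Added example, not libexslt's code: RC4 with length-checked hex framing.
 * Every buffer is sized from strlen() of the input and every conversion
 * reports failure instead of writing past what was allocated. */
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define MAX_KEY_LEN 256   /* assumption of this example: RC4 keys are 1..256 bytes */

/* RC4 KSA + PRGA. Returns 0 on success, -1 if the key length is out of range. */
static int rc4_crypt(const uint8_t *key, size_t key_len,
                     const uint8_t *in, size_t len, uint8_t *out)
{
    uint8_t S[256], t;
    size_t i, j = 0, k;

    if (key_len == 0 || key_len > MAX_KEY_LEN)
        return -1;
    for (i = 0; i < 256; i++)
        S[i] = (uint8_t)i;
    for (i = 0; i < 256; i++) {                 /* key schedule */
        j = (j + S[i] + key[i % key_len]) & 0xff;
        t = S[i]; S[i] = S[j]; S[j] = t;
    }
    i = j = 0;
    for (k = 0; k < len; k++) {                 /* keystream XOR */
        i = (i + 1) & 0xff;
        j = (j + S[i]) & 0xff;
        t = S[i]; S[i] = S[j]; S[j] = t;
        out[k] = in[k] ^ S[(S[i] + S[j]) & 0xff];
    }
    return 0;
}

/* Hex-encode len bytes; out must hold 2*len+1 bytes (caller guarantees it). */
static void to_hex(const uint8_t *in, size_t len, char *out)
{
    static const char digits[] = "0123456789abcdef";
    size_t k;
    for (k = 0; k < len; k++) {
        out[2 * k]     = digits[in[k] >> 4];
        out[2 * k + 1] = digits[in[k] & 0x0f];
    }
    out[2 * len] = '\0';
}

static int hex_val(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Hex-decode into out (capacity out_cap). Returns the decoded length, or -1
 * on odd input length, a non-hex digit, or insufficient capacity. */
static long from_hex(const char *hex, uint8_t *out, size_t out_cap)
{
    size_t n = strlen(hex), k;
    if (n % 2 != 0 || n / 2 > out_cap)
        return -1;
    for (k = 0; k < n / 2; k++) {
        int hi = hex_val(hex[2 * k]), lo = hex_val(hex[2 * k + 1]);
        if (hi < 0 || lo < 0)
            return -1;
        out[k] = (uint8_t)((hi << 4) | lo);
    }
    return (long)(n / 2);
}

/* Encrypt a NUL-terminated string under key; returns a malloc'd lowercase hex
 * string, or NULL on a bad key or allocation failure. */
char *rc4_encrypt_hex(const char *key, const char *plaintext)
{
    size_t klen = strlen(key), plen = strlen(plaintext);
    uint8_t *cipher;
    char *hex;

    if (plen > (SIZE_MAX - 1) / 2)           /* 2*plen+1 must not wrap */
        return NULL;
    cipher = malloc(plen ? plen : 1);
    hex    = malloc(2 * plen + 1);
    if (!cipher || !hex ||
        rc4_crypt((const uint8_t *)key, klen,
                  (const uint8_t *)plaintext, plen, cipher) != 0) {
        free(cipher); free(hex);
        return NULL;
    }
    to_hex(cipher, plen, hex);
    free(cipher);
    return hex;
}

/* Decrypt a hex ciphertext; returns a malloc'd NUL-terminated string, or NULL
 * if the hex is malformed or the key is rejected. */
char *rc4_decrypt_hex(const char *key, const char *hex)
{
    size_t klen = strlen(key), hlen = strlen(hex);
    size_t cap = hlen / 2;                    /* decoded length can never exceed this */
    uint8_t *cipher = malloc(cap ? cap : 1);
    char *plain = malloc(cap + 1);            /* +1 for NUL; cap <= SIZE_MAX/2 so no wrap */
    long n;

    if (!cipher || !plain) { free(cipher); free(plain); return NULL; }
    n = from_hex(hex, cipher, cap);
    if (n < 0 || rc4_crypt((const uint8_t *)key, klen,
                           cipher, (size_t)n, (uint8_t *)plain) != 0) {
        free(cipher); free(plain);
        return NULL;
    }
    plain[n] = '\0';
    free(cipher);
    return plain;
}
```

The decode path sizes the binary buffer before it ever looks at the digits, and from_hex refuses to write more than that capacity; that ordering, rather than the cipher itself, is what keeps a crafted stylesheet string from turning into an out-of-bounds write.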
Impact
======
service by generating large amounts of traffic on a large SMP
system, resulting in soft lockups.
CVE-2009-0029
Christian Borntraeger discovered an issue affecting the alpha,
Affected: 2009.0, 2010.0, 2010.1, Enterprise Server 5.0
_______________________________________________________________________
Problem Description:
Chris Evans of the Chrome Security Team reported that the XSLT
generate-id() function returned a string that revealed a specific valid
address of an object on the memory heap. It is possible that in some
cases this address would be valuable information that could be used
by an attacker while exploiting a different memory corruption bug,
in order to make an exploit more reliable or work around mitigation
fixes. In general, a standard system update will make all the necessary
changes.
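Why an address-derived identifier matters: anything that can read the transformation output can parse the heap pointer back out and use it to defeat ASLR for a separate memory-corruption bug. The example below is added for this page and is not libxslt's code; it mints a generate-id()-style value two ways, once from the node's address (leaky, with the attacker's recovery step alongside) and once from a per-document counter cached on the node, which is stable and unique within the document but carries no address information. The node/document structs, the "idp"/"idm" prefixes and the hex layout are this example's assumptions.

```c
/* Added example, not libxslt's code: pointer-derived vs counter-derived IDs. */
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <string.h>

typedef struct node {
    int payload;
    unsigned long id;        /* 0 until an ID has been assigned (assumed layout) */
} node_t;

typedef struct doc {
    node_t nodes[4];
    unsigned long next_id;   /* per-document counter, starts at 1 */
} doc_t;

/* Leaky variant: the identifier is the node's address rendered in hex. */
void leaky_generate_id(const node_t *n, char *out, size_t cap)
{
    snprintf(out, cap, "idp%lx", (unsigned long)(uintptr_t)n);
}

/* What a reader of the output does with it: turn the ID back into a pointer. */
uintptr_t recover_address(const char *id)
{
    if (strncmp(id, "idp", 3) != 0)
        return 0;
    return (uintptr_t)strtoul(id + 3, NULL, 16);
}

/* Safe variant: assign a document-scoped counter on first use and cache it,
 * so the value is stable for the node and unique within the document. */
void safe_generate_id(doc_t *d, node_t *n, char *out, size_t cap)
{
    if (n->id == 0)
        n->id = d->next_id++;
    snprintf(out, cap, "idm%lu", n->id);
}

/* Property check: the address-derived ID gives the exact heap pointer back. */
int leaky_id_reveals_pointer(void)
{
    node_t *n = malloc(sizeof *n);
    char id[32];
    int leaked;
    if (!n)
        return -1;
    leaky_generate_id(n, id, sizeof id);
    leaked = (recover_address(id) == (uintptr_t)n);
    free(n);
    return leaked;
}

/* Property check: counter IDs are stable per node, sequential in first-use
 * order, and yield nothing when parsed as an address. */
int safe_ids_are_stable_and_sequential(void)
{
    doc_t *d = calloc(1, sizeof *d);
    char a[32], b[32], a2[32];
    int ok;
    if (!d)
        return -1;
    d->next_id = 1;
    safe_generate_id(d, &d->nodes[2], a, sizeof a);
    safe_generate_id(d, &d->nodes[0], b, sizeof b);
    safe_generate_id(d, &d->nodes[2], a2, sizeof a2);
    ok = strcmp(a, "idm1") == 0 && strcmp(b, "idm2") == 0 &&
         strcmp(a2, a) == 0 && recover_address(a) == 0;
    free(d);
    return ok;
}
```

The counter costs one field per node (or a side table keyed by node) and satisfies what generate-id() promises, uniqueness and stability within one transformation, without tying the value to where the allocator put the object.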
Details follow:
Chris Evans discovered that libvpx did not properly perform bounds
checking. If an application using libvpx opened a specially crafted WebM
file, an attacker could cause a denial of service.
Updated packages for Ubuntu 10.10:
In general, a standard system upgrade is sufficient to effect the
necessary changes.
Details follow:
Chris Evans discovered that certain ICC operations in lcms were not
correctly bounds-checked. If a user or automated system were tricked
into processing an image with malicious ICC tags, a remote attacker could
crash applications linked against liblcms1, leading to a denial of service,
or possibly execute arbitrary code with user privileges.
Marius Schilder discovered that Thunderbird did not properly handle redirects
to an outside domain when an XMLHttpRequest was made to a same-origin resource.
When Javascript is enabled, it's possible that sensitive information could be
revealed in the XMLHttpRequest response. (CVE-2008-5506)
Chris Evans discovered that Thunderbird did not properly protect a user's data
when accessing a same-domain Javascript URL that is redirected to an unparsable
Javascript off-site resource. If a user were tricked into opening a malicious
website and had Javascript enabled, an attacker may be able to steal a limited
amount of private data. (CVE-2008-5507)
RedHat reported a null-pointer dereference flaw while processing
monochrome ICC profiles (CVE-2009-0793).
Chris Evans of Google discovered the following vulnerabilities:
* LittleCMS contains severe memory leaks (CVE-2009-0581).
* LittleCMS is prone to multiple integer overflows, leading to a
heap-based buffer overflow (CVE-2009-0723).
*>= 2.4.6
Description
===========
Chris Evans reported multiple integer overflows in the expandtabs
method, as implemented by (1) the string_expandtabs function in
Objects/stringobject.c and (2) the unicode_expandtabs function in
Objects/unicodeobject.c.
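The PCRE name-table overflows (name_count times max_name_size), the LittleCMS integer overflows and the expandtabs overflows above are one bug class: a size or length computed from attacker-controlled counts wraps, the allocation comes out too small, and the copy that follows overflows the heap. The example below is added for this page and is not PCRE's, LittleCMS's or CPython's code; it shows the two arithmetic shapes involved, a product used as an allocation size and a running column/length counter advanced per tab, each in its unchecked and its checked form. Widths are fixed at 32 bits so the wrap is reproducible on any host; the function names and the tab-stop semantics are this example's own choices.

```c
/* Added example, not the projects' code: size arithmetic that wraps vs.
 * size arithmetic that refuses to. */
#include <stddef.h>
#include <stdint.h>
#include <stdbool.h>

/* Unchecked name-table size: name_count * max_name_size wraps silently. */
uint32_t table_size_unchecked(uint32_t name_count, uint32_t max_name_size)
{
    return name_count * max_name_size;
}

/* Checked: false instead of a wrapped (too small) size. */
bool table_size_checked(uint32_t name_count, uint32_t max_name_size,
                        uint32_t *out)
{
    if (name_count != 0 && max_name_size > UINT32_MAX / name_count)
        return false;
    *out = name_count * max_name_size;
    return true;
}

/* Unchecked expandtabs length: each '\t' advances the column to the next
 * multiple of tabsize; a huge tabsize wraps both counters. */
uint32_t expandtabs_len_unchecked(const char *s, uint32_t tabsize)
{
    uint32_t col = 0, total = 0;
    for (; *s; s++) {
        if (*s == '\t') {
            uint32_t pad = tabsize ? tabsize - (col % tabsize) : 0;
            col += pad;                       /* may wrap */
            total += pad;                     /* may wrap: undersized result */
        } else if (*s == '\n' || *s == '\r') {
            col = 0;
            total += 1;
        } else {
            col += 1;
            total += 1;
        }
    }
    return total;
}

/* Checked: every addition is tested against the remaining headroom first. */
bool expandtabs_len_checked(const char *s, uint32_t tabsize, uint32_t *out)
{
    uint32_t col = 0, total = 0;
    for (; *s; s++) {
        uint32_t add = 1;
        if (*s == '\t')
            add = tabsize ? tabsize - (col % tabsize) : 0;
        if (add > UINT32_MAX - total)
            return false;                     /* would wrap: refuse */
        total += add;
        if (*s == '\n' || *s == '\r') {
            col = 0;
        } else {
            if (add > UINT32_MAX - col)
                return false;
            col += add;
        }
    }
    *out = total;
    return true;
}
```

The check goes before the addition or multiplication, comparing the operand against the headroom left (UINT32_MAX - total, UINT32_MAX / name_count); testing the result afterwards for "looks small" is unreliable because the wrapped value is a perfectly ordinary number.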
Impact
structure may be reclaimed, resulting in a bad pointer dereference causing
an oops during a readdir.
CVE-2007-4997
Chris Evans discovered an issue with certain drivers that make use of the
Linux kernel's ieee80211 layer. A remote user could generate a malicious
802.11 frame that could result in a denial of service (crash). The ipw2100
driver is known to be affected by this issue, while the ipw2200 is
believed not to be.
Marius Schilder discovered that Firefox did not properly handle redirects to
an outside domain when an XMLHttpRequest was made to a same-origin resource.
It's possible that sensitive information could be revealed in the
XMLHttpRequest response. (CVE-2008-5506)
Chris Evans discovered that Firefox did not properly protect a user's data when
accessing a same-domain Javascript URL that is redirected to an unparsable
Javascript off-site resource. If a user were tricked into opening a malicious
website, an attacker may be able to steal a limited amount of private data.
(CVE-2008-5507)
Wladimir Palant discovered that security checks in XML processing
were insufficiently enforced.
CVE-2010-0654
Chris Evans discovered that insecure CSS handling could lead to
reading data across domain boundaries.
CVE-2010-1205
Aki Helin discovered a buffer overflow in the internal copy of
Emmanuel Gadaix, Founder, TSTF
Andrea Barisani, Inverse Path
Philippe Langlois, TSTF
Ed Skoudis, InGuardians
Haroon Meer, Thinkst
Chris Evans, Google
Raoul Chiesa, TSTF
rsnake, SecTheory
Skyper, THC
Note: We do not accept product or vendor related pitches. If you would
Jordi Chancel discovered that Firefox did not properly handle when a server
responds to an HTTPS request with plaintext and then processes JavaScript
history events. An attacker could exploit this to spoof the location bar,
such as in a phishing attack. (CVE-2010-2751)
Chris Evans discovered that Firefox did not properly process improper CSS
selectors. If a user were tricked into viewing a malicious website, an
attacker could exploit this to read data from other domains.
(CVE-2010-0654)
Soroush Dalili discovered that Firefox did not properly handle script error
malformed font files. If a user were tricked into using a specially crafted
font file, a remote attacker could cause FreeType to crash or possibly
execute arbitrary code with user privileges. This issue only affected
Ubuntu 6.06 LTS, 8.04 LTS, 9.10 and 10.04 LTS. (CVE-2010-3311)
Chris Evans discovered that FreeType did not correctly handle certain
malformed TrueType font files. If a user were tricked into using a
specially crafted TrueType file, a remote attacker could cause FreeType to
crash or possibly execute arbitrary code with user privileges. This issue
only affected Ubuntu 8.04 LTS, 9.10, 10.04 LTS and 10.10. (CVE-2010-3814)
Vulnerability : buffer overflow
Problem type : local
Debian-specific: no
CVE Id(s) : CVE-2008-0411
Chris Evans discovered a buffer overflow in the color space handling
code of the Ghostscript PostScript/PDF interpreter, which might result
in the execution of arbitrary code if a user is tricked into processing
a malformed file.
For the stable distribution (etch), this problem has been fixed in version
Collin Jackson discovered that the -moz-binding property bypasses
security checks on codebase principals.
CVE-2008-5024
Chris Evans discovered that quote characters were improperly
escaped in the default namespace of E4X documents.
For the stable distribution (etch), these problems have been fixed in
version 1.8.0.15~pre080614h-0etch1. Packages for mips will be provided
later.
Vulnerability : buffer overflow
Problem type : local (remote)
Debian-specific: no
Debian Bug : 628537
Chris Evans discovered that libxml was vulnerable to buffer overflows,
which allowed a crafted XML input file to potentially execute arbitrary
code.
For the oldstable distribution (lenny), this problem has been fixed in
version 2.6.32.dfsg-5+lenny4.
Guide for more information on advanced options for the esxupdate
utility.
b. Python
Chris Evans of the Google security research team discovered an
integer overflow issue with the way Python's Perl-Compatible
Regular Expression (PCRE) module handled certain regular
expressions. If a Python application used the PCRE module to
compile and execute untrusted regular expressions, it might be
possible to cause the application to crash, or to execute
libmng zip archives >= 01010x
Firefox, N/A
Credit: vulnerability report received from Chris Evans <cevans [at] google
[dot] com>, Google Security Team.
CVE: CVE-2009-0723 (integer overflows), CVE-2009-0581 (memory leak),
CVE-2009-0733 (lack of upper-bound checks on size)
tell the difference in the UI you are using, so it's understandable to
have missed these extra limits.
Thanks for taking the trouble to contact us, though.
Chris Evans, Google Security Team
On Fri, Jul 17, 2009 at 2:48 PM, ISecAuditors Security
Advisories<advisories@isecauditors.com> wrote:
> =============================================
-------------------------------------------------------------------
Description
===========
Chris Evans reported an integer overflow within the FreeType PCF font
file parser (CVE-2006-1861). NX and NX Node are vulnerable to this due
to shipping XFree86 4.3.0, which includes the vulnerable FreeType code.
Impact
======
Mikko Hyppönen, Chief Research Officer, F-Secure
Nart Villeneuve, Chief Technology Officer, Information Warfare Monitor
Chris Evans, Security Lead, Google Chrome
Susan Brenner, University of Dayton School of Law
Haroon Meer, Thinkst Applied Research