crashes
Original advisory details:
Sauli Pahlman discovered that the TIFF library incorrectly handled invalid
td_stripbytecount fields. If a user or automated system were tricked into
opening a specially crafted TIFF image, a remote attacker could crash the
application, leading to a denial of service. This issue only affected
Ubuntu 10.04 LTS and 10.10. (CVE-2010-2482)
Sauli Pahlman discovered that the TIFF library incorrectly handled TIFF
files with an invalid combination of SamplesPerPixel and Photometric
Multiple vulnerabilities have been identified and fixed in php:
The _zip_name_locate function in zip_name_locate.c in the Zip extension
in PHP before 5.3.6 does not properly handle a ZIPARCHIVE::FL_UNCHANGED
argument, which might allow context-dependent attackers to cause
a denial of service (application crash) via an empty ZIP archive
that is processed with a (1) locateName or (2) statName operation
(CVE-2011-0421).
exif.c in the Exif extension in PHP before 5.3.6 on 64-bit platforms
performs an incorrect cast, which allows remote attackers to cause a
Ben Schmidt discovered that a use-after-free vulnerability in the PHP
Zend engine could allow an attacker to cause a denial of service (heap
memory corruption) or possibly execute arbitrary code. (CVE-2010-4697)
Martin Barbella discovered a buffer overflow in the PHP GD extension
that allows an attacker to cause a denial of service (application crash)
via a large number of anti-aliasing steps in an argument to the
imagepstext function. (CVE-2010-4698)
It was discovered that PHP accepts the \0 character in a pathname,
which might allow an attacker to bypass intended access restrictions
CVSSv2 Temporal Score: 6.1
SUMMARY
=======
CVE-2011-1527: In releases krb5-1.9 and later, the KDC can crash due
to a null pointer dereference if configured to use the LDAP back end.
A trigger condition is publicly known but not known to be widely
circulated.
CVE-2011-1528: In releases krb5-1.8 and later, the KDC can crash due
out a priority. ***
== VENDOR RESPONSE / STATUS ==
* Internet Explorer: MSRC notified in July 2010. Fuzzer observed to trigger
several exploitable crashes - e.g.:
http://lcamtuf.coredump.cx/cross_fuzz/msie_crash.txt
...as well as some security-relevant GDI corruption issues.
Multiple vulnerabilities have been discovered and fixed in tetex:
Multiple buffer overflows in the JBIG2 decoder in Xpdf 3.02pl2
and earlier allow remote attackers to cause a denial of service
(crash) via a crafted PDF file, related to (1) setBitmap and (2)
readSymbolDictSeg (CVE-2009-0146).
Multiple integer overflows in the JBIG2 decoder in Xpdf 3.02pl2 and
earlier allow remote attackers to cause a denial of service (crash)
via a crafted PDF file (CVE-2009-0147).
_______________________________________________________________________
Problem Description:
An out-of-bounds reading flaw in the JBIG2 decoder allows remote
attackers to cause a denial of service (crash) via a crafted PDF file
(CVE-2009-0799).
Multiple input validation flaws in the JBIG2 decoder allow
remote attackers to execute arbitrary code via a crafted PDF file
(CVE-2009-0800).
CVE-2007-1667
Multiple integer overflows in the XInitImage function in xwd.c for
GraphicsMagick allow user-assisted remote attackers to cause a
denial of service (crash) or obtain sensitive information via
crafted images with large or negative values that trigger a
buffer overflow. It only affects the oldstable distribution (etch).
CVE-2007-1797
[CVE-2009-0844]
The MIT krb5 implementation of the SPNEGO GSS-API mechanism can read
beyond the end of a network input buffer. This can cause a GSS-API
application to crash by reading from invalid address space. Under
theoretically possible but very unlikely conditions, a small
information leak may occur. We believe that no successful exploit
exists that could induce an information leak.
[CVE-2009-0845]
(MFSA 2008-34)
CVE-2008-2798
Devon Hubbard, Jesse Ruderman and Martijn Wargers discovered
crashes in the layout engine, which might allow the execution of
arbitrary code. (MFSA 2008-21)
CVE-2008-2799
Igor Bukanov, Jesse Ruderman and Gary Kwong discovered crashes in
Executive Summary:
URI/URL Spoofing when displaying the content of a NDEF Smart Poster
and plain URI tag. Web browser does not display full hostname when
loading a web page.
Crash of the parser for various parts of NDEF records, reboots
graphical user interface (GUI) of phone.
-----------------------------
Reporter: Collin Mulliner <collin.mulliner[AT]sit.fraunhofer.de>
I've also posted this to my blog:
http://hboeck.de/archives/578-How-long-does-it-take-to-fix-a-crash-bug.html
About one year ago, Sam Hocevar posted some results on tests with his fuzzing
tool zzuf, which showed a large number of crashes in various applications,
especially multimedia apps.
http://sam.zoy.org/blog/2007-01-16-exposing-file-parsing-vulnerabilities
http://sam.zoy.org/zzuf/
Problem Description:
Multiple vulnerabilities have been found and corrected in mysql:
MySQL before 5.1.48 allows remote authenticated users with alter
database privileges to cause a denial of service (server crash
and database loss) via an ALTER DATABASE command with a #mysql50#
string followed by a . (dot), .. (dot dot), ../ (dot dot slash) or
similar sequence, and an UPGRADE DATA DIRECTORY NAME command, which
causes MySQL to move certain directories to the server data directory
(CVE-2010-2008).
Multiple vulnerabilities were discovered and corrected in mysql:
* During evaluation of arguments to extreme-value functions (such
as LEAST() and GREATEST()), type errors did not propagate properly,
causing the server to crash (CVE-2010-3833).
* The server could crash after materializing a derived table that
required a temporary table for grouping (CVE-2010-3834).
* A user-variable assignment expression that is evaluated in a logical
innodb_file_per_table configuration parameters for the InnoDB storage
engine, then executing a DDL statement (CVE-2010-3676).
MySQL 5.1 before 5.1.49 and 5.0 before 5.0.92 allows remote
authenticated users to cause a denial of service (mysqld daemon
crash) via a join query that uses a table with a unique SET column
(CVE-2010-3677).
MySQL 5.1 before 5.1.49 allows remote authenticated users to cause
a denial of service (crash) via (1) IN or (2) CASE operations with
NULL arguments that are explicitly specified or indirectly provided
Details follow:
Gleb Napatov discovered that KVM did not correctly check certain privileged
operations. A local attacker with access to a guest kernel could exploit
this to crash the host system, leading to a denial of service.
(CVE-2010-0435)
Dave Chinner discovered that the XFS filesystem did not correctly order
inode lookups when exported by NFS. A remote attacker could exploit this to
read or write disk blocks that had changed file assignment or had become
web site (CVE-2011-2372).
Multiple unspecified vulnerabilities in the browser engine in Mozilla
Firefox before 3.6.23 and 4.x through 6, Thunderbird before 7.0,
and SeaMonkey before 2.4 allow remote attackers to cause a denial of
service (memory corruption and application crash) or possibly execute
arbitrary code via unknown vectors (CVE-2011-2995).
Multiple unspecified vulnerabilities in the browser engine in Mozilla
Firefox 6, Thunderbird before 7.0, and SeaMonkey before 2.4 allow
remote attackers to cause a denial of service (memory corruption and
Multiple security vulnerabilities have been discovered and corrected
in poppler:
An out-of-bounds reading flaw in the JBIG2 decoder allows remote
attackers to cause a denial of service (crash) via a crafted PDF file
(CVE-2009-0799).
Multiple input validation flaws in the JBIG2 decoder allow
remote attackers to execute arbitrary code via a crafted PDF file
(CVE-2009-0800).
---
.text:1000120B push 0
.text:1000120D push 1000h
.text:10001212 mov eax, [ebp+SystemBuffer] ; EAX CAN BE NULL NOW
.text:10001215 mov ecx, [eax+8] ; CRASH HERE!
.text:10001218 push ecx
.text:10001219 push 1
.text:1000121B mov edx, [ebp+SystemBuffer]
.text:1000121E mov eax, [edx] ; OR HERE!
.text:10001220 push eax
into auto-filling the form fields with history entries and then
reading the entries (CVE-2009-3370).
Security researcher Marco C. reported a flaw in the parsing of regular
expressions used in Proxy Auto-configuration (PAC) files. In certain
cases this flaw could be used by an attacker to crash a victim's
browser and run arbitrary code on their computer. Since this
vulnerability requires the victim to have PAC configured in their
environment with specific regular expressions which can trigger
the crash, the severity of the issue was determined to be moderate
(CVE-2009-3372).
SUMMARY
=======
In previous MIT krb5 releases krb5-1.5 through krb5-1.6.3, the
Kerberos administration daemon (kadmind) can crash due to referencing
freed memory. A legitimate user can trigger this crash by using a
newer version of the kadmin protocol than the server supports.
This is an implementation vulnerability in MIT krb5, and not a
vulnerability in the Kerberos protocol. This vulnerability is not
SUMMARY
=======
Integer underflow bugs in the AES and RC4 decryption operations of the
crypto library of the MIT Kerberos software can cause crashes, heap
corruption, or, under extraordinarily unlikely conditions, arbitrary
code execution. Only releases krb5-1.3 and later are vulnerable, as
earlier releases did not contain the functionality implemented by the
vulnerable code.
Problem Description:
Multiple integer overflows in the JBIG2 decoder in Xpdf 3.02pl2
and earlier, CUPS 1.3.9 and earlier, and other products allow
remote attackers to cause a denial of service (crash) via a
crafted PDF file, related to (1) JBIG2Stream::readSymbolDictSeg, (2)
JBIG2Stream::readSymbolDictSeg, and (3) JBIG2Stream::readGenericBitmap
(CVE-2009-0146, CVE-2009-0147).
Integer overflow in the TIFF image decoding routines in CUPS 1.3.9 and
The msn_slplink_process_msg function in
libpurple/protocols/msn/slplink.c in libpurple, as used in Pidgin
(formerly Gaim) before 2.5.9 and Adium 1.3.5 and earlier, allows
remote attackers to execute arbitrary code or cause a denial of service
(memory corruption and application crash) by sending multiple crafted
SLP (aka MSNSLP) messages to trigger an overwrite of an arbitrary
memory location. NOTE: this issue reportedly exists because of an
incomplete fix for CVE-2009-1376 (CVE-2009-2694).
Unspecified vulnerability in Pidgin 2.6.0 allows remote attackers
reading the entries (CVE-2009-3370).
Security researcher Orlando Berrera of Sec Theory reported that
recursive creation of JavaScript web-workers can be used to create a
set of objects whose memory could be freed prior to their use. These
conditions often result in a crash which could potentially be
used by an attacker to run arbitrary code on a victim's computer
(CVE-2009-3371).
This file crashes Nokia E90 too (*#0000# says 210.34.75,
12-04-2008, RA-6, Nokia E90 (16)). In fact, E90 uses exactly the same
platform as N95 (TI OMAP 2420) with same Symbian v9.2 (S60 v3 FP1), so the
crash was predictable.
I've tested on:
- Image browser -- by pressing [Open] in File Manager, so that the
application crashes immediately, and File Manager barking "Unable to
open file".