remote attackers to cause a denial of service and possibly to execute
arbitrary code via a crafted Postscript file (CVE-2008-6679).
Multiple integer overflows in Ghostscript's International Color
Consortium Format Library (icclib) allow attackers to cause a denial
of service (heap-based buffer overflow and application crash) and
possibly execute arbitrary code by using either a PostScript or PDF
file with crafted embedded images (CVE-2009-0583, CVE-2009-0584).
exploited to cause limited stack-based buffer overflows via an overly
long string passed as the 1st argument.
3) A boundary error in the Novell iPrint ActiveX control (ienipp.ocx)
when handling the "GetFileList()" method can be exploited to cause a
heap-based buffer overflow via an overly long argument.
4) Various boundary errors in nipplib.dll when e.g. creating a server
reference or interpreting a URI can be exploited to cause stack-based
and heap-based buffer overflows by e.g. passing an overly long string
as argument to the "GetServerVersion()", "GetResourceList()", or
Description
===========
iDefense Labs reported multiple vulnerabilities in OpenOffice.org:
* multiple heap-based buffer overflows when parsing the "Attribute"
and "Font" Description records of Quattro Pro (QPRO) files
(CVE-2007-5745),
* an integer overflow when parsing the EMR_STRETCHBLT record of an
EMF file, resulting in a heap-based buffer overflow (CVE-2007-5746),
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: Samba: Heap-based buffer overflow
Date: May 29, 2008
Bugs: #222299
ID: 200805-23
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
ClamAV 0.92 allowed local users to overwrite arbitrary files via
a symlink attack on temporary files or on .ascii files in sigtool,
when utf16-decode is enabled (CVE-2007-6595).
A heap-based buffer overflow in ClamAV 0.92.1 allowed remote attackers
to execute arbitrary code via a crafted PeSpin packed PE binary
(CVE-2008-0314).
An integer overflow in libclamav prior to 0.92.1 allowed remote
attackers to cause a denial of service and possibly execute arbitrary
Secunia Research has discovered some vulnerabilities in ACDSee
products, which can be exploited by malicious people to compromise a
user's system.
1) An input validation error within ID_PSP.apl when processing PSP
image files can be exploited to cause a heap-based buffer overflow via
a specially crafted PSP image file.
2) An integer overflow error within ID_PSP.apl when processing PSP
image files can be exploited to cause a heap-based buffer overflow via
a specially crafted PSP image file.
http://flac.sourceforge.net/format.html.
Vulnerability #1: Metadata Block Size Heap Overflow
The first notable vulnerability is the Metadata Block Size Overflow
vulnerability. Editing any Metadata Block Size value to a large value
such as 0xFFFFFFFF may result in a heap based overflow in the decoding
software.
Whenever vulnerable software opens or processes a malformed FLAC file, it
uses the size fields as reference points to allocate memory (malloc) and
writes the contents of the file into those memory buffers. Setting
these values to an overly large value, such as 0xFFFFFFFF, could cause a
buffer overflow (CVE-2007-1660). Further improper calculations of
memory boundaries were reported when matching certain input bytes
against regex patterns in non UTF-8 mode (CVE-2007-1661) and when
searching for unmatched brackets or parentheses (CVE-2007-1662).
Multiple integer overflows when processing escape sequences may lead to
invalid memory read operations or potentially cause heap-based buffer
overflows (CVE-2007-4766). PCRE does not properly handle "\P" and
"\P{x}" sequences which can lead to heap-based buffer overflows or
trigger the execution of infinite loops (CVE-2007-4767). PCRE is also
prone to an error when optimizing character classes containing a
singleton UTF-8 sequence which might lead to a heap-based buffer
===========
Several vulnerabilities were found in PHP. Mattias Bengtsson and Philip
Olausson reported integer overflows in the gdImageCreate() and
gdImageCreateTrueColor() functions of the GD library which can cause
heap-based buffer overflows (CVE-2007-3996). Gerhard Wagner discovered
an integer overflow in the chunk_split() function that can lead to a
heap-based buffer overflow (CVE-2007-2872). Its incomplete fix caused
incorrect buffer size calculation due to precision loss, also resulting
in a possible heap-based buffer overflow (CVE-2007-4661 and
CVE-2007-4660). A buffer overflow in the sqlite_decode_binary() of the
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: OpenOffice.org: Heap-based buffer overflow
Date: October 23, 2007
Bugs: #192818
ID: 200710-24
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Secunia Research has discovered three vulnerabilities in libgdiplus
for Mono, which can be exploited by malicious people to compromise an
application using the library.
1) An integer overflow error within the "gdip_load_tiff_image()"
function in src/tiffcodec.c can be exploited to cause a heap-based
buffer overflow by e.g. processing specially crafted TIFF images in
an application using the library.
2) An integer overflow error within the
"gdip_load_jpeg_image_internal()" function in src/jpegcodec.c can be
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: High
Title: Tor: Remote heap-based buffer overflow
Date: January 15, 2011
Bugs: #349312
ID: 201101-02
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://office.microsoft.com/en-us/powerpoint/default.aspx
II. DESCRIPTION
Remote exploitation of a heap-based buffer overflow vulnerability in
Microsoft Corp.'s PowerPoint could allow an attacker to execute
arbitrary code with the privileges of the current user.
The vulnerability occurs during the parsing of two related PowerPoint
record types. The first record type, the "LinkedSlideAtom" record, is
http://www.vmware.com/support/ws5/doc/ws_running_capture.html
II. DESCRIPTION
Remote exploitation of a heap-based buffer overflow vulnerability in
VMware Inc.'s movie decoder allows attackers to execute arbitrary code.
This vulnerability exists due to a lack of input validation when
processing certain specially crafted Audio-Video Interleave (AVI)
files. During processing, a heap buffer will be allocated based on one
which can be exploited by malicious people to potentially compromise a
user's system.
1) Three boundary errors in the Impulse Tracker parser when parsing
an instrument containing a column, panning, or pitch envelope with
more than ENVPOINTS (32) points can result in a heap-based buffer
overflow.
2) A boundary error in the Ultratracker parser when parsing a file
with more than UF_MAXCHAN (64) channels can result in a heap-based
buffer overflow.
Problem Description:
Security issues were identified and fixed in firefox 3.5.x:
Security researcher Alin Rad Pop of Secunia Research reported a
heap-based buffer overflow in Mozilla's string to floating point
number conversion routines. Using this vulnerability an attacker
could craft some malicious JavaScript code containing a very long
string to be converted to a floating point number which would result
in improper memory allocation and the execution of an arbitrary memory
location. This vulnerability could thus be leveraged by the attacker
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
A heap-based buffer overflow in the Newt library might allow remote,
user-assisted attackers to execute arbitrary code.
Background
==========
applications that use xulrunner, such as Epiphany, to effect the necessary
changes.
Details follow:
Alin Rad Pop discovered a heap-based buffer overflow in Firefox when it
converted strings to floating point numbers. If a user were tricked into
viewing a malicious website, a remote attacker could cause a denial of service
or possibly execute arbitrary code with the privileges of the user invoking the
program. (CVE-2009-1563)
After a standard system upgrade you need to restart your session to effect
the necessary changes.
Details follow:
Tobias Klein discovered a heap-based buffer overflow in libsndfile. If a
user or automated system processed a crafted VOC file, an attacker could
cause a denial of service via application crash, or possibly execute
arbitrary code with the privileges of the user invoking the program.
(CVE-2009-1788)
Problem Description:
Security issues were identified and fixed in firefox 3.0.x:
Security researcher Alin Rad Pop of Secunia Research reported a
heap-based buffer overflow in Mozilla's string to floating point
number conversion routines. Using this vulnerability an attacker
could craft some malicious JavaScript code containing a very long
string to be converted to a floating point number which would result
in improper memory allocation and the execution of an arbitrary memory
location. This vulnerability could thus be leveraged by the attacker
Integer overflow in the TIFF image decoding routines in CUPS 1.3.9 and
earlier allows remote attackers to cause a denial of service (daemon
crash) and possibly execute arbitrary code via a crafted TIFF image,
which is not properly handled by the (1) _cupsImageReadTIFF function
in the imagetops filter and (2) imagetoraster filter, leading to a
heap-based buffer overflow (CVE-2009-0163).
Integer overflow in the JBIG2 decoder in Xpdf 3.02pl2 and earlier,
as used in Poppler and other products, when running on Mac OS X,
has unspecified impact, related to g*allocn (CVE-2009-0165).
Problem Description:
Multiple vulnerabilities have been found and corrected in libsndfile:
Heap-based buffer overflow in voc_read_header in libsndfile 1.0.15
through 1.0.19, as used in Winamp 5.552 and possibly other media
programs, allows remote attackers to cause a denial of service
(application crash) and possibly execute arbitrary code via a VOC
file with an invalid header value (CVE-2009-1788).
Integer overflow in the ObjectStream::ObjectStream function in XRef.cc
in Xpdf 3.x before 3.02pl4 and Poppler before 0.12.1, as used in
GPdf, kdegraphics KPDF, CUPS pdftops, and teTeX, might allow remote
attackers to execute arbitrary code via a crafted PDF document that
triggers a heap-based buffer overflow (CVE-2009-3608).
Integer overflow in dvips in TeX Live 2009 and earlier, and teTeX,
allows remote attackers to cause a denial of service (application
crash) or possibly execute arbitrary code via a crafted virtual font
(VF) file associated with a DVI file (CVE-2010-0827).
We apologize for the inconvenience.
Original advisory details:
Alin Rad Pop discovered a heap-based buffer overflow in Firefox when it
converted strings to floating point numbers. If a user were tricked into
viewing a malicious website, a remote attacker could cause a denial of service
or possibly execute arbitrary code with the privileges of the user invoking the
program. (CVE-2009-1563)
Secunia Research has discovered two vulnerabilities in Ziproxy, which
can be exploited by malicious people to compromise a vulnerable
system.
1) An integer overflow within the "jpg2bitmap()" function in
src/image.c can be exploited to cause a heap-based buffer overflow via
specially crafted JPG images.
2) An integer overflow within the "png2bitmap()" function in
src/image.c can be exploited to cause a heap-based buffer overflow via
specially crafted PNG images.
overflow when processing certain GET parameters. An attacker can use
this to execute arbitrary code on the server via crafted id parameters.
CVE-2009-0840
An integer overflow leading to a heap-based buffer overflow when
processing the Content-Length header of an HTTP request can be used by an
attacker to execute arbitrary code via crafted POST requests containing
negative Content-Length values.
CVE-2009-2281
Problem Description:
Security issues were identified and fixed in firefox 3.0.x:
Security researcher Alin Rad Pop of Secunia Research reported a
heap-based buffer overflow in Mozilla's string to floating point
number conversion routines. Using this vulnerability an attacker
could craft some malicious JavaScript code containing a very long
string to be converted to a floating point number which would result
in improper memory allocation and the execution of an arbitrary memory
location. This vulnerability could thus be leveraged by the attacker
* Mike Wroe reported an unspecified vulnerability, related to
"privilege escalation" (CVE-2009-1863).
* An anonymous researcher through iDefense reported an unspecified
heap-based buffer overflow (CVE-2009-1864).
* Chen Chen of Venustech reported an unspecified "null pointer
vulnerability" (CVE-2009-1865).
* Chen Chen of Venustech reported an unspecified stack-based buffer
http://www.debian.org/security/ Nico Golde
August 7th, 2009 http://www.debian.org/security/faq
- --------------------------------------------------------------------------
Package : memcached
Vulnerability : heap-based buffer overflow
Problem type : remote
Debian-specific: no
CVE ID : CVE-2009-2415
Ronald Volgers discovered that memcached, a high-performance memory object
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple integer overflows, leading to heap-based buffer overflows in
the Subversion client and server might allow remote attackers to
execute arbitrary code.
Background
==========