off/by/one error
Problem type : remote
Debian-specific: no
CVE Id(s) : CVE-2007-4091
Sebastian Krahmer discovered that rsync, a fast remote file copy program,
contains an off-by-one error which might allow remote attackers to execute
arbitrary code via long directory names.
For the stable distribution (etch), this problem has been fixed in version
2.6.9-2etch1.
1 media-libs/libpng < 1.2.21-r3 >= 1.2.21-r3
Description
===========
An off-by-one error when handling ICC profile chunks in the
png_set_iCCP() function was discovered (CVE-2007-5266). George Cook and
Jeff Phillips reported several errors in pngrtran.c, the use of logical
instead of bitwise functions, and incorrect comparisons
(CVE-2007-5268). Tavis Ormandy reported out-of-bounds read errors in
several PNG chunk handling functions (CVE-2007-5269).
and (b) the gxsnmp package; does not properly validate length values
during decoding of ASN.1 BER data, which allows remote attackers
to cause a denial of service (crash) or execute arbitrary code via
(1) a length greater than the working buffer, which can lead to an
unspecified overflow; (2) an oid length of zero, which can lead to
an off-by-one error; or (3) an indefinite length for a primitive
encoding. (CVE-2008-1673)
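The three length conditions listed for CVE-2008-1673 above, as an added example that is not the kernel's or gxsnmp's decoder: a BER tag-length-value header reader that rejects (1) a length larger than the remaining working buffer, (2) a zero-length OID, whose decoder would otherwise walk `len - 1` trailing octets with `len - 1` underflowed, and (3) an indefinite length on a primitive encoding, followed by an OID sub-identifier decoder that relies on those checks. The function and status names and the sample encodings are constructed for this illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define BER_CONSTRUCTED 0x20   /* bit 6 of the identifier octet */
#define BER_TAG_OID     0x06

/* Status names are assumptions made for this example. */
enum ber_status {
    BER_OK = 0,
    BER_TRUNCATED,             /* header itself runs past the buffer */
    BER_LEN_EXCEEDS_BUFFER,    /* (1) length larger than the working buffer */
    BER_EMPTY_OID,             /* (2) OID with zero content octets */
    BER_INDEFINITE_PRIMITIVE,  /* (3) indefinite length on a primitive encoding */
    BER_UNSUPPORTED_TAG        /* multi-octet tag numbers are not handled here */
};

struct ber_tlv {
    uint8_t tag;               /* identifier octet */
    bool indefinite;
    size_t len;                /* content length, 0 when indefinite */
    const uint8_t *value;      /* first content octet */
};

/* Parse one TLV header from buf[0..avail). On BER_OK, value..value+len lies
 * inside the buffer, so callers may index the contents without re-checking. */
static enum ber_status ber_read_tlv(const uint8_t *buf, size_t avail, struct ber_tlv *out)
{
    size_t pos = 0, len = 0;
    bool indefinite = false;
    uint8_t tag, first;

    if (avail < 2)
        return BER_TRUNCATED;
    tag = buf[pos++];
    if ((tag & 0x1f) == 0x1f)
        return BER_UNSUPPORTED_TAG;
    first = buf[pos++];
    if (first == 0x80) {                       /* indefinite form */
        if (!(tag & BER_CONSTRUCTED))
            return BER_INDEFINITE_PRIMITIVE;   /* check (3) */
        indefinite = true;
    } else if (first & 0x80) {                 /* long form: low 7 bits = octet count */
        size_t n = first & 0x7f;
        if (n > sizeof len)                    /* cannot fit in any buffer we hold */
            return BER_LEN_EXCEEDS_BUFFER;
        if (avail - pos < n)
            return BER_TRUNCATED;
        for (size_t i = 0; i < n; i++)
            len = (len << 8) | buf[pos++];
    } else {
        len = first;                           /* short form */
    }
    if (!indefinite && len > avail - pos)
        return BER_LEN_EXCEEDS_BUFFER;         /* check (1) */
    if (tag == BER_TAG_OID && len == 0)
        return BER_EMPTY_OID;                  /* check (2) */
    out->tag = tag;
    out->indefinite = indefinite;
    out->len = len;
    out->value = buf + pos;
    return BER_OK;
}

/* Decode an OID's sub-identifiers into subids[]; returns the count or -1.
 * The first content octet packs the first two sub-identifiers; the walk over
 * the remaining len - 1 octets is only safe because len == 0 was refused. */
static int ber_decode_oid(const struct ber_tlv *t, uint32_t *subids, size_t max)
{
    size_t n = 0;
    uint32_t acc = 0;
    bool pending = false;

    if (t->tag != BER_TAG_OID || t->indefinite || t->len == 0 || max < 2)
        return -1;
    subids[n++] = t->value[0] >= 80 ? 2 : t->value[0] / 40;
    subids[n++] = t->value[0] >= 80 ? t->value[0] - 80 : t->value[0] % 40;
    for (size_t i = 1; i < t->len; i++) {      /* base-128, high bit = continue */
        acc = (acc << 7) | (t->value[i] & 0x7f);
        pending = (t->value[i] & 0x80) != 0;
        if (!pending) {
            if (n >= max)
                return -1;
            subids[n++] = acc;
            acc = 0;
        }
    }
    return pending ? -1 : (int)n;
}

static enum ber_status ber_check(const uint8_t *buf, size_t avail)
{
    struct ber_tlv t;
    return ber_read_tlv(buf, avail, &t);
}

/* Sample encodings constructed for this example (not captured traffic). */
static const uint8_t sample_oid[]        = { 0x06, 0x05, 0x2b, 0x06, 0x01, 0x02, 0x01 }; /* 1.3.6.1.2.1 */
static const uint8_t sample_empty_oid[]  = { 0x06, 0x00 };
static const uint8_t sample_overlong[]   = { 0x04, 0x10, 'a', 'b' };       /* claims 16 octets, has 2 */
static const uint8_t sample_indef_prim[] = { 0x04, 0x80, 0x00, 0x00 };     /* primitive + indefinite */
static const uint8_t sample_indef_seq[]  = { 0x30, 0x80, 0x00, 0x00 };     /* constructed + indefinite */

/* Decode sample_oid end to end; returns 6 (sub-identifier count) or -1. */
static int sample_oid_subids(uint32_t *subids, size_t max)
{
    struct ber_tlv t;
    if (ber_read_tlv(sample_oid, sizeof sample_oid, &t) != BER_OK)
        return -1;
    return ber_decode_oid(&t, subids, max);
}
```

Check (2) is the one that turns into an off-by-one: a zero length passes a plain "length fits in the buffer" test, and the OID walker then treats `len - 1` as its octet count. End-of-contents handling for an accepted indefinite-length constructed element is left to the caller.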
Linux kernel 2.6.18, and possibly other versions, when running on
AMD64 architectures, allows local users to cause a denial of service
(crash) via certain ptrace calls. (CVE-2008-1615)
remote attackers to cause a denial of service (application crash)
via a PDF document containing a crafted Type 1 font that triggers an
invalid memory write, a different vulnerability than CVE-2011-0764
(CVE-2011-1553).
Off-by-one error in t1lib 5.1.2 and earlier allows remote attackers
to cause a denial of service (application crash) via a PDF document
containing a crafted Type 1 font that triggers an invalid memory
read, integer overflow, and invalid pointer dereference, a different
vulnerability than CVE-2011-0764 (CVE-2011-1554).
===========
regenrecht reported multiple infinite loops in functions ReadDCMImage()
and ReadXCFImage() (CVE-2007-4985), multiple integer overflows when
handling certain types of images (CVE-2007-4986, CVE-2007-4988), and an
off-by-one error in the ReadBlobString() function (CVE-2007-4987).
Impact
======
A remote attacker could entice a user to open a specially crafted
authentication and authenticated denial of existence to resolvers.
II. Problem Description
Very large RRSIG RRsets included in a negative response can trigger
an assertion failure that will crash named(8) due to an off-by-one error
in a buffer size check.
III. Impact
If named(8) is being used as a recursive resolver, an attacker who
users to bypass certain security restrictions (SA26642).
- Includes fixes for CVE-2007-3996, CVE-2007-3378 and CVE-2007-3997.
rsync < TSL 3.0.5 > < TSL 3.0 > < TSL 2.2 > < TSEL 2>
- SECURITY Fix: Sebastian Krahmer has reported a vulnerability in
rsync, caused due to an off-by-one error within the "f_name()"
function in flist.c. This can be exploited to cause a one-byte
stack-based buffer overflow via an overly long directory name.
The Common Vulnerabilities and Exposures project has assigned the
name CVE-2007-4091 to this issue.
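The one-byte stack overflow described in the Trustix entry above, shown as an added example that is not rsync's f_name() code: a path-joining routine whose length check counts the characters but not the terminating NUL, beside the corrected check. The buffer size PATHBUF, the function names and the canary byte are assumptions made for this illustration; the canary slot stands in for whatever the compiler placed after the buffer on the stack in a real program.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Path buffer size, shrunk from a real MAXPATHLEN so the boundary is easy to
 * hit with short strings (assumption for this example). */
#define PATHBUF 16
#define CANARY  0x5a

/* Assemble dir + "/" + name into out, which holds PATHBUF bytes.
 * Vulnerable variant: a path of exactly PATHBUF characters passes the check,
 * and the terminating NUL is then written one byte past the end of out. */
static int join_vuln(char *out, const char *dir, const char *name)
{
    size_t dl = strlen(dir), nl = strlen(name);

    if (dl + 1 + nl > PATHBUF)          /* off by one: should be >= PATHBUF */
        return -1;
    memcpy(out, dir, dl);
    out[dl] = '/';
    memcpy(out + dl + 1, name, nl);
    out[dl + 1 + nl] = '\0';            /* index PATHBUF when the check is fooled */
    return 0;
}

/* Corrected variant: the check reserves one byte for the NUL. */
static int join_fixed(char *out, const char *dir, const char *name)
{
    size_t dl = strlen(dir), nl = strlen(name);

    if (dl + 1 + nl >= PATHBUF)         /* dl + 1 + nl + 1 bytes must fit */
        return -1;
    memcpy(out, dir, dl);
    out[dl] = '/';
    memcpy(out + dl + 1, name, nl);
    out[dl + 1 + nl] = '\0';
    return 0;
}

typedef int (*joiner_fn)(char *, const char *, const char *);

enum join_result { JOIN_REJECTED, JOIN_CLEAN, JOIN_OVERFLOWED };

/* Run a joiner against a PATHBUF-byte buffer followed by one canary byte and
 * report what happened. The extra byte is allocated here so the demonstration
 * stays within defined behaviour; in a real program that byte is whatever
 * follows the buffer on the stack. */
static enum join_result run_join(joiner_fn join, const char *dir, const char *name)
{
    char buf[PATHBUF + 1];

    memset(buf, 0, sizeof buf);
    buf[PATHBUF] = CANARY;
    if (join(buf, dir, name) != 0)
        return JOIN_REJECTED;
    return buf[PATHBUF] == (char)CANARY ? JOIN_CLEAN : JOIN_OVERFLOWED;
}

int main(void)
{
    /* 8 + 1 + 7 = 16 characters: exactly PATHBUF, leaving no room for the NUL. */
    const char *dir = "abcdefgh", *name = "ijklmno";
    static const char *const verdict[] = { "rejected", "clean", "OVERFLOWED" };

    printf("join_vuln : %s\n", verdict[run_join(join_vuln, dir, name)]);
    printf("join_fixed: %s\n", verdict[run_join(join_fixed, dir, name)]);
    return 0;
}
```

The difference between `>` and `>=` is the whole bug: with the canary slot removed, the stray NUL lands on whatever sits after the buffer, which is why the advisory calls it a one-byte stack-based overflow rather than an arbitrary-length one.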
Problem Description:
Multiple vulnerabilities have been discovered and corrected in libxml2:
Off-by-one error in libxml allows remote attackers to execute arbitrary
code or cause a denial of service (heap-based buffer overflow and
application crash) via a crafted web site (CVE-2011-0216).
libxml2 allows remote attackers to cause a denial of service
(out-of-bounds read) via unspecified vectors (CVE-2011-3905).
An integer overflow vulnerability was reported by iDefense with clamav
when parsing Portable Executable (PE) files packed in the MEW format.
This could be exploited to cause a heap-based buffer overflow
(CVE-2007-6335).
Toeroek Edwin reported an off-by-one error when decompressing MS-ZIP
compressed CAB files (CVE-2007-6336).
As well, an unspecified vulnerability related to the bzip2
decompression algorithm was also discovered (CVE-2007-6337).
Multiple integer overflows were reported by the Google Security Team
that had been fixed in Python 2.5.2 (CVE-2008-3143).
Justin Ferguson reported a number of integer overflows and underflows
in the PyOS_vsnprintf() function, as well as an off-by-one error
when passing zero-length strings, that led to memory corruption
(CVE-2008-3144).
The updated packages have been patched to correct these issues.
As well, Python packages on Corporate Server 4 have been updated to
Operations within the Bounds of a Memory Buffer (CWE-119)
Remote: Yes
Discovered by: Patroklos Argyroudis
We have discovered a remotely exploitable "improper input validation"
vulnerability in the CoreHTTP web server that leads to an off-by-one
stack buffer overflow. The vulnerability can lead to denial of service
attacks against the web server and potentially to the remote execution
of arbitrary code with the privileges of the user running the server.
Details
Multiple unspecified vulnerabilities in pdf.c in libclamav in ClamAV
before 0.96.5 allow remote attackers to cause a denial of service
(application crash) or possibly execute arbitrary code via a crafted
PDF document (CVE-2010-4260, CVE-2010-4479).
Off-by-one error in the icon_cb function in pe_icons.c in libclamav
in ClamAV before 0.96.5 allows remote attackers to cause a denial of
service (memory corruption and application crash) or possibly execute
arbitrary code via unspecified vectors. NOTE: some of these details
are obtained from third party information (CVE-2010-4261).
=============================================================================
FreeBSD-SA-10:05.opie Security Advisory
The FreeBSD Project
Topic: OPIE off-by-one stack overflow
Category: contrib
Module: contrib_opie
Announced: 2010-05-27
Credits: Maksymilian Arciemowicz and Adam Zabrocki
user or automated system were tricked into opening a crafted PNG image, an
attacker could cause a denial of service via application crash, or possibly
execute arbitrary code with the privileges of the user invoking the program.
This issue did not affect Ubuntu 8.10. (CVE-2008-1382)
Harald van Dijk discovered an off-by-one error in libpng. An attacker
could cause an application crash in programs using pngtest. (CVE-2008-3964)
It was discovered that libpng did not properly NULL terminate a keyword
string. An attacker could exploit this to set arbitrary memory locations to
zero. (CVE-2008-5907)
===========
Wireshark doesn't properly handle chunked encoding in HTTP responses
(CVE-2007-3389), iSeries capture files (CVE-2007-3390), certain types
of DCP ETSI packets (CVE-2007-3391), and SSL or MMS packets
(CVE-2007-3392). An off-by-one error has been discovered in the
DHCP/BOOTP dissector when handling DHCP-over-DOCSIS packets
(CVE-2007-3393).
Impact
======
Problem Description:
A vulnerability has been found and corrected in irssi:
Off-by-one error in the event_wallops function in
fe-common/irc/fe-events.c in irssi 0.8.13 allows remote IRC servers
to cause a denial of service (crash) via an empty command, which
triggers a one-byte buffer under-read and a one-byte buffer underflow
(CVE-2009-1959).
1 dev-libs/openssl < 0.9.8e-r3 >= 0.9.8e-r3
Description
===========
Moritz Jodeit reported an off-by-one error in the
SSL_get_shared_ciphers() function, resulting from an incomplete fix of
CVE-2006-3738. A flaw has also been reported in the
BN_from_montgomery() function in crypto/bn/bn_mont.c when performing
Montgomery multiplication.
Affected: 2008.0, 2008.1, 2009.0, Corporate 3.0, Corporate 4.0
_______________________________________________________________________
Problem Description:
An off-by-one error was found in ClamAV versions prior to 0.94.1 that
could allow remote attackers to cause a denial of service or possibly
execute arbitrary code via a crafted VBA project file (CVE-2008-5050).
Other bugs have also been corrected in 0.94.1 which is being provided
with this update.
b) Disable DTLS.
Vulnerability B
---------------
Moritz Jodeit found an off-by-one error in SSL_get_shared_ciphers(), a
function that should normally only be used for logging or debugging.
The impact of this overflow is unclear.
This vulnerability is tracked as CVE-2007-5135.
Problem Description:
A vulnerability has been found and corrected in perl-Compress-Raw-Bzip:
Off-by-one error in the bzinflate function in Bzip2.xs in
the Compress-Raw-Bzip2 module before 2.018 for Perl allows
context-dependent attackers to cause a denial of service (application
hang or crash) via a crafted bzip2 compressed stream that triggers
a buffer overflow, a related issue to CVE-2009-1391 (CVE-2009-1884).
The first vulnerability occurs when parsing Printer Font Binary (PFB)
format font files. PFB files contain various data structures, some of
which are stored in a tabular format. When parsing tables, the code
doesn't correctly validate a value used as an array index into a heap
buffer. The calculation contains an off-by-one error, which can result
in a heap overflow.
The second vulnerability occurs when parsing TrueType Font (TTF) font
files. TrueType font files contain "font programs" that are executed in
a TrueType virtual machine. One of the instructions in the instruction
user could cause a system crash by crafting a malicious binary
which makes o32 syscalls with a number less than 4000.
CVE-2008-5702
Zvonimir Rakamaric reported an off-by-one error in the ib700wdt
watchdog driver which allows local users to cause a buffer
underflow by making a specially crafted WDIOC_SETTIMEOUT ioctl
call.
CVE-2009-0028
necessary changes.
Details follow:
Philipp Thomas discovered that the ppscan function of nasm contained
an off-by-one error. If a user or automated system were tricked into
assembling a specially crafted ASM file, a remote attacker could execute
arbitrary commands with user privileges.
Updated packages for Ubuntu 8.04 LTS:
Description
===========
Andy Polyakov reported a vulnerability in the OpenSSL toolkit, that is
caused due to an unspecified off-by-one error within the DTLS
implementation.
Impact
======
* kcope reported that the expat XML parser in xml/apr_xml.c does not
limit the amount of XML entities expanded recursively
(CVE-2009-1955).
* C. Michael Pilato reported an off-by-one error in the
apr_brigade_vprintf() function in buckets/apr_brigade.c
(CVE-2009-1956).
Impact
======
CVE-2011-1553
A use-after-free vulnerability results in an application
crash, triggered by crafted Type 1 fonts.
CVE-2011-1554
An off-by-one error results in an invalid memory read and
application crash, triggered by crafted Type 1 fonts.
For the oldstable distribution (lenny), this problem has been fixed in
version 5.1.2-3+lenny1.
2007b allows remote SMTP servers to cause a denial of service (NULL
pointer dereference and application crash) by responding to the QUIT
command with a close of the TCP connection instead of the expected
221 response code (CVE-2008-5006).
Off-by-one error in the rfc822_output_char function in the RFC822BUFFER
routines in the University of Washington (UW) c-client library, as
used by the UW IMAP toolkit before imap-2007e and other applications,
allows context-dependent attackers to cause a denial of service (crash)
via an e-mail message that triggers a buffer overflow (CVE-2008-5514).
cause a denial of service (memory consumption) via a crafted XML
document containing a large number of nested entity references, as
demonstrated by a PROPFIND request, a similar issue to CVE-2003-1564
(CVE-2009-1955).
Off-by-one error in the apr_brigade_vprintf function in Apache APR-util
before 1.3.5 on big-endian platforms allows remote attackers to obtain
sensitive information or cause a denial of service (application crash)
via crafted input (CVE-2009-1956).
Packages for 2008.0 are being provided due to extended support for
which triggers a heap-based buffer overflow. It only affects the
oldstable distribution (etch).
CVE-2007-4987
Off-by-one error allows context-dependent attackers to execute arbitrary
code via a crafted image file, which triggers the writing of a '\0'
character to an out-of-bounds address. It affects only the oldstable
distribution (etch).
CVE-2007-4988