Buffer underflow
-----Original Message-----
From: full-disclosure-bounces@lists.grok.org.uk [mailto:full-disclosure-bounces@lists.grok.org.uk] On Behalf Of J. Oquendo
Sent: Friday, April 01, 2011 10:52 AM
To: bugtraq@securityfocus.com
Cc: full-disclosure@lists.grok.org.uk
Subject: [Full-disclosure] Microsoft VISTA TCP/IP heap buffer underflow
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
http://www.debian.org/security/ Moritz Muehlenhoff
January 27, 2012 http://www.debian.org/security/faq
- -------------------------------------------------------------------------
Package : wireshark
Vulnerability : buffer underflow
Problem type : remote
Debian-specific: no
CVE ID : CVE-2011-3483 CVE-2012-0041 CVE-2012-0042 CVE-2012-0066
CVE-2012-0067 CVE-2012-0068
http://www.debian.org/security/ Nico Golde
September 14th, 2009 http://www.debian.org/security/faq
- --------------------------------------------------------------------------
Package : nginx
Vulnerability : buffer underflow
Problem type : remote
Debian-specific: no
CVE ID : CVE-2009-2629
Chris Ries discovered that nginx, a high-performance HTTP server, reverse
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Microsoft VISTA TCP/IP heap buffer underflow
Summary
- -----------------------------
Microsoft Device IO Control wrapped by an API shipping with Windows
Vista 32 bit and 64 bit contains a possibly exploitable, buffer
http://www.debian.org/security/ Moritz Muehlenhoff
January 29, 2012 http://www.debian.org/security/faq
- -------------------------------------------------------------------------
Package : icu
Vulnerability : buffer underflow
Problem type : remote
Debian-specific: no
CVE ID : CVE-2011-4599
It was discovered that a buffer overflow in the Unicode library ICU
Problem Description:
Multiple vulnerabilities have been found and corrected in libtiff:
Buffer underflow in the LZWDecodeCompat function in libtiff 3.8.2
allows context-dependent attackers to cause a denial of service (crash)
via a crafted TIFF image, a different vulnerability than CVE-2008-2327
(CVE-2009-2285).
Fix several places in tiff2rgba and rgb2ycbcr that were being careless
VULNERABILITY DETAILS
====================
When the data format field (offset 4 of the sample description table
extension) is 'RVZA' (Apple Video), it is possible to trigger a sign
extension vulnerability which leads to a buffer underflow.
The following is the faulty sign extended MOV:
MOVSX ECX,WORD PTR SS:[ESP+4C]
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0023
Description:
Previous versions of apr-util contain a vulnerability which can allow
remote attackers to crash an Apache HTTP Server by triggering a
heap-based buffer underflow. This vulnerability only exists when
.htaccess files are used, or when a module linked to libaprutil is used.
http://wiki.rpath.com/Advisories:rPSA-2009-0144
Copyright 2009 rPath, Inc.
corrupt map, it does require the attacker to manipulate heap memory into
a favorable state. The difficulty of this task has not been measured.
B. Heap-based Buffer Underflow (CVE-2009-0840)
Severity: Medium
By providing a specially-crafted POST request to the "mapserv" CGI
application, an out-of-bounds memory write can be triggered.
Specifically, by setting the "CONTENT_LENGTH" environment variable to
vulnerable software: BufferZone (all product versions) up to version 2.5 (latest)
type of vulnerability: DoS, potential privilege escalation
I found a vulnerability in BufferZone which allows an unprivileged user, and even malicious software running inside the BufferZone sandbox, to crash the system and potentially run arbitrary code with kernel privileges.
The issue is within the kernel driver redlight.sys, which does not properly validate the file buffer. Sending the IOCTL code FsSetVolumeInformation with subcode FsSetDirectoryInformation with a large buffer, but underreporting its size by at most 1024 bytes, results in a buffer underrun which might also lead to executing arbitrary code.
Since the RedLight device is also visible to sandboxed applications, it might allow sandboxed malware to escape the sandbox.
How to reproduce:
- get DC2.exe from the latest Windows Driver Kit
- install BufferZone
CVE-2008-5702
Zvonimir Rakamaric reported an off-by-one error in the ib700wdt
watchdog driver which allows local users to cause a buffer
underflow by making a specially crafted WDIOC_SETTIMEOUT ioctl
call.
CVE-2008-5713
Flavio Leitner discovered that a local user can cause a denial of
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple buffer underflow vulnerabilities in libTIFF may allow for the
remote execution of arbitrary code.
Background
==========
http://www.debian.org/security/ Thijs Kinkhorst
August 26, 2008 http://www.debian.org/security/faq
- ------------------------------------------------------------------------
Package : tiff
Vulnerability : buffer underflow
Problem type : local (remote)
Debian-specific: no
CVE Id(s) : CVE-2008-2327
Drew Yao discovered that libTIFF, a library for handling the Tagged Image
Problem Description:
Multiple vulnerabilities were discovered and corrected in python:
Buffer underflow in the rgbimg module in Python 2.5 allows remote
attackers to cause a denial of service (application crash) via a large
ZSIZE value in a black-and-white (aka B/W) RGB image that triggers
an invalid pointer dereference (CVE-2009-4134).
Integer overflow in rgbimgmodule.c in the rgbimg module in Python
CVE-2009-0028
Chris Evans discovered a situation in which a child process can
http://www.debian.org/security/ Moritz Muehlenhoff
January 27, 2012 http://www.debian.org/security/faq
- -------------------------------------------------------------------------
Package : qemu-kvm
Vulnerability : buffer underflow
Problem type : remote
Debian-specific: no
CVE ID : CVE-2012-0029
Nicolae Mogoreanu discovered a heap overflow in the emulated e1000e
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
A buffer underflow vulnerability in the request URI processing of nginx
might enable remote attackers to execute arbitrary code or cause a
Denial of Service.
Background
==========
Description
===========
Two vulnerabilities have been reported in libTIFF:
* wololo reported a buffer underflow in the LZWDecodeCompat()
function (CVE-2009-2285).
* Tielei Wang of ICST-ERCIS, Peking University reported two integer
overflows leading to heap-based buffer overflows in the tiff2rgba and
rgb2ycbcr tools (CVE-2009-2347).
===========
Multiple vulnerabilities have been discovered in the APR Utility
Library:
* Matthew Palmer reported a heap-based buffer underflow while
compiling search patterns in the apr_strmatch_precompile() function
in strmatch/apr_strmatch.c (CVE-2009-0023).
* kcope reported that the expat XML parser in xml/apr_xml.c does not
limit the amount of XML entities expanded recursively
A vulnerability has been found and corrected in irssi:
Off-by-one error in the event_wallops function in
fe-common/irc/fe-events.c in irssi 0.8.13 allows remote IRC servers
to cause a denial of service (crash) via an empty command, which
triggers a one-byte buffer under-read and a one-byte buffer underflow
(CVE-2009-1959).
This update provides fixes for this vulnerability.