Google Security Team
X. DISCLOSURE TIMELINE
-------------------------
Sep 7, 2009 12:09 PM: Vulnerability reported to Google and Opera Security
Teams.
Sep 7, 2009 12:10 PM: Automated Response from Google Security Team.
Sep 7, 2009 03:49 PM: First Status update provided by Google Security Team.
Quick response for a holiday.
Sep 8, 2009 01:09 AM: First Status update provided by Opera Security Team.
Vulnerability concluded as design feature.
Sep 8, 2009 03:28 PM: Vulnerability confirmed by Google Chrome Security
This vulnerability was discovered by
Inferno (inferno {at} securethoughts {dot} com)
X. DISCLOSURE TIMELINE
-------------------------
Oct 5, 2009 12:14 AM: Vulnerability reported to Google Security Team.
Oct 6, 2009 11:19 AM: Automated Response from Google Security Team.
Oct 6, 2009 01:46 PM: First Status update provided by Michal Zalewski.
Vulnerability confirmed.
Oct 6, 2009 11:33 PM: Second Status update provided by Michal Zalewski. Code
Fix 1 checked in by Adam Barth.
manipulated to cause a buffer overflow (CVE-2008-5680).
* David Bloom discovered that unspecified "scripted URLs" are not
blocked during the feed preview (CVE-2008-5681).
* Robert Swiecki of the Google Security Team reported a Cross-site
scripting vulnerability (CVE-2008-5682).
* An unspecified vulnerability reveals random data (CVE-2008-5683).
* Tavis Ormandy of the Google Security Team reported a vulnerability
Anyway, the bug was resolved (without due credit) in about a month or two.
http://careers.yxxxx.com/pdfdownload.php?file=/../pdfdownload.php
This serves as a contrast to the prompt response that Google Security Team displayed.
Cheers
Nam
On 9 May 2009 02:03:15 -0000
(CVE-2008-1185, CVE-2008-1186).
* John Heasman of NGSSoftware discovered that the Java Plug-in does
not properly enforce the same origin policy (CVE-2008-1192).
* Chris Evans of the Google Security Team discovered multiple
unspecified vulnerabilities within the Java Runtime Environment Image
Parsing Library (CVE-2008-1193, CVE-2008-1194).
* Gregory Fleischer reported that web content fetched via the "jar:"
protocol was not subject to network access restrictions
Affected: 2007.0, 2007.1, 2008.0, Corporate 3.0, Corporate 4.0
_______________________________________________________________________
Problem Description:
A denial of service flaw was discovered by the Google Security Team
in the way libxml2 processes malformed XML content. This flaw could
cause the application to stop responding.
The updated packages have been patched to correct this issue.
_______________________________________________________________________
Problem type : local (remote)
Debian-specific: no
CVE Ids : CVE-2007-1659 CVE-2007-1660 CVE-2007-1661 CVE-2007-1662
CVE-2007-4766 CVE-2007-4767 CVE-2007-4768
Tavis Ormandy of the Google Security Team has discovered several
security issues in PCRE, the Perl-Compatible Regular Expression library,
which potentially allow attackers to execute arbitrary code by compiling
specially crafted regular expressions.
Version 7.0 of the PCRE library featured a major rewrite of the regular
overflows in a number of core modules (CVE-2008-2315).
Justin Ferguson reported multiple buffer overflows in unicode string
processing that affected 32-bit systems (CVE-2008-3142).
Multiple integer overflows were reported by the Google Security Team
that had been fixed in Python 2.5.2 (CVE-2008-3143).
Justin Ferguson reported a number of integer overflows and underflows
in the PyOS_vsnprintf() function, as well as an off-by-one error
when passing zero-length strings, that led to memory corruption
mathTeX, mathtex.zip (2009/07/13)
Credit: vulnerability report received from Chris Evans <cevans [at] google
[dot] com> (mimetex) and Damien Miller <djm [at] google [dot] com>
(mathtex), Google Security Team.
CVE: CVE-2009-1382 (mimetex), CVE-2009-1383 (mathtex)
Timeline:
1 media-sound/pulseaudio < 0.9.9-r54 >= 0.9.9-r54
Description
===========
Tavis Ormandy and Julien Tinnes of the Google Security Team discovered
that the pulseaudio binary is installed setuid root, and does not drop
privileges before re-executing itself. The vulnerability has
independently been reported to oCERT by Yorick Koster.
Impact
Topic: OpenSSL incorrectly checks for malformed signatures
Category: contrib
Module: openssl
Announced: 2009-01-07
Credits: Google Security Team
Affects: All FreeBSD releases
Corrected: 2009-01-07 21:03:41 UTC (RELENG_7, 7.1-STABLE)
2009-01-07 20:17:55 UTC (RELENG_7_1, 7.1-RELEASE-p1)
2009-01-07 20:17:55 UTC (RELENG_7_0, 7.0-RELEASE-p8)
2009-01-07 20:17:55 UTC (RELENG_6, 6.4-STABLE)
Vulnerability description:
OpenSSL 0.9.7l and 0.9.8d fixed a buffer overflow found in
the SSL_get_shared_ciphers() function reported by Tavis
Ormandy and Will Drewry of the Google Security Team.
Although this fix prevented the unlimited overflow of the
buffer, it still allowed an off-by-one buffer overflow to
happen, which could potentially still result in remote code
execution.
Affected: Corporate 3.0, Multi Network Firewall 2.0
_______________________________________________________________________
Problem Description:
Multiple integer overflows were reported by the Google Security Team
that had been fixed in Python 2.5.2 (CVE-2008-3143).
The Python packages on Corporate 3 have been updated to the latest
version 2.3.7, which corrects this issue.
_______________________________________________________________________
1 app-arch/unzip < 5.52-r2 >= 5.52-r2
Description
===========
Tavis Ormandy of the Google Security Team discovered that the NEEDBITS
macro in the inflate_dynamic() function in the file inflate.c can be
invoked using invalid buffers, which can lead to a double free.
Impact
======
tell the difference in the UI you are using, so it's understandable to
have missed these extra limits.
Thanks for taking the trouble to contact us, though.
Chris Evans, Google Security Team
On Fri, Jul 17, 2009 at 2:48 PM, ISecAuditors Security
Advisories<advisories@isecauditors.com> wrote:
1 dev-python/pycrypto < 2.0.1-r8 >= 2.0.1-r8
Description
===========
Mike Wiacek of the Google Security Team reported a buffer overflow in
the ARC2 module when processing a large ARC2 key length.
Impact
======
libmng zip archives >= 01010x
Firefox, N/A
Credit: vulnerability report received from Chris Evans <cevans [at] google
[dot] com>, Google Security Team.
CVE: CVE-2009-0723 (integer overflows), CVE-2009-0581 (memory leak),
CVE-2009-0733 (lack of upper-bound checks on size)
Timeline:
Affected: 2007.1, 2008.0, 2008.1
_______________________________________________________________________
Problem Description:
Tavis Ormandy of the Google Security Team discovered a heap-based
buffer overflow when compiling certain regular expression patterns.
This could be used by a malicious attacker by sending a specially
crafted regular expression to an application using the PCRE library,
resulting in the possible execution of arbitrary code or a denial of
service (CVE-2008-2371).
relation with original site.
Your position is similar to Mozilla's position. And because Mozilla declined
to fix this hole due to "lack of inheritance" between data: URI and the site
with redirector, and Chrome also has no such inheritance, I didn't send my
advisory directly to Google Security Team. And from your declining of this
vulnerability, I see that it's Google's official position about this issue.
I understand your and Mozilla's position, but I don't agree with you. And I
wrote enough (as I was thinking) arguments in my advisory, why it's
dangerous and why it needs to be fixed.
Lasso >= 2.2.2
ZXID N/A
Credit: Google Security Team (for the original OpenSSL issue).
CVE: CVE-2008-5077 (OpenSSL),
CVE-2009-0021 (NTP),
CVE-2009-0025 (BIND)
Topic: BIND DNSSEC incorrect checks for malformed signatures
Category: contrib
Module: bind
Announced: 2009-01-13
Credits: Google Security Team
Affects: All supported FreeBSD versions
Corrected: 2009-01-10 03:00:21 UTC (RELENG_7, 7.1-STABLE)
2009-01-13 21:19:27 UTC (RELENG_7_1, 7.1-RELEASE-p2)
2009-01-13 21:19:27 UTC (RELENG_7_0, 7.0-RELEASE-p9)
2009-01-10 04:30:27 UTC (RELENG_6, 6.4-STABLE)
(CVE-2008-1384).
A stack-based buffer overflow in the FastCGI SAPI in PHP has unknown
impact and attack vectors (CVE-2008-2050).
Tavis Ormandy of the Google Security Team discovered a heap-based
buffer overflow when compiling certain regular expression patterns.
This could be used by a malicious attacker by sending a specially
crafted regular expression to an application using the PCRE library,
resulting in the possible execution of arbitrary code or a denial of
service (CVE-2008-2371). PHP in Corporate Server 4.0 is affected by
Pango >= 1.24
(check with your package maintainer for backports)
Credit: Will Drewry, oCERT Team | Google Security Team.
Special thanks to Karl Tomlinson for extended analysis of the
impact on Firefox.
CVE: CVE-2009-1194
Problem Description:
A vulnerability has been found and corrected in pulseaudio:
Tavis Ormandy and Julien Tinnes of the Google Security Team discovered
that pulseaudio, when installed setuid root, does not drop privileges
before re-executing itself to achieve immediate bindings. This can
be exploited by a user who has write access to any directory on the
file system containing /usr/bin to gain local root access. The user
needs to exploit a race condition related to creating a hard link
1 media-libs/libvorbis < 1.2.1_rc1 >= 1.2.1_rc1
Description
===========
Will Drewry of the Google Security Team reported multiple
vulnerabilities in libvorbis:
* A zero value for "codebook.dim" is not properly handled, leading to
a crash, infinite loop or triggering an integer overflow
(CVE-2008-1419).
libpng version 1.2.27 and 1.0.33 are in beta and will be released on or about
April 26, 2008 according to libpng maintainer
libpng-1.2.27beta01
Credit: Tavis Ormandy, oCERT Team | Google Security Team
CVE: CVE-2008-1382
Timeline:
1 media-libs/libpng < 1.2.26-r1 >= 1.2.26-r1
Description
===========
Tavis Ormandy of the Google Security Team discovered that libpng does
not handle zero-length unknown chunks in PNG files correctly, which
might lead to memory corruption in applications that call
png_set_read_user_chunk_fn() or png_set_keep_unknown_chunks().
Impact
All users may mitigate this issue by upgrading to 3.0.3.
Community users of 2.5.x and earlier may also mitigate this issue by upgrading to 2.5.6.SEC02.
Subscription users of 2.5.x and earlier may also mitigate this issue by upgrading to 2.5.6.SEC02 or 2.5.7.SR01.
Credit:
The issue was discovered by Meder Kydyraliev, Google Security Team
References:
[1] http://www.springsource.com/security/spring-framework
An improper setting of the exception code on page faults may allow
for local privilege escalation on the guest operating system. This
vulnerability does not affect the host system.
VMware would like to thank Tavis Ormandy and Julien Tinnes of the
Google Security Team for reporting this issue to us.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2009-2267 to this issue.
The following table lists what action remediates the vulnerability