Off-by-one error
1. *Advisory Information*
Title: Novell iManager Multiple Vulnerabilities
Advisory Id: CORE-2010-0316
Advisory URL:
[http://www.coresecurity.com/content/novell-imanager-buffer-overflow-off-by-one-vulnerabilities]
Date published: 2010-06-23
Date of last update: 2010-06-23
Vendors contacted: Novell
Release mode: User release
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
A remotely exploitable off-by-one error leading to a heap overflow was
found in irssi which might result in the execution of arbitrary code.
Background
==========
CVE IDs : CVE-2011-2489 CVE-2011-2490 CVE-2010-1938
Debian Bugs : 631344 631345 584932
Sebastian Krahmer discovered that opie, a system that makes it simple to
use One-Time passwords in applications, is prone to a privilege
escalation (CVE-2011-2490) and an off-by-one error, which can lead to
the execution of arbitrary code (CVE-2011-2489). Adam Zabrocki and
Maksymilian Arciemowicz also discovered another off-by-one error
(CVE-2010-1938), which only affects the lenny version as the fix was
already included for squeeze.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
An off-by-one error in Compress::Raw::Zlib and Compress::Raw::Bzip2
might lead to a Denial of Service.
Background
==========
http://www.debian.org/security/ Noah Meyerhans
October 02, 2007
- ------------------------------------------------------------------------
Package : openssl
Vulnerability : off-by-one error/buffer overflow
Problem type : remote
Debian-specific: no
CVE Id(s) : CVE-2007-5135
Debian Bug : 444435
-----------------------------------------------------------------
ClamAV get_unicode_name() off-by-one buffer overflow
Copyright (c) 2008 Moritz Jodeit <moritz@jodeit.org> (2008/11/08)
-----------------------------------------------------------------
Application details:
From http://www.clamav.net/:
tricking a victim into opening crafted S3M files.
CVE-2011-2913
Hossein Lotfi of Secunia discovered that the CSoundFile::ReadAMS
function suffers from an off-by-one vulnerability that leads to
memory corruption. An attacker can exploit this flaw to potentially
execute arbitrary code by tricking a victim into opening crafted AMS
files.
CVE-2011-2914
http://www.debian.org/security/ Noah Meyerhans
October 10, 2007
- ------------------------------------------------------------------------
Package : openssl097, openssl096
Vulnerability : off-by-one error/buffer overflow
Problem type : remote
Debian-specific: no
CVE Id(s) : CVE-2007-5135
Debian Bug : 444435
Multiple Vendor ImageMagick Off-By-One Vulnerability
iDefense Security Advisory 09.19.07
http://labs.idefense.com/intelligence/vulnerabilities/
Sep 19, 2007
I. BACKGROUND
ImageMagick is a suite of image manipulation tools (animate, composite,
conjure, convert, display, identify, import, mogrify and montage) that
-----------------------------------------------------------------
OpenSSL SSL_get_shared_ciphers() off-by-one buffer overflow
Copyright (c) 2007 Moritz Jodeit <moritz@jodeit.org> (2007/09/27)
-----------------------------------------------------------------
Application details:
OpenSSL is a widely used open source implementation of the
SSL v2/v3 and TLS v1 protocols.
>
>Description
>===========
>
>Andy Polyakov reported a vulnerability in the OpenSSL toolkit, that is
>caused due to an unspecified off-by-one error within the DTLS
>implementation.
>
>Impact
>======
>
Problem Description:
A vulnerability has been found and corrected in perl-Compress-Raw-Zlib:
Off-by-one error in the inflate function in Zlib.xs in
Compress::Raw::Zlib Perl module before 2.017, as used in AMaViS,
SpamAssassin, and possibly other products, allows context-dependent
attackers to cause a denial of service (hang or crash) via a crafted
zlib compressed stream that triggers a heap-based buffer overflow,
as exploited in the wild by Trojan.Downloader-71014 in June 2009
Problem Description:
Multiple vulnerabilities were discovered in libpng:
An off-by-one error when handling ICC profile chunks in the
png_set_iCCP() function (CVE-2007-5266; only affects Mandriva Linux
2008.0).
George Cook and Jeff Phillips reported several errors in pngrtran.c,
such as the use of logical instead of bitwise functions and incorrect
and (b) the gxsnmp package; does not properly validate length values
during decoding of ASN.1 BER data, which allows remote attackers
to cause a denial of service (crash) or execute arbitrary code via
(1) a length greater than the working buffer, which can lead to an
unspecified overflow; (2) an oid length of zero, which can lead to an
off-by-one error; or (3) an indefinite length for a primitive encoding.
To update your kernel, please follow the directions located at:
http://www.mandriva.com/en/security/kernelupdate
cause a denial of service (memory consumption) via a crafted XML
document containing a large number of nested entity references, as
demonstrated by a PROPFIND request, a similar issue to CVE-2003-1564
(CVE-2009-1955).
Off-by-one error in the apr_brigade_vprintf function in Apache APR-util
before 1.3.5 on big-endian platforms allows remote attackers to obtain
sensitive information or cause a denial of service (application crash)
via crafted input (CVE-2009-1956).
The updated packages have been patched to prevent this.
1 app-antivirus/clamav < 0.94.2 >= 0.94.2
Description
===========
Moritz Jodeit reported an off-by-one error within the
get_unicode_name() function in libclamav/vba_extract.c when processing
VBA project files (CVE-2008-5050). Ilja van Sprundel reported an
infinite recursion error within the cli_check_jpeg_exploit() function
in libclamav/special.c when processing JPEG files (CVE-2008-5314).
Jüri Aedla discovered a heap-based buffer overflow that allows remote attackers
to cause a denial of service or possibly have unspecified other impact via
unknown vectors.
CVE-2011-0216:
An off-by-one error has been discovered that allows remote attackers to
execute arbitrary code or cause a denial of service.
CVE-2011-2821:
A memory corruption (double free) bug has been identified in libxml2's XPath
engine. Through it, an attacker may be able to cause a denial of
Summary
-------
The function countCENHeaders() in zip_util.c of the java.util.zip
implementation contains an off-by-one bug. The bug can be exploited via
corrupted ZIP files to cause an endless recursion. The endless recursion
results in a segmentation fault of the JVM.
The following assessment is based on the JDK sources available from
Oracle's website (jdk-6u23-fcs-src-b05-jrl-12_nov_2010.jar).
with WebGL when texImage2D uses JSVAL_TO_OBJECT on arbitrary
objects. This can lead to a crash on a maliciously crafted web
page. While there is no evidence that this is directly exploitable,
there is a possibility of remote code execution (CVE-2012-0478).
Mateusz Jurczyk of the Google Security Team discovered an off-by-one
error in the OpenType Sanitizer using the Address Sanitizer tool. This
can lead to an out-of-bounds read and execution of an uninitialized
function pointer during parsing and possible remote code execution
(CVE-2011-3062).
Problem Description:
Multiple vulnerabilities have been found and corrected in perl:
Off-by-one error in the decode_xs function in Unicode/Unicode.xs
in the Encode module before 2.44, as used in Perl before 5.15.6,
might allow context-dependent attackers to cause a denial of service
(memory corruption) via a crafted Unicode string, which triggers a
heap-based buffer overflow (CVE-2011-2939).
Problem Description:
A vulnerability has been identified and fixed in ISC BIND:
Off-by-one error in named in ISC BIND 9.x before 9.7.3-P1, 9.8.x
before 9.8.0-P2, 9.4-ESV before 9.4-ESV-R4-P1, and 9.6-ESV before
9.6-ESV-R4-P1 allows remote DNS servers to cause a denial of service
(assertion failure and daemon exit) via a negative response containing
large RRSIG RRsets (CVE-2011-1910).
http://www.debian.org/security/ Moritz Muehlenhoff
May 23, 2012 http://www.debian.org/security/faq
- -------------------------------------------------------------------------
Package : libxml2
Vulnerability : off-by-one
Problem type : remote
Debian-specific: no
CVE ID : CVE-2011-3102
Jueri Aedla discovered an off-by-one in libxml2, which could result in
2007b allows remote SMTP servers to cause a denial of service (NULL
pointer dereference and application crash) by responding to the QUIT
command with a close of the TCP connection instead of the expected
221 response code (CVE-2008-5006).
Off-by-one error in the rfc822_output_char function in the RFC822BUFFER
routines in the University of Washington (UW) c-client library, as
used by the UW IMAP toolkit before imap-2007e and other applications,
allows context-dependent attackers to cause a denial of service (crash)
via an e-mail message that triggers a buffer overflow (CVE-2008-5514).
address of the IP address given to inet_network() as a character string in
the dot-notation.
II. Problem Description
An off-by-one error in the inet_network() function could lead to memory
corruption with certain inputs.
III. Impact
For programs which pass untrusted data to inet_network(), an
1 media-video/motion < 3.2.10.1 >= 3.2.10.1
Description
===========
Nico Golde reported an off-by-one error within the read_client()
function in the webhttpd.c file, leading to a stack-based buffer
overflow. Stefan Cornelius (Secunia Research) reported a boundary error
within the same function, also leading to a stack-based buffer
overflow. Both vulnerabilities require that the HTTP Control interface
is enabled.
* Ryan Permeh reported that the init_request_info() function in
sapi/cgi/cgi_main.c does not properly consider operator precedence
when calculating the length of PATH_TRANSLATED (CVE-2008-0599).
* An off-by-one error in the metaphone() function may lead to memory
corruption.
* Maksymilian Arciemowicz of SecurityReason Research reported an
integer overflow, which is triggerable using printf() and related
functions (CVE-2008-1384).