Tavis Ormandy
Dave Chinner discovered that the XFS filesystem did not correctly order
inode lookups when exported by NFS. A remote attacker could exploit this to
read or write disk blocks that had changed file assignment or had become
unlinked, leading to a loss of privacy. (CVE-2010-2943)
Tavis Ormandy discovered that the IRDA subsystem did not correctly shut
down. A local attacker could exploit this to cause the system to crash
or possibly gain root privileges. (Ubuntu 10.10 was not affected.)
(CVE-2010-2954)
Brad Spengler discovered that the wireless extensions did not correctly
Sergey Vlasov discovered that JFS did not correctly handle certain extended
attributes. A local attacker could bypass namespace access rules, leading
to a loss of privacy. (CVE-2010-2946)
Tavis Ormandy discovered that the IRDA subsystem did not correctly shut
down. A local attacker could exploit this to cause the system to crash or
possibly gain root privileges. (CVE-2010-2954)
Brad Spengler discovered that the wireless extensions did not correctly
validate certain request sizes. A local attacker could exploit this to read
Ben Hawkes discovered that the Linux kernel did not correctly validate
memory ranges on 64bit kernels when allocating memory on behalf of 32bit
system calls. On a 64bit system, a local attacker could perform malicious
multicast getsockopt calls to gain root privileges. (CVE-2010-3081)
credential validation. This issue is also tracked as CVE-2007-6601,
since the initial upstream fix was incomplete.
CVE-2007-4769
Tavis Ormandy and Will Drewry discovered that a bug in the handling
of back-references inside the regular expressions engine could lead
to an out-of-bounds read, resulting in a crash. This constitutes a
security problem only if an application using PostgreSQL processes
regular expressions from untrusted sources.
back?
Since June 5th have you tried emailing back or any of your contacts from
past interactions and asked what was up? I'm disappointed in this lack
of communication I see on both sides. You are ...well... Tavis
Ormandy... I seriously doubt MSRC is blowing you off here.
Keep in mind we just had a LARGE patch week to deal with. I don't know
what was going on on their side, nor making excuses as I don't know what
communication you've had in the past and had on this issue ... I'm just
saying I would have spent a little more time getting mad at them and
Hey, just wanted to say that my default installation of Windows 7 doesn't seem vulnerable; no hcp protocol handler. Just thought some people would like to take note :)
----- Original Message ----
From: Tavis Ormandy <taviso@cmpxchg8b.com>
To: full-disclosure@lists.grok.org.uk
Cc: bugtraq@securityfocus.com
Sent: Wed, June 9, 2010 4:46:21 PM
Subject: Microsoft Windows Help Centre Handles Malformed Escape Sequences Incorrectly
Affected: 2007.0, 2007.1, Corporate 4.0
_______________________________________________________________________
Problem Description:
Tavis Ormandy discovered a heap overflow flaw during video-to-video
copy operations in the Cirrus VGA extension code that is used in Xen.
A malicious local administrator of a guest domain could potentially
trigger this flaw and execute arbitrary code outside of the domain
(CVE-2007-1320).
#include <stdlib.h>
#include <string.h>
//
// BSD IPComp Kernel Stack Overflow Testcase
// -- Tavis Ormandy <taviso@cmpxchg8b.com>, March 2011
//
#define MAX_PACKET_SIZE (1024 * 1024 * 32)
#define MAX_ENCAP_DEPTH 1024
I've released an exploit for the Linux sock_sendpage() NULL pointer
dereference[1], discovered by Tavis Ormandy and Julien Tinnes. This exploit
was written to illustrate the exploitability of this vulnerability on
Power/Cell BE architecture.
The exploit makes use of the SELinux and the mmap_min_addr problem to exploit
this vulnerability on Red Hat Enterprise Linux 5.3 and CentOS 5.3. The
problem, first noticed by Brad Spengler, was described by Red Hat in Red Hat
Knowledgebase article: Security-Enhanced Linux (SELinux) policy and the
mmap_min_addr protection[2].
overflow condition may allow local users to cause a denial of service
or gain elevated privileges.
CVE-2010-2954
Tavis Ormandy reported an issue in the irda subsystem which may allow
local users to cause a denial of service via a NULL pointer dereference.
CVE-2010-3078
Dan Rosenberg discovered an issue in the XFS file system that allows
<html>
<head><title>Testing HCP</title></head>
<body>
<h1>OK</h1>
<script>
// HCP:// Vulnerability, Tavis Ormandy, June 2010.
var asx = "http://lock.cmpxchg8b.com/b10a58b75029f79b5f93f4add3ddf992/simple.asx";
if (window.navigator.appName == "Microsoft Internet Explorer") {
// Internet Explorer
var o = document.createElement("OBJECT");
I'd honestly like to know if there is a break down in communication at
the MSRC that needs to be addressed. It appears there is one?
Tavis Ormandy wrote:
> Susan, this is what is called "full disclosure", and my response was
> relevant.
>
> I will not answer anymore uninformed questions on this topic.
>
-------------------
Credit
-----------------------
This bug was discovered by Tavis Ormandy.
-------------------
Greetz
-----------------------
Debian-specific: no
Debian bug : 526434
CVE ID : CVE-2009-1364
Tavis Ormandy discovered that the embedded GD library copy in libwmf,
a library to parse Windows metafiles (WMF), makes use of a pointer
after it was already freed. An attacker using a crafted WMF file can
cause a denial of service or possibly execute arbitrary code via
applications using this library.
HTML Version
----------
http://www.reversemode.com/index.php?option=com_content&task=view&id=67&Itemid=1
----------
Bye bye my little 0day :(, Tavis Ormandy did a great job uncovering a
big logic flaw within Java JRE. I discovered that bug and another that
affects every browser a few weeks ago and I posted the common "0day++" tweet.
The method in which Java Web Start support has been added to the JRE is
nothing less than a deliberately embedded backdoor (I really don't think so).
In general, a standard system upgrade is sufficient to effect the
necessary changes.
Details follow:
Tavis Ormandy and Yorick Koster discovered that PulseAudio did not
safely re-execute itself. A local attacker could exploit this to gain
root privileges.
Updated packages for Ubuntu 8.04 LTS:
1 app-arch/unzip < 5.52-r2 >= 5.52-r2
Description
===========
Tavis Ormandy of the Google Security Team discovered that the NEEDBITS
macro in the inflate_dynamic() function in the file inflate.c can be
invoked using invalid buffers, which can lead to a double free.
Impact
======
Nelson Elhage discovered that Econet did not correctly handle AUN packets
over UDP. A local attacker could send specially crafted traffic to crash
the system, leading to a denial of service. (CVE-2010-4342)
Tavis Ormandy discovered that the install_special_mapping function could
bypass the mmap_min_addr restriction. A local attacker could exploit this
to mmap 4096 bytes below the mmap_min_addr area, possibly improving the
chances of performing NULL pointer dereference attacks. (CVE-2010-4346)
Dan Rosenberg discovered that the OSS subsystem did not handle name
I'm not asking about disclosure. I'm asking what happened to the level
of communication between you and MSRC that after 4 days you posted this?
Tavis Ormandy wrote:
> Susan, I wish I had the time to hold your hand through getting up to
> speed on the disclosure debate. Instead, I would suggest starting with
> the links in my advisory which were intended to give you enough
> background to understand the issues involved (skip to the Notes section,
> if you like).
>
Problem type : local (remote)
Debian-specific: no
CVE Ids : CVE-2007-1659 CVE-2007-1660 CVE-2007-1661 CVE-2007-1662
CVE-2007-4766 CVE-2007-4767 CVE-2007-4768
Tavis Ormandy of the Google Security Team has discovered several
security issues in PCRE, the Perl-Compatible Regular Expression library,
which potentially allow attackers to execute arbitrary code by compiling
specially crafted regular expressions.
Version 7.0 of the PCRE library featured a major rewrite of the regular
Vulnerabilities and Exposures project identifies the following
problems:
CVE-2009-1895
Julien Tinnes and Tavis Ormandy reported an issue in the Linux
personality code. Local users can take advantage of a setuid
binary that can either be made to dereference a NULL pointer or
drop privileges and return control to the user. This allows a
user to bypass mmap_min_addr restrictions which can be exploited
to execute arbitrary code.
* Tavis Ormandy:
> Hello, I'd like to document what appears to be a common named
> misconfiguration that can result in a minor security issue with web
> applications.
Interesting, thanks.
I did some digging because I remembered a rule to put "localhost"
nodes into all zones. It turns out that this was once recommended by
1 media-sound/pulseaudio < 0.9.9-r54 >= 0.9.9-r54
Description
===========
Tavis Ormandy and Julien Tinnes of the Google Security Team discovered
that the pulseaudio binary is installed setuid root, and does not drop
privileges before re-executing itself. The vulnerability has
independently been reported to oCERT by Yorick Koster.
Impact
exploit this to gain "man" user privileges, potentially leading to further
privilege escalations. Default Ubuntu installations were not affected.
Original advisory details:
Tavis Ormandy discovered multiple flaws in the GNU C Library's handling
of the LD_AUDIT environment variable when running a privileged binary. A
local attacker could exploit this to gain root privileges. (CVE-2010-3847,
CVE-2010-3856)
Category: contrib
Module: openssl
Announced: 2012-05-03
Credits: Adam Langley, George Kadianakis, Ben Laurie,
Ivan Nestlerode, Tavis Ormandy
Affects: All supported versions of FreeBSD.
Corrected: 2012-05-03 15:25:11 UTC (RELENG_7, 7.4-STABLE)
2012-05-03 15:25:11 UTC (RELENG_7_4, 7.4-RELEASE-p7)
2012-05-03 15:25:11 UTC (RELENG_8, 8.3-STABLE)
2012-05-03 15:25:11 UTC (RELENG_8_3, 8.3-RELEASE-p1)
Affected: 2007.1
_______________________________________________________________________
Problem Description:
Multiple vulnerabilities were discovered by Tavis Ormandy and
Will Drewry in the way that pcre handled certain malformed regular
expressions. If an application linked against pcre, such as Konqueror,
parses a malicious regular expression, it could lead to the execution
of arbitrary code as the user running the application.
1 dev-util/valgrind < 3.4.0 >= 3.4.0
Description
===========
Tavis Ormandy reported that Valgrind loads a .valgrindrc file in the
current working directory, executing commands specified there.
Impact
======