Will Drewry
credential validation. This issue is also tracked as CVE-2007-6601,
since the initial upstream fix was incomplete.
CVE-2007-4769
Tavis Ormandy and Will Drewry discovered that a bug in the handling
of back-references inside the regular expressions engine could lead
to an out-of-bounds read, resulting in a crash. This constitutes a
security problem only if an application using PostgreSQL processes
regular expressions from untrusted sources.
Pango >= 1.24
(check with your package maintainer for backports)
Credit: Will Drewry, oCERT Team | Google Security Team.
Special thanks to Karl Tomlinson for extended analysis of the
impact on Firefox.
CVE: CVE-2009-1194
After a standard system upgrade you need to restart applications linked
against libicu, such as OpenOffice.org, to effect the necessary changes.
Details follow:
Will Drewry discovered that libicu did not properly handle '\0' when
processing regular expressions. If an application linked against libicu
processed a crafted regular expression, an attacker could execute
arbitrary code with privileges of the user invoking the program.
(CVE-2007-4770)
channel driver that uses RTP for media (CVE-2007-3762).
* Chris Clark and Zane Lackey (iSEC Partners) reported a NULL pointer
dereference in the IAX2 channel driver (chan_iax2) (CVE-2007-3763).
* Will Drewry (Google Security) reported a vulnerability in the
Skinny channel driver (chan_skinny), resulting in an overly large
memcpy (CVE-2007-3764).
* Will Drewry (Google Security) reported a vulnerability in the IAX2
channel driver (chan_iax2), that does not correctly handle
xine-lib >= 1.1.15 [*]
* - see analysis text for more detail on fixes
Credit: Will Drewry, oCERT Team | Google Security Team.
CVE: TBD
Timeline:
2008-04-30: vendor contacts oCERT asking patch analysis
in the context of the misconfigured domain. This would also affect users
who connect via a shared caching http proxy machine, that also hosts an
http daemon.
An excellent example of exploiting this misconfiguration was discovered
by my colleague, Will Drewry, in CUPS.
http://localhost.example.com:631/jobs/?job_id=&job_printer_name=Click%20Me&job_printer_uri=javascript:alert(document.cookie)
This misconfiguration allows any of the domains affected to be
vulnerable to this issue via CUPS (installed on most UNIX, Linux, Mac
_______________________________________________________________________
Problem Description:
Multiple vulnerabilities were discovered by Tavis Ormandy and
Will Drewry in the way that pcre handled certain malformed regular
expressions. If an application linked against pcre, such as Konqueror,
parses a malicious regular expression, it could lead to the execution
of arbitrary code as the user running the application.
Updated packages have been patched to prevent this issue.
Vulnerability : cross site scripting
Problem type : remote
Debian-specific: no
CVE Id(s) : CVE-2008-3823
Will Drewry discovered that Horde allows remote attackers to send
an email with a crafted MIME attachment filename attribute to perform
cross site scripting.
For the stable distribution (etch), this problem has been fixed in
version 3.1.3-4etch4.
(CVE-2007-5747),
* and a heap-based buffer overflow when parsing the
"DocumentSummaryInformation" stream in an OLE file (CVE-2008-0320).
Furthermore, Will Drewry (Google Security) reported vulnerabilities in
the memory management of the International Components for Unicode
(CVE-2007-4770, CVE-2007-4771), which was resolved with GLSA 200803-20.
However, the binary version of OpenOffice.org uses an internal copy of
said library.
Multi Network Firewall 2.0
_______________________________________________________________________
Problem Description:
Tavis Ormandy and Will Drewry discovered a flaw in Perl's regular
expression engine. Specially crafted input to a regular expression can
cause Perl to improperly allocate memory, resulting in the possible
execution of arbitrary code with the permissions of the user running
Perl.
Permalink:
http://www.ocert.org/advisories/ocert-2009-006.html
--
Will Drewry <redpig@ocert.org>
oCERT Team :: http://ocert.org
0 0 0 0 0 0 0 0 0 0 0 ] >> .seticcspace
Announcement:
http://scarybeastsecurity.blogspot.com/2008/02/buffer-overflow-in-ghostscript.html
Full technical details including a demo exploit by my colleague Will Drewry:
http://scary.beasts.org/security/CESA-2008-001.html
Cheers
Chris
Debian-specific: no
CVE Id : CVE-2009-1194
Debian Bugs : 527474
Will Drewry discovered that pango, a system for layout and rendering of
internationalized text, is prone to an integer overflow via long
glyphstrings. This could cause the execution of arbitrary code when
displaying crafted data through an application using the pango library.
Package: dev-lang/perl    Vulnerable: < 5.8.8-r4    Unaffected: >= 5.8.8-r4
Description
===========
Tavis Ormandy and Will Drewry (Google Security Team) discovered a
heap-based buffer overflow in the Regular Expression engine (regcomp.c)
that occurs when switching from byte to Unicode (UTF-8) characters in a
regular expression.
Impact
Permalink:
http://www.ocert.org/advisories/ocert-2009-002.html
--
Will Drewry <redpig@ocert.org>
oCERT Team :: http://ocert.org
Permalink:
http://www.ocert.org/advisories/ocert-2008-016.html
--
Will Drewry <redpig@ocert.org>
oCERT Team :: http://ocert.org
Vulnerability description:
OpenSSL 0.9.7l and 0.9.8d fixed a buffer overflow found in
the SSL_get_shared_ciphers() function reported by Tavis
Ormandy and Will Drewry of the Google Security Team.
Although this fix prevented the unlimited overflow of the
buffer, it still allowed an off-by-one buffer overflow to
happen, which could potentially still result in remote code
execution.
Package: media-libs/libvorbis    Vulnerable: < 1.2.1_rc1    Unaffected: >= 1.2.1_rc1
Description
===========
Will Drewry of the Google Security Team reported multiple
vulnerabilities in libvorbis:
* A zero value for "codebook.dim" is not properly handled, leading to
a crash, infinite loop or triggering an integer overflow
(CVE-2008-1419).
efforts have been taken to maintain behavioral compatibility with the
earlier versions.
Details follow:
Tavis Ormandy and Will Drewry discovered multiple flaws in the regular
expression handling of PCRE. By tricking a user or service into running
specially crafted expressions via applications linked against libpcre3,
a remote attacker could crash the application, monopolize CPU resources,
or possibly execute arbitrary code with the application's privileges.
> OpenSSL 0.9.7l and 0.9.8d fixed a buffer overflow found in
> the SSL_get_shared_ciphers() function reported by Tavis
> Ormandy and Will Drewry of the Google Security Team.
> Although this fix prevented the unlimited overflow of the
> buffer, it still allowed an off-by-one buffer overflow to
> happen, which could potentially still result in remote code
> execution.
Both these bugs of course exist, and have been fixed. However, it is unclear if they could actually be exploited in the real world.
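The SSL_get_shared_ciphers() story above (the 0.9.7l/0.9.8d fix stopped the unbounded overflow but left an off-by-one) is a common shape: a loop that copies names into a caller-supplied buffer with a separator after each, where the free-space check reserves room for the name but not for the separator written after it. The example below is an added illustration written for this page; it is not OpenSSL's code, and the function names, the ':' join format and the sample cipher names are constructed for the demonstration. It puts the off-by-one variant beside the corrected one and detects the stray write with a canary byte placed just past the buffer inside a larger backing array, so the bug is observed without corrupting real memory.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef char *(*join_fn)(const char *const *names, size_t count,
                         char *buf, size_t len);

/* Incomplete fix: the free-space check covers the name but not the ':'
 * written after it. When a name exactly fills the remaining space the
 * separator, and then the terminator, land at buf[len]: one byte past
 * the end. Illustrative only; this is not OpenSSL's implementation. */
char *join_names_offbyone(const char *const *names, size_t count,
                          char *buf, size_t len)
{
    char *p = buf;
    const char *end = buf + len;
    if (len == 0)
        return NULL;
    for (size_t i = 0; i < count; i++) {
        size_t n = strlen(names[i]);
        if ((ptrdiff_t)n > end - p)          /* BUG: should reserve n + 1 */
            break;
        memcpy(p, names[i], n);
        p += n;
        *p++ = ':';                          /* may write buf[len] */
    }
    if (p != buf)
        p--;                                 /* drop the trailing ':' */
    *p = '\0';                               /* may write buf[len] as well */
    return buf;
}

/* Corrected: reserve room for the name plus the byte after it (the ':' or,
 * for the last name, the final NUL), tracked with an explicit counter. */
char *join_names_fixed(const char *const *names, size_t count,
                       char *buf, size_t len)
{
    char *p = buf;
    size_t remaining = len;
    if (len == 0)
        return NULL;
    for (size_t i = 0; i < count; i++) {
        size_t n = strlen(names[i]);
        if (n + 1 > remaining)
            break;
        memcpy(p, names[i], n);
        p += n;
        *p++ = ':';
        remaining -= n + 1;
    }
    if (p != buf)
        p--;
    *p = '\0';
    return buf;
}

/* Runs fn against a len-byte buffer that is followed by a canary byte inside
 * a larger backing array, so an off-by-one write is observed instead of
 * corrupting real memory. Copies the produced string into out (len + 1 bytes)
 * and returns true if the canary survived. */
bool join_with_canary(join_fn fn, const char *const *names, size_t count,
                      size_t len, char *out)
{
    enum { BACKING = 64, CANARY = 0x7f };
    char backing[BACKING];
    if (len + 1 > BACKING)
        return false;
    memset(backing, 0, BACKING);
    backing[len] = CANARY;
    fn(names, count, backing, len);
    memcpy(out, backing, len);
    out[len] = '\0';
    return backing[len] == CANARY;
}

int main(void)
{
    const char *const names[] = { "AB", "CD" };   /* constructed sample */
    char out[16];
    bool ok = join_with_canary(join_names_offbyone, names, 2, 5, out);
    printf("off-by-one: \"%s\", canary %s\n", out, ok ? "intact" : "CLOBBERED");
    ok = join_with_canary(join_names_fixed, names, 2, 5, out);
    printf("fixed:      \"%s\", canary %s\n", out, ok ? "intact" : "CLOBBERED");
    return 0;
}
```

With a 5-byte buffer the off-by-one version emits a complete-looking "AB:CD" while the canary after the buffer has been overwritten; the corrected version stops at "AB" because "AB:CD" plus its terminator needs six bytes. A check that only looks at the returned string would miss the bug, which is why the harness inspects the byte past the end.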
After a standard system upgrade you need to restart your session to effect
the necessary changes.
Details follow:
Will Drewry discovered that Pango incorrectly handled rendering text with
long glyphstrings. If a user were tricked into displaying specially crafted
data with applications linked against Pango, such as Firefox, an attacker
could cause a denial of service or execute arbitrary code with privileges
of the user invoking the program.
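Both the Debian and the Ubuntu Pango notices above (CVE-2009-1194) describe the same failure mode: an integer overflow when sizing storage for a very long glyph string, so that a huge glyph count produces a small allocation that is then written past. The example below is an added illustration for this page, not Pango's code: the glyph record layout, the function names and the doubling growth policy are assumptions chosen to show the pattern. It shows the wrapping computation next to a checked one and a growth routine that refuses, rather than wraps, when the capacity or its byte size would overflow.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical glyph record used for illustration; Pango's real
 * PangoGlyphInfo layout is not reproduced here. */
typedef struct {
    uint32_t glyph;
    int32_t  x_offset;
    int32_t  y_offset;
    int32_t  width;
} glyph_info_t;

_Static_assert(sizeof(glyph_info_t) == 16, "example assumes 16-byte records");

/* The unsafe pattern: the byte count is computed in a 32-bit type, so a
 * glyph count above 2^28 wraps to a tiny number while the caller still
 * believes it has room for num_glyphs records. */
uint32_t glyph_bytes_wrapping(uint32_t num_glyphs)
{
    return num_glyphs * (uint32_t)sizeof(glyph_info_t);   /* wraps mod 2^32 */
}

/* Hardened: refuse any count whose byte size would not fit in size_t. */
int glyph_bytes_checked(size_t num_glyphs, size_t *out_bytes)
{
    if (num_glyphs > SIZE_MAX / sizeof(glyph_info_t))
        return -1;
    *out_bytes = num_glyphs * sizeof(glyph_info_t);
    return 0;
}

/* Allocate zeroed storage for num_glyphs records; NULL if the size
 * computation would overflow or the allocation fails. */
glyph_info_t *glyph_string_alloc(size_t num_glyphs)
{
    size_t bytes;
    if (glyph_bytes_checked(num_glyphs, &bytes) != 0)
        return NULL;                       /* refuse rather than wrap */
    return calloc(1, bytes ? bytes : sizeof(glyph_info_t));
}

/* Grow a glyph string so it holds at least `needed` records, doubling the
 * capacity (an assumed policy). Returns -1 and leaves *buf and *cap untouched
 * if the doubled capacity or its byte size would overflow. */
int glyph_string_grow(glyph_info_t **buf, size_t *cap, size_t needed)
{
    if (needed <= *cap)
        return 0;
    size_t new_cap = *cap ? *cap : 1;
    while (new_cap < needed) {
        if (new_cap > SIZE_MAX / 2)
            return -1;                     /* doubling would wrap */
        new_cap *= 2;
    }
    size_t bytes;
    if (glyph_bytes_checked(new_cap, &bytes) != 0)
        return -1;                         /* byte size would wrap */
    glyph_info_t *p = realloc(*buf, bytes);
    if (p == NULL)
        return -1;
    /* zero the added tail so stale heap data is never read back as glyphs */
    memset(p + *cap, 0, (new_cap - *cap) * sizeof(glyph_info_t));
    *buf = p;
    *cap = new_cap;
    return 0;
}

int main(void)
{
    printf("wrapping size for 0x10000001 glyphs: %u bytes\n",
           glyph_bytes_wrapping(0x10000001u));
    glyph_info_t *g = NULL;
    size_t cap = 0;
    printf("grow to 3: %d (cap %zu)\n", glyph_string_grow(&g, &cap, 3), cap);
    printf("grow to SIZE_MAX: %d (cap %zu)\n",
           glyph_string_grow(&g, &cap, SIZE_MAX), cap);
    free(g);
    return 0;
}
```

The wrapping computation turns 0x10000001 records into a 16-byte request, the exact shape of a "long glyphstring" overflow; the checked path reports an error before any allocator is called, and the growth routine keeps the old buffer and capacity intact on failure so the caller never holds a pointer whose capacity it misjudges.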
dereferences in the IAX2 implementation could lead to denial of
service.
CVE-2007-3764
Will Drewry discovered that a programming error in the Skinny
implementation could lead to denial of service.
For the oldstable distribution (sarge) these problems have been fixed in
version 1.0.7.dfsg.1-2sarge5.
Vulnerability : heap overflow
Problem type : local (remote)
Debian-specific: no
CVE Id(s) : CVE-2007-5116
Will Drewry and Tavis Ormandy of the Google Security Team have
discovered a UTF-8 related heap overflow in Perl's regular expression
compiler, probably allowing attackers to execute arbitrary code by
compiling specially crafted regular expressions.
For the stable distribution (etch), this problem has been fixed in
Package: dev-libs/icu    Vulnerable: < 3.8.1-r1    Unaffected: >= 3.8.1-r1
Description
===========
Will Drewry (Google Security) reported a vulnerability in the regular
expression engine when using back references to capture \0 characters
(CVE-2007-4770). He also found that the backtracking stack size is not
limited, possibly allowing for a heap-based buffer overflow
(CVE-2007-4771).
Attack Feasibility: run-time
Attack Vector: remote network
Attack Impact: arbitrary code execution
Description:
Will Drewry and Tavis Ormandy of the Google Security Team have
discovered a UTF-8 related heap overflow in the regular expression
compiler of the Perl [0] programming language, probably allowing
attackers to execute arbitrary code by compiling specially crafted
regular expressions. The bug manifests in a possible buffer overflow
in the polymorphic "opcode" support code, caused by ASCII regular
Affected: 2007.0, 2007.1, 2008.0
_______________________________________________________________________
Problem Description:
Tavis Ormandy and Will Drewry found that the boost library did not
properly perform input validation on regular expressions. An attacker
could exploit this by sending a specially crafted regular expression
to an application linked against boost and cause a denial of service
via an application crash.
Permalink:
http://www.ocert.org/advisories/ocert-2008-012.html
--
Will Drewry <redpig@ocert.org>
oCERT Team :: http://ocert.org