
format string vulnerabilities

Month of PHP Security - Summary - 11th May - 21st

MOPS-2010-032: PHP iconv_mime_decode() Interruption Information Leak
Vulnerability
http://php-security.org/2010/05/18/mops-2010-032-php-iconv_mime_decode-interruption-information-leak-vulnerability/

MOPS-2010-028: PHP phar_wrapper_open_url Format String Vulnerabilities
http://php-security.org/2010/05/14/mops-2010-028-php-phar_wrapper_open_url-format-string-vulnerabilities/

MOPS-2010-027: PHP phar_parse_url Format String Vulnerabilities
http://php-security.org/2010/05/14/mops-2010-027-php-phar_parse_url-format-string-vulnerabilities/


[SECURITY] [DSA 2431-1] libdbd-pg-perl security update

http://www.debian.org/security/                        Moritz Muehlenhoff
March 11, 2012                         http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : libdbd-pg-perl
Vulnerability  : format string vulnerabilities
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2012-1151
Debian Bug     : 661536


[ MDVSA-2009:234 ] silc-toolkit

 Problem Description:

 Multiple vulnerabilities were discovered and corrected in silc-toolkit:
 
 Multiple format string vulnerabilities in lib/silcclient/client_entry.c
 in Secure Internet Live Conferencing (SILC) Toolkit before 1.1.10, and
 SILC Client before 1.1.8, allow remote attackers to execute arbitrary
 code via format string specifiers in a nickname field, related to the
 (1) silc_client_add_client, (2) silc_client_update_client, and (3)
 silc_client_nickname_format functions (CVE-2009-3051).

[ GLSA 200708-16 ] Qt: Multiple format string vulnerabilities

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: Qt: Multiple format string vulnerabilities
      Date: August 22, 2007
      Bugs: #185446
        ID: 200708-16

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

[SECURITY] [DSA 2432-1] libyaml-libyaml-perl security update

http://www.debian.org/security/                        Moritz Muehlenhoff
March 12, 2012                         http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : libyaml-libyaml-perl
Vulnerability  : format string vulnerabilities
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2012-1152
Debian Bug     : 661548


[ MDVSA-2009:234-2 ] silc-toolkit

[ MDVSA-2009:235 ] silc-toolkit

[ MDVSA-2009:234-1 ] silc-toolkit

 Problem Description (identical in all three): see MDVSA-2009:234 above (CVE-2009-3051).

iDefense Security Advisory 08.04.08: Solaris snoop SMB Decoding Multiple Format String Vulnerabilities

http://docs.sun.com/app/docs/doc/816-0211/6m6nc677k?a=view

II. DESCRIPTION

Remote exploitation of multiple format string vulnerabilities in Sun
Microsystems Inc.'s snoop could allow an attacker to execute arbitrary
code with the privileges of the nobody user.

Multiple format string vulnerabilities exist within the code that parses
and displays SMB traffic. All of the vulnerabilities are present due to

[SECURITY] [DSA-1597-2] New mt-daapd package fix regression

    HTTP header enables a heap buffer overflow, potentially enabling
    the execution of arbitrary code.

CVE-2007-5825

    Format string vulnerabilities in debug logging within the
    authentication of XML-RPC requests could enable the execution of
    arbitrary code.

CVE-2008-1771


[ MDVSA-2009:179 ] mysql

 Problem Description:

 A vulnerability has been found and corrected in mysql:
 
 Multiple format string vulnerabilities in the dispatch_command function
 in libmysqld/sql_parse.cc in mysqld in MySQL 4.0.0 through 5.0.83 allow
 remote authenticated users to cause a denial of service (daemon crash)
 and possibly have unspecified other impact via format string specifiers
 in a database name in a (1) COM_CREATE_DB or (2) COM_DROP_DB request.
 NOTE: some of these details are obtained from third party information.

[SECURITY] [DSA 1512-1] New evolution packages fix arbitrary code execution

http://www.debian.org/security/                          Thijs Kinkhorst
March 05, 2008                        http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package        : evolution
Vulnerability  : format string attack
Problem type   : remote
Debian-specific: no
CVE Id(s)      : CVE-2008-0072

Ulf Härnhammar discovered that Evolution, the e-mail and groupware suite,

[SECURITY] [DSA 1426-1] New qt-x11-free packages fix several vulnerabilities

following problems:

CVE-2007-3388

    Tim Brown and Dirk Müller discovered several format string
    vulnerabilities in the handling of error messages, which might lead
    to the execution of arbitrary code.

CVE-2007-4137

    Dirk Müller discovered an off-by-one buffer overflow in the Unicode

[USN-839-1] Samba vulnerabilities

setuid program, would not verify user permissions before opening a
credentials file. A local user could exploit this to use or read the
contents of unauthorized credential files. (CVE-2009-2948)

Reinhard Nißl discovered that the smbclient utility contained format string
vulnerabilities in its file name handling. Because of security features in
Ubuntu, exploitation of this vulnerability is limited. If a user or
automated system were tricked into processing a specially crafted file
name, smbclient could be made to crash, possibly leading to a denial of
service. This only affected Ubuntu 8.10. (CVE-2009-1886)


[SECURITY] [DSA 2042-1] New iscsitarget packages fix arbitrary code execution

Problem type   : remote
Debian-specific: no
Debian bug     : 574935
CVE ID         : CVE-2010-0743

Florent Daigniere discovered multiple format string vulnerabilities in the Linux
SCSI target framework (known as iscsitarget under Debian) that allow remote
attackers to cause a denial of service in the ietd daemon. The flaw can be
triggered by sending a carefully crafted Internet Storage Name Service (iSNS)
request.


[ MDVSA-2011:004 ] php-phar

 Problem Description:

 A vulnerability has been found and corrected in php-phar:
 
 Multiple format string vulnerabilities in the phar extension in PHP
 5.3 before 5.3.2 allow context-dependent attackers to obtain sensitive
 information (memory contents) and possibly execute arbitrary code
 via a crafted phar:// URI that is not properly handled by the (1)
 phar_stream_flush, (2) phar_wrapper_unlink, (3) phar_parse_url, or
 (4) phar_wrapper_open_url functions in ext/phar/stream.c; and the (5)

[ MDVSA-2011:052 ] php

 Integer overflow in ext/shmop/shmop.c in PHP before 5.3.6 allows
 context-dependent attackers to cause a denial of service (crash)
 and possibly read sensitive memory via a large third argument to the
 shmop_read function (CVE-2011-1092).
 
 Multiple format string vulnerabilities in phar_object.c in the phar
 extension in PHP 5.3.5 and earlier allow context-dependent attackers
 to obtain sensitive information from process memory, cause a denial of
 service (memory corruption), or possibly execute arbitrary code via
 format string specifiers in an argument to a class method, leading
 to an incorrect zend_throw_exception_ex call (CVE-2011-1153).

[USN-1126-1] PHP vulnerabilities

Felipe Pena discovered that a use-after-free vulnerability in the
substr_replace function allows an attacker to cause a denial of
service (memory corruption) or possibly execute arbitrary code.
(CVE-2011-1148)

Felipe Pena discovered multiple format string vulnerabilities in the
PHP phar extension. These could allow an attacker to obtain sensitive
information from process memory, cause a denial of service (memory
corruption), or possibly execute arbitrary code. This issue affected
Ubuntu 10.04 LTS, Ubuntu 10.10, and Ubuntu 11.04 (CVE-2011-1153).


[ MDVSA-2011:053 ] php

 Problem Description: identical to MDVSA-2011:052 above (CVE-2011-1092, CVE-2011-1153).

[SECURITY] [DSA 2065-1] New kvirc packages fix several vulnerabilities

CVE Id(s)      : CVE-2010-2451 CVE-2010-2452

Two security issues have been discovered in the DCC protocol support
code of kvirc, a KDE-based next generation IRC client, which allow
the overwriting of local files through directory traversal and the
execution of arbitrary code through a format string attack.

For the stable distribution (lenny), these problems have been fixed in
version 3.4.0-5.

For the unstable distribution (sid), these problems have been fixed in

[ MDVSA-2009:196 ] samba

 Problem Description:

 Multiple vulnerabilities have been found and corrected in samba:
 
 Multiple format string vulnerabilities in client/client.c in smbclient
 in Samba 3.2.0 through 3.2.12 might allow context-dependent attackers
 to execute arbitrary code via format string specifiers in a filename
 (CVE-2009-1886).
 
 The acl_group_override function in smbd/posix_acls.c in smbd in Samba

Fedora 14 - Format string attack in allegro-tools package

Format string attack in pack.c file (package allegro-tools) Fedora 14

Problematic code:

static void err(char *s1, char *s2)
{

   ......
   if (s2)
      printf(s2);   /* caller-supplied s2 is used directly as the format string */
}
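The allegro snippet above is the minimal shape of every entry on this page: an attacker-controlled string (a file name for smbclient, a nickname for SILC, a database name for MySQL, a phar:// URI for PHP) reaches a printf-family call as the format argument. The following is an added example, not code from allegro or any other project listed here, showing that shape beside its one-line fix, the `%n` write primitive that turns "denial of service" into "execute arbitrary code", and a cheap input-side check. The hostile input string is constructed for the demonstration; the wrapper `emit` and the probe functions are illustrative names of my own.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Thin vsnprintf wrapper. It deliberately carries no printf format
 * attribute, so the vulnerable call below compiles without a warning.
 * That is how such bugs survive review: the compiler only checks call
 * sites of functions it knows to be printf-like. */
static int emit(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int r = vsnprintf(out, n, fmt, ap);
    va_end(ap);
    return r;
}

/* Vulnerable shape, as in allegro's err(): the untrusted string s2
 * IS the format string, so "%x" in it reads off the stack/registers
 * and "%n" in it writes through whatever pointer happens to be there. */
int err_vulnerable(char *out, size_t n, const char *s2)
{
    return emit(out, n, s2);
}

/* Fixed shape: constant format, untrusted string passed as an argument. */
int err_fixed(char *out, size_t n, const char *s2)
{
    return emit(out, n, "%s", s2);
}

/* Probe: returns 1 when the vulnerable path consumed the specifiers in
 * s2 (no '%' survives in the output), i.e. s2 was interpreted. */
int vulnerable_consumes(const char *s2)
{
    char out[128];
    err_vulnerable(out, sizeof out, s2);
    return strchr(out, '%') == NULL;
}

/* Probe: the fixed path must reproduce s2 byte for byte. */
int fixed_preserves(const char *s2)
{
    char out[128];
    err_fixed(out, sizeof out, s2);
    return strcmp(out, s2) == 0;
}

/* The write primitive behind "execute arbitrary code": %n stores the
 * number of bytes emitted so far through a pointer argument. With a
 * controlled format the attacker picks which stack slot is used as that
 * pointer. Here the pointer is supplied legitimately, so this call is
 * well defined and simply returns 6. */
int count_written(void)
{
    char buf[32];
    int count = -1;
    snprintf(buf, sizeof buf, "abcdef%n", &count);
    return count;
}

/* Cheap input-side check for names that arrive from the wire before they
 * reach any logging or error path. Not a substitute for a constant
 * format, but useful as defence in depth and as a detection signature:
 * every advisory on this page involves a '%' in a name field. */
int contains_format_specifier(const char *s)
{
    return strchr(s, '%') != NULL;
}

int main(void)
{
    char out[128];
    const char *hostile = "%x.%x.%x.%x";   /* constructed attacker input */

    err_vulnerable(out, sizeof out, hostile);
    printf("vulnerable: %s\n", out);      /* hex words leaked from the stack */

    err_fixed(out, sizeof out, hostile);
    printf("fixed:      %s\n", out);      /* the literal string, unchanged */

    printf("%%n stored:  %d\n", count_written());
    printf("flagged:    %d\n", contains_format_specifier(hostile));
    return 0;
}
```

Build it with `-Wall -Wformat-security` and note that only a direct `printf(s2)` would be flagged; once the untrusted string passes through a wrapper without the format attribute, as in the lintian `sprintf` case and the SILC nickname formatting functions named above, the compiler is silent and the fix has to come from code review or grep for non-literal formats.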

[USN-1126-2] PHP Regressions

 Description identical to USN-1126-1 above (CVE-2011-1148, CVE-2011-1153).


Clients format strings in the Unreal engine

======
2) Bug
======


The Unreal engine is affected by some format string vulnerabilities
which can be exploited by a malicious server when the victim client
connects to it.

The main format string can be exploited through a malformed CLASS
parameter of the DLMGR command but another one seems to be exploitable

[SECURITY] [DSA 1877-1] New mysql-dfsg-5.0 packages fix arbitrary code execution

Problem type   : remote (for authenticated users only)
Debian-specific: no
CVE Id(s)      : CVE-2009-2446
Debian Bug     : 536726

In MySQL 4.0.0 through 5.0.83, multiple format string vulnerabilities
in the dispatch_command() function in libmysqld/sql_parse.cc in mysqld
allow remote authenticated users to cause a denial of service (daemon
crash) and potentially the execution of arbitrary code via format
string specifiers in a database name in a COM_CREATE_DB or 
COM_DROP_DB request.

Secunia Research: UltraISO Image Name Parsing Format String Vulnerabilities

====================================================================== 

                     Secunia Research 01/04/2009

    - UltraISO Image Name Parsing Format String Vulnerabilities -

====================================================================== 
Table of Contents

Affected Software....................................................1

[SECURITY] [DSA 1597-1] New mt-daapd packages fix several vulnerabilities

Description identical to DSA-1597-2 above (CVE-2007-5825, CVE-2008-1771).


[ MDVSA-2009:159 ] mysql

 Problem Description: identical to MDVSA-2009:179 above (CVE-2009-2446).

[ MDVSA-2009:326 ] mysql

 in MySQL 5.0.26 through 5.0.45, when the --html option is enabled,
 allows attackers to inject arbitrary web script or HTML by placing
 it in a database cell, which might be accessed by this client when
 composing an HTML document (CVE-2008-4456).
 
 Multiple format string vulnerabilities in the dispatch_command function
 in libmysqld/sql_parse.cc in mysqld in MySQL 4.0.0 through 5.0.83 allow
 remote authenticated users to cause a denial of service (daemon crash)
 and possibly have unspecified other impact via format string specifiers
 in a database name in a (1) COM_CREATE_DB or (2) COM_DROP_DB request.
 NOTE: some of these details are obtained from third party information.

[SECURITY] [DSA-1979-1] New lintian packages fix multiple vulnerabilities

    in certain operations that could lead to directory traversals.

    An attacker could exploit these vulnerabilities to overwrite
    arbitrary files or disclose system information.

CVE-2009-4014: format string vulnerabilities

    Multiple check scripts and the Lintian::Schedule module were using
    user-provided input as part of the sprintf/printf format string.

CVE-2009-4015: arbitrary command execution



Copyright © 1995-2012 LinuxRocket.net. All rights reserved.
