indices
When processing certain structures from a 3DS file, Google SketchUp
trusts bytes from the 3DS file without performing validations and uses
them as:
1. an operand in pointer arithmetic to calculate an index into an
array where user-controlled data will be written.
2. a loop counter in a copy operation.
These bytes are used by the application without proper validation of
their values, leading to the issues described below.
However, I have not found any evidence of accessing freed memory -- as
far as I can tell, the problem is a logic bug. The CDispNode family
of classes contains a flags field that happens to be located
immediately after the vtable pointer, the lowest four bits of which
I'll refer to as the "extra size index."
CDispNode::SetExpandedClipRect uses the extra size index of a class
instance as an index into CDispNode::_extraSizeTable, a constant array
where each element represents a count of machine words of, I guess,
extra data that precedes the class instance. (This means that a
CDispNode-family class instance is not expected to snugly occupy its
Hmmm, linker fails to check for setgid, and fails to close descriptors
in such cases. It should be possible to write arbitrary files with gid
3003/3004 permissions.
diff --git a/linker/linker.c b/linker/linker.c
index 8f15f62..5e963b4 100644
--- a/linker/linker.c
+++ b/linker/linker.c
@@ -1563,13 +1563,13 @@ static int link_image(soinfo *si, unsigned wr_offset)
}
#endif
The VideoLAN (VLC) media player package is vulnerable to an arbitrary
memory corruption vulnerability, which can be exploited by malicious
remote attackers to compromise a user's system. The vulnerability is
caused by the VLC ('demux/mp4/mp4.c') library not properly
sanitizing certain tags in a MOV file before using them to index an
array on the heap. This can be exploited to get arbitrary code execution
by opening a specially crafted file.
*Vulnerable Packages*
Overview:
Home FTP Server is an easy-to-use FTP server application. A denial of service
vulnerability exists in Home FTP Server that causes the application to stop serving when
multiple malformed "SITE INDEX" commands are sent to the server.
Details:
If you can log on to the server successfully, take the following steps and the application
will stop serving:
Details follow:
It was discovered that MySQL could be made to overwrite existing table
files in the data directory. An authenticated user could use the DATA
DIRECTORY and INDEX DIRECTORY options to possibly bypass privilege checks.
This update alters table creation behaviour by disallowing the use of the
MySQL data directory in DATA DIRECTORY and INDEX DIRECTORY options. This
issue only affected Ubuntu 8.10. (CVE-2008-4098)
It was discovered that MySQL contained a cross-site scripting vulnerability
The patch we reviewed is the following, but please refer to the vendor's
article for exact information.
--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--
Index: lib/webrick/httpstatus.rb
===================================================================
--- lib/webrick/httpstatus.rb (revision 26065)
+++ lib/webrick/httpstatus.rb (working copy)
@@ -13,5 +13,15 @@ module WEBrick
module HTTPStatus
========
This patch applies to Subversion 1.6.x (apply with patch -p0 < patchfile):
[[[
Index: subversion/libsvn_delta/svndiff.c
===================================================================
--- subversion/libsvn_delta/svndiff.c (revision 38519)
+++ subversion/libsvn_delta/svndiff.c (working copy)
@@ -60,10 +60,23 @@ struct encoder_baton {
apr_pool_t *pool;
------------------------------------------
69 6E 64 78 FF FF FF FF 01 00 64 73 20 00 00 10
indx chunk size 0xffffffff
wLongsPerEntry 0x0001
bIndexSubType is 0x64
bIndexType is 0x73
nEntriesInUse is 0x10000020
test case 2 (new_avihead_poc2.avi)
------------------------------------------
DES: Yes
3 DES: Yes
AES CBC: Yes (128,192,256)
AES CNTR: No
Maximum buffer length: 4096
Maximum DH index: 5120
Maximum SA index: 5120
Maximum Flow index: 10230
Note: In the previous example, the "Product Name" VAM2+ is displayed,
indicating that the router has the VAM2+ installed. The Enabled
Vendors contacted: Microsoft
Release mode: Coordinated release
Last Updated: 2010-02-09
Index
-----
1. Vulnerability information
2. Vulnerability description
3. Vulnerable systems
customer identifiers. It also allows attackers to modify carts of logged
on users or saved cards of previously logged on users. This is
demonstrated in the following PHP script (Dutch):
<?php
$url = "http://127.0.0.1/index.php?page=cart&action=show";
$max = 1000;
for($customerid = 1; $customerid <= $max; $customerid++)
{
echo "<h3>Customerid: " . $customerid .
http://www.adobe.com/products/flashplayer/
II. DESCRIPTION
Remote exploitation of an array indexing vulnerability in Adobe Systems
Inc.'s Flash Player could allow an attacker to execute arbitrary code
with the privileges of the current user.
During the processing of certain types of Adobe Flash code, a certain
function may be tricked into accepting an overly large index argument.
The index argument may
vulnerability.
* For the krb5-1.7 and krb5-1.7.1 releases, apply the following patch:
diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c
index 52fbda5..680e6a1 100644
- --- a/src/kdc/do_as_req.c
+++ b/src/kdc/do_as_req.c
@@ -137,6 +137,11 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
session_key.contents = 0;
enc_tkt_reply.authorization_data = NULL;
processing CDF files. This advisory contains technical information about
one of the identified vulnerabilities, which can be exploited when a
malformed CDF file is parsed by a CDF reading program.
The vulnerability exists in the ReadAEDRList64() function. This function
is used to read a list of attribute entries from a CDF file.
The attribute entries are stored in a list indexed by the entry number.
The relevant source code is shown below:
./cdf32_1-dist/src/lib/cdfread64.c:
------------------------------------------------
STATICforIDL CDFstatus ReadAEDRList64 (vFILE *fp,
Description:
In previous versions of the postgresql package, authenticated
users of a postgresql database could cause the postgresql server
to crash by triggering a failure in converting an error message to
an encoding selected by the user, by making mismatched encoding
conversion requests. In addition, a GiST index corruption bug
is also addressed by this update; users of GiST indices should
regenerate GiST indices after updating.
http://wiki.rpath.com/Advisories:rPSA-2009-0086
VLC media player is vulnerable to a memory corruption vulnerability,
which can be exploited by malicious remote attackers to compromise a
user's system, by providing a specially crafted XSPF playlist file. The
vulnerability exists because the VLC ('demux/playlist/xspf.c') library
does not properly perform bounds-checking on an 'identifier' tag from an
XSPF file before using it to index an array on the heap. This can be
exploited to overwrite an arbitrary memory address in the context of the
VLC media player process, and eventually get arbitrary code execution by
opening a specially crafted file.
Debian-specific: no
CVE Id(s) : CVE-2008-2079
Debian Bug : 480292
Sergei Golubchik discovered that MySQL, a widely-deployed database
server, did not properly validate optional data or index directory
paths given in a CREATE TABLE statement, nor would it (under proper
conditions) prevent two databases from using the same paths for data
or index files. This permits an authenticated user with authorization
to create tables in one database to read, write or delete data from
tables subsequently created in other databases, regardless of other
To participate, just send an e-mail to osd@opencosmo.com with your details together with the payment method:
Name:
Surname:
Nickname:
E-mail:
When a staff member of Opencosmo responds, you will be given an ID that will identify the attacker. This ID will be included in the index "deface".
(You can choose the payment method when you win)
The regulation is very simple; by participating you agree to the following terms in their entirety. If you do not agree, you cannot attend the event.
The most interesting part is the faulty code:
Limit = SpGetUInt32 (Buf);
...
UInt16Ptr = (KpUInt16_t *)SpMalloc (Limit * (KpInt32_t)sizeof (*UInt16Ptr));
...
for (Index = 0; Index < Limit; Index++)
*UInt16Ptr++ = SpGetUInt16 (Buf);
...
And the image to trigger:
http://scary.beasts.org/misc/jdk/evilicc2.jpg
Application: IBM solidDB
http://www.solidtech.com/en/products/relationaldatabasemanagementsoftware/embed.asp
Versions: <= 06.00.1018
Platforms: Windows (tested), Solaris, AIX, HP-UX and Linux
Bugs: A] format string in logging function
B] crash caused by arbitrary array index
C] NULL pointer
D] server termination through allocation error
Exploitation: remote
Date: 26 Mar 2008
Author: Luigi Auriemma
The MPlayer package [1] is vulnerable to an arbitrary pointer
dereference vulnerability, which can be exploited by malicious remote
attackers to compromise a user's system. The vulnerability is caused by
the MPlayer libmpdemux ('demux_mov.c') library not properly sanitizing
certain tags on a MOV file before using them to index an array on the
heap. This can be exploited to execute arbitrary commands by opening a
specially crafted file.
*Vulnerable Packages*
---------------------------------
C] arbitrary empty files creation
---------------------------------
IM creates index files that store pointers to the entries of its
database, in which the users' messages are stored.
The problem here is that these index files are created in append mode
using the name of the target of the message plus the "@hostname.idx"
suffix (like username@myhost.idx) without checking if the file has been
----------------------------
There are five security fixes included in this release. None of these
issues are known to have been exploited in the field; they were
discovered through security analysis.
Index Functions Privilege Escalation (CVE-2007-6600): as a unique
feature, PostgreSQL allows users to create indexes on the results of
user-defined functions, known as "expression indexes". This provided
two vulnerabilities to privilege escalation: (1) index functions were
executed as the superuser and not the table owner during VACUUM and
ANALYZE, and (2) that SET ROLE and SET SESSION AUTHORIZATION were
Affected: 2007.0, 2007.1, 2008.0, Corporate 3.0, Corporate 4.0
http://en.wikipedia.org/wiki/X_Window_System
II. DESCRIPTION
Local exploitation of an invalid array index vulnerability in the X.Org
X server, as included in various vendors' operating system
distributions, could allow an attacker to execute arbitrary code with
the privileges of the X server, typically root.
The vulnerability exists within the XFree86-Misc extension. When
Problem Description:
Some vulnerabilities were discovered and corrected in the Linux
2.6 kernel:
Array index error in the gdth_read_event function in
drivers/scsi/gdth.c in the Linux kernel before 2.6.32-rc8 allows
local users to cause a denial of service or possibly gain privileges
via a negative event index in an IOCTL request. (CVE-2009-3080)
The collect_rx_frame function in drivers/isdn/hisax/hfc_usb.c in the