infinite loop
Vendor: Sophos, http://www.sophos.com
Affected Products:
Sophos Anti-Virus for Windows
Sophos Anti-Virus for Unix/Linux
Vulnerability: Infinite Loop DoS (remote)
Risk: MEDIUM
________________________________________________________________________
Vendor communication:
Dear security@nruns.com,
Either Subject "UPX parsing Arbitrary CodeExecution" or vulnerability
description "Infinite Loop in UPX packed files parsing" are wrong. Can
you provide more detailed information please? It's not clear, how
infinite loop can lead to remote code execution.
--Friday, August 24, 2007, 11:15:01 PM, you wrote to bugtraq@securityfocus.com:
A remotely exploitable vulnerability has been found in the file parsing
engine.
In detail, the following flaw was determined:
- Infinite Loop in UPX packed files parsing
Impact:
This problem can lead to remote denial of service or arbitrary code
Multiple vulnerabilities have been discovered and corrected in cups:
The cupsDoAuthentication function in auth.c in the client in CUPS
before 1.4.4, when HAVE_GSSAPI is omitted, does not properly handle a
demand for authorization, which allows remote CUPS servers to cause
a denial of service (infinite loop) via HTTP_UNAUTHORIZED responses
(CVE-2010-2432).
The LZW decompressor in the LWZReadByte function in giftoppm.c in
the David Koblas GIF decoder in PBMPLUS, as used in the gif_read_lzw
function in filter/image-gif.c in CUPS before 1.4.7, the LZWReadByte
handling function (mainly diskette image files can cause this kind of
application hang, but modified headers of other image formats may also lead
to the same program behaviour).
The successful DoS attack is achieved by opening a special .IMG
file with its header modified. Because of bad FAT header handling,
the application may get into an infinite loop, so that the
only way out is to terminate the process.
The second one - a Directory Traversal vulnerability - was reported in .IMG
and .ISO image processing. There is no function to check whether
the filename or directory name contains a string such as ".." etc.
=============
Vulnerability
=============
IDA Pro uses different file loaders to disassemble files of different formats
(PE, ELF, etc.). The loader for QNX files contains a vulnerability that allows
a specially crafted file to cause the loader to go into an infinite loop,
thereby consuming 100% of CPU resources and preventing disassembly.
The for-loop below is designed to iterate through each lmf_data structure in
the input file, advancing the file pointer based on sizeof(lmf_data) +
lmf_data.offset. However, if lmf_data.offset == -sizeof(lmf_data) then at is
[CAL-20100204-1]Adobe Shockwave Player Director File Parsing ATOM size
infinite loop vulnerability
Affected Products
=================
11.5.2.602, 11.5.6.606 and prior
CVE ID: CVE-2010-1282
CAL ID: CAL-20100204-1
if (preg_match("/[^\w\s+*^\/()\.,-]/", $expr, $matches)) { // make sure the characters are all good
return $this->trigger("illegal character '{$matches[0]}'");
}
while(1) { // 1 Infinite Loop ;)
$op = substr($expr, $index, 1); // get the first character at the current index
// find out if we're currently at the beginning of a number/variable/function/parenthesis/operand
$ex = preg_match('/^([a-z]\w*\(?|\d+(?:\.\d*)?|\.\d+|\()/', substr($expr, $index), $match);
//===============
if ($op == '-' and !$expecting_op) { // is it a negation instead of a minus?
3. *Vulnerability Description*
The VNC server of the Qemu and KVM virtualization solutions is vulnerable
to a remote DoS: specially crafted packets received by the host
VNC server cause an infinite loop.
Successful exploitation causes the host server to enter an infinite loop
and cease to function. The vulnerability can be triggered remotely by
external hosts or virtualized guests. No special privileges are required
to perform the Denial of Service.
Problem Description:
A vulnerability has been found and corrected in git:
git-daemon in git 1.4.4.5 through 1.6.3 allows remote attackers to
cause a denial of service (infinite loop and CPU consumption) via a
request containing extra unrecognized arguments (CVE-2009-2108).
This update provides fixes for this vulnerability.
_______________________________________________________________________
third party information. (CVE-2007-5500)
The minix filesystem code in Linux kernel 2.6.x before 2.6.24,
including 2.6.18, allows local users to cause a denial of service
(hang) via a malformed minix file stream that triggers an infinite
loop in the minix_bmap function. NOTE: this issue might be due to an
integer overflow or signedness error. (CVE-2006-6058)
To update your kernel, please follow the directions located at:
http://www.mandriva.com/en/security/kernelupdate
Problem Description:
Multiple vulnerabilities have been identified and fixed in mplayer:
FFmpeg 0.5 allows remote attackers to cause a denial of service (hang)
via a crafted file that triggers an infinite loop. (CVE-2009-4636)
flicvideo.c in libavcodec 0.6 and earlier in FFmpeg, as used in MPlayer
and other products, allows remote attackers to execute arbitrary code
via a crafted flic file, related to an arbitrary offset dereference
vulnerability. (CVE-2010-3429)
A vulnerability was discovered and corrected in xerces-j2:
Apache Xerces2 Java, as used in Sun Java Runtime Environment (JRE)
in JDK and JRE 6 before Update 15 and JDK and JRE 5.0 before Update
20, and in other products, allows remote attackers to cause a denial
of service (infinite loop and application hang) via malformed XML
input, as demonstrated by the Codenomicon XML fuzzing framework
(CVE-2009-2625).
Packages for 2009.0 are provided as of the Extended Maintenance
Program. Please visit this link to learn more:
CVE-2009-1183
The JBIG2 MMR decoder in Xpdf 3.02pl2 and earlier, CUPS 1.3.9 and
earlier, Poppler before 0.10.6, and other products allows remote
attackers to cause a denial of service (infinite loop and hang) via a
crafted PDF file.
For the old stable distribution (etch), these problems have been fixed in version
3.01-9.1+etch6.
Details follow:
Brad Fitzpatrick discovered that libxml2 did not correctly handle certain
UTF-8 sequences. If a remote attacker were able to trick a user or
automated system into processing a specially crafted XML document, the
application linked against libxml2 could enter an infinite loop, leading
to a denial of service via CPU resource consumption.
Updated packages for Ubuntu 6.06 LTS:
other products allow remote attackers to execute arbitrary code via
a crafted PDF file. (CVE-2009-1182)
The JBIG2 MMR decoder in Xpdf 3.02pl2 and earlier, CUPS 1.3.9 and
earlier, Poppler before 0.10.6, and other products allows remote
attackers to cause a denial of service (infinite loop and hang)
via a crafted PDF file. (CVE-2009-1183)
The directory-services functionality in the scheduler in CUPS 1.1.17
and 1.1.22 allows remote attackers to cause a denial of service (cupsd
daemon outage or crash) via manipulations of the timing of CUPS browse
a log file (CVE-2011-2204).
Apache Tomcat, when sendfile is enabled for the HTTP APR or HTTP
NIO connector, does not validate certain request attributes, which
allows local users to bypass intended file access restrictions or
cause a denial of service (infinite loop or JVM crash) by leveraging
an untrusted web application (CVE-2011-2526).
Certain AJP protocol connector implementations in Apache Tomcat allow
remote attackers to spoof AJP requests, bypass authentication, and
obtain sensitive information by causing the connector to interpret
long "library" parameter in the dl() function (CVE-2007-4887), in
several iconv and xmlrpc functions (CVE-2007-4840 and CVE-2007-4783),
in the setlocale() function (CVE-2007-4784), in the glob() and
fnmatch() function (CVE-2007-4782 and CVE-2007-3806), a floating point
exception in the wordwrap() function (CVE-2007-3998), a stack
exhaustion via deeply nested arrays (CVE-2007-4670), an infinite loop
caused by a specially crafted PNG image in the png_read_info() function
of libpng (CVE-2007-2756) and several issues related to array
conversion.
Impact
function in filter/image-gif.c in CUPS before 1.4.7, the LZWReadByte
function in plug-ins/common/file-gif-load.c in GIMP 2.6.11 and earlier,
the LZWReadByte function in img/gifread.c in XPCE in SWI-Prolog 5.10.4
and earlier, and other products, does not properly handle code words
that are absent from the decompression table when encountered, which
allows remote attackers to trigger an infinite loop or a heap-based
buffer overflow, and possibly execute arbitrary code, via a crafted
compressed stream, a related issue to CVE-2006-1168 and CVE-2011-2895
(CVE-2011-2896).
The updated packages have been patched to correct these issues.
Successful exploitation of the above vulnerabilities allows execution
of arbitrary code.
4) A logic error when parsing long tokens can result in an infinite
loop. Exploitation will result in maximum CPU usage until an
application-configured timeout expires. In some cases memory usage
will increase until the OS terminates the process.
======================================================================
5) Solution
1 media-libs/libid3tag < 0.15.1b-r2 >= 0.15.1b-r2
Description
===========
Kentaro Oda reported an infinite loop in the file field.c when parsing
an MP3 file with an ID3_FIELD_TYPE_STRINGLIST field that ends in '\0'.
Impact
======
CVE-2011-2896
The LZW decompressor in the LZWReadByte function in
plug-ins/common/file-gif-load.c does not properly handle code
words that are absent from the decompression table when
encountered, which allows remote attackers to trigger an
infinite loop or a heap-based buffer overflow, and possibly
execute arbitrary code, via a crafted compressed stream.
For the stable distribution (squeeze), these problems have been fixed in
version 2.6.10-1+squeeze3.
corruption or arbitrary code execution.
CVE-2007-6356
Cyclical EXIF image file directory (IFD) references could cause
a denial of service (infinite loop).
For the stable distribution (etch), these problems have been fixed in
version 0.98-1.1+etch1.
The old stable distribution (sarge) cannot be fixed synchronously
Details follow:
It was discovered that ClamAV did not properly verify its input when
processing TAR archives. A remote attacker could send a specially crafted
TAR file and cause a denial of service via infinite loop.
It was discovered that ClamAV did not properly validate Portable Executable
(PE) files. A remote attacker could send a crafted PE file and cause a
denial of service (divide by zero).
inconsistent codec types and identifiers, which causes the mp3 decoder
to process a pointer for a video structure, leading to a stack-based
buffer overflow. (CVE-2009-4635)
FFmpeg 0.5 allows remote attackers to cause a denial of service (hang)
via a crafted file that triggers an infinite loop. (CVE-2009-4636)
The av_rescale_rnd function in the AVI demuxer in FFmpeg 0.5 allows
remote attackers to cause a denial of service (crash) via a crafted
AVI file that triggers a divide-by-zero error. (CVE-2009-4639)
A denial of service vulnerability has been found in libhtml-parser-perl,
a collection of modules to parse HTML in text documents which is used by
several other projects like e.g. SpamAssassin.
Mark Martinec discovered that the decode_entities() function will get stuck
in an infinite loop when parsing certain HTML entities with invalid UTF-8
characters. An attacker can use this to perform denial of service attacks
by submitting crafted HTML to an application using this functionality.
For the oldstable distribution (etch), this problem has been fixed in
Problem Description:
Multiple vulnerabilities have been identified and fixed in ffmpeg:
FFmpeg 0.5 allows remote attackers to cause a denial of service (hang)
via a crafted file that triggers an infinite loop. (CVE-2009-4636)
flicvideo.c in libavcodec 0.6 and earlier in FFmpeg, as used in MPlayer
and other products, allows remote attackers to execute arbitrary code
via a crafted flic file, related to an arbitrary offset dereference
vulnerability. (CVE-2010-3429)
CVE-2011-2213
Dan Rosenberg discovered an issue in the INET socket monitoring interface.
Local users could cause a denial of service by injecting code and causing
the kernel to execute an infinite loop.
CVE-2011-2898
Eric Dumazet reported an information leak in the raw packet socket
implementation.
a remote file from a malformed FTP server to a local hard drive. This allows an
attacker to perform a directory traversal attack. Successful exploitation may
lead to a full scale system compromise.
Unreal Commander also fails to correctly handle FTP responses. This can lead to
the application entering an infinite loop, denying service to the legitimate
user.
== Details ==
CVE-2007-3998
Mattias Bengtsson and Philip Olausson discovered that a
programming error in the implementation of the wordwrap() function
allowed denial of service through an infinite loop.
CVE-2007-4658
Stanislav Malyshev discovered that a format string vulnerability
in the money_format() function could allow the execution of