off/by/one error
1. *Advisory Information*
Title: Novell iManager Multiple Vulnerabilities
Advisory Id: CORE-2010-0316
Advisory URL:
[http://www.coresecurity.com/content/novell-imanager-buffer-overflow-off-by-one-vulnerabilities]
Date published: 2010-06-23
Date of last update: 2010-06-23
Vendors contacted: Novell
Release mode: User release
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
A remotely exploitable off-by-one error leading to a heap overflow was
found in irssi which might result in the execution of arbitrary code.
Background
==========
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
An off-by-one error in Compress::Raw::Zlib and Compress::Raw::Bzip2
might lead to a Denial of Service.
Background
==========
CVE IDs : CVE-2011-2489 CVE-2011-2490 CVE-2010-1938
Debian Bugs : 631344 631345 584932
Sebastian Krahmer discovered that opie, a system that makes it simple to
use One-Time passwords in applications, is prone to a privilege
escalation (CVE-2011-2490) and an off-by-one error, which can lead to
the execution of arbitrary code (CVE-2011-2489). Adam Zabrocki and
Maksymilian Arciemowicz also discovered another off-by-one error
(CVE-2010-1938), which only affects the lenny version as the fix was
already included for squeeze.
Multiple Vendor ImageMagick Off-By-One Vulnerability
iDefense Security Advisory 09.19.07
http://labs.idefense.com/intelligence/vulnerabilities/
Sep 19, 2007
I. BACKGROUND
ImageMagick is a suite of image manipulation tools (animate, composite,
conjure, convert, display, identify, import, mogrify and montage) that
http://www.debian.org/security/ Noah Meyerhans
October 02, 2007
- ------------------------------------------------------------------------
Package : openssl
Vulnerability : off-by-one error/buffer overflow
Problem type : remote
Debian-specific: no
CVE Id(s) : CVE-2007-5135
Debian Bug : 444435
-----------------------------------------------------------------
OpenSSL SSL_get_shared_ciphers() off-by-one buffer overflow
Copyright (c) 2007 Moritz Jodeit <moritz@jodeit.org> (2007/09/27)
-----------------------------------------------------------------
Application details:
OpenSSL is a widely used open source implementation of the
SSL v2/v3 and TLS v1 protocols.
http://www.debian.org/security/ Noah Meyerhans
October 10, 2007
- ------------------------------------------------------------------------
Package : openssl097, openssl096
Vulnerability : off-by-one error/buffer overflow
Problem type : remote
Debian-specific: no
CVE Id(s) : CVE-2007-5135
Debian Bug : 444435
-----------------------------------------------------------------
ClamAV get_unicode_name() off-by-one buffer overflow
Copyright (c) 2008 Moritz Jodeit <moritz@jodeit.org> (2008/11/08)
-----------------------------------------------------------------
Application details:
From http://www.clamav.net/:
The cli_pdf function in libclamav/pdf.c in ClamAV before 0.96.1 allows
remote attackers to cause a denial of service (crash) via a malformed
PDF file, related to an inconsistency in the calculated stream length
and the real stream length (CVE-2010-1639).
Off-by-one error in the parseicon function in libclamav/pe_icons.c
in ClamAV 0.96 allows remote attackers to cause a denial of service
(crash) via a crafted PE icon that triggers an out-of-bounds read,
related to improper rounding during scaling (CVE-2010-1640).
Packages for 2008.0 and 2009.0 are provided as of the Extended
user or automated system were tricked into opening a crafted PNG image, an
attacker could cause a denial of service via application crash, or possibly
execute arbitrary code with the privileges of the user invoking the program.
This issue did not affect Ubuntu 8.10. (CVE-2008-1382)
Harald van Dijk discovered an off-by-one error in libpng. An attacker
could cause an application crash in programs using pngtest. (CVE-2008-3964)
It was discovered that libpng did not properly NULL terminate a keyword
string. An attacker could exploit this to set arbitrary memory locations to
zero. (CVE-2008-5907)
1 app-antivirus/clamav < 0.94.2 >= 0.94.2
Description
===========
Moritz Jodeit reported an off-by-one error within the
get_unicode_name() function in libclamav/vba_extract.c when processing
VBA project files (CVE-2008-5050). Ilja van Sprundel reported an
infinite recursion error within the cli_check_jpeg_exploit() function
in libclamav/special.c when processing JPEG files (CVE-2008-5314).
Problem Description:
Multiple vulnerabilities have been found and corrected in perl:
Off-by-one error in the decode_xs function in Unicode/Unicode.xs
in the Encode module before 2.44, as used in Perl before 5.15.6,
might allow context-dependent attackers to cause a denial of service
(memory corruption) via a crafted Unicode string, which triggers a
heap-based buffer overflow (CVE-2011-2939).
Multiple integer overflows were reported by the Google Security Team
that had been fixed in Python 2.5.2 (CVE-2008-3143).
Justin Ferguson reported a number of integer overflows and underflows
in the PyOS_vsnprintf() function, as well as an off-by-one error
when passing zero-length strings, that led to memory corruption
(CVE-2008-3144).
The updated packages have been patched to correct these issues.
As well, Python packages on Mandriva Linux 2007.1 and 2008.0 have
which triggers a heap-based buffer overflow. It only affects the
oldstable distribution (etch).
CVE-2007-4987
Off-by-one error allows context-dependent attackers to execute arbitrary
code via a crafted image file, which triggers the writing of a '\0'
character to an out-of-bounds address. It affects only the oldstable
distribution (etch).
CVE-2007-4988
1 media-libs/libpng < 1.2.21-r3 >= 1.2.21-r3
Description
===========
An off-by-one error when handling ICC profile chunks in the
png_set_iCCP() function was discovered (CVE-2007-5266). George Cook and
Jeff Phillips reported several errors in pngrtran.c, the use of logical
instead of bitwise functions and incorrect comparisons
(CVE-2007-5268). Tavis Ormandy reported out-of-bounds read errors in
several PNG chunk handling functions (CVE-2007-5269).
1 net-print/cups < 1.2.12-r2 >= 1.2.12-r2
Description
===========
Alin Rad Pop (Secunia Research) discovered an off-by-one error in the
ippReadIO() function when handling Internet Printing Protocol (IPP)
tags that might allow one byte on the stack to be overwritten.
Impact
======
Problem Description:
Multiple vulnerabilities were discovered in libpng:
An off-by-one error when handling ICC profile chunks in the
png_set_iCCP() function (CVE-2007-5266; only affects Mandriva Linux
2008.0).
George Cook and Jeff Phillips reported several errors in pngrtran.c,
such as the use of logical instead of bitwise functions and incorrect
Problem Description:
A vulnerability has been found and corrected in perl-Compress-Raw-Zlib:
Off-by-one error in the inflate function in Zlib.xs in
Compress::Raw::Zlib Perl module before 2.017, as used in AMaViS,
SpamAssassin, and possibly other products, allows context-dependent
attackers to cause a denial of service (hang or crash) via a crafted
zlib compressed stream that triggers a heap-based buffer overflow,
as exploited in the wild by Trojan.Downloader-71014 in June 2009
Affected: 2008.0, 2008.1, 2009.0, Corporate 3.0, Corporate 4.0
_______________________________________________________________________
Problem Description:
An off-by-one error was found in ClamAV versions prior to 0.94.1 that
could allow remote attackers to cause a denial of service or possibly
execute arbitrary code via a crafted VBA project file (CVE-2008-5050).
Other bugs have also been corrected in 0.94.1 which is being provided
with this update.
* Ryan Permeh reported that the init_request_info() function in
sapi/cgi/cgi_main.c does not properly consider operator precedence
when calculating the length of PATH_TRANSLATED (CVE-2008-0599).
* An off-by-one error in the metaphone() function may lead to memory
corruption.
* Maksymilian Arciemowicz of SecurityReason Research reported an
integer overflow, which is triggerable using printf() and related
functions (CVE-2008-1384).
Problem Description:
Multiple vulnerabilities have been discovered and corrected in libxml2:
Off-by-one error in libxml allows remote attackers to execute arbitrary
code or cause a denial of service (heap-based buffer overflow and
application crash) via a crafted web site (CVE-2011-0216).
libxml2 allows remote attackers to cause a denial of service
(out-of-bounds read) via unspecified vectors (CVE-2011-3905).
Description
===========
Andy Polyakov reported a vulnerability in the OpenSSL toolkit that is
caused by an unspecified off-by-one error within the DTLS
implementation.
Impact
======
2007b allows remote SMTP servers to cause a denial of service (NULL
pointer dereference and application crash) by responding to the QUIT
command with a close of the TCP connection instead of the expected
221 response code (CVE-2008-5006).
Off-by-one error in the rfc822_output_char function in the RFC822BUFFER
routines in the University of Washington (UW) c-client library, as
used by the UW IMAP toolkit before imap-2007e and other applications,
allows context-dependent attackers to cause a denial of service (crash)
via an e-mail message that triggers a buffer overflow (CVE-2008-5514).
=============================================================================
FreeBSD-SA-10:05.opie Security Advisory
The FreeBSD Project
Topic: OPIE off-by-one stack overflow
Category: contrib
Module: contrib_opie
Announced: 2010-05-27
Credits: Maksymilian Arciemowicz and Adam Zabrocki
could cause a system crash by crafting a malicious binary which
makes o32 syscalls with a number less than 4000.
CVE-2008-5702
Zvonimir Rakamaric reported an off-by-one error in the ib700wdt
watchdog driver which allows local users to cause a buffer
underflow by making a specially crafted WDIOC_SETTIMEOUT ioctl
call.
CVE-2008-5713
names, leading to stack-based buffer overflows (CVE-2008-5005).
* An error in smtp.c in the c-client library was found, leading to a
NULL pointer dereference vulnerability (CVE-2008-5006).
* Ludwig Nussel reported an off-by-one error in the
rfc822_output_char() function in the RFC822BUFFER routines in the
c-client library, as used by the UW IMAP toolkit (CVE-2008-5514).
Impact
======
cause a denial of service (memory consumption) via a crafted XML
document containing a large number of nested entity references, as
demonstrated by a PROPFIND request, a similar issue to CVE-2003-1564
(CVE-2009-1955).
Off-by-one error in the apr_brigade_vprintf function in Apache APR-util
before 1.3.5 on big-endian platforms allows remote attackers to obtain
sensitive information or cause a denial of service (application crash)
via crafted input (CVE-2009-1956).
The updated packages have been patched to prevent this.
Problem Description:
A vulnerability has been found and corrected in perl-Compress-Raw-Bzip:
Off-by-one error in the bzinflate function in Bzip2.xs in
the Compress-Raw-Bzip2 module before 2.018 for Perl allows
context-dependent attackers to cause a denial of service (application
hang or crash) via a crafted bzip2 compressed stream that triggers
a buffer overflow, a related issue to CVE-2009-1391 (CVE-2009-1884).