race condition
Security Advisory
=============================================================================
Advisory ID: CAU-2008-0001
Release Date: 04/01/2008
Title: Slowly Closing Door Race Condition
Application/OS: Physical Structures
Topic: Physical structures employing exit doors with locks
are vulnerable to a race condition.
Vendor Status: Not Notified
Attributes: Physical, Race Condition
=============================================================================
FreeBSD-SA-09:14.devfs Security Advisory
The FreeBSD Project
Topic: Devfs / VFS NULL pointer race condition
Category: core
Module: kern
Announced: 2009-10-02
Credits: Przemyslaw Frasunek
functionality in the Linux kernel before 2.6.25.9 allows local users
to cause a denial of service (resource consumption and system outage)
via vectors involving a large addr_num field in an sctp_getaddrs_old
data structure. (CVE-2008-2826)
Race condition in the directory notification subsystem (dnotify)
in Linux kernel 2.6.x before 2.6.24.6, and 2.6.25 before 2.6.25.1,
allows local users to cause a denial of service (OOPS) and possibly
gain privileges via unspecified vectors. (CVE-2008-1375)
The bdx_ioctl_priv function in the tehuti driver (tehuti.c) in
http://www.debian.org/security/ Thijs Kinkhorst
April 17, 2010 http://www.debian.org/security/faq
- ------------------------------------------------------------------------
Package : kdm (kdebase)
Vulnerability : race condition
Problem type : local
Debian-specific: no
CVE Id(s) : CVE-2010-0436
Sebastian Krahmer discovered that a race condition in the KDE Desktop
Multiple integer underflows in the x25_parse_facilities function in
allow remote attackers to cause a denial of service (system crash)
via malformed X.25 (1) X25_FAC_CLASS_A, (2) X25_FAC_CLASS_B, (3)
X25_FAC_CLASS_C, or (4) X25_FAC_CLASS_D facility data. (CVE-2010-4164)
Race condition in the do_setlk function allows local users to cause a
denial of service (crash) via vectors resulting in an interrupted RPC
call that leads to a stray FL_POSIX lock, related to improper handling
of a race between fcntl and close in the EINTR case. (CVE-2009-4307)
Multiple integer overflows in fs/bio.c allow local users to cause
http://www.debian.org/security/ Moritz Muehlenhoff
March 25, 2009 http://www.debian.org/security/faq
- ------------------------------------------------------------------------
Package : systemtap
Vulnerability : race condition
Problem type : local
Debian-specific: no
CVE Id(s) : CVE-2009-0784
Erik Sjoelund discovered that a race condition in the stap tool shipped
IBM DB2 Universal Database Multiple Race Condition Vulnerabilities
iDefense Security Advisory 08.16.07
http://labs.idefense.com/intelligence/vulnerabilities/
Aug 16, 2007
I. BACKGROUND
IBM Corp.'s DB2 Universal Database product is a large database server
product commonly used for high end databases. For more information,
#############################################
Internet Explorer 6, 7 and 8 Window.open race condition Vulnerability
Vendor URL: http://www.microsoft.com
Advisory: http://lostmon.blogspot.com/2011/08/internet-explorer-6-7-and-8-windowopen.html
Coordinated Disclosure: YES exploit available: Private
CVE-2011-1257 and MS011-57
#############################################
Microsoft Internet Explorer 6, 7 and 8 are vulnerable to
remote code execution due to a race condition in window.open
------------------------------------------------------------------------
PulseAudio local race condition privilege escalation vulnerability
------------------------------------------------------------------------
Yorick Koster, June 2009
------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
The PulseAudio binary is affected by a local race condition. If the
FreeBSD <= 6.1 suffers from classical check/use race condition on SMP
systems in kevent() syscall, leading to kernel mode NULL pointer
dereference. It can be triggered by spawning two threads:
1st thread looping on open() and close() syscalls, and the 2nd thread
looping on kevent(), trying to add a possibly invalid file descriptor.
The bug was fixed in 6.1-STABLE, just before release of 6.2-RELEASE, but
http://www.debian.org/security/ Thijs Kinkhorst
October 8, 2011 http://www.debian.org/security/faq
- -------------------------------------------------------------------------
Package : policykit-1
Vulnerability : race condition
Problem type : local
Debian-specific: no
CVE ID : CVE-2011-1485
Debian Bug : 644500
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
A race condition might lead to theft of user credentials or information
disclosure in services using nss_ldap.
Background
==========
values during an ioctl. If the dvb-ttpci module was loaded, a local
attacker could exploit this to crash the system, leading to a denial of
service, or possibly gain root privileges. (CVE-2011-0521)
Jens Kuehnel discovered that the InfiniBand driver contained a race
condition. On systems using InfiniBand, a local attacker could send
specially crafted requests to crash the system, leading to a denial of
service. (CVE-2011-0695)
Timo Warns discovered that the LDM disk partition handling code did not
correctly handle certain values. By inserting a specially crafted disk
Unhide is a forensic tool to find processes and TCP/UDP ports hidden
by rootkits / LKMs or any other hidden techniques.
[*] What is new in this release
* Fixed a race condition bug that showed false positives
* Added manpages
[*] URLs
Description:
In previous versions of automake, when producing a distribution
tarball for a package that uses Automake, insecure permissions
were assigned to directories in the build tree, which introduces
a race condition that allows local users to modify the contents of
package files before the build is complete. This has been fixed.
http://wiki.rpath.com/Advisories:rPSA-2010-0071
Copyright 2010 rPath, Inc.
(USB subsystem hang and CPU consumption in khubd) by not closing the
device after the disconnect is invoked. NOTE: this rarely crosses
privilege boundaries, unless the attacker can convince the victim to
unplug the affected device. (CVE-2007-5093)
A race condition in the directory notification subsystem (dnotify)
in Linux kernel 2.6.x before 2.6.24.6, and 2.6.25 before 2.6.25.1,
allows local users to cause a denial of service (OOPS) and possibly
gain privileges via unspecified vectors. (CVE-2008-1375)
The Linux kernel before 2.6.25.2 does not apply a certain protection
following problems:
CVE-2008-4307
Bryn M. Reeves reported a denial of service in the NFS filesystem.
Local users can trigger a kernel BUG() due to a race condition in
the do_setlk function.
CVE-2008-5395
Helge Deller discovered a denial of service condition that allows
The (a) imagearc and (b) imagefilledarc functions in GD Graphics
Library (libgd) before 2.0.35 allow attackers to cause a denial
of service (CPU consumption) via a large (1) start or (2) end angle
degree value. (CVE-2007-3477)
Race condition in gdImageStringFTEx (gdft_draw_bitmap) in gdft.c in the
GD Graphics Library (libgd) before 2.0.35 allows user-assisted remote
attackers to cause a denial of service (crash) via unspecified vectors,
possibly involving truetype font (TTF) support. (CVE-2007-3478)
The security issues related to GIF image handling (CVE-2007-3473,
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1669
Description:
Previous versions of the kernel package are vulnerable to a race
condition which could allow local users to gain escalated privileges.
A system reboot is required to resolve these issues.
http://wiki.rpath.com/Advisories:rPSA-2008-0162
traversal vulnerability in chrome: URI handling could lead to
information disclosure.
CVE-2008-0419
David Bloom discovered a race condition in the image handling of
designMode elements, which could lead to information disclosure or
potentially the execution of arbitrary code.
CVE-2008-0591
man-in-the-middle attack, when using a proxy due to insufficient checks
on a certain proxy response. (MFSA 2009-27)
CVE-2009-1837
Jakob Balle and Carsten Eiram reported a race condition in the
NPObjWrapper_NewResolve function that can be used to execute arbitrary
code. (MFSA 2009-28)
CVE-2009-1838
ZDI-09-087: Microsoft Internet Explorer CSS Race Condition Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-09-087
December 8, 2009
-- CVE ID:
CVE-2009-3673
-- Affected Vendors:
Microsoft
http://www.debian.org/security/ Thijs Kinkhorst
January 21, 2009 http://www.debian.org/security/faq
- ------------------------------------------------------------------------
Package : shadow
Vulnerability : race condition
Problem type : local
Debian-specific: no
CVE Id(s) : CVE-2008-5394
Debian Bug : 505271
I am way behind on this, so I wanted to drop a quick note regarding
some of my vulnerabilities recently addressed by browser vendors - and
provide some possibly interesting PoCs / fuzzers to go with them:
Summary : MSIE same-origin bypass race condition (CVE-2007-3091)
Impact : security bypass, possibly more
Reported : June 2007 (publicly)
PoC URL : http://lcamtuf.coredump.cx/ierace/
Bulletin : http://www.microsoft.com/technet/security/bulletin/MS09-019.mspx
Notes : additional credit to David Bloom for developing an improved
> indeed lead to a
> change in access control semantics. Under POSIX, the file IS unwriteable,
> because it is protected by the permissions on the parent directory.
>
> (2) While it's irrelevant for his argument, the script by Pavel Machek has a
> race condition. The 'chmod 700 /tmp/my_priv' should be done before the
> file is created, not
> afterwards. Otherwise there is a window where the file exists, but hardlink
> creation is not prevented by the directory permissions.
>
Your (2) contradicts (1) and confirms what I said, if you didn't notice that.
That said, the user in the example already has access to the file (in
a running process), and would be able to do so again, *if he had
access to a directory where the file was hard-linked*. Pavel
described that the sysadmin checked for that, but even if this worked
as expected, there's a race condition where the user could create the
hard link after the sysadmin checked, but before the permissions were
corrected. Unlikely, I know... but possible.
There's a nearly identical case that works in all Unixen, AFAIK: You
have /a/b/file1, which is writable to user1. The user has permission
The (1) dist or (2) distcheck rules in GNU Automake 1.11.1, 1.10.3,
and release branches branch-1-4 through branch-1-9, when producing a
distribution tarball for a package that uses Automake, assign insecure
permissions (777) to directories in the build tree, which introduces
a race condition that allows local users to modify the contents of
package files, introduce Trojan horse programs, or conduct other
attacks before the build is complete (CVE-2009-4029).
Packages for 2009.0 are provided as of the Extended Maintenance
Program. Please visit this link to learn more:
traversal vulnerability in chrome: URI handling could lead to
information disclosure.
CVE-2008-0419
David Bloom discovered a race condition in the image handling of
designMode elements, which can lead to information disclosure or
potentially the execution of arbitrary code.
CVE-2008-0591
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5794
http://wiki.rpath.com/Advisories:rPSA-2007-0255
Description:
Previous versions of nss_ldap contain a race condition that can allow
nss_ldap to return the wrong information, allowing for the possibility of
improper information disclosure.
- ---
Problem type : local
Debian-specific: no
CVE Id : CVE-2009-3297
Debian Bug : 567633
Dan Rosenberg discovered a race condition in FUSE, a Filesystem in USErspace.
A local attacker, with access to use FUSE, could unmount arbitrary
locations, leading to a denial of service.
For the oldstable distribution (etch), this problem has been fixed in