CVE-2016-2851 – libotr 4.1.0 - Memory Corruption
https://notcve.org/view.php?id=CVE-2016-2851
Integer overflow in proto.c in libotr before 4.1.1 on 64-bit platforms allows remote attackers to cause a denial of service (memory corruption and application crash) or execute arbitrary code via a series of large OTR messages, which triggers a heap-based buffer overflow.

A remote attacker may crash or execute arbitrary code in libotr by sending large OTR messages. While processing specially crafted messages, attacker-controlled data on the heap is written out of bounds. No special user interaction or authorization is necessary in default configurations. libotr versions 4.1.0 and below are affected.

References:
https://www.exploit-db.com/exploits/39550
http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00021.html
http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00030.html
http://seclists.org/fulldisclosure/2016/Mar/21
http://www.debian.org/security/2016/dsa-3512
http://www.securityfocus.com/archive/1/537745/100/0/threaded
http://www.securityfocus.com/bid/84285
http://www.ubuntu.com/usn/USN-2926-1
https://lists.cypherpunks.ca/pipermail/otr-users/2016-Mar

CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
CVE-2012-3461
https://notcve.org/view.php?id=CVE-2012-3461
The (1) otrl_base64_otr_decode function in src/b64.c; (2) otrl_proto_data_read_flags and (3) otrl_proto_accept_data functions in src/proto.c; and (4) decode function in toolkit/parse.c in libotr before 3.2.1 allocate a zero-length buffer when decoding a base64 string, which allows remote attackers to cause a denial of service (application crash) via a message with the value "?OTR:===.", which triggers a heap-based buffer overflow.

References:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=684121
http://lists.cypherpunks.ca/pipermail/otr-dev/2012-July/001347.html
http://lists.cypherpunks.ca/pipermail/otr-dev/2012-July/001348.html
http://lists.opensuse.org/opensuse-security-announce/2012-11/msg00016.html
http://lists.opensuse.org/opensuse-security-announce/2012-11/msg00019.html
http://lists.opensuse.org/opensuse-security-announce/2013-01/msg00019.html
http://otr.git.sourceforge.net/git/gitweb.cgi?p=otr/libotr%3Ba=commitdiff%3Bh

CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer