CVE-2018-7566 – kernel: race condition in snd_seq_write() may lead to UAF or OOB-access
https://notcve.org/view.php?id=CVE-2018-7566
The Linux kernel 4.15 has a Buffer Overflow via an SNDRV_SEQ_IOCTL_SET_CLIENT_POOL ioctl write operation to /dev/snd/seq by a local user. El kernel de Linux 4.15 tiene un desbordamiento de búfer mediante una operación de escritura ioctl SNDRV_SEQ_IOCTL_SET_CLIENT_POOL en /dev/snd/seq por un usuario local. ALSA sequencer core initializes the event pool on demand by invoking snd_seq_pool_init() when the first write happens and the pool is empty. A user can reset the pool size manually via ioctl concurrently, and this may lead to UAF or out-of-bound access. • http://lists.opensuse.org/opensuse-security-announce/2018-03/msg00067.html http://mailman.alsa-project.org/pipermail/alsa-devel/2018-February/132026.html http://www.securityfocus.com/bid/103605 https://access.redhat.com/errata/RHSA-2018:2384 https://access.redhat.com/errata/RHSA-2018:2390 https://access.redhat.com/errata/RHSA-2018:2395 https://access.redhat.com/errata/RHSA-2018:2948 https://access.redhat.com/errata/RHSA-2019:1483 https://access.redhat.com/errata/RHSA-2019:1487 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •
CVE-2018-5148 – firefox: Use-after-free in compositor potentially allows code execution
https://notcve.org/view.php?id=CVE-2018-5148
A use-after-free vulnerability can occur in the compositor during certain graphics operations when a raw pointer is used instead of a reference counted one. This results in a potentially exploitable crash. This vulnerability affects Firefox ESR < 52.7.3 and Firefox < 59.0.2. Puede ocurrir una vulnerabilidad de uso de memoria previamente liberada en el compositor durante determinadas operaciones de gráficos cuando un puntero raw se utiliza en vez de una de conteo de referencias. Esto resulta en un cierre inesperado explotable. • http://www.securityfocus.com/bid/103506 http://www.securitytracker.com/id/1040574 https://access.redhat.com/errata/RHSA-2018:1098 https://access.redhat.com/errata/RHSA-2018:1099 https://bugzilla.mozilla.org/show_bug.cgi?id=1440717 https://lists.debian.org/debian-lts-announce/2018/03/msg00023.html https://usn.ubuntu.com/3609-1 https://www.debian.org/security/2018/dsa-4153 https://www.mozilla.org/security/advisories/mfsa2018-10 https://access.redhat.com/security/cve/CVE& • CWE-416: Use After Free •
CVE-2017-15710 – httpd: Out of bounds write in mod_authnz_ldap when using too small Accept-Language values
https://notcve.org/view.php?id=CVE-2017-15710
In Apache httpd 2.0.23 to 2.0.65, 2.2.0 to 2.2.34, and 2.4.0 to 2.4.29, mod_authnz_ldap, if configured with AuthLDAPCharsetConfig, uses the Accept-Language header value to lookup the right charset encoding when verifying the user's credentials. If the header value is not present in the charset conversion table, a fallback mechanism is used to truncate it to a two characters value to allow a quick retry (for example, 'en-US' is truncated to 'en'). A header value of less than two characters forces an out of bound write of one NUL byte to a memory location that is not part of the string. In the worst case, quite unlikely, the process would crash which could be used as a Denial of Service attack. In the more likely case, this memory is already reserved for future use and the issue has no effect at all. • http://www.openwall.com/lists/oss-security/2018/03/24/8 http://www.securityfocus.com/bid/103512 http://www.securitytracker.com/id/1040569 https://access.redhat.com/errata/RHSA-2018:3558 https://access.redhat.com/errata/RHSA-2019:0366 https://access.redhat.com/errata/RHSA-2019:0367 https://httpd.apache.org/security/vulnerabilities_24.html https://lists.apache.org/thread.html/56c2e7cc9deb1c12a843d0dc251ea7fd3e7e80293cde02fcd65286ba%40%3Ccvs.httpd.apache.org%3E https://lists.apache.org/thread.ht • CWE-787: Out-of-bounds Write •
CVE-2018-1301 – httpd: Out of bounds access after failure in reading the HTTP request
https://notcve.org/view.php?id=CVE-2018-1301
A specially crafted request could have crashed the Apache HTTP Server prior to version 2.4.30, due to an out of bound access after a size limit is reached by reading the HTTP header. This vulnerability is considered very hard if not impossible to trigger in non-debug mode (both log and build level), so it is classified as low risk for common server usage. Una petición especialmente manipulada podría haber provocado el cierre inesperado del servidor Apache HTTP en versiones anteriores a la 2.4.30, debido a un acceso fuera de límites tras alcanzar un límite de tamaño mediante la lectura de una cabecera HTTP. Esta vulnerabilidad se considera crítica si no es imposible desencadenarla en un modo que no sea de depuración (tanto a nivel de log como de build), por lo que se clasifica como vulnerabilidad de riesgo bajo para un uso común del servidor. • http://www.openwall.com/lists/oss-security/2018/03/24/2 http://www.securityfocus.com/bid/103515 http://www.securitytracker.com/id/1040573 https://access.redhat.com/errata/RHSA-2018:3558 https://access.redhat.com/errata/RHSA-2019:0366 https://access.redhat.com/errata/RHSA-2019:0367 https://httpd.apache.org/security/vulnerabilities_24.html https://lists.apache.org/thread.html/56c2e7cc9deb1c12a843d0dc251ea7fd3e7e80293cde02fcd65286ba%40%3Ccvs.httpd.apache.org%3E https://lists.apache.org/thread.ht • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-125: Out-of-bounds Read •
CVE-2018-1312 – httpd: Weak Digest auth nonce generation in mod_auth_digest
https://notcve.org/view.php?id=CVE-2018-1312
In Apache httpd 2.2.0 to 2.4.29, when generating an HTTP Digest authentication challenge, the nonce sent to prevent reply attacks was not correctly generated using a pseudo-random seed. In a cluster of servers using a common Digest authentication configuration, HTTP requests could be replayed across servers by an attacker without detection. En Apache httpd, en versiones desde la 2.2.0 hasta la 2.4.29, cuando se genera un desafío de autenticación HTTP Digest, el nonce enviado para evitar ataques replay no se generó correctamente empleando una semilla pseudoaleatoria. En un clúster de servidores, utilizando una configuración de autenticación Digest común, las peticiones HTTP se podrían reemplazar en los servidores por un atacante si que este sea detectado. • http://www.openwall.com/lists/oss-security/2018/03/24/7 http://www.securityfocus.com/bid/103524 http://www.securitytracker.com/id/1040571 https://access.redhat.com/errata/RHSA-2018:3558 https://access.redhat.com/errata/RHSA-2019:0366 https://access.redhat.com/errata/RHSA-2019:0367 https://access.redhat.com/errata/RHSA-2019:1898 https://httpd.apache.org/security/vulnerabilities_24.html https://lists.apache.org/thread.html/56c2e7cc9deb1c12a843d0dc251ea7fd3e7e80293cde02fcd65286ba%40%3Ccvs.httpd. • CWE-287: Improper Authentication CWE-305: Authentication Bypass by Primary Weakness •