CVE-2018-18585 – libmspack: chmd_read_headers() fails to reject filenames containing NULL bytes
https://notcve.org/view.php?id=CVE-2018-18585
chmd_read_headers in mspack/chmd.c in libmspack before 0.8alpha accepts a filename that has '\0' as its first or second character (such as the "/\0" name). chmd_read_headers en mspack/chmd.c en libmspack en versiones anteriores a la 0.8alpha acepta un nombre de archivo que tiene "\0" como su primer o segundo carácter (como el nombre "/\0"). • https://access.redhat.com/errata/RHSA-2019:2049 https://bugs.debian.org/911637 https://github.com/kyz/libmspack/commit/8759da8db6ec9e866cb8eb143313f397f925bb4f https://lists.debian.org/debian-lts-announce/2018/10/msg00017.html https://security.gentoo.org/glsa/201903-20 https://usn.ubuntu.com/3814-1 https://usn.ubuntu.com/3814-2 https://usn.ubuntu.com/3814-3 https://www.openwall.com/lists/oss-security/2018/10/22/1 https://www.starwindsoftware.com/security/sw-20181213-0002 • CWE-476: NULL Pointer Dereference •
CVE-2018-18559 – kernel: Use-after-free due to race condition in AF_PACKET implementation
https://notcve.org/view.php?id=CVE-2018-18559
In the Linux kernel through 4.19, a use-after-free can occur due to a race condition between fanout_add from setsockopt and bind on an AF_PACKET socket. This issue exists because of the 15fe076edea787807a7cdc168df832544b58eba6 incomplete fix for a race condition. The code mishandles a certain multithreaded case involving a packet_do_bind unregister action followed by a packet_notifier register action. Later, packet_release operates on only one of the two applicable linked lists. The attacker can achieve Program Counter control. • https://access.redhat.com/errata/RHBA-2019:0327 https://access.redhat.com/errata/RHSA-2019:0163 https://access.redhat.com/errata/RHSA-2019:0188 https://access.redhat.com/errata/RHSA-2019:1170 https://access.redhat.com/errata/RHSA-2019:1190 https://access.redhat.com/errata/RHSA-2019:3967 https://access.redhat.com/errata/RHSA-2019:4159 https://access.redhat.com/errata/RHSA-2020:0174 https://blogs.securiteam.com/index.php/archives/3731 https://access.redhat.com/security/ • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') CWE-416: Use After Free •
CVE-2018-18438
https://notcve.org/view.php?id=CVE-2018-18438
Qemu has integer overflows because IOReadHandler and its associated functions use a signed integer data type for a size value. Qemu tiene desbordamientos de enteros debido a que IOReadHandler y sus funciones asociadas emplean un tipo de datos de enteros firmados para un valor tamaño. • http://www.openwall.com/lists/oss-security/2018/10/17/3 http://www.securityfocus.com/bid/105953 https://lists.gnu.org/archive/html/qemu-devel/2018-10/msg02396.html https://lists.gnu.org/archive/html/qemu-devel/2018-10/msg02402.html • CWE-190: Integer Overflow or Wraparound •
CVE-2018-18520 – elfutils: eu-size cannot handle recursive ar files
https://notcve.org/view.php?id=CVE-2018-18520
An Invalid Memory Address Dereference exists in the function elf_end in libelf in elfutils through v0.174. Although eu-size is intended to support ar files inside ar files, handle_ar in size.c closes the outer ar file before handling all inner entries. The vulnerability allows attackers to cause a denial of service (application crash) with a crafted ELF file. Existe una desreferencia de dirección de memoria inválida en la función elf_end en elfutils hasta la versión v0.174. Aunque se supone que eu-size soporta archivos ar dentro de archivos ar, handle_ar en size.c cierra el archivo ar externo antes de gestionar todas la entradas internas. • http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00052.html https://access.redhat.com/errata/RHSA-2019:2197 https://lists.debian.org/debian-lts-announce/2019/02/msg00036.html https://lists.debian.org/debian-lts-announce/2021/10/msg00030.html https://sourceware.org/bugzilla/show_bug.cgi?id=23787 https://sourceware.org/ml/elfutils-devel/2018-q4/msg00057.html https://usn.ubuntu.com/4012-1 https://access.redhat.com/security/cve/CVE-2018-18520 https://bugzilla.redh • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVE-2018-18521 – elfutils: Divide-by-zero in arlib_add_symbols function in arlib.c
https://notcve.org/view.php?id=CVE-2018-18521
Divide-by-zero vulnerabilities in the function arlib_add_symbols() in arlib.c in elfutils 0.174 allow remote attackers to cause a denial of service (application crash) with a crafted ELF file, as demonstrated by eu-ranlib, because a zero sh_entsize is mishandled. Vulnerabilidades de división entre cero en la función arlib_add_symbols() en arlib.c en elfutils 0.174 permiten que los atacantes remotos provoquen una denegación de servicio (cierre inesperado de la aplicación) con un archivo ELF manipulado, tal y como queda demostrado con eu-ranlib. Esto se debe a que se gestiona de manera incorrecta un sh_entsize con valor cero. • http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00052.html https://access.redhat.com/errata/RHSA-2019:2197 https://lists.debian.org/debian-lts-announce/2019/02/msg00036.html https://lists.debian.org/debian-lts-announce/2021/10/msg00030.html https://sourceware.org/bugzilla/show_bug.cgi?id=23786 https://sourceware.org/ml/elfutils-devel/2018-q4/msg00055.html https://usn.ubuntu.com/4012-1 https://access.redhat.com/security/cve/CVE-2018-18521 https://bugzilla.redh • CWE-369: Divide By Zero •