CVSS: 6.0EPSS: 0%CPEs: 13EXPL: 0CVE-2020-14310 – grub2: Integer overflow read_section_as_string may lead to heap-based buffer overflow
https://notcve.org/view.php?id=CVE-2020-14310
There is an issue on grub2 before version 2.06 at function read_section_as_string(). It expects a font name to be at max UINT32_MAX - 1 length in bytes but it doesn't verify it before proceed with buffer allocation to read the value from the font value. An attacker may leverage that by crafting a malicious font file which has a name with UINT32_MAX, leading to read_section_as_string() to an arithmetic overflow, zero-sized allocation and further heap-based buffer overflow. Se presenta un problema en grub2 versiones anteriores a 2.06, en la función read_section_as_string(). Se espera que el nombre de la fuente sea una longitud máxima UINT32_MAX - 1 en bytes, pero no lo verifica antes de proceder con la asignación del búfer para leer el valor desde el valor de la fuente. • http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00016.html http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00017.html https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-14310 https://security.gentoo.org/glsa/202104-05 https://usn.ubuntu.com/4432-1 https://access.redhat.com/security/cve/CVE-2020-14310 https://bugzilla.redhat.com/show_bug.cgi?id=1852030 • CWE-122: Heap-based Buffer Overflow CWE-190: Integer Overflow or Wraparound •
CVSS: 5.3EPSS: 0%CPEs: 6EXPL: 0CVE-2020-15863
https://notcve.org/view.php?id=CVE-2020-15863
hw/net/xgmac.c in the XGMAC Ethernet controller in QEMU before 07-20-2020 has a buffer overflow. This occurs during packet transmission and affects the highbank and midway emulated machines. A guest user or process could use this flaw to crash the QEMU process on the host, resulting in a denial of service or potential privileged code execution. This was fixed in commit 5519724a13664b43e225ca05351c60b4468e4555. El archivo hw/net/xgmac.c en el controlador Ethernet XGMAC en QEMU antes del 20/07/2020, presenta un desbordamiento de búfer. • http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00024.html http://www.openwall.com/lists/oss-security/2020/07/22/1 https://git.qemu.org/?p=qemu.git%3Ba=commitdiff%3Bh=5519724a13664b43e225ca05351c60b4468e4555 https://lists.nongnu.org/archive/html/qemu-devel/2020-07/msg03497.html https://lists.nongnu.org/archive/html/qemu-devel/2020-07/msg05745.html https://security.gentoo.org/glsa/202208-27 https://usn.ubuntu.com/4467-1 https://www.debian.org/security/2020/dsa-47 • CWE-787: Out-of-bounds Write •
CVSS: 9.8EPSS: 0%CPEs: 5EXPL: 0CVE-2020-15900
https://notcve.org/view.php?id=CVE-2020-15900
A memory corruption issue was found in Artifex Ghostscript 9.50 and 9.52. Use of a non-standard PostScript operator can allow overriding of file access controls. The 'rsearch' calculation for the 'post' size resulted in a size that was too large, and could underflow to max uint32_t. This was fixed in commit 5d499272b95a6b890a1397e11d20937de000d31b. Se encontró un problema de corrupción de memoria en Artifex Ghostscript versiones 9.50 y 9.52. • http://git.ghostscript.com/?p=ghostpdl.git%3Ba=log http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00004.html http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00006.html https://artifex.com/security-advisories/CVE-2020-15900 https://git.ghostscript.com/?p=ghostpdl.git%3Ba=commitdiff%3Bh=5d499272b95a6b890a1397e11d20937de000d31b https://github.com/ArtifexSoftware/ghostpdl/commit/5d499272b95a6b890a1397e11d20937de000d31b https://github.com/ArtifexSoftware/ghostpdl/commits/master/psi/zstring.c https: • CWE-191: Integer Underflow (Wrap or Wraparound) CWE-787: Out-of-bounds Write •
CVSS: 3.5EPSS: 0%CPEs: 7EXPL: 0CVE-2020-15103 – Integer Overflow in FreeRDP
https://notcve.org/view.php?id=CVE-2020-15103
In FreeRDP less than or equal to 2.1.2, an integer overflow exists due to missing input sanitation in rdpegfx channel. All FreeRDP clients are affected. The input rectangles from the server are not checked against local surface coordinates and blindly accepted. A malicious server can send data that will crash the client later on (invalid length arguments to a `memcpy`) This has been fixed in 2.2.0. As a workaround, stop using command line arguments /gfx, /gfx-h264 and /network:auto En FreeRDP versiones anteriores o igual a 2.1.2, se presenta un desbordamiento de enteros debido a una falta de saneamiento de entrada en el canal rdpegfx. • http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00010.html https://github.com/FreeRDP/FreeRDP/blob/616af2d5b86dc24c7b3e89870dbcffd841d9a535/ChangeLog#L4 https://github.com/FreeRDP/FreeRDP/pull/6382 https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-4r38-6hq7-j3j9 https://lists.debian.org/debian-lts-announce/2023/10/msg00008.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6Y35HBHG2INICLSGCIKNAR7GCXEHQACQ https://lists.fedoraproject.org/archives/list&#x • CWE-122: Heap-based Buffer Overflow CWE-190: Integer Overflow or Wraparound CWE-680: Integer Overflow to Buffer Overflow •
CVSS: 5.0EPSS: 0%CPEs: 2EXPL: 1CVE-2014-1422 – Location service uses cached authorization even after revocation
https://notcve.org/view.php?id=CVE-2014-1422
In Ubuntu's trust-store, if a user revokes location access from an application, the location is still available to the application because the application will honour incorrect, cached permissions. This is because the cache was not ordered by creation time by the Select struct in src/core/trust/impl/sqlite3/store.cpp. Fixed in trust-store (Ubuntu) version 1.1.0+15.04.20150123-0ubuntu1 and trust-store (Ubuntu RTM) version 1.1.0+15.04.20150123~rtm-0ubuntu1. En trust-store de Ubuntu, si un usuario revoca el acceso a la ubicación desde una aplicación, la ubicación aún está disponible para la aplicación porque la aplicación respetará los permisos de caché incorrectos. Esto es debido a que la caché no fue ordenada por tiempo de creación por la estructura Select en el archivo src/core/trust/impl/sqlite3/store.cpp. • https://bazaar.launchpad.net/~phablet-team/trust-store/trunk/revision/82 https://launchpad.net/bugs/1387734 • CWE-275: Permission Issues CWE-732: Incorrect Permission Assignment for Critical Resource •