CVE-2018-20843 – expat: large number of colons in input makes parser consume high amount of resources, leading to DoS
https://notcve.org/view.php?id=CVE-2018-20843
In libexpat in Expat before 2.2.7, XML input including XML names that contain a large number of colons could make the XML parser consume a high amount of RAM and CPU resources while processing (enough to be usable for denial-of-service attacks). En libexpat en Expat anterior a versión 2.2.7, una entrada XML incluyendo nombres XML que contienen una gran cantidad de "dos puntos", podría hacer que el analizador XML consuma una gran cantidad de recursos de RAM y CPU durante el procesamiento (lo suficiente como para ser utilizables en ataques de denegación de servicio) . It was discovered that the "setElementTypePrefix()" function incorrectly extracted XML namespace prefixes. By tricking an application into processing a specially crafted XML file, an attacker could cause unusually high consumption of memory resources and possibly lead to a denial of service. • http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00039.html https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=5226 https://github.com/libexpat/libexpat/blob/R_2_2_7/expat/Changes https://github.com/libexpat/libexpat/issues/186 https://github.com/libexpat/libexpat/pull/262 https://github.com/libexpat/libexpat/pull/262/commits/11f8838bf99ea0a6f0b76f9760c43704d00c4ff6 https://lists.debian.org/debian-lts-announce/2019/06/msg00028.html https://lists.fedoraproject.org/archives/ • CWE-400: Uncontrolled Resource Consumption CWE-611: Improper Restriction of XML External Entity Reference •
CVE-2019-10161 – libvirt: arbitrary file read/exec via virDomainSaveImageGetXMLDesc API
https://notcve.org/view.php?id=CVE-2019-10161
It was discovered that libvirtd before versions 4.10.1 and 5.4.1 would permit read-only clients to use the virDomainSaveImageGetXMLDesc() API, specifying an arbitrary path which would be accessed with the permissions of the libvirtd process. An attacker with access to the libvirtd socket could use this to probe the existence of arbitrary files, cause denial of service or cause libvirtd to execute arbitrary programs. Se detectó que libvirtd anterior a versiones 4.10.1 y 5.4.1, permitiría a clientes de solo lectura usar la API de la función virDomainSaveImageGetXMLDesc(), especificando una ruta (path) arbitraria a la que se accedería con los permisos del proceso libvirtd. Un atacante con acceso al socket libvirtd podría usar esto para probar la existencia de archivos arbitrarios, causar una denegación de servicio o causar que libvirtd ejecute programas arbitrarios. It was discovered that libvirtd would permit read-only clients to use the virDomainSaveImageGetXMLDesc() API, specifying an arbitrary path which would be accessed with the permissions of the libvirtd process. • https://access.redhat.com/libvirt-privesc-vulnerabilities https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10161 https://libvirt.org/git/?p=libvirt.git%3Ba=commit%3Bh=aed6a032cead4386472afb24b16196579e239580 https://security.gentoo.org/glsa/202003-18 https://usn.ubuntu.com/4047-2 https://access.redhat.com/security/cve/CVE-2019-10161 https://bugzilla.redhat.com/show_bug.cgi?id=1720115 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-284: Improper Access Control CWE-862: Missing Authorization •
CVE-2019-12900 – bzip2: out-of-bounds write in function BZ2_decompress
https://notcve.org/view.php?id=CVE-2019-12900
BZ2_decompress in decompress.c in bzip2 through 1.0.6 has an out-of-bounds write when there are many selectors. La función BZ2_decompress en el archivo decompress.c en bzip2 hasta 1.0.6, presenta una escritura fuera de límites cuando hay muchos selectores. • http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00040.html http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00050.html http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00078.html http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00000.html http://packetstormsecurity.com/files/153644/Slackware-Security-Advisory-bzip2-Updates.html http://packetstormsecurity.com/files/153957/FreeBSD-Security-Advisory-FreeBSD-SA-19-18.bzip2.html https://gitlab.com/federicomenaqui • CWE-787: Out-of-bounds Write •
CVE-2019-11038 – Uninitialized read in gdImageCreateFromXbm
https://notcve.org/view.php?id=CVE-2019-11038
When using the gdImageCreateFromXbm() function in the GD Graphics Library (aka LibGD) 2.2.5, as used in the PHP GD extension in PHP versions 7.1.x below 7.1.30, 7.2.x below 7.2.19 and 7.3.x below 7.3.6, it is possible to supply data that will cause the function to use the value of uninitialized variable. This may lead to disclosing contents of the stack that has been left there by previous code. Cuando se usa la función gdImageCreateFromXbm () en la Biblioteca de gráficos GD (también conocida como LibGD) 2.2.5, como se usa en la extensión PHP GD en las versiones de PHP 7.1.x debajo de 7.1.30, 7.2.x debajo de 7.2.19 y 7.3.x debajo 7.3.6, es posible suministrar datos que harán que la función use el valor de la variable no inicializada. Esto puede llevar a revelar el contenido de la pila que ha quedado allí por código anterior. • http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00020.html https://access.redhat.com/errata/RHSA-2019:2519 https://access.redhat.com/errata/RHSA-2019:3299 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=929821 https://bugs.php.net/bug.php?id=77973 https://bugzilla.redhat.com/show_bug.cgi?id=1724149 https://bugzilla.redhat.com/show_bug.cgi?id=1724432 https://bugzilla.suse.com/show_bug.cgi? • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-457: Use of Uninitialized Variable CWE-908: Use of Uninitialized Resource •
CVE-2019-11477 – Integer overflow in TCP_SKB_CB(skb)->tcp_gso_segs
https://notcve.org/view.php?id=CVE-2019-11477
Jonathan Looney discovered that the TCP_SKB_CB(skb)->tcp_gso_segs value was subject to an integer overflow in the Linux kernel when handling TCP Selective Acknowledgments (SACKs). A remote attacker could use this to cause a denial of service. This has been fixed in stable kernel releases 4.4.182, 4.9.182, 4.14.127, 4.19.52, 5.1.11, and is fixed in commit 3b4929f65b0d8249f19a50245cd88ed1a2f78cff. Jonathan Looney detectó que el valor TCP_SKB_CB(skb)-mayor que tcp_gso_segs estuvo sujeto a un desbordamiento de enteros en el kernel de Linux durante el manejo del Reconocimiento Selectivo (SACK) de TCP. Un atacante remoto podría usar esto para causar una denegación de servicio. • http://packetstormsecurity.com/files/153346/Kernel-Live-Patch-Security-Notice-LSN-0052-1.html http://packetstormsecurity.com/files/154951/Kernel-Live-Patch-Security-Notice-LSN-0058-1.html http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2020-010.txt http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20191225-01-kernel-en http://www.openwall.com/lists/oss-security/2019/06/20/3 http://www.openwall.com/lists/oss-security/2019/06/28/2 http://www.openwall.com/lists/oss • CWE-190: Integer Overflow or Wraparound CWE-400: Uncontrolled Resource Consumption •