Log

CVE-2017-1000083 created at 25 Sep 2019 19:31:40
Severity
+ Critical
Remote
+ Remote
Type
+ Arbitrary command execution
Description
+ The comic book backend in evince <= 3.24.0 is vulnerable to a command injection bug that can be used to execute arbitrary commands when a cbt file is opened.
+ CBT files are simple tar archives containing images. When a cbt file is processed, evince calls "tar -xOf $archive $filename" for every image file in the archive. While both the archive name and the filename are quoted so that the shell does not interpret them, the filename is completely attacker controlled and can start with "--", which leads to tar interpreting it as a command line flag. This can be exploited by creating a tar archive with an embedded file named something like this: "--checkpoint-action=exec=bash -c 'touch ~/covfefe.evince;'.jpg"
+ This can presumably be triggered by the evince thumbnailer, which is not sandboxed, and web browsers that allow untrusted websites to auto-download files without user interaction (Chrome, Epiphany) can trigger the thumbnailer to run, so this is web exposed.
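Added example (not evince's code): it builds a CBT archive whose member name has the shape given above, lists the names exactly as tar would receive them, and contrasts the argv shape the description attributes to evince with one that ends option parsing with "--". The member name is constructed from the description; the embedded command is never executed by this script, which only creates and reads the archive in memory.

```python
import io
import tarfile

# Constructed member name in the shape the description gives. It is only stored
# in an archive here; nothing in this script runs tar or the embedded command.
EVIL_NAME = "--checkpoint-action=exec=bash -c 'touch ~/covfefe.evince;'.jpg"


def build_cbt(member_names, image_bytes=b"\xff\xd8\xff\xd9"):
    """Return a CBT (plain tar) archive holding one tiny 'image' per name."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in member_names:
            info = tarfile.TarInfo(name)
            info.size = len(image_bytes)
            tar.addfile(info, io.BytesIO(image_bytes))
    return buf.getvalue()


def list_members(cbt_bytes):
    """Member names exactly as stored: this is the string handed to tar."""
    with tarfile.open(fileobj=io.BytesIO(cbt_bytes), mode="r") as tar:
        return tar.getnames()


def vulnerable_argv(archive, member):
    """The invocation shape the advisory describes. No shell is involved, but
    GNU tar itself parses any operand that starts with '-' as an option."""
    return ["tar", "-xOf", archive, member]


def hardened_argv(archive, member):
    """Same extraction with '--' ending option parsing, so the member name is
    always an operand. The explicit rejection is an independent second check:
    an archive member whose name starts with '-' has no business in a comic."""
    if member.startswith("-"):
        raise ValueError(f"refusing option-like member name {member!r}")
    return ["tar", "-xOf", archive, "--", member]


def option_like_operands(argv):
    """Operands after 'tar -xOf ARCHIVE' that tar would treat as options.
    Anything after a '--' is an operand by definition and is not counted."""
    operands = argv[3:]
    if "--" in operands:
        operands = operands[:operands.index("--")]
    return [a for a in operands if a.startswith("-")]


if __name__ == "__main__":
    cbt = build_cbt(["page001.jpg", EVIL_NAME])
    for name in list_members(cbt):
        print(option_like_operands(vulnerable_argv("evil.cbt", name)), name)
```

The "--" terminator is the generic fix for any program that is handed attacker-controlled operands on its command line; the name check is cheap and catches the same class even if a future code path forgets the terminator.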
References
+ https://bugzilla.gnome.org/show_bug.cgi?id=784630
+ https://git.gnome.org/browse/evince/commit/?h=gnome-3-24&id=717df38fd8509bf883b70d680c9b1b3cf36732ee
Notes
CVE-2017-1000098 created at 25 Sep 2019 19:31:40
Severity
+ High
Remote
+ Remote
Type
+ Denial of service
Description
+ The net/http package's Request.ParseMultipartForm method starts writing to temporary files once the request body size surpasses the given "maxMemory" limit. It was possible for an attacker to generate a multipart request crafted such that the server ran out of file descriptors.
References
+ https://groups.google.com/forum/#%21msg/golang-dev/4NdLzS8sls8/uIz8QlnIBQAJ
+ https://github.com/golang/go/commit/7478ea5dba7ed02ddffd91c1d17ec8141f7cf184
+ https://github.com/golang/go/issues/16296
Notes
CVE-2017-1000099 created at 25 Sep 2019 19:31:40
Severity
+ Low
Remote
+ Local
Type
+ Information disclosure
Description
+ An information disclosure issue has been found in curl < 7.55.0. When asked to get a file from a file:// URL, libcurl provides a feature that outputs meta-data about the file using HTTP-like headers. The code doing this would send the wrong buffer to the user (stdout or the application's provided callback), which could lead to other private data from the heap being inadvertently displayed. The wrong buffer was an uninitialized memory area allocated on the heap, and if it turned out not to contain any zero byte, the output would continue and display the data following that buffer in memory.
References
+ https://curl.haxx.se/docs/adv_20170809C.html
+ https://curl.haxx.se/CVE-2017-1000099.patch
Notes
CVE-2017-1000100 created at 25 Sep 2019 19:31:40
Severity
+ Medium
Remote
+ Remote
Type
+ Information disclosure
Description
+ An information disclosure issue has been found in curl < 7.55.0. When doing a TFTP transfer and curl/libcurl is given a URL that contains a very long file name (longer than about 515 bytes), the file name is truncated to fit within the buffer boundaries, but the buffer size is still wrongly updated to use the untruncated length. This too large value is then used in the sendto() call, making curl attempt to send more data than what is actually put into the buffer. The sendto() function will then read beyond the end of the heap based buffer.
+ A malicious HTTP(S) server could redirect a vulnerable libcurl-using client to a crafted TFTP URL (if the client hasn't restricted which protocols it allows redirects to) and trick it to send private memory contents to a remote server over UDP.
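Added example (not curl's code): a TFTP read-request encoder and decoder following RFC 1350, with the check that the description says was missing. The point is that the length passed on to the network must be the length of what was actually placed in the buffer; this version refuses an over-long name rather than truncating it. The 512-byte buffer size is an assumption standing in for the client's datagram buffer (it is TFTP's default block size, not the exact curl figure), and the URL-to-request helper is the example's own.

```python
import struct
from urllib.parse import unquote, urlsplit

TFTP_RRQ = 1
TFTP_BUFSIZE = 512   # assumed datagram buffer; RFC 1350's default block size


def encode_rrq(filename, mode="octet", bufsize=TFTP_BUFSIZE):
    """Build an RRQ datagram: opcode 1, filename, NUL, mode, NUL (RFC 1350)."""
    name = filename.encode("utf-8")
    if b"\x00" in name:
        raise ValueError("NUL inside the filename would end the field early")
    packet = struct.pack("!H", TFTP_RRQ) + name + b"\x00" + mode.encode("ascii") + b"\x00"
    # The advisory's bug class: the name was truncated to fit the buffer while
    # the length handed to sendto() was the untruncated one. Refuse instead of
    # truncating, so the length sent always equals the bytes actually encoded.
    if len(packet) > bufsize:
        raise ValueError(f"RRQ is {len(packet)} bytes, buffer holds {bufsize}")
    return packet


def decode_rrq(packet):
    """Inverse of encode_rrq; insists on exactly two NUL-terminated fields."""
    if len(packet) < 4:
        raise ValueError("short packet")
    (opcode,) = struct.unpack("!H", packet[:2])
    if opcode != TFTP_RRQ:
        raise ValueError(f"opcode {opcode} is not RRQ")
    fields = packet[2:].split(b"\x00")
    if len(fields) != 3 or fields[2] != b"":
        raise ValueError("RRQ must be exactly filename NUL mode NUL")
    return fields[0].decode("utf-8"), fields[1].decode("ascii")


def rrq_from_url(url, bufsize=TFTP_BUFSIZE):
    """Turn a tftp:// URL into (host, RRQ bytes) a client would send.
    A name that does not fit raises before any datagram is built."""
    u = urlsplit(url)
    if u.scheme != "tftp" or not u.hostname:
        raise ValueError("not a tftp URL with a host")
    return u.hostname, encode_rrq(unquote(u.path.lstrip("/")), bufsize=bufsize)


if __name__ == "__main__":
    host, rrq = rrq_from_url("tftp://192.0.2.1/boot%20image.bin")  # constructed URL
    print(host, decode_rrq(rrq), len(rrq))
    try:
        rrq_from_url("tftp://192.0.2.1/" + "A" * 600)
    except ValueError as e:
        print("refused:", e)
```

On the client side the other half of the mitigation is in the description itself: a libcurl-based application that follows redirects should restrict the protocols redirects may switch to (CURLOPT_REDIR_PROTOCOLS) so that an HTTP server cannot bounce it to TFTP at all.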
References
+ https://curl.haxx.se/docs/adv_20170809B.html
+ https://curl.haxx.se/CVE-2017-1000100.patch
Notes
CVE-2017-1000101 created at 25 Sep 2019 19:31:40
Severity
+ Low
Remote
+ Local
Type
+ Information disclosure
Description
+ A heap-based read buffer overflow has been found in curl < 7.55.0. In the globbing function that parses the numerical range, there was an omission that made curl read a byte beyond the end of the URL if given a carefully crafted, or just wrongly written, URL. The URL is stored in a heap based buffer, so it could then be made to wrongly read something else instead of crashing. An example of a URL that triggers the flaw would be http://ur%20[0-60000000000000000000. This flaw only affects the curl command line tool, not the libcurl library.
References
+ https://curl.haxx.se/docs/adv_20170809A.html
+ https://curl.haxx.se/CVE-2017-1000101.patch
Notes
CVE-2017-1000111 created at 25 Sep 2019 19:31:40
Severity
+ High
Remote
+ Local
Type
+ Arbitrary code execution
Description
+ Heap out-of-bounds in AF_PACKET sockets. This issue is analogous to the previously disclosed CVE-2016-8655: in both cases, a socket option that changes socket state may race with the safety checks in packet_set_ring, previously via PACKET_VERSION and this time via PACKET_RESERVE. The solution is similar: lock the socket for the update. This issue may be exploitable. As it affects PF_PACKET sockets, it requires CAP_NET_RAW in the process's namespace, but note that with user namespaces enabled, any process can create a namespace in which it has CAP_NET_RAW.
References
+ http://www.securityfocus.com/bid/100267
+ http://www.securitytracker.com/id/1039132
+ https://access.redhat.com/security/cve/cve-2017-1000111
+ https://github.com/torvalds/linux/commit/c27927e372f0785f3303e8fad94b85945e2c97b7
Notes
+ Fixed in:
+ - v4.13-rc5 by c27927e372f0785f3303e8fad94b85945e2c97b7
CVE-2017-1000112 created at 25 Sep 2019 19:31:40
Severity
+ High
Remote
+ Local
Type
+ Arbitrary code execution
Description
+ Exploitable memory corruption due to a UFO to non-UFO path switch. When building a UFO packet with MSG_MORE, __ip_append_data() calls ip_ufo_append_data() to append. However, in between two send() calls the append path can be switched from the UFO one to the non-UFO one, which leads to memory corruption. If the UFO packet length exceeds the MTU, copy = maxfraglen - skb->len becomes negative on the non-UFO path and the branch that allocates a new skb is taken. This triggers fragmentation and the computation fraggap = skb_prev->len - maxfraglen. fraggap can exceed the MTU, causing copy = datalen - transhdrlen - fraggap to become negative. Subsequently skb_copy_and_csum_bits() writes out of bounds. A similar issue is present in the IPv6 code. The bug was introduced in e89e9cf539a2 ("[IPv4/IPv6]: UFO Scatter-gather approach") on Oct 18 2005.
References
+ http://seclists.org/oss-sec/2017/q3/277
+ http://www.securityfocus.com/bid/100262
+ http://www.securitytracker.com/id/1039162
+ https://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git/commit/?id=85f1bd9a7b5a79d5baa8bf44af19658f7bf77bfa
Notes
+ Fixed in:
+ - v4.13-rc5 by 85f1bd9a7b5a79d5baa8bf44af19658f7bf77bfa
CVE-2017-1000115 created at 25 Sep 2019 19:31:40
Severity
+ High
Remote
+ Remote
Type
+ Arbitrary filesystem access
Description
+ Mercurial's symlink auditing was incomplete prior to 4.3, and could be abused to write to files outside the repository.
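Added example (not Mercurial's own auditor): the kind of path audit a VCS has to run before writing a checked-out file. It refuses absolute paths and ".." components, refuses any path whose directory prefix is a symlink (the check is on the link itself, so it holds even when the link currently points inside the repository), and confirms the resolved target still sits under the repository root. The demo builds a throwaway repository with a symlink pointing outside it; the names "escape", "outside" and the paths tried are constructed for the example.

```python
import os
import tempfile


class AuditError(Exception):
    """Raised when a repository-relative path must not be written."""


def audit_path(repo_root, rel_path):
    """Return the absolute target for rel_path, or raise AuditError."""
    root = os.path.realpath(repo_root)
    parts = rel_path.split("/")
    if os.path.isabs(rel_path) or any(p in ("", ".", "..") for p in parts):
        raise AuditError(f"illegal component in {rel_path!r}")
    cur = root
    for p in parts[:-1]:
        cur = os.path.join(cur, p)
        # A link anywhere in the chain is refused outright: where it points
        # today is irrelevant, because it can be re-pointed by a later file.
        if os.path.islink(cur):
            raise AuditError(f"{rel_path!r} traverses symbolic link {p!r}")
    target = os.path.join(cur, parts[-1])
    # Belt and braces: the resolved target must still sit under the root.
    if os.path.commonpath([root, os.path.realpath(target)]) != root:
        raise AuditError(f"{rel_path!r} resolves outside the repository")
    return target


def safe_write(repo_root, rel_path, data):
    """Audit, then write without following a symlink at the leaf.
    Note the audit/write window is still a TOCTOU against a concurrent
    writer in the working copy; that is outside what an auditor can fix."""
    target = audit_path(repo_root, rel_path)
    os.makedirs(os.path.dirname(target), exist_ok=True)
    if os.path.islink(target):
        os.unlink(target)   # replace a tracked symlink rather than writing through it
    flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(target, flags, 0o644)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return target


def demo():
    """Constructed scenario: 'escape' inside the repo links to a directory outside it."""
    with tempfile.TemporaryDirectory() as tmp:
        repo = os.path.join(tmp, "repo")
        outside = os.path.join(tmp, "outside")
        os.makedirs(repo)
        os.makedirs(outside)
        os.symlink(outside, os.path.join(repo, "escape"))
        results = {}
        safe_write(repo, "docs/README", b"hello")
        results["ok"] = os.path.isfile(os.path.join(repo, "docs", "README"))
        for bad in ("escape/authorized_keys", "../outside/x", "/etc/passwd", "a//b"):
            try:
                safe_write(repo, bad, b"pwned")
                results[bad] = "written"
            except AuditError:
                results[bad] = "refused"
        results["outside_untouched"] = os.listdir(outside) == []
        return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```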
References
+ https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.3_.282017-08-10.29
Notes
CVE-2017-1000116 created at 25 Sep 2019 19:31:40
Severity
+ Critical
Remote
+ Remote
Type
+ Arbitrary command execution
Description
+ Mercurial < 4.3 was not sanitizing hostnames passed to ssh, allowing shell injection attacks on clients by specifying a hostname starting with -oProxyCommand. This is also present in Git (CVE-2017-1000117) and Subversion (CVE-2017-9800), so please patch those tools as well if you have them installed.
References
+ https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.3_.282017-08-10.29
Notes
CVE-2017-1000117 created at 25 Sep 2019 19:31:40
Severity
+ Critical
Remote
+ Remote
Type
+ Arbitrary command execution
Description
+ A security issue has been found in git < 2.14.1. A malicious third party can give a crafted "ssh://..." URL to an unsuspecting victim, and an attempt to visit the URL can result in any program that exists on the victim's machine being executed. Such a URL could be placed in the .gitmodules file of a malicious project, and an unsuspecting victim could be tricked into running "git clone --recurse-submodules" to trigger the vulnerability.
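Added example covering both the Mercurial (CVE-2017-1000116) and git (CVE-2017-1000117) entries; it is the example's own code, not either project's fix. It parses the two remote forms a VCS client accepts, "ssh://[user@]host[:port]/path" and the scp-like "[user@]host:path", and refuses any user, host or path that starts with "-", since ssh would otherwise parse a host such as "-oProxyCommand=..." as an option. The remote command name and the exact argv layout are assumptions for illustration.

```python
import shlex
from urllib.parse import urlsplit


class UnsafeRemote(ValueError):
    """The remote would hand ssh (or the remote command) an unintended option."""


def _no_dash(value, what):
    if value.startswith("-"):
        raise UnsafeRemote(f"{what} {value!r} starts with '-' and would be parsed as an option")


def split_netloc(netloc):
    """'user@host:port' -> (user|None, host, port|None); supports [v6] literals."""
    userinfo, _, hostport = netloc.rpartition("@")
    if hostport.startswith("["):
        end = hostport.find("]")
        if end < 0:
            raise UnsafeRemote("unterminated IPv6 literal")
        host, rest = hostport[1:end], hostport[end + 1:]
        port = rest[1:] if rest.startswith(":") else None
    else:
        host, _, port = hostport.partition(":")
    return (userinfo or None), host, (port or None)


def parse_remote(remote):
    """Accept ssh://[user@]host[:port]/path or scp-like [user@]host:path."""
    if remote.startswith("ssh://"):
        u = urlsplit(remote)
        user, host, port = split_netloc(u.netloc)
        path = u.path.lstrip("/")
    else:
        head, sep, path = remote.partition(":")
        if not sep or "/" in head:   # a slash before the colon means a local path
            raise UnsafeRemote(f"{remote!r} is not an ssh remote")
        user, host, port = split_netloc(head)
    if not host:
        raise UnsafeRemote("missing host")
    if port is not None and not port.isdigit():
        raise UnsafeRemote(f"bad port {port!r}")
    # The core check: nothing that reaches ssh's or the remote command's
    # argument list may look like an option.
    for what, value in (("user", user), ("host", host), ("path", path)):
        if value:
            _no_dash(value, what)
    return user, host, port, path


def ssh_argv(remote, remote_command="git-upload-pack"):
    """argv to exec directly (no shell) for the remote; raises UnsafeRemote."""
    user, host, port, path = parse_remote(remote)
    argv = ["ssh"]
    if port:
        argv += ["-p", port]
    argv.append(f"{user}@{host}" if user else host)
    argv.append(f"{remote_command} {shlex.quote(path)}")
    return argv


if __name__ == "__main__":
    # Constructed remotes: two benign, two in the shape the advisories describe.
    for r in ("ssh://git@example.com:2222/org/repo.git", "git@example.com:repo.git",
              "ssh://-oProxyCommand=touch%20pwned/repo", "-oProxyCommand=id@example.com:repo"):
        try:
            print(ssh_argv(r))
        except UnsafeRemote as e:
            print("refused:", e)
```

The path check matters as much as the host check for Mercurial, whose remote command embeds the repository path in an "hg -R <path> serve --stdio" invocation, so a dash-leading path would become an option to hg on the far side.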
References
+ https://lkml.org/lkml/2017/8/10/757
Notes