Log

CVE-2017-1000367 created at 25 Sep 2019 19:31:40
Severity
+ Medium
Remote
+ Local
Type
+ Access restriction bypass
Description
+ On Linux systems, sudo parses the /proc/[pid]/stat file to determine the device number of the process's tty (field 7). The fields in the file are space-delimited, but it is possible for the command name (field 2) to include spaces, which sudo does not account for. A user with sudo privileges can cause sudo to use a device number of the user's choosing by creating a symbolic link to the sudo binary whose name contains a space followed by a number.
+ This may allow a user to bypass the "tty_ticket" constraints. In order for this to succeed there must exist on the machine a terminal device on which the user has previously authenticated via sudo within the timestamp timeout (5 minutes by default).
References
+ https://www.sudo.ws/alerts/linux_tty.html
+ http://www.openwall.com/lists/oss-security/2017/05/30/16
+ https://www.sudo.ws/repos/sudo/raw-rev/b5460cbbb11b
Notes
+ If SELinux is enabled on the system and sudo was built with SELinux support, it is possible for a user with sudo privileges to overwrite an arbitrary file. This can be escalated to full root access by rewriting a trusted file such as /etc/shadow or even /etc/sudoers.
CVE-2017-1000369 created at 25 Sep 2019 19:31:40
Severity
+ Medium
Remote
+ Local
Type
+ Denial of service
Description
+ An uncontrolled resource consumption flaw has been discovered in Exim before 4.89.1. Multiple "-p" command line arguments are malloc()'ed and never free()'ed, which leaks memory. While Exim itself is not vulnerable to privilege escalation, this particular flaw can be combined with the stackguard vulnerability to achieve privilege escalation.
References
+ https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt
+ https://git.exim.org/exim.git/commitdiff/65e061b76867a9ea7aeeb535341b790b90ae6c21
+ https://access.redhat.com/security/vulnerabilities/stackguard
Notes
CVE-2017-1000370 created at 25 Sep 2019 19:31:40
Severity
+ Medium
Remote
+ Local
Type
+ Access restriction bypass
Description
+ The offset2lib patch as used in the Linux Kernel contains a vulnerability: if a PIE binary is execve()'ed with 1GB of arguments or environment strings, the stack occupies the address 0x80000000 and the PIE binary is mapped above 0x40000000, nullifying the protection of the offset2lib patch. This affects Linux Kernel version 4.11.5 and earlier. This is a different issue than CVE-2017-1000371. This issue appears to be limited to i386 based systems.
References
+ https://cybersecurity.upv.es/solutions/aslrv2/fix_offset2lib.patch
+ https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt
Notes
+ This issue appears to be limited to i386 based systems.
CVE-2017-1000371 created at 25 Sep 2019 19:31:40
Severity
+ Medium
Remote
+ Local
Type
+ Access restriction bypass
Description
+ The offset2lib patch as used by the Linux Kernel contains a vulnerability: if RLIMIT_STACK is set to RLIM_INFINITY and 1 Gigabyte of memory is allocated (the maximum under the 1/4 restriction), the stack will be grown down to 0x80000000, and as the PIE binary is mapped above 0x80000000, the minimum distance between the end of the PIE binary's read-write segment and the start of the stack becomes small enough that the stack guard page can be jumped over by an attacker. This affects Linux Kernel version 4.11.5. This is a different issue than CVE-2017-1000370 and CVE-2017-1000365. This issue appears to be limited to i386 based systems.
References
+ https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt
Notes
+ This issue appears to be limited to i386 based systems.
CVE-2017-1000376 created at 25 Sep 2019 19:31:40
Severity
+ High
Remote
+ Remote
Type
+ Arbitrary code execution
Description
+ libffi requests an executable stack allowing attackers to more easily trigger arbitrary code execution by overwriting the stack. Please note that libffi is used by a number of other libraries. This affects libffi version 3.2.1.
References
+ https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt
Notes
CVE-2017-1000377 created at 25 Sep 2019 19:31:40
Severity
+ High
Remote
+ Remote
Type
+ Arbitrary code execution
Description
+ An issue was discovered in the size of the default stack guard page on PAX Linux (originally from GRSecurity but shipped by other Linux vendors): the default stack guard page is not sufficiently large and can be "jumped" over, bypassing the stack guard page. This affects PAX Linux Kernel versions as of June 19, 2017 (specific version information is not available at this time).
References
+ https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt
Notes
CVE-2017-1000379 created at 25 Sep 2019 19:31:40
Severity
+ Medium
Remote
+ Local
Type
+ Access restriction bypass
Description
+ The Linux Kernel running on AMD64 systems will sometimes map the contents of the PIE executable, the heap or ld.so to where the stack is mapped, allowing attackers to more easily manipulate the stack. Linux Kernel version 4.11.5 is affected.
References
+ https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt
+ https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=1be7107fbe18eed3e319a6c3e83c78254b693acb
Notes
+ Commit included in 4.12.
CVE-2017-1000381 created at 25 Sep 2019 19:31:40
Severity
+ Medium
Remote
+ Remote
Type
+ Information disclosure
Description
+ An out-of-bounds read has been found in c-ares < 1.13.0. The ares_parse_naptr_reply() function, which is used for parsing NAPTR responses, could be triggered to read memory outside of the given input buffer if the passed-in DNS response packet was crafted in a particular way.
References
+ https://c-ares.haxx.se/adv_20170620.html
Notes
CVE-2017-1000382 created at 25 Sep 2019 19:31:40
Severity
+ Medium
Remote
+ Local
Type
+ Information disclosure
Description
+ VIM ignores umask when creating a swap file ("[ORIGINAL_FILENAME].swp"), resulting in files that may be world readable or otherwise accessible in ways not intended by the user running the vi binary. An attacker might search for vim swap files in order to retrieve security-sensitive data.
References
+ https://github.com/vim/vim/issues/2295
+ http://www.openwall.com/lists/oss-security/2017/10/31/15
Notes
CVE-2017-1000383 created at 25 Sep 2019 19:31:40
Severity
+ Low
Remote
+ Local
Type
+ Information disclosure
Description
+ This CVE assignment is nonsense: GNU emacs reuses the umask of the original file when creating a backup file. That's hardly incorrect behaviour.
+ Upstream report: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=29182
+
+ GNU Emacs version 25.3.1 (and other versions most likely) ignores umask when creating a backup save file ("[ORIGINAL_FILENAME]~"), resulting in files that may be world readable or otherwise accessible in ways not intended by the user running the emacs binary. An attacker might search for emacs backup save files in order to retrieve security-sensitive data.
References
+ http://www.openwall.com/lists/oss-security/2017/10/31/1
+ https://debbugs.gnu.org/cgi/bugreport.cgi?bug=29182
Notes
+ Reading the comments, this will most likely never get fixed upstream.