Log

CVE-2017-8815 created at 25 Sep 2019 19:31:40
Severity
+ High
Remote
+ Remote
Type
+ Cross-site scripting
Description
+ The language converter in MediaWiki before 1.27.4, 1.28.x before 1.28.3, and 1.29.x before 1.29.2 allows attribute injection attacks via glossary rules.
References
+ https://lists.wikimedia.org/pipermail/mediawiki-announce/2017-November/000216.html
+ https://phabricator.wikimedia.org/T119158
+ https://github.com/wikimedia/mediawiki/commit/f21f3942eb10d7e688eb25261ac3a9478268cbd3
Notes
CVE-2017-8816 created at 25 Sep 2019 19:31:40
Severity
+ High
Remote
+ Remote
Type
+ Arbitrary code execution
Description
+ A buffer overrun flaw has been found in libcurl >= 7.15.4 and < 7.57.0, in the NTLM authentication code. The internal function `Curl_ntlm_core_mk_ntlmv2_hash` sums up the lengths of the user name and password (= SUM) and multiplies the sum by two (= SIZE) to decide how much storage to allocate from the heap. The SUM value is subsequently used to iterate over the input and generate output into that buffer. On systems with a 32-bit `size_t`, the math that calculates SIZE triggers an integer overflow when the combined length of the user name and password exceeds 2GB (2^31 bytes). The overflow usually causes a very small buffer to be allocated instead of the intended very large one, so the output loop runs past its end: a heap buffer overrun.
+ This is only an issue on 32-bit systems, and it requires the user name and password to occupy more than 2GB of memory combined, which should be rare in practice.
References
+ https://curl.haxx.se/docs/adv_2017-11e7.html
+ https://curl.haxx.se/CVE-2017-8816.patch
+ https://github.com/curl/curl/commit/7f2a1df6f5fc598750b2c6f34465c8d924db28cc
Notes
+ only affects 32-bit variants
+ Introduced by: https://github.com/curl/curl/commit/86724581b6c02d160b52f817550cfdfc9c93af62
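+ The arithmetic above, as an added example that is not libcurl's code: the 32-bit `size_t` of the affected platforms is simulated with `uint32_t` so the wraparound reproduces on any host, and the function names (`ntlmv2_ident_size_vulnerable`, `ntlmv2_ident_size_checked`, `ntlmv2_build_identity`) are illustrative. The checked variant is the shape of fix a reviewer would expect: refuse the input when SUM or SUM * 2 cannot be represented, so the copy loop that still iterates SUM times can never outrun the allocation.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Model of the pre-7.57.0 computation (illustrative, not libcurl's code).
 * uint32_t stands in for a 32-bit size_t. */
static uint32_t ntlmv2_ident_size_vulnerable(uint32_t userlen, uint32_t passlen)
{
    uint32_t sum = userlen + passlen;   /* SUM */
    return sum * 2;                     /* SIZE: wraps as soon as SUM >= 2^31 */
}

/* Overflow-checked variant: fails closed instead of wrapping. */
static bool ntlmv2_ident_size_checked(uint32_t userlen, uint32_t passlen, uint32_t *size)
{
    if (userlen > UINT32_MAX - passlen)
        return false;                   /* SUM itself would wrap */
    uint32_t sum = userlen + passlen;
    if (sum > UINT32_MAX / 2)
        return false;                   /* SUM * 2 would wrap */
    *size = sum * 2;
    return true;
}

/* Widen ASCII user+password into UTF-16LE, which is why the buffer must be
 * twice SUM: each input byte yields two output bytes. The allocation is sized
 * by the checked helper, so the SUM-iteration loop stays in bounds.
 * Returns NULL on overflow or allocation failure; the caller frees. */
static unsigned char *ntlmv2_build_identity(const char *user, const char *pass, uint32_t *out_size)
{
    uint32_t userlen = (uint32_t)strlen(user);
    uint32_t passlen = (uint32_t)strlen(pass);
    uint32_t size;
    if (!ntlmv2_ident_size_checked(userlen, passlen, &size))
        return NULL;
    unsigned char *buf = malloc(size ? size : 1);
    if (!buf)
        return NULL;
    uint32_t sum = userlen + passlen;
    for (uint32_t i = 0; i < sum; i++) {
        unsigned char c = (i < userlen) ? (unsigned char)user[i]
                                        : (unsigned char)pass[i - userlen];
        buf[2 * i] = c;      /* low byte of the UTF-16LE code unit */
        buf[2 * i + 1] = 0;  /* high byte (ASCII input only) */
    }
    *out_size = size;
    return buf;
}
```

With a combined length of 0x80000001 bytes the vulnerable computation yields a SIZE of 2, which is the "very small buffer" the advisory describes; the checked variant refuses the same input.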
CVE-2017-8817 created at 25 Sep 2019 19:31:40
Severity
+ Medium
Remote
+ Remote
Type
+ Information disclosure
Description
+ A read out of bounds flaw has been found in the FTP wildcard function of libcurl >= 7.21.0 and < 7.57.0. libcurl's FTP wildcard matching feature, enabled with the `CURLOPT_WILDCARDMATCH` option, can use a built-in wildcard function or a user-provided one. The built-in function fails to detect the end of the pattern string when it ends with an open bracket (`[`); instead it continues reading heap memory beyond the end of the URL buffer that holds the wildcard.
+ For applications that use HTTP(S) URLs, let libcurl follow redirects and have FTP wildcards enabled, a malicious server can trigger the flaw by redirecting the client to an FTP URL whose wildcard pattern ends with `[`.
References
+ https://curl.haxx.se/docs/adv_2017-ae72.html
+ https://curl.haxx.se/CVE-2017-8817.patch
+ https://github.com/curl/curl/commit/0b664ba968437715819bfe4c7ada5679d16ebbc3
Notes
+ Introduced by: https://github.com/curl/curl/commit/0825cd80a62c21725fb3615f1fdd3aa6cc5f0f34
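+ The unterminated-bracket case above, as an added example (not libcurl's matcher): a small glob matcher whose bracket-set parser stops on the NUL terminator and reports the malformed pattern instead of scanning on. The names `parse_bracket` and `glob_match` and the supported syntax (`*`, `?`, `[...]`, `[!...]`, ranges) are assumptions of this example. The one line a reviewer looks for is the `'\0'` check inside the set loop; without it a pattern ending in `[` walks off the end of the string exactly as the advisory describes.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

enum setres { SET_OK, SET_UNTERMINATED };

/* Parse the bracket expression starting at p (p[0] == '[').
 * On success fills members[] (1 = in set), sets *negate and *consumed
 * (bytes used including both brackets). The NUL check is the fix. */
static enum setres parse_bracket(const char *p, unsigned char members[256],
                                 bool *negate, size_t *consumed)
{
    size_t i = 1;                                   /* skip '[' */
    memset(members, 0, 256);
    *negate = false;
    if (p[i] == '!' || p[i] == '^') { *negate = true; i++; }
    if (p[i] == ']') { members[(unsigned char)']'] = 1; i++; } /* leading ']' is literal */
    for (;; i++) {
        unsigned char c = (unsigned char)p[i];
        if (c == '\0')
            return SET_UNTERMINATED;                /* end of pattern inside a set */
        if (c == ']') { i++; break; }
        if (p[i + 1] == '-' && p[i + 2] != ']' && p[i + 2] != '\0') {
            unsigned char hi = (unsigned char)p[i + 2];
            for (unsigned k = c; k <= hi; k++) members[k] = 1;
            i += 2;                                  /* consumed "lo-hi" */
        } else {
            members[c] = 1;
        }
    }
    *consumed = i;
    return SET_OK;
}

/* Returns 1 on match, 0 on mismatch, -1 on a malformed pattern. */
static int glob_match(const char *pat, const char *s)
{
    while (*pat) {
        if (*pat == '*') {
            pat++;
            for (const char *t = s; ; t++) {          /* try every suffix */
                int r = glob_match(pat, t);
                if (r != 0) return r;                /* match or error */
                if (*t == '\0') return 0;
            }
        }
        if (*pat == '[') {
            unsigned char members[256]; bool neg; size_t used;
            if (parse_bracket(pat, members, &neg, &used) != SET_OK)
                return -1;                           /* refuse rather than read on */
            if (*s == '\0') return 0;
            bool in = members[(unsigned char)*s] != 0;
            if (in == neg) return 0;
            pat += used; s++;
        } else if (*s == '\0') {
            return 0;
        } else if (*pat == '?' || *pat == *s) {
            pat++; s++;
        } else {
            return 0;
        }
    }
    return *s == '\0';
}
```

Malformed patterns are rejected before any subject byte is compared, so a redirect to a URL whose wildcard is `*[` yields an error rather than a walk through adjacent heap memory.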
CVE-2017-8818 created at 25 Sep 2019 19:31:40
Severity
+ High
Remote
+ Remote
Type
+ Arbitrary code execution
Description
+ An out-of-bounds flaw has been found in the SSL related code of libcurl >= 7.56.0 and < 7.57.0. When allocating memory for a connection (the internal struct called connectdata), a certain amount of memory is allocated at the end of the struct to be used for SSL related structs. Those structs are used by the particular SSL library libcurl is built to use; the application can also tell libcurl which SSL library to use if it was built to support more than one. The math used to calculate the extra memory needed for the SSL library was wrong on 32-bit systems, which made the allocated memory too small by 4 bytes. The last struct member of the last object within the memory area could then lie outside of what was allocated. Accessing that member can lead to a crash or other undefined behavior depending on what memory is present there and how the particular SSL library acts on that memory content.
+ Specifically, the vulnerability is present if libcurl was built so that sizeof(long long *) < sizeof(long long), which as far as we are aware only happens in 32-bit builds.
References
+ https://curl.haxx.se/docs/adv_2017-af0a.html
+ https://curl.haxx.se/CVE-2017-8818.patch
+ https://github.com/curl/curl/commit/9b5e12a5491d2e6b68e0c88ca56f3a9ef9fba400
Notes
+ only affects 32-bit variants
+ Introduced by: https://github.com/curl/curl/commit/70f1db321a2b39c75f679b5b052aa1ac0636bd50
CVE-2017-8819 created at 25 Sep 2019 19:31:40
Severity
+ Medium
Remote
+ Remote
Type
+ Information disclosure
Description
+ An issue has been found in the way Tor before 0.3.1.9 checked for replays, leading to a possible traffic confirmation attack.
References
+ https://trac.torproject.org/projects/tor/ticket/24244
Notes
CVE-2017-8820 created at 25 Sep 2019 19:31:40
Severity
+ Medium
Remote
+ Remote
Type
+ Denial of service
Description
+ A denial of service issue has been found in Tor before 0.3.1.9: an attacker could crash a directory authority by sending it a malformed router descriptor.
References
+ https://trac.torproject.org/projects/tor/ticket/24245
Notes
CVE-2017-8822 created at 25 Sep 2019 19:31:40
Severity
+ High
Remote
+ Remote
Type
+ Information disclosure
Description
+ In Tor before 0.3.1.9, relays (that have incompletely downloaded descriptors) can pick themselves in a circuit path, leading to a degradation of anonymity, aka TROVE-2017-012.
References
+ https://bugs.torproject.org/21534
+ https://bugs.torproject.org/24333
Notes
CVE-2017-8823 created at 25 Sep 2019 19:31:40
Severity
+ High
Remote
+ Remote
Type
+ Arbitrary code execution
Description
+ A use-after-free vulnerability has been found in Tor before 0.3.1.9, leading to a crash of v2 Tor onion services when they failed to open circuits while expiring introduction points.
References
+ https://trac.torproject.org/projects/tor/ticket/24313
Notes
CVE-2017-8824 created at 25 Sep 2019 19:31:40
Severity
+ High
Remote
+ Local
Type
+ Privilege escalation
Description
+ A use-after-free vulnerability was found in the DCCP socket code of the Linux kernel, present since 2.6.16. The dccp_disconnect function in net/dccp/proto.c allows local users to gain privileges or cause a denial of service via an AF_UNSPEC connect system call while the socket is in the DCCP_LISTEN state.
References
+ https://git.kernel.org/linus/69c64866ce072dea1d1e59a0d61e0f66c0dffb76
Notes
+ On systems that do not already have the dccp module loaded (verify with lsmod before relying on this), the issue can be mitigated by preventing the module from being loaded:
+ echo >> /etc/modprobe.d/disable-dccp.conf install dccp false
CVE-2017-8849 created at 25 Sep 2019 19:31:40
Severity
+ High
Remote
+ Local
Type
+ Privilege escalation
Description
+ Smb4k <= 2.0.0 contains a logic flaw in which the mount helper binary does not properly verify the mount command it is asked to run. Because the helper is typically installed setuid root, this allows executing any other binary as root.
References
+ https://www.kde.org/info/security/advisory-20170510-2.txt
+ http://seclists.org/oss-sec/2017/q2/240
+ https://commits.kde.org/smb4k/a90289b0962663bc1d247bbbd31b9e65b2ca000e
Notes
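+ The check the helper lacked, as an added example that is not Smb4k's code: a setuid helper should decide what it executes from a fixed allowlist of absolute paths, not from whatever program name it was handed, and should sanity-check the remaining arguments before `execve`. The allowlist contents, the `validate_request` / `command_allowed` / `mountpoint_allowed` names, the convention that the last argument is the mount point, and the invocation form `helper /bin/mount ... /mnt/share` are all assumptions of this example.

```c
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Only programs the helper may ever run as root (illustrative list). Paths are
 * absolute and compared byte-for-byte, so "mount", "./mount" and
 * "/sbin/../bin/sh" are all rejected. */
static const char *const ALLOWED[] = {
    "/sbin/mount.cifs",
    "/sbin/umount.cifs",
    "/bin/mount",
    "/bin/umount",
};

static bool command_allowed(const char *path)
{
    if (path == NULL || path[0] != '/')
        return false;                 /* relative names would resolve via PATH */
    for (size_t i = 0; i < sizeof ALLOWED / sizeof ALLOWED[0]; i++)
        if (strcmp(path, ALLOWED[i]) == 0)
            return true;
    return false;
}

/* Mount points must be absolute and contain no ".." component. */
static bool mountpoint_allowed(const char *mp)
{
    if (mp == NULL || mp[0] != '/')
        return false;
    const char *p = mp;
    while (*p) {
        const char *seg = p;
        while (*p && *p != '/') p++;
        if (p - seg == 2 && seg[0] == '.' && seg[1] == '.')
            return false;
        if (*p) p++;
    }
    return true;
}

/* argv is the NULL-terminated command the caller wants run as root
 * (argv[0] = program, last element = mount point by the convention assumed here). */
static bool validate_request(char *const argv[])
{
    if (argv == NULL || argv[0] == NULL || !command_allowed(argv[0]))
        return false;
    int argc = 0;
    while (argv[argc]) argc++;
    if (argc < 2)
        return false;
    return mountpoint_allowed(argv[argc - 1]);
}

int main(int argc, char *argv[])
{
    if (argc < 3)
        return 2;
    char *const *req = argv + 1;      /* helper /bin/mount -t cifs //srv/s /mnt/s */
    if (!validate_request(req))
        return 1;                     /* refuse, do not exec */
    char *const empty_env[] = { NULL }; /* drop LD_PRELOAD and friends for the child */
    execve(req[0], req, empty_env);
    return 1;                         /* only reached if execve failed */
}
```

The allowlist comparison is deliberately a plain string equality on absolute paths; resolving symlinks or searching PATH on the attacker's behalf is exactly the kind of "helpfulness" that turns a mount helper into a root shell.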