Log

CVE-2018-0739 created at 25 Sep 2019 19:31:40
Severity
+ Medium
Remote
+ Local
Type
+ Denial of service
Description
+ A stack-exhaustion issue has been found in OpenSSL <= 1.1.0h, where constructed ASN.1 types with a recursive definition (such as can be found in PKCS7) could eventually exceed the stack given malicious input with excessive recursion. This could result in a Denial Of Service attack. There are no such structures used within SSL/TLS that come from untrusted sources so this is considered safe.
References
+ https://www.openssl.org/news/secadv/20180327.txt
+ https://github.com/openssl/openssl/commit/2ac4c6f7b2b2af20c0e2b0ba05367e454cd11b33
Notes
CVE-2018-1000001 created at 25 Sep 2019 19:31:40
Severity
+ High
Remote
+ Local
Type
+ Privilege escalation
Description
+ A buffer underflow vulnerability has been discovered in the realpath() function in glibc 2.26 when getcwd() returns a relative or unreachable path (i.e. not starting with '/') which may allow privilege escalation under certain conditions.
References
+ http://www.openwall.com/lists/oss-security/2018/01/11/5
+ https://sourceware.org/bugzilla/show_bug.cgi?id=22679
+ https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=52a713fdd0a30e1bd79818e2e3c4ab44ddca1a94
Notes
CVE-2018-1000005 created at 25 Sep 2019 19:31:40
Severity
+ Medium
Remote
+ Remote
Type
+ Denial of service
Description
+ libcurl contains an out-of-bounds read in code handling HTTP/2 trailers. It was reported that reading an HTTP/2 trailer could mess up future trailers since the stored size was one byte less than required. The problem is that the code that creates HTTP/1-like headers from the HTTP/2 trailer data once appended a string like `":"` to the target buffer, while this was recently changed to `": "` (a space was added after the colon) but the associated math wasn't updated correspondingly. When accessed, the data is read out of bounds and causes either a crash or that the (too large) data gets passed to the libcurl callback. This might lead to a denial-of-service situation or an information disclosure if someone has a service that echoes back or uses the trailers for something.
References
+ https://curl.haxx.se/docs/adv_2018-824a.html
+ https://github.com/curl/curl/commit/fa3dbb9a147488a2943bda809c66fc497efe06cb
Notes
CVE-2018-1000007 created at 25 Sep 2019 19:31:40
Severity
+ Medium
Remote
+ Remote
Type
+ Information disclosure
Description
+ libcurl might leak authentication data to third parties. When asked to send custom headers in its HTTP requests, libcurl will send that set of headers first to the host in the initial URL but also, if asked to follow redirects and a 30X HTTP response code is returned, to the host mentioned in the URL in the `Location:` response header value. Sending the same set of headers to subsequent hosts is in particular a problem for applications that pass on custom `Authorization:` headers, as this header often contains privacy sensitive information or data that could allow others to impersonate the libcurl-using client's request.
References
+ https://curl.haxx.se/docs/adv_2018-b3bf.html
+ https://github.com/curl/curl/commit/af32cd3859336ab963591ca0df9b1e33a7ee066b
Notes
+ In libcurl version 7.58.0, custom `Authorization:` headers will be limited the same way other such headers are controlled within libcurl: they will only be sent to the host used in the original URL unless libcurl is told that it is ok to pass them on to others using the `CURLOPT_UNRESTRICTED_AUTH` option. This solution creates a slight change in behavior. Users who actually want to pass on the header to other hosts now need to give curl that specific permission. You do this with --location-trusted with the curl command line tool.
CVE-2018-1000035 created at 25 Sep 2019 19:31:40
Severity
+ Low
Remote
+ Local
Type
+ Arbitrary code execution
Description
+ A heap-based buffer overflow exists in Info-Zip UnZip version <= 6.00 in the processing of password-protected archives that allows an attacker to perform a denial of service or to possibly achieve code execution.
References
+ https://sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-infozip-unzip/index.html
Notes
+ Still no fix upstream. We do use FORTIFY_SOURCE=2 on our builds and that works as a "workaround" since it kills the app. Downgrading the severity to 'low' since we don't really care about DoS in unzip.
CVE-2018-1000051 created at 25 Sep 2019 19:31:40
Severity
+ High
Remote
+ Local
Type
+ Arbitrary code execution
Description
+ Artifex MuPDF version 1.12.0 contains a use-after-free vulnerability in fz_keep_key_storable that can result in DoS / possible code execution. This attack appears to be exploitable when the victim opens a specially crafted PDF.
References
+ https://bugs.ghostscript.com/show_bug.cgi?id=698825
+ https://bugs.ghostscript.com/show_bug.cgi?id=698873
+ https://git.ghostscript.com/?p=mupdf.git;a=commitdiff;h=321ba1de287016b0036bf4a56ce774ad11763384
Notes
CVE-2018-1000085 created at 25 Sep 2019 19:31:40
Severity
+ Medium
Remote
+ Remote
Type
+ Denial of service
Description
+ A heap-based out-of-bounds read has been found in the xar_hash_check function of the xar decoder of ClamAV before 0.99.4, leading to a denial of service.
References
+ http://www.openwall.com/lists/oss-security/2017/09/29/4
+ https://github.com/Cisco-Talos/clamav-devel/commit/d96a6b8bcc7439fa7e3876207aa0a8e79c8451b6
+ https://bugzilla.clamav.net/show_bug.cgi?id=11588
Notes
CVE-2018-1000115 created at 25 Sep 2019 19:31:40
Severity
+ High
Remote
+ Remote
Type
+ Insufficient validation
Description
+ Memcached version 1.5.5 contains an Insufficient Control of Network Message Volume (Network Amplification, CWE-406) vulnerability in the UDP support of the memcached server that can result in denial of service via network flood (traffic amplification of 1:50,000 has been reported by reliable sources). This attack appears to be exploitable via network connectivity to port 11211 UDP. This vulnerability appears to have been fixed in 1.5.6 due to the disabling of the UDP protocol by default.
References
+ https://marc.info/?l=oss-security&m=152005218613138
Notes
CVE-2018-1000120 created at 25 Sep 2019 19:31:40
Severity
+ Medium
Remote
+ Remote
Type
+ Denial of service
Description
+ It was found that libcurl did not safely parse FTP URLs when using the CURLOPT_FTP_FILEMETHOD method. An attacker, able to provide a specially crafted FTP URL to an application using libcurl, could write a NULL byte at an arbitrary location, resulting in a crash or unspecified behavior.
References
+ https://curl.haxx.se/docs/adv_2018-9cd6.html
+ https://curl.haxx.se/CVE-2018-1000120.patch
+ https://github.com/curl/curl/commit/535432c0adb62fe167ec09621500470b6fa4eb0f
Notes
CVE-2018-1000121 created at 25 Sep 2019 19:31:40
Severity
+ Medium
Remote
+ Remote
Type
+ Denial of service
Description
+ A NULL pointer dereference exists in the LDAP code of curl >= 7.21.0 and < 7.59.0, allowing an attacker to cause a denial of service. libcurl-using applications that allow LDAP URLs, or that allow redirects to LDAP URLs, could be made to crash by a malicious server.
References
+ https://curl.haxx.se/docs/adv_2018-97a2.html
+ https://curl.haxx.se/CVE-2018-1000121.patch
+ https://github.com/curl/curl/commit/9889db043393092e9d4b5a42720bba0b3d58deba
Notes