Log

CVE-2018-1000122 created at 25 Sep 2019 19:31:40
Severity
+ Medium
Remote
+ Remote
Type
+ Information disclosure
Description
+ A buffer over-read exists in curl >= 7.20.0 and < 7.59.0 in the RTSP+RTP handling code that allows an attacker to cause a denial of service or information leakage. When asked to transfer an RTSP URL, curl could calculate a wrong data length to copy from the read buffer. The memcpy call would copy data from the heap following the buffer to a storage area that would subsequently be delivered to the application (if it didn't cause a crash). This could lead to information leakage or a denial of service for the application if the server offering the RTSP data can trigger this.
References
+ https://curl.haxx.se/docs/adv_2018-b047.html
+ https://curl.haxx.se/CVE-2018-1000122.patch
+ https://github.com/curl/curl/commit/d52dc4760f6d9ca1937eefa2093058a952465128
Notes
CVE-2018-1000135 created at 25 Sep 2019 19:31:40
Severity
+ Medium
Remote
+ Remote
Type
+ Information disclosure
Description
+ GNOME NetworkManager version 1.10.2 and earlier contains an Information Exposure (CWE-200) vulnerability in the DNS resolver that can result in private DNS queries being leaked to the local network's DNS servers while on VPN.
References
+ https://bugzilla.redhat.com/show_bug.cgi?id=1553634
+ https://bugzilla.gnome.org/show_bug.cgi?id=746422
+ https://bugs.launchpad.net/ubuntu/+source/network-manager/+bug/1754671
Notes
CVE-2018-1000156 created at 25 Sep 2019 19:31:40
Severity
+ High
Remote
+ Local
Type
+ Arbitrary command execution
Description
+ An arbitrary command execution vulnerability has been found in GNU patch versions prior to 2.7.7 when applying ed-style patches. Due to insufficient sanitization of the input patch stream, it is possible for a patch file to cause patch to pass certain ed scripts to the ed editor, which would run commands. This issue could be exploited to execute arbitrary commands as the user invoking patch against a specially crafted patch file, which could be leveraged to obtain elevated privileges.
References
+ https://savannah.gnu.org/bugs/?53566
+ https://git.savannah.gnu.org/cgit/patch.git/commit/?id=123eaff0d5d1aebe128295959435b9ca5909c26d
+ https://git.savannah.gnu.org/cgit/patch.git/commit/?id=3fcd042d26d70856e826a42b5f93dc4854d80bf0
Notes
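Added example, not part of the original advisory or of GNU patch's code: a conservative pre-check that a practitioner could run over an untrusted patch stream before handing it to an old patch binary. It flags lines that look like ed address commands (digits, optional ",digits", one of a/c/d/i/s, end of line, an approximation of how GNU patch's diff-type heuristics recognise an ed-style patch; this is an assumption about the heuristic, not its exact rule) and, once such a command has been seen, any line starting with "!", which ed treats as a shell escape. Both sample patches are constructed for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed benign unified diff: no ed commands, nothing to flag. */
static const char benign_unified[] =
    "--- a/config.txt\n"
    "+++ b/config.txt\n"
    "@@ -1,2 +1,2 @@\n"
    "-timeout=30\n"
    "+timeout=60\n"
    " retries=3\n";

/* Constructed ed-style patch carrying a shell escape: "!id" would be run by
 * ed if the whole script were passed through unfiltered. */
static const char malicious_ed[] =
    "--- config.txt\n"
    "+++ config.txt\n"
    "1d\n"
    "!id\n"
    "w\n"
    "q\n";

/* Returns 1 if the line is an ed address command such as "12a", "3,7c", "5d",
 * "9i" or "4s" (assumed approximation of GNU patch's ed-diff detection). */
static int is_ed_command_line(const char *line)
{
    const char *s = line;
    if (!isdigit((unsigned char)*s))
        return 0;
    while (isdigit((unsigned char)*s))
        s++;
    if (*s == ',') {
        s++;
        if (!isdigit((unsigned char)*s))
            return 0;
        while (isdigit((unsigned char)*s))
            s++;
    }
    if (*s == '\0' || strchr("acdis", *s) == NULL)
        return 0;
    s++;
    return *s == '\0' || *s == '\n' || (*s == '\r' && s[1] == '\n');
}

struct ed_scan {
    int ed_commands;    /* lines that look like ed address commands */
    int shell_escapes;  /* '!' lines seen after ed-style content started */
};

/* Walk the patch line by line; a '!' line only counts once the stream has
 * already shown ed-style commands, so unified/context diffs are not flagged. */
static struct ed_scan scan_patch_for_ed_escapes(const char *patch)
{
    struct ed_scan r = {0, 0};
    const char *line = patch;
    while (*line) {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        char buf[512];
        if (len >= sizeof buf)
            len = sizeof buf - 1;       /* over-long lines are truncated for matching */
        memcpy(buf, line, len);
        buf[len] = '\0';
        if (is_ed_command_line(buf))
            r.ed_commands++;
        else if (r.ed_commands > 0 && buf[0] == '!')
            r.shell_escapes++;
        if (!nl)
            break;
        line = nl + 1;
    }
    return r;
}

int main(void)
{
    struct ed_scan a = scan_patch_for_ed_escapes(benign_unified);
    struct ed_scan b = scan_patch_for_ed_escapes(malicious_ed);
    printf("benign: ed=%d escapes=%d\n", a.ed_commands, a.shell_escapes);
    printf("malicious: ed=%d escapes=%d\n", b.ed_commands, b.shell_escapes);
    return b.shell_escapes ? 1 : 0;     /* non-zero: refuse to apply */
}
```

The check errs on the side of false positives: a "!" line inside inserted text after an "a" or "i" command is data to ed, but with a pre-2.7.7 patch the safer action is still to refuse the file and inspect it by hand.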
CVE-2018-1000222 created at 25 Sep 2019 19:31:40
Severity
+ Critical
Remote
+ Remote
Type
+ Arbitrary code execution
Description
+ Libgd version 2.2.5 contains a double free vulnerability in the gdImageBmpPtr function that can result in remote code execution. The attack appears to be exploitable via a specially crafted JPEG image that triggers the double free.
References
+ https://github.com/libgd/libgd/commit/4b1e18a00ce7c4b7e6919c3b3109a034393b805a
+ https://github.com/libgd/libgd/issues/447
Notes
CVE-2018-1000300 created at 25 Sep 2019 19:31:40
Severity
+ Critical
Remote
+ Remote
Type
+ Arbitrary code execution
Description
+ curl >= 7.54.1 and < 7.60.0 might overflow a heap based memory buffer when closing down an FTP connection with very long server command replies.
+ When doing FTP transfers, curl keeps a spare "closure handle" around internally that will be used when an FTP connection gets shut down since the original curl easy handle is then already removed. FTP server response data that gets cached from the original transfer might then be larger than the default buffer size (16 KB) allocated in the "closure handle", which can lead to a buffer overwrite. The contents and size of that overwrite is controllable by the server.
References
+ https://curl.haxx.se/docs/adv_2018-82c2.html
+ https://curl.haxx.se/CVE-2018-1000300.patch
Notes
CVE-2018-1000301 created at 25 Sep 2019 19:31:40
Severity
+ Medium
Remote
+ Remote
Type
+ Denial of service
Description
+ curl >= 7.20.0 and < 7.60.0 can be tricked into reading data beyond the end of a heap based buffer used to store downloaded content.
+ When servers send RTSP responses back to curl, the data starts out with a set of headers. curl parses that data to separate it into a number of headers, to deal with those appropriately and to find the end of the headers that signals the start of the "body" part. The function that splits up the response into headers is called Curl_http_readwrite_headers(), and in situations where it can't find a single header in the buffer, it might end up leaving a pointer pointing into the buffer instead of at the start of the buffer, which later on may lead to an out-of-bounds read when code assumes that pointer points to a full buffer size worth of memory to use.
+ This could potentially lead to information leakage but most likely a crash/denial of service for applications if a server triggers this flaw.
References
+ https://curl.haxx.se/docs/adv_2018-b138.html
+ https://curl.haxx.se/CVE-2018-1000301.patch
Notes
CVE-2018-1000559 created at 25 Sep 2019 19:31:40
Severity
+ Medium
Remote
+ Remote
Type
+ Cross-site scripting
Description
+ qutebrowser before 1.3.3 contains a Cross Site Scripting (XSS) vulnerability that can result in a website stealing the user's browsing history. The attack is exploitable by tricking the victim into opening a page with a specially crafted <title> element and then opening the qute://history site via the :history command.
References
+ https://github.com/qutebrowser/qutebrowser/commit/4c9360237f186681b1e3f2a0f30c45161cf405c7
+ https://github.com/qutebrowser/qutebrowser/issues/4011
Notes
CVE-2018-1000877 created at 25 Sep 2019 19:31:40
Severity
+ High
Remote
+ Local
Type
+ Arbitrary code execution
Description
+ A double-free issue has been found in libarchive >= 3.1.0 and <= 3.3.3, in the parse_codes() function in archive_read_support_format_rar.c. An attacker can use a specially crafted RAR file to cause realloc to be called with a size of 0, effectively freeing the memory, which will then be freed again at a later time.
References
+ https://bugs.launchpad.net/ubuntu/+source/libarchive/+bug/1794909
+ https://github.com/libarchive/libarchive/pull/1105
+ https://github.com/libarchive/libarchive/commit/021efa522ad729ff0f5806c4ce53e4a6cc1daa31
Notes
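Added example, not libarchive's code: a minimal model of the resize pattern the description names (a parser growing a table with realloc and a size taken from the input) in its unsafe and hardened forms, plus a probe of what the running C library does for realloc(p, 0). On glibc, realloc with a non-NULL pointer and size 0 frees the block and returns NULL, so a caller that keeps the old pointer on a NULL return and frees it at cleanup frees it twice. The struct and function names are invented for the example; the size sequence fed to the safe path is constructed. The unsafe function is never called with size 0 here, since that would be the double free itself.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical decoder table, standing in for the RAR code-table buffer. */
struct table {
    unsigned char *data;
    size_t size;
};

/* Unsafe pattern modelled on the description (not libarchive's code): a zero
 * size reaches realloc, which on glibc frees t->data and returns NULL. The
 * function then leaves t->data in place, so the cleanup free() is a second
 * free of the same block. */
static int table_resize_unsafe(struct table *t, size_t nbytes)
{
    unsigned char *p = realloc(t->data, nbytes);
    if (p == NULL)
        return -1;          /* if nbytes was 0, t->data is now dangling */
    t->data = p;
    t->size = nbytes;
    return 0;
}

/* Hardened: a zero-length table is malformed input; reject it before realloc
 * can ever act as free(). On a genuine allocation failure the old block is
 * still valid and still owned by t, so exactly one free() remains correct. */
static int table_resize_safe(struct table *t, size_t nbytes)
{
    if (nbytes == 0)
        return -1;
    unsigned char *p = realloc(t->data, nbytes);
    if (p == NULL)
        return -1;
    t->data = p;
    t->size = nbytes;
    return 0;
}

/* Probe the platform: returns 1 if realloc(p, 0) released p and returned NULL
 * (glibc behaviour), 0 if it returned a fresh minimal allocation, -1 on OOM.
 * Safe to run either way: nothing is freed twice. */
static int realloc_zero_frees(void)
{
    void *p = malloc(16);
    if (p == NULL)
        return -1;
    void *q = realloc(p, 0);
    if (q == NULL)
        return 1;           /* p is gone; do not free(p) */
    free(q);                /* q replaced p */
    return 0;
}

/* Feed a constructed sequence of header-supplied sizes (16, 0, 64) through
 * the safe resize, as a parser would; returns how many were rejected. */
static int demo_safe_sequence(void)
{
    const size_t sizes[] = {16, 0, 64};
    struct table t = {NULL, 0};
    int rejected = 0;
    for (size_t i = 0; i < sizeof sizes / sizeof sizes[0]; i++)
        if (table_resize_safe(&t, sizes[i]) != 0)
            rejected++;
    free(t.data);           /* single free: t.data is valid or NULL */
    return rejected;
}

int main(void)
{
    struct table t = {NULL, 0};
    printf("realloc(p, 0) frees p here: %s\n",
           realloc_zero_frees() == 1 ? "yes" : "no");
    printf("unsafe resize to 32: %d\n", table_resize_unsafe(&t, 32));
    printf("safe resize to 0 rejected: %d\n", table_resize_safe(&t, 0));
    printf("safe sequence rejected %d of 3 sizes\n", demo_safe_sequence());
    free(t.data);
    return 0;
}
```

The same shape applies to the use-after-free in the next entry: once a buffer may have been released and replaced, every consumer that cached the old pointer (here, the ppmd7 decoder) must be re-pointed or the reallocation refused.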
CVE-2018-1000878 created at 25 Sep 2019 19:31:40
Severity
+ High
Remote
+ Local
Type
+ Arbitrary code execution
Description
+ A use-after-free issue has been found in libarchive >= 3.1.0 and <= 3.3.3, in the archive_read_format_rar_read_header() function in archive_read_support_format_rar.c. An attacker can use a specially crafted RAR file to cause the vulnerable function to free the buffer and allocate a new one, causing the ppmd7 decoder to continue reading from and writing to the freed buffer.
References
+ https://bugs.launchpad.net/ubuntu/+source/libarchive/+bug/1794909
+ https://github.com/libarchive/libarchive/pull/1105
+ https://github.com/libarchive/libarchive/commit/bfcfe6f04ed20db2504db8a254d1f40a1d84eb28
Notes
CVE-2018-1000879 created at 25 Sep 2019 19:31:40
Severity
+ Low
Remote
+ Local
Type
+ Denial of service
Description
+ A NULL-pointer dereference issue has been found in libarchive >= 3.3.0 and <= 3.3.3, in the archive_acl_from_text_l() function in archive_acl.c. An attacker can use a specially crafted archive file to cause a crash via a malformed ACL.
References
+ https://bugs.launchpad.net/ubuntu/+source/libarchive/+bug/1794909
+ https://github.com/libarchive/libarchive/pull/1105
+ https://github.com/libarchive/libarchive/commit/15bf44fd2c1ad0e3fd87048b3fcc90c4dcff1175
Notes