Log

CVE-2018-11210 created at 25 Sep 2019 19:31:40
Severity
+ High
Remote
+ Remote
Type
+ Arbitrary code execution
Description
+ TinyXML2 6.2.0 has a heap-based buffer over-read in the XMLDocument::Parse function in libtinyxml2.so.
References
+ https://github.com/leethomason/tinyxml2/issues/675
Notes
+ This is not a security issue: the initial reporter made a mistake in the fuzzing code (passing a non-null-terminated buffer without the size).
CVE-2018-1122 created at 25 Sep 2019 19:31:40
Severity
+ Low
Remote
+ Local
Type
+ Privilege escalation
Description
+ The top utility from procps-ng <= 3.3.14 reads its configuration file from the current working directory, without any security check, if the HOME environment variable is unset or empty. In this very unlikely scenario, an attacker can carry out an LPE (Local Privilege Escalation) if an administrator executes top in /tmp (for example), by exploiting one of several vulnerabilities in top's config_file() function.
References
+ https://www.qualys.com/2018/05/17/procps-ng-audit-report-advisory.txt
Notes
+ Related patch in Qualys' tarball: 0097-top-Do-not-default-to-the-cwd-in-configs_read.patch
CVE-2018-1123 created at 25 Sep 2019 19:31:40
Severity
+ Low
Remote
+ Local
Type
+ Denial of service
Description
+ A security issue has been found in procps-ng <= 3.3.14 where an attacker can overflow the output buffer of ps, when executed by another user, administrator, or script: a denial of service only (not an LPE), because ps mmap()s its output buffer and mprotect()s its last page with PROT_NONE (an effective guard page).
References
+ https://www.qualys.com/2018/05/17/procps-ng-audit-report-advisory.txt
Notes
+ Related patch in Qualys' tarball: 0054-ps-output.c-Fix-outbuf-overflows-in-pr_args-etc.patch
CVE-2018-11233 created at 25 Sep 2019 19:31:40
Severity
+ Medium
Remote
+ Remote
Type
+ Information disclosure
Description
+ A security issue has been found in git before 2.17.1, where the code that sanity-checks paths in is_ntfs_dotgit() could have been tricked into reading random pieces of memory.
References
+ https://lkml.org/lkml/2018/5/29/889
+ https://github.com/gitster/git/commit/11a9f4d807a0d71dc6eff51bb87baf4ca2cccf1d
Notes
CVE-2018-11235 created at 25 Sep 2019 19:31:40
Severity
+ Critical
Remote
+ Remote
Type
+ Arbitrary code execution
Description
+ A security issue has been found in git before 2.17.1. With a crafted .gitmodules file, a malicious project can execute an arbitrary script on a machine that runs "git clone --recurse-submodules" because submodule "names" are obtained from this file, and then appended to $GIT_DIR/modules, leading to directory traversal with "../" in a name. Finally, post-checkout hooks from a submodule are executed, bypassing the intended design in which hooks are not obtained from a remote server.
References
+ https://lkml.org/lkml/2018/5/29/889
Notes
CVE-2018-1124 created at 25 Sep 2019 19:31:40
Severity
+ Medium
Remote
+ Local
Type
+ Privilege escalation
Description
+ A security issue has been found in procps-ng <= 3.3.14. An attacker can exploit an integer overflow in libprocps's file2strvec() function and carry out an LPE when another user, administrator, or script executes a vulnerable utility (pgrep, pidof, pkill, and w are vulnerable by default; other utilities are vulnerable if executed with non-default options). Moreover, an attacker's process running inside a container can trigger this vulnerability in a utility running outside the container: the attacker can exploit this userland vulnerability and break out of the container or chroot.
References
+ https://www.qualys.com/2018/05/17/procps-ng-audit-report-advisory.txt
Notes
+ Related patch in Qualys' tarball: 0074-proc-readproc.c-Fix-bugs-and-overflows-in-file2strve.patch
CVE-2018-1125 created at 25 Sep 2019 19:31:40
Severity
+ Medium
Remote
+ Local
Type
+ Arbitrary code execution
Description
+ A potential stack-based buffer overflow has been found in the pgrep utility of procps-ng <= 3.3.14. If the strlen() of one of the cmdline arguments is greater than INT_MAX (it is possible), then the "int bytes" could wrap around completely, back to a very large positive int, and the next strncat() would be called with a huge number of destination bytes (a stack-based buffer overflow).
+ Fortunately, every distribution that we checked compiles its procps utilities with FORTIFY, and the fortified strncat() detects and aborts the buffer overflow before it occurs.
References
+ https://www.qualys.com/2018/05/17/procps-ng-audit-report-advisory.txt
Notes
+ Related patch in Qualys' tarball: 0008-pgrep-Prevent-a-potential-stack-based-buffer-overflo.patch
CVE-2018-1126 created at 25 Sep 2019 19:31:40
Severity
+ Medium
Remote
+ Local
Type
+ Arbitrary code execution
Description
+ A security issue has been found in procps-ng <= 3.3.14, in the xcalloc() and xrealloc() functions, where the use of an unsigned int instead of a size_t could lead to integer overflow on 64-bit platforms.
References
+ https://www.qualys.com/2018/05/17/procps-ng-audit-report-advisory.txt
Notes
+ Related patch in Qualys' tarball: 0035-proc-alloc.-Use-size_t-not-unsigned-int.patch
CVE-2018-11354 created at 25 Sep 2019 19:31:40
Severity
+ Medium
Remote
+ Remote
Type
+ Information disclosure
Description
+ An out-of-bounds read has been found in the IEEE 1905.1a dissector of Wireshark <= 2.6.0.
References
+ https://www.wireshark.org/security/wnpa-sec-2018-26.html
+ https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14647
Notes
CVE-2018-11355 created at 25 Sep 2019 19:31:40
Severity
+ Critical
Remote
+ Remote
Type
+ Arbitrary code execution
Description
+ A heap-based buffer overflow has been found in the RTCP dissector of Wireshark <= 2.6.0.
References
+ https://www.wireshark.org/security/wnpa-sec-2018-27.html
+ https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14673
Notes