Log

CVE-2019-7221 created at 25 Sep 2019 19:31:40
Severity
+ Critical
Remote
+ Local
Type
+ Privilege escalation
Description
+ A use-after-free vulnerability was found in the way the Linux kernel's KVM hypervisor emulates a preemption timer for L2 guests when nested (=1) virtualization is enabled. This high resolution timer (hrtimer) runs when an L2 guest is active. After VM exit, the sync_vmcs12() timer object is stopped. The use-after-free occurs if the timer object is freed before calling the sync_vmcs12() routine. A guest user/process could use this flaw to crash the host kernel resulting in a denial of service or, potentially, gain privileged access to a system.
References
+ https://bugs.chromium.org/p/project-zero/issues/detail?id=1759&desc=2
+ https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=353c0956a618a07ba4bbe7ad00ff29fe70e8412a
Notes
CVE-2019-7222 created at 25 Sep 2019 19:31:40
Severity
+ Medium
Remote
+ Local
Type
+ Information disclosure
Description
+ An information leakage issue was found in the way the Linux kernel's KVM hypervisor handled page fault exceptions while emulating instructions like VMXON, VMCLEAR, VMPTRLD, and VMWRITE with a memory address as an operand. It occurs if the operand is an MMIO address, as the returned exception object holds uninitialized stack memory contents. A guest user/process could use this flaw to leak the host's stack memory contents to a guest.
References
+ https://bugs.chromium.org/p/project-zero/issues/detail?id=1759
+ https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=353c0956a618a07ba4bbe7ad00ff29fe70e8412a
Notes
CVE-2019-7310 created at 25 Sep 2019 19:31:40
Severity
+ Low
Remote
+ Remote
Type
+ Denial of service
Description
+ In Poppler 0.73.0, a heap-based buffer over-read (due to an integer signedness error in the XRef::getEntry function in XRef.cc) allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted PDF document, as demonstrated by pdftocairo.
References
+ https://gitlab.freedesktop.org/poppler/poppler/issues/717
+ https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=12797
+ https://gitlab.freedesktop.org/poppler/poppler/commit/b54e1fc3e0d2600621a28d50f9f085b9e38619c2
Notes
CVE-2019-7314 created at 25 Sep 2019 19:31:40
Severity
+ Critical
Remote
+ Remote
Type
+ Arbitrary code execution
Description
+ liblivemedia in Live555 before 2019.02.03 mishandles the termination of an RTSP stream after RTP/RTCP-over-RTSP has been set up, which could lead to a use-after-free error that causes the RTSP server to crash (Segmentation fault) or possibly have unspecified other impact.
References
+ http://lists.live555.com/pipermail/live-devel/2019-February/021143.html
+ http://www.live555.com/liveMedia/public/changelog.txt
Notes
CVE-2019-7317 created at 25 Sep 2019 19:31:40
Severity
+ Low
Remote
+ Local
Type
+ Denial of service
Description
+ png_image_free in png.c in libpng 1.6.36 has a use-after-free because png_image_free_function is called under png_safe_execute.
References
+ https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=12803
+ https://github.com/glennrp/libpng/issues/275
Notes
CVE-2019-7524 created at 25 Sep 2019 19:31:40
Severity
+ High
Remote
+ Local
Type
+ Privilege escalation
Description
+ A stack-based buffer overflow has been found in Dovecot versions prior to 2.3.5.1. When reading an FTS or POP3-UIDL header from a Dovecot index, the input buffer size is not bounded, and data is copied to the target structure, causing a stack overflow. This can be used for local root privilege escalation or executing arbitrary code in the dovecot process context. This requires the ability to directly modify Dovecot indexes.
References
+ https://seclists.org/oss-sec/2019/q1/197
+ https://dovecot.org/pipermail/dovecot/2019-March/115296.html
+ https://github.com/dovecot/core/commit/79679674eb6d2c7d38f2537e613efc103058dff1
+ https://github.com/dovecot/core/commit/d79845350e0754f5e25c41bd56591ddd5b0a35fd
Notes
CVE-2019-7572 created at 25 Sep 2019 19:31:40
Severity
+ High
Remote
+ Remote
Type
+ Arbitrary code execution
Description
+ SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has a buffer over-read in IMA_ADPCM_nibble in audio/SDL_wave.c.
References
+ https://bugzilla.libsdl.org/show_bug.cgi?id=4495
+ https://discourse.libsdl.org/t/vulnerabilities-found-in-libsdl-1-2-15-and-sdl2/25720
+ https://hg.libsdl.org/SDL/rev/e52413f52586
+ https://hg.libsdl.org/SDL/rev/a8afedbcaea0
Notes
CVE-2019-7573 created at 25 Sep 2019 19:31:40
Severity
+ High
Remote
+ Remote
Type
+ Arbitrary code execution
Description
+ SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has a heap-based buffer over-read in InitMS_ADPCM in audio/SDL_wave.c (inside the wNumCoef loop).
References
+ https://bugzilla.libsdl.org/show_bug.cgi?id=4491
+ https://discourse.libsdl.org/t/vulnerabilities-found-in-libsdl-1-2-15-and-sdl2/25720
+ https://hg.libsdl.org/SDL/rev/388987dff7bf
+ https://hg.libsdl.org/SDL/rev/f9a9d6c76b21
Notes
+ Upstream states that the fix is similar to the one for CVE-2019-7578.
CVE-2019-7574 created at 25 Sep 2019 19:31:40
Severity
+ High
Remote
+ Remote
Type
+ Arbitrary code execution
Description
+ SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has a heap-based buffer over-read in IMA_ADPCM_decode in audio/SDL_wave.c.
References
+ https://bugzilla.libsdl.org/show_bug.cgi?id=4496
+ https://discourse.libsdl.org/t/vulnerabilities-found-in-libsdl-1-2-15-and-sdl2/25720
+ https://hg.libsdl.org/SDL/rev/a6e3d2f5183e
Notes
CVE-2019-7575 created at 25 Sep 2019 19:31:40
Severity
+ High
Remote
+ Remote
Type
+ Arbitrary code execution
Description
+ SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has a heap-based buffer overflow in MS_ADPCM_decode in audio/SDL_wave.c.
References
+ https://bugzilla.libsdl.org/show_bug.cgi?id=4493
+ https://discourse.libsdl.org/t/vulnerabilities-found-in-libsdl-1-2-15-and-sdl2/25720
+ https://hg.libsdl.org/SDL/rev/a936f9bd3e38
Notes