From e9d286982ad56577e3cd9c2b545c867baafbd13e Mon Sep 17 00:00:00 2001 From: Sona Sarmadi Date: Thu, 22 Feb 2018 09:27:40 +0100 Subject: Fixed CVEs which were not in the right order. Signed-off-by: Sona Sarmadi --- doc/enea-linux-security-report | 2110 ++++++++++++++++++++-------------------- 1 file changed, 1055 insertions(+), 1055 deletions(-) diff --git a/doc/enea-linux-security-report b/doc/enea-linux-security-report index 72a8f34..60b4597 100644 --- a/doc/enea-linux-security-report +++ b/doc/enea-linux-security-report 
@@ -1,1055 +1,1055 @@ -CVE-i2017-1000380 -Package: kernel -Score: 2.1 (Low) -Description: sound/core/timer.c in the Linux kernel before 4.11.5 is vulnerable to a data race in the ALSA /dev/snd/timer driver resulting in local users being able to read information belonging to other users, i.e., uninitialized memory contents may be disclosed when a read and an ioctl happen at the same time. -Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1000380 - -CVE-2017-1000253 -Package: kernel -Score: 8.0 (High) -Description: A flaw was found in the way the Linux kernel loaded ELF executables. Provided that an application was built as Position Independent Executable (PIE), the loader could allow part of that application's data segment to map over the memory area reserved for its stack, potentially resulting in memory corruption. An unprivileged local user with access to SUID (or otherwise privileged) PIE binary could use this flaw to escalate their privileges on the system.Upstream patch:https://git.kernel.org/linus/a87938b2e246b81b4fb713edb371a9fa3c5c3c86 -Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name= CVE-2017-1000253 - -CVE-2017-1000250 -Package: bluez5 -Score: 3.3 (Minor) -Description: All versions of the SDP server in BlueZ 5.46 and earlier are vulnerable to an information disclosure vulnerability which allows remote attackers to obtain sensitive information from the bluetoothd process memory. This vulnerability lies in the processing of SDP search attribute requests. -Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000250 - -CVE-2017-13081 -Package: linux-firmware -Score: 2.9 (Minor) -Description: Wi-Fi Protected Access (WPA and WPA2) that supports IEEE 802.11w allows reinstallation of the Integrity Group Temporal Key (IGTK) during the group key handshake, allowing an attacker within radio range to spoof frames from access points to clients. 
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13081 - -CVE-2017-13080 -Package: linux-firmware -Score: 2.9 (Minor) -Description: Wi-Fi Protected Access (WPA and WPA2) allows reinstallation of the Group Temporal Key (GTK) during the group key handshake, allowing an attacker within radio range to replay frames from access points to clients. -Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13080 - -CVE-2017-9955 -Package: GNU Binutils -Score: 4.3 (Medium) -Description: The get_build_id function in opncls.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted file in which a certain size field is larger than a corresponding data field, as demonstrated by mishandling within the objdump program. -Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9955 - -CVE-2017-9954 -Package: GNU Binutils -Score: 4.3 (Medium) -Description: The getvalue function in tekhex.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, allows remote attackers to cause a denial of service (stack-based buffer over-read and application crash) via a crafted tekhex file, as demonstrated by mishandling within the nm program. -Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9954 - -CVE-2017-9756 -Package: GNU Binutils -Score: 6.8 (Medium) -Description: The aarch64_ext_ldst_reglist function in opcodes/aarch64-dis.c in GNU Binutils 2.28 allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during \"objdump -D\" execution. 
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9756 - -CVE-2017-9755 -Package: GNU Binutils (objdump) -Score: 6.8 (Medium) -Description: opcodes/i386-dis.c in GNU Binutils 2.28 does not consider the number of registers for bnd mode, which allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during \"objdump -D\" execution. -Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9755 - -CVE-2017-9753 -Package: GNU Binutils -Score: 6.8 (Medium) -Description: The versados_mkobject function in bfd/versados.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, does not initialize a certain data structure, which allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during \"objdump -D\" execution. -Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9753 - -CVE-2017-9752 -Package: GNU Binutils, libbfd -Score: 6.8 (Medium) -Description: bfd/vms-alpha.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file in the _bfd_vms_get_value and _bfd_vms_slurp_etir functions during \"objdump -D\" execution. 
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9752 - -CVE-2017-9751 -Package: GNU Binutils -Score: 6.8 (Medium) -Description: opcodes/rl78-decode.opc in GNU Binutils 2.28 has an unbounded GETBYTE macro, which allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during \"objdump -D\" execution. -Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9751 - -CVE-2017-9750 -Package: GNU Binutils -Score: 6.8 (Medium) -Description: opcodes/rx-decode.opc in GNU Binutils 2.28 lacks bounds checks for certain scale arrays, which allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during \"objdump -D\" execution. -Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9750 - -CVE-2017-9749 -Package: GNU Binutils -Score: 6.8 (Medium) -Description: The *regs* macros in opcodes/bfin-dis.c in GNU Binutils 2.28 allow remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during \"objdump -D\" execution. -Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9749 - -CVE-2017-9748 -Package: GNU Binutils -Score: 6.8 (Medium) -Description: The ieee_object_p function in bfd/ieee.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, might allow remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during \"objdump -D\" execution. NOTE: this may be related to a compiler bug. 
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9748 - -CVE-2017-9747 -Package: GNU Binutils (libbfd) -Score: 6.8 (Medium) -Description: The ieee_archive_p function in bfd/ieee.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, might allow remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during \"objdump -D\" execution. NOTE: this may be related to a compiler bug. -Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9747 - -CVE-2017-9746 -Package: GNU Binutils -Score: 6.8 (Medium) -Description: The disassemble_bytes function in objdump.c in GNU Binutils 2.28 allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of rae insns printing for this file during \"objdump -D\" execution. -Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9746 - -CVE-2017-9745 -Package: GNU Binutils (libbfd) -Score: 6.8 (Medium) -Description: The _bfd_vms_slurp_etir function in bfd/vms-alpha.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during \"objdump -D\" execution. 
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9745 - -CVE-2017-9744 -Package: GNU Binutils (libbfd) -Score: 6.8 (Medium) -Description: The sh_elf_set_mach_from_flags function in bfd/elf32-sh.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during \"objdump -D\" execution. -Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9744 - -CVE-2017-9742 -Package: GNU Binutils (objdump) -Score: 6.8 (Medium) -Description: The score_opcodes function in opcodes/score7-dis.c in GNU Binutils 2.28 allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during \"objdump -D\" execution. -Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9742 - -CVE-2017-9445 -Package: systemd -Score: 5.0 (Medium) -Description: In systemd through 233, certain sizes passed to dns_packet_new in systemd-resolved can cause it to allocate a buffer that's too small. A malicious DNS server can exploit this via a response with a specially crafted TCP payload to trick systemd-resolved into allocating a buffer that's too small, and subsequently write arbitrary data beyond the end of it. -Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9445 - -CVE-2017-9050 -Package: libxml2-native -Score: 5.0 (Medium) -Description: libxml2 20904-GITv2.9.4-16-g0741801 is vulnerable to a heap-based buffer over-read in the xmlDictAddString function in dict.c. This vulnerability causes programs that use libxml2, such as PHP, to crash. This vulnerability exists because of an incomplete fix for CVE-2016-1839. 
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9050 - -CVE-2017-9049 -Package: libxml2-native -Score: 5.0 (Medium) -Description: libxml2 20904-GITv2.9.4-16-g0741801 is vulnerable to a heap-based buffer over-read in the xmlDictComputeFastKey function in dict.c. This vulnerability causes programs that use libxml2, such as PHP, to crash. This vulnerability exists because of an incomplete fix for libxml2 Bug 759398. -Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9049 - -CVE-2017-9048 -Package: libxml2-native -Score: 5.0 (Medium) -Description: libxml2 20904-GITv2.9.4-16-g0741801 is vulnerable to a stack-based buffer overflow. The function xmlSnprintfElementContent in valid.c is supposed to recursively dump the element content definition into a char buffer 'buf' of size 'size'. At the end of the routine, the function may strcat two more characters without checking whether the current strlen(buf) + 2 < size. This vulnerability causes programs that use libxml2, such as PHP, to crash. -Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9048 - -CVE-2017-9047 -Package: libxml2-native -Score: 5.0 (Medium) -Description: A buffer overflow was discovered in libxml2 20904-GITv2.9.4-16-g0741801. The function xmlSnprintfElementContent in valid.c is supposed to recursively dump the element content definition into a char buffer 'buf' of size 'size'. The variable len is assigned strlen(buf). If the content->type is XML_ELEMENT_CONTENT_ELEMENT, then (i) the content->prefix is appended to buf (if it actually fits) whereupon (ii) content->name is written to the buffer. However, the check for whether the content->name actually fits also uses 'len' rather than the updated buffer length strlen(buf). This allows us to write about "size" many bytes beyond the allocated memory. This vulnerability causes programs that use libxml2, such as PHP, to crash. 
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9047 - -CVE-2017-9044 -Package: GNU Binutils (readelf) -Score: 4.3 (Medium) -Description: The print_symbol_for_build_attribute function in readelf.c in GNU Binutils 2017-04-12 allows remote attackers to cause a denial of service (invalid read and SEGV) via a crafted ELF file. -Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9044 - -CVE-2017-9042 -Package: GNU Binutils -Score: 6.8 (Medium) -Description: readelf.c in GNU Binutils 2017-04-12 has a \"cannot be represented in type long\" issue, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted ELF file. -Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9042 - -CVE-2017-9040 -Package: GNU Binutils -Score: 4.3 (Medium) -Description: GNU Binutils 2017-04-03 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash), related to the process_mips_specific function in readelf.c, via a crafted ELF file that triggers a large memory-allocation attempt. -Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9040 - -CVE-2017-9039 -Package: GNU Binutils (readelf) -Score: 4.3 (Medium) -Description: GNU Binutils 2.28 allows remote attackers to cause a denial of service (memory consumption) via a crafted ELF file with many program headers, related to the get_program_headers function in readelf.c. -Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9039 - -CVE-2017-9038 -Package: GNU Binutils (readelf) -Score: 4.3 (Medium) -Description: GNU Binutils 2.28 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted ELF file, related to the byte_get_little_endian function in elfcomm.c, the get_unwind_section_word function in readelf.c, and ARM unwind information that contains invalid word offsets. 
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9038 - -CVE-2017-8872 -Package: libxml2-native -Score: 6.4 (Medium) -Description: The htmlParseTryOrFinish function in HTMLparser.c in libxml2 2.9.4 allows attackers to cause a denial of service (buffer over-read) or information disclosure. -Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8872 - -CVE-2017-8831 -Package: kernel -Score: 7.2 (High) -Description: The saa7164_bus_get function in drivers/media/pci/saa7164/saa7164-bus.c in the Linux kernel through 4.10.14 allows local users to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact by changing a certain sequence-number value, aka a "double fetch" vulnerability. -Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8831 - -CVE-2017-8804 -Package: glibc -Score: 7.8 (High) -Description: The xdr_bytes and xdr_string functions in the GNU C Library (aka glibc or libc6) 2.25 mishandle failures of buffer deserialization, which allows remote attackers to cause a denial of service (virtual memory allocation, or memory consumption if an overcommit setting is not used) via a crafted UDP packet to port 111, a related issue to CVE-2017-8779. 
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8804 - -CVE-2017-8779 -Package: rpcbind -Score: 7.8 (High) -Description: rpcbind through 0.2.4, LIBTIRPC through 1.0.1 and 1.0.2-rc through 1.0.2-rc3, and NTIRPC through 1.4.3 do not consider the maximum RPC data size during memory allocation for XDR strings, which allows remote attackers to cause a denial of service (memory consumption with no subsequent free) via a crafted UDP packet to port 111, aka rpcbomb -Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8779 - -CVE-2017-8421 -Package: GNU Binutils -Score: 7.1 (High) -Description: The function coff_set_alignment_hook in coffcode.h in Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, has a memory leak vulnerability which can cause memory exhaustion in objdump via a crafted PE file. Additional validation in dump_relocs_in_section in objdump.c can resolve this. -Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8421 - -CVE-2017-8398 -Package: GNU Binutils -Score: 5.0 (Medium) -Description: dwarf.c in GNU Binutils 2.28 is vulnerable to an invalid read of size 1 during dumping of debug information from a corrupt binary. This vulnerability causes programs that conduct an analysis of binary programs, such as objdump and readelf, to crash. -Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8398 - -CVE-2017-8397 -Package: GNU Binutils -Score: 5.0 (Medium) -Description: The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, is vulnerable to an invalid read of size 1 and an invalid write of size 1 during processing of a corrupt binary containing reloc(s) with negative addresses. This vulnerability causes programs that conduct an analysis of binary programs using the libbfd library, such as objdump, to crash. 
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8397 - -CVE-2017-8396 -Package: GNU Binutils -Score: 5.0 (Medium) -Description: The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, is vulnerable to an invalid read of size 1 because the existing reloc offset range tests didn't catch small negative offsets less than the size of the reloc field. This vulnerability causes programs that conduct an analysis of binary programs using the libbfd library, such as objdump, to crash. -Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8396 - -CVE-2017-8395 -Package: GNU Binutils -Score: 5.0 (Medium) -Description: The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, is vulnerable to an invalid write of size 8 because of missing a malloc() return-value check to see if memory had actually been allocated in the _bfd_generic_get_section_contents function. This vulnerability causes programs that conduct an analysis of binary programs using the libbfd library, such as objcopy, to crash. -Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8395 - -CVE-2017-8394 -Package: GNU Binutils -Score: 5.0 (Medium) -Description: The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, is vulnerable to an invalid read of size 4 due to NULL pointer dereferencing of _bfd_elf_large_com_section. This vulnerability causes programs that conduct an analysis of binary programs using the libbfd library, such as objcopy, to crash. -Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8394 - -CVE-2017-8393 -Package: GNU Binutils -Score: 5.0 (Medium) -Description: The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, is vulnerable to a global buffer over-read error because of an assumption made by code that runs for objcopy and strip, that SHT_REL/SHR_RELA sections are always named starting with a .rel/.rela prefix. 
This vulnerability causes programs that conduct an analysis of binary programs using the libbfd library, such as objcopy and strip, to crash. -Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8393 - -CVE-2017-8392 -Package: binutils -Score: 5.0 (Medium) -Description: The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, is vulnerable to an invalid read of size 8 because of missing a check to determine whether symbols are NULL in the _bfd_dwarf2_find_nearest_line function. This vulnerability causes programs that conduct an analysis of binary programs using the libbfd library, such as objdump, to crash. -Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8392 - -CVE-2017-8283 -Package: dpkg -Score: 7.5 (High) -Description: dpkg-source in dpkg 1.3.0 through 1.18.23 is able to use a non-GNU patch program and does not offer a protection mechanism for blank-indented diff hunks, which allows remote attackers to conduct directory traversal attacks via a crafted Debian source package, as demonstrated by use of dpkg-source on NetBSD. -Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8283 - -CVE-2017-8105 -Package: freetype -Score: 7.5 (High) -Description: FreeType 2 before 2017-03-24 has an out-of-bounds write caused by a heap-based buffer overflow related to the t1_decoder_parse_charstrings function in psaux/t1decode.c. -Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8105 - -CVE-2017-8072 -Package: kernel -Score: 7.2 (High) -Description: The cp2112_gpio_direction_input function in drivers/hid/hid-cp2112.c in the Linux kernel 4.9.x before 4.9.9 does not have the expected EIO error status for a zero-length report, which allows local users to have an unspecified impact via unknown vectors. 
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8072 - -CVE-2017-8071 -Package: kernel -Score: 2.1 (Low) -Description: drivers/hid/hid-cp2112.c in the Linux kernel 4.9.x before 4.9.9 uses a spinlock without considering that sleeping is possible in a USB HID request callback, which allows local users to cause a denial of service (deadlock) via unspecified vectors. -Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8071 - -CVE-2017-8070 -Package: kernel -Score: 7.2 (High) -Description: drivers/net/usb/catc.c in the Linux kernel 4.9.x before 4.9.11 interacts incorrectly with the CONFIG_VMAP_STACK option, which allows local users to cause a denial of service (system crash or memory corruption) or possibly have unspecified other impact by leveraging use of more than one virtual page for a DMA scatterlist. -Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8070 - -CVE-2017-8069 -Package: kernel -Score: 7.2 (High) -Description: drivers/net/usb/rtl8150.c in the Linux kernel 4.9.x before 4.9.11 interacts incorrectly with the CONFIG_VMAP_STACK option, which allows local users to cause a denial of service (system crash or memory corruption) or possibly have unspecified other impact by leveraging use of more than one virtual page for a DMA scatterlist. -Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8069 - -CVE-2017-8068 -Package: kernel -Score: 7.2 (High) -Description: drivers/net/usb/pegasus.c in the Linux kernel 4.9.x before 4.9.11 interacts incorrectly with the CONFIG_VMAP_STACK option, which allows local users to cause a denial of service (system crash or memory corruption) or possibly have unspecified other impact by leveraging use of more than one virtual page for a DMA scatterlist. 
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8068 - -CVE-2017-8067 -Package: kernel -Score: 7.2 (High) -Description: drivers/char/virtio_console.c in the Linux kernel 4.9.x and 4.10.x before 4.10.12 interacts incorrectly with the CONFIG_VMAP_STACK option, which allows local users to cause a denial of service (system crash or memory corruption) or possibly have unspecified other impact by leveraging use of more than one virtual page for a DMA scatterlist. -Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8067 - -CVE-2017-8066 -Package: kernel -Score: 7.2 (High) -Description: drivers/net/can/usb/gs_usb.c in the Linux kernel 4.9.x and 4.10.x before 4.10.2 interacts incorrectly with the CONFIG_VMAP_STACK option, which allows local users to cause a denial of service (system crash or memory corruption) or possibly have unspecified other impact by leveraging use of more than one virtual page for a DMA scatterlist. -Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8066 - -CVE-2017-8065 -Package: kernel -Score: 7.2 (High) -Description: rypto/ccm.c in the Linux kernel 4.9.x and 4.10.x through 4.10.12 interacts incorrectly with the CONFIG_VMAP_STACK option, which allows local users to cause a denial of service (system crash or memory corruption) or possibly have unspecified other impact by leveraging use of more than one virtual page for a DMA scatterlist. -Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8065 - -CVE-2017-8064 -Package: kernel -Score: 7.2 (High) -Description: drivers/media/usb/dvb-usb-v2/dvb_usb_core.c in the Linux kernel 4.9.x and 4.10.x before 4.10.12 interacts incorrectly with the CONFIG_VMAP_STACK option, which allows local users to cause a denial of service (system crash or memory corruption) or possibly have unspecified other impact by leveraging use of more than one virtual page for a DMA scatterlist. 
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8064 - -CVE-2017-8063 -Package: kernel -Score: 7.2 (High) -Description: drivers/media/usb/dvb-usb/cxusb.c in the Linux kernel 4.9.x and 4.10.x before 4.10.12 interacts incorrectly with the CONFIG_VMAP_STACK option, which allows local users to cause a denial of service (system crash) or possibly have unspecified other impact by leveraging use of more than one virtual page for a DMA scatterlist. -Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8063 - -CVE-2017-8062 -Package: kernel -Score: 7.2 (High) -Description: drivers/media/usb/dvb-usb/dw2102.c in the Linux kernel 4.9.x and 4.10.x before 4.10.4 interacts incorrectly with the CONFIG_VMAP_STACK option, which allows local users to cause a denial of service (system crash or memory corruption) or possibly have unspecified other impact by leveraging use of more than one virtual page for a DMA scatterlist. -Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8062 - -CVE-2017-8061 -Package: kernel -Score: 7.2 (High) -Description: drivers/media/usb/dvb-usb/dvb-usb-firmware.c in the Linux kernel 4.9.x and 4.10.x before 4.10.7 interacts incorrectly with the CONFIG_VMAP_STACK option, which allows local users to cause a denial of service (system crash or memory corruption) or possibly have unspecified other impact by leveraging use of more than one virtual page for a DMA scatterlist. -Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8061 - -CVE-2017-7895 -Package: kernel -Score: 10.0 (High) -Description: The NFSv2 and NFSv3 server implementations in the Linux kernel through 4.10.13 lack certain checks for the end of a buffer, which allows remote attackers to trigger pointer-arithmetic errors or possibly have unspecified other impact via crafted requests, related to fs/nfsd/nfs3xdr.c and fs/nfsd/nfsxdr.c. 
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7895 - -CVE-2017-7869 -Package: gnutls -Score: 5.0 (Medium) -Description: GnuTLS before 2017-02-20 has an out-of-bounds write caused by an integer overflow and heap-based buffer overflow related to the cdk_pkt_read function in opencdk/read-packet.c. This issue (which is a subset of the vendor's GNUTLS-SA-2017-3 report) is fixed in 3.5.10. -Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7869 - -CVE-2017-7645 -Package: kernel -Score: 7.8 (High) -Description: The NFSv2/NFSv3 server in the nfsd subsystem in the Linux kernel through 4.10.11 allows remote attackers to cause a denial of service (system crash) via a long RPC reply, related to net/sunrpc/svc.c, fs/nfsd/nfs3xdr.c, and fs/nfsd/nfsxdr.c. -Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7645 - -CVE-2017-7618 -Package: kernel -Score: 7.8 (High) -Description: crypto/ahash.c in the Linux kernel through 4.10.9 allows attackers to cause a denial of service (API operation calling its own callback, and infinite recursion) by triggering EBUSY on a full queue. -Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7618 - -CVE-2017-7614 -Package: GNU Binutils -Score: 7.5 (High) -Description: elflink.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, has a \"member access within null pointer\" undefined behavior issue, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via an \"int main() {return 0;}\" program. 
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7614 - -CVE-2017-7487 -Package: kernel -Score: 7.2 (High) -Description: The ipxitf_ioctl function in net/ipx/af_ipx.c in the Linux kernel through 4.11.1 mishandles reference counts, which allows local users to cause a denial of service (use-after-free) or possibly have unspecified other impact via a failed SIOCGIFADDR ioctl call for an IPX interface. -Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7487 - -CVE-2017-7472 -Package: kernel -Score: 4.9 (Medium) -Description: The KEYS subsystem in the Linux kernel before 4.10.13 allows local users to cause a denial of service (memory consumption) via a series of KEY_REQKEY_DEFL_THREAD_KEYRING keyctl_set_reqkey_keyring calls. -Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7472 - -CVE-2017-7468 -Package: curl -Score: 6.0 (Medium) -Description: libcurl would attempt to resume a TLS session even if the client certificate had changed. That is unacceptable since a server by specification is allowed to skip the client certificate check on resume, and may instead use the old identity which was established by the previous certificate (or no certificate). -Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7468 - -CVE-2017-7407 -Package: curl -Score: 2.1 (Low) -Description: The ourWriteOut function in tool_writeout.c in curl 7.53.1 might allow physically proximate attackers to obtain sensitive information from process memory in opportunistic circumstances by reading a workstation screen during use of a --write-out argument ending in a '%' character, which leads to a heap-based buffer over-read. 
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7407 - -CVE-2017-7304 -Package: Binutils -Score: 5.0 (Medium) -Description: The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, is vulnerable to an invalid read (of size 8) because of missing a check (in the copy_special_section_fields function) for an invalid sh_link field before attempting to follow it. This vulnerability causes Binutils utilities like strip to crash. -Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7304 - -CVE-2017-7223 -Package: GNU Binutils -Score: 5.0 (Medium) -Description: GNU assembler in GNU Binutils 2.28 is vulnerable to a global buffer overflow (of size 1) while attempting to unget an EOF character from the input stream, potentially leading to a program crash. -Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7223 - -CVE-2017-7210 -Package: binutils -Score: 7.8 (High) -Description: objdump in GNU Binutils 2.28 is vulnerable to multiple heap-based buffer over-reads (of size 1 and size 8) while handling corrupt STABS enum type strings in a crafted object file, leading to program crash. -Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7210 - -CVE-2017-7209 -Package: binutils -Score: 4.3 (Medium) -Description: The dump_section_as_bytes function in readelf in GNU Binutils 2.28 accesses a NULL pointer while reading section contents in a corrupt binary, leading to a program crash. -Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7209 - -CVE-2017-6969 -Package: binutils -Score: 6.4 (Medium) -Description: readelf in GNU Binutils 2.28 is vulnerable to a heap-based buffer over-read while processing corrupt RL78 binaries. The vulnerability can trigger program crashes. It may lead to an information leak as well. 
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6969 - -CVE-2017-6966 -Package: binutil -Score: 4.0 (Medium) -Description: readelf in GNU Binutils 2.28 has a use-after-free (specifically read-after-free) error while processing multiple, relocated sections in an MSP430 binary. This is caused by mishandling of an invalid symbol index, and mishandling of state across invocations. -Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6966 - -CVE-2017-6965 -Package: binutils -Score: 4.3 (Medium) -Description: readelf in GNU Binutils 2.28 writes to illegal addresses while processing corrupt input files containing symbol-difference relocations, leading to a heap-based buffer overflow. -Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6965 - -CVE-2017-6874 -Package: Kernel -Score: 7.0 (High) -Description: Race condition in kernel/ucount.c in the Linux kernel through 4.10.2 allows local users to cause a denial of service (use-after-free and system crash) or possibly have unspecified other impact via crafted system calls that leverage certain decrement behavior that causes incorrect interaction between put_ucounts and get_ucounts. -Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6874 - -CVE-2017-6353 -Package: Kernel -Score: 5.0 (Medium) -Description: net/sctp/socket.c in the Linux kernel through 4.10.1 does not properly restrict association peel-off operations during certain wait states, which allows local users to cause a denial of service (invalid unlock and double free) via a multithreaded application. NOTE: this vulnerability exists because of an incorrect fix for CVE-2017-5986. 
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6353 - -CVE-2017-6348 -Package: Kernel -Score: 5.0 (Medium) -Description: The hashbin_delete function in net/irda/irqueue.c in the Linux kernel before 4.9.13 improperly manages lock dropping, which allows local users to cause a denial of service (deadlock) via crafted operations on IrDA devices. -Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6348 - -CVE-2017-6347 -Package: Kernel -Score: 7.0 (High) -Description: The ip_cmsg_recv_checksum function in net/ipv4/ip_sockglue.c in the Linux kernel before 4.10.1 has incorrect expectations about skb data layout, which allows local users to cause a denial of service (buffer over-read) or possibly have unspecified other impact via crafted system calls, as demonstrated by use of the MSG_MORE flag in conjunction with loopback UDP transmission. -Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6347 - -CVE-2017-6346 -Package: Kernel -Score: 7.0 (High) -Description: Race condition in net/packet/af_packet.c in the Linux kernel before 4.9.13 allows local users to cause a denial of service (use-after-free) or possibly have unspecified other impact via a multithreaded application that makes PACKET_FANOUT setsockopt system calls. -Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6346 - -CVE-2017-6345 -Package: Kernel -Score: 5.0 (Medium) -Description: The LLC subsystem in the Linux kernel before 4.9.13 does not ensure that a certain destructor exists in required circumstances, which allows local users to cause a denial of service (BUG_ON) or possibly have unspecified other impact via crafted system calls. 
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6345 - -CVE-2017-6214 -Package: Kernel -Score: 5.0 (Medium) -Description: The tcp_splice_read function in net/ipv4/tcp.c in the Linux kernel before 4.9.11 allows remote attackers to cause a denial of service (infinite loop and soft lockup) via vectors involving a TCP packet with the URG flag. -Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6214 - -CVE-2017-6074 -Package: Kernel -Score: 8.0 (High) -Description: The dccp_rcv_state_process function in net/dccp/input.c in the Linux kernel through 4.9.11 mishandles DCCP_PKT_REQUEST packet data structures in the LISTEN state, which allows local users to obtain root privileges or cause a denial of service (double free) via an application that makes an IPV6_RECVPKTINFO setsockopt system call. -Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6074 - -CVE-2017-6001 -Package: Kernel -Score: 8.0 (High) -Description: Race condition in kernel/events/core.c in the Linux kernel before 4.9.7 allows local users to gain privileges via a crafted application that makes concurrent perf_event_open system calls for moving a software group into a hardware context. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-6786. -Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6001 - -CVE-2017-5986 -Package: Kernel -Score: 7.0 (High) -Description: Race condition in the sctp_wait_for_sndbuf function in net/sctp/socket.c in the Linux kernel before 4.9.11 allows local users to cause a denial of service (assertion failure and panic) via a multithreaded application that peels off an association in a certain buffer-full state. 
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5986 - -CVE-2017-5970 -Package: Kernel -Score: 5.0 (Medium) -Description: The ipv4_pktinfo_prepare function in net/ipv4/ip_sockglue.c in the Linux kernel through 4.9.9 allows attackers to cause a denial of service (system crash) via (1) an application that makes crafted system calls or possibly (2) IPv4 traffic with invalid IP options. -Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5970 - -CVE-2017-5969 -Package: libxml2-native -Score: 2.6 (Low) -Description: libxml2 2.9.4, when used in recover mode, allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted XML document. NOTE: The maintainer states "I would disagree of a CVE with the Recover parsing option which should only be used for manual recovery at least for XML parser." -Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5969 - -CVE-2017-5848 -Package: gstreamer -Score: 5.0 (Medium) -Description: The gst_ps_demux_parse_psm function in gst/mpegdemux/gstmpegdemux.c in gst-plugins-bad in GStreamer allows remote attackers to cause a denial of service (invalid memory read and crash) via vectors involving PSM parsing. -Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5848 - -CVE-2017-5847 -Package: gstreamer -Score: 5.0 (Medium) -Description: The gst_asf_demux_process_ext_content_desc function in gst/asfdemux/gstasfdemux.c in gst-plugins-ugly in GStreamer allows remote attackers to cause a denial of service (out-of-bounds heap read) via vectors involving extended content descriptors. 
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5847 - -CVE-2017-5669 -Package: Kernel -Score: 5.0 (Medium) -Description: The do_shmat function in ipc/shm.c in the Linux kernel through 4.9.12 does not restrict the address calculated by a certain rounding operation, which allows local users to map page zero, and consequently bypass a protection mechanism that exists for the mmap system call, by making crafted shmget and shmat system calls in a privileged context. -Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5669 - -CVE-2017-5618 -Package: GNU screen -Score: 7.2 (High) -Description: GNU screen before 4.5.1 allows local users to modify arbitrary files and consequently gain root privileges by leveraging improper checking of logfile permissions. -Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5618 - -CVE-2017-5601 -Package: libarchive -Score: 5.0 (Medium) -Description: An error in the lha_read_file_header_1() function (archive_read_support_format_lha.c) in libarchive 3.2.2 allows remote attackers to trigger an out-of-bounds read memory access and subsequently cause a crash via a specially crafted archive. -Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5601 - -CVE-2017-5577 -Package: Kernel -Score: 5.0 (Medium) -Description: The vc4_get_bcl function in drivers/gpu/drm/vc4/vc4_gem.c in the VideoCore DRM driver in the Linux kernel before 4.9.7 does not set an errno value upon certain overflow detections, which allows local users to cause a denial of service (incorrect pointer dereference and OOPS) via inconsistent size values in a VC4_SUBMIT_CL ioctl call. 
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5577 - -CVE-2017-5576 -Package: Kernel -Score: 7.0 (High) -Description: Integer overflow in the vc4_get_bcl function in drivers/gpu/drm/vc4/vc4_gem.c in the VideoCore DRM driver in the Linux kernel before 4.9.7 allows local users to cause a denial of service or possibly have unspecified other impact via a crafted size value in a VC4_SUBMIT_CL ioctl call. -Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5576 - -CVE-2017-5551 -Package: Kernel -Score: 4.0 (Medium) -Description: The simple_set_acl function in fs/posix_acl.c in the Linux kernel before 4.9.6 preserves the setgid bit during a setxattr call involving a tmpfs filesystem, which allows local users to gain group privileges by leveraging the existence of a setgid program with restrictions on execute permissions. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-7097. -Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5551 - -CVE-2017-5548 -Package: Kernel -Score: 7.0 (High) -Description: drivers/net/ieee802154/atusb.c in the Linux kernel 4.9.x before 4.9.6 interacts incorrectly with the CONFIG_VMAP_STACK option, which allows local users to cause a denial of service (system crash or memory corruption) or possibly have unspecified other impact by leveraging use of more than one virtual page for a DMA scatterlist. -Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5548 - -CVE-2017-5547 -Package: Kernel -Score: 7.0 (High) -Description: drivers/hid/hid-corsair.c in the Linux kernel 4.9.x before 4.9.6 interacts incorrectly with the CONFIG_VMAP_STACK option, which allows local users to cause a denial of service (system crash or memory corruption) or possibly have unspecified other impact by leveraging use of more than one virtual page for a DMA scatterlist. 
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5547 - -CVE-2017-5546 -Package: Kernel -Score: 7.0 (High) -Description: The freelist-randomization feature in mm/slab.c in the Linux kernel 4.8.x and 4.9.x before 4.9.5 allows local users to cause a denial of service (duplicate freelist entries and system crash) or possibly have unspecified other impact in opportunistic circumstances by leveraging the selection of a large value for a random number. -Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5546 - -CVE-2017-5335 -Package: GnuTLS -Score: 5.0 (Medium) -Description: The stream reading functions in lib/opencdk/read-packet.c in GnuTLS before 3.3.26 and 3.5.x before 3.5.8 allow remote attackers to cause a denial of service (out-of-memory error and crash) via a crafted OpenPGP certificate. -Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5335 - -CVE-2017-5225 -Package: tiff -Score: 7.5 (High) -Description: LibTIFF version 4.0.7 is vulnerable to a heap buffer overflow in the tools/tiffcp resulting in DoS or code execution via a crafted BitsPerSample value. -Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5225 - -CVE-2017-5029 -Package: libxslt -Score: 6.8 (Medium) -Description: The xsltAddTextString function in transform.c in libxslt 1.1.29, as used in Blink in Google Chrome prior to 57.0.2987.98 for Mac, Windows, and Linux and 57.0.2987.108 for Android, lacked a check for integer overflow during a size calculation, which allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. -Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5029 - -CVE-2017-3731 -Package: OpenSSL -Score: 5.0 (Medium) -Description: If an SSL/TLS server or client is running on a 32-bit host, and a specific cipher is being used, then a truncated packet can cause that server or client to perform an out-of-bounds read, usually resulting in a crash. 
For OpenSSL 1.1.0, the crash can be triggered when using CHACHA20/POLY1305; users should upgrade to 1.1.0d. For Openssl 1.0.2, the crash can be triggered when using RC4-MD5; users who have not disabled that algorithm should update to 1.0.2k. -Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3731 - -CVE-2017-3136 -Package: bind -Score: 5.9 (Medium) -Description: A query with a specific set of characteristics could cause a server using DNS64 to encounter an assertion failure and terminate.An attacker could deliberately construct a query, enabling denial-of-service against a server if it was configured to use the DNS64 feature and other preconditions were met. -Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3136 - -CVE-2017-3135 -Package: bind -Score: 6.0 (Medium) -Description: Under some conditions when using both DNS64 and RPZ to rewrite query responses, query processing can resume in an inconsistent state leading to either an INSIST assertion failure or an attempt to read through a NULL pointer. -Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3135 - -CVE-2017-2636 -Package: Kernel -Score: 7.2 (High) -Description: Race condition in drivers/tty/n_hdlc.c in the Linux kernel through 4.10.1 allows local users to gain privileges or cause a denial of service (double free) by setting the HDLC line discipline. -Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2636 - -CVE-2017-2628 -Package: curl -Score: 0.0 (Low) -Description: It was found that the fix for CVE-2015-3148 in curl was incomplete. An application using libcurl with HTTP Negotiate authentication could incorrectly re-use credentials for subsequent requests to the same server. 
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2628 - -CVE-2017-18017 -Package: kernel -Score: 5.0 (Medium) -Description: The tcpmss_mangle_packet function in net/netfilter/xt_TCPMSS.c in the Linux kernel before 4.11, and 4.9.x before 4.9.36, allows remote attackers to cause a denial of service (use-after-free and memory corruption) or possibly have unspecified other impact by leveraging the presence of xt_TCPMSS in an iptables action. -Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18017 - -CVE-2017-14496 -Package: dnsmasq -Score: 7.0 (High) -Description: Integer underflow in the add_pseudoheader function in dnsmasq before 2.78 , when the --add-mac, --add-cpe-id or --add-subnet option is specified, allows remote attackers to cause a denial of service via a crafted DNS request. -Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14496 - -CVE-2017-14106 -Package: kernel -Score: 4.9 (Medium) -Description: The tcp_disconnect function in net/ipv4/tcp.c in the Linux kernel before 4.12 allows local users to cause a denial of service (__tcp_select_window divide-by-zero error and system crash) by triggering a disconnect within a certain tcp_recvmsg code path. -Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14106 - -CVE-2017-12132 -Package: glibc -Score: 4.3 (Medium) -Description: The DNS stub resolver in the GNU C Library (aka glibc or libc6) before version 2.26, when EDNS support is enabled, will solicit large UDP responses from name servers, potentially simplifying off-path DNS spoofing attacks due to IP fragmentation. -Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12132 - -CVE-2017-11176 -Package: kernel -Score: 10.0 (High) -Description: The mq_notify function in the Linux kernel through 4.11.9 does not set the sock pointer to NULL upon entry into the retry logic. 
During a user-space close of a Netlink socket, it allows attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact. -Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11176 - -CVE-2017-1000366 -Package: glibc -Score: 7.2 (High) -Description: glibc contains a vulnerability that allows specially crafted LD_LIBRARY_PATH values to manipulate the heap/stack, causing them to alias, potentially resulting in arbitrary code execution. Please note that additional hardening changes have been made to glibc to prevent manipulation of stack and heap memory but these issues are not directly exploitable, as such they have not been given a CVE. -Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000366 - -CVE-2017-1000365 -Package: kernel -Score: 7.2 (High) -Description: The Linux Kernel imposes a size restriction on the arguments and environmental strings passed through RLIMIT_STACK/RLIM_INFINITY (1/4 of the size), but does not take the argument and environment pointers into account, which allows attackers to bypass this limitation. This affects Linux Kernel versions 4.11.5 and earlier. It appears that this feature was introduced in the Linux Kernel version 2.6.23. -Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000365 - -CVE-2017-1000251 -Package: kernel -Score: 8.3 (High) -Description: The native Bluetooth stack in the Linux Kernel (BlueZ), starting at the Linux kernel version 2.6.32 and up to and including 4.13.1, are vulnerable to a stack overflow vulnerability in the processing of L2CAP configuration responses resulting in Remote code execution in kernel space. -Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000251 - -CVE-2017-1000111 -Package: kernel -Score: 7.2 (High) -Description: Linux kernel: heap out-of-bounds in AF_PACKET sockets. This new issue is analogous to previously disclosed CVE-2016-8655. 
In both cases, a socket option that changes socket state may race with safety checks in packet_set_ring. Previously with PACKET_VERSION. This time with PACKET_RESERVE. The solution is similar: lock the socket for the update. This issue may be exploitable, we did not investigate further. As this issue affects PF_PACKET sockets, it requires CAP_NET_RAW in the process namespace. But note that with user namespaces enabled, any process can create a namespace in which it has CAP_NET_RAW. -Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000111 - -CVE-2017-1000101 -Package: curl -Score: 4.0 (Medium) -Description: curl supports "globbing" of URLs, in which a user can pass a numerical rangeto have the tool iterate over those numbers to do a sequence of transfers.In the globbing function that parses the numerical range, there was anomission that made curl read a byte beyond the end of the URL if given acarefully crafted, or just wrongly written, URL. The URL is stored in a heapbased buffer, so it could then be made to wrongly read something else insteadof crashing. -Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000101 - -CVE-2017-1000100 -Package: curl -Score: 4.0 (Medium) -Description: When doing an TFTP upload and curl/libcurl is given a URL that contains a verylong file name (longer than about 515 bytes), the file name is truncated tofit within the buffer boundaries, but the buffer size is still wrongly updatedto use the untruncated length. This too large value is then used in the`send()` call, making curl attempt to send more data than what is actually putinto the buffer. The `send()` function will then read beyond the end of theheap based buffer. -Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000100 - -CVE-2017-1000082 -Package: systemd -Score: 10.0 (High) -Description: systemd v233 and earlier fails to safely parse usernames starting with a numeric digit (e.g. 
"0day"), running the service in question with root privileges rather than the user intended. -Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000082 - -CVE-2016-9844 -Package: unzip -Score: 2.1 (Low) -Description: Buffer overflow in the zi_short function in zipinfo.c in Info-Zip UnZip 6.0 allows remote attackers to cause a denial of service (crash) via a large compression method value in the central directory file header. -Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9844 - -CVE-2016-9754 -Package: Kernel -Score: 7.0 (High) -Description: The ring_buffer_resize function in kernel/trace/ring_buffer.c in the profiling subsystem in the Linux kernel before 4.6.1 mishandles certain integer calculations, which allows local users to gain privileges by writing to the /sys/kernel/debug/tracing/buffer_size_kb file. -Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9754 - -CVE-2016-9444 -Package: bind -Score: 7.0 (High) -Description: named in ISC BIND 9.x before 9.9.9-P5, 9.10.x before 9.10.4-P5, and 9.11.x before 9.11.0-P2 allows remote attackers to cause a denial of service (assertion failure and daemon exit) via a crafted DS resource record in an answer. -Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9444 - -CVE-2016-9401 -Package: bash -Score: 2.0 (Low) -Description: ref to yocto patch: http://git.yoctoproject.org/cgit/cgit.cgi/poky/commit/?id=1b2857a781b6666feaf5d3c91dc02ac263d0c4f6 -Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9401 - -CVE-2016-9318 -Package: libxml2-native -Score: 6.8 (Medium) -Description: libxml2 2.9.4 and earlier, as used in XMLSec 1.2.23 and earlier and other products, does not offer a flag directly indicating that the current document may be read but other files may not be opened, which makes it easier for remote attackers to conduct XML External Entity (XXE) attacks via a crafted document. 
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9318 - -CVE-2016-9083 -Package: Kernel -Score: 8.0 (High) -Description: drivers/vfio/pci/vfio_pci.c in the Linux kernel through 4.8.11 allows local users to bypass integer overflow checks, and cause a denial of service (memory corruption) or have unspecified other impact, by leveraging access to a vfio PCI device file for a VFIO_DEVICE_SET_IRQS ioctl call, aka a "state machine confusion bug." -Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9083 - -CVE-2016-8864 -Package: bind -Score: 5.0 (Medium) -Description: named in ISC BIND 9.x before 9.9.9-P4, 9.10.x before 9.10.4-P4, and 9.11.x before 9.11.0-P1 allows remote attackers to cause a denial of service (assertion failure and daemon exit) via a DNAME record in the answer section of a response to a recursive query, related to db.c and resolver.c. -Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8864 - -CVE-2016-8858 -Package: OpenSSL -Score: 7.8 (High) -Description: A memory exhaustion issue in OpenSSH that can be triggered before user authentication was found. An unauthenticated attacker could consume approx. 400 MB of memory per each connection. The attacker could set up multiple such connections to run out of server’s memory. -Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8858 - -CVE-2016-8655 -Package: Kernel -Score: 8.0 (High) -Description: Race condition in net/packet/af_packet.c in the Linux kernel through 4.8.12 allows local users to gain privileges or cause a denial of service (use-after-free) by leveraging the CAP_NET_RAW capability to change a socket version, related to the packet_set_ring and packet_setsockopt functions. 
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8655 - -CVE-2016-8636 -Package: Kernel -Score: 7.0 (High) -Description: Integer overflow in the mem_check_range function in drivers/infiniband/sw/rxe/rxe_mr.c in the Linux kernel before 4.9.10 allows local users to cause a denial of service (memory corruption), obtain sensitive information from kernel memory, or possibly have unspecified other impact via a write or read request involving the "RDMA protocol over infiniband" (aka Soft RoCE) technology. -Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8636 - -CVE-2016-8630 -Package: Kernel -Score: 6.0 (Medium) -Description: The x86_decode_insn function in arch/x86/kvm/emulate.c in the Linux kernel before 4.8.7, when KVM is enabled, allows local users to cause a denial of service (host OS crash) via a certain use of a ModR/M byte in an undefined instruction. -Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8630 - -CVE-2016-8625 -Package: curl -Score: 6.9 (Medium) -Description: When curl is built with libidn to handle International Domain Names (IDNA), ittranslates them to puny code for DNS resolving using the IDNA 2003 standard,while IDNA 2008 is the modern and up-to-date IDNA standard.This misalignment causes problems with for example domains using the German ßcharacter (known as the Unicode Character 'LATIN SMALL LETTER SHARP S') whichis used at times in the .de TLD and is translated differently in the two IDNAstandards, leading to users potentially and unknowingly issuing networktransfer requests to the wrong host.For example, `straße.de` is translated into `strasse.de` using IDNA 2003 butis translated into `xn--strae-oqa.de` using IDNA 2008. Needless to say, thosehost names could very well resolve to different addresses and be twocompletely independent servers. 
IDNA 2008 is mandatory for .de domains.curl is not alone with this problem, as there's currently a big flux in theworld of network user-agents about which IDNA version to support and use.This name problem exists for DNS-using protocols in curl, but only when builtto use libidn. -Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8625 - -CVE-2016-8624 -Package: curl -Score: 6.9 (Medium) -Description: curl doesn't parse the authority component of the URL correctly when the hostname part ends with a '#' character, and could instead be tricked intoconnecting to a different host. This may have security implications if you forexample use an URL parser that follows the RFC to check for allowed domainsbefore using curl to request them.Passing in `http://example.com#@evil.com/x.txt` would wrongly make curl send arequest to evil.com while your browser would connect to example.com given thesame URL.The problem exists for most protocol schemes. -Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8624 - -CVE-2016-8623 -Package: curl -Score: 4.9 (Medium) -Description: libcurl explicitly allows users to share cookies between multiple easy handlesthat are concurrently employed by different threads.When cookies to be sent to a server are collected, the matching functioncollects all cookies to send and the cookie lock is released immediatelyafterwards. That function however only returns a list with *references* back tothe original strings for name, value, path and so on. Therefore, if anotherthread quickly takes the lock and frees one of the original cookie structstogether with its strings, a use-after-free can occur and lead to informationdisclosure. Another thread can also replace the contents of the cookies fromseparate HTTP responses or API calls. 
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8623 - -CVE-2016-8622 -Package: curl -Score: 4.9 (Medium) -Description: The URL percent-encoding decode function in libcurl is called`curl_easy_unescape`. Internally, even if this function would be made toallocate a unscape destination buffer larger than 2GB, it would return thatnew length in a signed 32 bit integer variable, thus the length would geteither just truncated or both truncated and turned negative. That could thenlead to libcurl writing outside of its heap based buffer.This can be triggered by a user on a 64bit system if the user can send in acustom (very large) URL to a libcurl using program. -Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8622 - -CVE-2016-8621 -Package: curl -Score: 4.9 (Medium) -Description: The `curl_getdate` converts a given date string into a numerical timestamp andit supports a range of different formats and possibilites to express a dateand time. The underlying date parsing function is also used internally whenparsing for example HTTP cookies (possibly received from remote servers) andit can be used when doing conditional HTTP requests.The date parser function uses the libc sscanf() function at two places, withthe parsing strings "%02d:%02d" and ""%02d:%02d:%02d". The intent being thatit would parse either a string with HH:MM (two digits colon two digits) orHH:MM:SS (two digits colon two digits colon two digits). If instead the pieceof time that was sent in had the final digit cut off, thus ending with asingle-digit, the date parser code would advance its read pointer one byte toomuch and end up reading out of bounds. -Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8621 - -CVE-2016-8620 -Package: curl -Score: 6.9 (Medium) -Description: The curl tool's "globbing" feature allows a user to specify a numerical rangethrough which curl will iterate. It is typically specified as [1-5],specifying the first and the last numbers in the range. 
Or with [a-z], usingletters.1. The curl code for parsing the second *unsigned* number did not check for aleading minus character, which allowed a user to specify `[1--1]` with nocomplaints and have the latter `-1` number get turned into the largestunsigned long value the system can handle. This would ultimately cause curl towrite outside the dedicated malloced buffer after no less than 100,000iterations, since it would have room for 5 digits but not 6.2. When the range is specified with letters, and the ending letter is left out`[L-]`, the code would still advance its read pointer 5 bytes even if thestring was just 4 bytes and end up reading outside the given buffer. -Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8620 - -CVE-2016-8619 -Package: curl -Score: 6.9 (Medium) -Description: In curl's implementation of the Kerberos authentication mechanism, thefunction `read_data()` in security.c is used to fill the necessary krb5structures. When reading one of the length fields from the socket, it fails toensure that the length parameter passed to realloc() is not set to 0.This would lead to realloc() getting called with a zero size and when doing sorealloc() returns NULL *and* frees the memory - in contrary to normalrealloc() fails where it only returns NULL - causing libcurl to free thememory *again* in the error path.This flaw could be triggered by a malicious or just otherwise ill-behavingserver. -Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8619 - -CVE-2016-8618 -Package: curl -Score: 6.9 (Medium) -Description: The libcurl API function called `curl_maprintf()` can be tricked into doing adouble-free due to an unsafe `size_t` multiplication, on systems using 32 bit`size_t` variables. 
The function is also used internallty in numeroussituations.The function doubles an allocated memory area with realloc() and allows thesize to wrap and become zero and when doing so realloc() returns NULL *and*frees the memory - in contrary to normal realloc() fails where it only returnsNULL - causing libcurl to free the memory *again* in the error path.Systems with 64 bit versions of the `size_t` type are not affected by thisissue.This behavior is triggable using the publicly exposed function. -Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8618 - -CVE-2016-8617 -Package: curl -Score: 6.9 (Medium) -Description: In libcurl's base64 encode function, the output buffer is allocated as followswithout any checks on insize: malloc( insize * 4 / 3 + 4 )On systems with 32-bit addresses in userspace (e.g. x86, ARM, x32), themultiplication in the expression wraps around if insize is at least 1GB ofdata. If this happens, an undersized output buffer will be allocated, but thefull result will be written, thus causing the memory behind the output bufferto be overwritten.If a username is set directly via `CURLOPT_USERNAME` (or curl's `-u, --user`option), this vulnerability can be triggered. The name has to be at least512MB big in a 32bit system.Systems with 64 bit versions of the `size_t` type are not affected by thisissue. -Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8617 - -CVE-2016-8616 -Package: curl -Score: 3.9 (Low) -Description: When re-using a connection, curl was doing case insensitive comparisons of user name and password with the existing connections.This means that if an unused connection with proper credentials exists for a protocol that has connection-scoped credentials, an attacker can cause that connection to be reused if s/he knows the case-insensitive version of the correct password.We are not aware of any exploit of this flaw. 
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8616 - -CVE-2016-8615 -Package: curl -Score: 6.9 (Medium) -Description: If cookie state is written into a cookie jar file that is later read back and used for subsequent requests, a malicious HTTP server can inject new cookies for arbitrary domains into said cookie jar.The issue pertains to the function that loads cookies into memory, which reads the specified file into a fixed-size buffer in a line-by-line manner using the fgets() function. If an invocation of fgets() cannot read the whole line into the destination buffer due to it being too small, it truncates the output. This way, a very long cookie (name + value) sent by a malicious server would be stored in the file and subsequently that cookie could be read partially and crafted correctly, it could be treated as a different cookie for another server.We are not aware of any exploit of this flaw. -Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8615 - -CVE-2016-7795 -Package: systemd -Score: 4.9 (Medium) -Description: The manager_invoke_notify_message function in systemd 231 and earlier allows local users to cause a denial of service (assertion failure and PID 1 hang) via a zero-length message received over a notify socket. -Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7795 - -CVE-2016-7097 -Package: Kernel -Score: 3.6 (Low) -Description: The filesystem implementation in the Linux kernel through 4.8.2 preserves the setgid bit during a setxattr call, which allows local users to gain group privileges by leveraging the existence of a setgid program with restrictions on execute permissions. -Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7097 - -CVE-2016-6489 -Package: nettle -Score: 5.0 (Medium) -Description: The RSA and DSA decryption code in Nettle makes it easier for attackers to discover private keys via a cache side channel attack. 
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6489 - -CVE-2016-6480 -Package: Kernel -Score: 4.7 (Medium) -Description: Race condition in the ioctl_send_fib function in drivers/scsi/aacraid/commctrl.c in the Linux kernel through 4.7 allows local users to cause a denial of service (out-of-bounds access or system crash) by changing a certain size value, aka a "double fetch" vulnerability. -Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6480 - -CVE-2016-6354 -Package: flex -Score: 7.5 (High) -Description: Heap-based buffer overflow in the yy_get_next_buffer function in Flex before 2.6.1 might allow context-dependent attackers to cause a denial of service or possibly execute arbitrary code via vectors involving num_to_read. -Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6354 - -CVE-2016-6323 -Package: glibc -Score: 5.0 (Medium) -Description: The makecontext function in the GNU C Library (aka glibc or libc6) before 2.25 creates execution contexts incompatible with the unwinder on ARM EABI (32-bit) platforms, which might allow context-dependent attackers to cause a denial of service (hang), as demonstrated by applications compiled using gccgo, related to backtrace generation. -Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6323 - -CVE-2016-6321 -Package: Tar (Gnu) -Score: 5.0 (Medium) -Description: Directory traversal vulnerability in the safer_name_suffix function in GNU tar 1.14 through 1.29 might allow remote attackers to bypass an intended protection mechanism and write to arbitrary files via vectors related to improper sanitization of the file_name parameter, aka POINTYFEATHER. 
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6321 - -CVE-2016-6318 -Package: cracklib -Score: 7.5 (High) -Description: Stack-based buffer overflow in the FascistGecosUser function in lib/fascist.c in cracklib allows local users to cause a denial of service (application crash) or gain privileges via a long GECOS field, involving longbuffer. -Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6318 - -CVE-2016-6301 -Package: busybox -Score: 7.1 (High) -Description: The recv_and_process_client_pkt function in networking/ntpd.c in busybox allows remote attackers to cause a denial of service (CPU and bandwidth consumption) via a forged NTP packet, which triggers a communication loop. -Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6301 - -CVE-2016-6252 -Package: shadow -Score: 5.0 (Medium) -Description: Integer overflow in shadow 4.2.1 allows local users to gain privileges via crafted input to newuidmap. Patch: https://bugzilla.suse.com/attachment.cgi?id=684679&action=diff -Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6252 - -CVE-2016-6185 -Package: Perl -Score: 5.0 (Medium) -Description: The XSLoader::load method in XSLoader in Perl does not properly locate .so files when called in a string eval, which might allow local users to execute arbitrary code via a Trojan horse library under the current working directory. -Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6185 - -CVE-2016-6170 -Package: bind -Score: 6.0 (Medium) -Description: DNS protocols were designed with the assumption that a certain amount of trust could be presumed between the operators of primary and secondary servers for a given zone. However, in current practice some organizations have scenarios which require them to accept zone data from sources that are not fully trusted (for example: providers of secondary name service). A party who is allowed to feed data into a zone (e.g. 
by AXFR, IXFR, or Dynamic DNS updates) can overwhelm the server which is accepting data by intentionally or accidentally exhausting that server's memory.https://kb.isc.org/article/AA-01390 -Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6170 - -CVE-2016-6131 -Package: gcc -Score: 4.9 (Medium) -Description: A stack overflow vulnerability in the libiberty demangler was found, which causes its host application to crash on a tainted branch instruction. The problem is caused by a self-reference in a mangled type string that is "remembered" for later reference. This leads to an infinite recursion during the demangling. -Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6131 - -CVE-2016-5636 -Package: CPython -Score: 10.0 (High) -Description: Integer overflow in the get_data function in zipimport.c in CPython (aka Python) before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 allows remote attackers to have unspecified impact via a negative data size value, which triggers a heap-based buffer overflow. -Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5636 - -CVE-2016-5300 -Package: expat -Score: 7.8 (High) -Description: The XML parser in Expat does not use sufficient entropy for hash initialization, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted identifiers in an XML document. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-0876. -Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5300 - -CVE-2016-5131 -Package: libxml2 -Score: 10.0 (High) -Description: Use-after-free vulnerability in libxml2 (used in chromium-browser) through 2.9.4, as used in Google Chrome before 52.0.2743.82, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to the XPointer range-to function. 
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5131 - -CVE-2016-4658 -Package: libxml2 -Score: 10.0 (High) -Description: libxml2 in Apple iOS before 10, OS X before 10.12, tvOS before 10, and watchOS before 3 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted XML document. -Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4658 - -CVE-2016-4448 -Package: libxml2 -Score: 10.0 (High) -Description: Format string vulnerability in libxml2 before 2.9.4 allows attackers to have unspecified impact via format string specifiers in unknown vectors. -Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4448 - -CVE-2016-2775 -Package: bind -Score: 4.3 (Medium) -Description: ISC BIND 9.x before 9.9.9-P2, 9.10.x before 9.10.4-P2, and 9.11.x before 9.11.0b2, when lwresd or the named lwres option is enabled, allows remote attackers to cause a denial of service (daemon crash) via a long request that uses the lightweight resolver protocol. -Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2775 - -CVE-2016-2381 -Package: Perl -Score: 5.0 (Medium) -Description: Perl might allow context-dependent attackers to bypass the taint protection mechanism in a child process via duplicate environment variables in envp. -Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2381 - -CVE-2016-2183 -Package: OpenSSL -Score: 5.0 (Medium) -Description: The DES and Triple DES ciphers, as used in the TLS, SSH, and IPSec protocols and other protocols and products, have a birthday bound of approximately four billion blocks, which makes it easier for remote attackers to obtain cleartext data via a birthday attack against a long-duration encrypted session, as demonstrated by an HTTPS session using Triple DES in CBC mode, aka a "Sweet32" attack. 
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2183 - -CVE-2016-2147 -Package: busybox -Score: 5.0 (Medium) -Description: Integer overflow in the DHCP client (udhcpc) in BusyBox before 1.25.0 allows remote attackers to cause a denial of service (crash) via a malformed RFC1035-encoded domain name, which triggers an out-of-bounds heap write. -Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2147 - -CVE-2016-10350 -Package: libarchive -Score: 4.3 (Medium) -Description: The archive_read_format_cab_read_header function in archive_read_support_format_cab.c in libarchive 3.2.2 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted file. -Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10350 - -CVE-2016-10349 -Package: libarchive -Score: 4.2 (Medium) -Description: The archive_le32dec function in archive_endian.h in libarchive 3.2.2 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted file. -Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10349 - -CVE-2016-10229 -Package: kernel -Score: 10.0 (High) -Description: udp.c in the Linux kernel before 4.5 allows remote attackers to execute arbitrary code via UDP traffic that triggers an unsafe second checksum calculation during execution of a recv system call with the MSG_PEEK flag. -Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10229 - -CVE-2016-10228 -Package: glibc -Score: 4.2 (Medium) -Description: The iconv program in the GNU C Library (aka glibc or libc6) 2.25 and earlier, when invoked with the -c option, enters an infinite loop when processing invalid multi-byte input sequences, leading to a denial of service. 
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10228 - -CVE-2016-10208 -Package: Kernel -Score: 5.0 (Medium) -Description: The ext4_fill_super function in fs/ext4/super.c in the Linux kernel through 4.9.8 does not properly validate meta block groups, which allows physically proximate attackers to cause a denial of service (out-of-bounds read and system crash) via a crafted ext4 image. -Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10208 - -CVE-2016-10200 -Package: Kernel -Score: 7.0 (High) -Description: Race condition in the L2TPv3 IP Encapsulation feature in the Linux kernel before 4.8.14 allows local users to gain privileges or cause a denial of service (use-after-free) by making multiple bind system calls without properly ascertaining whether a socket has the SOCK_ZAPPED status, related to net/l2tp/l2tp_ip.c and net/l2tp/l2tp_ip6.c. -Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10200 - -CVE-2016-10154 -Package: Kernel -Score: 5.0 (Medium) -Description: The smbhash function in fs/cifs/smbencrypt.c in the Linux kernel 4.9.x before 4.9.1 interacts incorrectly with the CONFIG_VMAP_STACK option, which allows local users to cause a denial of service (system crash or memory corruption) or possibly have unspecified other impact by leveraging use of more than one virtual page for a scatterlist. -Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10154 - -CVE-2016-10153 -Package: Kernel -Score: 7.0 (High) -Description: The crypto scatterlist API in the Linux kernel 4.9.x before 4.9.6 interacts incorrectly with the CONFIG_VMAP_STACK option, which allows local users to cause a denial of service (system crash or memory corruption) or possibly have unspecified other impact by leveraging reliance on earlier net/ceph/crypto.c code. 
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10153 - -CVE-2016-10150 -Package: KVM -Score: 10.0 (High) -Description: Use-after-free vulnerability in the kvm_ioctl_create_device function in virt/kvm/kvm_main.c in the Linux kernel before 4.8.13 allows host OS users to cause a denial of service (host OS crash) or possibly gain privileges via crafted ioctl calls on the /dev/kvm device. -Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10150 - -CVE-2016-10147 -Package: Kernel -Score: 5.0 (Medium) -Description: crypto/mcryptd.c in the Linux kernel before 4.8.15 allows local users to cause a denial of service (NULL pointer dereference and system crash) by using an AF_ALG socket with an incompatible algorithm, as demonstrated by mcryptd(md5). -Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10147 - -CVE-2016-10044 -Package: Kernel -Score: 7.0 (High) -Description: The aio_mount function in fs/aio.c in the Linux kernel before 4.7.7 does not properly restrict execute access, which makes it easier for local users to bypass intended SELinux W^X policy restrictions, and consequently gain privileges, via an io_setup system call. -Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10044 - -CVE-2016-0800 -Package: OpenSSL -Score: 4.3 (Medium) -Description: The SSLv2 protocol, as used in OpenSSL before 1.0.1s and 1.0.2 before 1.0.2g and other products, requires a server to send a ServerVerify message before establishing that a client possesses certain plaintext RSA data, which makes it easier for remote attackers to decrypt TLS ciphertext data by leveraging a Bleichenbacher RSA padding oracle, aka a "DROWN" attack. -Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0800 - -CVE-2016-0718 -Package: expat -Score: 7.5 (High) -Description: Expat allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code via a malformed input document, which triggers a buffer overflow. 
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0718 - -CVE-2016-0634 -Package: bash -Score: 5.0 (Medium) -Description: A vulnerability was found in a way bash expands the $HOSTNAME. Injecting the hostname with malicious code would cause it to run each time bash expanded \h in the prompt string. -Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0634 - -CVE-2015-9019 -Package: libxslt-native -Score: 5.0 (Medium) -Description: In libxslt 1.1.29 and earlier, the EXSLT math.random function was not initialized with a random seed during startup, which could cause usage of this function to produce predictable outputs -Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-9019 - -CVE-2015-5224 -Package: util-linux -Score: 7.5 (High) -Description: The mkostemp function in login-utils in util-linux when used incorrectly allows remote attackers to cause file name collision and possibly other attacks. -Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5224 - -CVE-2014-9365 -Package: python -Score: 5.8 (Medium) -Description: The HTTP clients in the (1) httplib, (2) urllib, (3) urllib2, and (4) xmlrpclib libraries in CPython (aka Python) 2.x before 2.7.9 and 3.x before 3.4.3, when accessing an HTTPS URL, do not (a) check the certificate against a trust store or verify that the server hostname matches a domain name in the subject's (b) Common Name or (c) subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate. -Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9365 +CVE-2017-1000380 +Package: kernel +Score: 2.1 (Low) +Description: sound/core/timer.c in the Linux kernel before 4.11.5 is vulnerable to a data race in the ALSA /dev/snd/timer driver resulting in local users being able to read information belonging to other users, i.e., uninitialized memory contents may be disclosed when a read and an ioctl happen at the same time. 
+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000380 + +CVE-2017-1000366 +Package: glibc +Score: 7.2 (High) +Description: glibc contains a vulnerability that allows specially crafted LD_LIBRARY_PATH values to manipulate the heap/stack, causing them to alias, potentially resulting in arbitrary code execution. Please note that additional hardening changes have been made to glibc to prevent manipulation of stack and heap memory but these issues are not directly exploitable, as such they have not been given a CVE. +Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000366 + +CVE-2017-1000365 +Package: kernel +Score: 7.2 (High) +Description: The Linux Kernel imposes a size restriction on the arguments and environmental strings passed through RLIMIT_STACK/RLIM_INFINITY (1/4 of the size), but does not take the argument and environment pointers into account, which allows attackers to bypass this limitation. This affects Linux Kernel versions 4.11.5 and earlier. It appears that this feature was introduced in the Linux Kernel version 2.6.23. +Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000365 + +CVE-2017-1000253 +Package: kernel +Score: 8.0 (High) +Description: A flaw was found in the way the Linux kernel loaded ELF executables. Provided that an application was built as Position Independent Executable (PIE), the loader could allow part of that application's data segment to map over the memory area reserved for its stack, potentially resulting in memory corruption. 
An unprivileged local user with access to SUID (or otherwise privileged) PIE binary could use this flaw to escalate their privileges on the system.Upstream patch:https://git.kernel.org/linus/a87938b2e246b81b4fb713edb371a9fa3c5c3c86 +Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name= CVE-2017-1000253 + +CVE-2017-1000251 +Package: kernel +Score: 8.3 (High) +Description: The native Bluetooth stack in the Linux Kernel (BlueZ), starting at the Linux kernel version 2.6.32 and up to and including 4.13.1, are vulnerable to a stack overflow vulnerability in the processing of L2CAP configuration responses resulting in Remote code execution in kernel space. +Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000251 + +CVE-2017-1000250 +Package: bluez5 +Score: 3.3 (Minor) +Description: All versions of the SDP server in BlueZ 5.46 and earlier are vulnerable to an information disclosure vulnerability which allows remote attackers to obtain sensitive information from the bluetoothd process memory. This vulnerability lies in the processing of SDP search attribute requests. +Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000250 + +CVE-2017-1000111 +Package: kernel +Score: 7.2 (High) +Description: Linux kernel: heap out-of-bounds in AF_PACKET sockets. This new issue is analogous to previously disclosed CVE-2016-8655. In both cases, a socket option that changes socket state may race with safety checks in packet_set_ring. Previously with PACKET_VERSION. This time with PACKET_RESERVE. The solution is similar: lock the socket for the update. This issue may be exploitable, we did not investigate further. As this issue affects PF_PACKET sockets, it requires CAP_NET_RAW in the process namespace. But note that with user namespaces enabled, any process can create a namespace in which it has CAP_NET_RAW. 
+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000111 + +CVE-2017-1000101 +Package: curl +Score: 4.0 (Medium) +Description: curl supports "globbing" of URLs, in which a user can pass a numerical rangeto have the tool iterate over those numbers to do a sequence of transfers.In the globbing function that parses the numerical range, there was anomission that made curl read a byte beyond the end of the URL if given acarefully crafted, or just wrongly written, URL. The URL is stored in a heapbased buffer, so it could then be made to wrongly read something else insteadof crashing. +Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000101 + +CVE-2017-1000100 +Package: curl +Score: 4.0 (Medium) +Description: When doing an TFTP upload and curl/libcurl is given a URL that contains a verylong file name (longer than about 515 bytes), the file name is truncated tofit within the buffer boundaries, but the buffer size is still wrongly updatedto use the untruncated length. This too large value is then used in the`send()` call, making curl attempt to send more data than what is actually putinto the buffer. The `send()` function will then read beyond the end of theheap based buffer. +Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000100 + +CVE-2017-1000082 +Package: systemd +Score: 10.0 (High) +Description: systemd v233 and earlier fails to safely parse usernames starting with a numeric digit (e.g. "0day"), running the service in question with root privileges rather than the user intended. +Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000082 + +CVE-2017-18017 +Package: kernel +Score: 5.0 (Medium) +Description: The tcpmss_mangle_packet function in net/netfilter/xt_TCPMSS.c in the Linux kernel before 4.11, and 4.9.x before 4.9.36, allows remote attackers to cause a denial of service (use-after-free and memory corruption) or possibly have unspecified other impact by leveraging the presence of xt_TCPMSS in an iptables action. 
+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18017 + +CVE-2017-14496 +Package: dnsmasq +Score: 7.0 (High) +Description: Integer underflow in the add_pseudoheader function in dnsmasq before 2.78 , when the --add-mac, --add-cpe-id or --add-subnet option is specified, allows remote attackers to cause a denial of service via a crafted DNS request. +Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14496 + +CVE-2017-14106 +Package: kernel +Score: 4.9 (Medium) +Description: The tcp_disconnect function in net/ipv4/tcp.c in the Linux kernel before 4.12 allows local users to cause a denial of service (__tcp_select_window divide-by-zero error and system crash) by triggering a disconnect within a certain tcp_recvmsg code path. +Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14106 + +CVE-2017-13081 +Package: linux-firmware +Score: 2.9 (Minor) +Description: Wi-Fi Protected Access (WPA and WPA2) that supports IEEE 802.11w allows reinstallation of the Integrity Group Temporal Key (IGTK) during the group key handshake, allowing an attacker within radio range to spoof frames from access points to clients. +Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13081 + +CVE-2017-13080 +Package: linux-firmware +Score: 2.9 (Minor) +Description: Wi-Fi Protected Access (WPA and WPA2) allows reinstallation of the Group Temporal Key (GTK) during the group key handshake, allowing an attacker within radio range to replay frames from access points to clients. +Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13080 + +CVE-2017-12132 +Package: glibc +Score: 4.3 (Medium) +Description: The DNS stub resolver in the GNU C Library (aka glibc or libc6) before version 2.26, when EDNS support is enabled, will solicit large UDP responses from name servers, potentially simplifying off-path DNS spoofing attacks due to IP fragmentation. 
+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12132 + +CVE-2017-11176 +Package: kernel +Score: 10.0 (High) +Description: The mq_notify function in the Linux kernel through 4.11.9 does not set the sock pointer to NULL upon entry into the retry logic. During a user-space close of a Netlink socket, it allows attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact. +Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11176 + +CVE-2017-9955 +Package: GNU Binutils +Score: 4.3 (Medium) +Description: The get_build_id function in opncls.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted file in which a certain size field is larger than a corresponding data field, as demonstrated by mishandling within the objdump program. +Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9955 + +CVE-2017-9954 +Package: GNU Binutils +Score: 4.3 (Medium) +Description: The getvalue function in tekhex.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, allows remote attackers to cause a denial of service (stack-based buffer over-read and application crash) via a crafted tekhex file, as demonstrated by mishandling within the nm program. +Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9954 + +CVE-2017-9756 +Package: GNU Binutils +Score: 6.8 (Medium) +Description: The aarch64_ext_ldst_reglist function in opcodes/aarch64-dis.c in GNU Binutils 2.28 allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during \"objdump -D\" execution. 
+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9756 + +CVE-2017-9755 +Package: GNU Binutils (objdump) +Score: 6.8 (Medium) +Description: opcodes/i386-dis.c in GNU Binutils 2.28 does not consider the number of registers for bnd mode, which allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during \"objdump -D\" execution. +Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9755 + +CVE-2017-9753 +Package: GNU Binutils +Score: 6.8 (Medium) +Description: The versados_mkobject function in bfd/versados.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, does not initialize a certain data structure, which allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during \"objdump -D\" execution. +Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9753 + +CVE-2017-9752 +Package: GNU Binutils, libbfd +Score: 6.8 (Medium) +Description: bfd/vms-alpha.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file in the _bfd_vms_get_value and _bfd_vms_slurp_etir functions during \"objdump -D\" execution. 
+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9752 + +CVE-2017-9751 +Package: GNU Binutils +Score: 6.8 (Medium) +Description: opcodes/rl78-decode.opc in GNU Binutils 2.28 has an unbounded GETBYTE macro, which allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during \"objdump -D\" execution. +Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9751 + +CVE-2017-9750 +Package: GNU Binutils +Score: 6.8 (Medium) +Description: opcodes/rx-decode.opc in GNU Binutils 2.28 lacks bounds checks for certain scale arrays, which allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during \"objdump -D\" execution. +Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9750 + +CVE-2017-9749 +Package: GNU Binutils +Score: 6.8 (Medium) +Description: The *regs* macros in opcodes/bfin-dis.c in GNU Binutils 2.28 allow remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during \"objdump -D\" execution. +Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9749 + +CVE-2017-9748 +Package: GNU Binutils +Score: 6.8 (Medium) +Description: The ieee_object_p function in bfd/ieee.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, might allow remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during \"objdump -D\" execution. NOTE: this may be related to a compiler bug. 
+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9748 + +CVE-2017-9747 +Package: GNU Binutils (libbfd) +Score: 6.8 (Medium) +Description: The ieee_archive_p function in bfd/ieee.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, might allow remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during \"objdump -D\" execution. NOTE: this may be related to a compiler bug. +Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9747 + +CVE-2017-9746 +Package: GNU Binutils +Score: 6.8 (Medium) +Description: The disassemble_bytes function in objdump.c in GNU Binutils 2.28 allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of rae insns printing for this file during \"objdump -D\" execution. +Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9746 + +CVE-2017-9745 +Package: GNU Binutils (libbfd) +Score: 6.8 (Medium) +Description: The _bfd_vms_slurp_etir function in bfd/vms-alpha.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during \"objdump -D\" execution. 
+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9745 + +CVE-2017-9744 +Package: GNU Binutils (libbfd) +Score: 6.8 (Medium) +Description: The sh_elf_set_mach_from_flags function in bfd/elf32-sh.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during \"objdump -D\" execution. +Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9744 + +CVE-2017-9742 +Package: GNU Binutils (objdump) +Score: 6.8 (Medium) +Description: The score_opcodes function in opcodes/score7-dis.c in GNU Binutils 2.28 allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during \"objdump -D\" execution. +Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9742 + +CVE-2017-9445 +Package: systemd +Score: 5.0 (Medium) +Description: In systemd through 233, certain sizes passed to dns_packet_new in systemd-resolved can cause it to allocate a buffer that's too small. A malicious DNS server can exploit this via a response with a specially crafted TCP payload to trick systemd-resolved into allocating a buffer that's too small, and subsequently write arbitrary data beyond the end of it. +Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9445 + +CVE-2017-9050 +Package: libxml2-native +Score: 5.0 (Medium) +Description: libxml2 20904-GITv2.9.4-16-g0741801 is vulnerable to a heap-based buffer over-read in the xmlDictAddString function in dict.c. This vulnerability causes programs that use libxml2, such as PHP, to crash. This vulnerability exists because of an incomplete fix for CVE-2016-1839. 
+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9050 + +CVE-2017-9049 +Package: libxml2-native +Score: 5.0 (Medium) +Description: libxml2 20904-GITv2.9.4-16-g0741801 is vulnerable to a heap-based buffer over-read in the xmlDictComputeFastKey function in dict.c. This vulnerability causes programs that use libxml2, such as PHP, to crash. This vulnerability exists because of an incomplete fix for libxml2 Bug 759398. +Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9049 + +CVE-2017-9048 +Package: libxml2-native +Score: 5.0 (Medium) +Description: libxml2 20904-GITv2.9.4-16-g0741801 is vulnerable to a stack-based buffer overflow. The function xmlSnprintfElementContent in valid.c is supposed to recursively dump the element content definition into a char buffer 'buf' of size 'size'. At the end of the routine, the function may strcat two more characters without checking whether the current strlen(buf) + 2 < size. This vulnerability causes programs that use libxml2, such as PHP, to crash. +Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9048 + +CVE-2017-9047 +Package: libxml2-native +Score: 5.0 (Medium) +Description: A buffer overflow was discovered in libxml2 20904-GITv2.9.4-16-g0741801. The function xmlSnprintfElementContent in valid.c is supposed to recursively dump the element content definition into a char buffer 'buf' of size 'size'. The variable len is assigned strlen(buf). If the content->type is XML_ELEMENT_CONTENT_ELEMENT, then (i) the content->prefix is appended to buf (if it actually fits) whereupon (ii) content->name is written to the buffer. However, the check for whether the content->name actually fits also uses 'len' rather than the updated buffer length strlen(buf). This allows us to write about "size" many bytes beyond the allocated memory. This vulnerability causes programs that use libxml2, such as PHP, to crash. 
+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9047 + +CVE-2017-9044 +Package: GNU Binutils (readelf) +Score: 4.3 (Medium) +Description: The print_symbol_for_build_attribute function in readelf.c in GNU Binutils 2017-04-12 allows remote attackers to cause a denial of service (invalid read and SEGV) via a crafted ELF file. +Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9044 + +CVE-2017-9042 +Package: GNU Binutils +Score: 6.8 (Medium) +Description: readelf.c in GNU Binutils 2017-04-12 has a \"cannot be represented in type long\" issue, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted ELF file. +Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9042 + +CVE-2017-9040 +Package: GNU Binutils +Score: 4.3 (Medium) +Description: GNU Binutils 2017-04-03 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash), related to the process_mips_specific function in readelf.c, via a crafted ELF file that triggers a large memory-allocation attempt. +Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9040 + +CVE-2017-9039 +Package: GNU Binutils (readelf) +Score: 4.3 (Medium) +Description: GNU Binutils 2.28 allows remote attackers to cause a denial of service (memory consumption) via a crafted ELF file with many program headers, related to the get_program_headers function in readelf.c. +Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9039 + +CVE-2017-9038 +Package: GNU Binutils (readelf) +Score: 4.3 (Medium) +Description: GNU Binutils 2.28 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted ELF file, related to the byte_get_little_endian function in elfcomm.c, the get_unwind_section_word function in readelf.c, and ARM unwind information that contains invalid word offsets. 
+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9038 + +CVE-2017-8872 +Package: libxml2-native +Score: 6.4 (Medium) +Description: The htmlParseTryOrFinish function in HTMLparser.c in libxml2 2.9.4 allows attackers to cause a denial of service (buffer over-read) or information disclosure. +Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8872 + +CVE-2017-8831 +Package: kernel +Score: 7.2 (High) +Description: The saa7164_bus_get function in drivers/media/pci/saa7164/saa7164-bus.c in the Linux kernel through 4.10.14 allows local users to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact by changing a certain sequence-number value, aka a "double fetch" vulnerability. +Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8831 + +CVE-2017-8804 +Package: glibc +Score: 7.8 (High) +Description: The xdr_bytes and xdr_string functions in the GNU C Library (aka glibc or libc6) 2.25 mishandle failures of buffer deserialization, which allows remote attackers to cause a denial of service (virtual memory allocation, or memory consumption if an overcommit setting is not used) via a crafted UDP packet to port 111, a related issue to CVE-2017-8779. 
+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8804 + +CVE-2017-8779 +Package: rpcbind +Score: 7.8 (High) +Description: rpcbind through 0.2.4, LIBTIRPC through 1.0.1 and 1.0.2-rc through 1.0.2-rc3, and NTIRPC through 1.4.3 do not consider the maximum RPC data size during memory allocation for XDR strings, which allows remote attackers to cause a denial of service (memory consumption with no subsequent free) via a crafted UDP packet to port 111, aka rpcbomb +Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8779 + +CVE-2017-8421 +Package: GNU Binutils +Score: 7.1 (High) +Description: The function coff_set_alignment_hook in coffcode.h in Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, has a memory leak vulnerability which can cause memory exhaustion in objdump via a crafted PE file. Additional validation in dump_relocs_in_section in objdump.c can resolve this. +Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8421 + +CVE-2017-8398 +Package: GNU Binutils +Score: 5.0 (Medium) +Description: dwarf.c in GNU Binutils 2.28 is vulnerable to an invalid read of size 1 during dumping of debug information from a corrupt binary. This vulnerability causes programs that conduct an analysis of binary programs, such as objdump and readelf, to crash. +Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8398 + +CVE-2017-8397 +Package: GNU Binutils +Score: 5.0 (Medium) +Description: The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, is vulnerable to an invalid read of size 1 and an invalid write of size 1 during processing of a corrupt binary containing reloc(s) with negative addresses. This vulnerability causes programs that conduct an analysis of binary programs using the libbfd library, such as objdump, to crash. 
+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8397 + +CVE-2017-8396 +Package: GNU Binutils +Score: 5.0 (Medium) +Description: The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, is vulnerable to an invalid read of size 1 because the existing reloc offset range tests didn't catch small negative offsets less than the size of the reloc field. This vulnerability causes programs that conduct an analysis of binary programs using the libbfd library, such as objdump, to crash. +Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8396 + +CVE-2017-8395 +Package: GNU Binutils +Score: 5.0 (Medium) +Description: The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, is vulnerable to an invalid write of size 8 because of missing a malloc() return-value check to see if memory had actually been allocated in the _bfd_generic_get_section_contents function. This vulnerability causes programs that conduct an analysis of binary programs using the libbfd library, such as objcopy, to crash. +Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8395 + +CVE-2017-8394 +Package: GNU Binutils +Score: 5.0 (Medium) +Description: The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, is vulnerable to an invalid read of size 4 due to NULL pointer dereferencing of _bfd_elf_large_com_section. This vulnerability causes programs that conduct an analysis of binary programs using the libbfd library, such as objcopy, to crash. +Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8394 + +CVE-2017-8393 +Package: GNU Binutils +Score: 5.0 (Medium) +Description: The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, is vulnerable to a global buffer over-read error because of an assumption made by code that runs for objcopy and strip, that SHT_REL/SHR_RELA sections are always named starting with a .rel/.rela prefix. 
This vulnerability causes programs that conduct an analysis of binary programs using the libbfd library, such as objcopy and strip, to crash. +Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8393 + +CVE-2017-8392 +Package: GNU Binutils +Score: 5.0 (Medium) +Description: The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, is vulnerable to an invalid read of size 8 because of missing a check to determine whether symbols are NULL in the _bfd_dwarf2_find_nearest_line function. This vulnerability causes programs that conduct an analysis of binary programs using the libbfd library, such as objdump, to crash. +Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8392 + +CVE-2017-8283 +Package: dpkg +Score: 7.5 (High) +Description: dpkg-source in dpkg 1.3.0 through 1.18.23 is able to use a non-GNU patch program and does not offer a protection mechanism for blank-indented diff hunks, which allows remote attackers to conduct directory traversal attacks via a crafted Debian source package, as demonstrated by use of dpkg-source on NetBSD. +Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8283 + +CVE-2017-8105 +Package: freetype +Score: 7.5 (High) +Description: FreeType 2 before 2017-03-24 has an out-of-bounds write caused by a heap-based buffer overflow related to the t1_decoder_parse_charstrings function in psaux/t1decode.c. +Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8105 + +CVE-2017-8072 +Package: kernel +Score: 7.2 (High) +Description: The cp2112_gpio_direction_input function in drivers/hid/hid-cp2112.c in the Linux kernel 4.9.x before 4.9.9 does not have the expected EIO error status for a zero-length report, which allows local users to have an unspecified impact via unknown vectors. 
+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8072 + +CVE-2017-8071 +Package: kernel +Score: 2.1 (Low) +Description: drivers/hid/hid-cp2112.c in the Linux kernel 4.9.x before 4.9.9 uses a spinlock without considering that sleeping is possible in a USB HID request callback, which allows local users to cause a denial of service (deadlock) via unspecified vectors. +Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8071 + +CVE-2017-8070 +Package: kernel +Score: 7.2 (High) +Description: drivers/net/usb/catc.c in the Linux kernel 4.9.x before 4.9.11 interacts incorrectly with the CONFIG_VMAP_STACK option, which allows local users to cause a denial of service (system crash or memory corruption) or possibly have unspecified other impact by leveraging use of more than one virtual page for a DMA scatterlist. +Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8070 + +CVE-2017-8069 +Package: kernel +Score: 7.2 (High) +Description: drivers/net/usb/rtl8150.c in the Linux kernel 4.9.x before 4.9.11 interacts incorrectly with the CONFIG_VMAP_STACK option, which allows local users to cause a denial of service (system crash or memory corruption) or possibly have unspecified other impact by leveraging use of more than one virtual page for a DMA scatterlist. +Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8069 + +CVE-2017-8068 +Package: kernel +Score: 7.2 (High) +Description: drivers/net/usb/pegasus.c in the Linux kernel 4.9.x before 4.9.11 interacts incorrectly with the CONFIG_VMAP_STACK option, which allows local users to cause a denial of service (system crash or memory corruption) or possibly have unspecified other impact by leveraging use of more than one virtual page for a DMA scatterlist. 
+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8068 + +CVE-2017-8067 +Package: kernel +Score: 7.2 (High) +Description: drivers/char/virtio_console.c in the Linux kernel 4.9.x and 4.10.x before 4.10.12 interacts incorrectly with the CONFIG_VMAP_STACK option, which allows local users to cause a denial of service (system crash or memory corruption) or possibly have unspecified other impact by leveraging use of more than one virtual page for a DMA scatterlist. +Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8067 + +CVE-2017-8066 +Package: kernel +Score: 7.2 (High) +Description: drivers/net/can/usb/gs_usb.c in the Linux kernel 4.9.x and 4.10.x before 4.10.2 interacts incorrectly with the CONFIG_VMAP_STACK option, which allows local users to cause a denial of service (system crash or memory corruption) or possibly have unspecified other impact by leveraging use of more than one virtual page for a DMA scatterlist. +Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8066 + +CVE-2017-8065 +Package: kernel +Score: 7.2 (High) +Description: rypto/ccm.c in the Linux kernel 4.9.x and 4.10.x through 4.10.12 interacts incorrectly with the CONFIG_VMAP_STACK option, which allows local users to cause a denial of service (system crash or memory corruption) or possibly have unspecified other impact by leveraging use of more than one virtual page for a DMA scatterlist. +Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8065 + +CVE-2017-8064 +Package: kernel +Score: 7.2 (High) +Description: drivers/media/usb/dvb-usb-v2/dvb_usb_core.c in the Linux kernel 4.9.x and 4.10.x before 4.10.12 interacts incorrectly with the CONFIG_VMAP_STACK option, which allows local users to cause a denial of service (system crash or memory corruption) or possibly have unspecified other impact by leveraging use of more than one virtual page for a DMA scatterlist. 
+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8064 + +CVE-2017-8063 +Package: kernel +Score: 7.2 (High) +Description: drivers/media/usb/dvb-usb/cxusb.c in the Linux kernel 4.9.x and 4.10.x before 4.10.12 interacts incorrectly with the CONFIG_VMAP_STACK option, which allows local users to cause a denial of service (system crash) or possibly have unspecified other impact by leveraging use of more than one virtual page for a DMA scatterlist. +Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8063 + +CVE-2017-8062 +Package: kernel +Score: 7.2 (High) +Description: drivers/media/usb/dvb-usb/dw2102.c in the Linux kernel 4.9.x and 4.10.x before 4.10.4 interacts incorrectly with the CONFIG_VMAP_STACK option, which allows local users to cause a denial of service (system crash or memory corruption) or possibly have unspecified other impact by leveraging use of more than one virtual page for a DMA scatterlist. +Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8062 + +CVE-2017-8061 +Package: kernel +Score: 7.2 (High) +Description: drivers/media/usb/dvb-usb/dvb-usb-firmware.c in the Linux kernel 4.9.x and 4.10.x before 4.10.7 interacts incorrectly with the CONFIG_VMAP_STACK option, which allows local users to cause a denial of service (system crash or memory corruption) or possibly have unspecified other impact by leveraging use of more than one virtual page for a DMA scatterlist. +Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8061 + +CVE-2017-7895 +Package: kernel +Score: 10.0 (High) +Description: The NFSv2 and NFSv3 server implementations in the Linux kernel through 4.10.13 lack certain checks for the end of a buffer, which allows remote attackers to trigger pointer-arithmetic errors or possibly have unspecified other impact via crafted requests, related to fs/nfsd/nfs3xdr.c and fs/nfsd/nfsxdr.c. 
+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7895 + +CVE-2017-7869 +Package: gnutls +Score: 5.0 (Medium) +Description: GnuTLS before 2017-02-20 has an out-of-bounds write caused by an integer overflow and heap-based buffer overflow related to the cdk_pkt_read function in opencdk/read-packet.c. This issue (which is a subset of the vendor's GNUTLS-SA-2017-3 report) is fixed in 3.5.10. +Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7869 + +CVE-2017-7645 +Package: kernel +Score: 7.8 (High) +Description: The NFSv2/NFSv3 server in the nfsd subsystem in the Linux kernel through 4.10.11 allows remote attackers to cause a denial of service (system crash) via a long RPC reply, related to net/sunrpc/svc.c, fs/nfsd/nfs3xdr.c, and fs/nfsd/nfsxdr.c. +Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7645 + +CVE-2017-7618 +Package: kernel +Score: 7.8 (High) +Description: crypto/ahash.c in the Linux kernel through 4.10.9 allows attackers to cause a denial of service (API operation calling its own callback, and infinite recursion) by triggering EBUSY on a full queue. +Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7618 + +CVE-2017-7614 +Package: GNU Binutils +Score: 7.5 (High) +Description: elflink.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, has a \"member access within null pointer\" undefined behavior issue, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via an \"int main() {return 0;}\" program. 
+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7614 + +CVE-2017-7487 +Package: kernel +Score: 7.2 (High) +Description: The ipxitf_ioctl function in net/ipx/af_ipx.c in the Linux kernel through 4.11.1 mishandles reference counts, which allows local users to cause a denial of service (use-after-free) or possibly have unspecified other impact via a failed SIOCGIFADDR ioctl call for an IPX interface. +Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7487 + +CVE-2017-7472 +Package: kernel +Score: 4.9 (Medium) +Description: The KEYS subsystem in the Linux kernel before 4.10.13 allows local users to cause a denial of service (memory consumption) via a series of KEY_REQKEY_DEFL_THREAD_KEYRING keyctl_set_reqkey_keyring calls. +Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7472 + +CVE-2017-7468 +Package: curl +Score: 6.0 (Medium) +Description: libcurl would attempt to resume a TLS session even if the client certificate had changed. That is unacceptable since a server by specification is allowed to skip the client certificate check on resume, and may instead use the old identity which was established by the previous certificate (or no certificate). +Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7468 + +CVE-2017-7407 +Package: curl +Score: 2.1 (Low) +Description: The ourWriteOut function in tool_writeout.c in curl 7.53.1 might allow physically proximate attackers to obtain sensitive information from process memory in opportunistic circumstances by reading a workstation screen during use of a --write-out argument ending in a '%' character, which leads to a heap-based buffer over-read. 
+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7407 + +CVE-2017-7304 +Package: Binutils +Score: 5.0 (Medium) +Description: The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, is vulnerable to an invalid read (of size 8) because of missing a check (in the copy_special_section_fields function) for an invalid sh_link field before attempting to follow it. This vulnerability causes Binutils utilities like strip to crash. +Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7304 + +CVE-2017-7223 +Package: GNU Binutils +Score: 5.0 (Medium) +Description: GNU assembler in GNU Binutils 2.28 is vulnerable to a global buffer overflow (of size 1) while attempting to unget an EOF character from the input stream, potentially leading to a program crash. +Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7223 + +CVE-2017-7210 +Package: binutils +Score: 7.8 (High) +Description: objdump in GNU Binutils 2.28 is vulnerable to multiple heap-based buffer over-reads (of size 1 and size 8) while handling corrupt STABS enum type strings in a crafted object file, leading to program crash. +Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7210 + +CVE-2017-7209 +Package: binutils +Score: 4.3 (Medium) +Description: The dump_section_as_bytes function in readelf in GNU Binutils 2.28 accesses a NULL pointer while reading section contents in a corrupt binary, leading to a program crash. +Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7209 + +CVE-2017-6969 +Package: binutils +Score: 6.4 (Medium) +Description: readelf in GNU Binutils 2.28 is vulnerable to a heap-based buffer over-read while processing corrupt RL78 binaries. The vulnerability can trigger program crashes. It may lead to an information leak as well. 
+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6969 + +CVE-2017-6966 +Package: binutil +Score: 4.0 (Medium) +Description: readelf in GNU Binutils 2.28 has a use-after-free (specifically read-after-free) error while processing multiple, relocated sections in an MSP430 binary. This is caused by mishandling of an invalid symbol index, and mishandling of state across invocations. +Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6966 + +CVE-2017-6965 +Package: binutils +Score: 4.3 (Medium) +Description: readelf in GNU Binutils 2.28 writes to illegal addresses while processing corrupt input files containing symbol-difference relocations, leading to a heap-based buffer overflow. +Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6965 + +CVE-2017-6874 +Package: Kernel +Score: 7.0 (High) +Description: Race condition in kernel/ucount.c in the Linux kernel through 4.10.2 allows local users to cause a denial of service (use-after-free and system crash) or possibly have unspecified other impact via crafted system calls that leverage certain decrement behavior that causes incorrect interaction between put_ucounts and get_ucounts. +Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6874 + +CVE-2017-6353 +Package: Kernel +Score: 5.0 (Medium) +Description: net/sctp/socket.c in the Linux kernel through 4.10.1 does not properly restrict association peel-off operations during certain wait states, which allows local users to cause a denial of service (invalid unlock and double free) via a multithreaded application. NOTE: this vulnerability exists because of an incorrect fix for CVE-2017-5986. 
+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6353 + +CVE-2017-6348 +Package: Kernel +Score: 5.0 (Medium) +Description: The hashbin_delete function in net/irda/irqueue.c in the Linux kernel before 4.9.13 improperly manages lock dropping, which allows local users to cause a denial of service (deadlock) via crafted operations on IrDA devices. +Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6348 + +CVE-2017-6347 +Package: Kernel +Score: 7.0 (High) +Description: The ip_cmsg_recv_checksum function in net/ipv4/ip_sockglue.c in the Linux kernel before 4.10.1 has incorrect expectations about skb data layout, which allows local users to cause a denial of service (buffer over-read) or possibly have unspecified other impact via crafted system calls, as demonstrated by use of the MSG_MORE flag in conjunction with loopback UDP transmission. +Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6347 + +CVE-2017-6346 +Package: Kernel +Score: 7.0 (High) +Description: Race condition in net/packet/af_packet.c in the Linux kernel before 4.9.13 allows local users to cause a denial of service (use-after-free) or possibly have unspecified other impact via a multithreaded application that makes PACKET_FANOUT setsockopt system calls. +Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6346 + +CVE-2017-6345 +Package: Kernel +Score: 5.0 (Medium) +Description: The LLC subsystem in the Linux kernel before 4.9.13 does not ensure that a certain destructor exists in required circumstances, which allows local users to cause a denial of service (BUG_ON) or possibly have unspecified other impact via crafted system calls. 
+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6345 + +CVE-2017-6214 +Package: Kernel +Score: 5.0 (Medium) +Description: The tcp_splice_read function in net/ipv4/tcp.c in the Linux kernel before 4.9.11 allows remote attackers to cause a denial of service (infinite loop and soft lockup) via vectors involving a TCP packet with the URG flag. +Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6214 + +CVE-2017-6074 +Package: Kernel +Score: 8.0 (High) +Description: The dccp_rcv_state_process function in net/dccp/input.c in the Linux kernel through 4.9.11 mishandles DCCP_PKT_REQUEST packet data structures in the LISTEN state, which allows local users to obtain root privileges or cause a denial of service (double free) via an application that makes an IPV6_RECVPKTINFO setsockopt system call. +Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6074 + +CVE-2017-6001 +Package: Kernel +Score: 8.0 (High) +Description: Race condition in kernel/events/core.c in the Linux kernel before 4.9.7 allows local users to gain privileges via a crafted application that makes concurrent perf_event_open system calls for moving a software group into a hardware context. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-6786. +Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6001 + +CVE-2017-5986 +Package: Kernel +Score: 7.0 (High) +Description: Race condition in the sctp_wait_for_sndbuf function in net/sctp/socket.c in the Linux kernel before 4.9.11 allows local users to cause a denial of service (assertion failure and panic) via a multithreaded application that peels off an association in a certain buffer-full state. 
+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5986 + +CVE-2017-5970 +Package: Kernel +Score: 5.0 (Medium) +Description: The ipv4_pktinfo_prepare function in net/ipv4/ip_sockglue.c in the Linux kernel through 4.9.9 allows attackers to cause a denial of service (system crash) via (1) an application that makes crafted system calls or possibly (2) IPv4 traffic with invalid IP options. +Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5970 + +CVE-2017-5969 +Package: libxml2-native +Score: 2.6 (Low) +Description: libxml2 2.9.4, when used in recover mode, allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted XML document. NOTE: The maintainer states "I would disagree of a CVE with the Recover parsing option which should only be used for manual recovery at least for XML parser." +Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5969 + +CVE-2017-5848 +Package: gstreamer +Score: 5.0 (Medium) +Description: The gst_ps_demux_parse_psm function in gst/mpegdemux/gstmpegdemux.c in gst-plugins-bad in GStreamer allows remote attackers to cause a denial of service (invalid memory read and crash) via vectors involving PSM parsing. +Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5848 + +CVE-2017-5847 +Package: gstreamer +Score: 5.0 (Medium) +Description: The gst_asf_demux_process_ext_content_desc function in gst/asfdemux/gstasfdemux.c in gst-plugins-ugly in GStreamer allows remote attackers to cause a denial of service (out-of-bounds heap read) via vectors involving extended content descriptors. 
+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5847 + +CVE-2017-5669 +Package: Kernel +Score: 5.0 (Medium) +Description: The do_shmat function in ipc/shm.c in the Linux kernel through 4.9.12 does not restrict the address calculated by a certain rounding operation, which allows local users to map page zero, and consequently bypass a protection mechanism that exists for the mmap system call, by making crafted shmget and shmat system calls in a privileged context. +Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5669 + +CVE-2017-5618 +Package: GNU screen +Score: 7.2 (High) +Description: GNU screen before 4.5.1 allows local users to modify arbitrary files and consequently gain root privileges by leveraging improper checking of logfile permissions. +Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5618 + +CVE-2017-5601 +Package: libarchive +Score: 5.0 (Medium) +Description: An error in the lha_read_file_header_1() function (archive_read_support_format_lha.c) in libarchive 3.2.2 allows remote attackers to trigger an out-of-bounds read memory access and subsequently cause a crash via a specially crafted archive. +Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5601 + +CVE-2017-5577 +Package: Kernel +Score: 5.0 (Medium) +Description: The vc4_get_bcl function in drivers/gpu/drm/vc4/vc4_gem.c in the VideoCore DRM driver in the Linux kernel before 4.9.7 does not set an errno value upon certain overflow detections, which allows local users to cause a denial of service (incorrect pointer dereference and OOPS) via inconsistent size values in a VC4_SUBMIT_CL ioctl call. 
+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5577 + +CVE-2017-5576 +Package: Kernel +Score: 7.0 (High) +Description: Integer overflow in the vc4_get_bcl function in drivers/gpu/drm/vc4/vc4_gem.c in the VideoCore DRM driver in the Linux kernel before 4.9.7 allows local users to cause a denial of service or possibly have unspecified other impact via a crafted size value in a VC4_SUBMIT_CL ioctl call. +Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5576 + +CVE-2017-5551 +Package: Kernel +Score: 4.0 (Medium) +Description: The simple_set_acl function in fs/posix_acl.c in the Linux kernel before 4.9.6 preserves the setgid bit during a setxattr call involving a tmpfs filesystem, which allows local users to gain group privileges by leveraging the existence of a setgid program with restrictions on execute permissions. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-7097. +Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5551 + +CVE-2017-5548 +Package: Kernel +Score: 7.0 (High) +Description: drivers/net/ieee802154/atusb.c in the Linux kernel 4.9.x before 4.9.6 interacts incorrectly with the CONFIG_VMAP_STACK option, which allows local users to cause a denial of service (system crash or memory corruption) or possibly have unspecified other impact by leveraging use of more than one virtual page for a DMA scatterlist. +Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5548 + +CVE-2017-5547 +Package: Kernel +Score: 7.0 (High) +Description: drivers/hid/hid-corsair.c in the Linux kernel 4.9.x before 4.9.6 interacts incorrectly with the CONFIG_VMAP_STACK option, which allows local users to cause a denial of service (system crash or memory corruption) or possibly have unspecified other impact by leveraging use of more than one virtual page for a DMA scatterlist. 
+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5547 + +CVE-2017-5546 +Package: Kernel +Score: 7.0 (High) +Description: The freelist-randomization feature in mm/slab.c in the Linux kernel 4.8.x and 4.9.x before 4.9.5 allows local users to cause a denial of service (duplicate freelist entries and system crash) or possibly have unspecified other impact in opportunistic circumstances by leveraging the selection of a large value for a random number. +Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5546 + +CVE-2017-5335 +Package: GnuTLS +Score: 5.0 (Medium) +Description: The stream reading functions in lib/opencdk/read-packet.c in GnuTLS before 3.3.26 and 3.5.x before 3.5.8 allow remote attackers to cause a denial of service (out-of-memory error and crash) via a crafted OpenPGP certificate. +Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5335 + +CVE-2017-5225 +Package: tiff +Score: 7.5 (High) +Description: LibTIFF version 4.0.7 is vulnerable to a heap buffer overflow in the tools/tiffcp resulting in DoS or code execution via a crafted BitsPerSample value. +Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5225 + +CVE-2017-5029 +Package: libxslt +Score: 6.8 (Medium) +Description: The xsltAddTextString function in transform.c in libxslt 1.1.29, as used in Blink in Google Chrome prior to 57.0.2987.98 for Mac, Windows, and Linux and 57.0.2987.108 for Android, lacked a check for integer overflow during a size calculation, which allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. +Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5029 + +CVE-2017-3731 +Package: OpenSSL +Score: 5.0 (Medium) +Description: If an SSL/TLS server or client is running on a 32-bit host, and a specific cipher is being used, then a truncated packet can cause that server or client to perform an out-of-bounds read, usually resulting in a crash. 
For OpenSSL 1.1.0, the crash can be triggered when using CHACHA20/POLY1305; users should upgrade to 1.1.0d. For Openssl 1.0.2, the crash can be triggered when using RC4-MD5; users who have not disabled that algorithm should update to 1.0.2k. +Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3731 + +CVE-2017-3136 +Package: bind +Score: 5.9 (Medium) +Description: A query with a specific set of characteristics could cause a server using DNS64 to encounter an assertion failure and terminate.An attacker could deliberately construct a query, enabling denial-of-service against a server if it was configured to use the DNS64 feature and other preconditions were met. +Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3136 + +CVE-2017-3135 +Package: bind +Score: 6.0 (Medium) +Description: Under some conditions when using both DNS64 and RPZ to rewrite query responses, query processing can resume in an inconsistent state leading to either an INSIST assertion failure or an attempt to read through a NULL pointer. +Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3135 + +CVE-2017-2636 +Package: Kernel +Score: 7.2 (High) +Description: Race condition in drivers/tty/n_hdlc.c in the Linux kernel through 4.10.1 allows local users to gain privileges or cause a denial of service (double free) by setting the HDLC line discipline. +Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2636 + +CVE-2017-2628 +Package: curl +Score: 0.0 (Low) +Description: It was found that the fix for CVE-2015-3148 in curl was incomplete. An application using libcurl with HTTP Negotiate authentication could incorrectly re-use credentials for subsequent requests to the same server. 
+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2628 + +CVE-2016-10350 +Package: libarchive +Score: 4.3 (Medium) +Description: The archive_read_format_cab_read_header function in archive_read_support_format_cab.c in libarchive 3.2.2 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted file. +Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10350 + +CVE-2016-10349 +Package: libarchive +Score: 4.2 (Medium) +Description: The archive_le32dec function in archive_endian.h in libarchive 3.2.2 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted file. +Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10349 + +CVE-2016-10229 +Package: kernel +Score: 10.0 (High) +Description: udp.c in the Linux kernel before 4.5 allows remote attackers to execute arbitrary code via UDP traffic that triggers an unsafe second checksum calculation during execution of a recv system call with the MSG_PEEK flag. +Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10229 + +CVE-2016-10228 +Package: glibc +Score: 4.2 (Medium) +Description: The iconv program in the GNU C Library (aka glibc or libc6) 2.25 and earlier, when invoked with the -c option, enters an infinite loop when processing invalid multi-byte input sequences, leading to a denial of service. +Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10228 + +CVE-2016-10208 +Package: Kernel +Score: 5.0 (Medium) +Description: The ext4_fill_super function in fs/ext4/super.c in the Linux kernel through 4.9.8 does not properly validate meta block groups, which allows physically proximate attackers to cause a denial of service (out-of-bounds read and system crash) via a crafted ext4 image. 
+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10208 + +CVE-2016-10200 +Package: Kernel +Score: 7.0 (High) +Description: Race condition in the L2TPv3 IP Encapsulation feature in the Linux kernel before 4.8.14 allows local users to gain privileges or cause a denial of service (use-after-free) by making multiple bind system calls without properly ascertaining whether a socket has the SOCK_ZAPPED status, related to net/l2tp/l2tp_ip.c and net/l2tp/l2tp_ip6.c. +Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10200 + +CVE-2016-10154 +Package: Kernel +Score: 5.0 (Medium) +Description: The smbhash function in fs/cifs/smbencrypt.c in the Linux kernel 4.9.x before 4.9.1 interacts incorrectly with the CONFIG_VMAP_STACK option, which allows local users to cause a denial of service (system crash or memory corruption) or possibly have unspecified other impact by leveraging use of more than one virtual page for a scatterlist. +Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10154 + +CVE-2016-10153 +Package: Kernel +Score: 7.0 (High) +Description: The crypto scatterlist API in the Linux kernel 4.9.x before 4.9.6 interacts incorrectly with the CONFIG_VMAP_STACK option, which allows local users to cause a denial of service (system crash or memory corruption) or possibly have unspecified other impact by leveraging reliance on earlier net/ceph/crypto.c code. +Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10153 + +CVE-2016-10150 +Package: KVM +Score: 10.0 (High) +Description: Use-after-free vulnerability in the kvm_ioctl_create_device function in virt/kvm/kvm_main.c in the Linux kernel before 4.8.13 allows host OS users to cause a denial of service (host OS crash) or possibly gain privileges via crafted ioctl calls on the /dev/kvm device. 
+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10150 + +CVE-2016-10147 +Package: Kernel +Score: 5.0 (Medium) +Description: crypto/mcryptd.c in the Linux kernel before 4.8.15 allows local users to cause a denial of service (NULL pointer dereference and system crash) by using an AF_ALG socket with an incompatible algorithm, as demonstrated by mcryptd(md5). +Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10147 + +CVE-2016-10044 +Package: Kernel +Score: 7.0 (High) +Description: The aio_mount function in fs/aio.c in the Linux kernel before 4.7.7 does not properly restrict execute access, which makes it easier for local users to bypass intended SELinux W^X policy restrictions, and consequently gain privileges, via an io_setup system call. +Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10044 + +CVE-2016-9844 +Package: unzip +Score: 2.1 (Low) +Description: Buffer overflow in the zi_short function in zipinfo.c in Info-Zip UnZip 6.0 allows remote attackers to cause a denial of service (crash) via a large compression method value in the central directory file header. +Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9844 + +CVE-2016-9754 +Package: Kernel +Score: 7.0 (High) +Description: The ring_buffer_resize function in kernel/trace/ring_buffer.c in the profiling subsystem in the Linux kernel before 4.6.1 mishandles certain integer calculations, which allows local users to gain privileges by writing to the /sys/kernel/debug/tracing/buffer_size_kb file. +Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9754 + +CVE-2016-9444 +Package: bind +Score: 7.0 (High) +Description: named in ISC BIND 9.x before 9.9.9-P5, 9.10.x before 9.10.4-P5, and 9.11.x before 9.11.0-P2 allows remote attackers to cause a denial of service (assertion failure and daemon exit) via a crafted DS resource record in an answer. 
+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9444 + +CVE-2016-9401 +Package: bash +Score: 2.0 (Low) +Description: ref to yocto patch: http://git.yoctoproject.org/cgit/cgit.cgi/poky/commit/?id=1b2857a781b6666feaf5d3c91dc02ac263d0c4f6 +Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9401 + +CVE-2016-9318 +Package: libxml2-native +Score: 6.8 (Medium) +Description: libxml2 2.9.4 and earlier, as used in XMLSec 1.2.23 and earlier and other products, does not offer a flag directly indicating that the current document may be read but other files may not be opened, which makes it easier for remote attackers to conduct XML External Entity (XXE) attacks via a crafted document. +Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9318 + +CVE-2016-9083 +Package: Kernel +Score: 8.0 (High) +Description: drivers/vfio/pci/vfio_pci.c in the Linux kernel through 4.8.11 allows local users to bypass integer overflow checks, and cause a denial of service (memory corruption) or have unspecified other impact, by leveraging access to a vfio PCI device file for a VFIO_DEVICE_SET_IRQS ioctl call, aka a "state machine confusion bug." +Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9083 + +CVE-2016-8864 +Package: bind +Score: 5.0 (Medium) +Description: named in ISC BIND 9.x before 9.9.9-P4, 9.10.x before 9.10.4-P4, and 9.11.x before 9.11.0-P1 allows remote attackers to cause a denial of service (assertion failure and daemon exit) via a DNAME record in the answer section of a response to a recursive query, related to db.c and resolver.c. +Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8864 + +CVE-2016-8858 +Package: OpenSSL +Score: 7.8 (High) +Description: A memory exhaustion issue in OpenSSH that can be triggered before user authentication was found. An unauthenticated attacker could consume approx. 400 MB of memory per each connection. The attacker could set up multiple such connections to run out of server’s memory. 
+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8858 + +CVE-2016-8655 +Package: Kernel +Score: 8.0 (High) +Description: Race condition in net/packet/af_packet.c in the Linux kernel through 4.8.12 allows local users to gain privileges or cause a denial of service (use-after-free) by leveraging the CAP_NET_RAW capability to change a socket version, related to the packet_set_ring and packet_setsockopt functions. +Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8655 + +CVE-2016-8636 +Package: Kernel +Score: 7.0 (High) +Description: Integer overflow in the mem_check_range function in drivers/infiniband/sw/rxe/rxe_mr.c in the Linux kernel before 4.9.10 allows local users to cause a denial of service (memory corruption), obtain sensitive information from kernel memory, or possibly have unspecified other impact via a write or read request involving the "RDMA protocol over infiniband" (aka Soft RoCE) technology. +Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8636 + +CVE-2016-8630 +Package: Kernel +Score: 6.0 (Medium) +Description: The x86_decode_insn function in arch/x86/kvm/emulate.c in the Linux kernel before 4.8.7, when KVM is enabled, allows local users to cause a denial of service (host OS crash) via a certain use of a ModR/M byte in an undefined instruction. 
+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8630 + +CVE-2016-8625 +Package: curl +Score: 6.9 (Medium) +Description: When curl is built with libidn to handle International Domain Names (IDNA), ittranslates them to puny code for DNS resolving using the IDNA 2003 standard,while IDNA 2008 is the modern and up-to-date IDNA standard.This misalignment causes problems with for example domains using the German ßcharacter (known as the Unicode Character 'LATIN SMALL LETTER SHARP S') whichis used at times in the .de TLD and is translated differently in the two IDNAstandards, leading to users potentially and unknowingly issuing networktransfer requests to the wrong host.For example, `straße.de` is translated into `strasse.de` using IDNA 2003 butis translated into `xn--strae-oqa.de` using IDNA 2008. Needless to say, thosehost names could very well resolve to different addresses and be twocompletely independent servers. IDNA 2008 is mandatory for .de domains.curl is not alone with this problem, as there's currently a big flux in theworld of network user-agents about which IDNA version to support and use.This name problem exists for DNS-using protocols in curl, but only when builtto use libidn. +Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8625 + +CVE-2016-8624 +Package: curl +Score: 6.9 (Medium) +Description: curl doesn't parse the authority component of the URL correctly when the hostname part ends with a '#' character, and could instead be tricked intoconnecting to a different host. This may have security implications if you forexample use an URL parser that follows the RFC to check for allowed domainsbefore using curl to request them.Passing in `http://example.com#@evil.com/x.txt` would wrongly make curl send arequest to evil.com while your browser would connect to example.com given thesame URL.The problem exists for most protocol schemes. 
+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8624 + +CVE-2016-8623 +Package: curl +Score: 4.9 (Medium) +Description: libcurl explicitly allows users to share cookies between multiple easy handlesthat are concurrently employed by different threads.When cookies to be sent to a server are collected, the matching functioncollects all cookies to send and the cookie lock is released immediatelyafterwards. That function however only returns a list with *references* back tothe original strings for name, value, path and so on. Therefore, if anotherthread quickly takes the lock and frees one of the original cookie structstogether with its strings, a use-after-free can occur and lead to informationdisclosure. Another thread can also replace the contents of the cookies fromseparate HTTP responses or API calls. +Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8623 + +CVE-2016-8622 +Package: curl +Score: 4.9 (Medium) +Description: The URL percent-encoding decode function in libcurl is called`curl_easy_unescape`. Internally, even if this function would be made toallocate a unscape destination buffer larger than 2GB, it would return thatnew length in a signed 32 bit integer variable, thus the length would geteither just truncated or both truncated and turned negative. That could thenlead to libcurl writing outside of its heap based buffer.This can be triggered by a user on a 64bit system if the user can send in acustom (very large) URL to a libcurl using program. +Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8622 + +CVE-2016-8621 +Package: curl +Score: 4.9 (Medium) +Description: The `curl_getdate` converts a given date string into a numerical timestamp andit supports a range of different formats and possibilites to express a dateand time. 
The underlying date parsing function is also used internally whenparsing for example HTTP cookies (possibly received from remote servers) andit can be used when doing conditional HTTP requests.The date parser function uses the libc sscanf() function at two places, withthe parsing strings "%02d:%02d" and ""%02d:%02d:%02d". The intent being thatit would parse either a string with HH:MM (two digits colon two digits) orHH:MM:SS (two digits colon two digits colon two digits). If instead the pieceof time that was sent in had the final digit cut off, thus ending with asingle-digit, the date parser code would advance its read pointer one byte toomuch and end up reading out of bounds. +Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8621 + +CVE-2016-8620 +Package: curl +Score: 6.9 (Medium) +Description: The curl tool's "globbing" feature allows a user to specify a numerical rangethrough which curl will iterate. It is typically specified as [1-5],specifying the first and the last numbers in the range. Or with [a-z], usingletters.1. The curl code for parsing the second *unsigned* number did not check for aleading minus character, which allowed a user to specify `[1--1]` with nocomplaints and have the latter `-1` number get turned into the largestunsigned long value the system can handle. This would ultimately cause curl towrite outside the dedicated malloced buffer after no less than 100,000iterations, since it would have room for 5 digits but not 6.2. When the range is specified with letters, and the ending letter is left out`[L-]`, the code would still advance its read pointer 5 bytes even if thestring was just 4 bytes and end up reading outside the given buffer. +Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8620 + +CVE-2016-8619 +Package: curl +Score: 6.9 (Medium) +Description: In curl's implementation of the Kerberos authentication mechanism, thefunction `read_data()` in security.c is used to fill the necessary krb5structures. 
When reading one of the length fields from the socket, it fails toensure that the length parameter passed to realloc() is not set to 0.This would lead to realloc() getting called with a zero size and when doing sorealloc() returns NULL *and* frees the memory - in contrary to normalrealloc() fails where it only returns NULL - causing libcurl to free thememory *again* in the error path.This flaw could be triggered by a malicious or just otherwise ill-behavingserver. +Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8619 + +CVE-2016-8618 +Package: curl +Score: 6.9 (Medium) +Description: The libcurl API function called `curl_maprintf()` can be tricked into doing adouble-free due to an unsafe `size_t` multiplication, on systems using 32 bit`size_t` variables. The function is also used internallty in numeroussituations.The function doubles an allocated memory area with realloc() and allows thesize to wrap and become zero and when doing so realloc() returns NULL *and*frees the memory - in contrary to normal realloc() fails where it only returnsNULL - causing libcurl to free the memory *again* in the error path.Systems with 64 bit versions of the `size_t` type are not affected by thisissue.This behavior is triggable using the publicly exposed function. +Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8618 + +CVE-2016-8617 +Package: curl +Score: 6.9 (Medium) +Description: In libcurl's base64 encode function, the output buffer is allocated as followswithout any checks on insize: malloc( insize * 4 / 3 + 4 )On systems with 32-bit addresses in userspace (e.g. x86, ARM, x32), themultiplication in the expression wraps around if insize is at least 1GB ofdata. If this happens, an undersized output buffer will be allocated, but thefull result will be written, thus causing the memory behind the output bufferto be overwritten.If a username is set directly via `CURLOPT_USERNAME` (or curl's `-u, --user`option), this vulnerability can be triggered. 
The name has to be at least512MB big in a 32bit system.Systems with 64 bit versions of the `size_t` type are not affected by thisissue. +Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8617 + +CVE-2016-8616 +Package: curl +Score: 3.9 (Low) +Description: When re-using a connection, curl was doing case insensitive comparisons of user name and password with the existing connections.This means that if an unused connection with proper credentials exists for a protocol that has connection-scoped credentials, an attacker can cause that connection to be reused if s/he knows the case-insensitive version of the correct password.We are not aware of any exploit of this flaw. +Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8616 + +CVE-2016-8615 +Package: curl +Score: 6.9 (Medium) +Description: If cookie state is written into a cookie jar file that is later read back and used for subsequent requests, a malicious HTTP server can inject new cookies for arbitrary domains into said cookie jar.The issue pertains to the function that loads cookies into memory, which reads the specified file into a fixed-size buffer in a line-by-line manner using the fgets() function. If an invocation of fgets() cannot read the whole line into the destination buffer due to it being too small, it truncates the output. This way, a very long cookie (name + value) sent by a malicious server would be stored in the file and subsequently that cookie could be read partially and crafted correctly, it could be treated as a different cookie for another server.We are not aware of any exploit of this flaw. +Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8615 + +CVE-2016-7795 +Package: systemd +Score: 4.9 (Medium) +Description: The manager_invoke_notify_message function in systemd 231 and earlier allows local users to cause a denial of service (assertion failure and PID 1 hang) via a zero-length message received over a notify socket. 
+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7795 + +CVE-2016-7097 +Package: Kernel +Score: 3.6 (Low) +Description: The filesystem implementation in the Linux kernel through 4.8.2 preserves the setgid bit during a setxattr call, which allows local users to gain group privileges by leveraging the existence of a setgid program with restrictions on execute permissions. +Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7097 + +CVE-2016-6489 +Package: nettle +Score: 5.0 (Medium) +Description: The RSA and DSA decryption code in Nettle makes it easier for attackers to discover private keys via a cache side channel attack. +Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6489 + +CVE-2016-6480 +Package: Kernel +Score: 4.7 (Medium) +Description: Race condition in the ioctl_send_fib function in drivers/scsi/aacraid/commctrl.c in the Linux kernel through 4.7 allows local users to cause a denial of service (out-of-bounds access or system crash) by changing a certain size value, aka a "double fetch" vulnerability. +Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6480 + +CVE-2016-6354 +Package: flex +Score: 7.5 (High) +Description: Heap-based buffer overflow in the yy_get_next_buffer function in Flex before 2.6.1 might allow context-dependent attackers to cause a denial of service or possibly execute arbitrary code via vectors involving num_to_read. +Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6354 + +CVE-2016-6323 +Package: glibc +Score: 5.0 (Medium) +Description: The makecontext function in the GNU C Library (aka glibc or libc6) before 2.25 creates execution contexts incompatible with the unwinder on ARM EABI (32-bit) platforms, which might allow context-dependent attackers to cause a denial of service (hang), as demonstrated by applications compiled using gccgo, related to backtrace generation. 
+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6323 + +CVE-2016-6321 +Package: Tar (Gnu) +Score: 5.0 (Medium) +Description: Directory traversal vulnerability in the safer_name_suffix function in GNU tar 1.14 through 1.29 might allow remote attackers to bypass an intended protection mechanism and write to arbitrary files via vectors related to improper sanitization of the file_name parameter, aka POINTYFEATHER. +Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6321 + +CVE-2016-6318 +Package: cracklib +Score: 7.5 (High) +Description: Stack-based buffer overflow in the FascistGecosUser function in lib/fascist.c in cracklib allows local users to cause a denial of service (application crash) or gain privileges via a long GECOS field, involving longbuffer. +Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6318 + +CVE-2016-6301 +Package: busybox +Score: 7.1 (High) +Description: The recv_and_process_client_pkt function in networking/ntpd.c in busybox allows remote attackers to cause a denial of service (CPU and bandwidth consumption) via a forged NTP packet, which triggers a communication loop. +Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6301 + +CVE-2016-6252 +Package: shadow +Score: 5.0 (Medium) +Description: Integer overflow in shadow 4.2.1 allows local users to gain privileges via crafted input to newuidmap. Patch: https://bugzilla.suse.com/attachment.cgi?id=684679&action=diff +Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6252 + +CVE-2016-6185 +Package: Perl +Score: 5.0 (Medium) +Description: The XSLoader::load method in XSLoader in Perl does not properly locate .so files when called in a string eval, which might allow local users to execute arbitrary code via a Trojan horse library under the current working directory. 
+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6185 + +CVE-2016-6170 +Package: bind +Score: 6.0 (Medium) +Description: DNS protocols were designed with the assumption that a certain amount of trust could be presumed between the operators of primary and secondary servers for a given zone. However, in current practice some organizations have scenarios which require them to accept zone data from sources that are not fully trusted (for example: providers of secondary name service). A party who is allowed to feed data into a zone (e.g. by AXFR, IXFR, or Dynamic DNS updates) can overwhelm the server which is accepting data by intentionally or accidentally exhausting that server's memory.https://kb.isc.org/article/AA-01390 +Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6170 + +CVE-2016-6131 +Package: gcc +Score: 4.9 (Medium) +Description: A stack overflow vulnerability in the libiberty demangler was found, which causes its host application to crash on a tainted branch instruction. The problem is caused by a self-reference in a mangled type string that is "remembered" for later reference. This leads to an infinite recursion during the demangling. +Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6131 + +CVE-2016-5636 +Package: CPython +Score: 10.0 (High) +Description: Integer overflow in the get_data function in zipimport.c in CPython (aka Python) before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 allows remote attackers to have unspecified impact via a negative data size value, which triggers a heap-based buffer overflow. +Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5636 + +CVE-2016-5300 +Package: expat +Score: 7.8 (High) +Description: The XML parser in Expat does not use sufficient entropy for hash initialization, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted identifiers in an XML document. 
NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-0876. +Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5300 + +CVE-2016-5131 +Package: libxml2 +Score: 10.0 (High) +Description: Use-after-free vulnerability in libxml2 (used in chromium-browser) through 2.9.4, as used in Google Chrome before 52.0.2743.82, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to the XPointer range-to function. +Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5131 + +CVE-2016-4658 +Package: libxml2 +Score: 10.0 (High) +Description: libxml2 in Apple iOS before 10, OS X before 10.12, tvOS before 10, and watchOS before 3 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted XML document. +Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4658 + +CVE-2016-4448 +Package: libxml2 +Score: 10.0 (High) +Description: Format string vulnerability in libxml2 before 2.9.4 allows attackers to have unspecified impact via format string specifiers in unknown vectors. +Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4448 + +CVE-2016-2775 +Package: bind +Score: 4.3 (Medium) +Description: ISC BIND 9.x before 9.9.9-P2, 9.10.x before 9.10.4-P2, and 9.11.x before 9.11.0b2, when lwresd or the named lwres option is enabled, allows remote attackers to cause a denial of service (daemon crash) via a long request that uses the lightweight resolver protocol. +Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2775 + +CVE-2016-2381 +Package: Perl +Score: 5.0 (Medium) +Description: Perl might allow context-dependent attackers to bypass the taint protection mechanism in a child process via duplicate environment variables in envp. 
+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2381 + +CVE-2016-2183 +Package: OpenSSL +Score: 5.0 (Medium) +Description: The DES and Triple DES ciphers, as used in the TLS, SSH, and IPSec protocols and other protocols and products, have a birthday bound of approximately four billion blocks, which makes it easier for remote attackers to obtain cleartext data via a birthday attack against a long-duration encrypted session, as demonstrated by an HTTPS session using Triple DES in CBC mode, aka a "Sweet32" attack. +Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2183 + +CVE-2016-2147 +Package: busybox +Score: 5.0 (Medium) +Description: Integer overflow in the DHCP client (udhcpc) in BusyBox before 1.25.0 allows remote attackers to cause a denial of service (crash) via a malformed RFC1035-encoded domain name, which triggers an out-of-bounds heap write. +Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2147 + +CVE-2016-0800 +Package: OpenSSL +Score: 4.3 (Medium) +Description: The SSLv2 protocol, as used in OpenSSL before 1.0.1s and 1.0.2 before 1.0.2g and other products, requires a server to send a ServerVerify message before establishing that a client possesses certain plaintext RSA data, which makes it easier for remote attackers to decrypt TLS ciphertext data by leveraging a Bleichenbacher RSA padding oracle, aka a "DROWN" attack. +Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0800 + +CVE-2016-0718 +Package: expat +Score: 7.5 (High) +Description: Expat allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code via a malformed input document, which triggers a buffer overflow. +Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0718 + +CVE-2016-0634 +Package: bash +Score: 5.0 (Medium) +Description: A vulnerability was found in a way bash expands the $HOSTNAME. 
Injecting the hostname with malicious code would cause it to run each time bash expanded \h in the prompt string. +Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0634 + +CVE-2015-9019 +Package: libxslt-native +Score: 5.0 (Medium) +Description: In libxslt 1.1.29 and earlier, the EXSLT math.random function was not initialized with a random seed during startup, which could cause usage of this function to produce predictable outputs +Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-9019 + +CVE-2015-5224 +Package: util-linux +Score: 7.5 (High) +Description: The mkostemp function in login-utils in util-linux when used incorrectly allows remote attackers to cause file name collision and possibly other attacks. +Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5224 + +CVE-2014-9365 +Package: python +Score: 5.8 (Medium) +Description: The HTTP clients in the (1) httplib, (2) urllib, (3) urllib2, and (4) xmlrpclib libraries in CPython (aka Python) 2.x before 2.7.9 and 3.x before 3.4.3, when accessing an HTTPS URL, do not (a) check the certificate against a trust store or verify that the server hostname matches a domain name in the subject's (b) Common Name or (c) subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate. +Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9365 -- cgit v1.2.3-54-g00ecf
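Review bot: the CVE-2016-8858 entry in this hunk is tagged "+Package: OpenSSL", but its description ("A memory exhaustion issue in OpenSSH that can be triggered before user authentication was found.") describes an OpenSSH issue, so the package field should name openssh; since this commit only reorders entries, that misattribution is carried over unchanged and anyone filtering the report by package will miss it. Two smaller points in the same hunk: "+CVE-2017-2628" carries "+Score: 0.0 (Low)", which looks like an unfilled placeholder rather than a real score and should be set from the reference, and "+CVE-2016-9401" has a Description that is only "ref to yocto patch: ..." rather than a summary of the flaw. The package naming is also inconsistent across entries ("kernel" vs "Kernel", "KVM" for a kernel CVE, "python" vs "CPython", "libxml2" vs "libxml2-native"), and several descriptions have lost the spaces between words or sentences ("terminate.An attacker", "ittranslates them to puny code", "connecting to a different host"), which suggests wrapped text was pasted in; both would be worth fixing while the list is being regenerated, since tooling that groups or greps entries by package will otherwise split or skip them.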