CVE-2017-1000253 Package: kernel Score: 8.0 (High) Description: A flaw was found in the way the Linux kernel loaded ELF executables. Provided that an application was built as Position Independent Executable (PIE), the loader could allow part of that application's data segment to map over the memory area reserved for its stack, potentially resulting in memory corruption. An unprivileged local user with access to SUID (or otherwise privileged) PIE binary could use this flaw to escalate their privileges on the system.Upstream patch:https://git.kernel.org/linus/a87938b2e246b81b4fb713edb371a9fa3c5c3c86 Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name= CVE-2017-1000253 CVE-2017-14496 Package: dnsmasq Score: 7.0 (High) Description: Integer underflow in the add_pseudoheader function in dnsmasq before 2.78 , when the --add-mac, --add-cpe-id or --add-subnet option is specified, allows remote attackers to cause a denial of service via a crafted DNS request. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14496 CVE-2017-14495 Package: dnsmasq Score: 7.0 (High) Description: Memory leak in dnsmasq before 2.78, when the --add-mac, --add-cpe-id or --add-subnet option is specified, allows remote attackers to cause a denial of service (memory consumption) via vectors involving DNS response creation. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14495 CVE-2017-14494 Package: dnsmasq Score: 7.0 (High) Description: dnsmasq before 2.78, when configured as a relay, allows remote attackers to obtain sensitive memory information via vectors involving handling DHCPv6 forwarded requests. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14494 CVE-2017-14493 Package: dnsmasq Score: 9.0 (High) Description: Stack-based buffer overflow in dnsmasq before 2.78 allows remote attackers to cause a denial of service (crash) or execute arbitrary code via a crafted DHCPv6 request. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14493 CVE-2017-14492 Package: dnsmasq Score: 9.0 (High) Description: Heap-based buffer overflow in dnsmasq before 2.78 allows remote attackers to cause a denial of service (crash) or execute arbitrary code via a crafted IPv6 router advertisement request. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14492 CVE-2017-14491 Package: dnsmasq Score: 9.0 (High) Description: Heap-based buffer overflow in dnsmasq before 2.78 allows remote attackers to cause a denial of service (crash) or execute arbitrary code via a crafted DNS response. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14491 CVE-2017-12132 Package: glibc Score: 4.3 (Medium) Description: The DNS stub resolver in the GNU C Library (aka glibc or libc6) before version 2.26, when EDNS support is enabled, will solicit large UDP responses from name servers, potentially simplifying off-path DNS spoofing attacks due to IP fragmentation. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12132 CVE-2017-11176 Package: kernel Score: 10.0 (High) Description: The mq_notify function in the Linux kernel through 4.11.9 does not set the sock pointer to NULL upon entry into the retry logic. During a user-space close of a Netlink socket, it allows attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11176 CVE-2017-1000366 Package: glibc Score: 7.2 (High) Description: glibc contains a vulnerability that allows specially crafted LD_LIBRARY_PATH values to manipulate the heap/stack, causing them to alias, potentially resulting in arbitrary code execution. Please note that additional hardening changes have been made to glibc to prevent manipulation of stack and heap memory but these issues are not directly exploitable, as such they have not been given a CVE. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000366 CVE-2017-1000364 Package: Kernel Score: 7.0 (High) Description: An issue was discovered in the size of the stack guard page on Linux, specifically a 4k stack guard page is not sufficiently large and can be "jumped" over (the stack guard page is bypassed), this affects Linux Kernel versions 4.11.5 and earlier (the stackguard page was introduced in 2010). Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000364 CVE-2017-1000257 Package: curl Score: 6.4 (Medium) Description: An IMAP FETCH response line indicates the size of the returned data, in number of bytes. When that response says the data is zero bytes, libcurl would pass on that (non-existing) data with a pointer and the size (zero) to the deliver-data function. libcurl's deliver-data function treats zero as a magic number and invokes strlen() on the data to figure out the length. The strlen() is called on a heap based buffer that might not be zero terminated so libcurl might read beyond the end of it into whatever memory lies after (or just crash) and then deliver that to the application as if it was actually downloaded. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000257 CVE-2017-1000101 Package: curl Score: 4.0 (Medium) Description: curl supports "globbing" of URLs, in which a user can pass a numerical rangeto have the tool iterate over those numbers to do a sequence of transfers.In the globbing function that parses the numerical range, there was anomission that made curl read a byte beyond the end of the URL if given acarefully crafted, or just wrongly written, URL. The URL is stored in a heapbased buffer, so it could then be made to wrongly read something else insteadof crashing. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000101 CVE-2017-1000100 Package: curl Score: 4.0 (Medium) Description: When doing an TFTP upload and curl/libcurl is given a URL that contains a verylong file name (longer than about 515 bytes), the file name is truncated tofit within the buffer boundaries, but the buffer size is still wrongly updatedto use the untruncated length. This too large value is then used in the`send()` call, making curl attempt to send more data than what is actually putinto the buffer. The `send()` function will then read beyond the end of theheap based buffer. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000100 CVE-2017-1000082 Package: systemd Score: 10.0 (High) Description: systemd v233 and earlier fails to safely parse usernames starting with a numeric digit (e.g. "0day"), running the service in question with root privileges rather than the user intended. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000082 CVE-2017-9445 Package: systemd Score: 5.0 (Medium) Description: In systemd through 233, certain sizes passed to dns_packet_new in systemd-resolved can cause it to allocate a buffer that's too small. A malicious DNS server can exploit this via a response with a specially crafted TCP payload to trick systemd-resolved into allocating a buffer that's too small, and subsequently write arbitrary data beyond the end of it. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9445 CVE-2017-9050 Package: libxml2-native Score: 5.0 (Medium) Description: libxml2 20904-GITv2.9.4-16-g0741801 is vulnerable to a heap-based buffer over-read in the xmlDictAddString function in dict.c. This vulnerability causes programs that use libxml2, such as PHP, to crash. This vulnerability exists because of an incomplete fix for CVE-2016-1839. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9050 CVE-2017-9049 Package: libxml2-native Score: 5.0 (Medium) Description: libxml2 20904-GITv2.9.4-16-g0741801 is vulnerable to a heap-based buffer over-read in the xmlDictComputeFastKey function in dict.c. This vulnerability causes programs that use libxml2, such as PHP, to crash. This vulnerability exists because of an incomplete fix for libxml2 Bug 759398. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9049 CVE-2017-9048 Package: libxml2-native Score: 5.0 (Medium) Description: libxml2 20904-GITv2.9.4-16-g0741801 is vulnerable to a stack-based buffer overflow. The function xmlSnprintfElementContent in valid.c is supposed to recursively dump the element content definition into a char buffer 'buf' of size 'size'. At the end of the routine, the function may strcat two more characters without checking whether the current strlen(buf) + 2 < size. This vulnerability causes programs that use libxml2, such as PHP, to crash. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9048 CVE-2017-9047 Package: libxml2-native Score: 5.0 (Medium) Description: A buffer overflow was discovered in libxml2 20904-GITv2.9.4-16-g0741801. The function xmlSnprintfElementContent in valid.c is supposed to recursively dump the element content definition into a char buffer 'buf' of size 'size'. The variable len is assigned strlen(buf). If the content->type is XML_ELEMENT_CONTENT_ELEMENT, then (i) the content->prefix is appended to buf (if it actually fits) whereupon (ii) content->name is written to the buffer. However, the check for whether the content->name actually fits also uses 'len' rather than the updated buffer length strlen(buf). This allows us to write about "size" many bytes beyond the allocated memory. This vulnerability causes programs that use libxml2, such as PHP, to crash. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9047 CVE-2017-8872 Package: libxml2-native Score: 6.4 (Medium) Description: The htmlParseTryOrFinish function in HTMLparser.c in libxml2 2.9.4 allows attackers to cause a denial of service (buffer over-read) or information disclosure. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8872 CVE-2017-8831 Package: kernel Score: 7.2 (High) Description: The saa7164_bus_get function in drivers/media/pci/saa7164/saa7164-bus.c in the Linux kernel through 4.10.14 allows local users to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact by changing a certain sequence-number value, aka a "double fetch" vulnerability. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8831 CVE-2017-8817 Package: curl Score: 5.0 (Medium) Description: libcurl contains a read out of bounds flaw in the FTP wildcard function.libcurl's FTP wildcard matching feature, which is enabled with the CURLOPT_WILDCARDMATCH option can use a built-in wildcard function or a user provided one. The built-in wildcard function has a flaw that makes it not detect the end of the pattern string if it ends with an open bracket ([) but instead it will continue reading the heap beyond the end of the URL buffer that holds the wildcard.For applications that use HTTP(S) URLs, allow libcurl to handle redirects and have FTP wildcards enabled, this flaw can be triggered by malicious servers that can redirect clients to a URL using such a wildcard pattern.We are not aware of any exploit of this flaw. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8817 CVE-2017-8816 Package: curl Score: 5.0 (Medium) Description: libcurl contains a buffer overrun flaw in the NTLM authentication code.The internal function Curl_ntlm_core_mk_ntlmv2_hash sums up the lengths of the user name + password (= SUM) and multiplies the sum by two (= SIZE) to figure out how large storage to allocate from the heap.The SUvalue is subsequently used to iterate over the input and generate output into the storage buffer. On systems with a 32 bit size_t, the math to calculate SIZE triggers an integer overflow when the combined lengths of the user name and password is larger than 2GB (2^31 bytes). This integer overflow usually causes a very small buffer to actually get allocated instead of the intended very huge one, making the use of that buffer end up in a buffer overrun.We are not aware of any exploit of this flaw. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8816 CVE-2017-8804 Package: glibc Score: 7.8 (High) Description: The xdr_bytes and xdr_string functions in the GNU C Library (aka glibc or libc6) 2.25 mishandle failures of buffer deserialization, which allows remote attackers to cause a denial of service (virtual memory allocation, or memory consumption if an overcommit setting is not used) via a crafted UDP packet to port 111, a related issue to CVE-2017-8779. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8804 CVE-2017-8392 Package: binutils Score: 5.0 (Medium) Description: The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, is vulnerable to an invalid read of size 8 because of missing a check to determine whether symbols are NULL in the _bfd_dwarf2_find_nearest_line function. This vulnerability causes programs that conduct an analysis of binary programs using the libbfd library, such as objdump, to crash. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8392 CVE-2017-8309 Package: Qemu Score: 7.8 (High) Description: Memory leak in the audio/audio.c in QEMU (aka Quick Emulator) allows remote attackers to cause a denial of service (memory consumption) by repeatedly starting and stopping audio capture. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8309 CVE-2017-8105 Package: freetype Score: 7.5 (High) Description: FreeType 2 before 2017-03-24 has an out-of-bounds write caused by a heap-based buffer overflow related to the t1_decoder_parse_charstrings function in psaux/t1decode.c. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8105 CVE-2017-8069 Package: kernel Score: 7.2 (High) Description: drivers/net/usb/rtl8150.c in the Linux kernel 4.9.x before 4.9.11 interacts incorrectly with the CONFIG_VMAP_STACK option, which allows local users to cause a denial of service (system crash or memory corruption) or possibly have unspecified other impact by leveraging use of more than one virtual page for a DMA scatterlist. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8069 CVE-2017-8068 Package: kernel Score: 7.2 (High) Description: drivers/net/usb/pegasus.c in the Linux kernel 4.9.x before 4.9.11 interacts incorrectly with the CONFIG_VMAP_STACK option, which allows local users to cause a denial of service (system crash or memory corruption) or possibly have unspecified other impact by leveraging use of more than one virtual page for a DMA scatterlist. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8068 CVE-2017-8067 Package: kernel Score: 7.2 (High) Description: drivers/char/virtio_console.c in the Linux kernel 4.9.x and 4.10.x before 4.10.12 interacts incorrectly with the CONFIG_VMAP_STACK option, which allows local users to cause a denial of service (system crash or memory corruption) or possibly have unspecified other impact by leveraging use of more than one virtual page for a DMA scatterlist. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8067 CVE-2017-8066 Package: kernel Score: 7.2 (High) Description: drivers/net/can/usb/gs_usb.c in the Linux kernel 4.9.x and 4.10.x before 4.10.2 interacts incorrectly with the CONFIG_VMAP_STACK option, which allows local users to cause a denial of service (system crash or memory corruption) or possibly have unspecified other impact by leveraging use of more than one virtual page for a DMA scatterlist. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8066 CVE-2017-8064 Package: kernel Score: 7.2 (High) Description: drivers/media/usb/dvb-usb-v2/dvb_usb_core.c in the Linux kernel 4.9.x and 4.10.x before 4.10.12 interacts incorrectly with the CONFIG_VMAP_STACK option, which allows local users to cause a denial of service (system crash or memory corruption) or possibly have unspecified other impact by leveraging use of more than one virtual page for a DMA scatterlist. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8064 CVE-2017-8063 Package: kernel Score: 7.2 (High) Description: drivers/media/usb/dvb-usb/cxusb.c in the Linux kernel 4.9.x and 4.10.x before 4.10.12 interacts incorrectly with the CONFIG_VMAP_STACK option, which allows local users to cause a denial of service (system crash) or possibly have unspecified other impact by leveraging use of more than one virtual page for a DMA scatterlist. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8063 CVE-2017-8062 Package: kernel Score: 7.2 (High) Description: drivers/media/usb/dvb-usb/dw2102.c in the Linux kernel 4.9.x and 4.10.x before 4.10.4 interacts incorrectly with the CONFIG_VMAP_STACK option, which allows local users to cause a denial of service (system crash or memory corruption) or possibly have unspecified other impact by leveraging use of more than one virtual page for a DMA scatterlist. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8062 CVE-2017-7869 Package: gnutls Score: 5.0 (Medium) Description: GnuTLS before 2017-02-20 has an out-of-bounds write caused by an integer overflow and heap-based buffer overflow related to the cdk_pkt_read function in opencdk/read-packet.c. This issue (which is a subset of the vendor's GNUTLS-SA-2017-3 report) is fixed in 3.5.10. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7869 CVE-2017-7645 Package: kernel Score: 7.8 (High) Description: The NFSv2/NFSv3 server in the nfsd subsystem in the Linux kernel through 4.10.11 allows remote attackers to cause a denial of service (system crash) via a long RPC reply, related to net/sunrpc/svc.c, fs/nfsd/nfs3xdr.c, and fs/nfsd/nfsxdr.c. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7645 CVE-2017-7618 Package: kernel Score: 7.8 (High) Description: crypto/ahash.c in the Linux kernel through 4.10.9 allows attackers to cause a denial of service (API operation calling its own callback, and infinite recursion) by triggering EBUSY on a full queue. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7618 CVE-2017-7487 Package: kernel Score: 7.2 (High) Description: The ipxitf_ioctl function in net/ipx/af_ipx.c in the Linux kernel through 4.11.1 mishandles reference counts, which allows local users to cause a denial of service (use-after-free) or possibly have unspecified other impact via a failed SIOCGIFADDR ioctl call for an IPX interface. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7487 CVE-2017-7471 Package: Qemu Score: 0.0 (Low) Description: Quick Emulator(Qemu) built with the VirtFS, host directory sharing via Plan 9 File System(9pfs) support, is vulnerable to an improper access control issue. It could occur while accessing files on a shared host directory.A privileged user inside guest could use this flaw to access host file system beyond the shared folder and potentially escalating their privileges on a host. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7471 CVE-2017-7468 Package: curl Score: 6.0 (Medium) Description: libcurl would attempt to resume a TLS session even if the client certificate had changed. That is unacceptable since a server by specification is allowed to skip the client certificate check on resume, and may instead use the old identity which was established by the previous certificate (or no certificate). Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7468 CVE-2017-7407 Package: curl Score: 2.1 (Low) Description: The ourWriteOut function in tool_writeout.c in curl 7.53.1 might allow physically proximate attackers to obtain sensitive information from process memory in opportunistic circumstances by reading a workstation screen during use of a --write-out argument ending in a '%' character, which leads to a heap-based buffer over-read. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7407 CVE-2017-7304 Package: binutils Score: 5.0 (Medium) Description: The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, is vulnerable to an invalid read (of size 8) because of missing a check (in the copy_special_section_fields function) for an invalid sh_link field before attempting to follow it. This vulnerability causes Binutils utilities like strip to crash. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7304 CVE-2017-7210 Package: binutils Score: 7.8 (High) Description: objdump in GNU Binutils 2.28 is vulnerable to multiple heap-based buffer over-reads (of size 1 and size 8) while handling corrupt STABS enum type strings in a crafted object file, leading to program crash. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7210 CVE-2017-7209 Package: binutils Score: 4.3 (Medium) Description: The dump_section_as_bytes function in readelf in GNU Binutils 2.28 accesses a NULL pointer while reading section contents in a corrupt binary, leading to a program crash. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7209 CVE-2017-6969 Package: binutils Score: 6.4 (Medium) Description: readelf in GNU Binutils 2.28 is vulnerable to a heap-based buffer over-read while processing corrupt RL78 binaries. The vulnerability can trigger program crashes. It may lead to an information leak as well. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6969 CVE-2017-6966 Package: binutil Score: 4.0 (Medium) Description: readelf in GNU Binutils 2.28 has a use-after-free (specifically read-after-free) error while processing multiple, relocated sections in an MSP430 binary. This is caused by mishandling of an invalid symbol index, and mishandling of state across invocations. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6966 CVE-2017-6965 Package: binutils Score: 4.3 (Medium) Description: readelf in GNU Binutils 2.28 writes to illegal addresses while processing corrupt input files containing symbol-difference relocations, leading to a heap-based buffer overflow. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6965 CVE-2017-6505 Package: Qemu Score: 4.0 (Medium) Description: Quick Emulator built with the USB OHCI Emulation support is vulnerable to aninfinite loop issue. It could occur while processing an endpoint listdescriptor in ohci_service_ed_list().A guest user/process could use this flaw to crash Qemu process resulting in DoS. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6505 CVE-2017-6353 Package: Kernel Score: 5.0 (Medium) Description: net/sctp/socket.c in the Linux kernel through 4.10.1 does not properly restrict association peel-off operations during certain wait states, which allows local users to cause a denial of service (invalid unlock and double free) via a multithreaded application. NOTE: this vulnerability exists because of an incorrect fix for CVE-2017-5986. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6353 CVE-2017-6348 Package: Kernel Score: 5.0 (Medium) Description: The hashbin_delete function in net/irda/irqueue.c in the Linux kernel before 4.9.13 improperly manages lock dropping, which allows local users to cause a denial of service (deadlock) via crafted operations on IrDA devices. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6348 CVE-2017-6345 Package: Kernel Score: 5.0 (Medium) Description: The LLC subsystem in the Linux kernel before 4.9.13 does not ensure that a certain destructor exists in required circumstances, which allows local users to cause a denial of service (BUG_ON) or possibly have unspecified other impact via crafted system calls. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6345 CVE-2017-6214 Package: Kernel Score: 5.0 (Medium) Description: The tcp_splice_read function in net/ipv4/tcp.c in the Linux kernel before 4.9.11 allows remote attackers to cause a denial of service (infinite loop and soft lockup) via vectors involving a TCP packet with the URG flag. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6214 CVE-2017-6058 Package: Qemu Score: 5.0 (Medium) Description: Buffer overflow in NetRxPkt::ehdr_buf in hw/net/net_rx_pkt.c in QEMU (aka Quick Emulator), when the VLANSTRIP feature is enabled on the vmxnet3 device, allows remote attackers to cause a denial of service (out-of-bounds access and QEMU process crash) via vectors related to VLAN stripping. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6058 CVE-2017-5986 Package: Kernel Score: 7.0 (High) Description: Race condition in the sctp_wait_for_sndbuf function in net/sctp/socket.c in the Linux kernel before 4.9.11 allows local users to cause a denial of service (assertion failure and panic) via a multithreaded application that peels off an association in a certain buffer-full state. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5986 CVE-2017-5970 Package: Kernel Score: 5.0 (Medium) Description: The ipv4_pktinfo_prepare function in net/ipv4/ip_sockglue.c in the Linux kernel through 4.9.9 allows attackers to cause a denial of service (system crash) via (1) an application that makes crafted system calls or possibly (2) IPv4 traffic with invalid IP options. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5970 CVE-2017-5969 Package: libxml2-native Score: 2.6 (Low) Description: libxml2 2.9.4, when used in recover mode, allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted XML document. NOTE: The maintainer states "I would disagree of a CVE with the Recover parsing option which should only be used for manual recovery at least for XML parser." Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5969 CVE-2017-5931 Package: Qemu Score: 6.0 (Medium) Description: Quick Emulator(Qemu) built with the Virtio crypto device emulation support isvulnerable to an integer overflow issue. It could occur while handling dataencryption/decryption requests in 'virtio_crypto_handle_sym_req'.A privileged user inside guest could use this flaw to crash the Qemu processresulting in DoS or potentially execute arbitrary code on the host withprivileges of the Qemu process. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5931 CVE-2017-5848 Package: gstreamer Score: 5.0 (Medium) Description: The gst_ps_demux_parse_psm function in gst/mpegdemux/gstmpegdemux.c in gst-plugins-bad in GStreamer allows remote attackers to cause a denial of service (invalid memory read and crash) via vectors involving PSM parsing. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5848 CVE-2017-5847 Package: gstreamer Score: 5.0 (Medium) Description: The gst_asf_demux_process_ext_content_desc function in gst/asfdemux/gstasfdemux.c in gst-plugins-ugly in GStreamer allows remote attackers to cause a denial of service (out-of-bounds heap read) via vectors involving extended content descriptors. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5847 CVE-2017-5669 Package: Kernel Score: 5.0 (Medium) Description: The do_shmat function in ipc/shm.c in the Linux kernel through 4.9.12 does not restrict the address calculated by a certain rounding operation, which allows local users to map page zero, and consequently bypass a protection mechanism that exists for the mmap system call, by making crafted shmget and shmat system calls in a privileged context. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5669 CVE-2017-5618 Package: GNU screen Score: 7.2 (High) Description: GNU screen before 4.5.1 allows local users to modify arbitrary files and consequently gain root privileges by leveraging improper checking of logfile permissions. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5618 CVE-2017-5577 Package: Kernel Score: 5.0 (Medium) Description: The vc4_get_bcl function in drivers/gpu/drm/vc4/vc4_gem.c in the VideoCore DRM driver in the Linux kernel before 4.9.7 does not set an errno value upon certain overflow detections, which allows local users to cause a denial of service (incorrect pointer dereference and OOPS) via inconsistent size values in a VC4_SUBMIT_CL ioctl call. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5577 CVE-2017-5551 Package: Kernel Score: 4.0 (Medium) Description: The simple_set_acl function in fs/posix_acl.c in the Linux kernel before 4.9.6 preserves the setgid bit during a setxattr call involving a tmpfs filesystem, which allows local users to gain group privileges by leveraging the existence of a setgid program with restrictions on execute permissions. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-7097. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5551 CVE-2017-5335 Package: GnuTLS Score: 5.0 (Medium) Description: The stream reading functions in lib/opencdk/read-packet.c in GnuTLS before 3.3.26 and 3.5.x before 3.5.8 allow remote attackers to cause a denial of service (out-of-memory error and crash) via a crafted OpenPGP certificate. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5335 CVE-2017-3737 Package: OpenSSL Score: 6.0 (Medium) Description: OpenSSL 1.0.2 (starting from version 1.0.2b) introduced an "error state"mechanism. The intent was that if a fatal error occurred during a handshake thenOpenSSL would move into the error state and would immediately fail if youattempted to continue the handshake. This works as designed for the explicithandshake functions (SSL_do_handshake(), SSL_accept() and SSL_connect()),however due to a bug it does not work correctly if SSL_read() or SSL_write() iscalled directly. In that scenario, if the handshake fails then a fatal errorwill be returned in the initial function call. If SSL_read()/SSL_write() issubsequently called by the application for the same SSL object then it willsucceed and the data is passed without being decrypted/encrypted directly fromthe SSL/TLS record layer.In order to exploit this issue an application bug would have to be present thatresulted in a call to SSL_read()/SSL_write() being issued after having alreadyreceived a fatal error.External References:https://www.openssl.org/news/secadv/20171207.txt Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3737 CVE-2017-3735 Package: OpenSSL Score: 5.0 (Medium) Description: While parsing an IPAddressFamily extension in an X.509 certificate, it is possible to do a one-byte overread. This would result in an incorrect text display of the certificate. This bug has been present since 2006 and is present in all versions of OpenSSL before 1.0.2m and 1.1.0g. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3735 CVE-2017-3731 Package: OpenSSL Score: 5.0 (Medium) Description: If an SSL/TLS server or client is running on a 32-bit host, and a specific cipher is being used, then a truncated packet can cause that server or client to perform an out-of-bounds read, usually resulting in a crash. For OpenSSL 1.1.0, the crash can be triggered when using CHACHA20/POLY1305; users should upgrade to 1.1.0d. For Openssl 1.0.2, the crash can be triggered when using RC4-MD5; users who have not disabled that algorithm should update to 1.0.2k. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3731 CVE-2017-3136 Package: bind Score: 5.9 (Medium) Description: A query with a specific set of characteristics could cause a server using DNS64 to encounter an assertion failure and terminate.An attacker could deliberately construct a query, enabling denial-of-service against a server if it was configured to use the DNS64 feature and other preconditions were met. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3136 CVE-2017-3135 Package: bind Score: 6.0 (Medium) Description: Under some conditions when using both DNS64 and RPZ to rewrite query responses, query processing can resume in an inconsistent state leading to either an INSIST assertion failure or an attempt to read through a NULL pointer. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3135 CVE-2017-2628 Package: curl Score: 0.0 (Low) Description: It was found that the fix for CVE-2015-3148 in curl was incomplete. An application using libcurl with HTTP Negotiate authentication could incorrectly re-use credentials for subsequent requests to the same server. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2628 CVE-2017-2620 Package: Qemu Score: 9.0 (High) Description: Quick emulator (QEMU) built with the Cirrus CLGD 54xx VGA Emulator support is vulnerable to an out-of-bounds access issue. The issue could occur while copying VGA data in cirrus_bitblt_cputovideo. A privileged user inside guest could use this flaw to crash the QEMU process OR potentially execute arbitrary code on host with privileges of the QEMU process.Upstream patch: http://git.qemu-project.org/?p=qemu.git;a=commit;h=92f2b88cea48c6aeba8de568a45f2ed958f3c298 Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2620 CVE-2016-9923 Package: Qemu Score: 2.0 (Low) Description: Quick Emulator (Qemu) built with the 'chardev' backend support is vulnerable to a use after free issue. It could occur while hotplug and unplugging the device in the guest. A guest user/process could use this flaw to crash a Qemu process on the host resulting in DoS. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9923 CVE-2016-9921 Package: Qemu Score: 2.0 (Low) Description: Quick emulator (Qemu) built with the Cirrus CLGD 54xx VGA Emulator support is vulnerable to a divide by zero issue. It could occur while copying VGA data when cirrus graphics mode was set to be VGA. A privileged user inside guest could use this flaw to crash the Qemu process instance on the host, resulting in DoS. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9921 CVE-2016-9916 Package: Qemu Score: 5.0 (Medium) Description: Memory leak in hw/9pfs/9p-proxy.c in QEMU (aka Quick Emulator) allows local privileged guest OS users to cause a denial of service (host memory consumption and possibly QEMU process crash) by leveraging a missing cleanup operation in the proxy backend. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9916 CVE-2016-9915 Package: Qemu Score: 5.0 (Medium) Description: Memory leak in hw/9pfs/9p-handle.c in QEMU (aka Quick Emulator) allows local privileged guest OS users to cause a denial of service (host memory consumption and possibly QEMU process crash) by leveraging a missing cleanup operation in the handle backend. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9915 CVE-2016-9914 Package: Qemu Score: 5.0 (Medium) Description: Memory leak in hw/9pfs/9p.c in QEMU (aka Quick Emulator) allows local privileged guest OS users to cause a denial of service (host memory consumption and possibly QEMU process crash) by leveraging a missing cleanup operation in FileOperations. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9914 CVE-2016-9913 Package: Qemu Score: 5.0 (Medium) Description: Memory leak in the v9fs_device_unrealize_common function in hw/9pfs/9p.c in QEMU (aka Quick Emulator) allows local privileged guest OS users to cause a denial of service (host memory consumption and possibly QEMU process crash) via vectors involving the order of resource cleanup. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9913 CVE-2016-9912 Package: Qemu Score: 2.0 (Low) Description: Quick Emulator (Qemu) built with the Virtio GPU Device emulator support is vulnerable to a memory leakage issue. It could occur while destroying gpu resource object in 'virtio_gpu_resource_destroy'. A guest user/process could use this flaw to leak host memory bytes, resulting in DoS for a host. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9912 CVE-2016-9911 Package: Qemu Score: 2.0 (Low) Description: Quick Emulator (Qemu) built with the USB EHCI Emulation support is vulnerable to a memory leakage issue. It could occur while processing packet data in 'ehci_init_transfer'. A guest user/process could use this issue to leak host memory, resulting in DoS for a host. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9911 CVE-2016-9908 Package: Qemu Score: 2.0 (Low) Description: Quick Emulator (Qemu) built with the Virtio GPU Device emulator support is vulnerable to an information leakage issue. It could occur while processing 'VIRTIO_GPU_CMD_GET_CAPSET' command. A guest user/process could use this flaw to leak contents of the host memory bytes. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9908 CVE-2016-9907 Package: Qemu Score: 2.0 (Low) Description: Quick Emulator (Qemu) built with the USB redirector usb-guest support is vulnerable to a memory leakage flaw. It could occur while destroying the USB redirector in 'usbredir_handle_destroy'. A guest user/process could use this issue to leak host memory, resulting in DoS for a host. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9907 CVE-2016-9846 Package: Qemu Score: 5.0 (Medium) Description: QEMU (aka Quick Emulator) built with the Virtio GPU Device emulator support is vulnerable to a memory leakage issue. It could occur while updating the cursor data in update_cursor_data_virgl. A guest user/process could use this flaw to leak host memory bytes, resulting in DoS for a host. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9846 CVE-2016-9845 Package: Qemu Score: 0.0 (Low) Description: QEMU (aka Quick Emulator) built with the Virtio GPU Device emulator support is vulnerable to an information leakage issue. It could occur while processing 'VIRTIO_GPU_CMD_GET_CAPSET_INFO' command. A guest user/process could use this flaw to leak contents of the host memory bytes. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9845 CVE-2016-9776 Package: Qemu Score: 2.0 (Low) Description: QEMU (aka Quick Emulator) built with the ColdFire Fast Ethernet Controller emulator support is vulnerable to an infinite loop issue. It could occur while receiving packets in 'mcf_fec_receive'. A privileged user/process inside guest could use this issue to crash the QEMU process on the host leading to DoS. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9776 CVE-2016-9754 Package: Kernel Score: 7.0 (High) Description: The ring_buffer_resize function in kernel/trace/ring_buffer.c in the profiling subsystem in the Linux kernel before 4.6.1 mishandles certain integer calculations, which allows local users to gain privileges by writing to the /sys/kernel/debug/tracing/buffer_size_kb file. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9754 CVE-2016-9603 Package: Qemu Score: 8.0 (High) Description: A heap buffer overflow flaw was found in QEMU's Cirrus CLGD 54xx VGA emulator's VNC display driver support; the issue could occur when a VNC client attempted to update its display after a VGA operation is performed by a guest. A privileged user/process inside a guest could use this flaw to crash the QEMU process or, potentially, execute arbitrary code on the host with privileges of the QEMU process. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9603 CVE-2016-9444 Package: bind Score: 7.0 (High) Description: named in ISC BIND 9.x before 9.9.9-P5, 9.10.x before 9.10.4-P5, and 9.11.x before 9.11.0-P2 allows remote attackers to cause a denial of service (assertion failure and daemon exit) via a crafted DS resource record in an answer. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9444 CVE-2016-9401 Package: bash Score: 2.0 (Low) Description: ref to yocto patch: http://git.yoctoproject.org/cgit/cgit.cgi/poky/commit/?id=1b2857a781b6666feaf5d3c91dc02ac263d0c4f6 Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9401 CVE-2016-9318 Package: libxml2-native Score: 6.8 (Medium) Description: libxml2 2.9.4 and earlier, as used in XMLSec 1.2.23 and earlier and other products, does not offer a flag directly indicating that the current document may be read but other files may not be opened, which makes it easier for remote attackers to conduct XML External Entity (XXE) attacks via a crafted document. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9318 CVE-2016-9106 Package: Qemu Score: 2.0 (Low) Description: Memory leak in the v9fs_write function in hw/9pfs/9p.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (memory consumption) by leveraging failure to free an IO vector. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9106 CVE-2016-9105 Package: Qemu Score: 2.0 (Low) Description: Memory leak in the v9fs_link function in hw/9pfs/9p.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (memory consumption) via vectors involving a reference to the source fid object. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9105 CVE-2016-9104 Package: Qemu Score: 2.0 (Low) Description: Multiple integer overflows in the (1) v9fs_xattr_read and (2) v9fs_xattr_write functions in hw/9pfs/9p.c in QEMU (aka Quick Emulator) allow local guest OS administrators to cause a denial of service (QEMU process crash) via a crafted offset, which triggers an out-of-bounds access. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9104 CVE-2016-9103 Package: Qemu Score: 2.0 (Low) Description: The v9fs_xattrcreate function in hw/9pfs/9p.c in QEMU (aka Quick Emulator) allows local guest OS administrators to obtain sensitive host heap memory information by reading xattribute values before writing to them. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9103 CVE-2016-9102 Package: Qemu Score: 2.0 (Low) Description: Memory leak in the v9fs_xattrcreate function in hw/9pfs/9p.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (memory consumption and QEMU process crash) via a large number of Txattrcreate messages with the same fid number. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9102 CVE-2016-9083 Package: Kernel Score: 8.0 (High) Description: drivers/vfio/pci/vfio_pci.c in the Linux kernel through 4.8.11 allows local users to bypass integer overflow checks, and cause a denial of service (memory corruption) or have unspecified other impact, by leveraging access to a vfio PCI device file for a VFIO_DEVICE_SET_IRQS ioctl call, aka a "state machine confusion bug." Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9083 CVE-2016-8910 Package: Qemu Score: 2.0 (Low) Description: The rtl8139_cplus_transmit function in hw/net/rtl8139.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (infinite loop and CPU consumption) by leveraging failure to limit the ring descriptor count. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8910 CVE-2016-8909 Package: Qemu Score: 2.0 (Low) Description: The intel_hda_xfer function in hw/audio/intel-hda.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (infinite loop and CPU consumption) via an entry with the same value for buffer length and pointer position. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8909 CVE-2016-8864 Package: bind Score: 5.0 (Medium) Description: named in ISC BIND 9.x before 9.9.9-P4, 9.10.x before 9.10.4-P4, and 9.11.x before 9.11.0-P1 allows remote attackers to cause a denial of service (assertion failure and daemon exit) via a DNAME record in the answer section of a response to a recursive query, related to db.c and resolver.c. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8864 CVE-2016-8858 Package: OpenSSL Score: 7.8 (High) Description: A memory exhaustion issue in OpenSSH that can be triggered before user authentication was found. An unauthenticated attacker could consume approx. 400 MB of memory per each connection. The attacker could set up multiple such connections to run out of server’s memory. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8858 CVE-2016-8669 Package: Qemu Score: 2.0 (Low) Description: The serial_update_parameters function in hw/char/serial.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (divide-by-zero error and QEMU process crash) via vectors involving a value of divider greater than baud base. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8669 CVE-2016-8668 Package: Qemu Score: 2.0 (Low) Description: The rocker_io_writel function in hw/net/rocker/rocker.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (out-of-bounds read and QEMU process crash) by leveraging failure to limit DMA buffer size. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8668 CVE-2016-8655 Package: Kernel Score: 8.0 (High) Description: Race condition in net/packet/af_packet.c in the Linux kernel through 4.8.12 allows local users to gain privileges or cause a denial of service (use-after-free) by leveraging the CAP_NET_RAW capability to change a socket version, related to the packet_set_ring and packet_setsockopt functions. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8655 CVE-2016-8649 Package: lxc Score: 9.0 (High) Description: lxc-attach in LXC before 1.0.9 and 2.x before 2.0.6 allows an attacker inside of an unprivileged container to use an inherited file descriptor, of the host's /proc, to access the rest of the host's filesystem via the openat() family of syscalls. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8649 CVE-2016-8625 Package: curl Score: 6.9 (Medium) Description: When curl is built with libidn to handle International Domain Names (IDNA), ittranslates them to puny code for DNS resolving using the IDNA 2003 standard,while IDNA 2008 is the modern and up-to-date IDNA standard.This misalignment causes problems with for example domains using the German ßcharacter (known as the Unicode Character 'LATIN SMALL LETTER SHARP S') whichis used at times in the .de TLD and is translated differently in the two IDNAstandards, leading to users potentially and unknowingly issuing networktransfer requests to the wrong host.For example, `straße.de` is translated into `strasse.de` using IDNA 2003 butis translated into `xn--strae-oqa.de` using IDNA 2008. Needless to say, thosehost names could very well resolve to different addresses and be twocompletely independent servers. IDNA 2008 is mandatory for .de domains.curl is not alone with this problem, as there's currently a big flux in theworld of network user-agents about which IDNA version to support and use.This name problem exists for DNS-using protocols in curl, but only when builtto use libidn. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8625 CVE-2016-8624 Package: curl Score: 6.9 (Medium) Description: curl doesn't parse the authority component of the URL correctly when the hostname part ends with a '#' character, and could instead be tricked intoconnecting to a different host. This may have security implications if you forexample use an URL parser that follows the RFC to check for allowed domainsbefore using curl to request them.Passing in `http://example.com#@evil.com/x.txt` would wrongly make curl send arequest to evil.com while your browser would connect to example.com given thesame URL.The problem exists for most protocol schemes. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8624 CVE-2016-8623 Package: curl Score: 4.9 (Medium) Description: libcurl explicitly allows users to share cookies between multiple easy handlesthat are concurrently employed by different threads.When cookies to be sent to a server are collected, the matching functioncollects all cookies to send and the cookie lock is released immediatelyafterwards. That function however only returns a list with *references* back tothe original strings for name, value, path and so on. Therefore, if anotherthread quickly takes the lock and frees one of the original cookie structstogether with its strings, a use-after-free can occur and lead to informationdisclosure. Another thread can also replace the contents of the cookies fromseparate HTTP responses or API calls. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8623 CVE-2016-8622 Package: curl Score: 4.9 (Medium) Description: The URL percent-encoding decode function in libcurl is called`curl_easy_unescape`. Internally, even if this function would be made toallocate a unscape destination buffer larger than 2GB, it would return thatnew length in a signed 32 bit integer variable, thus the length would geteither just truncated or both truncated and turned negative. That could thenlead to libcurl writing outside of its heap based buffer.This can be triggered by a user on a 64bit system if the user can send in acustom (very large) URL to a libcurl using program. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8622 CVE-2016-8621 Package: curl Score: 4.9 (Medium) Description: The `curl_getdate` converts a given date string into a numerical timestamp andit supports a range of different formats and possibilites to express a dateand time. The underlying date parsing function is also used internally whenparsing for example HTTP cookies (possibly received from remote servers) andit can be used when doing conditional HTTP requests.The date parser function uses the libc sscanf() function at two places, withthe parsing strings "%02d:%02d" and ""%02d:%02d:%02d". The intent being thatit would parse either a string with HH:MM (two digits colon two digits) orHH:MM:SS (two digits colon two digits colon two digits). If instead the pieceof time that was sent in had the final digit cut off, thus ending with asingle-digit, the date parser code would advance its read pointer one byte toomuch and end up reading out of bounds. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8621 CVE-2016-8620 Package: curl Score: 6.9 (Medium) Description: The curl tool's "globbing" feature allows a user to specify a numerical rangethrough which curl will iterate. It is typically specified as [1-5],specifying the first and the last numbers in the range. Or with [a-z], usingletters.1. The curl code for parsing the second *unsigned* number did not check for aleading minus character, which allowed a user to specify `[1--1]` with nocomplaints and have the latter `-1` number get turned into the largestunsigned long value the system can handle. This would ultimately cause curl towrite outside the dedicated malloced buffer after no less than 100,000iterations, since it would have room for 5 digits but not 6.2. When the range is specified with letters, and the ending letter is left out`[L-]`, the code would still advance its read pointer 5 bytes even if thestring was just 4 bytes and end up reading outside the given buffer. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8620 CVE-2016-8619 Package: curl Score: 6.9 (Medium) Description: In curl's implementation of the Kerberos authentication mechanism, thefunction `read_data()` in security.c is used to fill the necessary krb5structures. When reading one of the length fields from the socket, it fails toensure that the length parameter passed to realloc() is not set to 0.This would lead to realloc() getting called with a zero size and when doing sorealloc() returns NULL *and* frees the memory - in contrary to normalrealloc() fails where it only returns NULL - causing libcurl to free thememory *again* in the error path.This flaw could be triggered by a malicious or just otherwise ill-behavingserver. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8619 CVE-2016-8618 Package: curl Score: 6.9 (Medium) Description: The libcurl API function called `curl_maprintf()` can be tricked into doing adouble-free due to an unsafe `size_t` multiplication, on systems using 32 bit`size_t` variables. The function is also used internallty in numeroussituations.The function doubles an allocated memory area with realloc() and allows thesize to wrap and become zero and when doing so realloc() returns NULL *and*frees the memory - in contrary to normal realloc() fails where it only returnsNULL - causing libcurl to free the memory *again* in the error path.Systems with 64 bit versions of the `size_t` type are not affected by thisissue.This behavior is triggable using the publicly exposed function. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8618 CVE-2016-8617 Package: curl Score: 6.9 (Medium) Description: In libcurl's base64 encode function, the output buffer is allocated as followswithout any checks on insize: malloc( insize * 4 / 3 + 4 )On systems with 32-bit addresses in userspace (e.g. x86, ARM, x32), themultiplication in the expression wraps around if insize is at least 1GB ofdata. If this happens, an undersized output buffer will be allocated, but thefull result will be written, thus causing the memory behind the output bufferto be overwritten.If a username is set directly via `CURLOPT_USERNAME` (or curl's `-u, --user`option), this vulnerability can be triggered. The name has to be at least512MB big in a 32bit system.Systems with 64 bit versions of the `size_t` type are not affected by thisissue. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8617 CVE-2016-8616 Package: curl Score: 3.9 (Low) Description: When re-using a connection, curl was doing case insensitive comparisons of user name and password with the existing connections.This means that if an unused connection with proper credentials exists for a protocol that has connection-scoped credentials, an attacker can cause that connection to be reused if s/he knows the case-insensitive version of the correct password.We are not aware of any exploit of this flaw. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8616 CVE-2016-8615 Package: curl Score: 6.9 (Medium) Description: If cookie state is written into a cookie jar file that is later read back and used for subsequent requests, a malicious HTTP server can inject new cookies for arbitrary domains into said cookie jar.The issue pertains to the function that loads cookies into memory, which reads the specified file into a fixed-size buffer in a line-by-line manner using the fgets() function. If an invocation of fgets() cannot read the whole line into the destination buffer due to it being too small, it truncates the output. This way, a very long cookie (name + value) sent by a malicious server would be stored in the file and subsequently that cookie could be read partially and crafted correctly, it could be treated as a different cookie for another server.We are not aware of any exploit of this flaw. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8615 CVE-2016-8578 Package: Qemu Score: 2.0 (Low) Description: The v9fs_iov_vunmarshal function in fsdev/9p-iov-marshal.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (NULL pointer dereference and QEMU process crash) by sending an empty string parameter to a 9P operation. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8578 CVE-2016-8577 Package: Qemu Score: 2.0 (Low) Description: Memory leak in the v9fs_read function in hw/9pfs/9p.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (memory consumption) via vectors related to an I/O read operation. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8577 CVE-2016-8576 Package: Qemu Score: 2.0 (Low) Description: The xhci_ring_fetch function in hw/usb/hcd-xhci.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) by leveraging failure to limit the number of link Transfer Request Blocks (TRB) to process. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8576 CVE-2016-7995 Package: Qemu Score: 2.0 (Low) Description: Memory leak in the ehci_process_itd function in hw/usb/hcd-ehci.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (memory consumption) via a large number of crafted buffer page select (PG) indexes. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7995 CVE-2016-7994 Package: Qemu Score: 2.0 (Low) Description: Memory leak in the virtio_gpu_resource_create_2d function in hw/display/virtio-gpu.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (memory consumption) via a large number of VIRTIO_GPU_CMD_RESOURCE_CREATE_2D commands. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7994 CVE-2016-7909 Package: Qemu Score: 5.0 (Medium) Description: The pcnet_rdra_addr function in hw/net/pcnet.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) by setting the (1) receive or (2) transmit descriptor ring length to 0. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7909 CVE-2016-7908 Package: Qemu Score: 2.0 (Low) Description: The mcf_fec_do_tx function in hw/net/mcf_fec.c in QEMU (aka Quick Emulator) does not properly limit the buffer descriptor count when transmitting packets, which allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) via vectors involving a buffer descriptor with a length of 0 and crafted values in bd.flags. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7908 CVE-2016-7795 Package: systemd Score: 4.9 (Medium) Description: The manager_invoke_notify_message function in systemd 231 and earlier allows local users to cause a denial of service (assertion failure and PID 1 hang) via a zero-length message received over a notify socket. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7795 CVE-2016-7466 Package: Qemu Score: 2.0 (Low) Description: Memory leak in the usb_xhci_exit function in hw/usb/hcd-xhci.c in QEMU (aka Quick Emulator), when the xhci uses msix, allows local guest OS administrators to cause a denial of service (memory consumption and possibly QEMU process crash) by repeatedly unplugging a USB device. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7466 CVE-2016-7423 Package: Qemu Score: 2.0 (Low) Description: The mptsas_process_scsi_io_request function in QEMU (aka Quick Emulator), when built with LSI SAS1068 Host Bus emulation support, allows local guest OS administrators to cause a denial of service (out-of-bounds write and QEMU process crash) via vectors involving MPTSASRequest objects. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7423 CVE-2016-7422 Package: Qemu Score: 2.0 (Low) Description: The virtqueue_map_desc function in hw/virtio/virtio.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (NULL pointer dereference and QEMU process crash) via a large I/O descriptor buffer length value. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7422 CVE-2016-7421 Package: Qemu Score: 2.0 (Low) Description: The pvscsi_ring_pop_req_descr function in hw/scsi/vmw_pvscsi.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) by leveraging failure to limit process IO loop to the ring size. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7421 CVE-2016-7170 Package: Qemu Score: 2.0 (Low) Description: The vmsvga_fifo_run function in hw/display/vmware_vga.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (out-of-bounds write and QEMU process crash) via vectors related to cursor.mask[] and cursor.image[] array sizes when processing a DEFINE_CURSOR svga command. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7170 CVE-2016-7157 Package: Qemu Score: 2.0 (Low) Description: The (1) mptsas_config_manufacturing_1 and (2) mptsas_config_ioc_0 functions in hw/scsi/mptconfig.c in QEMU (aka Quick Emulator) allow local guest OS administrators to cause a denial of service (QEMU process crash) via vectors involving MPTSAS_CONFIG_PACK. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7157 CVE-2016-7156 Package: Qemu Score: 2.0 (Low) Description: The pvscsi_convert_sglist function in hw/scsi/vmw_pvscsi.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) by leveraging an incorrect cast. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7156 CVE-2016-7155 Package: Qemu Score: 2.0 (Low) Description: hw/scsi/vmw_pvscsi.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (out-of-bounds access or infinite loop, and QEMU process crash) via a crafted page count for descriptor rings. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7155 CVE-2016-7116 Package: Qemu Score: 2.0 (Low) Description: Directory traversal vulnerability in hw/9pfs/9p.c in QEMU (aka Quick Emulator) allows local guest OS administrators to access host files outside the export path via a .. (dot dot) in an unspecified string. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7116 CVE-2016-7097 Package: Kernel Score: 3.6 (Low) Description: The filesystem implementation in the Linux kernel through 4.8.2 preserves the setgid bit during a setxattr call, which allows local users to gain group privileges by leveraging the existence of a setgid program with restrictions on execute permissions. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7097 CVE-2016-6888 Package: Qemu Score: 2.0 (Low) Description: Integer overflow in the net_tx_pkt_init function in hw/net/net_tx_pkt.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (QEMU process crash) via the maximum fragmentation count, which triggers an unchecked multiplication and NULL pointer dereference. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6888 CVE-2016-6836 Package: Qemu Score: 2.0 (Low) Description: The vmxnet3_complete_packet function in hw/net/vmxnet3.c in QEMU (aka Quick Emulator) allows local guest OS administrators to obtain sensitive host memory information by leveraging failure to initialize the txcq_descr object. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6836 CVE-2016-6835 Package: Qemu Score: 2.0 (Low) Description: The vmxnet_tx_pkt_parse_headers function in hw/net/vmxnet_tx_pkt.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (buffer over-read) by leveraging failure to check IP header length. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6835 CVE-2016-6834 Package: Qemu Score: 2.0 (Low) Description: The net_tx_pkt_do_sw_fragmentation function in hw/net/net_tx_pkt.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) via a zero length for the current fragment length. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6834 CVE-2016-6833 Package: Qemu Score: 2.0 (Low) Description: Use-after-free vulnerability in the vmxnet3_io_bar0_write function in hw/net/vmxnet3.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (QEMU instance crash) by leveraging failure to check if the device is active. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6833 CVE-2016-6490 Package: Qemu Score: 2.0 (Low) Description: The virtqueue_map_desc function in hw/virtio/virtio.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) via a zero length for the descriptor buffer. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6490 CVE-2016-6489 Package: nettle Score: 5.0 (Medium) Description: The RSA and DSA decryption code in Nettle makes it easier for attackers to discover private keys via a cache side channel attack. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6489 CVE-2016-6480 Package: Kernel Score: 4.7 (Medium) Description: Race condition in the ioctl_send_fib function in drivers/scsi/aacraid/commctrl.c in the Linux kernel through 4.7 allows local users to cause a denial of service (out-of-bounds access or system crash) by changing a certain size value, aka a "double fetch" vulnerability. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6480 CVE-2016-6354 Package: flex Score: 7.5 (High) Description: Heap-based buffer overflow in the yy_get_next_buffer function in Flex before 2.6.1 might allow context-dependent attackers to cause a denial of service or possibly execute arbitrary code via vectors involving num_to_read. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6354 CVE-2016-6351 Package: Qemu Score: 7.0 (High) Description: The esp_do_dma function in hw/scsi/esp.c in QEMU (aka Quick Emulator), when built with ESP/NCR53C9x controller emulation support, allows local guest OS administrators to cause a denial of service (out-of-bounds write and QEMU process crash) or execute arbitrary code on the QEMU host via vectors involving DMA read into ESP command buffer. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6351 CVE-2016-6323 Package: glibc Score: 5.0 (Medium) Description: The makecontext function in the GNU C Library (aka glibc or libc6) before 2.25 creates execution contexts incompatible with the unwinder on ARM EABI (32-bit) platforms, which might allow context-dependent attackers to cause a denial of service (hang), as demonstrated by applications compiled using gccgo, related to backtrace generation. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6323 CVE-2016-6321 Package: Tar (Gnu) Score: 5.0 (Medium) Description: Directory traversal vulnerability in the safer_name_suffix function in GNU tar 1.14 through 1.29 might allow remote attackers to bypass an intended protection mechanism and write to arbitrary files via vectors related to improper sanitization of the file_name parameter, aka POINTYFEATHER. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6321 CVE-2016-6318 Package: cracklib Score: 7.5 (High) Description: Stack-based buffer overflow in the FascistGecosUser function in lib/fascist.c in cracklib allows local users to cause a denial of service (application crash) or gain privileges via a long GECOS field, involving longbuffer. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6318 CVE-2016-6301 Package: busybox Score: 7.1 (High) Description: The recv_and_process_client_pkt function in networking/ntpd.c in busybox allows remote attackers to cause a denial of service (CPU and bandwidth consumption) via a forged NTP packet, which triggers a communication loop. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6301 CVE-2016-6252 Package: shadow Score: 5.0 (Medium) Description: Integer overflow in shadow 4.2.1 allows local users to gain privileges via crafted input to newuidmap. Patch: https://bugzilla.suse.com/attachment.cgi?id=684679&action=diff Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6252 CVE-2016-6185 Package: Perl Score: 5.0 (Medium) Description: The XSLoader::load method in XSLoader in Perl does not properly locate .so files when called in a string eval, which might allow local users to execute arbitrary code via a Trojan horse library under the current working directory. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6185 CVE-2016-6170 Package: bind Score: 6.0 (Medium) Description: DNS protocols were designed with the assumption that a certain amount of trust could be presumed between the operators of primary and secondary servers for a given zone. However, in current practice some organizations have scenarios which require them to accept zone data from sources that are not fully trusted (for example: providers of secondary name service). A party who is allowed to feed data into a zone (e.g. by AXFR, IXFR, or Dynamic DNS updates) can overwhelm the server which is accepting data by intentionally or accidentally exhausting that server's memory.https://kb.isc.org/article/AA-01390 Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6170 CVE-2016-6131 Package: gcc Score: 4.9 (Medium) Description: A stack overflow vulnerability in the libiberty demangler was found, which causes its host application to crash on a tainted branch instruction. The problem is caused by a self-reference in a mangled type string that is "remembered" for later reference. This leads to an infinite recursion during the demangling. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6131 CVE-2016-5636 Package: CPython Score: 10.0 (High) Description: Integer overflow in the get_data function in zipimport.c in CPython (aka Python) before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 allows remote attackers to have unspecified impact via a negative data size value, which triggers a heap-based buffer overflow. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5636 CVE-2016-5403 Package: Qemu Score: 5.0 (Medium) Description: The virtqueue_pop function in hw/virtio/virtio.c in QEMU allows local guest OS administrators to cause a denial of service (memory consumption and QEMU process crash) by submitting requests without waiting for completion. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5403 CVE-2016-5338 Package: Qemu Score: 5.0 (Medium) Description: The (1) esp_reg_read and (2) esp_reg_write functions in hw/scsi/esp.c in QEMU allow local guest OS administrators to cause a denial of service (QEMU process crash) or execute arbitrary code on the QEMU host via vectors related to the information transfer buffer. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5338 CVE-2016-5337 Package: Qemu Score: 2.0 (Low) Description: The megasas_ctrl_get_info function in hw/scsi/megasas.c in QEMU allows local guest OS administrators to obtain sensitive host memory information via vectors related to reading device control information. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5337 CVE-2016-5300 Package: expat Score: 7.8 (High) Description: The XML parser in Expat does not use sufficient entropy for hash initialization, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted identifiers in an XML document. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-0876. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5300 CVE-2016-5238 Package: Qemu Score: 2.0 (Low) Description: The get_cmd function in hw/scsi/esp.c in QEMU might allow local guest OS administrators to cause a denial of service (out-of-bounds write and QEMU process crash) via vectors related to reading from the information transfer buffer in non-DMA mode. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5238 CVE-2016-5131 Package: libxml2 Score: 10.0 (High) Description: Use-after-free vulnerability in libxml2 (used in chromium-browser) through 2.9.4, as used in Google Chrome before 52.0.2743.82, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to the XPointer range-to function. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5131 CVE-2016-5126 Package: Qemu Score: 5.0 (Medium) Description: Heap-based buffer overflow in the iscsi_aio_ioctl function in block/iscsi.c in QEMU allows local guest OS users to cause a denial of service (QEMU process crash) or possibly execute arbitrary code via a crafted iSCSI asynchronous I/O ioctl call. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5126 CVE-2016-5107 Package: Qemu Score: 2.0 (Low) Description: The megasas_lookup_frame function in QEMU, when built with MegaRAID SAS 8708EM2 Host Bus Adapter emulation support, allows local guest OS administrators to cause a denial of service (out-of-bounds read and crash) via unspecified vectors. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5107 CVE-2016-5106 Package: Qemu Score: 2.0 (Low) Description: The megasas_dcmd_set_properties function in hw/scsi/megasas.c in QEMU, when built with MegaRAID SAS 8708EM2 Host Bus Adapter emulation support, allows local guest administrators to cause a denial of service (out-of-bounds write access) via vectors involving a MegaRAID Firmware Interface (MFI) command. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5106 CVE-2016-5105 Package: Qemu Score: 2.0 (Low) Description: The megasas_dcmd_cfg_read function in hw/scsi/megasas.c in QEMU, when built with MegaRAID SAS 8708EM2 Host Bus Adapter emulation support, uses an uninitialized variable, which allows local guest administrators to read host memory via vectors involving a MegaRAID Firmware Interface (MFI) command. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5105 CVE-2016-5008 Package: libvirt Score: 4.3 (Medium) Description: libvirt before 2.0.0 improperly disables password checking when the password on a VNC server is set to an empty string, which allows remote attackers to bypass authentication and establish a VNC session by connecting to the server. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5008 CVE-2016-4964 Package: Qemu Score: 5.0 (Medium) Description: The mptsas_fetch_requests function in hw/scsi/mptsas.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (infinite loop, and CPU consumption or QEMU process crash) via vectors involving s->state. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4964 CVE-2016-4952 Package: Qemu Score: 2.0 (Low) Description: QEMU (aka Quick Emulator), when built with VMWARE PVSCSI paravirtual SCSI bus emulation support, allows local guest OS administrators to cause a denial of service (out-of-bounds array access) via vectors related to the (1) PVSCSI_CMD_SETUP_RINGS or (2) PVSCSI_CMD_SETUP_MSG_RING SCSI command. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4952 CVE-2016-4658 Package: libxml2 Score: 10.0 (High) Description: libxml2 in Apple iOS before 10, OS X before 10.12, tvOS before 10, and watchOS before 3 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted XML document. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4658 CVE-2016-4454 Package: Qemu Score: 3.0 (Low) Description: The vmsvga_fifo_read_raw function in hw/display/vmware_vga.c in QEMU allows local guest OS administrators to obtain sensitive host memory information or cause a denial of service (QEMU process crash) by changing FIFO registers and issuing a VGA command, which triggers an out-of-bounds read. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4454 CVE-2016-4453 Package: Qemu Score: 5.0 (Medium) Description: The vmsvga_fifo_run function in hw/display/vmware_vga.c in QEMU allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) via a VGA command. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4453 CVE-2016-4448 Package: libxml2 Score: 10.0 (High) Description: Format string vulnerability in libxml2 before 2.9.4 allows attackers to have unspecified impact via format string specifiers in unknown vectors. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4448 CVE-2016-4441 Package: Qemu Score: 2.0 (Low) Description: The get_cmd function in hw/scsi/esp.c in the 53C9X Fast SCSI Controller (FSC) support in QEMU does not properly check DMA length, which allows local guest OS administrators to cause a denial of service (out-of-bounds write and QEMU process crash) via unspecified vectors, involving an SCSI command. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4441 CVE-2016-4439 Package: Qemu Score: 5.0 (Medium) Description: The esp_reg_write function in hw/scsi/esp.c in the 53C9X Fast SCSI Controller (FSC) support in QEMU does not properly check command buffer length, which allows local guest OS administrators to cause a denial of service (out-of-bounds write and QEMU process crash) or potentially execute arbitrary code on the QEMU host via unspecified vectors. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4439 CVE-2016-4037 Package: Qemu Score: 5.0 (Medium) Description: The ehci_advance_state function in hw/usb/hcd-ehci.c in QEMU allows local guest OS administrators to cause a denial of service (infinite loop and CPU consumption) via a circular split isochronous transfer descriptor (siTD) list, a related issue to CVE-2015-8558. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4037 CVE-2016-4020 Package: Qemu Score: 2.0 (Low) Description: The patch_instruction function in hw/i386/kvmvapic.c in QEMU does not initialize the imm32 variable, which allows local guest OS administrators to obtain sensitive information from host stack memory by accessing the Task Priority Register (TPR). Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4020 CVE-2016-4002 Package: Qemu Score: 7.0 (High) Description: Buffer overflow in the mipsnet_receive function in hw/net/mipsnet.c in QEMU, when the guest NIC is configured to accept large packets, allows remote attackers to cause a denial of service (memory corruption and QEMU crash) or possibly execute arbitrary code via a packet larger than 1514 bytes. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4002 CVE-2016-4001 Package: Qemu Score: 4.0 (Medium) Description: Buffer overflow in the stellaris_enet_receive function in hw/net/stellaris_enet.c in QEMU, when the Stellaris ethernet controller is configured to accept large packets, allows remote attackers to cause a denial of service (QEMU crash) via a large packet. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4001 CVE-2016-3712 Package: Qemu Score: 2.0 (Low) Description: Integer overflow in the VGA module in QEMU allows local guest OS users to cause a denial of service (out-of-bounds read and QEMU process crash) by editing VGA registers in VBE mode. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3712 CVE-2016-3710 Package: Qemu Score: 7.0 (High) Description: The VGA module in QEMU improperly performs bounds checking on banked access to video memory, which allows local guest OS administrators to execute arbitrary code on the host by changing access modes after setting the bank register, aka the \"Dark Portal\" issue. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3710 CVE-2016-2858 Package: Qemu Score: 2.0 (Low) Description: QEMU, when built with the Pseudo Random Number Generator (PRNG) back-end support, allows local guest OS users to cause a denial of service (process crash) via an entropy request, which triggers arbitrary stack based allocation and memory corruption. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2858 CVE-2016-2857 Package: Qemu Score: 2.0 (Low) Description: The net_checksum_calculate function in net/checksum.c in QEMU allows local guest OS users to cause a denial of service (out-of-bounds heap read and crash) via the payload length in a crafted packet. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2857 CVE-2016-2775 Package: bind Score: 4.3 (Medium) Description: ISC BIND 9.x before 9.9.9-P2, 9.10.x before 9.10.4-P2, and 9.11.x before 9.11.0b2, when lwresd or the named lwres option is enabled, allows remote attackers to cause a denial of service (daemon crash) via a long request that uses the lightweight resolver protocol. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2775 CVE-2016-2391 Package: Qemu Score: 2.0 (Low) Description: The ohci_bus_start function in the USB OHCI emulation support (hw/usb/hcd-ohci.c) in QEMU allows local guest OS administrators to cause a denial of service (NULL pointer dereference and QEMU process crash) via vectors related to multiple eof_timers. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2391 CVE-2016-2381 Package: Perl Score: 5.0 (Medium) Description: Perl might allow context-dependent attackers to bypass the taint protection mechanism in a child process via duplicate environment variables in envp. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2381 CVE-2016-2183 Package: OpenSSL Score: 5.0 (Medium) Description: The DES and Triple DES ciphers, as used in the TLS, SSH, and IPSec protocols and other protocols and products, have a birthday bound of approximately four billion blocks, which makes it easier for remote attackers to obtain cleartext data via a birthday attack against a long-duration encrypted session, as demonstrated by an HTTPS session using Triple DES in CBC mode, aka a "Sweet32" attack. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2183 CVE-2016-2147 Package: busybox Score: 5.0 (Medium) Description: Integer overflow in the DHCP client (udhcpc) in BusyBox before 1.25.0 allows remote attackers to cause a denial of service (crash) via a malformed RFC1035-encoded domain name, which triggers an out-of-bounds heap write. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2147 CVE-2016-1568 Package: Qemu Score: 9.0 (High) Description: Use-after-free vulnerability in hw/ide/ahci.c in QEMU, when built with IDE AHCI Emulation support, allows guest OS users to cause a denial of service (instance crash) or possibly execute arbitrary code via an invalid AHCI Native Command Queuing (NCQ) AIO command. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1568 CVE-2016-1238 Package: Qemu Score: 7.0 (High) Description: (1) cpan/Archive-Tar/bin/ptar, (2) cpan/Archive-Tar/bin/ptardiff, (3) cpan/Archive-Tar/bin/ptargrep, (4) cpan/CPAN/scripts/cpan, (5) cpan/Digest-SHA/shasum, (6) cpan/Encode/bin/enc2xs, (7) cpan/Encode/bin/encguess, (8) cpan/Encode/bin/piconv, (9) cpan/Encode/bin/ucmlint, (10) cpan/Encode/bin/unidump, (11) cpan/ExtUtils-MakeMaker/bin/instmodsh, (12) cpan/IO-Compress/bin/zipdetails, (13) cpan/JSON-PP/bin/json_pp, (14) cpan/Test-Harness/bin/prove, (15) dist/ExtUtils-ParseXS/lib/ExtUtils/xsubpp, (16) dist/Module-CoreList/corelist, (17) ext/Pod-Html/bin/pod2html, (18) utils/c2ph.PL, (19) utils/h2ph.PL, (20) utils/h2xs.PL, (21) utils/libnetcfg.PL, (22) utils/perlbug.PL, (23) utils/perldoc.PL, (24) utils/perlivp.PL, and (25) utils/splain.PL in Perl 5.x before 5.22.3-RC2 and 5.24 before 5.24.1-RC2 do not properly remove . (period) characters from the end of the includes directory array, which might allow local users to gain privileges via a Trojan horse module under the current working directory. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1238 CVE-2016-10229 Package: kernel Score: 10.0 (High) Description: udp.c in the Linux kernel before 4.5 allows remote attackers to execute arbitrary code via UDP traffic that triggers an unsafe second checksum calculation during execution of a recv system call with the MSG_PEEK flag. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10229 CVE-2016-10208 Package: Kernel Score: 5.0 (Medium) Description: The ext4_fill_super function in fs/ext4/super.c in the Linux kernel through 4.9.8 does not properly validate meta block groups, which allows physically proximate attackers to cause a denial of service (out-of-bounds read and system crash) via a crafted ext4 image. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10208 CVE-2016-10154 Package: Kernel Score: 5.0 (Medium) Description: The smbhash function in fs/cifs/smbencrypt.c in the Linux kernel 4.9.x before 4.9.1 interacts incorrectly with the CONFIG_VMAP_STACK option, which allows local users to cause a denial of service (system crash or memory corruption) or possibly have unspecified other impact by leveraging use of more than one virtual page for a scatterlist. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10154 CVE-2016-10150 Package: KVM Score: 10.0 (High) Description: Use-after-free vulnerability in the kvm_ioctl_create_device function in virt/kvm/kvm_main.c in the Linux kernel before 4.8.13 allows host OS users to cause a denial of service (host OS crash) or possibly gain privileges via crafted ioctl calls on the /dev/kvm device. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10150 CVE-2016-10147 Package: Kernel Score: 5.0 (Medium) Description: crypto/mcryptd.c in the Linux kernel before 4.8.15 allows local users to cause a denial of service (NULL pointer dereference and system crash) by using an AF_ALG socket with an incompatible algorithm, as demonstrated by mcryptd(md5). Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10147 CVE-2016-10124 Package: LXC Score: 5.0 (Medium) Description: An issue was discovered in Linux Containers (LXC) before 2016-02-22. When executing a program via lxc-attach, the nonpriv session can escape to the parent session by using the TIOCSTI ioctl to push characters into the terminal's input buffer, allowing an attacker to escape the container. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10124 CVE-2016-10087 Package: Libpng Score: 5.0 (Medium) Description: The png_set_text_2 function in libpng 0.71 before 1.0.67, 1.2.x before 1.2.57, 1.4.x before 1.4.20, 1.5.x before 1.5.28, and 1.6.x before 1.6.27 allows context-dependent attackers to cause a NULL pointer dereference vectors involving loading a text chunk into a png structure, removing the text, and then adding another text chunk to the structure. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10087 CVE-2016-10044 Package: Kernel Score: 7.0 (High) Description: The aio_mount function in fs/aio.c in the Linux kernel before 4.7.7 does not properly restrict execute access, which makes it easier for local users to bypass intended SELinux W^X policy restrictions, and consequently gain privileges, via an io_setup system call. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10044 CVE-2016-10029 Package: Qemu Score: 2.0 (Low) Description: The virtio_gpu_set_scanout function in QEMU (aka Quick Emulator) built with Virtio GPU Device emulator support allows local guest OS users to cause a denial of service (out-of-bounds read and process crash) via a scanout id in a VIRTIO_GPU_CMD_SET_SCANOUT command larger than num_scanouts. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10029 CVE-2016-0800 Package: OpenSSL Score: 4.3 (Medium) Description: The SSLv2 protocol, as used in OpenSSL before 1.0.1s and 1.0.2 before 1.0.2g and other products, requires a server to send a ServerVerify message before establishing that a client possesses certain plaintext RSA data, which makes it easier for remote attackers to decrypt TLS ciphertext data by leveraging a Bleichenbacher RSA padding oracle, aka a "DROWN" attack. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0800 CVE-2016-0718 Package: expat Score: 7.5 (High) Description: Expat allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code via a malformed input document, which triggers a buffer overflow. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0718 CVE-2016-0634 Package: bash Score: 5.0 (Medium) Description: A vulnerability was found in a way bash expands the $HOSTNAME. Injecting the hostname with malicious code would cause it to run each time bash expanded \h in the prompt string. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0634 CVE-2015-8666 Package: Qemu Score: 1.9 (Low) Description: Heap-based buffer overflow in QEMU, when built with the Q35-chipset-based PC system emulator. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8666 CVE-2015-8613 Package: Qemu Score: 1.9 (Low) Description: Stack-based buffer overflow in the megasas_ctrl_get_info function in QEMU, when built with SCSI MegaRAID SAS HBA emulation support, allows local guest users to cause a denial of service (QEMU instance crash) via a crafted SCSI controller CTRL_GET_INFO command. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8613 CVE-2015-8568 Package: Qemu Score: 4.7 (Medium) Description: Memory leak in QEMU, when built with a VMWARE VMXNET3 paravirtual NIC emulator support, allows local guest users to cause a denial of service (host memory consumption) by trying to activate the vmxnet3 device repeatedly. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8568 CVE-2015-8567 Package: Qemu Score: 6.8 (Medium) Description: Memory leak in net/vmxnet3.c in QEMU allows remote attackers to cause a denial of service (memory consumption). Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8567 CVE-2015-8558 Package: Qemu Score: 5.0 (Medium) Description: The ehci_process_itd function in hw/usb/hcd-ehci.c in QEMU allows local guest OS administrators to cause a denial of service (infinite loop and CPU consumption) via a circular isochronous transfer descriptor (iTD) list. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8558 CVE-2015-7512 Package: Qemu Score: 7.0 (High) Description: Buffer overflow in the pcnet_receive function in hw/net/pcnet.c in QEMU, when a guest NIC has a larger MTU, allows remote attackers to cause a denial of service (guest OS crash) or execute arbitrary code via a large packet. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7512 CVE-2015-7295 Package: Qemu Score: 5.0 (Medium) Description: hw/virtio/virtio.c in the Virtual Network Device (virtio-net) support in QEMU, when big or mergeable receive buffers are not supported, allows remote attackers to cause a denial of service (guest network consumption) via a flood of jumbo frames on the (1) tuntap or (2) macvtap interface. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7295 CVE-2015-6855 Package: Qemu Score: 10.0 (High) Description: hw/ide/core.c in QEMU does not properly restrict the commands accepted by an ATAPI device, which allows guest users to cause a denial of service or possibly have unspecified other impact via certain IDE commands, as demonstrated by a WIN_READ_NATIVE_MAX command to an empty drive, which triggers a divide-by-zero error and instance crash. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6855 CVE-2015-5224 Package: util-linux Score: 7.5 (High) Description: The mkostemp function in login-utils in util-linux when used incorrectly allows remote attackers to cause file name collision and possibly other attacks. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5224 CVE-2015-5158 Package: Qemu Score: 4.0 (Medium) Description: Stack-based buffer overflow in hw/scsi/scsi-bus.c in QEMU, when built with SCSI-device emulation support, allows guest OS users with CAP_SYS_RAWIO permissions to cause a denial of service (instance crash) via an invalid opcode in a SCSI command descriptor block. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5158 CVE-2015-4106 Package: Qemu Score: 7.0 (High) Description: QEMU does not properly restrict write access to the PCI config space for certain PCI pass-through devices, which might allow local x86 HVM guests to gain privileges, cause a denial of service (host crash), obtain sensitive information, or possibly have other unspecified impact via unknown vectors. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4106 CVE-2015-3209 Package: Qemu Score: 8.0 (High) Description: Heap-based buffer overflow in the PCNET controller in QEMU allows remote attackers to execute arbitrary code by sending a packet with TXSTATUS_STARTPACKET set and then a crafted packet with TXSTATUS_DEVICEOWNS set. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3209 CVE-2015-1779 Package: Qemu Score: 8.0 (High) Description: The VNC websocket frame decoder in QEMU allows remote attackers to cause a denial of service (memory and CPU consumption) via a large (1) websocket payload or (2) HTTP headers section. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1779 CVE-2014-9365 Package: python Score: 5.8 (Medium) Description: The HTTP clients in the (1) httplib, (2) urllib, (3) urllib2, and (4) xmlrpclib libraries in CPython (aka Python) 2.x before 2.7.9 and 3.x before 3.4.3, when accessing an HTTPS URL, do not (a) check the certificate against a trust store or verify that the server hostname matches a domain name in the subject's (b) Common Name or (c) subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9365 CVE-2014-7840 Package: Qemu Score: 8.0 (High) Description: The host_from_stream_offset function in arch_init.c in QEMU, when loading RAM during migration, allows remote attackers to execute arbitrary code via a crafted (1) offset or (2) length value in savevm data. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7840 CVE-2014-5388 Package: Qemu Score: 5.0 (Medium) Description: Off-by-one error in the pci_read function in the ACPI PCI hotplug interface (hw/acpi/pcihp.c) in QEMU allows local guest users to obtain sensitive information and have other unspecified impact related to a crafted PCI device that triggers memory corruption. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5388 CVE-2014-3615 Package: Qemu Score: 2.0 (Low) Description: The VGA emulator in QEMU allows local guest users to read host memory by setting the display to a high resolution. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3615 CVE-2009-0590 Package: OpenSSL Score: 5.0 (Medium) Description: The ASN1_STRING_print_ex function in OpenSSL before 0.9.8k allows remote attackers to cause a denial of service (invalid memory access and application crash) via vectors that trigger printing of a (1) BMPString or (2) UniversalString with an invalid encoded length. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0590