Hi,
Yes, I think I did submit it to upstream.
I don't have a particular patch, but I believe it is trivial to add a
check for the overflow.
Thanks,
Sang Kil
On Sat, Nov 30, 2013 at 3:40 AM, Charles Plessy wrote:
> On Sun, Nov 10, 2013 at 09:20:08PM -0500, Sang Kil Cha wrote:
>
to the public BTS as well. So if
you think this program is not on the attack surface, then please
ignore the report.
Thanks,
Sang Kil
On Mon, Nov 11, 2013 at 4:21 AM, Steinar H. Gunderson
wrote:
> On Sun, Nov 10, 2013 at 09:19:30PM -0500, Sang Kil Cha wrote:
>> Package: pvm-dev
>>
I concur. We thought they were different bugs, but it was our mistake.
On Mon, Nov 11, 2013 at 9:02 AM, Steinar H. Gunderson
wrote:
> On Mon, Nov 11, 2013 at 08:54:02AM -0500, Sang Kil Cha wrote:
>> I was running a tool called Mayhem on linux binaries to find vulnerabilities.
>>
Package: trueprint
Version: 5.3-4
Severity: grave
Tags: security
Justification: user security hole
trueprint has a buffer overflow vulnerability. A PoC file is attached.
$ /usr/bin/trueprint foo
Program received signal SIGSEGV, Segmentation fault.
0xbf81 in ?? ()
(gdb)
-- System Informat
Package: staden-io-lib-utils
Version: 1.12.4-1
Severity: grave
Tags: security
Justification: user security hole
index_tar has a buffer overflow vulnerability. A PoC file is attached.
$ gdb --args /usr/bin/index_tar foo
Program received signal SIGSEGV, Segmentation
0x41414141 in ?? ()
(gdb)
-
Package: pvm-dev
Version: 3.4.5-12.5
Severity: grave
Tags: security
Justification: user security hole
trcsort has a buffer overflow vulnerability. A PoC file is attached.
Command line to reproduce the bug:
$ /usr/bin/trcsort foo
-- System Information:
Debian Release: 7.1
APT prefers stable
Package: mpeg3-utils
Version: 1.5.4-5
Severity: grave
Tags: security
Justification: user security hole
mpeg3cat has a buffer overflow vulnerability. A PoC file is attached.
gdb --args /usr/bin/mpeg3cat foo.mp3
Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
(gdb)
--
Package: binutils-h8300-hms
Version: 2.16.1-8
Severity: grave
Tags: security
Justification: user security hole
h8300-hitachi-coff-size has a buffer overflow vulnerability. A PoC file is
attached.
$ gdb --args /usr/bin/h8300-hitachi-coff-size foo
Program received signal SIGSEGV, Segmentation faul
Package: graphviz
Version: 2.26.3-14
Severity: grave
Tags: security
Justification: user security hole
dijkstra (also nop) has a buffer overflow vulnerability. A PoC file is
attached.
command line to reproduce:
$ /usr/bin/dijkstra a < foo
or
$ /usr/bin/nop foo
Program received signal SIGSEGV, S
Package: imview
Version: 1.1.9c-9
Severity: grave
Tags: security
imview has a stack smashing vulnerability when parsing ics header @
io/readics.cxx:320
/* get the filename from the ICS file */
t = temp1;
while (*bp != delim2)
*t++ = *bp++;
This bug
Package: latd
Version: 1.30
Severity: critical
Tags: security
-- System Information:
Debian Release: 7.0
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTY
Package: tar
Version: 1.26-4
Severity: important
tar has a null pointer dereference bug with option (-T) if a file starts with a
null byte character.
echo -en "\x00" > foo
tar -T foo
The above commands will segfault tar.
-- System Information:
Debian Release: wheezy/sid
APT prefers test
Package: binutils
Version: 2.22-6.1
Severity: normal
Tags: patch
There is a null dereference bug in srec_scan (srec.c) around Line 480 -- 615.
This bug causes any binutils (nm, objdump, objcopy, etc.) to crash.
If Line 480 evaluates to 0, then the buf pointer will be used later as a NULL
poin
Package: alsaplayer-common
Version: 0.99.80-5.1
Severity: normal
Tags: patch
alsaplayer is segfaulting because of the wrong option string in getopt.
Here is the patch for the bug:
--- Main.cpp.orig 2012-07-09 12:06:56.0 -0400
+++ Main.cpp.patched2012-07-09 12:07:14.0 -0
Package: freeradius
Version: 2.1.10
Severity: important
Tags: squeeze sid
There is a buffer overflow bug in the radmin program in
freeradius-server (radmin), in the conffile.c file.
In function cf_expand_variables, there is a getenv call, and the
env value is copied to a buffer without checking the lengt
15 matches