Computer Security


SQLite multiple security vulnerabilities
updated since 16.04.2015
Published:05.05.2015
Source:
SecurityVulns ID:14389
Type:library
Threat Level:
6/10
Description:Over 20 errors, including uninitialized memory access.
Affected:SQLITE : SQLite 3.8
CVE:CVE-2015-3416 (The sqlite3VXPrintf function in printf.c in SQLite before 3.8.9 does not properly handle precision and width values during floating-point conversions, which allows context-dependent attackers to cause a denial of service (integer overflow and stack-based buffer overflow) or possibly have unspecified other impact via large integers in a crafted printf function call in a SELECT statement.)
 CVE-2015-3415 (The sqlite3VdbeExec function in vdbe.c in SQLite before 3.8.9 does not properly implement comparison operators, which allows context-dependent attackers to cause a denial of service (invalid free operation) or possibly have unspecified other impact via a crafted CHECK clause, as demonstrated by CHECK(0&O>O) in a CREATE TABLE statement.)
 CVE-2015-3414 (SQLite before 3.8.9 does not properly implement the dequoting of collation-sequence names, which allows context-dependent attackers to cause a denial of service (uninitialized memory access and application crash) or possibly have unspecified other impact via a crafted COLLATE clause, as demonstrated by COLLATE"""""""" at the end of a SELECT statement.)
Original document: MANDRIVA, [ MDVSA-2015:217 ] sqlite3 (05.05.2015)
 Michal Zalewski, several issues in SQLite (+ catching up on several other bugs) (16.04.2015)

dnsmasq uninitialized memory dereference
updated since 04.05.2015
Published:05.05.2015
Source:
SecurityVulns ID:14423
Type:remote
Threat Level:
5/10
Description:Uninitialized memory dereference (out-of-bounds read) while parsing a DNS request over TCP.
Affected:DNSMASQ : dnsmasq 2.73
CVE:CVE-2015-3294 (The tcp_request function in Dnsmasq before 2.73rc4 does not properly handle the return value of the setup_reply function, which allows remote attackers to read process memory and cause a denial of service (out-of-bounds read and crash) via a malformed DNS request.)
Original document: n.sampanis_(at)_obrela.com, Dnsmasq 2.72 Unchecked returned value (05.05.2015)
 UBUNTU, [USN-2593-1] Dnsmasq vulnerability (04.05.2015)

GNU glibc security vulnerabilities
Published:05.05.2015
Source:
SecurityVulns ID:14431
Type:library
Threat Level:
9/10
Description:gethostbyname_r() buffer overflow, getaddrinfo() race conditions.
Affected:GNU : glibc 2.19
CVE:CVE-2015-1781 (Buffer overflow in the gethostbyname_r and other unspecified NSS functions in the GNU C Library (aka glibc or libc6) before 2.22 allows context-dependent attackers to cause a denial of service (crash) or execute arbitrary code via a crafted DNS response, which triggers a call with a misaligned buffer.)
 CVE-2013-7423 (The send_dg function in resolv/res_send.c in GNU C Library (aka glibc or libc6) before 2.20 does not properly reuse file descriptors, which allows remote attackers to send DNS queries to unintended locations via a large number of request that trigger a call to the getaddrinfo function.)
Original document: MANDRIVA, [ MDVSA-2015:218 ] glibc (05.05.2015)

HUAWEI MobiConnect weak permissions
Published:05.05.2015
Source:
SecurityVulns ID:14432
Type:local
Threat Level:
5/10
Description:Weak permissions for executable files.
Affected:HUAWEI : HUAWEI MobiConnect 23.9
Original document: Vulnerability Lab, HUAWEI MobiConnect 23.9.17.216 - Privilege Escalation Vulnerability (05.05.2015)

owncloud multiple security vulnerabilities
Published:05.05.2015
Source:
SecurityVulns ID:14433
Type:remote
Threat Level:
5/10
Description:CSRF, XSS, file blacklist bypass, authentication bypass in the LDAP and FTP user backends.
Affected:OWNCLOUD : owncloud 7.0
CVE:CVE-2015-3013 (ownCloud Server before 5.0.19, 6.x before 6.0.7, and 7.x before 7.0.5 allows remote authenticated users to bypass the file blacklist and upload arbitrary files via a file path with UTF-8 encoding, as demonstrated by uploading a .htaccess file.)
 CVE-2015-3012 (Multiple cross-site scripting (XSS) vulnerabilities in WebODF before 0.5.5, as used in ownCloud, allow remote attackers to inject arbitrary web script or HTML via a (1) style or (2) font name or (3) javascript or (4) data URI.)
 CVE-2015-3011 (Multiple cross-site scripting (XSS) vulnerabilities in the contacts application in ownCloud Server Community Edition before 5.0.19, 6.x before 6.0.7, and 7.x before 7.0.5 allow remote authenticated users to inject arbitrary web script or HTML via a crafted contact.)
 CVE-2014-9045 (The FTP backend in user_external in ownCloud Server before 5.0.18 and 6.x before 6.0.6 allows remote attackers to bypass intended authentication requirements via a crafted password.)
 CVE-2014-9043 (The user_ldap (aka LDAP user and group backend) application in ownCloud before 5.0.18, 6.x before 6.0.6, and 7.x before 7.0.3 allows remote attackers to bypass authentication via a null byte in the password and a valid user name, which triggers an unauthenticated bind.)
 CVE-2014-9042 (Cross-site scripting (XSS) vulnerability in the import functionality in the bookmarks application in ownCloud before 5.0.18, 6.x before 6.0.6, and 7.x before 7.0.3 allows remote authenticated users to inject arbitrary web script or HTML by importing a link with an unspecified protocol. NOTE: this can be leveraged by remote attackers using CVE-2014-9041.)
 CVE-2014-9041 (The import functionality in the bookmarks application in ownCloud server before 5.0.18, 6.x before 6.0.6, and 7.x before 7.0.3 does not validate CSRF tokens, which allow remote attackers to conduct CSRF attacks.)
Original document: DEBIAN, [SECURITY] [DSA 3244-1] owncloud security update (05.05.2015)
 MANDRIVA, [ MDVSA-2015:191 ] owncloud (05.05.2015)
 MANDRIVA, [ MDVSA-2015:190 ] owncloud (05.05.2015)
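The null-byte bind described under CVE-2014-9043, as an added example (not ownCloud's code): a Python model of an LDAP Simple Bind in which the client hands the password to a C-string API, so everything after the first NUL is dropped and the server receives a zero-length password, which RFC 4513 section 5.1 treats as an unauthenticated bind. The directory contents, the DN and the hardened_login wrapper are constructed for the illustration; the point is that the guard has to run before the bind request is built.

```python
# Added example, not ownCloud code: why a NUL byte in a password can turn a
# Simple Bind into an unauthenticated bind, and the guard that closes it.

# Constructed directory for the illustration: DN -> password.
DIRECTORY = {"uid=alice,ou=people,dc=example,dc=org": "correct horse battery"}


def c_string(s: str) -> str:
    """Emulate handing the password to a C API: the string ends at the first NUL."""
    nul = s.find("\x00")
    return s if nul < 0 else s[:nul]


def ldap_simple_bind(dn: str, password: str) -> bool:
    """Model of a server's Simple Bind (RFC 4513 section 5.1).

    A non-empty name with a zero-length password is an *unauthenticated* bind.
    Servers are told to reject it by default, but many deployments allow it, and
    the result is a successful Bind response that proved nothing about the user.
    """
    if dn and password == "":
        return True
    return DIRECTORY.get(dn) == password


def vulnerable_login(dn: str, password: str) -> bool:
    """Passes whatever the user typed straight to the C-string bind."""
    return ldap_simple_bind(dn, c_string(password))


def hardened_login(dn: str, password: str) -> bool:
    """Refuse empty passwords and embedded NULs *before* the bind is attempted,
    so the server never sees a request it could interpret as unauthenticated."""
    if not dn or not password or "\x00" in password:
        return False
    return ldap_simple_bind(dn, c_string(password))


if __name__ == "__main__":
    dn = "uid=alice,ou=people,dc=example,dc=org"
    print("vulnerable, NUL password :", vulnerable_login(dn, "\x00garbage"))
    print("hardened,   NUL password :", hardened_login(dn, "\x00garbage"))
    print("hardened,   real password:", hardened_login(dn, "correct horse battery"))
```

The same pre-check belongs in front of any bind done through PHP's ldap_bind() or another C-backed client: the server-side "disallow unauthenticated bind" setting is a second line of defence, not a substitute, because the application cannot assume every directory it talks to has it enabled.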

libphp-snoopy code execution
Published:05.05.2015
Source:
SecurityVulns ID:14434
Type:library
Threat Level:
6/10
Affected:SNOOPY : libphp-snoopy 2.0
CVE:CVE-2014-5008
Original document: DEBIAN, [SECURITY] [DSA 3248-1] libphp-snoopy security update (05.05.2015)

Elasticsearch directory traversal
Published:05.05.2015
Source:
SecurityVulns ID:14437
Type:remote
Threat Level:
6/10
Description:Directory traversal via requests to /_plugin when a site plugin is installed.
Affected:ELASTIC : Elasticsearch 1.5
CVE:CVE-2015-3337 (Directory traversal vulnerability in Elasticsearch before 1.4.5 and 1.5.x before 1.5.2, when a site plugin is enabled, allows remote attackers to read arbitrary files via unspecified vectors.)
Original document: Kevin Kluge, Elasticsearch vulnerability CVE-2015-3337 (05.05.2015)
 DEBIAN, [SECURITY] [DSA 3241-1] elasticsearch security update (05.05.2015)
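A path-confinement check of the kind that stops the traversal in CVE-2015-3337, as an added example (not Elasticsearch's code): it maps the part of a /_plugin/<name>/... URL below the plugin root to a filesystem path, decoding percent-escapes exactly once, refusing any ".." segment or NUL byte, and finally confirming that the resolved real path still lies under the root. The plugin root directory used in the usage is an assumption.

```python
# Added example, not Elasticsearch code: confine a site-plugin request path
# to the plugin directory.
import os
from urllib.parse import unquote


def resolve_plugin_path(plugin_root: str, request_path: str):
    """Return the filesystem path for request_path (the part of the URL after
    /_plugin/), or None if it would escape plugin_root."""
    decoded = unquote(request_path)            # decode exactly once
    if "\x00" in decoded:                      # NUL would truncate a C path
        return None
    # Treat backslash as a separator too, so "..\\.." cannot slip past the check.
    segments = [s for s in decoded.replace("\\", "/").split("/") if s not in ("", ".")]
    if any(s == ".." for s in segments):
        return None
    root = os.path.realpath(plugin_root)
    candidate = os.path.realpath(os.path.join(root, *segments)) if segments else root
    # realpath() follows symlinks, so a link inside the tree that points outside
    # is caught by the prefix comparison as well.
    if candidate != root and not candidate.startswith(root + os.sep):
        return None
    return candidate


def is_confined(plugin_root: str, request_path: str) -> bool:
    """True if the request resolves to a path inside plugin_root."""
    return resolve_plugin_path(plugin_root, request_path) is not None


if __name__ == "__main__":
    root = "/srv/es/plugins"   # assumed plugin directory
    for req in ("head/index.html", "head/../../../etc/passwd",
                "head/%2e%2e/%2e%2e/etc/passwd", "head\\..\\..\\etc\\passwd"):
        print(f"{req!r:40} -> {resolve_plugin_path(root, req)}")
```

Decoding once matters: a second unquote() pass would turn a literal "%252e%252e" segment into "..", which is how double-decoding bypasses reappear. The realpath comparison is the backstop for anything the lexical checks miss; it is not a replacement for them, because a "..\" that the filesystem happens to tolerate is still a signal worth rejecting outright.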

icecast DoS
Published:05.05.2015
Source:
SecurityVulns ID:14438
Type:remote
Threat Level:
5/10
Description:NULL pointer dereference on authentication by URL.
Affected:ICECAST : icecast 2.4
CVE:CVE-2015-3026 (Icecast before 2.4.2, when a stream_auth handler is defined for URL authentication, allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via a request without login credentials, as demonstrated by a request to "admin/killsource?mount=/test.ogg.")
Original document: DEBIAN, [SECURITY] [DSA 3239-1] icecast2 security update (05.05.2015)

glusterfs DoS
Published:05.05.2015
Source:
SecurityVulns ID:14439
Type:local
Threat Level:
4/10
Description:Infinite loop in the socket protocol state machine on a zero fragment header.
Affected:GLUSTERFS : GlusterFS 3.5
CVE:CVE-2014-3619 (The __socket_proto_state_machine function in GlusterFS 3.5 allows remote attackers to cause a denial of service (infinite loop) via a "00000000" fragment header.)
Original document: MANDRIVA, [ MDVSA-2015:211 ] glusterfs (05.05.2015)
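The fragment framing behind CVE-2014-3619, as an added example (not GlusterFS code): GlusterFS carries its RPC over TCP with RFC 5531 record marking, a 4-byte header whose top bit flags the last fragment and whose low 31 bits give the fragment length. A header of all zeroes announces a non-final fragment of zero bytes; a state machine that then waits for "the rest of the fragment" has nothing to consume and never advances. The reader below treats that header, an oversized fragment and a truncated body as framing errors instead. The 1 MiB per-fragment cap is an assumption.

```python
# Added example, not GlusterFS code: RFC 5531 record-marking reader that
# refuses the zero-length non-final fragment instead of spinning on it.
import struct

MAX_FRAGMENT = 1 << 20          # assumed per-fragment cap for the illustration
LAST_FRAGMENT = 0x80000000      # top bit of the 4-byte record-marking header


class FramingError(ValueError):
    pass


def read_record(stream: bytes):
    """Reassemble one RPC record from the front of `stream`.
    Returns (record_bytes, bytes_consumed)."""
    pos, record = 0, bytearray()
    while True:
        if len(stream) - pos < 4:
            raise FramingError("truncated fragment header")
        (hdr,) = struct.unpack("!I", stream[pos:pos + 4])
        pos += 4
        last, size = bool(hdr & LAST_FRAGMENT), hdr & (LAST_FRAGMENT - 1)
        if size == 0 and not last:
            # The "00000000" header: nothing to read, yet more is promised.
            # Waiting for it makes no progress; reject it rather than loop.
            raise FramingError("zero-length non-final fragment")
        if size > MAX_FRAGMENT:
            raise FramingError("fragment exceeds cap")
        if len(stream) - pos < size:
            raise FramingError("truncated fragment body")
        record += stream[pos:pos + size]
        pos += size
        if last:
            return bytes(record), pos


def frame(payload: bytes, chunk: int) -> bytes:
    """Split payload into fragments of `chunk` bytes with proper record marking
    (the honest sender's side of the protocol)."""
    pieces = [payload[i:i + chunk] for i in range(0, len(payload), chunk)] or [b""]
    out = b""
    for i, p in enumerate(pieces):
        flag = LAST_FRAGMENT if i == len(pieces) - 1 else 0
        out += struct.pack("!I", flag | len(p)) + p
    return out


def is_well_framed(stream: bytes) -> bool:
    try:
        read_record(stream)
        return True
    except FramingError:
        return False


if __name__ == "__main__":
    print(read_record(frame(b"hello world", 4)))
    print(is_well_framed(b"\x00\x00\x00\x00" + b"\x80\x00\x00\x01x"))
```

A zero-length *final* fragment is a legal empty record and is accepted; only the combination "no data, not last" is rejected. In a real socket loop the same rule applies at the state transition: a header that leaves the expected body size at zero must move the machine to an error state, not back to "read body".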

automount privilege escalation
Published:05.05.2015
Source:
SecurityVulns ID:14440
Type:local
Threat Level:
4/10
Description:Environment variables (USER, HOME) of the calling user are passed through to a program map that runs as a different user.
Affected:AUTOMOUNT : automount 5.0
CVE:CVE-2014-8169 (automount 5.0.8, when a program map uses certain interpreted languages, uses the calling user's USER and HOME environment variable values instead of the values for the user used to run the mapped program, which allows local users to gain privileges via a Trojan horse program in the user home directory.)
Original document: UBUNTU, [USN-2579-1] autofs vulnerability (05.05.2015)

LibreOffice memory corruption
Published:05.05.2015
Source:
SecurityVulns ID:14441
Type:local
Threat Level:
5/10
Description:Memory corruption on HWP documents parsing.
Affected:LIBREOFFICE : LibreOffice 4.4
 LIBREOFFICE : OpenOffice 4.1
CVE:CVE-2015-1774 (The HWP filter in LibreOffice before 4.3.7 and 4.4.x before 4.4.2 and Apache OpenOffice before 4.1.2 allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted HWP document, which triggers an out-of-bounds write.)
Original document: UBUNTU, [USN-2578-1] LibreOffice vulnerabilities (05.05.2015)

PHP security vulnerabilities
Published:05.05.2015
Source:
SecurityVulns ID:14443
Type:library
Threat Level:
5/10
Description:apache2handler code execution, memory corruption on archives parsing.
Affected:PHP : PHP 5.5
CVE:CVE-2015-3330 (The php_handler function in sapi/apache2handler/sapi_apache2.c in PHP before 5.4.40, 5.5.x before 5.5.24, and 5.6.x before 5.6.8, when the Apache HTTP Server 2.4.x is used, allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via pipelined HTTP requests that result in a "deconfigured interpreter.")
 CVE-2015-3329 (Multiple stack-based buffer overflows in the phar_set_inode function in phar_internal.h in PHP before 5.4.40, 5.5.x before 5.5.24, and 5.6.x before 5.6.8 allow remote attackers to execute arbitrary code via a crafted length value in a (1) tar, (2) phar, or (3) ZIP archive.)
 CVE-2015-2783 (ext/phar/phar.c in PHP before 5.4.40, 5.5.x before 5.5.24, and 5.6.x before 5.6.8 allows remote attackers to obtain sensitive information from process memory or cause a denial of service (buffer over-read and application crash) via a crafted length value in conjunction with crafted serialized data in a phar archive, related to the phar_parse_metadata and phar_parse_pharfile functions.)
Original document: MANDRIVA, [ MDVSA-2015:209 ] php (05.05.2015)

librsync weak hash function
Published:05.05.2015
Source:
SecurityVulns ID:14445
Type:library
Threat Level:
4/10
Description:Weak hash function is used.
Affected:LIBRSYNC : librsync 1.0
CVE:CVE-2014-8242
Original document: MANDRIVA, [ MDVSA-2015:204 ] librsync (05.05.2015)

usb-creator privilege escalation
Published:05.05.2015
Source:
SecurityVulns ID:14447
Type:local
Threat Level:
5/10
Original document: UBUNTU, [USN-2576-1] usb-creator vulnerability (05.05.2015)

OpenFire certificate validation vulnerability
Published:05.05.2015
Source:
SecurityVulns ID:14448
Type:m-i-t-m
Threat Level:
5/10
Affected:OPENFIRE : OpenFire 3.9
CVE:CVE-2014-3451
Original document: simon.waters_(at)_surevine.com, Incorrect handling of self signed certificates in OpenFire XMPP Server (05.05.2015)

qt multiple security vulnerabilities
Published:05.05.2015
Source:
SecurityVulns ID:14449
Type:library
Threat Level:
7/10
Description:Memory corruption while parsing GIF, ICO and BMP images.
Affected:QT : qt 5.5
CVE:CVE-2015-1860 (Multiple buffer overflows in the QtBase module in Qt before 4.8.7 and 5.x before 5.4.2 allow remote attackers to cause a denial of service and possibly execute arbitrary code via a crafted GIF image.)
 CVE-2015-1859 (Multiple buffer overflows in the QtBase module in Qt before 4.8.7 and 5.x before 5.4.2 allow remote attackers to cause a denial of service and possibly execute arbitrary code via a crafted ICO image.)
 CVE-2015-1858 (Multiple buffer overflows in the QtBase module in Qt before 4.8.7 and 5.x before 5.4.2 allow remote attackers to cause a denial of service and possibly execute arbitrary code via a crafted BMP image.)
 CVE-2015-0295 (The BMP decoder in QtGui in QT before 5.5 does not properly calculate the masks used to extract the color components, which allows remote attackers to cause a denial of service (divide-by-zero and crash) via a crafted BMP file.)
Original document: SLACKWARE, [slackware-security] qt (SSA:2015-111-13) (05.05.2015)

ProFTPD unauthorized files access
Published:05.05.2015
Source:
SecurityVulns ID:14450
Type:remote
Threat Level:
5/10
Description:Unauthenticated file copy via the mod_copy SITE CPFR / SITE CPTO commands.
Affected:PROFTPD : ProFTPD 1.3
CVE:CVE-2015-3306 (The mod_copy module in ProFTPD 1.3.5 allows remote attackers to read and write to arbitrary files via the site cpfr and site cpto commands.)
Original document: SLACKWARE, [slackware-security] proftpd (SSA:2015-111-12) (05.05.2015)
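A detection pass for the mod_copy abuse in CVE-2015-3306, as an added example (not ProFTPD code): it walks an FTP control-channel transcript and flags every SITE CPFR or SITE CPTO sent before the server has issued a 230 "user logged in" reply (RFC 959), pairing each with the server's answer so that a 2xx/3xx reply (command honoured) can be told apart from a 530 "not logged in" refusal. The transcript below is constructed, not a real capture; a real one would come from a packet trace or from ProFTPD's ExtendedLog.

```python
# Added example, not ProFTPD code: flag SITE CPFR/CPTO issued before login.
import re

# Constructed transcript: "C:" is the client, "S:" the server. Not a real capture.
SAMPLE_TRANSCRIPT = """\
S: 220 ProFTPD Server ready.
C: SITE CPFR /etc/passwd
S: 350 File or directory exists, ready for destination name
C: SITE CPTO /var/www/html/pwned.txt
S: 250 Copy successful
C: USER anonymous
S: 331 Anonymous login ok, send your complete email address as your password
C: PASS guest@
S: 230 Anonymous access granted, restrictions apply
C: SITE CPFR /pub/readme.txt
S: 350 File or directory exists, ready for destination name
C: QUIT
S: 221 Goodbye.
"""

CMD_RE = re.compile(r"^C:\s*SITE\s+(CPFR|CPTO)\s+(\S.*)$", re.IGNORECASE)
REPLY_RE = re.compile(r"^S:\s*(\d{3})")


def detect_preauth_copy(transcript: str):
    """Return [(line_no, command, argument, reply_code)] for every SITE CPFR/CPTO
    sent while the session was unauthenticated (no 230 reply seen yet)."""
    lines = transcript.splitlines()
    authenticated = False
    findings = []
    for idx, line in enumerate(lines):
        reply = REPLY_RE.match(line)
        if reply:
            code = reply.group(1)
            if code == "230":          # RFC 959: user logged in, proceed
                authenticated = True
            elif code == "221":        # service closing control connection
                authenticated = False
            continue
        cmd = CMD_RE.match(line)
        if cmd and not authenticated:
            # Pair the command with the server's next reply to see if it was honoured.
            reply_code = None
            for later in lines[idx + 1:]:
                m = REPLY_RE.match(later)
                if m:
                    reply_code = m.group(1)
                    break
            findings.append((idx + 1, cmd.group(1).upper(), cmd.group(2).strip(), reply_code))
    return findings


def server_accepted(findings) -> bool:
    """True if any pre-auth copy command got a success-class (2xx/3xx) reply,
    i.e. the server behaves like unpatched 1.3.5 instead of answering 530."""
    return any(code and code[0] in "23" for _, _, _, code in findings)


if __name__ == "__main__":
    hits = detect_preauth_copy(SAMPLE_TRANSCRIPT)
    for line_no, command, argument, code in hits:
        print(f"line {line_no}: SITE {command} {argument} -> server replied {code}")
    print("server honoured pre-auth copy:", server_accepted(hits))
```

The post-login CPFR at the end of the sample is deliberately not flagged: mod_copy is a legitimate feature for authenticated users, and the finding is the unauthenticated use, not the command itself. On a patched server the same probe produces a 530 reply, which server_accepted() reports as not accepted.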

Linux kernel multiple security vulnerabilities
updated since 05.05.2015
Published:10.05.2015
Source:
SecurityVulns ID:14436
Type:library
Threat Level:
6/10
Description:DoS, privilege escalation, protection bypass.
Affected:XEN : xen 3.3
 LINUX : kernel 3.19
CVE:CVE-2015-3339 (Race condition in the prepare_binprm function in fs/exec.c in the Linux kernel before 3.19.6 allows local users to gain privileges by executing a setuid program at a time instant when a chown to root is in progress, and the ownership is changed but the setuid bit is not yet stripped.)
 CVE-2015-3332 (A certain backport in the TCP Fast Open implementation for the Linux kernel before 3.18 does not properly maintain a count value, which allow local users to cause a denial of service (system crash) via the Fast Open feature, as demonstrated by visiting the chrome://flags/#enable-tcp-fast-open URL when using certain 3.10.x through 3.16.x kernel builds, including longterm-maintenance releases and ckt (aka Canonical Kernel Team) builds.)
 CVE-2015-3331 (The __driver_rfc4106_decrypt function in arch/x86/crypto/aesni-intel_glue.c in the Linux kernel before 3.19.3 does not properly determine the memory locations used for encrypted data, which allows context-dependent attackers to cause a denial of service (buffer overflow and system crash) or possibly execute arbitrary code by triggering a crypto API call, as demonstrated by use of a libkcapi test program with an AF_ALG(aead) socket.)
 CVE-2015-2922 (The ndisc_router_discovery function in net/ipv6/ndisc.c in the Neighbor Discovery (ND) protocol implementation in the IPv6 stack in the Linux kernel before 3.19.6 allows remote attackers to reconfigure a hop-limit setting via a small hop_limit value in a Router Advertisement (RA) message.)
 CVE-2015-2830 (arch/x86/kernel/entry_64.S in the Linux kernel before 3.19.2 does not prevent the TS_COMPAT flag from reaching a user-mode task, which might allow local users to bypass the seccomp or audit protection mechanism via a crafted application that uses the (1) fork or (2) close system call, as demonstrated by an attack against seccomp before 3.16.)
 CVE-2015-2666 (Stack-based buffer overflow in the get_matching_model_microcode function in arch/x86/kernel/cpu/microcode/intel_early.c in the Linux kernel before 4.0 allows context-dependent attackers to gain privileges by constructing a crafted microcode header and leveraging root privileges for write access to the initrd.)
 CVE-2015-2150 (Xen 3.3.x through 4.5.x and the Linux kernel through 3.19.1 do not properly restrict access to PCI command registers, which might allow local guest users to cause a denial of service (non-maskable interrupt and host crash) by disabling the (1) memory or (2) I/O decoding for a PCI Express device and then accessing the device, which triggers an Unsupported Request (UR) response.)
 CVE-2014-9715 (include/net/netfilter/nf_conntrack_extend.h in the netfilter subsystem in the Linux kernel before 3.14.5 uses an insufficiently large data type for certain extension data, which allows local users to cause a denial of service (NULL pointer dereference and OOPS) via outbound network traffic that triggers extension loading, as demonstrated by configuring a PPTP tunnel in a NAT environment.)
 CVE-2014-9710 (The Btrfs implementation in the Linux kernel before 3.19 does not ensure that the visible xattr state is consistent with a requested replacement, which allows local users to bypass intended ACL settings and gain privileges via standard filesystem operations (1) during an xattr-replacement time window, related to a race condition, or (2) after an xattr-replacement attempt that fails because the data does not fit.)
Original document: UBUNTU, [USN-2597-2] Linux kernel (Trusty HWE) regression (10.05.2015)
 DEBIAN, [SECURITY] [DSA 3237-1] linux security update (05.05.2015)
 Hector Marco, AMD Bulldozer Linux ASLR weakness: Reducing entropy by 87.5% (05.05.2015)
 Hector Marco, Linux ASLR mmap weakness: Reducing entropy by half (05.05.2015)
 UBUNTU, [USN-2583-1] Linux kernel vulnerability (05.05.2015)
 UBUNTU, [USN-2590-1] Linux kernel vulnerabilities (05.05.2015)

perl-Module-Signature content spoofing
updated since 05.05.2015
Published:12.05.2015
Source:
SecurityVulns ID:14444
Type:library
Threat Level:
5/10
Description:Unsigned content can be interpreted as signed; untrusted module search path; shell command execution via a crafted SIGNATURE file.
Affected:PERL : perl-Module-Signature 0.730
CVE:CVE-2015-3409 (Untrusted search path vulnerability in Module::Signature before 0.75 allows local users to gain privileges via a Trojan horse module under the current working directory, as demonstrated by a Trojan horse Text::Diff module.)
 CVE-2015-3408 (Module::Signature before 0.74 allows remote attackers to execute arbitrary shell commands via a crafted SIGNATURE file which is not properly handled when generating checksums from a signed manifest.)
 CVE-2015-3407 (Module::Signature before 0.74 allows remote attackers to bypass signature verification for files via a signature file that does not list the files.)
 CVE-2015-3406
Original document: UBUNTU, [USN-2607-1] Module::Signature vulnerabilities (12.05.2015)
 MANDRIVA, [ MDVSA-2015:207 ] perl-Module-Signature (05.05.2015)
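The two verification checks that CVE-2015-3407 and CVE-2015-3408 turn on, as an added example (not Module::Signature's code): once the PGP layer has established that the SIGNATURE body is authentic (that step is assumed done and is omitted here), every file named in MANIFEST must appear in the signed digest list, otherwise an attacker simply leaves a modified file out of SIGNATURE and it is never checked; and the digests must be computed in-process rather than by handing file names to a shell. The "SHA1 <hex> <path>" line format follows the CPAN SIGNATURE convention; the distribution files, including one with a shell metacharacter in its name, are constructed in a temporary directory by demo().

```python
# Added example, not Module::Signature code: verify a signed digest list
# against MANIFEST without shelling out.
import hashlib
import os
import re
import tempfile

DIGEST_LINE = re.compile(r"^(SHA1|SHA256)\s+([0-9a-f]+)\s+(\S.*)$")


def parse_signed_digests(signature_body: str):
    """Map path -> (algorithm, hex digest) from the cleartext part of SIGNATURE."""
    digests = {}
    for line in signature_body.splitlines():
        m = DIGEST_LINE.match(line.strip())
        if m:
            digests[m.group(3)] = (m.group(1).lower(), m.group(2))
    return digests


def verify_distribution(dist_dir: str, manifest: str, signature_body: str):
    """Return (ok, problems). Every MANIFEST entry except SIGNATURE itself must be
    listed in the signed digest list with a matching digest."""
    digests = parse_signed_digests(signature_body)
    problems = []
    for path in manifest.split():
        if path == "SIGNATURE":
            continue
        if path not in digests:
            problems.append(f"not covered by SIGNATURE: {path}")   # CVE-2015-3407
            continue
        algo, expected = digests[path]
        # In-process hashing: the file name never reaches a shell (CVE-2015-3408).
        with open(os.path.join(dist_dir, path), "rb") as fh:
            actual = hashlib.new(algo, fh.read()).hexdigest()
        if actual != expected:
            problems.append(f"digest mismatch: {path}")
    return (not problems, problems)


def demo():
    """Build a small constructed distribution and run three cases:
    complete SIGNATURE, a file omitted from SIGNATURE, and a tampered file."""
    with tempfile.TemporaryDirectory() as d:
        manifest = "Changes\nlib/Foo.pm\nMANIFEST\nSIGNATURE\nt/x;id.t\n"
        files = {
            "Changes": b"1.00 first release\n",
            "lib/Foo.pm": b"package Foo; 1;\n",
            "MANIFEST": manifest.encode(),
            "t/x;id.t": b"ok 1\n",          # metacharacter in the name: harmless here
        }
        for name, data in files.items():
            full_path = os.path.join(d, name)
            os.makedirs(os.path.dirname(full_path), exist_ok=True)
            with open(full_path, "wb") as fh:
                fh.write(data)
        complete = "\n".join(f"SHA1 {hashlib.sha1(data).hexdigest()} {name}"
                             for name, data in files.items())
        omitted = "\n".join(l for l in complete.splitlines() if not l.endswith(" lib/Foo.pm"))
        results = {
            "complete": verify_distribution(d, manifest, complete)[0],
            "file_omitted": verify_distribution(d, manifest, omitted)[0],
        }
        with open(os.path.join(d, "lib", "Foo.pm"), "ab") as fh:
            fh.write(b"system('id');\n")
        results["tampered"] = verify_distribution(d, manifest, complete)[0]
        return results


if __name__ == "__main__":
    print(demo())
```

The "file omitted" case is the one the signature check alone cannot catch: the SIGNATURE body is perfectly valid and every digest in it matches, so the verifier has to start from MANIFEST and ask what is missing, not start from SIGNATURE and ask what is wrong.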

libvirt / qemu security vulnerabilities
updated since 05.05.2015
Published:17.05.2015
Source:
SecurityVulns ID:14442
Type:local
Threat Level:
6/10
Description:Guest-triggered host crash via PCI command registers and via the IDE/AHCI Physical Region Descriptor Table (PRDT) handling; out-of-bounds write and possible code execution in the floppy disk controller (VENOM).
Affected:QEMU : qemu 2.1
 QEMU : qemu 1.6
CVE:CVE-2015-3456 (The Floppy Disk Controller (FDC) in QEMU, as used in Xen 4.5.x and earlier and KVM, allows local guest users to cause a denial of service (out-of-bounds write and guest crash) or possibly execute arbitrary code via the (1) FD_CMD_READ_ID, (2) FD_CMD_DRIVE_SPECIFICATION_COMMAND, or other unspecified commands, aka VENOM.)
 CVE-2015-2756 (QEMU, as used in Xen 3.3.x through 4.5.x, does not properly restrict access to PCI command registers, which might allow local HVM guest users to cause a denial of service (non-maskable interrupt and host crash) by disabling the (1) memory or (2) I/O decoding for a PCI Express device and then accessing the device, which triggers an Unsupported Request (UR) response.)
 CVE-2015-1779
 CVE-2014-9718 (The (1) BMDMA and (2) AHCI HBA interfaces in the IDE functionality in QEMU 1.0 through 2.1.3 have multiple interpretations of a function's return value, which allows guest OS users to cause a host OS denial of service (memory consumption or infinite loop, and system crash) via a PRDT with zero complete sectors, related to the bmdma_prepare_buf and ahci_dma_prepare_buf functions.)
Original document: UBUNTU, [USN-2608-1] QEMU vulnerabilities (17.05.2015)
 MANDRIVA, [ MDVSA-2015:210 ] qemu (05.05.2015)

Google Chrome / Chromium multiple security vulnerabilities
updated since 05.05.2015
Published:25.05.2015
Source:
SecurityVulns ID:14435
Type:client
Threat Level:
6/10
Affected:GOOGLE : Chrome 41
 GOOGLE : Chrome 42
CVE:CVE-2015-3336 (Google Chrome before 42.0.2311.90 does not always ask the user before proceeding with CONTENT_SETTINGS_TYPE_FULLSCREEN and CONTENT_SETTINGS_TYPE_MOUSELOCK changes, which allows user-assisted remote attackers to cause a denial of service (UI disruption) by constructing a crafted HTML document containing JavaScript code with requestFullScreen and requestPointerLock calls, and arranging for the user to access this document with a file: URL.)
 CVE-2015-3334 (browser/ui/website_settings/website_settings.cc in Google Chrome before 42.0.2311.90 does not always display "Media: Allowed by you" in a Permissions table after the user has granted camera permission to a web site, which might make it easier for user-assisted remote attackers to obtain sensitive video data from a device's physical environment via a crafted web site that turns on the camera at a time when the user believes that camera access is prohibited.)
 CVE-2015-3333 (Multiple unspecified vulnerabilities in Google V8 before 4.2.77.14, as used in Google Chrome before 42.0.2311.90, allow attackers to cause a denial of service or possibly have other impact via unknown vectors.)
 CVE-2015-1265 (Multiple unspecified vulnerabilities in Google Chrome before 43.0.2357.65 allow attackers to cause a denial of service or possibly have other impact via unknown vectors.)
 CVE-2015-1264 (Cross-site scripting (XSS) vulnerability in Google Chrome before 43.0.2357.65 allows user-assisted remote attackers to inject arbitrary web script or HTML via crafted data that is improperly handled by the Bookmarks feature.)
 CVE-2015-1263 (The Spellcheck API implementation in Google Chrome before 43.0.2357.65 does not use an HTTPS session for downloading a Hunspell dictionary, which allows man-in-the-middle attackers to deliver incorrect spelling suggestions or possibly have unspecified other impact via a crafted file.)
 CVE-2015-1262 (platform/fonts/shaping/HarfBuzzShaper.cpp in Blink, as used in Google Chrome before 43.0.2357.65, does not initialize a certain width field, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via crafted Unicode text.)
 CVE-2015-1261 (android/java/src/org/chromium/chrome/browser/WebsiteSettingsPopup.java in Google Chrome before 43.0.2357.65 on Android does not properly restrict use of a URL's fragment identifier during construction of a page-info popup, which allows remote attackers to spoof the URL bar or deliver misleading popup content via crafted text.)
 CVE-2015-1260 (Multiple use-after-free vulnerabilities in content/renderer/media/user_media_client_impl.cc in the WebRTC implementation in Google Chrome before 43.0.2357.65 allow remote attackers to cause a denial of service or possibly have unspecified other impact via crafted JavaScript code that executes upon completion of a getUserMedia request.)
 CVE-2015-1259 (PDFium, as used in Google Chrome before 43.0.2357.65, does not properly initialize memory, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors.)
 CVE-2015-1258 (Google Chrome before 43.0.2357.65 relies on libvpx code that was not built with an appropriate --size-limit value, which allows remote attackers to trigger a negative value for a size field, and consequently cause a denial of service or possibly have unspecified other impact, via a crafted frame size in VP9 video data.)
 CVE-2015-1257 (platform/graphics/filters/FEColorMatrix.cpp in the SVG implementation in Blink, as used in Google Chrome before 43.0.2357.65, does not properly handle an insufficient number of values in an feColorMatrix filter, which allows remote attackers to cause a denial of service (container overflow) or possibly have unspecified other impact via a crafted document.)
 CVE-2015-1256 (Use-after-free vulnerability in the SVG implementation in Blink, as used in Google Chrome before 43.0.2357.65, allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted document that leverages improper handling of a shadow tree for a use element.)
 CVE-2015-1255 (Use-after-free vulnerability in content/renderer/media/webaudio_capturer_source.cc in the WebAudio implementation in Google Chrome before 43.0.2357.65 allows remote attackers to cause a denial of service (heap memory corruption) or possibly have unspecified other impact by leveraging improper handling of a stop action for an audio track.)
 CVE-2015-1254 (core/dom/Document.cpp in Blink, as used in Google Chrome before 43.0.2357.65, enables the inheritance of the designMode attribute, which allows remote attackers to bypass the Same Origin Policy by leveraging the availability of editing.)
 CVE-2015-1253 (core/html/parser/HTMLConstructionSite.cpp in the DOM implementation in Blink, as used in Google Chrome before 43.0.2357.65, allows remote attackers to bypass the Same Origin Policy via crafted JavaScript code that appends a child to a SCRIPT element, related to the insert and executeReparentTask functions.)
 CVE-2015-1252 (common/partial_circular_buffer.cc in Google Chrome before 43.0.2357.65 does not properly handle wraps, which allows remote attackers to bypass a sandbox protection mechanism or cause a denial of service (out-of-bounds write) via vectors that trigger a write operation with a large amount of data, related to the PartialCircularBuffer::Write and PartialCircularBuffer::DoWrite functions.)
 CVE-2015-1251 (Use-after-free vulnerability in the SpeechRecognitionClient implementation in the Speech subsystem in Google Chrome before 43.0.2357.65 allows remote attackers to execute arbitrary code via a crafted document.)
 CVE-2015-1250 (Multiple unspecified vulnerabilities in Google Chrome before 42.0.2311.135 allow attackers to cause a denial of service or possibly have other impact via unknown vectors.)
 CVE-2015-1249 (Multiple unspecified vulnerabilities in Google Chrome before 42.0.2311.90 allow attackers to cause a denial of service or possibly have other impact via unknown vectors.)
 CVE-2015-1248 (The FileSystem API in Google Chrome before 40.0.2214.91 allows remote attackers to bypass the SafeBrowsing for Executable Files protection mechanism by creating a .exe file in a temporary filesystem and then referencing this file with a filesystem:http: URL.)
 CVE-2015-1247 (The SearchEngineTabHelper::OnPageHasOSDD function in browser/ui/search_engines/search_engine_tab_helper.cc in Google Chrome before 42.0.2311.90 does not prevent use of a file: URL for an OpenSearch descriptor XML document, which might allow remote attackers to obtain sensitive information from local files via a crafted (1) http or (2) https web site.)
 CVE-2015-1246 (Blink, as used in Google Chrome before 42.0.2311.90, allows remote attackers to cause a denial of service (out-of-bounds read) via unspecified vectors.)
 CVE-2015-1245 (Use-after-free vulnerability in the OpenPDFInReaderView::Update function in browser/ui/views/location_bar/open_pdf_in_reader_view.cc in Google Chrome before 41.0.2272.76 might allow user-assisted remote attackers to cause a denial of service (heap memory corruption) or possibly have unspecified other impact by triggering interaction with a PDFium "Open PDF in Reader" button that has an invalid tab association.)
 CVE-2015-1244 (The URLRequest::GetHSTSRedirect function in url_request/url_request.cc in Google Chrome before 42.0.2311.90 does not replace the ws scheme with the wss scheme whenever an HSTS Policy is active, which makes it easier for remote attackers to obtain sensitive information by sniffing the network for WebSocket traffic.)
 CVE-2015-1243 (Use-after-free vulnerability in the MutationObserver::disconnect function in core/dom/MutationObserver.cpp in the DOM implementation in Blink, as used in Google Chrome before 42.0.2311.135, allows remote attackers to cause a denial of service or possibly have unspecified other impact by triggering an attempt to unregister a MutationObserver object that is not currently registered.)
 CVE-2015-1242 (The ReduceTransitionElementsKind function in hydrogen-check-elimination.cc in Google V8 before 4.2.77.8, as used in Google Chrome before 42.0.2311.90, allows remote attackers to cause a denial of service or possibly have unspecified other impact via crafted JavaScript code that leverages "type confusion" in the check-elimination optimization.)
 CVE-2015-1241 (Google Chrome before 42.0.2311.90 does not properly consider the interaction of page navigation with the handling of touch events and gesture events, which allows remote attackers to trigger unintended UI actions via a crafted web site that conducts a "tapjacking" attack.)
 CVE-2015-1240 (gpu/blink/webgraphicscontext3d_impl.cc in the WebGL implementation in Google Chrome before 42.0.2311.90 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted WebGL program that triggers a state inconsistency.)
 CVE-2015-1238 (Skia, as used in Google Chrome before 42.0.2311.90, allows remote attackers to cause a denial of service (out-of-bounds write) or possibly have unspecified other impact via unknown vectors.)
 CVE-2015-1237 (Use-after-free vulnerability in the RenderFrameImpl::OnMessageReceived function in content/renderer/render_frame_impl.cc in Google Chrome before 42.0.2311.90 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that trigger renderer IPC messages during a detach operation.)
 CVE-2015-1236 (The MediaElementAudioSourceNode::process function in modules/webaudio/MediaElementAudioSourceNode.cpp in the Web Audio API implementation in Blink, as used in Google Chrome before 42.0.2311.90, allows remote attackers to bypass the Same Origin Policy and obtain sensitive audio sample values via a crafted web site containing a media element.)
 CVE-2015-1235 (The ContainerNode::parserRemoveChild function in core/dom/ContainerNode.cpp in the HTML parser in Blink, as used in Google Chrome before 42.0.2311.90, allows remote attackers to bypass the Same Origin Policy via a crafted HTML document with an IFRAME element.)
Original document: DEBIAN, [SECURITY] [DSA 3267-1] chromium-browser security update (25.05.2015)
 DEBIAN, [SECURITY] [DSA 3238-1] chromium-browser security update (05.05.2015)
 DEBIAN, [SECURITY] [DSA 3242-1] chromium-browser security update (05.05.2015)
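The scheme upgrade that CVE-2015-1244 got wrong, as an added example (not Chromium code): an HSTS store that parses Strict-Transport-Security header values and applies the RFC 6797 rewrite (scheme to its TLS counterpart, an explicit port 80 to 443) to ws: URLs as well as http: ones, so a WebSocket opened to a host with an active HSTS policy cannot silently go out in clear text. Host names, timestamps and URLs are constructed for the illustration.

```python
# Added example, not Chromium code: HSTS policy store whose upgrade covers
# WebSocket URLs, the case CVE-2015-1244 missed.
import re
import time
from urllib.parse import urlsplit, urlunsplit

UPGRADES = {"http": "https", "ws": "wss"}   # the ws -> wss pair is the one that was missing


def parse_sts_header(value: str):
    """Return (max_age, include_subdomains) from a Strict-Transport-Security
    value, or None if there is no usable max-age directive."""
    max_age, subs = None, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age" and re.fullmatch(r'"?\d+"?', arg.strip()):
            max_age = int(arg.strip().strip('"'))
        elif name == "includesubdomains":
            subs = True
    return None if max_age is None else (max_age, subs)


class HstsStore:
    def __init__(self):
        self._entries = {}   # host -> (expiry_timestamp, include_subdomains)

    def remember(self, host: str, header_value: str, now=None):
        """Record the policy a host sent over TLS (callers must only feed TLS responses)."""
        parsed = parse_sts_header(header_value)
        if parsed is None:
            return
        now = time.time() if now is None else now
        max_age, subs = parsed
        if max_age == 0:
            self._entries.pop(host.lower(), None)   # max-age=0 revokes the policy
        else:
            self._entries[host.lower()] = (now + max_age, subs)

    def applies_to(self, host: str, now=None) -> bool:
        now = time.time() if now is None else now
        host = host.lower()
        for known, (expiry, subs) in self._entries.items():
            if expiry <= now:
                continue
            if host == known or (subs and host.endswith("." + known)):
                return True
        return False

    def upgrade(self, url: str, now=None) -> str:
        """Rewrite http:/ws: URLs for hosts under an active policy; others pass through."""
        parts = urlsplit(url)
        scheme = parts.scheme.lower()
        if scheme not in UPGRADES or not self.applies_to(parts.hostname or "", now):
            return url
        netloc = parts.netloc
        if parts.port == 80:          # RFC 6797 section 8.3: explicit port 80 becomes 443
            netloc = f"{parts.hostname}:443"
        return urlunsplit((UPGRADES[scheme], netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    store = HstsStore()
    store.remember("example.org", "max-age=31536000; includeSubDomains")
    for u in ("ws://chat.example.org/socket", "http://example.org:80/", "ws://chat.example.com/"):
        print(f"{u:35} -> {store.upgrade(u)}")
```

Keeping the scheme map in one table is the design point: the bug class is a second code path (WebSocket creation) that consults the same policy store but forgets one rewrite, and a single upgrade() used by every fetch path removes the chance to diverge.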

wpa_supplicant multiple security vulnerabilities
updated since 05.05.2015
Published:21.06.2015
Source:
SecurityVulns ID:14446
Type:remote
Threat Level:
7/10
Description:Heap buffer overflow on P2P SSID handling; DoS vulnerabilities in EAP-pwd, WMM Action frame and WPS UPnP parsing.
Affected:WPASUPPLICANT : wpa_supplicant 2.4
 GOOGLE : Android 5.1
CVE:CVE-2015-4146 (The EAP-pwd peer implementation in hostapd and wpa_supplicant 1.0 through 2.4 does not clear the L (Length) and M (More) flags before determining if a response should be fragmented, which allows remote attackers to cause a denial of service (crash) via a crafted message.)
 CVE-2015-4145 (The EAP-pwd server and peer implementation in hostapd and wpa_supplicant 1.0 through 2.4 does not validate a fragment is already being processed, which allows remote attackers to cause a denial of service (memory leak) via a crafted message.)
 CVE-2015-4144 (The EAP-pwd server and peer implementation in hostapd and wpa_supplicant 1.0 through 2.4 does not validate that a message is long enough to contain the Total-Length field, which allows remote attackers to cause a denial of service (crash) via a crafted message.)
 CVE-2015-4143 (The EAP-pwd server and peer implementation in hostapd and wpa_supplicant 1.0 through 2.4 allows remote attackers to cause a denial of service (out-of-bounds read and crash) via a crafted (1) Commit or (2) Confirm message payload.)
 CVE-2015-4142 (Integer underflow in the WMM Action frame parser in hostapd 0.5.5 through 2.4 and wpa_supplicant 0.7.0 through 2.4, when used for AP mode MLME/SME functionality, allows remote attackers to cause a denial of service (crash) via a crafted frame, which triggers an out-of-bounds read.)
 CVE-2015-4141 (The WPS UPnP function in hostapd, when using WPS AP, and wpa_supplicant, when using WPS external registrar (ER), 0.7.0 through 2.4 allows remote attackers to cause a denial of service (crash) via a negative chunk length, which triggers an out-of-bounds read or heap-based buffer overflow.)
 CVE-2015-1863 (Heap-based buffer overflow in wpa_supplicant 1.0 through 2.4 allows remote attackers to cause a denial of service (crash), read memory, or possibly execute arbitrary code via crafted SSID information in a management frame when creating or updating P2P entries.)
Original document: UBUNTU, [USN-2650-1] wpa_supplicant and hostapd vulnerabilities (21.06.2015)
 UBUNTU, [USN-2577-1] wpa_supplicant vulnerability (05.05.2015)
 xing_fang_(at)_vulnhunt.com, [ALICLOUDSEC-VUL2015-001]Android wpa_supplicant WLAN Direct remote buffer overflow (05.05.2015)
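The SSID length check missing in CVE-2015-1863, as an added example (not wpa_supplicant code): 802.11 information elements are ID/length/value triples, the SSID element (ID 0) is defined as at most 32 octets, but the length byte can claim up to 255. Copying the element into a fixed 32-byte field without checking is the overflow; the parser below rejects an SSID longer than 32 bytes and an element whose declared length runs past the end of the frame. The frames are constructed with build_ies(), which deliberately performs no validation because that is how a hostile peer builds them.

```python
# Added example, not wpa_supplicant code: bounds-checked 802.11 IE parsing
# with the SSID length rule enforced before any copy.
import struct

EID_SSID = 0
SSID_MAX_LEN = 32          # 802.11: an SSID is 0..32 octets


class FrameError(ValueError):
    pass


def build_ies(elements):
    """Serialize [(eid, body_bytes), ...] as 802.11 information elements.
    No validation on purpose: this is the attacker's side."""
    out = bytearray()
    for eid, body in elements:
        if len(body) > 255:
            raise ValueError("IE body does not fit one length byte")
        out += struct.pack("BB", eid, len(body)) + body
    return bytes(out)


def parse_ies(blob: bytes):
    """Walk the IE list, refusing any element whose length runs past the frame."""
    ies, pos = [], 0
    while pos < len(blob):
        if len(blob) - pos < 2:
            raise FrameError("truncated IE header")
        eid, length = blob[pos], blob[pos + 1]
        pos += 2
        if len(blob) - pos < length:
            raise FrameError(f"IE {eid} claims {length} bytes, only {len(blob) - pos} left")
        ies.append((eid, blob[pos:pos + length]))
        pos += length
    return ies


def extract_ssid(blob: bytes):
    """Return the SSID bytes, or None if the frame carries no SSID element.
    An over-long SSID is rejected instead of being copied into a 32-byte field."""
    for eid, body in parse_ies(blob):
        if eid == EID_SSID:
            if len(body) > SSID_MAX_LEN:
                raise FrameError(f"SSID of {len(body)} bytes exceeds {SSID_MAX_LEN}")
            return body
    return None


def ssid_is_safe(blob: bytes) -> bool:
    try:
        extract_ssid(blob)
        return True
    except FrameError:
        return False


if __name__ == "__main__":
    print(extract_ssid(build_ies([(EID_SSID, b"lab-net"), (1, bytes([0x82, 0x84]))])))
    print(ssid_is_safe(build_ies([(EID_SSID, b"A" * 40)])))
```

The same two checks (element fits the frame, value fits the destination) are the ones the EAP-pwd and WPS UPnP entries above are missing in their own formats: a Total-Length that is larger than the message, or a negative chunk length, is the same mistake in a different header.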

© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod