doc.export* Methods Allow Arbitrary File Creation
Discovered: 07.13.09. Several JavaScript methods of the Document Object do not honor the Privileged Context and Safe Path settings. IOActive was able to execute certain privileged JavaScript methods that can be used to create arbitrary files and folders on a targeted file system.
Recursive Stack Overflow in ClamAV
Reported: 10.30.08. Patched: 12.01.08. Disclosed: 06.09.0. ClamAV’s JPEG parser contains code that recursively checks thumbnails, if they are included. Since the thumbnails can be JPEGs, there is no limit to the amount of recursions that can occur. This can lead to stack overflows.
Heap Corruption in Tor
Discovered: January 2009. Reported: 01.20.09. Disclosed: 06.08.09. There is a potential heap corruption bug in Tor when escaping data for logging purposes. Only certain deployments are vulnerable, and the bug can be triggered only from certain locales.
AppleTalk Response Packet Parsing Array Over-indexing Vulnerability
Discovered: 03.03.09. Reported: 03.03.09. Disclosed: 08.05.09. CVE-ID: CVE-2009-2193. The Mac OS X AppleTalk stack contains an array over-indexing vulnerability that, if exploited correctly while AppleTalk is powered on, could lead to a remote system compromise. Even if only partially exploited, it could lead to denial-of-service conditions and cause a kernel panic remotely, effectively shutting down the system.
Pointer Dereference in OpenSolaris
Reported: 09.29.08. Disclosed: 02.04.09. Patched: 02.05.09. The OpenSolaris kernel exhibits a vulnerability around a userland pointer dereference, and allows both reading from and writing to the kernel.
QNX ker_msg_sendv System Call Integer Overflow
Discovered: 10.30.08. Reported: 10.30.08. Disclosed: 10.31.08. QNX’s ker_msg_sendv() system call contains an integer overflow that could lead to heap corruption and, if correctly exploited, system compromise. If only partially exploited, this could lead to denial-of-service conditions and kernel panic, effectively shutting down the system.
DNS TXT Record Parsing Bug in LibSPF2
Reported: 10.20.08. Disclosed: 10.21.08. Researchers discovered a relatively common bug that parses TXT records delivered over DNS-dating back at least to 2002 in Sendmail 8.2.0 and almost certainly much earlier-in LibSPF2. This library retrieves Sender Policy Framework (SPF) records and applies policy according to those records. This implementation flaw allows for relatively flexible memory corruption and should be treated as a path to anonymous remote code execution.
Diskimages-helper band-size Vulnerability
Reported to Vendor: 09.30.08. Patch Released: 04.29.09. CVE ID: CVE-2009-0150. A signed-to-unsigned conversion flaw exists in diskimages-helper when it reads the band-size parameter. When the value specified for the band-size key is changed to a negative number, the diskimages-helper process crashes when the user attempts to log in.
Multiple Vulnerabilities in Apple’s MobileMe Service
Reported: 08.05.08. Patched: 11.06.08 Disclosed: 11.20.08. Apple’s MobileMe (me.com) web service contains several serious security vulnerabilities. The most critical vulnerability combines cross-site request forgery and cross-site scripting, and allows an attacker to access the service without a valid password.
Multiple Buffer Overflows in legacy mod_jk2 apache module 2.0.3-DEV and earlier
CVE-2007-6257, VU#245025. Discovered: 05.01.07. Reported: 06.27.07. Disclosed: 09.20.07. A buffer overflow vulnerability exists in the Host Header field of the legacy version of the mod_jk2 apache module (jakata-tomcat-connectors), which allows for remote code execution in the context of the Apache process.