Security

Multiple unspecified vulnerabilities in Google Chrome before 29.0.1547.57 allow attackers to cause a denial of service or possibly have other impact via unknown vectors. (CVE-2013-2887)

The FilePath::ReferencesParent function in files/file_path.cc in Google Chrome before 29.0.1547.57 on Windows does not properly handle pathname components composed entirely of . (dot) and whitespace characters, which allows remote attackers to conduct directory traversal attacks via a crafted directory name. (CVE-2013-2900)

Multiple integer overflows in (1) libGLESv2/renderer/Renderer9.cpp and (2) libGLESv2/renderer/Renderer11.cpp in Almost Native Graphics Layer Engine (ANGLE), as used in Google Chrome before 29.0.1547.57, allow remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors. (CVE-2013-2901)

Use-after-free vulnerability in the XSLT ProcessingInstruction implementation in Blink, as used in Google Chrome before 29.0.1547.57, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to an applyXSLTransform call involving (1) an HTML document or (2) an xsl:processing-instruction element that is still in the process of loading. (CVE-2013-2902)

Use-after-free vulnerability in the HTMLMediaElement::didMoveToNewDocument function in core/html/HTMLMediaElement.cpp in Blink, as used in Google Chrome before 29.0.1547.57, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors involving moving a (1) AUDIO or (2) VIDEO element between documents. (CVE-2013-2903)

Use-after-free vulnerability in the Document::finishedParsing function in core/dom/Document.cpp in Blink, as used in Google Chrome before 29.0.1547.57, allows remote attackers to cause a denial of service or possibly have unspecified other impact via an onload event that changes an IFRAME element so that its src attribute is no longer an XML document, leading to unintended garbage collection of this document. (CVE-2013-2904)

The SharedMemory::Create function in memory/shared_memory_posix.cc in Google Chrome before 29.0.1547.57 uses weak permissions under /dev/shm/, which allows attackers to obtain sensitive information via direct access to a POSIX shared-memory file. (CVE-2013-2905)

From the Red Hat advisory:

A denial of service flaw was found in the way HTCondor's policy definition evaluator processed certain policy definitions. If an administrator used an attribute defined on a job in a CONTINUE, KILL, PREEMPT, or SUSPEND condor_startd policy, a remote HTCondor service user could use this flaw to cause condor_startd to exit by submitting a job that caused such a policy definition to be evaluated to either the ERROR or UNDEFINED states. (CVE-2013-4255)

From the Fedora advisory:

CVE-2012-4412 glibc: strcoll() integer overflow leading to buffer overflow
CVE-2012-4424 glibc: alloca() stack overflow in the strcoll() interface
CVE-2013-2207 glibc (pt_chown): Improper pseudotty ownership and permissions changes when granting access to the slave pseudoterminal
CVE-2013-4237 glibc: Buffer overwrite when using readdir_r on file systems returning file names longer than NAME_MAX characters

From the Red Hat bugzilla entries [1, 2]:

CVE-2013-4254: Linux kernel built for the ARM(CONFIG_ARM/CONFIG_ARM64) platforms along with the hardware performance counter support(CONFIG_HW_PERF_EVENTS) is vulnerable to a NULL pointer dereference flaw. This could lead to the kernel crash resulting in DoS or potential privilege escalation to gain root privileges by a non-root user.

An unprivileged user/program could use this flaw to crash the kernel resulting in DoS or potential privilege escalation to gain root access to a machine.

CVE-2013-0343: Due to the way the Linux kernel handles the creation of IPv6 temporary addresses a malicious LAN user can remotely disable them altogether which may lead to privacy violations and information disclosure.

Reference:
http://seclists.org/oss-sec/2012/q4/292
http://seclists.org/oss-sec/2013/q1/92

CVE-2013-3077: Clement Lecigne from the Google Security Team reported an integer overflow in computing the size of a temporary buffer in the IP multicast code, which can result in a buffer which is too small for the requested operation. An unprivileged process can read or write pages of memory which belong to the kernel. These may lead to exposure of sensitive information or allow privilege escalation.

CVE-2013-4851: Rick Macklem, Christopher Key and Tim Zingelman reported that the FreeBSD kernel incorrectly uses client supplied credentials instead of the one configured in exports(5) when filling out the anonymous credential for a NFS export, when -network or -host restrictions are used at the same time. The remote client may supply privileged credentials (e.g. the root user) when accessing a file under the NFS share, which will bypass the normal access checks.

CVE-2013-5209: Julian Seward and Michael Tuexen reported a kernel memory disclosure when initializing the SCTP state cookie being sent in INIT-ACK chunks, a buffer allocated from the kernel stack is not completely initialized. Fragments of kernel memory may be included in SCTP packets and transmitted over the network. For each SCTP session, there are two separate instances in which a 4-byte fragment may be transmitted.

This memory might contain sensitive information, such as portions of the file cache or terminal buffers. This information might be directly useful, or it might be leveraged to obtain elevated privileges in some way. For example, a terminal buffer might include an user-entered password.

Three buffer overflows in Little CMS version 1.19 could possibly be exploited through user input.

It is possible to write arbitrary files to a remote system, through a specially crafted server response for NMAP http-domino-enum-passwords.nse script (from the official Nmap repository).

Session fixation vulnerability in the Sessions subsystem in PHP before 5.5.2 allows remote attackers to hijack web sessions by specifying a session ID. (CVE-2011-4718)

The openssl_x509_parse function in openssl.c in the OpenSSL module in PHP before 5.4.18 and 5.5.x before 5.5.2 does not properly handle a '\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408. (CVE-2013-4248)

From the openSUSE advisory:

PDF files could emit messages with terminal escape sequences which could be used to inject shell code if the user ran a PDF viewer from a terminal shell (CVE-2012-2142).

The ssl.match_hostname function in the SSL module in Python 2.6 through 3.4 does not properly handle a '\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.

From the Red Hat bugzilla entry:

When displaying the value of a URLField -- a model field type for storing URLs -- this interface treated the values of such fields as safe, thus failing to properly accommodate the potential for dangerous values. A proof-of-concept application has been provided to the Django project, showing how this can be exploited to perform XSS in the administrative interface.

In a normal Django deployment, this will only affect the administrative interface, as the incorrect handling occurs only in form-widget code in django.contrib.admin. It is, however, possible that other applications may be affected, if those applications make use of form widgets provided by the admin interface.

Pedro Ribeiro and Huzaifa S. Sidhpurwala discovered multiple vulnerabilities in various tools shipped by the tiff library. Processing a malformed file may lead to denial of service or the execution of arbitrary code.

Multiple vulnerabilities have been discovered in Wireshark. A remote attacker could possibly execute arbitrary code with the privileges of the process or cause a Denial of Service condition.