Security
Two approaches to reference count hardening
Reference counts are used throughout the kernel to track the lifecycles of objects; when a reference count is decremented to zero, the kernel knows that the associated object is no longer in use and can be freed. But reference counts, like almost any other mechanism, are subject to various sorts of bugs in their usage, and those bugs can lead to exploitable vulnerabilities. So it is not surprising that developers have been interested in hardening the kernel against such bugs for years.

With reference counts, the most common bugs are failure to decrement a counter and decrementing the counter when a reference is not held. Both often happen in error paths and can go undetected for a long time, since those paths are lightly tested at best and rarely executed. An error situation might lead a function to return without performing a necessary decrement, or it may decrement a count that, in fact, had not yet been incremented. But these bugs can pop up in non-error paths as well; they often go unnoticed, since they rarely result in obvious explosions.
Excessive decrements will cause an object to be freed before the last real reference has been released, leading to a classic use-after-free situation. Such errors are often exploitable; see CVE-2016-4557 (and the associated fix) for a recent example. Excessive increments, if they can be provoked by an attacker, lead to a similar scenario: first the counter is overflowed, then decremented back to zero, leading to a premature freeing of the object. CVE-2016-0728 (fixed with this commit) is an example of the trouble that can ensue. Needless to say, it would be nice to catch this type of error before it gets to the point of being exploitable by an attacker.
As is so often the case, the oldest work in this area seems to have been done in the PaX project. This work starts with the kernel's atomic_t type, which is often used to implement reference counts. The kernel provides a set of helper functions for performing operations (increments and decrements, for example) on atomic_t variables, so it makes sense to add overflow checks to those functions. That must be done carefully, though, since operations on atomic_t variables are often in hot paths in the kernel; changes that increase the size of the atomic_t type are also unlikely to be accepted.
In the PaX case, the relevant operations, most of which are already implemented in assembly, are enhanced to perform overflow checks. Often that is just a matter of checking the condition-code flags set by the processor as a result of the increment or decrement operation. Should an overflow be detected, the response is architecture-dependent, but results in some sort of kernel trap. The overflow is undone, the process that overflowed the counter is killed, and a message is logged.
This checking catches attempts to exploit the overflow (excessive increment) bugs handily; that class of bugs is rendered unexploitable. Excessive decrements are harder to catch, since decrementing a reference count to zero is a part of normal operation. If such a bug exists, though, it will almost certainly show itself by decrementing the counter below zero occasionally, even in normal operations. With checking in place, somebody should notice the problem and it should be fixed.
There is one catch that makes this patch more invasive than one might expect, though: not all uses of atomic_t are reference counts. Other uses, which might legitimately wrap or go below zero, should not have this type of checking enabled. To get to that point, PaX adds an atomic_unchecked_t type and converts a large set of in-kernel users; that leads to a fair amount of code churn.
Back in December, David Windsor posted a version of the PaX reference-count hardening patch set for review. A certain amount of discussion followed, and some problems were pointed out, but there was little opposition to the idea in general. Unfortunately, David vanished shortly thereafter and never followed up with a new version of the patches, so they remain outside of the mainline. Nobody else has stepped up to carry this work forward.
More recently, Jann Horn has posted a different approach to the refcount problem. Rather than change the atomic_t type, this patch set changes the kref mechanism, which exists explicitly for the implementation of reference counts. This choice means that far fewer locations in the kernel will be protected, but it makes the patch set far less invasive and allows testing of the underlying ideas.
Jann's patch set eschews assembly tweaks in favor of entirely architecture-independent checking, a choice which, he later conceded, might not be the most efficient in the end. With this patch in place, special things happen once a reference count reaches a maximum value (0x70000000): after that point, increments and decrements are no longer allowed. In essence, a reference count that large is deemed to have already overflowed, so it is "pinned" at a high number to prevent premature object freeing. No warnings are emitted, and no processes are killed.
While he had no objection to the patch as it was, Kees Cook said that he would rather see the checking done at the atomic_t level, since so much reference counting is done that way. Greg Kroah-Hartman agreed, noting that the process of auditing atomic_t users would turn up a lot of places where kref should be used instead. Adding overflow checking to atomic_t would protect kref automatically (since krefs are implemented as a wrapper around atomic_t), so it really does seem that, despite the large number of changes required, this protection should be done at the lower level.
Of course, there is already a working patch set for the detection of atomic_t overflows: the PaX code. The work to separate it out and turn it into a standalone kernel patch has even been done. The flag-day nature of the change (all non-reference-count uses of atomic_t have to change when the semantics of atomic_t do) will make the process of upstreaming this patch a bit harder, but such changes can be made when they are justified. Closing off a class of errors that has demonstrably led to exploitable kernel vulnerabilities would seem like a reasonably strong justification.
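Both strategies described above (the PaX-style trap-and-undo on atomic_t, and the kref pinning at 0x70000000 from Jann Horn's patch set), modelled in user space as an added example. This is not the PaX code or the kref patch set; it assumes a plain int standing in for atomic_t, a single thread, and the GCC/Clang __builtin_add_overflow builtin in place of the CPU's overflow flag.

```c
/* Added example, not the PaX or kref code from the article: a user-space model
 * of both hardening strategies on a plain int standing in for atomic_t. The
 * PaX-style code traps on overflow and undoes it; the kref-style code pins the
 * count at 0x70000000. Assumes __builtin_add_overflow (GCC/Clang), one thread. */
#include <limits.h>
#include <stdbool.h>

typedef struct { int counter; } model_atomic_t;

/* PaX-style increment: signed overflow is what the CPU's overflow flag reports
 * after the add (the builtin plays that role here). On overflow the counter is
 * left unchanged and a trap is counted where the kernel would log and kill. */
static bool pax_inc(model_atomic_t *v, int *traps)
{
    int result;
    if (__builtin_add_overflow(v->counter, 1, &result)) {
        (*traps)++;
        return false;
    }
    v->counter = result;
    return true;
}

/* PaX-style decrement: dropping below zero is the symptom of an excessive
 * decrement, so it is refused and trapped rather than freeing a live object. */
static bool pax_dec(model_atomic_t *v, int *traps)
{
    if (v->counter <= 0) { (*traps)++; return false; }
    v->counter--;
    return true;
}

#define KREF_PIN 0x70000000 /* the maximum value from the kref patch set */
typedef struct { model_atomic_t refcount; } model_kref_t;

/* kref-style get: at KREF_PIN the count is deemed already overflowed and stays
 * there, with no warning and no kill. Returns whether the count changed. */
static bool kref_get_pinned(model_kref_t *k)
{
    if (k->refcount.counter >= KREF_PIN) return false;
    k->refcount.counter++;
    return true;
}

/* kref-style put: returns 1 when the last reference is dropped and the caller
 * must free. A pinned count never reaches zero: the object leaks, not frees. */
static int kref_put_pinned(model_kref_t *k)
{
    if (k->refcount.counter >= KREF_PIN) return 0;
    return --k->refcount.counter == 0;
}

/* The article's overflow scenario: a count two below the pin, extra_gets
 * surplus increments from a buggy path, then one put per get plus one more.
 * Returns how often "free me" was reported: 0 with pinning in place. */
static int demo_pinned(int extra_gets)
{
    model_kref_t k = { { KREF_PIN - 2 } };
    int frees = 0;
    for (int i = 0; i < 2 + extra_gets; i++)
        kref_get_pinned(&k);
    for (int i = 0; i < 2 + extra_gets + 1; i++)
        frees += kref_put_pinned(&k);
    return frees;
}

/* PaX scenario: an increment at INT_MAX is trapped and undone, a legitimate
 * 1 -> 0 release passes, a further release below zero is trapped. Returns 2. */
static int demo_pax(void)
{
    model_atomic_t v = { INT_MAX };
    int traps = 0;
    pax_inc(&v, &traps); /* trapped: v.counter is still INT_MAX */
    v.counter = 1;       /* now an object with one real holder */
    pax_dec(&v, &traps); /* 1 -> 0, the legitimate last release */
    pax_dec(&v, &traps); /* 0 -> -1 refused and trapped */
    return traps;
}
```

Without pinning, the surplus gets in demo_pinned would be matched by surplus puts and the count would hit zero while the two real holders still exist; with it, the count sticks at the ceiling and the object is leaked instead.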
Brief items
Security quotes of the week
The search giant today revealed that it’s been rolling out a new form of encryption in its Chrome browser that’s designed to resist not just existing crypto-cracking methods, but also attacks that might take advantage of a future quantum computer that accelerates codebreaking techniques untold gajillions of times over. For now, it’s only testing that new so-called “post-quantum” crypto in some single digit percentage of Chrome desktop installations, which will be updated so that they use the new encryption protocol when they connect to some Google services. But the experiment nonetheless represents the biggest real-world rollout ever of encryption that’s resistant to quantum attacks, and a milestone in the security world’s preparations to head off a potentially disastrous but still-distant quantum cryptopocalypse.
Extracting Qualcomm's KeyMaster Keys - Breaking Android Full Disk Encryption (Bits Please)
The "Bits Please" blog has a detailed description of how one breaks full-disk encryption on an Android phone. Included therein is a lot of information on how full-disk encryption works on Android devices and its inherent limitations. "Instead of creating a scheme which directly uses the hardware key without ever divulging it to software or firmware, the code above performs the encryption and validation of the key blobs using keys which are directly available to the TrustZone software! Note that the keys are also constant - they are directly derived from the SHK (which is fused into the hardware) and from two 'hard-coded' strings. Let's take a moment to explore some of the implications of this finding."
Linux Security Summit schedule published
On his blog, James Morris has announced that the schedule for the Linux Security Summit (LSS) is now available. "The keynote speaker for this year’s event is Julia Lawall. Julia is a research scientist at Inria, the developer of Coccinelle, and the Linux Kernel coordinator for the Outreachy project. Refereed presentations include: The State of Kernel Self Protection Project – Kees Cook, Google; Towards Measured Boot Out of the Box – Matthew Garrett, CoreOS; Securing Filesystem Images for Unprivileged Containers – James Bottomley, IBM; Opportunistic Encryption Using IPsec – Paul Wouters, Libreswan IPsec VPN Project; and Android: Protecting the Kernel – Jeffrey Vander Stoep, Google." LSS will be held August 25-26 in Toronto, co-located with LinuxCon North America.
10 million Android phones infected by all-powerful auto-rooting apps (Ars Technica)
Ars Technica reports on the "HummingBad" malware that has infected millions of Android devices: "Researchers from security firm Check Point Software said the malware installs more than 50,000 fraudulent apps each day, displays 20 million malicious advertisements, and generates more than $300,000 per month in revenue. The success is largely the result of the malware's ability to silently root a large percentage of the phones it infects by exploiting vulnerabilities that remain unfixed in older versions of Android." The article is based on a report [PDF] from Check Point, though the article notes that "researchers from mobile security company Lookout say HummingBad is in fact Shedun, a family of auto-rooting malware that came to light last November and had already infected a large number of devices".
New vulnerabilities
cronic: predictable temporary files
| Package(s) | CVE #(s) | Created | Updated |
|---|---|---|---|
| cronic | CVE-2016-3992 | July 6, 2016 | July 7, 2016 |

Description: From the openSUSE bug report:

It looks like cronic uses very predictable temporary files (like /tmp/cronic.out.$$) that depend only on the PID:

```sh
OUT=/tmp/cronic.out.$$
ERR=/tmp/cronic.err.$$
TRACE=/tmp/cronic.trace.$$
set +e
"$@" >$OUT 2>$TRACE
RESULT=$?
set -e
```
graphicsmagick: multiple vulnerabilities
| Package(s) | CVE #(s) | Created | Updated |
|---|---|---|---|
| GraphicsMagick | CVE-2014-9805 CVE-2014-9807 CVE-2014-9808 CVE-2014-9809 CVE-2014-9810 CVE-2014-9811 CVE-2014-9813 CVE-2014-9814 CVE-2014-9815 CVE-2014-9816 CVE-2014-9817 CVE-2014-9818 CVE-2014-9819 CVE-2014-9820 CVE-2014-9828 CVE-2014-9829 CVE-2014-9830 CVE-2014-9831 CVE-2014-9834 CVE-2014-9835 CVE-2014-9837 CVE-2014-9839 CVE-2014-9840 CVE-2014-9844 CVE-2014-9845 CVE-2014-9846 CVE-2014-9847 CVE-2014-9853 CVE-2015-8894 CVE-2015-8901 CVE-2015-8903 CVE-2016-5688 | July 5, 2016 | July 7, 2016 |

Description: From the openSUSE advisory:

- CVE-2014-9805: SEGV due to a corrupted pnm file. (bsc#983752)
- CVE-2014-9807: Double free in pdb coder. (bsc#983794)
- CVE-2014-9808: SEGV due to corrupted dpc images. (bsc#983796)
- CVE-2014-9809: SEGV due to corrupted xwd images. (bsc#983799)
- CVE-2014-9810: SEGV in dpx file handler (bsc#983803)
- CVE-2014-9811: Crash in xwd file handler (bsc#984032)
- CVE-2014-9813: Crash on corrupted viff file (bsc#984035)
- CVE-2014-9814: NULL pointer dereference in wpg file handling (bsc#984193)
- CVE-2014-9815: Crash on corrupted wpg file (bsc#984372)
- CVE-2014-9816: Out of bound access in viff image (bsc#984398)
- CVE-2014-9817: Heap buffer overflow in pdb file handling (bsc#984400)
- CVE-2014-9818: Out of bound access on malformed sun file (bsc#984181)
- CVE-2014-9819: Heap overflow in palm files (bsc#984142)
- CVE-2014-9820: Heap overflow in xpm files (bsc#984150)
- CVE-2014-9828: corrupted (too many colors) psd file (bsc#984028)
- CVE-2014-9829: Out of bound access in sun file (bsc#984409)
- CVE-2014-9830: Handling of corrupted sun file (bsc#984135)
- CVE-2014-9831: Handling of corrupted wpg file (bsc#984375)
- CVE-2014-9834: Heap overflow in pict file (bsc#984436)
- CVE-2014-9835: Heap overflow in wpf file (bsc#984145)
- CVE-2014-9837: Additional PNM sanity checks (bsc#984166)
- CVE-2014-9839: Theoretical out of bound access in magick/colormap-private.h (bsc#984379)
- CVE-2014-9840: Out of bound access in palm file (bsc#984433)
- CVE-2014-9844: Out of bound issue in rle file (bsc#984373)
- CVE-2014-9845: Crash due to corrupted dib file (bsc#984394)
- CVE-2014-9846: Added checks to prevent overflow in rle file (bsc#983521)
- CVE-2014-9847: Incorrect handling of "previous" image in the JNG decoder (bsc#984144)
- CVE-2014-9853: Memory leak in rle file handling (bsc#984408)
- CVE-2015-8894: Double free in coders/tga.c:221 (bsc#983523)
- CVE-2015-8901: MIFF file DoS (endless loop) (bsc#983234)
- CVE-2015-8903: Denial of service (cpu) in vicar (bsc#983259)
- CVE-2016-5688: Various invalid memory reads in ImageMagick WPG (bsc#985442)
imagemagick: many vulnerabilities
| Package(s) | CVE #(s) | Created | Updated |
|---|---|---|---|
| ImageMagick | CVE-2014-9806 CVE-2014-9812 CVE-2014-9821 CVE-2014-9822 CVE-2014-9823 CVE-2014-9824 CVE-2014-9825 CVE-2014-9826 CVE-2014-9832 CVE-2014-9833 CVE-2014-9836 CVE-2014-9838 CVE-2014-9841 CVE-2014-9842 CVE-2014-9843 CVE-2014-9848 CVE-2014-9849 CVE-2014-9850 CVE-2014-9851 CVE-2014-9852 CVE-2014-9854 CVE-2015-8900 CVE-2015-8902 CVE-2016-4562 CVE-2016-4564 CVE-2016-5687 CVE-2016-5689 CVE-2016-5690 CVE-2016-5691 CVE-2016-5841 CVE-2016-5842 | July 7, 2016 | December 1, 2016 |

Description: From the openSUSE advisory:
kernel: multiple vulnerabilities
| Package(s) | CVE #(s) | Created | Updated |
|---|---|---|---|
| kernel | CVE-2014-9904 CVE-2016-5828 CVE-2016-5829 CVE-2016-6130 | July 5, 2016 | July 7, 2016 |

Description: From the CVE entries:

The snd_compress_check_input function in sound/core/compress_offload.c in the ALSA subsystem in the Linux kernel before 3.17 does not properly check for an integer overflow, which allows local users to cause a denial of service (insufficient memory allocation) or possibly have unspecified other impact via a crafted SNDRV_COMPRESS_SET_PARAMS ioctl call. (CVE-2014-9904)

The start_thread function in arch/powerpc/kernel/process.c in the Linux kernel through 4.6.3 on powerpc platforms mishandles transactional state, which allows local users to cause a denial of service (invalid process state or TM Bad Thing exception, and system crash) or possibly have unspecified other impact by starting and suspending a transaction before an exec system call. (CVE-2016-5828)

Multiple heap-based buffer overflows in the hiddev_ioctl_usage function in drivers/hid/usbhid/hiddev.c in the Linux kernel through 4.6.3 allow local users to cause a denial of service or possibly have unspecified other impact via a crafted (1) HIDIOCGUSAGES or (2) HIDIOCSUSAGES ioctl call. (CVE-2016-5829)

Race condition in the sclp_ctl_ioctl_sccb function in drivers/s390/char/sclp_ctl.c in the Linux kernel before 4.6 allows local users to obtain sensitive information from kernel memory by changing a certain length value, aka a "double fetch" vulnerability. (CVE-2016-6130)
kernel: denial of service
| Package(s) | CVE #(s) | Created | Updated |
|---|---|---|---|
| kernel | CVE-2016-5728 | July 1, 2016 | July 7, 2016 |

Description: From the Red Hat bug report:

Race condition vulnerability was found in drivers/misc/mic/vop/vop_vringh.c in the MIC VOP driver in the Linux kernel before 4.6.1. MIC VOP driver does two successive reads from user space to read a variable length data structure. Local user can obtain sensitive information from kernel memory or can cause DoS by corrupting kernel memory if the data structure changes between the two reads.
libarchive: multiple vulnerabilities
| Package(s) | CVE #(s) | Created | Updated |
|---|---|---|---|
| libarchive | CVE-2015-8934 CVE-2016-4300 CVE-2016-4301 CVE-2016-4302 CVE-2016-5844 | July 6, 2016 | July 7, 2016 |

Description: From the Mageia advisory:

- An out of bounds read in the rar parser: invalid read in function copy_from_lzss_window() when unpacking malformed rar (CVE-2015-8934).
- An exploitable heap overflow vulnerability exists in the 7zip read_SubStreamsInfo functionality of libarchive. A specially crafted 7zip file can cause an integer overflow resulting in memory corruption that can lead to code execution. An attacker can send a malformed file to trigger this vulnerability (CVE-2016-4300).
- An exploitable stack based buffer overflow vulnerability exists in the mtree parse_device functionality of libarchive. A specially crafted mtree file can cause a buffer overflow resulting in memory corruption/code execution. An attacker can send a malformed file to trigger this vulnerability (CVE-2016-4301).
- An exploitable heap overflow vulnerability exists in the Rar decompression functionality of libarchive. A specially crafted Rar file can cause a heap corruption eventually leading to code execution. An attacker can send a malformed file to trigger this vulnerability (CVE-2016-4302).
- A signed integer overflow in iso parser: integer overflow when computing location of volume descriptor (CVE-2016-5844).

The libarchive package has been updated to version 3.2.1, fixing those issues and other bugs.
libgd: denial of service
| Package(s) | CVE #(s) | Created | Updated |
|---|---|---|---|
| libgd | CVE-2016-6128 | July 6, 2016 | July 7, 2016 |

Description: From the Mageia advisory:

Improperly handling invalid color index in gdImageCropThreshold() could result in denial of service.
libircclient: insecure cipher suites
| Package(s) | CVE #(s) | Created | Updated |
|---|---|---|---|
| libircclient | | July 6, 2016 | July 11, 2016 |

Description: From the openSUSE advisory:

This update for libircclient adjusts the cipher suites from ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH to
libreoffice: code execution
| Package(s) | CVE #(s) | Created | Updated |
|---|---|---|---|
| libreoffice | CVE-2016-4324 | June 30, 2016 | November 11, 2016 |

Description: From the Debian advisory:

Aleksandar Nikolic discovered that missing input sanitising in the RTF parser in Libreoffice may result in the execution of arbitrary code if a malformed document is opened.
libvirt: authentication bypass
| Package(s) | CVE #(s) | Created | Updated |
|---|---|---|---|
| libvirt | CVE-2016-5008 | July 1, 2016 | November 11, 2016 |

Description: From the Debian advisory:

Setting an empty graphics password is documented as a way to disable VNC/SPICE access, but QEMU does not always behave like that. VNC would happily accept the empty password.
mbedtls: three vulnerabilities
| Package(s) | CVE #(s) | Created | Updated |
|---|---|---|---|
| mbedtls | | July 5, 2016 | July 28, 2016 |

Description: From the mbed TLS advisory:

- (2.3, 2.1, 1.3) Fixed missing padding length check required by PKCS1 v2.2 in mbedtls_rsa_rsaes_pkcs1_v15_decrypt(). (considered low impact)
- (2.3, 2.1, 1.3) Fixed potential integer overflow to buffer overflow in mbedtls_rsa_rsaes_pkcs1_v15_encrypt() and mbedtls_rsa_rsaes_oaep_encrypt(). (not triggerable remotely in (D)TLS)
- (2.3, 2.1, 1.3) Fixed potential integer underflow to buffer overread in mbedtls_rsa_rsaes_oaep_decrypt(). It is not triggerable remotely in SSL/TLS.
openstack-ironic: authentication bypass
| Package(s) | CVE #(s) | Created | Updated |
|---|---|---|---|
| openstack-ironic | CVE-2016-4985 | July 5, 2016 | July 7, 2016 |

Description: From the Red Hat advisory:

An authentication vulnerability was found in openstack-ironic. A client with network access to the ironic-api service could bypass OpenStack Identity authentication, and retrieve all information about any node registered with OpenStack Bare Metal. If an unprivileged attacker knew (or was able to guess) the MAC address of a network card belonging to a node, the flaw could be exploited by sending a crafted POST request to the node's /v1/drivers/$DRIVER_NAME/vendor_passthru resource. The response included the node's full details, including management passwords, even if the /etc/ironic/policy.json file was configured to hide passwords in API responses.
phpMyAdmin: code execution
| Package(s) | CVE #(s) | Created | Updated |
|---|---|---|---|
| phpMyAdmin | CVE-2016-5734 | July 5, 2016 | July 7, 2016 |

Description: From the CVE entry:

phpMyAdmin 4.0.x before 4.0.10.16, 4.4.x before 4.4.15.7, and 4.6.x before 4.6.3 does not properly choose delimiters to prevent use of the preg_replace e (aka eval) modifier, which might allow remote attackers to execute arbitrary PHP code via a crafted string, as demonstrated by the table search-and-replace implementation.
sqlite3: information leak
| Package(s) | CVE #(s) | Created | Updated |
|---|---|---|---|
| sqlite3 | CVE-2016-6153 | July 6, 2016 | August 12, 2016 |

Description: From the Debian LTS advisory:

It was discovered that sqlite3, a C library that implements a SQL database engine, would reject a temporary directory (e.g., as specified by the TMPDIR environment variable) to which the executing user did not have read permissions. This could result in information leakage as less secure global temporary directories (e.g., /var/tmp or /tmp) would be used instead.
struts: multiple vulnerabilities
| Package(s) | CVE #(s) | Created | Updated |
|---|---|---|---|
| struts | CVE-2016-1181 CVE-2016-1182 | July 1, 2016 | July 11, 2016 |

Description: From the Fedora advisory:

- CVE-2016-1181 - Vulnerability in ActionForm allows unintended remote operations against components on server memory.
- CVE-2016-1182 - Improper input validation in Validator.
wordpress: multiple vulnerabilities
| Package(s) | CVE #(s) | Created | Updated |
|---|---|---|---|
| wordpress | CVE-2016-5832 CVE-2016-5833 CVE-2016-5834 CVE-2016-5835 CVE-2016-5836 CVE-2016-5837 CVE-2016-5838 CVE-2016-5839 | July 1, 2016 | August 4, 2016 |

Description: From the CVE entries:

- CVE-2016-5832 - The customizer in WordPress before 4.5.3 allows remote attackers to bypass intended redirection restrictions via unspecified vectors.
- CVE-2016-5833 - Cross-site scripting (XSS) vulnerability in the column_title function in wp-admin/includes/class-wp-media-list-table.php in WordPress before 4.5.3 allows remote attackers to inject arbitrary web script or HTML via a crafted attachment name, a different vulnerability than CVE-2016-5834.
- CVE-2016-5834 - Cross-site scripting (XSS) vulnerability in the wp_get_attachment_link function in wp-includes/post-template.php in WordPress before 4.5.3 allows remote attackers to inject arbitrary web script or HTML via a crafted attachment name, a different vulnerability than CVE-2016-5833.
- CVE-2016-5835 - WordPress before 4.5.3 allows remote attackers to obtain sensitive revision-history information by leveraging the ability to read a post, related to wp-admin/includes/ajax-actions.php and wp-admin/revision.php.
- CVE-2016-5836 - The oEmbed protocol implementation in WordPress before 4.5.3 allows remote attackers to cause a denial of service via unspecified vectors.
- CVE-2016-5837 - WordPress before 4.5.3 allows remote attackers to bypass intended access restrictions and remove a category attribute from a post via unspecified vectors.
- CVE-2016-5838 - WordPress before 4.5.3 allows remote attackers to bypass intended password-change restrictions by leveraging knowledge of a cookie.
- CVE-2016-5839 - WordPress before 4.5.3 allows remote attackers to bypass the sanitize_file_name protection mechanism via unspecified vectors.
xerces-c: denial of service
| Package(s) | CVE #(s) | Created | Updated |
|---|---|---|---|
| xerces-c | CVE-2016-4463 | June 30, 2016 | July 7, 2016 |

Description: From the Debian advisory:

Brandon Perry discovered that xerces-c, a validating XML parser library for C++, fails to successfully parse a DTD that is deeply nested, causing a stack overflow. A remote unauthenticated attacker can take advantage of this flaw to cause a denial of service against applications using the xerces-c library.
Page editor: Jake Edge