Security

A defect in BIND's handling of responses containing a DNAME answer can cause a resolver to exit after encountering an assertion failure in db.c or resolver.c

During processing of a recursive response that contains a DNAME record in the answer section, BIND can stop execution after encountering an assertion error in resolver.c (error message: "INSIST((valoptions & 0x0002U) != 0) failed") or db.c (error message: "REQUIRE(targetp != ((void *)0) && *targetp == ((void *)0)) failed").

A server encountering either of these error conditions will stop, resulting in denial of service to clients. The risk to authoritative servers is minimal; recursive servers are chiefly at risk.

It was discovered that there was a possible DoS attack in Cairo, a multi-platform library providing vector-based rendering. An SVG could generate invalid pointers from a _cairo_image_surface in write_png.

Integer overflow in the kbasep_vinstr_attach_client function in midgard/mali_kbase_vinstr.c in Google Chrome before 52.0.2743.85 allows remote attackers to cause a denial of service (heap-based buffer overflow and use-after-free) by leveraging an unrestricted multiplication.

- CVE-2016-8624: invalid URL parsing with '#' (bsc#1005646)

- CVE-2016-8623: Use-after-free via shared cookies (bsc#1005645)

- CVE-2016-8622: URL unescape heap overflow via integer truncation (bsc#1005643)

- CVE-2016-8621: curl_getdate read out of bounds (bsc#1005642)

- CVE-2016-8620: glob parser write/read out of bounds (bsc#1005640)

- CVE-2016-8619: double-free in krb5 code (bsc#1005638)

- CVE-2016-8618: double-free in curl_maprintf (bsc#1005637)

- CVE-2016-8617: OOB write via unchecked multiplication (bsc#1005635)

- CVE-2016-8616: case insensitive password comparison (bsc#1005634)

- CVE-2016-8615: cookie injection for other servers (bsc#1005633)

- CVE-2014-9907: DOS due to corrupted DDS files (bsc#1000714)

- CVE-2015-8959: DOS due to corrupted DDS files (bsc#1000713)

- CVE-2016-7513: Off-by-one error leading to segfault (bsc#1000686)

- CVE-2016-7514: Out-of-bounds read in coders/psd.c (bsc#1000688)

- CVE-2016-7518: Out-of-bounds read in coders/sun.c (bsc#1000694)

- CVE-2016-7520: Heap overflow in hdr file handling (bsc#1000696)

- CVE-2016-7521: Heap buffer overflow in psd file handling (bsc#1000697)

- CVE-2016-7523: AddressSanitizer:heap-buffer-overflow READ of size 1 meta.c:496 (bsc#1000699)

- CVE-2016-7525: Heap buffer overflow in psd file coder (bsc#1000701)

- CVE-2016-7530: Out of bound in quantum handling (bsc#1000703)

- CVE-2016-7532: Fix handling of corrupted psd file (bsc#1000706)

- CVE-2016-7534: Out of bound access in generic decoder (bsc#1000708)

- CVE-2016-7535: Out of bound access for corrupted psd file (bsc#1000709)

- CVE-2016-7536: SEGV reported in corrupted profile handling (bsc#1000710)

- CVE-2016-7538: SIGABRT for corrupted pdb file (bsc#1000712)

- CVE-2016-7539: Potential DOS by not releasing memory (bsc#1000715)

- CVE-2016-7540: Writing to RGF format aborts (bsc#1000394)

- CVE-2016-8677: Memory allocation failure in AcquireQuantumPixels (bsc#1005328)

Unspecified vulnerability in Oracle Java SE 6u121, 7u111, and 8u102 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to 2D.

The TIFFWriteDirectoryTagLongLong8Array function in tif_dirwrite.c in the tiffset tool in LibTIFF 4.0.6 and earlier allows remote attackers to cause a denial of service (out-of-bounds read) via vectors involving the ma variable.

Agostino Sarubbo from Gentoo discovered a flaw in libwmf's Windows Metafile Format (WMF) parser which caused allocation of excessive amount of memory potentially leading to a crash.

A use-after-free vulnerability via namespace nodes in XPointer ranges was found in libxml2.

It was discovered that the Mailman administrative web interface did not protect against cross-site request forgery (CSRF) attacks. If an authenticated user were tricked into visiting a malicious website while logged into Mailman, a remote attacker could perform administrative actions. This issue only affected Ubuntu 12.04 LTS.

Unspecified vulnerability in Oracle MySQL 5.5.51 and earlier, 5.6.32 and earlier, and 5.7.14 and earlier allows remote authenticated users to affect availability via vectors related to Server: Optimizer. (CVE-2016-3492)

Unspecified vulnerability in Oracle MySQL 5.5.50 and earlier, 5.6.31 and earlier, and 5.7.13 and earlier allows remote authenticated users to affect availability via vectors related to DML. (CVE-2016-5612)

Unspecified vulnerability in Oracle MySQL 5.5.51 and earlier, 5.6.32 and earlier, and 5.7.14 and earlier allows local users to affect confidentiality, integrity, and availability via vectors related to Server: MyISAM. (CVE-2016-5616)

Unspecified vulnerability in Oracle MySQL 5.5.51 and earlier allows remote authenticated users to affect availability via vectors related to DML. (CVE-2016-5624)

Unspecified vulnerability in Oracle MySQL 5.5.51 and earlier, 5.6.32 and earlier, and 5.7.14 and earlier allows remote authenticated users to affect availability via vectors related to GIS. (CVE-2016-5626)

Unspecified vulnerability in Oracle MySQL 5.5.51 and earlier, 5.6.32 and earlier, and 5.7.14 and earlier allows remote administrators to affect availability via vectors related to Server: Federated. (CVE-2016-5629)

Unspecified vulnerability in Oracle MySQL 5.5.51 and earlier, 5.6.32 and earlier, and 5.7.14 and earlier allows remote authenticated users to affect availability via vectors related to Server: Types. (CVE-2016-8283)

- CVE-2016-8704 (arbitrary code execution): An integer overflow in the process_bin_append_prepend function which is responsible for processing multiple commands of Memcached binary protocol can be abused to cause heap overflow and lead to remote code execution.

- CVE-2016-8705 (arbitrary code execution): Multiple integer overflows in process_bin_update function which is responsible for processing multiple commands of Memcached binary protocol can be abused to cause heap overflow and lead to remote code execution.

- CVE-2016-8706 (arbitrary code execution): An integer overflow in process_bin_sasl_auth function which is responsible for authentication commands of Memcached binary protocol can be abused to cause heap overflow and lead to remote code execution.

Unspecified vulnerability in Oracle MySQL 5.5.51 and earlier, 5.6.32 and earlier, and 5.7.14 and earlier allows local users to affect confidentiality, integrity, and availability via vectors related to Server: Error Handling.

A regular expression denial of service flaw was found in Tough-Cookie. An attacker able to make an application using Touch-Cookie to parse a sufficiently large HTTP request Cookie header could cause the application to consume an excessive amount of CPU. (CVE-2016-1000232)

A cross-site scripting flaw was discovered in openstack-manila-ui's Metadata field contained in its "Create Share" form. A user could inject malicious HTML/JavaScript code that would then be reflected in the "Shares" overview. Remote, authenticated, but unprivileged users could exploit this vulnerability to steal session cookies and escalate their privileges. (CVE-2016-6519)

It was discovered that a long running unload handler could cause an incognito profile to be reused in some circumstances. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to obtain sensitive information.

Marti Raudsepp discovered that Django incorrectly used a hardcoded password when running tests on an Oracle database. A remote attacker could possibly connect to the database while the tests are running and prevent the test user with the hardcoded password from being removed. (CVE-2016-9013)

Aymeric Augustin discovered that Django incorrectly validated hosts when being run with the debug setting enabled. A remote attacker could possibly use this issue to perform DNS rebinding attacks. (CVE-2016-9014)

Multiple vulnerabilities have been discovered in qemu-kvm, a full virtualization solution on x86 hardware based on Quick Emulator(Qemu). The Common Vulnerabilities and Exposures project identifies the following problems:

CVE-2016-7909: Quick Emulator(Qemu) built with the AMD PC-Net II emulator support is vulnerable to an infinite loop issue. It could occur while receiving packets via pcnet_receive().

A privileged user/process inside guest could use this issue to crash the Qemu process on the host leading to DoS.

CVE-2016-8909: Quick Emulator(Qemu) built with the Intel HDA controller emulation support is vulnerable to an infinite loop issue. It could occur while processing the DMA buffer stream while doing data transfer in 'intel_hda_xfer'.

A privileged user inside guest could use this flaw to consume excessive CPU cycles on the host, resulting in DoS.

CVE-2016-8910: Quick Emulator(Qemu) built with the RTL8139 ethernet controller emulation support is vulnerable to an infinite loop issue. It could occur while transmitting packets in C+ mode of operation.

A privileged user inside guest could use this flaw to consume excessive CPU cycles on the host, resulting in DoS situation.

Further issues fixed where the CVE requests are pending:

* Quick Emulator(Qemu) built with the i8255x (PRO100) NIC emulation support is vulnerable to a memory leakage issue. It could occur while unplugging the device, and doing so repeatedly would result in leaking host memory affecting, other services on the host.

A privileged user inside guest could use this flaw to cause a DoS on the host and/or potentially crash the Qemu process on the host.

* Quick Emulator(Qemu) built with the VirtFS, host directory sharing via Plan 9 File System(9pfs) support, is vulnerable to a several memory leakage issues.

A privileged user inside guest could use this flaw to leak the host memory bytes resulting in DoS for other services.

* Quick Emulator(Qemu) built with the VirtFS, host directory sharing via Plan 9 File System(9pfs) support, is vulnerable to an integer overflow issue. It could occur by accessing xattributes values.

A privileged user inside guest could use this flaw to crash the Qemu process instance resulting in DoS.

* Quick Emulator(Qemu) built with the VirtFS, host directory sharing via Plan 9 File System(9pfs) support, is vulnerable to memory leakage issue. It could occur while creating extended attribute via 'Txattrcreate' message.

A privileged user inside guest could use this flaw to leak host memory, thus affecting other services on the host and/or potentially crash the Qemu process on the host.

A vulnerability has been discovered in the tar package that could allow an attacker to overwrite arbitrary files through crafted files.

The DumpModeEncode function in tif_dumpmode.c in the bmp2tiff tool in LibTIFF 4.0.6 and earlier, when the "-c none" option is used, allows remote attackers to cause a denial of service (buffer over-read) via a crafted BMP image. (CVE-2016-3619)

The ZIPEncode function in tif_zip.c in the bmp2tiff tool in LibTIFF 4.0.6 and earlier, when the "-c zip" option is used, allows remote attackers to cause a denial of service (buffer over-read) via a crafted BMP image. (CVE-2016-3620)

The LZWEncode function in tif_lzw.c in the bmp2tiff tool in LibTIFF 4.0.6 and earlier, when the "-c lzw" option is used, allows remote attackers to cause a denial of service (buffer over-read) via a crafted BMP image. (CVE-2016-3621)

The (1) cpStrips and (2) cpTiles functions in the thumbnail tool in LibTIFF 4.0.6 and earlier allow remote attackers to cause a denial of service (out-of-bounds read) via vectors related to the bytecounts[] array variable. (CVE-2016-3631)

The setrow function in the thumbnail tool in LibTIFF 4.0.6 and earlier allows remote attackers to cause a denial of service (out-of-bounds read) via vectors related to the src variable. (CVE-2016-3633)

The tagCompare function in tif_dirinfo.c in the thumbnail tool in LibTIFF 4.0.6 and earlier allows remote attackers to cause a denial of service (out-of-bounds read) via vectors related to field_tag matching. (CVE-2016-3634)

An exploitable remote code execution vulnerability exists in the handling of TIFF images in LibTIFF version 4.0.6. A crafted TIFF document can lead to a type confusion vulnerability resulting in remote code execution. This vulnerability can be triggered via a TIFF file delivered to the application using LibTIFF's tag extension functionality. (CVE-2016-8331)

The cvtClump function in the rgb2ycbcr tool in LibTIFF 4.0.6 and earlier allows remote attackers to cause a denial of service (out-of-bounds write) by setting the "-v" option to -1. (CVE-2016-3624)

CVE-2016-5102, CVE-2016-5318, CVE-2016-5319, and CVE-2016-5652 are unspecified.

A vulnerability has been found in the tre package that could allow an attacker to perform controlled heap corruption.