Stack overflow in PDFium in Google Chrome prior to 60.0.3112.78 for Linux, Windows, and Mac allowed a remote attacker to potentially exploit stack corruption via a crafted PDF file.

About Monorail User Guide Release Notes Feedback on Monorail Terms Privacy

CVE-2017-5095: 732661 - chromium - An open-source project to help move the web forward.

Inappropriate implementation in Omnibox in Google Chrome prior to 60.0.3112.78 for Linux, Windows, and Mac allowed a remote attacker to spoof the contents of the Omnibox via a crafted HTML page.

CVE-2017-5101: 681740 - chromium - An open-source project to help move the web forward.

A use after free in Apps in Google Chrome prior to 60.0.3112.78 for Windows allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page.

CVE-2017-5100: 718292 - chromium - An open-source project to help move the web forward.

Type confusion in extensions JavaScript bindings in Google Chrome prior to 60.0.3112.78 for Mac, Windows, Linux, and Android allowed a remote attacker to potentially maliciously modify objects via a crafted HTML page.

CVE-2017-5094: 702946 - chromium - An open-source project to help move the web forward.

Adobe Flash Player version 27.0.0.159 and earlier has a flawed bytecode verification procedure, which allows for an untrusted value to be used in the calculation of an array index. This can lead to type confusion, and successful exploitation could lead to arbitrary code execution.

Security updates available for Flash Player | APSB17-32

Bulletin ID

Date Published

Priority

APSB17-32

October 16, 2017

1

Adobe has released a security update for Adobe Flash Player for Windows, Macintosh, Linux and Chrome OS. This update addresses a critical type confusion vulnerability that could lead to code execution.

Adobe is aware of a report that an exploit for CVE-2017-11292 exists in the wild, and is being used in limited, targeted attacks against users running Windows.

Product

Version

Platform

Adobe Flash Player Desktop Runtime

27.0.0.159 and earlier versions

Windows, Macintosh

Adobe Flash Player for Google Chrome

27.0.0.159 and earlier versions

Windows, Macintosh, Linux and Chrome OS 

Adobe Flash Player for Microsoft Edge and Internet Explorer 11

27.0.0.130 and earlier versions

Windows 10 and 8.1

Adobe Flash Player Desktop Runtime

27.0.0.159 and earlier versions

Linux

To verify the version of Adobe Flash Player installed on your system, access the About Flash Player page, or right- click on content running in Flash Player and select "About Adobe (or Macromedia) Flash Player" from the menu. If you use multiple browsers, perform the check for each browser you have installed on your system.

Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version:

Note:

*   Adobe recommends users of the Adobe Flash Player Desktop Runtime for Windows, Macintosh and Linux update to Adobe Flash Player 27.0.0.170 via the update mechanism within the product \[1\] or by visiting the Adobe Flash Player Download Center.
*   Adobe Flash Player installed with Google Chrome will be automatically updated to the latest Google Chrome version, which will include Adobe Flash Player 27.0.0.170 for Windows, Macintosh, Linux and Chrome OS.
*   Adobe Flash Player installed with Microsoft Edge and Internet Explorer 11 for Windows 10 and 8.1 will be automatically updated to the latest version, which will include Adobe Flash Player 27.0.0.170.
*   Please visit the Flash Player Help page for assistance in installing Flash Player.

\[1\] Users who have selected the option to 'Allow Adobe to install updates' will receive the update automatically. Users who do not have the 'Allow Adobe to install updates' option enabled can install the update via the update mechanism within the product when prompted.

Vulnerability Category

Vulnerability Impact

Severity

CVE Number

Type Confusion

Remote Code Execution

Critical

CVE-2017-11292

Adobe would like to thank Anton Ivanov of Kaspersky Labs for reporting this issue and for working with Adobe to help protect our customers.

October 16, 2017: Added "and earlier versions" to the Affected Product Versions table.

CVE-2017-11292: Adobe Security Bulletin

Double free vulnerability in the j2k_read_ppm_v3 function in OpenJPEG before r2997, as used in PDFium in Google Chrome, allows remote attackers to cause a denial of service (process crash) via a crafted PDF.

CVE-2015-1239: 457493 - chromium - An open-source project to help move the web forward. - Monorail

Cross-site scripting (XSS) vulnerability in the search auto-completion functionality in Foreman before 1.4.4 allows remote authenticated users to inject arbitrary web script or HTML via a crafted key name.

CVE-2014-0208: Foreman :: Security

The net/http package's Request.ParseMultipartForm method starts writing to temporary files once the request body size surpasses the given "maxMemory" limit. It was possible for an attacker to generate a multipart request crafted such that the server ran out of file descriptors.

    commit 7478ea5dba7ed02ddffd91c1d17ec8141f7cf184
    Author: Michael Fraenkel <michael.fraenkel@gmail.com>
    Date:   Wed Oct 5 11:27:34 2016 -0400
    
        net/http: multipart ReadForm close file after copy
        
        Always close the file regardless of whether the copy succeeds or fails.
        Pass along the close error if the copy succeeds
        
        Fixes #16296
        
        Change-Id: Ib394655b91d25750f029f17b3846d985f673fb50
        Reviewed-on: https://go-review.googlesource.com/30410
        Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
        Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
        TryBot-Result: Gobot Gobot <gobot@golang.org>
    

Reportedly, it closes a potential DoS vector, exhausting a server's file descriptors.

CVE-2017-1000098: net/http: backport "multipart ReadForm close file after copy" to 1.7 · Issue #17965 · golang/go

Heap-based buffer overflow in dnsmasq before 2.78 allows remote attackers to cause a denial of service (crash) or execute arbitrary code via a crafted DNS response.

I've just released a new stable version of dnsmasq 2.78

Download is available at

http://thekelleys.org.uk/dnsmasq/dnsmasq-2.78.tar.gz

This is a bugfix release, and, amongst other things, addresses a set of
serious security vulnerabilities. Update should be mandatory.

CHANGELOG is attached below.

version 2.78
        Fix logic of appending ".<layer>" to PXE basename. Thanks to    
        Chris Novakovic for the patch.

        Revert ping-check of address in DHCPDISCOVER if there
        already exists a lease for the address. Under some
        circumstances, and netbooted windows installation can reply
        to pings before if has a DHCP lease and block allocation
        of the address it already used during netboot. Thanks to
        Jan Psota for spotting this.

        Fix DHCP relaying, broken in 2.76 and 2.77 by commit
        ff325644c7afae2588583f935f4ea9b9694eb52e. Thanks to
        John Fitzgibbon for the diagnosis and patch.

        Try other servers if first returns REFUSED when
        --strict-order active. Thanks to Hans Dedecker
        for the patch

        Fix regression in 2.77, ironically added as a security
        improvement, which resulted in a crash when a DNS
        query exceeded 512 bytes (or the EDNS0 packet size,
        if different.) Thanks to Christian Kujau, Arne Woerner
        Juan Manuel Fernandez and Kevin Darbyshire-Bryant for
        chasing this one down.  CVE-2017-13704 applies.

        Fix heap overflow in DNS code. This is a potentially serious
        security hole. It allows an attacker who can make DNS
        requests to dnsmasq, and who controls the contents of
        a domain, which is thereby queried, to overflow
        (by 2 bytes) a heap buffer and either crash, or
        even take control of, dnsmasq.
        CVE-2017-14491 applies.
        Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana
        Kevin Hamacher and Ron Bowes of the Google Security Team for
        finding this.
        Fix heap overflow in IPv6 router advertisement code.
        This is a potentially serious security hole, as a
        crafted RA request can overflow a buffer and crash or
        control dnsmasq. Attacker must be on the local network.
        CVE-2017-14492 applies.
        Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana
        and Kevin Hamacher of the Google Security Team for
        finding this.

        Fix stack overflow in DHCPv6 code. An attacker who can send
        a DHCPv6 request to dnsmasq can overflow the stack frame and
        crash or control dnsmasq.
        CVE-2017-14493 applies.
        Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana
        Kevin Hamacher and Ron Bowes of the Google Security Team for
        finding this.

        Fix information leak in DHCPv6. A crafted DHCPv6 packet can
        cause dnsmasq to forward memory from outside the packet
        buffer to a DHCPv6 server when acting as a relay.
        CVE-2017-14494 applies.
        Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana
        Kevin Hamacher and Ron Bowes of the Google Security Team for
        finding this.

        Fix DoS in DNS. Invalid boundary checks in the
        add\_pseudoheader function allows a memcpy call with negative
        size An attacker which can send malicious DNS queries
        to dnsmasq can trigger a DoS remotely.
        dnsmasq is vulnerable only if one of the following option is
        specified: --add-mac, --add-cpe-id or --add-subnet.
        CVE-2017-14496 applies.
        Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana
        Kevin Hamacher and Ron Bowes of the Google Security Team for
        finding this.

        Fix out-of-memory Dos vulnerability. An attacker which can
        send malicious DNS queries to dnsmasq can trigger memory
        allocations in the add\_pseudoheader function
        The allocated memory is never freed which leads to a DoS
        through memory exhaustion. dnsmasq is vulnerable only
        if one of the following option is specified:
        --add-mac, --add-cpe-id or --add-subnet.
        CVE-2017-14495 applies.
        Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana
        Kevin Hamacher and Ron Bowes of the Google Security Team for
        finding this.

 **![Attachment:](https://www.mail-archive.com/attachment.png) signature.asc**  
_Description:_ OpenPGP digital signature

\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

CVE-2017-14491: [Dnsmasq-discuss] Announce: dnsmasq-2.78.

The bark_noise_hybridmp function in psy.c in Xiph.Org libvorbis 1.3.5 allows remote attackers to cause a denial of service (out-of-bounds access and application crash) or possibly have unspecified other impact via a crafted mp4 file.

![Openwall](http://openwall.com/logo.png)

*   Products
    *   Openwall GNU/\*/Linux   _server OS_
    *   Linux Kernel Runtime Guard
    *   John the Ripper   _password cracker_
        *   Free & Open Source for any platform
        *   in the cloud
        *   Pro for Linux
        *   Pro for macOS
    *   Wordlists   _for password cracking_
    *   passwdqc   _policy enforcement_
        *   Free & Open Source for Unix
        *   Pro for Windows (Active Directory)
    *   yescrypt   _KDF & password hashing_
    *   yespower   _Proof-of-Work (PoW)_
    *   crypt\_blowfish   _password hashing_
    *   phpass   _ditto in PHP_
    *   tcb   _better password shadowing_
    *   Pluggable Authentication Modules
    *   scanlogd   _port scan detector_
    *   popa3d   _tiny POP3 daemon_
    *   blists   _web interface to mailing lists_
    *   msulogin   _single user mode login_
    *   php\_mt\_seed   _mt\_rand() cracker_
*   Services
*   Publications
    *   Articles
    *   Presentations
*   Resources
    *   Mailing lists
    *   Community wiki
    *   Source code repositories (GitHub)
    *   Source code repositories (CVSweb)
    *   File archive & mirrors
    *   How to verify digital signatures
    *   OVE IDs
*   What's new

\[<prev\] \[next>\] \[thread-next>\] \[day\] \[month\] \[year\] \[list\]

Date: Thu, 21 Sep 2017 06:27:15 +0000
From: 连一汉 <lianyihan@....cn>
To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>
Subject: CVE-2017-14160: libvorbis-1.3.5 bark\_noise\_hybridmp() integer signedness bug

Hi,

I’m a security researcher of Qihoo 360 GearTeam.
My partner Zhibin Hu and I found a vulnerability of libvorbis-1.3.5.
And we have applied for CVE-2017-14160 of this vulnerability.
================== test command ====================

ffmpeg �Ci poc.mp4 �Cy 1.mkv
// libvorbis-1.3.5 has been compiled into ffmpeg static.

================= needed version ====================

I compile it as https://github.com/google/oss-fuzz/blob/master/projects/ffmpeg/build.sh

This is the problem of libvorbis-1.3.5, and I tried libvorbis in ubuntu repo, it could also trigger this vul or bug.

=================== crash info ======================

(gdb) bt
#0  0x0000000001f95afd in bark\_noise\_hybridmp (n=256, b=0x32cd940, f=0x32e5010, noise=0x32f7ed0, offset=140, fixed=-1) at psy.c:630

#1  0x0000000001f95430 in \_vp\_noisemask (p=0x32aa820, logmdct=0x32e5010, logmask=0x32f7ed0) at psy.c:705
#2  0x0000000001facac9 in mapping0\_forward (vb=0x329cfb0) at mapping0.c:417
#3  0x0000000001f92c9e in vorbis\_analysis (vb=0x329cfb0, op=0x0) at analysis.c:46
#4  0x0000000000bc2725 in libvorbis\_encode\_frame (avctx=0x329ca00, avpkt=0x32ab540, frame=0x32e4400, got\_packet\_ptr=0x7fffffffdbf4) at libavcodec/libvorbisenc.c:311
#5  0x00000000009e5717 in avcodec\_encode\_audio2 (avctx=0x329ca00, avpkt=0x32ab540, frame=0x32e4400, got\_packet\_ptr=0x7fffffffdbf4)at libavcodec/encode.c:198
#6  0x00000000009e62d8 in do\_encode (avctx=0x329ca00, frame=0x32e4400, got\_packet=0x7fffffffdbf4) at libavcodec/encode.c:375

#7  0x00000000009e6224 in avcodec\_send\_frame (avctx=0x329ca00, frame=0x32e4400) at libavcodec/encode.c:421
#8  0x0000000000438ef5 in do\_audio\_out (of=0x3299560, ost=0x329c7a0, frame=0x32e4400) at ffmpeg.c:921
#9  0x0000000000436c5b in reap\_filters (flush=0) at ffmpeg.c:1515
#10 0x000000000042dc30 in transcode\_step () at ffmpeg.c:4553
#11 0x000000000042bc49 in transcode () at ffmpeg.c:4597
#12 0x000000000042b092 in main (argc=5, argv=0x7fffffffe678) at ffmpeg.c:4803

(gdb) l
625
626         lo = b\[i\] >> 16;
627         hi = b\[i\] & 0xffff;
628         if(hi>=n)break;
629
630         tN = N\[hi\] - N\[lo\];
631         tX = X\[hi\] - X\[lo\];
632         tXX = XX\[hi\] - XX\[lo\];
633         tY = Y\[hi\] - Y\[lo\];
634         tXY = XY\[hi\] - XY\[lo\];
(gdb) p hi
$4 = 0
(gdb) p lo
$5 = 49656                                                                 // !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
(gdb) p i
$6 = 259

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.

![Powered by Openwall GNU/*/Linux](http://openwall.com/Owl/artwork/buttons/80x15/Owl-80x15-4.png) ![Powered by OpenVZ](http://openwall.com/images/OpenVZ-80x15-cd.png)

Tag

#google