Lines 58-63
58 |
* Do not forget port variants (linux-f10-libxml2, libxml2, etc.) |
58 |
* Do not forget port variants (linux-f10-libxml2, libxml2, etc.) |
59 |
--> |
59 |
--> |
60 |
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1"> |
60 |
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1"> |
|
|
61 |
<vuln vid="39270593-ce8f-11e9-86f3-f8b156ac3ff9"> |
62 |
<topic>FreeBSD -- Reference count overflow in mqueue filesystem 32-bit compat</topic> |
63 |
<affects> |
64 |
<package> |
65 |
<name>FreeBSD-kernel</name> |
66 |
<range><ge>12.0</ge><lt>12.0_10</lt></range> |
67 |
<range><ge>11.3</ge><lt>11.3_3</lt></range> |
68 |
<range><ge>11.2</ge><lt>11.2_14</lt></range> |
69 |
</package> |
70 |
</affects> |
71 |
<description> |
72 |
<body xmlns="http://www.w3.org/1999/xhtml"> |
73 |
<h1>Problem Description:</h1> |
74 |
<p>System calls operating on file descriptors obtain a reference to |
75 |
relevant struct file which due to a programming error was not always |
76 |
put back, which in turn could be used to overflow the counter of |
77 |
affected struct file.</p> |
78 |
<h1>Impact:</h1> |
79 |
<p>A local user can use this flaw to obtain access to files, |
80 |
directories, sockets, etc., opened by processes owned by other users. |
81 |
If obtained struct file represents a directory from outside of user's |
82 |
jail, it can be used to access files outside of the jail. If the |
83 |
user in question is a jailed root they can obtain root privileges on |
84 |
the host system.</p> |
85 |
</body> |
86 |
</description> |
87 |
<references> |
88 |
<cvename>CVE-2019-5603</cvename> |
89 |
<freebsdsa>SA-19:24.mqueuefs</freebsdsa> |
90 |
</references> |
91 |
<dates> |
92 |
<discovery>2019-08-20</discovery> |
93 |
<entry>2019-09-03</entry> |
94 |
</dates> |
95 |
</vuln> |
96 |
|
97 |
<vuln vid="2a5a2fa7-ce8f-11e9-86f3-f8b156ac3ff9"> |
98 |
<topic>FreeBSD -- kernel memory disclosure from /dev/midistat</topic> |
99 |
<affects> |
100 |
<package> |
101 |
<name>FreeBSD-kernel</name> |
102 |
<range><ge>12.0</ge><lt>12.0_10</lt></range> |
103 |
<range><ge>11.3</ge><lt>11.3_3</lt></range> |
104 |
<range><ge>11.2</ge><lt>11.2_14</lt></range> |
105 |
</package> |
106 |
</affects> |
107 |
<description> |
108 |
<body xmlns="http://www.w3.org/1999/xhtml"> |
109 |
<h1>Problem Description:</h1> |
110 |
<p>The kernel driver for /dev/midistat implements a handler for read(2). |
111 |
This handler is not thread-safe, and a multi-threaded program can |
112 |
exploit races in the handler to cause it to copy out kernel memory |
113 |
outside the boundaries of midistat's data buffer.</p> |
114 |
<h1>Impact:</h1> |
115 |
<p>The races allow a program to read kernel memory within a 4GB window |
116 |
centered at midistat's data buffer. The buffer is allocated each |
117 |
time the device is opened, so an attacker is not limited to a static |
118 |
4GB region of memory.</p> |
119 |
<p>On 32-bit platforms, an attempt to trigger the race may |
120 |
cause a page fault in kernel mode, leading to a panic.</p> |
121 |
</body> |
122 |
</description> |
123 |
<references> |
124 |
<cvename>CVE-2019-5612</cvename> |
125 |
<freebsdsa>SA-19:23.midi</freebsdsa> |
126 |
</references> |
127 |
<dates> |
128 |
<discovery>2019-08-20</discovery> |
129 |
<entry>2019-09-03</entry> |
130 |
</dates> |
131 |
</vuln> |
132 |
|
133 |
<vuln vid="1be14d59-ce8f-11e9-86f3-f8b156ac3ff9"> |
134 |
<topic>FreeBSD -- IPv6 remote Denial-of-Service</topic> |
135 |
<affects> |
136 |
<package> |
137 |
<name>FreeBSD-kernel</name> |
138 |
<range><ge>12.0</ge><lt>12.0_10</lt></range> |
139 |
<range><ge>11.3</ge><lt>11.3_3</lt></range> |
140 |
<range><ge>11.2</ge><lt>11.2_14</lt></range> |
141 |
</package> |
142 |
</affects> |
143 |
<description> |
144 |
<body xmlns="http://www.w3.org/1999/xhtml"> |
145 |
<h1>Problem Description:</h1> |
146 |
<p>Due do a missing check in the code of m_pulldown(9) data returned may |
147 |
not be contiguous as requested by the caller.</p> |
148 |
<h1>Impact:</h1> |
149 |
<p>Extra checks in the IPv6 code catch the error condition and trigger a |
150 |
kernel panic leading to a remote DoS (denial-of-service) attack with |
151 |
certain Ethernet interfaces. At this point it is unknown if any |
152 |
other than the IPv6 code paths can trigger a similar condition.</p> |
153 |
</body> |
154 |
</description> |
155 |
<references> |
156 |
<cvename>CVE-2019-5611</cvename> |
157 |
<freebsdsa>SA-19:22.mbuf</freebsdsa> |
158 |
</references> |
159 |
<dates> |
160 |
<discovery>2019-08-20</discovery> |
161 |
<entry>2019-09-03</entry> |
162 |
</dates> |
163 |
</vuln> |
164 |
|
165 |
<vuln vid="0cc30281-ce8f-11e9-86f3-f8b156ac3ff9"> |
166 |
<topic>FreeBSD -- Insufficient validation of guest-supplied data (e1000 device)</topic> |
167 |
<affects> |
168 |
<package> |
169 |
<name>FreeBSD</name> |
170 |
<range><ge>12.0</ge><lt>12.0_9</lt></range> |
171 |
<range><ge>11.3</ge><lt>11.3_2</lt></range> |
172 |
<range><ge>11.2</ge><lt>11.2_13</lt></range> |
173 |
</package> |
174 |
</affects> |
175 |
<description> |
176 |
<body xmlns="http://www.w3.org/1999/xhtml"> |
177 |
<h1>Problem Description:</h1> |
178 |
<p>The e1000 network adapters permit a variety of modifications to an |
179 |
Ethernet packet when it is being transmitted. These include the |
180 |
insertion of IP and TCP checksums, insertion of an Ethernet VLAN |
181 |
header, and TCP segmentation offload ("TSO"). The e1000 device model |
182 |
uses an on-stack buffer to generate the modified packet header when |
183 |
simulating these modifications on transmitted packets.</p> |
184 |
<p>When TCP segmentation offload is requested for a |
185 |
transmitted packet, the e1000 device model used a |
186 |
guest-provided value to determine the size of the on-stack |
187 |
buffer without validation. The subsequent header generation |
188 |
could overflow an incorrectly sized buffer or indirect a |
189 |
pointer composed of stack garbage.</p> |
190 |
<h1>Impact:</h1> |
191 |
<p>A misbehaving bhyve guest could overwrite memory in the bhyve process |
192 |
on the host.</p> |
193 |
</body> |
194 |
</description> |
195 |
<references> |
196 |
<cvename>CVE-2019-5609</cvename> |
197 |
<freebsdsa>SA-19:21.bhyve</freebsdsa> |
198 |
</references> |
199 |
<dates> |
200 |
<discovery>2019-08-06</discovery> |
201 |
<entry>2019-09-03</entry> |
202 |
</dates> |
203 |
</vuln> |
204 |
|
205 |
<vuln vid="1e267a9a-ce71-11e9-86f3-f8b156ac3ff9"> |
206 |
<topic>FreeBSD -- Insufficient message length validation in bsnmp library</topic> |
207 |
<affects> |
208 |
<package> |
209 |
<name>FreeBSD</name> |
210 |
<range><ge>12.0</ge><lt>12.0_9</lt></range> |
211 |
<range><ge>11.3</ge><lt>11.3_2</lt></range> |
212 |
<range><ge>11.2</ge><lt>11.2_13</lt></range> |
213 |
</package> |
214 |
</affects> |
215 |
<description> |
216 |
<body xmlns="http://www.w3.org/1999/xhtml"> |
217 |
<h1>Problem Description:</h1> |
218 |
<p>A function extracting the length from type-length-value encoding is |
219 |
not properly validating the submitted length.</p> |
220 |
<h1>Impact:</h1> |
221 |
<p>A remote user could cause, for example, an out-of-bounds read, |
222 |
decoding of unrelated data, or trigger a crash of the software such |
223 |
as bsnmpd resulting in a denial of service.</p> |
224 |
</body> |
225 |
</description> |
226 |
<references> |
227 |
<cvename>CVE-2019-5610</cvename> |
228 |
<freebsdsa>SA-19:20.bsnmp</freebsdsa> |
229 |
</references> |
230 |
<dates> |
231 |
<discovery>2019-08-06</discovery> |
232 |
<entry>2019-09-03</entry> |
233 |
</dates> |
234 |
</vuln> |
235 |
|
236 |
<vuln vid="14aed964-ce71-11e9-86f3-f8b156ac3ff9"> |
237 |
<topic>FreeBSD -- ICMPv6 / MLDv2 out-of-bounds memory access</topic> |
238 |
<affects> |
239 |
<package> |
240 |
<name>FreeBSD-kernel</name> |
241 |
<range><ge>12.0</ge><lt>12.0_9</lt></range> |
242 |
<range><ge>11.3</ge><lt>11.3_2</lt></range> |
243 |
<range><ge>11.2</ge><lt>11.2_13</lt></range> |
244 |
</package> |
245 |
</affects> |
246 |
<description> |
247 |
<body xmlns="http://www.w3.org/1999/xhtml"> |
248 |
<h1>Problem Description:</h1> |
249 |
<p>The ICMPv6 input path incorrectly handles cases where an MLDv2 |
250 |
listener query packet is internally fragmented across multiple mbufs.</p> |
251 |
<h1>Impact:</h1> |
252 |
<p>A remote attacker may be able to cause an out-of-bounds read or write |
253 |
that may cause the kernel to attempt to access an unmapped page and |
254 |
subsequently panic.</p> |
255 |
</body> |
256 |
</description> |
257 |
<references> |
258 |
<cvename>CVE-2019-5608</cvename> |
259 |
<freebsdsa>SA-19:19.mldv2</freebsdsa> |
260 |
</references> |
261 |
<dates> |
262 |
<discovery>2019-08-06</discovery> |
263 |
<entry>2019-09-03</entry> |
264 |
</dates> |
265 |
</vuln> |
266 |
|
267 |
<vuln vid="c5df0c4c-ce6e-11e9-86f3-f8b156ac3ff9"> |
268 |
<topic>FreeBSD -- Multiple vulnerabilities in bzip2</topic> |
269 |
<affects> |
270 |
<package> |
271 |
<name>FreeBSD</name> |
272 |
<range><ge>12.0</ge><lt>12.0_9</lt></range> |
273 |
<range><ge>11.3</ge><lt>11.3_2</lt></range> |
274 |
<range><ge>11.2</ge><lt>11.2_13</lt></range> |
275 |
</package> |
276 |
</affects> |
277 |
<description> |
278 |
<body xmlns="http://www.w3.org/1999/xhtml"> |
279 |
<h1>Problem Description:</h1> |
280 |
<p>The decompressor used in bzip2 contains a bug which can lead to an |
281 |
out-of-bounds write when processing a specially crafted bzip2(1) |
282 |
file.</p> |
283 |
<p>bzip2recover contains a heap use-after-free bug which can |
284 |
be triggered when processing a specially crafted bzip2(1) |
285 |
file.</p> |
286 |
<h1>Impact:</h1> |
287 |
<p>An attacker who can cause maliciously crafted input to be processed |
288 |
may trigger either of these bugs. The bzip2recover bug may cause a |
289 |
crash, permitting a denial-of-service. The bzip2 decompressor bug |
290 |
could potentially be exploited to execute arbitrary code.</p> |
291 |
<p>Note that some utilities, including the tar(1) archiver |
292 |
and the bspatch(1) binary patching utility (used in |
293 |
portsnap(8) and freebsd-update(8)) decompress |
294 |
bzip2(1)-compressed data internally; system administrators |
295 |
should assume that their systems will at some point |
296 |
decompress bzip2(1)-compressed data even if they never |
297 |
explicitly invoke the bunzip2(1) utility.</p> |
298 |
</body> |
299 |
</description> |
300 |
<references> |
301 |
<cvename>CVE-2016-3189</cvename> |
302 |
<cvename>CVE-2019-12900</cvename> |
303 |
<freebsdsa>SA-19:18.bzip2</freebsdsa> |
304 |
</references> |
305 |
<dates> |
306 |
<discovery>2019-08-06</discovery> |
307 |
<entry>2019-09-03</entry> |
308 |
</dates> |
309 |
</vuln> |
310 |
|
61 |
<vuln vid="05463e0a-abd3-4fa4-bd5f-cd5ed132d4c6"> |
311 |
<vuln vid="05463e0a-abd3-4fa4-bd5f-cd5ed132d4c6"> |
62 |
<topic>mozilla -- multiple vulnerabilities</topic> |
312 |
<topic>mozilla -- multiple vulnerabilities</topic> |
63 |
<affects> |
313 |
<affects> |
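Review bot: The description in the SA-19:22.mbuf entry (vid 1be14d59-ce8f-11e9-86f3-f8b156ac3ff9) has a typo at new line 146: "Due do a missing check in the code of m_pulldown(9)" should read "Due to a missing check". Two smaller points in the same hunk. The SA-19:18.bzip2 entry lists CVE-2016-3189 next to CVE-2019-12900 but carries a single <discovery> of 2019-08-06; a CVE numbered in 2016 was known before that date, so either use the earlier date for <discovery> or confirm that the field is meant to track the advisory date here. The SA-19:24.mqueuefs entry's <topic> names the mqueue filesystem 32-bit compat path, but its Problem Description speaks only of "system calls operating on file descriptors"; one sentence tying the leaked struct file reference to that path would let readers match the entry to the topic.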