GNU

org-babel-execute:latex in ob-latex.el in Org Mode through 9.6.1 for GNU Emacs allows attackers to execute arbitrary commands via a file name or directory name

CVE-2023-28617 9.8 - Critical - March 19, 2023

org-babel-execute:latex in ob-latex.el in Org Mode through 9.6.1 for GNU Emacs allows attackers to execute arbitrary commands via a file name or directory name that contains shell metacharacters.

Shell injection

emacsclient-mail.desktop in Emacs 28.1 through 28.2 is vulnerable to shell command injections through a crafted mailto: URI

CVE-2023-27985 7.8 - High - March 09, 2023

emacsclient-mail.desktop in Emacs 28.1 through 28.2 is vulnerable to shell command injections through a crafted mailto: URI. This is related to lack of compliance with the Desktop Entry Specification.

Shell injection

emacsclient-mail.desktop in Emacs 28.1 through 28.2 is vulnerable to Emacs Lisp code injections through a crafted mailto: URI with unescaped double-quote characters.

CVE-2023-27986 7.8 - High - March 09, 2023

emacsclient-mail.desktop in Emacs 28.1 through 28.2 is vulnerable to Emacs Lisp code injections through a crafted mailto: URI with unescaped double-quote characters.

Code Injection

A heap-based buffer overflow vulnerability exits in GNU LibreDWG v0.12.5

CVE-2023-25222 8.8 - High - March 01, 2023

A heap-based buffer overflow vulnerability exits in GNU LibreDWG v0.12.5 via the bit_read_RC function at bits.c.

Memory Corruption

GNU libmicrohttpd before 0.9.76

CVE-2023-27371 5.9 - Medium - February 28, 2023

GNU libmicrohttpd before 0.9.76 allows remote DoS (Denial of Service) due to improper parsing of a multipart/form-data boundary in the postprocessor.c MHD_create_post_processor() method. This allows an attacker to remotely send a malicious HTTP POST packet that includes one or more '\0' bytes in a multipart/form-data boundary field, which - assuming a specific heap layout - will result in an out-of-bounds read and a crash in the find_boundary() function.

Out-of-bounds Read

An issue was discovered in GNU Emacs through 28.2

CVE-2022-48339 7.8 - High - February 20, 2023

An issue was discovered in GNU Emacs through 28.2. htmlfontify.el has a command injection vulnerability. In the hfy-istext-command function, the parameter file and parameter srcdir come from external input, and parameters are not escaped. If a file name or directory name contains shell metacharacters, code may be executed.

Command Injection

GNU Emacs through 28.2

CVE-2022-48337 9.8 - Critical - February 20, 2023

GNU Emacs through 28.2 allows attackers to execute commands via shell metacharacters in the name of a source-code file, because lib-src/etags.c uses the system C library function in its implementation of the etags program. For example, a victim may use the "etags -u *" command (suggested in the etags documentation) in a situation where the current working directory has contents that depend on untrusted input.

Command Injection

An issue was discovered in GNU Emacs through 28.2

CVE-2022-48338 7.3 - High - February 20, 2023

An issue was discovered in GNU Emacs through 28.2. In ruby-mode.el, the ruby-find-library-file function has a local command injection vulnerability. The ruby-find-library-file function is an interactive function, and bound to C-c C-f. Inside the function, the external command gem is called through shell-command-to-string, but the feature-name parameters are not escaped. Thus, malicious Ruby source files may cause commands to be executed.

Command Injection

A timing side-channel in the handling of RSA ClientKeyExchange messages was discovered in GnuTLS

CVE-2023-0361 7.5 - High - February 15, 2023

A timing side-channel in the handling of RSA ClientKeyExchange messages was discovered in GnuTLS. This side-channel can be sufficient to recover the key encrypted in the RSA ciphertext across a network in a Bleichenbacher style attack. To achieve a successful decryption the attacker would need to send a large amount of specially crafted messages to the vulnerable server. By recovering the secret from the ClientKeyExchange message, the attacker would be able to decrypt the application data exchanged over that connection.

Side Channel Attack

In GNU Less before 609, crafted data

CVE-2022-46663 7.5 - High - February 07, 2023

In GNU Less before 609, crafted data can result in "less -R" not filtering ANSI escape sequences sent to the terminal.

** DISPUTED ** A vulnerability was found in GNU C Library 2.38

CVE-2023-0687 9.8 - Critical - February 06, 2023

** DISPUTED ** A vulnerability was found in GNU C Library 2.38. It has been declared as critical. This vulnerability affects the function __monstartup of the file gmon.c of the component Call Graph Monitor. The manipulation leads to buffer overflow. It is recommended to apply a patch to fix this issue. VDB-220246 is the identifier assigned to this vulnerability. NOTE: The real existence of this vulnerability is still doubted at the moment. The inputs that induce this vulnerability are basically addresses of the running application that is built with gmon enabled. It's basically trusted input or input that needs an actual security flaw to be compromised or controlled.

Classic Buffer Overflow

sprintf in the GNU C Library (glibc) 2.37 has a buffer overflow (out-of-bounds write) in some situations with a correct buffer size

CVE-2023-25139 9.8 - Critical - February 03, 2023

sprintf in the GNU C Library (glibc) 2.37 has a buffer overflow (out-of-bounds write) in some situations with a correct buffer size. This is unrelated to CWE-676. It may write beyond the bounds of the destination buffer when attempting to write a padded, thousands-separated string representation of a number, if the buffer is allocated the exact size required to represent that number as a string. For example, 1,234,567 (with padding to 13) overflows by two bytes.

Memory Corruption

GNU Tar through 1.34 has a one-byte out-of-bounds read that results in use of uninitialized memory for a conditional jump

CVE-2022-48303 7.8 - High - January 30, 2023

GNU Tar through 1.34 has a one-byte out-of-bounds read that results in use of uninitialized memory for a conditional jump. Exploitation to change the flow of control has not been demonstrated. The issue occurs in from_header in list.c via a V7 archive in which mtime has approximately 11 whitespace characters.

Out-of-bounds Read

An illegal memory access flaw was found in the binutils package

CVE-2022-4285 5.5 - Medium - January 27, 2023

An illegal memory access flaw was found in the binutils package. Parsing an ELF file containing corrupt symbol version information may result in a denial of service. This issue is the result of an incomplete fix for CVE-2020-16599.

NULL Pointer Dereference

A flaw was found in the bash package, where a heap-buffer overflow can occur in valid parameter_transform

CVE-2022-3715 7.8 - High - January 05, 2023

A flaw was found in the bash package, where a heap-buffer overflow can occur in valid parameter_transform. This issue may lead to memory problems.

Memory Corruption

When rendering certain unicode sequences

CVE-2022-3775 7.1 - High - December 19, 2022

When rendering certain unicode sequences, grub2's font code doesn't proper validate if the informed glyph's width and height is constrained within bitmap size. As consequence an attacker can craft an input which will lead to a out-of-bounds write into grub2's heap, leading to memory corruption and availability issues. Although complex, arbitrary code execution could not be discarded.

Memory Corruption

A buffer overflow was found in grub_font_construct_glyph()

CVE-2022-2601 8.6 - High - December 14, 2022

A buffer overflow was found in grub_font_construct_glyph(). A malicious crafted pf2 font can lead to an overflow when calculating the max_glyph_size value, allocating a smaller than needed buffer for the glyph, this further leads to a buffer overflow and a heap based out-of-bounds write. An attacker may use this vulnerability to circumvent the secure boot mechanism.

Memory Corruption

LibreDWG v0.12.4.4643 was discovered to contain a heap buffer overflow

CVE-2022-45332 7.8 - High - November 30, 2022

LibreDWG v0.12.4.4643 was discovered to contain a heap buffer overflow via the function decode_preR13_section_hdr at decode_r11.c.

Memory Corruption

GNU Emacs through 28.2

CVE-2022-45939 7.8 - High - November 28, 2022

GNU Emacs through 28.2 allows attackers to execute commands via shell metacharacters in the name of a source-code file, because lib-src/etags.c uses the system C library function in its implementation of the ctags program. For example, a victim may use the "ctags *" command (suggested in the ctags documentation) in a situation where the current working directory has contents that depend on untrusted input.

Shell injection

GNU Libtasn1 before 4.19.0 has an ETYPE_OK off-by-one array size check

CVE-2021-46848 9.1 - Critical - October 24, 2022

GNU Libtasn1 before 4.19.0 has an ETYPE_OK off-by-one array size check that affects asn1_encode_simple_der.

Out-of-bounds Read

GNU oSIP v5.3.0 was discovered to contain an integer overflow

CVE-2022-41550 6.5 - Medium - October 11, 2022

GNU oSIP v5.3.0 was discovered to contain an integer overflow via the component osip_body_parse_header.

Integer Overflow or Wraparound

A heap-based buffer overflow flaw was found in the Fribidi package and affects the fribidi_cap_rtl_to_unicode() function of the fribidi-char-sets-cap-rtl.c file

CVE-2022-25309 5.5 - Medium - September 06, 2022

A heap-based buffer overflow flaw was found in the Fribidi package and affects the fribidi_cap_rtl_to_unicode() function of the fribidi-char-sets-cap-rtl.c file. This flaw allows an attacker to pass a specially crafted file to the Fribidi application with the '--caprtl' option, leading to a crash and causing a denial of service.

Heap-based Buffer Overflow

A segmentation fault (SEGV) flaw was found in the Fribidi package and affects the fribidi_remove_bidi_marks() function of the lib/fribidi.c file

CVE-2022-25310 5.5 - Medium - September 06, 2022

A segmentation fault (SEGV) flaw was found in the Fribidi package and affects the fribidi_remove_bidi_marks() function of the lib/fribidi.c file. This flaw allows an attacker to pass a specially crafted file to Fribidi, leading to a crash and causing a denial of service.

Buffer Overflow

A stack-based buffer overflow flaw was found in the Fribidi package

CVE-2022-25308 7.8 - High - September 06, 2022

A stack-based buffer overflow flaw was found in the Fribidi package. This flaw allows an attacker to pass a specially crafted file to the Fribidi application, which leads to a possible memory leak or a denial of service.

Stack Overflow

An issue was discovered in PSPP 1.6.2

CVE-2022-39831 7.8 - High - September 05, 2022

An issue was discovered in PSPP 1.6.2. There is a heap-based buffer overflow at the function read_bytes_internal in utilities/pspp-dump-sav.c, which allows attackers to cause a denial of service (application crash) or possibly have unspecified other impact. This issue is different from CVE-2018-20230.

Memory Corruption

An issue was discovered in PSPP 1.6.2

CVE-2022-39832 7.8 - High - September 05, 2022

An issue was discovered in PSPP 1.6.2. There is a heap-based buffer overflow at the function read_string in utilities/pspp-dump-sav.c, which allows attackers to cause a denial of service (application crash) or possibly have unspecified other impact.

Memory Corruption

Heap/stack buffer overflow in the dlang_lname function in d-demangle.c in libiberty

CVE-2021-3826 7.5 - High - September 01, 2022

Heap/stack buffer overflow in the dlang_lname function in d-demangle.c in libiberty allows attackers to potentially cause a denial of service (segmentation fault and crash) via a crafted mangled symbol.

Buffer Overflow

An arbitrary file write vulnerability was found in GNU gzip's zgrep utility

CVE-2022-1271 8.8 - High - August 31, 2022

An arbitrary file write vulnerability was found in GNU gzip's zgrep utility. When zgrep is applied on the attacker's chosen file name (for example, a crafted file name), this can overwrite an attacker's content to an arbitrary attacker-selected file. This flaw occurs due to insufficient validation when processing filenames with two or more newlines where selected content and the target file names are embedded in crafted multi-line file names. This flaw allows a remote, low privileged attacker to force zgrep to write arbitrary files on the system.

Improper Input Validation

An issue was discovered in the GNU C Library (glibc) 2.36

CVE-2022-39046 5.3 - Medium - August 31, 2022

An issue was discovered in the GNU C Library (glibc) 2.36. When the syslog function is passed a crafted input string larger than 1024 bytes, it reads uninitialized memory from the heap and prints it to the target log file, potentially revealing a portion of the contents of the heap.

Insertion of Sensitive Information into Log File

telnetd in GNU Inetutils through 2.3, MIT krb5-appl through 1.0.3, and derivative works has a NULL pointer dereference

CVE-2022-39028 7.5 - High - August 30, 2022

telnetd in GNU Inetutils through 2.3, MIT krb5-appl through 1.0.3, and derivative works has a NULL pointer dereference via 0xff 0xf7 or 0xff 0xf8. In a typical installation, the telnetd application would crash but the telnet service would remain available through inetd. However, if the telnetd application has many crashes within a short time interval, the telnet service would become unavailable after inetd logs a "telnet/tcp server failing (looping), service terminated" error. NOTE: MIT krb5-appl is not supported upstream but is shipped by a few Linux distributions. The affected code was removed from the supported MIT Kerberos 5 (aka krb5) product many years ago, at version 1.8.

NULL Pointer Dereference

In GNU Binutils before 2.40, there is a heap-buffer-overflow in the error function bfd_getl32 when called from the strip_main function in strip-new

CVE-2022-38533 5.5 - Medium - August 26, 2022

In GNU Binutils before 2.40, there is a heap-buffer-overflow in the error function bfd_getl32 when called from the strip_main function in strip-new via a crafted file.

Memory Corruption

A flaw was found in glibc

CVE-2021-3998 7.5 - High - August 24, 2022

A flaw was found in glibc. The realpath() function can mistakenly return an unexpected value, potentially leading to information leakage and disclosure of sensitive data.

Out-of-bounds Read

A flaw was found in glibc

CVE-2021-3999 7.8 - High - August 24, 2022

A flaw was found in glibc. An off-by-one buffer overflow and underflow in getcwd() may lead to memory corruption when the size of the buffer is exactly 1. A local attacker who can control the input buffer and size passed to getcwd() in a setuid program could use this flaw to potentially execute arbitrary code and escalate their privileges on the system.

off-by-five

A NULL pointer dereference flaw was found in GnuTLS

CVE-2021-4209 6.5 - Medium - August 24, 2022

A NULL pointer dereference flaw was found in GnuTLS. As Nettle's hash update functions internally call memcpy, providing zero-length input may cause undefined behavior. This flaw leads to a denial of service after authentication in rare circumstances.

NULL Pointer Dereference

LibreDWG v0.12.4.4608 & commit f2dea29 was discovered to contain a heap use-after-free

CVE-2022-35164 9.8 - Critical - August 18, 2022

LibreDWG v0.12.4.4608 & commit f2dea29 was discovered to contain a heap use-after-free via bit_copy_chain.

Dangling pointer

A vulnerability found in gnutls

CVE-2022-2509 7.5 - High - August 01, 2022

A vulnerability found in gnutls. This security flaw happens because of a double free error occurs during verification of pkcs7 signatures in gnutls_pkcs7_verify function.

Double-free

GNU SASL libgsasl server-side read-out-of-bounds with malicious authenticated GSS-API client

CVE-2022-2469 8.1 - High - July 19, 2022

GNU SASL libgsasl server-side read-out-of-bounds with malicious authenticated GSS-API client

Out-of-bounds Read

A crafted 16-bit grayscale PNG image may lead to a out-of-bounds write in the heap area

CVE-2021-3695 4.5 - Medium - July 06, 2022

A crafted 16-bit grayscale PNG image may lead to a out-of-bounds write in the heap area. An attacker may take advantage of that to cause heap data corruption or eventually arbitrary code execution and circumvent secure boot protections. This issue has a high complexity to be exploited as an attacker needs to perform some triage over the heap layout to achieve signifcant results, also the values written into the memory are repeated three times in a row making difficult to produce valid payloads. This flaw affects grub2 versions prior grub-2.12.

Memory Corruption

A heap out-of-bounds write may heppen during the handling of Huffman tables in the PNG reader

CVE-2021-3696 4.5 - Medium - July 06, 2022

A heap out-of-bounds write may heppen during the handling of Huffman tables in the PNG reader. This may lead to data corruption in the heap space. Confidentiality, Integrity and Availablity impact may be considered Low as it's very complex to an attacker control the encoding and positioning of corrupted Huffman entries to achieve results such as arbitrary code execution and/or secure boot circumvention. This flaw affects grub2 versions prior grub-2.12.

Memory Corruption

A crafted JPEG image may lead the JPEG reader to underflow its data pointer, allowing user-controlled data to be written in heap

CVE-2021-3697 7 - High - July 06, 2022

A crafted JPEG image may lead the JPEG reader to underflow its data pointer, allowing user-controlled data to be written in heap. To a successful to be performed the attacker needs to perform some triage over the heap layout and craft an image with a malicious format and payload. This vulnerability can lead to data corruption and eventual code execution or secure boot circumvention. This flaw affects grub2 versions prior grub-2.12.

Memory Corruption

There is an Assertion `int decode_preR13_entities(BITCODE_RL

CVE-2022-33024 7.5 - High - June 23, 2022

There is an Assertion `int decode_preR13_entities(BITCODE_RL, BITCODE_RL, unsigned int, BITCODE_RL, BITCODE_RL, Bit_Chain *, Dwg_Data *' failed at dwg2dxf: decode.c:5801 in libredwg v0.12.4.4608.

assertion failure

LibreDWG v0.12.4.4608 was discovered to contain a heap-use-after-free

CVE-2022-33025 7.8 - High - June 23, 2022

LibreDWG v0.12.4.4608 was discovered to contain a heap-use-after-free via the function decode_preR13_section at decode_r11.c.

Dangling pointer

LibreDWG v0.12.4.4608 was discovered to contain a heap buffer overflow

CVE-2022-33026 7.8 - High - June 23, 2022

LibreDWG v0.12.4.4608 was discovered to contain a heap buffer overflow via the function bit_calc_CRC at bits.c.

Memory Corruption

LibreDWG v0.12.4.4608 was discovered to contain a heap-use-after-free

CVE-2022-33027 7.8 - High - June 23, 2022

LibreDWG v0.12.4.4608 was discovered to contain a heap-use-after-free via the function dwg_add_handleref at dwg.c.

Dangling pointer

LibreDWG v0.12.4.4608 was discovered to contain a heap buffer overflow

CVE-2022-33028 7.8 - High - June 23, 2022

LibreDWG v0.12.4.4608 was discovered to contain a heap buffer overflow via the function dwg_add_object at decode.c.

Memory Corruption

LibreDWG v0.12.4.4608 was discovered to contain a heap-buffer-overflow

CVE-2022-33032 7.8 - High - June 23, 2022

LibreDWG v0.12.4.4608 was discovered to contain a heap-buffer-overflow via the function decode_preR13_section_hdr at decode_r11.c.

Memory Corruption

LibreDWG v0.12.4.4608 was discovered to contain a double-free

CVE-2022-33033 7.8 - High - June 23, 2022

LibreDWG v0.12.4.4608 was discovered to contain a double-free via the function dwg_read_file at dwg.c.

Double-free

LibreDWG v0.12.4.4608 was discovered to contain a stack overflow

CVE-2022-33034 7.8 - High - June 23, 2022

LibreDWG v0.12.4.4608 was discovered to contain a stack overflow via the function copy_bytes at decode_r2007.c.

Memory Corruption

A heap buffer overflow was discovered in copy_compressed_bytes in decode_r2007.c in dwgread before 0.12.4

CVE-2021-42585 8.8 - High - May 23, 2022

A heap buffer overflow was discovered in copy_compressed_bytes in decode_r2007.c in dwgread before 0.12.4 via a crafted dwg file.

Memory Corruption

A heap buffer overflow was discovered in copy_bytes in decode_r2007.c in dwgread before 0.12.4

CVE-2021-42586 8.8 - High - May 23, 2022

A heap buffer overflow was discovered in copy_bytes in decode_r2007.c in dwgread before 0.12.4 via a crafted dwg file.

Memory Corruption

ncurses 6.3 before patch 20220416 has an out-of-bounds read and segmentation violation in convert_strings in tinfo/read_entry.c in the terminfo library.

CVE-2022-29458 7.1 - High - April 18, 2022

ncurses 6.3 before patch 20220416 has an out-of-bounds read and segmentation violation in convert_strings in tinfo/read_entry.c in the terminfo library.

Out-of-bounds Read

libiberty/rust-demangle.c in GNU GCC 11.2

CVE-2022-27943 5.5 - Medium - March 26, 2022

libiberty/rust-demangle.c in GNU GCC 11.2 allows stack consumption in demangle_const, as demonstrated by nm-new.

Resource Exhaustion

A flaw in grub2 was found where its configuration file, known as grub.cfg, is being created with the wrong permission set

CVE-2021-3981 3.3 - Low - March 10, 2022

A flaw in grub2 was found where its configuration file, known as grub.cfg, is being created with the wrong permission set allowing non privileged users to read its content. This represents a low severity confidentiality issue, as those users can eventually read any encrypted passwords present in grub.cfg. This flaw affects grub2 2.06 and previous versions. This issue has been fixed in grub upstream but no version with the fix is currently released.

Incorrect Default Permissions

An untrusted pointer dereference in rec_db_destroy() at rec-db.c of GNU Recutils v1.8.90

CVE-2021-46019 5.5 - Medium - January 14, 2022

An untrusted pointer dereference in rec_db_destroy() at rec-db.c of GNU Recutils v1.8.90 can lead to a segmentation fault or application crash.

NULL Pointer Dereference

GCC v12.0 was discovered to contain an uncontrolled recursion via the component libiberty/rust-demangle.c

CVE-2021-46195 5.5 - Medium - January 14, 2022

GCC v12.0 was discovered to contain an uncontrolled recursion via the component libiberty/rust-demangle.c. This vulnerability allows attackers to cause a Denial of Service (DoS) by consuming excessive CPU and memory resources.

Stack Exhaustion

An Use-After-Free vulnerability in rec_record_destroy() at rec-record.c of GNU Recutils v1.8.90

CVE-2021-46021 5.5 - Medium - January 14, 2022

An Use-After-Free vulnerability in rec_record_destroy() at rec-record.c of GNU Recutils v1.8.90 can lead to a segmentation fault or application crash.

Dangling pointer

An Use-After-Free vulnerability in rec_mset_elem_destroy() at rec-mset.c of GNU Recutils v1.8.90

CVE-2021-46022 5.5 - Medium - January 14, 2022

An Use-After-Free vulnerability in rec_mset_elem_destroy() at rec-mset.c of GNU Recutils v1.8.90 can lead to a segmentation fault or application crash.

Dangling pointer

The deprecated compatibility function clnt_create in the sunrpc module of the GNU C Library (aka glibc) through 2.34 copies its hostname argument on the stack without validating its length

CVE-2022-23219 9.8 - Critical - January 14, 2022

The deprecated compatibility function clnt_create in the sunrpc module of the GNU C Library (aka glibc) through 2.34 copies its hostname argument on the stack without validating its length, which may result in a buffer overflow, potentially resulting in a denial of service or (if an application is not built with a stack protector enabled) arbitrary code execution.

Classic Buffer Overflow

The deprecated compatibility function svcunix_create in the sunrpc module of the GNU C Library (aka glibc) through 2.34 copies its path argument on the stack without validating its length

CVE-2022-23218 9.8 - Critical - January 14, 2022

The deprecated compatibility function svcunix_create in the sunrpc module of the GNU C Library (aka glibc) through 2.34 copies its path argument on the stack without validating its length, which may result in a buffer overflow, potentially resulting in a denial of service or (if an application is not built with a stack protector enabled) arbitrary code execution.

Classic Buffer Overflow

LibreDWG 0.12.4.4313 through 0.12.4.4367 has an out-of-bounds write in dwg_free_BLOCK_private (called

CVE-2021-45950 6.5 - Medium - January 01, 2022

LibreDWG 0.12.4.4313 through 0.12.4.4367 has an out-of-bounds write in dwg_free_BLOCK_private (called from dwg_free_BLOCK and dwg_free_object).

Memory Corruption

An Invalid Pointer vulnerability exists in GNU patch 2.7

CVE-2021-45261 5.5 - Medium - December 22, 2021

An Invalid Pointer vulnerability exists in GNU patch 2.7 via the another_hunk function, which causes a Denial of Service.

Release of Invalid Pointer or Reference

stab_xcoff_builtin_type in stabs.c in GNU Binutils through 2.37

CVE-2021-45078 7.8 - High - December 15, 2021

stab_xcoff_builtin_type in stabs.c in GNU Binutils through 2.37 allows attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact, as demonstrated by an out-of-bounds write. NOTE: this issue exists because of an incorrect fix for CVE-2018-12699.

Memory Corruption

LibreDWG v0.12.3 was discovered to contain a NULL pointer dereference

CVE-2021-28236 7.5 - High - December 02, 2021

LibreDWG v0.12.3 was discovered to contain a NULL pointer dereference via out_dxfb.c.

NULL Pointer Dereference

LibreDWG v0.12.3 was discovered to contain a heap-buffer overflow

CVE-2021-28237 9.8 - Critical - December 02, 2021

LibreDWG v0.12.3 was discovered to contain a heap-buffer overflow via decode_preR13.

Memory Corruption

In GNU Mailman before 2.1.38, a list member or moderator can get a CSRF token and craft an admin request (using

CVE-2021-44227 8.8 - High - December 02, 2021

In GNU Mailman before 2.1.38, a list member or moderator can get a CSRF token and craft an admin request (using that token) to set a new admin password or make other changes.

Session Riding

GCC c++filt v2.26 was discovered to contain a use-after-free vulnerability

CVE-2021-37322 7.8 - High - November 18, 2021

GCC c++filt v2.26 was discovered to contain a use-after-free vulnerability via the component cplus-dem.c.

Dangling pointer

In GNU Mailman before 2.1.36, a crafted URL to the Cgi/options.py user options page

CVE-2021-43331 6.1 - Medium - November 12, 2021

In GNU Mailman before 2.1.36, a crafted URL to the Cgi/options.py user options page can execute arbitrary JavaScript for XSS.

XSS

In GNU Mailman before 2.1.36, the CSRF token for the Cgi/admindb.py admindb page contains an encrypted version of the list admin password

CVE-2021-43332 6.5 - Medium - November 12, 2021

In GNU Mailman before 2.1.36, the CSRF token for the Cgi/admindb.py admindb page contains an encrypted version of the list admin password. This could potentially be cracked by a moderator via an offline brute-force attack.

Insufficiently Protected Credentials

An issue was discovered in GNU Hurd before 0.9 20210404-9

CVE-2021-43411 7.5 - High - November 07, 2021

An issue was discovered in GNU Hurd before 0.9 20210404-9. When trying to exec a setuid executable, there's a window of time when the process already has the new privileges, but still refers to the old task and is accessible through the old process port. This can be exploited to get full root access.

Race Condition

An issue was discovered in GNU Hurd before 0.9 20210404-9

CVE-2021-43412 7.8 - High - November 07, 2021

An issue was discovered in GNU Hurd before 0.9 20210404-9. libports accepts fake notification messages from any client on any port, which can lead to port use-after-free. This can be exploited for local privilege escalation to get full root access.

Dangling pointer

An issue was discovered in GNU Hurd before 0.9 20210404-9

CVE-2021-43413 8.8 - High - November 07, 2021

An issue was discovered in GNU Hurd before 0.9 20210404-9. A single pager port is shared among everyone who mmaps a file, allowing anyone to modify any files that they can read. This can be trivially exploited to get full root access.

An issue was discovered in GNU Hurd before 0.9 20210404-9

CVE-2021-43414 7 - High - November 07, 2021

An issue was discovered in GNU Hurd before 0.9 20210404-9. The use of an authentication protocol in the proc server is vulnerable to man-in-the-middle attacks, which can be exploited for local privilege escalation to get full root access.

AuthZ

** DISPUTED ** In iconvdata/iso-2022-jp-3.c in the GNU C Library (aka glibc) 2.34, remote attackers can force iconv() to emit a spurious '\0' character via crafted ISO-2022-JP-3 data

CVE-2021-43396 7.5 - High - November 04, 2021

** DISPUTED ** In iconvdata/iso-2022-jp-3.c in the GNU C Library (aka glibc) 2.34, remote attackers can force iconv() to emit a spurious '\0' character via crafted ISO-2022-JP-3 data that is accompanied by an internal state reset. This may affect data integrity in certain iconv() use cases. NOTE: the vendor states "the bug cannot be invoked through user input and requires iconv to be invoked with a NULL inbuf, which ought to require a separate application bug to do so unintentionally. Hence there's no security impact to the bug."

GNU Mailman before 2.1.35 may allow remote Privilege Escalation

CVE-2021-42096 4.3 - Medium - October 21, 2021

GNU Mailman before 2.1.35 may allow remote Privilege Escalation. A certain csrf_token value is derived from the admin password, and may be useful in conducting a brute-force attack against that password.

Improper Restriction of Excessive Authentication Attempts

GNU Mailman before 2.1.35 may allow remote Privilege Escalation

CVE-2021-42097 8 - High - October 21, 2021

GNU Mailman before 2.1.35 may allow remote Privilege Escalation. A csrf_token value is not specific to a single user account. An attacker can obtain a value within the context of an unprivileged user account, and then use that value in a CSRF attack against an admin (e.g., for account takeover).

Session Riding

An issue was discovered in libredwg through v0.10.1.3751

CVE-2021-39523 6.5 - Medium - September 20, 2021

An issue was discovered in libredwg through v0.10.1.3751. A NULL pointer dereference exists in the function check_POLYLINE_handles() located in decode.c. It allows an attacker to cause Denial of Service.

NULL Pointer Dereference

An issue was discovered in libredwg through v0.10.1.3751

CVE-2021-39530 8.8 - High - September 20, 2021

An issue was discovered in libredwg through v0.10.1.3751. bit_wcs2nlen() in bits.c has a heap-based buffer overflow.

Memory Corruption

An issue was discovered in ncurses through v6.2-1

CVE-2021-39537 8.8 - High - September 20, 2021

An issue was discovered in ncurses through v6.2-1. _nc_captoinfo in captoinfo.c has a heap-based buffer overflow.

Memory Corruption

An issue was discovered in libredwg through v0.10.1.3751

CVE-2021-39527 8.8 - High - September 20, 2021

An issue was discovered in libredwg through v0.10.1.3751. appinfo_private() in decode.c has a heap-based buffer overflow.

Memory Corruption

An issue was discovered in libredwg through v0.10.1.3751

CVE-2021-39525 8.8 - High - September 20, 2021

An issue was discovered in libredwg through v0.10.1.3751. bit_read_fixed() in bits.c has a heap-based buffer overflow.

Memory Corruption

An issue was discovered in libredwg through v0.10.1.3751

CVE-2021-39521 6.5 - Medium - September 20, 2021

An issue was discovered in libredwg through v0.10.1.3751. A NULL pointer dereference exists in the function bit_read_BB() located in bits.c. It allows an attacker to cause Denial of Service.

NULL Pointer Dereference

An issue was discovered in libredwg through v0.10.1.3751

CVE-2021-39522 8.8 - High - September 20, 2021

An issue was discovered in libredwg through v0.10.1.3751. bit_wcs2len() in bits.c has a heap-based buffer overflow.

Memory Corruption

An issue was discovered in libredwg through v0.10.1.3751

CVE-2021-39528 8.8 - High - September 20, 2021

An issue was discovered in libredwg through v0.10.1.3751. dwg_free_MATERIAL_private() in dwg.spec has a double free.

Double-free

The ftp client in GNU Inetutils before 2.2 does not validate addresses returned by PASV/LSPV responses to make sure they match the server address

CVE-2021-40491 6.5 - Medium - September 03, 2021

The ftp client in GNU Inetutils before 2.2 does not validate addresses returned by PASV/LSPV responses to make sure they match the server address. This is similar to CVE-2020-8284 for curl.

Insufficient Verification of Data Authenticity

In librt in the GNU C Library (aka glibc) through 2.34

CVE-2021-38604 7.5 - High - August 12, 2021

In librt in the GNU C Library (aka glibc) through 2.34, sysdeps/unix/sysv/linux/mq_notify.c mishandles certain NOTIFY_REMOVED data, leading to a NULL pointer dereference. NOTE: this vulnerability was introduced as a side effect of the CVE-2021-33574 fix.

NULL Pointer Dereference

GNU cpio through 2.13 allows attackers to execute arbitrary code via a crafted pattern file, because of a dstring.c ds_fgetstr integer overflow

CVE-2021-38185 7.8 - High - August 08, 2021

GNU cpio through 2.13 allows attackers to execute arbitrary code via a crafted pattern file, because of a dstring.c ds_fgetstr integer overflow that triggers an out-of-bounds heap write. NOTE: it is unclear whether there are common cases where the pattern file, associated with the -E option, is untrusted data.

Integer Overflow or Wraparound

The wordexp function in the GNU C Library (aka glibc) through 2.33 may crash or read arbitrary memory in parse_param (in posix/wordexp.c) when called with an untrusted

CVE-2021-35942 9.1 - Critical - July 22, 2021

The wordexp function in the GNU C Library (aka glibc) through 2.33 may crash or read arbitrary memory in parse_param (in posix/wordexp.c) when called with an untrusted, crafted pattern, potentially resulting in a denial of service or disclosure of information. This occurs because atoi was used but strtoul should have been used to ensure correct calculations.

Integer Overflow or Wraparound

objstack in GNU Aspell 0.60.8 has a heap-based buffer overflow in acommon::ObjStack::dup_top (called

CVE-2019-25051 7.8 - High - July 20, 2021

objstack in GNU Aspell 0.60.8 has a heap-based buffer overflow in acommon::ObjStack::dup_top (called from acommon::StringMap::add and acommon::Config::lookup_list).

Memory Corruption

GNU LibreDWG 0.12.3.4163 through 0.12.3.4191 has a double-free in bit_chain_free (called

CVE-2021-36080 8.8 - High - July 01, 2021

GNU LibreDWG 0.12.3.4163 through 0.12.3.4191 has a double-free in bit_chain_free (called from dwg_encode_MTEXT and dwg_encode_add_object).

Double-free

A flaw was discovered in GNU libiberty within demangle_path() in rust-demangle.c, as distributed in GNU Binutils version 2.36

CVE-2021-3530 7.5 - High - June 02, 2021

A flaw was discovered in GNU libiberty within demangle_path() in rust-demangle.c, as distributed in GNU Binutils version 2.36. A crafted symbol can cause stack memory to be exhausted leading to a crash.

Stack Exhaustion

A NULL-pointer deference issue was discovered in GNU_gama::set() in ellipsoid.h in Gama 2.04 which can lead to a denial of service (DOS)

CVE-2020-18395 7.5 - High - May 28, 2021

A NULL-pointer deference issue was discovered in GNU_gama::set() in ellipsoid.h in Gama 2.04 which can lead to a denial of service (DOS) via segment faults caused by crafted inputs.

NULL Pointer Dereference

An out of bounds flaw was found in GNU binutils objdump utility version 2.36

CVE-2021-3549 7.1 - High - May 26, 2021

An out of bounds flaw was found in GNU binutils objdump utility version 2.36. An attacker could use this flaw and pass a large section to avr_elf32_load_records_from_section() probably resulting in a crash or in some cases memory corruption. The highest threat from this vulnerability is to integrity as well as system availability.

Memory Corruption

The mq_notify function in the GNU C Library (aka glibc) versions 2.32 and 2.33 has a use-after-free

CVE-2021-33574 9.8 - Critical - May 25, 2021

The mq_notify function in the GNU C Library (aka glibc) versions 2.32 and 2.33 has a use-after-free. It may use the notification thread attributes object (passed through its struct sigevent parameter) after it has been freed by the caller, leading to a denial of service (application crash) or possibly unspecified other impact.

Dangling pointer

A heap-based buffer overflow vulnerability exists in LibreDWG 0.10.1

CVE-2020-23861 5.5 - Medium - May 18, 2021

A heap-based buffer overflow vulnerability exists in LibreDWG 0.10.1 via the read_system_page function at libredwg-0.10.1/src/decode_r2007.c:666:5, which causes a denial of service by submitting a dwg file.

Memory Corruption

Use-after-Free vulnerability in cflow 1.6 in the void call(char *name, int line) function at src/parser.c, which could cause a denial of service

CVE-2020-23856 5.5 - Medium - May 18, 2021

Use-after-Free vulnerability in cflow 1.6 in the void call(char *name, int line) function at src/parser.c, which could cause a denial of service via the pointer variable caller->callee.

Dangling pointer

A heap based buffer overflow vulnerability exists in GNU LibreDWG 0.10 via read_2004_section_revhistory

CVE-2020-21842 8.8 - High - May 17, 2021

A heap based buffer overflow vulnerability exists in GNU LibreDWG 0.10 via read_2004_section_revhistory ../../src/decode.c:3051.

Memory Corruption

A heap based buffer overflow vulnerability exits in GNU LibreDWG 0.10 via bit_read_RC

CVE-2020-21843 8.8 - High - May 17, 2021

A heap based buffer overflow vulnerability exits in GNU LibreDWG 0.10 via bit_read_RC ../../src/bits.c:318.

Memory Corruption

A heap based buffer overflow vulnerability exists in GNU LibreDWG 0.10 via read_2004_section_handles

CVE-2020-21831 8.8 - High - May 17, 2021

A heap based buffer overflow vulnerability exists in GNU LibreDWG 0.10 via read_2004_section_handles ../../src/decode.c:2637.

Memory Corruption

GNU LibreDWG 0.10 is affected by: memcpy-param-overlap

CVE-2020-21844 8.8 - High - May 17, 2021

GNU LibreDWG 0.10 is affected by: memcpy-param-overlap. The impact is: execute arbitrary code (remote). The component is: read_2004_section_header ../../src/decode.c:2580.

A heap based buffer overflow vulnerability exits in GNU LibreDWG 0.10 via bit_read_B

CVE-2020-21841 8.8 - High - May 17, 2021

A heap based buffer overflow vulnerability exits in GNU LibreDWG 0.10 via bit_read_B ../../src/bits.c:135.

Memory Corruption