GNU

A heap buffer overflow was discovered in copy_compressed_bytes in decode_r2007.c in dwgread before 0.12.4

CVE-2021-42585 8.8 - High - May 23, 2022

A heap buffer overflow was discovered in copy_compressed_bytes in decode_r2007.c in dwgread before 0.12.4 via a crafted dwg file.

Memory Corruption

A heap buffer overflow was discovered in copy_bytes in decode_r2007.c in dwgread before 0.12.4

CVE-2021-42586 8.8 - High - May 23, 2022

A heap buffer overflow was discovered in copy_bytes in decode_r2007.c in dwgread before 0.12.4 via a crafted dwg file.

Memory Corruption

ncurses 6.3 before patch 20220416 has an out-of-bounds read and segmentation violation in convert_strings in tinfo/read_entry.c in the terminfo library.

CVE-2022-29458 7.1 - High - April 18, 2022

ncurses 6.3 before patch 20220416 has an out-of-bounds read and segmentation violation in convert_strings in tinfo/read_entry.c in the terminfo library.

Out-of-bounds Read

libiberty/rust-demangle.c in GNU GCC 11.2

CVE-2022-27943 5.5 - Medium - March 26, 2022

libiberty/rust-demangle.c in GNU GCC 11.2 allows stack consumption in demangle_const, as demonstrated by nm-new.

Resource Exhaustion

A flaw in grub2 was found where its configuration file, known as grub.cfg, is being created with the wrong permission set

CVE-2021-3981 3.3 - Low - March 10, 2022

A flaw in grub2 was found where its configuration file, known as grub.cfg, is being created with the wrong permission set allowing non privileged users to read its content. This represents a low severity confidentiality issue, as those users can eventually read any encrypted passwords present in grub.cfg. This flaw affects grub2 2.06 and previous versions. This issue has been fixed in grub upstream but no version with the fix is currently released.

Incorrect Default Permissions

An untrusted pointer dereference in rec_db_destroy() at rec-db.c of GNU Recutils v1.8.90

CVE-2021-46019 5.5 - Medium - January 14, 2022

An untrusted pointer dereference in rec_db_destroy() at rec-db.c of GNU Recutils v1.8.90 can lead to a segmentation fault or application crash.

NULL Pointer Dereference

GCC v12.0 was discovered to contain an uncontrolled recursion via the component libiberty/rust-demangle.c

CVE-2021-46195 5.5 - Medium - January 14, 2022

GCC v12.0 was discovered to contain an uncontrolled recursion via the component libiberty/rust-demangle.c. This vulnerability allows attackers to cause a Denial of Service (DoS) by consuming excessive CPU and memory resources.

Stack Exhaustion

An Use-After-Free vulnerability in rec_record_destroy() at rec-record.c of GNU Recutils v1.8.90

CVE-2021-46021 5.5 - Medium - January 14, 2022

An Use-After-Free vulnerability in rec_record_destroy() at rec-record.c of GNU Recutils v1.8.90 can lead to a segmentation fault or application crash.

Dangling pointer

An Use-After-Free vulnerability in rec_mset_elem_destroy() at rec-mset.c of GNU Recutils v1.8.90

CVE-2021-46022 5.5 - Medium - January 14, 2022

An Use-After-Free vulnerability in rec_mset_elem_destroy() at rec-mset.c of GNU Recutils v1.8.90 can lead to a segmentation fault or application crash.

Dangling pointer

The deprecated compatibility function clnt_create in the sunrpc module of the GNU C Library (aka glibc) through 2.34 copies its hostname argument on the stack without validating its length

CVE-2022-23219 9.8 - Critical - January 14, 2022

The deprecated compatibility function clnt_create in the sunrpc module of the GNU C Library (aka glibc) through 2.34 copies its hostname argument on the stack without validating its length, which may result in a buffer overflow, potentially resulting in a denial of service or (if an application is not built with a stack protector enabled) arbitrary code execution.

Classic Buffer Overflow

The deprecated compatibility function svcunix_create in the sunrpc module of the GNU C Library (aka glibc) through 2.34 copies its path argument on the stack without validating its length

CVE-2022-23218 9.8 - Critical - January 14, 2022

The deprecated compatibility function svcunix_create in the sunrpc module of the GNU C Library (aka glibc) through 2.34 copies its path argument on the stack without validating its length, which may result in a buffer overflow, potentially resulting in a denial of service or (if an application is not built with a stack protector enabled) arbitrary code execution.

Classic Buffer Overflow

LibreDWG 0.12.4.4313 through 0.12.4.4367 has an out-of-bounds write in dwg_free_BLOCK_private (called

CVE-2021-45950 6.5 - Medium - January 01, 2022

LibreDWG 0.12.4.4313 through 0.12.4.4367 has an out-of-bounds write in dwg_free_BLOCK_private (called from dwg_free_BLOCK and dwg_free_object).

Memory Corruption

An Invalid Pointer vulnerability exists in GNU patch 2.7

CVE-2021-45261 5.5 - Medium - December 22, 2021

An Invalid Pointer vulnerability exists in GNU patch 2.7 via the another_hunk function, which causes a Denial of Service.

Release of Invalid Pointer or Reference

stab_xcoff_builtin_type in stabs.c in GNU Binutils through 2.37

CVE-2021-45078 7.8 - High - December 15, 2021

stab_xcoff_builtin_type in stabs.c in GNU Binutils through 2.37 allows attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact, as demonstrated by an out-of-bounds write. NOTE: this issue exists because of an incorrect fix for CVE-2018-12699.

Memory Corruption

LibreDWG v0.12.3 was discovered to contain a NULL pointer dereference

CVE-2021-28236 7.5 - High - December 02, 2021

LibreDWG v0.12.3 was discovered to contain a NULL pointer dereference via out_dxfb.c.

NULL Pointer Dereference

LibreDWG v0.12.3 was discovered to contain a heap-buffer overflow

CVE-2021-28237 9.8 - Critical - December 02, 2021

LibreDWG v0.12.3 was discovered to contain a heap-buffer overflow via decode_preR13.

Memory Corruption

In GNU Mailman before 2.1.38, a list member or moderator can get a CSRF token and craft an admin request (using

CVE-2021-44227 8.8 - High - December 02, 2021

In GNU Mailman before 2.1.38, a list member or moderator can get a CSRF token and craft an admin request (using that token) to set a new admin password or make other changes.

Session Riding

GCC c++filt v2.26 was discovered to contain a use-after-free vulnerability

CVE-2021-37322 7.8 - High - November 18, 2021

GCC c++filt v2.26 was discovered to contain a use-after-free vulnerability via the component cplus-dem.c.

Dangling pointer

In GNU Mailman before 2.1.36, a crafted URL to the Cgi/options.py user options page

CVE-2021-43331 6.1 - Medium - November 12, 2021

In GNU Mailman before 2.1.36, a crafted URL to the Cgi/options.py user options page can execute arbitrary JavaScript for XSS.

XSS

In GNU Mailman before 2.1.36, the CSRF token for the Cgi/admindb.py admindb page contains an encrypted version of the list admin password

CVE-2021-43332 6.5 - Medium - November 12, 2021

In GNU Mailman before 2.1.36, the CSRF token for the Cgi/admindb.py admindb page contains an encrypted version of the list admin password. This could potentially be cracked by a moderator via an offline brute-force attack.

Improper Restriction of Excessive Authentication Attempts

An issue was discovered in GNU Hurd before 0.9 20210404-9

CVE-2021-43411 7.5 - High - November 07, 2021

An issue was discovered in GNU Hurd before 0.9 20210404-9. When trying to exec a setuid executable, there's a window of time when the process already has the new privileges, but still refers to the old task and is accessible through the old process port. This can be exploited to get full root access.

AuthZ

An issue was discovered in GNU Hurd before 0.9 20210404-9

CVE-2021-43412 7.8 - High - November 07, 2021

An issue was discovered in GNU Hurd before 0.9 20210404-9. libports accepts fake notification messages from any client on any port, which can lead to port use-after-free. This can be exploited for local privilege escalation to get full root access.

Dangling pointer

An issue was discovered in GNU Hurd before 0.9 20210404-9

CVE-2021-43413 8.8 - High - November 07, 2021

An issue was discovered in GNU Hurd before 0.9 20210404-9. A single pager port is shared among everyone who mmaps a file, allowing anyone to modify any files that they can read. This can be trivially exploited to get full root access.

An issue was discovered in GNU Hurd before 0.9 20210404-9

CVE-2021-43414 7 - High - November 07, 2021

An issue was discovered in GNU Hurd before 0.9 20210404-9. The use of an authentication protocol in the proc server is vulnerable to man-in-the-middle attacks, which can be exploited for local privilege escalation to get full root access.

AuthZ

** DISPUTED ** In iconvdata/iso-2022-jp-3.c in the GNU C Library (aka glibc) 2.34, remote attackers can force iconv() to emit a spurious '\0' character via crafted ISO-2022-JP-3 data

CVE-2021-43396 7.5 - High - November 04, 2021

** DISPUTED ** In iconvdata/iso-2022-jp-3.c in the GNU C Library (aka glibc) 2.34, remote attackers can force iconv() to emit a spurious '\0' character via crafted ISO-2022-JP-3 data that is accompanied by an internal state reset. This may affect data integrity in certain iconv() use cases. NOTE: the vendor states "the bug cannot be invoked through user input and requires iconv to be invoked with a NULL inbuf, which ought to require a separate application bug to do so unintentionally. Hence there's no security impact to the bug."

GNU Mailman before 2.1.35 may allow remote Privilege Escalation

CVE-2021-42096 4.3 - Medium - October 21, 2021

GNU Mailman before 2.1.35 may allow remote Privilege Escalation. A certain csrf_token value is derived from the admin password, and may be useful in conducting a brute-force attack against that password.

Improper Restriction of Excessive Authentication Attempts

GNU Mailman before 2.1.35 may allow remote Privilege Escalation

CVE-2021-42097 8 - High - October 21, 2021

GNU Mailman before 2.1.35 may allow remote Privilege Escalation. A csrf_token value is not specific to a single user account. An attacker can obtain a value within the context of an unprivileged user account, and then use that value in a CSRF attack against an admin (e.g., for account takeover).

Session Riding

An issue was discovered in ncurses through v6.2-1

CVE-2021-39537 8.8 - High - September 20, 2021

An issue was discovered in ncurses through v6.2-1. _nc_captoinfo in captoinfo.c has a heap-based buffer overflow.

Memory Corruption

An issue was discovered in libredwg through v0.10.1.3751

CVE-2021-39521 6.5 - Medium - September 20, 2021

An issue was discovered in libredwg through v0.10.1.3751. A NULL pointer dereference exists in the function bit_read_BB() located in bits.c. It allows an attacker to cause Denial of Service.

NULL Pointer Dereference

An issue was discovered in libredwg through v0.10.1.3751

CVE-2021-39522 8.8 - High - September 20, 2021

An issue was discovered in libredwg through v0.10.1.3751. bit_wcs2len() in bits.c has a heap-based buffer overflow.

Memory Corruption

An issue was discovered in libredwg through v0.10.1.3751

CVE-2021-39523 6.5 - Medium - September 20, 2021

An issue was discovered in libredwg through v0.10.1.3751. A NULL pointer dereference exists in the function check_POLYLINE_handles() located in decode.c. It allows an attacker to cause Denial of Service.

NULL Pointer Dereference

An issue was discovered in libredwg through v0.10.1.3751

CVE-2021-39525 8.8 - High - September 20, 2021

An issue was discovered in libredwg through v0.10.1.3751. bit_read_fixed() in bits.c has a heap-based buffer overflow.

Memory Corruption

An issue was discovered in libredwg through v0.10.1.3751

CVE-2021-39527 8.8 - High - September 20, 2021

An issue was discovered in libredwg through v0.10.1.3751. appinfo_private() in decode.c has a heap-based buffer overflow.

Memory Corruption

An issue was discovered in libredwg through v0.10.1.3751

CVE-2021-39528 8.8 - High - September 20, 2021

An issue was discovered in libredwg through v0.10.1.3751. dwg_free_MATERIAL_private() in dwg.spec has a double free.

Double-free

An issue was discovered in libredwg through v0.10.1.3751

CVE-2021-39530 8.8 - High - September 20, 2021

An issue was discovered in libredwg through v0.10.1.3751. bit_wcs2nlen() in bits.c has a heap-based buffer overflow.

Memory Corruption

The ftp client in GNU Inetutils before 2.2 does not validate addresses returned by PASV/LSPV responses to make sure they match the server address

CVE-2021-40491 6.5 - Medium - September 03, 2021

The ftp client in GNU Inetutils before 2.2 does not validate addresses returned by PASV/LSPV responses to make sure they match the server address. This is similar to CVE-2020-8284 for curl.

Insufficient Verification of Data Authenticity

In librt in the GNU C Library (aka glibc) through 2.34

CVE-2021-38604 7.5 - High - August 12, 2021

In librt in the GNU C Library (aka glibc) through 2.34, sysdeps/unix/sysv/linux/mq_notify.c mishandles certain NOTIFY_REMOVED data, leading to a NULL pointer dereference. NOTE: this vulnerability was introduced as a side effect of the CVE-2021-33574 fix.

NULL Pointer Dereference

GNU cpio through 2.13 allows attackers to execute arbitrary code via a crafted pattern file, because of a dstring.c ds_fgetstr integer overflow

CVE-2021-38185 7.8 - High - August 08, 2021

GNU cpio through 2.13 allows attackers to execute arbitrary code via a crafted pattern file, because of a dstring.c ds_fgetstr integer overflow that triggers an out-of-bounds heap write. NOTE: it is unclear whether there are common cases where the pattern file, associated with the -E option, is untrusted data.

Integer Overflow or Wraparound

The wordexp function in the GNU C Library (aka glibc) through 2.33 may crash or read arbitrary memory in parse_param (in posix/wordexp.c) when called with an untrusted

CVE-2021-35942 9.1 - Critical - July 22, 2021

The wordexp function in the GNU C Library (aka glibc) through 2.33 may crash or read arbitrary memory in parse_param (in posix/wordexp.c) when called with an untrusted, crafted pattern, potentially resulting in a denial of service or disclosure of information. This occurs because atoi was used but strtoul should have been used to ensure correct calculations.

Integer Overflow or Wraparound

objstack in GNU Aspell 0.60.8 has a heap-based buffer overflow in acommon::ObjStack::dup_top (called

CVE-2019-25051 7.8 - High - July 20, 2021

objstack in GNU Aspell 0.60.8 has a heap-based buffer overflow in acommon::ObjStack::dup_top (called from acommon::StringMap::add and acommon::Config::lookup_list).

Memory Corruption

GNU LibreDWG 0.12.3.4163 through 0.12.3.4191 has a double-free in bit_chain_free (called

CVE-2021-36080 8.8 - High - July 01, 2021

GNU LibreDWG 0.12.3.4163 through 0.12.3.4191 has a double-free in bit_chain_free (called from dwg_encode_MTEXT and dwg_encode_add_object).

Double-free

A flaw was discovered in GNU libiberty within demangle_path() in rust-demangle.c, as distributed in GNU Binutils version 2.36

CVE-2021-3530 7.5 - High - June 02, 2021

A flaw was discovered in GNU libiberty within demangle_path() in rust-demangle.c, as distributed in GNU Binutils version 2.36. A crafted symbol can cause stack memory to be exhausted leading to a crash.

Stack Exhaustion

A NULL-pointer deference issue was discovered in GNU_gama::set() in ellipsoid.h in Gama 2.04 which can lead to a denial of service (DOS)

CVE-2020-18395 7.5 - High - May 28, 2021

A NULL-pointer deference issue was discovered in GNU_gama::set() in ellipsoid.h in Gama 2.04 which can lead to a denial of service (DOS) via segment faults caused by crafted inputs.

NULL Pointer Dereference

An out of bounds flaw was found in GNU binutils objdump utility version 2.36

CVE-2021-3549 7.1 - High - May 26, 2021

An out of bounds flaw was found in GNU binutils objdump utility version 2.36. An attacker could use this flaw and pass a large section to avr_elf32_load_records_from_section() probably resulting in a crash or in some cases memory corruption. The highest threat from this vulnerability is to integrity as well as system availability.

Buffer Overflow

The mq_notify function in the GNU C Library (aka glibc) versions 2.32 and 2.33 has a use-after-free

CVE-2021-33574 9.8 - Critical - May 25, 2021

The mq_notify function in the GNU C Library (aka glibc) versions 2.32 and 2.33 has a use-after-free. It may use the notification thread attributes object (passed through its struct sigevent parameter) after it has been freed by the caller, leading to a denial of service (application crash) or possibly unspecified other impact.

Dangling pointer

A heap-based buffer overflow vulnerability exists in LibreDWG 0.10.1

CVE-2020-23861 5.5 - Medium - May 18, 2021

A heap-based buffer overflow vulnerability exists in LibreDWG 0.10.1 via the read_system_page function at libredwg-0.10.1/src/decode_r2007.c:666:5, which causes a denial of service by submitting a dwg file.

Memory Corruption

Use-after-Free vulnerability in cflow 1.6 in the void call(char *name, int line) function at src/parser.c, which could cause a denial of service

CVE-2020-23856 5.5 - Medium - May 18, 2021

Use-after-Free vulnerability in cflow 1.6 in the void call(char *name, int line) function at src/parser.c, which could cause a denial of service via the pointer variable caller->callee.

Dangling pointer

A heap based buffer overflow vulnerability exits in GNU LibreDWG 0.10 via bit_read_RC

CVE-2020-21843 8.8 - High - May 17, 2021

A heap based buffer overflow vulnerability exits in GNU LibreDWG 0.10 via bit_read_RC ../../src/bits.c:318.

Memory Corruption

A heap based buffer overflow vulnerability exists in GNU LibreDWG 0.10 via read_2004_section_revhistory

CVE-2020-21842 8.8 - High - May 17, 2021

A heap based buffer overflow vulnerability exists in GNU LibreDWG 0.10 via read_2004_section_revhistory ../../src/decode.c:3051.

Memory Corruption

GNU LibreDWG 0.10 is affected by: memcpy-param-overlap

CVE-2020-21844 8.8 - High - May 17, 2021

GNU LibreDWG 0.10 is affected by: memcpy-param-overlap. The impact is: execute arbitrary code (remote). The component is: read_2004_section_header ../../src/decode.c:2580.

A heap based buffer overflow vulnerability exists in GNU LibreDWG 0.10 via read_2004_section_handles

CVE-2020-21831 8.8 - High - May 17, 2021

A heap based buffer overflow vulnerability exists in GNU LibreDWG 0.10 via read_2004_section_handles ../../src/decode.c:2637.

Memory Corruption

A heap based buffer overflow vulneraibility exists in GNU LibreDWG 0.10 via bit_calc_CRC

CVE-2020-21830 8.8 - High - May 17, 2021

A heap based buffer overflow vulneraibility exists in GNU LibreDWG 0.10 via bit_calc_CRC ../../src/bits.c:2213.

Memory Corruption

A heap based buffer overflow vulnerability exits in GNU LibreDWG 0.10 via bit_read_B

CVE-2020-21841 8.8 - High - May 17, 2021

A heap based buffer overflow vulnerability exits in GNU LibreDWG 0.10 via bit_read_B ../../src/bits.c:135.

Memory Corruption

A heap based buffer overflow vulnerability exits in GNU LibreDWG 0.10 via bit_search_sentinel

CVE-2020-21840 8.8 - High - May 17, 2021

A heap based buffer overflow vulnerability exits in GNU LibreDWG 0.10 via bit_search_sentinel ../../src/bits.c:1985.

Memory Corruption

An issue was discovered in GNU LibreDWG 0.10

CVE-2020-21839 6.5 - Medium - May 17, 2021

An issue was discovered in GNU LibreDWG 0.10. Crafted input will lead to an memory leak in dwg_decode_eed ../../src/decode.c:3638.

Improper Resource Shutdown or Release

A heap based buffer overflow vulnerability exits in GNU LibreDWG 0.10 via: read_2004_section_appinfo

CVE-2020-21838 8.8 - High - May 17, 2021

A heap based buffer overflow vulnerability exits in GNU LibreDWG 0.10 via: read_2004_section_appinfo ../../src/decode.c:2842.

Memory Corruption

A heap based buffer overflow vulnerability exists in GNU LibreDWG 0.10 via read_2004_section_preview

CVE-2020-21836 8.8 - High - May 17, 2021

A heap based buffer overflow vulnerability exists in GNU LibreDWG 0.10 via read_2004_section_preview ../../src/decode.c:3175.

Memory Corruption

A null pointer deference issue exists in GNU LibreDWG 0.10 via read_2004_compressed_section

CVE-2020-21835 6.5 - Medium - May 17, 2021

A null pointer deference issue exists in GNU LibreDWG 0.10 via read_2004_compressed_section ../../src/decode.c:2337.

NULL Pointer Dereference

A null pointer deference issue exists in GNU LibreDWG 0.10 via get_bmp

CVE-2020-21834 6.5 - Medium - May 17, 2021

A null pointer deference issue exists in GNU LibreDWG 0.10 via get_bmp ../../programs/dwgbmp.c:164.

Memory Corruption

A heap based buffer overflow vulnerability exits in GNU LibreDWG 0.10 via: read_2004_section_classes

CVE-2020-21833 8.8 - High - May 17, 2021

A heap based buffer overflow vulnerability exits in GNU LibreDWG 0.10 via: read_2004_section_classes ../../src/decode.c:2440.

Memory Corruption

A heap based buffer overflow vulnerability exists in GNU LibreDWG 0.10 via read_2004_compressed_section

CVE-2020-21832 8.8 - High - May 17, 2021

A heap based buffer overflow vulnerability exists in GNU LibreDWG 0.10 via read_2004_compressed_section ../../src/decode.c:2417.

Memory Corruption

A heap based buffer overflow vulnerability exists in GNU LibreDWG 0.10 via read_2004_compressed_section

CVE-2020-21827 7.8 - High - May 17, 2021

A heap based buffer overflow vulnerability exists in GNU LibreDWG 0.10 via read_2004_compressed_section ../../src/decode.c:2379.

Memory Corruption

A heap based buffer overflow vulnerability exists in GNU LibreDWG 0.10.2641via htmlescape

CVE-2020-21819 8.8 - High - May 17, 2021

A heap based buffer overflow vulnerability exists in GNU LibreDWG 0.10.2641via htmlescape ../../programs/escape.c:51.

Memory Corruption

A heap based buffer overflow vulnerability exists in GNU LibreDWG 0.10.2641 via htmlescape

CVE-2020-21818 8.8 - High - May 17, 2021

A heap based buffer overflow vulnerability exists in GNU LibreDWG 0.10.2641 via htmlescape ../../programs/escape.c:48.

Memory Corruption

A null pointer dereference issue exists in GNU LibreDWG 0.10.2641 via htmlescape

CVE-2020-21817 6.5 - Medium - May 17, 2021

A null pointer dereference issue exists in GNU LibreDWG 0.10.2641 via htmlescape ../../programs/escape.c:29. which causes a denial of service (application crash).

NULL Pointer Dereference

A heab based buffer overflow issue exists in GNU LibreDWG 0.10.2641 via htmlescape

CVE-2020-21816 8.8 - High - May 17, 2021

A heab based buffer overflow issue exists in GNU LibreDWG 0.10.2641 via htmlescape ../../programs/escape.c:46.

Memory Corruption

A null pointer deference issue exists in GNU LibreDWG 0.10.2641 via output_TEXT

CVE-2020-21815 6.5 - Medium - May 17, 2021

A null pointer deference issue exists in GNU LibreDWG 0.10.2641 via output_TEXT ../../programs/dwg2SVG.c:114, which causes a denial of service (application crash).

NULL Pointer Dereference

A heap based buffer overflow issue exists in GNU LibreDWG 0.10.2641 via htmlwescape

CVE-2020-21814 8.8 - High - May 17, 2021

A heap based buffer overflow issue exists in GNU LibreDWG 0.10.2641 via htmlwescape ../../programs/escape.c:97.

Memory Corruption

A heap based buffer overflow issue exists in GNU LibreDWG 0.10.2641 via output_TEXT

CVE-2020-21813 7.8 - High - May 17, 2021

A heap based buffer overflow issue exists in GNU LibreDWG 0.10.2641 via output_TEXT ../../programs/dwg2SVG.c:114.

Memory Corruption

A flaw was found in binutils readelf 2.35 program

CVE-2021-20294 7.8 - High - April 29, 2021

A flaw was found in binutils readelf 2.35 program. An attacker who is able to convince a victim using readelf to read a crafted file could trigger a stack buffer overflow, out-of-bounds write of arbitrary data supplied by the attacker. The highest impact of this flaw is to confidentiality, integrity, and availability.

Memory Corruption

GNU Wget through 1.21.1 does not omit the Authorization header upon a redirect to a different origin

CVE-2021-31879 6.1 - Medium - April 29, 2021

GNU Wget through 1.21.1 does not omit the Authorization header upon a redirect to a different origin, a related issue to CVE-2018-1000007.

Open Redirect

A security vulnerability that can lead to local privilege escalation has been found in guix-daemon

CVE-2021-27851 5.5 - Medium - April 26, 2021

A security vulnerability that can lead to local privilege escalation has been found in guix-daemon. It affects multi-user setups in which guix-daemon runs locally. The attack consists in having an unprivileged user spawn a build process, for instance with `guix build`, that makes its build directory world-writable. The user then creates a hardlink to a root-owned file such as /etc/shadow in that build directory. If the user passed the --keep-failed option and the build eventually fails, the daemon changes ownership of the whole build tree, including the hardlink, to the user. At that point, the user has write access to the target file. Versions after and including v0.11.0-3298-g2608e40988, and versions prior to v1.2.0-75109-g94f0312546 are vulnerable.

Improper Privilege Management

There's a flaw in the BFD library of binutils in versions before 2.36

CVE-2021-3487 6.5 - Medium - April 15, 2021

There's a flaw in the BFD library of binutils in versions before 2.36. An attacker who supplies a crafted file to an application linked with BFD, and using the DWARF functionality, could cause an impact to system availability by way of excessive memory consumption.

Improper Input Validation

GNU Chess 6.2.7 allows attackers to execute arbitrary code via crafted PGN (Portable Game Notation) data

CVE-2021-30184 7.8 - High - April 07, 2021

GNU Chess 6.2.7 allows attackers to execute arbitrary code via crafted PGN (Portable Game Notation) data. This is related to a buffer overflow in the use of a .tmp.epd temporary file in the cmd_pgnload and cmd_pgnreplay functions in frontend/cmd.cc.

Classic Buffer Overflow

There is an open race window when writing output in the following utilities in GNU binutils version 2.35 and earlier:ar

CVE-2021-20197 6.3 - Medium - March 26, 2021

There is an open race window when writing output in the following utilities in GNU binutils version 2.35 and earlier:ar, objcopy, strip, ranlib. When these utilities are run as a privileged user (presumably as part of a script updating binaries across different users), an unprivileged user can trick these utilities into getting ownership of arbitrary files through a symlink.

insecure temporary file

A flaw was found in GNU Binutils 2.35.1

CVE-2021-20284 5.5 - Medium - March 26, 2021

A flaw was found in GNU Binutils 2.35.1, where there is a heap-based buffer overflow in _bfd_elf_slurp_secondary_reloc_section in elf.c due to the number of symbols not calculated correctly. The highest threat from this vulnerability is to system availability.

Buffer Overflow

A flaw was found in the src/list.c of tar 1.33 and earlier

CVE-2021-20193 5.5 - Medium - March 26, 2021

A flaw was found in the src/list.c of tar 1.33 and earlier. This flaw allows an attacker who can submit a crafted input file to tar to cause uncontrolled consumption of memory. The highest threat from this vulnerability is to system availability.

Out-of-bounds Read

A flaw was found in libmicrohttpd

CVE-2021-3466 9.8 - Critical - March 25, 2021

A flaw was found in libmicrohttpd. A missing bounds check in the post_process_urlencoded function leads to a buffer overflow, allowing a remote attacker to write arbitrary data in an application that uses libmicrohttpd. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. Only version 0.9.70 is vulnerable.

Classic Buffer Overflow

An issue was discovered in PunBB before 1.4.6

CVE-2021-28968 5.4 - Medium - March 22, 2021

An issue was discovered in PunBB before 1.4.6. An XSS vulnerability in the [email] BBcode tag allows (with authentication) injecting arbitrary JavaScript into any forum message.

XSS

If certificates that signed grub are installed into db, grub can be booted directly

CVE-2021-3418 6.4 - Medium - March 15, 2021

If certificates that signed grub are installed into db, grub can be booted directly. It will then boot any kernel without signature validation. The booted kernel will think it was booted in secureboot mode and will implement lockdown, yet it could have been tampered. This flaw is a reintroduction of CVE-2020-15705 and only affects grub2 versions prior to 2.06 and upstream and distributions using the shim_lock mechanism.

Improper Preservation of Permissions

A flaw was found in gnutls

CVE-2021-20231 9.8 - Critical - March 12, 2021

A flaw was found in gnutls. A use after free issue in client sending key_share extension may lead to memory corruption and other consequences.

Dangling pointer

A flaw was found in gnutls

CVE-2021-20232 9.8 - Critical - March 12, 2021

A flaw was found in gnutls. A use after free issue in client_send_params in lib/ext/pre_shared_key.c may lead to memory corruption and other potential consequences.

Dangling pointer

A flaw was found in grub2 in versions prior to 2.06

CVE-2021-20225 6.7 - Medium - March 03, 2021

A flaw was found in grub2 in versions prior to 2.06. The option parser allows an attacker to write past the end of a heap-allocated buffer by calling certain commands with a large number of specific short forms of options. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

Memory Corruption

A flaw was found in grub2 in versions prior to 2.06

CVE-2021-20233 8.2 - High - March 03, 2021

A flaw was found in grub2 in versions prior to 2.06. Setparam_prefix() in the menu rendering code performs a length calculation on the assumption that expressing a quoted single quote will require 3 characters, while it actually requires 4 characters which allows an attacker to corrupt memory by one byte for each quote in the input. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

Memory Corruption

A flaw was found in grub2 in versions prior to 2.06, where it incorrectly enables the usage of the ACPI command when Secure Boot is enabled

CVE-2020-14372 7.5 - High - March 03, 2021

A flaw was found in grub2 in versions prior to 2.06, where it incorrectly enables the usage of the ACPI command when Secure Boot is enabled. This flaw allows an attacker with privileged access to craft a Secondary System Description Table (SSDT) containing code to overwrite the Linux kernel lockdown variable content directly into memory. The table is further loaded and executed by the kernel, defeating its Secure Boot lockdown and allowing the attacker to load unsigned code. The highest threat from this vulnerability is to data confidentiality and integrity, as well as system availability.

Denylist / Deny List

A flaw was found in grub2 in versions prior to 2.06

CVE-2020-25632 8.2 - High - March 03, 2021

A flaw was found in grub2 in versions prior to 2.06. The rmmod implementation allows the unloading of a module used as a dependency without checking if any other dependent module is still loaded leading to a use-after-free scenario. This could allow arbitrary code to be executed or a bypass of Secure Boot protections. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

Dangling pointer

A flaw was found in grub2 in versions prior to 2.06

CVE-2020-25647 7.6 - High - March 03, 2021

A flaw was found in grub2 in versions prior to 2.06. During USB device initialization, descriptors are read with very little bounds checking and assumes the USB device is providing sane values. If properly exploited, an attacker could trigger memory corruption leading to arbitrary code execution allowing a bypass of the Secure Boot mechanism. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

Memory Corruption

A flaw was found in grub2 in versions prior to 2.06

CVE-2020-27749 6.7 - Medium - March 03, 2021

A flaw was found in grub2 in versions prior to 2.06. Variable names present are expanded in the supplied command line into their corresponding variable contents, using a 1kB stack buffer for temporary storage, without sufficient bounds checking. If the function is called with a command line that references a variable with a sufficiently large payload, it is possible to overflow the stack buffer, corrupt the stack frame and control execution which could also circumvent Secure Boot protections. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

Stack Overflow

A flaw was found in grub2 in versions prior to 2.06

CVE-2020-27779 7.5 - High - March 03, 2021

A flaw was found in grub2 in versions prior to 2.06. The cutmem command does not honor secure boot locking allowing an privileged attacker to remove address ranges from memory creating an opportunity to circumvent SecureBoot protections after proper triage about grub's memory layout. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

The iconv function in the GNU C Library (aka glibc or libc6) 2.32 and earlier, when processing invalid multi-byte input sequences in IBM1364, IBM1371, IBM1388, IBM1390, and IBM1399 encodings, fails to advance the input state, which could lead to an infinite loop in applications, resulting in a denial of service, a different vulnerability

CVE-2020-27618 5.5 - Medium - February 26, 2021

The iconv function in the GNU C Library (aka glibc or libc6) 2.32 and earlier, when processing invalid multi-byte input sequences in IBM1364, IBM1371, IBM1388, IBM1390, and IBM1399 encodings, fails to advance the input state, which could lead to an infinite loop in applications, resulting in a denial of service, a different vulnerability from CVE-2016-10228.

Infinite Loop

The nameserver caching daemon (nscd) in the GNU C Library (aka glibc or libc6) 2.29 through 2.33

CVE-2021-27645 2.5 - Low - February 24, 2021

The nameserver caching daemon (nscd) in the GNU C Library (aka glibc or libc6) 2.29 through 2.33, when processing a request for netgroup lookup, may crash due to a double-free, potentially resulting in degraded service or Denial of Service on the local system. This is related to netgroupcache.c.

Double-free

encoding.c in GNU Screen through 4.8.0

CVE-2021-26937 9.8 - Critical - February 09, 2021

encoding.c in GNU Screen through 4.8.0 allows remote attackers to cause a denial of service (invalid write access and application crash) or possibly have unspecified other impact via a crafted UTF-8 character sequence.

Argument Injection

The iconv function in the GNU C Library (aka glibc or libc6) 2.32 and earlier

CVE-2021-3326 7.5 - High - January 27, 2021

The iconv function in the GNU C Library (aka glibc or libc6) 2.32 and earlier, when processing invalid input sequences in the ISO-2022-JP-3 encoding, fails an assertion in the code path and aborts the program, potentially resulting in a denial of service.

assertion failure

The iconv feature in the GNU C Library (aka glibc or libc6) through 2.32

CVE-2019-25013 5.9 - Medium - January 04, 2021

The iconv feature in the GNU C Library (aka glibc or libc6) through 2.32, when processing invalid multi-byte input sequences in the EUC-KR encoding, may have a buffer over-read.

Out-of-bounds Read

There's a flaw in bfd_pef_scan_start_address() of bfd/pef.c in binutils which could

CVE-2020-35496 5.5 - Medium - January 04, 2021

There's a flaw in bfd_pef_scan_start_address() of bfd/pef.c in binutils which could allow an attacker who is able to submit a crafted file to be processed by objdump to cause a NULL pointer dereference. The greatest threat of this flaw is to application availability. This flaw affects binutils versions prior to 2.34.

NULL Pointer Dereference

A flaw exists in binutils in bfd/pef.c

CVE-2020-35493 5.5 - Medium - January 04, 2021

A flaw exists in binutils in bfd/pef.c. An attacker who is able to submit a crafted PEF file to be parsed by objdump could cause a heap buffer overflow -> out-of-bounds read that could lead to an impact to application availability. This flaw affects binutils versions prior to 2.34.

Improper Input Validation

There's a flaw in binutils /bfd/pef.c

CVE-2020-35495 5.5 - Medium - January 04, 2021

There's a flaw in binutils /bfd/pef.c. An attacker who is able to submit a crafted input file to be processed by the objdump program could cause a null pointer dereference. The greatest threat from this flaw is to application availability. This flaw affects binutils versions prior to 2.34.

NULL Pointer Dereference

There's a flaw in bfd_pef_parse_function_stubs of bfd/pef.c in binutils in versions prior to 2.34 which could

CVE-2020-35507 5.5 - Medium - January 04, 2021

There's a flaw in bfd_pef_parse_function_stubs of bfd/pef.c in binutils in versions prior to 2.34 which could allow an attacker who is able to submit a crafted file to be processed by objdump to cause a NULL pointer dereference. The greatest threat of this flaw is to application availability.

NULL Pointer Dereference

There's a flaw in binutils /opcodes/tic4x-dis.c

CVE-2020-35494 6.1 - Medium - January 04, 2021

There's a flaw in binutils /opcodes/tic4x-dis.c. An attacker who is able to submit a crafted input file to be processed by binutils could cause usage of uninitialized memory. The highest threat is to application availability with a lower threat to data confidentiality. This flaw affects binutils versions prior to 2.34.

Use of Uninitialized Resource

An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.35.1

CVE-2020-35448 3.3 - Low - December 27, 2020

An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.35.1. A heap-based buffer over-read can occur in bfd_getl_signed_32 in libbfd.c because sh_entsize is not validated in _bfd_elf_slurp_secondary_reloc_section in elf.c.

Out-of-bounds Read