Nico Golde

**Nome do software vulnerável e versões afetadas** Compilador Arm, versões 5 a 5.06u6 **Descrição** O problema diz respeito a um recurso de proteção de pilha projetado para ajudar a detectar estouros de buffer baseados na pilha em matrizes locais. Quando esse recurso está ativado, uma função protegida grava um valor de proteção na pilha antes de qualquer matriz vulnerável. O valor de proteção é verificado quanto a corrupção no retorno da função, levando a uma chamada do manipulador de erros se estiver corrompido. No entanto, em certas circunstâncias, o valor de referência comparado com o valor de proteção também é gravado na pilha, potencialmente após as matrizes vulneráveis, quando a função fica sem registros para dados temporários. Isso pode fazer com que a proteção de pilha não consiga detectar a corrupção se tanto o valor de referência quanto o valor de proteção forem sobrescritos com o mesmo valor, o que exigiria tanto um estouro de buffer quanto um subfluxo de buffer nas matrizes vulneráveis, ou outra vulnerabilidade que causasse a corrupção de duas entradas separadas na pilha. **Recomendações** Para as versões 5 a 5.06u6 do Arm Compiler, considere desativar temporariamente o recurso de proteção da pilha até que um patch esteja disponível, como uma solução alternativa para minimizar o risco de exploração. Restrinja o uso de matrizes vulneráveis em funções locais para reduzir a probabilidade de estouros e subfluxos de buffer. Evite usar a pilha para dados temporários sempre que possível, para impedir que o valor de referência seja gravado na pilha. No momento, não há informações sobre uma versão mais recente que contenha

**Name of the Vulnerable Software and Affected Versions** syscp version 1.4.2.1 **Description** The issue allows attackers to add arbitrary paths via the documentroot of a domain by appending a colon to it and setting the open basedir path to use that domain documentroot. **Recommendations** For version 1.4.2.1, consider restricting the ability to modify the documentroot of a domain and the open basedir path to prevent adding arbitrary paths. As a temporary workaround, restrict access to the domain settings to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** iOS versions prior to 11.3 **Description** An issue was discovered in certain Apple products, involving the `Telephony` component. The issue allows remote attackers to execute arbitrary code due to a buffer overflow. **Recommendations** For iOS versions prior to 11.3, update to version 11.3 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Android versions prior to 4.4.4 **Description** The issue is related to the `rootdir/init.rc` function in the Android operating system, which has insufficient access control. This allows attackers to gain privileges via a crafted application. The estimated number of potentially affected devices worldwide is not specified. There is no information about real-world incidents where this issue was exploited. **Recommendations** For Android versions prior to 4.4.4, update to version 4.4.4 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** BusyBox versions prior to 1.25.0 **Description** The issue is related to an integer overflow in the DHCP client (udhcpc) of BusyBox, which allows remote attackers to cause a denial of service (crash) via a malformed RFC1035-encoded domain name. This triggers an out-of-bounds heap write. **Recommendations** For versions prior to 1.25.0, update to version 1.25.0 or later to resolve the issue. As a temporary workaround, consider restricting the use of the `udhcpc` DHCP client until a patch is available. Avoid using malformed RFC1035-encoded domain names in the affected DHCP client to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** BusyBox versions prior to 1.25.0 **Description** The issue is related to a heap-based buffer overflow in the DHCP client (udhcpc) of BusyBox, which can be exploited by remote attackers via vectors involving OPTION 6RD parsing. This can allow an attacker to access confidential data, compromise data integrity, and cause a denial of service. **Recommendations** For versions prior to 1.25.0, update to version 1.25.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the DHCP client (udhcpc) until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** dhcpcd versions prior to 6.10.0 **Description** The issue allows remote attackers to cause a denial of service, resulting in an invalid read and crash. This is related to vectors involving the option length. **Recommendations** For versions prior to 6.10.0, update to version 6.10.0 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 3.12.1 **Description** The issue allows local users to cause a denial of service by leveraging root privileges for a zero-length write operation in the `lbs debugfs write` function. **Recommendations** For versions prior to 3.12.1, update to version 3.12.1 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 3.12.1 **Description** The issue allows local users to cause a denial of service or possibly have unspecified other impact via an SNMP ioctl call with a length value that is incompatible with the command-buffer size. This is due to a buffer overflow in the `qeth snmp command` function in `drivers/s390/net/qeth core main.c`. The `ioctl` call `IOC QETH ADP SET SNMP CONTROL` is involved in the system call. **Recommendations** For Linux kernel versions prior to 3.12.1, update to version 3.12.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the `qeth snmp command` function until a patch is available. Avoid using the `IOC QETH ADP SET SNMP CONTROL` ioctl call with incompatible length values in the command-buffer size until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions through 3.12.1 **Description** The issue is related to the `aac send raw srb` function in the Linux kernel, which does not properly validate a certain size value. This can be exploited by local users with `CAP SYS ADMIN` privileges to cause a denial of service or possibly have other unspecified impacts via a crafted SRB command using the `FSACTL SEND RAW SRB` ioctl call. Local users can potentially elevate their privileges by exploiting the `aacraid` driver. **Recommendations** For Linux kernel versions through 3.12.1, consider restricting access to the `FSACTL SEND RAW SRB` ioctl call to minimize the risk of exploitation. As a temporary workaround, consider disabling the `aac send raw srb` function until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 3.12 **Description** The issue allows local users to obtain sensitive information from kernel memory. This is due to the bcm char ioctl function in drivers/staging/bcm/Bcmchar.c not initializing a certain data structure, which can be exploited via an IOCTL BCM GET DEVICE DRIVER INFO ioctl call. **Recommendations** For versions prior to 3.12, update to version 3.12 or later to resolve the issue. As a temporary workaround, consider restricting access to the bcm char ioctl function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 3.12 **Description** The issue is related to multiple buffer overflows in the Linux kernel, specifically in the drivers/staging/wlags49 h2/wl priv.c file. This can be exploited by local users with the CAP NET ADMIN capability to cause a denial of service or possibly have other unspecified impacts. The exploitation is related to the `wvlan uil put info` and `wvlan set station nickname` functions when a long station-name string is provided. **Recommendations** For Linux kernel versions prior to 3.12, update to version 3.12 or later to resolve the issue. As a temporary workaround, consider restricting the CAP NET ADMIN capability to minimize the risk of exploitation. Additionally, avoid providing long station-name strings to prevent triggering the buffer overflows in the `wvlan uil put info` and `wvlan set station nickname` functions until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 3.12 **Description** The issue is related to the uio mmap physical function in the Linux kernel, which does not validate the size of a memory block. This allows local users to cause a denial of service, such as memory corruption, or possibly gain privileges via crafted mmap operations. **Recommendations** For Linux kernel versions prior to 3.12, update to version 3.12 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 3.12 **Description** The issue allows local users to obtain sensitive information from kernel stack memory. This is due to the mp get count function in drivers/staging/sb105x/sb pci mp.c not initializing a certain data structure, which can be exploited via a TIOCGICOUNT ioctl call. **Recommendations** For Linux kernel versions prior to 3.12, update to version 3.12 or later to resolve the issue. As a temporary workaround, consider restricting access to the TIOCGICOUNT ioctl call to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 3.12 **Description** The issue is related to a buffer overflow in the exitcode proc write function, which can be exploited by local users with write privileges to the /proc/exitcode file. This could potentially allow users to cause a denial of service or have other unspecified impacts, possibly including privilege escalation. The estimated number of potentially affected devices is not specified. **Recommendations** For Linux kernel versions prior to 3.12, update to version 3.12 or later to resolve the issue. As a temporary workaround, consider restricting write access to the /proc/exitcode file to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 3.12 **Description** The issue is related to multiple integer overflows in Alchemy LCD frame-buffer drivers. Local users can create a read-write memory mapping for the entirety of kernel memory and gain privileges via crafted `mmap` operations. This is related to the `au1100fb fb mmap` function in `drivers/video/au1100fb.c` and the `au1200fb fb mmap` function in `drivers/video/au1200fb.c`. **Recommendations** For Linux kernel versions prior to 3.12, update to version 3.12 or later to resolve the issue. As a temporary workaround, consider restricting access to the `au1100fb fb mmap` and `au1200fb fb mmap` functions until a patch is available.

**Name of the Vulnerable Software and Affected Versions** latd versions 1.25 through 1.30 and earlier **Description** The issue is a stack-based buffer overflow that occurs in the llogincircuit.cc file. This can be triggered by remote attackers sending a long string in the llogin version, potentially causing a denial of service (crash) and possibly allowing the execution of arbitrary code. **Recommendations** For latd versions 1.25 through 1.30 and earlier, update to a version that fixes the stack-based buffer overflow issue in llogincircuit.cc.

**Name of the Vulnerable Software and Affected Versions** Tor versions prior to 0.2.2.39 Tor versions 0.2.3.x prior to 0.2.3.21-rc **Description** The issue allows remote attackers to cause a denial of service, resulting in an assertion failure and daemon exit. This occurs when a zero-valued port field is not properly handled during policy comparison. **Recommendations** For Tor versions prior to 0.2.2.39, update to version 0.2.2.39 or later. For Tor versions 0.2.3.x prior to 0.2.3.21-rc, update to version 0.2.3.21-rc or later.

**Name of the Vulnerable Software and Affected Versions** Tor versions prior to 0.2.2.39 Tor versions 0.2.3.x prior to 0.2.3.22-rc **Description** The issue is related to the tor timegm function in common/util.c, which does not properly validate time values. This allows remote attackers to cause a denial of service via a malformed directory object. **Recommendations** For Tor versions prior to 0.2.2.39, update to version 0.2.2.39 or later. For Tor versions 0.2.3.x prior to 0.2.3.22-rc, update to version 0.2.3.22-rc or later.

**Name of the Vulnerable Software and Affected Versions** Gajim version 0.15 **Description** The issue allows local users to overwrite arbitrary files via a symlink attack on a temporary latex file, related to the `get tmpfile name` function in `src/common/latex.py`. **Recommendations** For Gajim version 0.15, consider restricting access to the `get tmpfile name` function in `src/common/latex.py` to prevent symlink attacks until a patch is available.