Will Drewry

**Name of the Vulnerable Software and Affected Versions** Apple Mac OS X versions prior to 10.6.7 **Description** The issue is related to multiple buffer overflows in Apple Type Services (ATS) that allow remote attackers to execute arbitrary code. This can be achieved by using a document containing a crafted embedded TrueType font. **Recommendations** For versions prior to 10.6.7, update to version 10.6.7 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Apple Mac OS X versions prior to 10.6.7 **Description** A heap-based buffer overflow issue exists, allowing remote attackers to execute arbitrary code via a document containing a crafted embedded OpenType font. **Recommendations** For Apple Mac OS X versions prior to 10.6.7, update to version 10.6.7 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Safari versions prior to 4.0.3 Mozilla Firefox versions prior to 3.0.12 Mac OS X versions 10.4.11 and 10.5.8 **Description** The issue is related to an integer overflow in Apple CoreGraphics, which can be triggered by a long text run. This can cause a heap-based buffer overflow during font glyph rendering, potentially leading to a denial of service (application crash) or execution of arbitrary code. **Recommendations** For Safari versions prior to 4.0.3, update to version 4.0.3 or later. For Mozilla Firefox versions prior to 3.0.12, update to version 3.0.12 or later. For Mac OS X versions 10.4.11 and 10.5.8, consider upgrading to a later version of Mac OS X that incorporates the fix for this issue.

**Name of the Vulnerable Software and Affected Versions** Pango versions prior to 1.24 **Description** The issue is related to an integer overflow in the `pango glyph string set size` function, which can be triggered by a long glyph string. This can cause a denial of service, resulting in an application crash, or potentially allow the execution of arbitrary code due to a heap-based buffer overflow. The overflow can be demonstrated using a long document.location value in Firefox. **Recommendations** For versions prior to 1.24, update to version 1.24 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** xine-lib versions 1.1.12 through 1.1.14 **Description** The issue is related to the failure of malloc checks in certain functions, including the `mymng process header` function in demux mng.c, the `open mod file` function in demux mod.c, and frame buffer allocation in the `real parse audio specific data` function in demux real.c. This can be exploited by remote attackers using a crafted media file, potentially leading to a denial of service (crash) or possibly the execution of arbitrary code. **Recommendations** For xine-lib versions 1.1.12 through 1.1.14, update to version 1.1.15 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** xine-lib versions 1.1.12 through 1.1.15 **Description** The issue is related to multiple heap-based buffer overflows that allow remote attackers to execute arbitrary code. This is achieved through vectors related to a crafted EBML element length processed by the `parse block group` function, a certain combination of `sps`, `w`, and `h` values processed by the `real parse audio specific data` and `demux real send chunk` functions, and an unspecified combination of three values processed by the `open ra file` function. One of the vectors reportedly exists due to an incomplete fix in version 1.1.15. **Recommendations** For xine-lib versions 1.1.12 through 1.1.15, update to a version later than 1.1.15 to resolve the issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** xine-lib versions 1.1.15 and earlier **Description** The issue arises from improper handling of negative and zero values during certain read function calls in various files, including input file.c, input net.c, input smb.c, and input http.c. This can be exploited by remote attackers through vectors such as a file or an HTTP response, potentially leading to a denial of service (crash) or the execution of arbitrary code. The exploitation triggers out-of-bounds reads and heap-based buffer overflows. **Recommendations** For xine-lib versions 1.1.15 and earlier, consider updating to a version that properly handles negative and zero values during read function calls to prevent potential denial of service or arbitrary code execution. As a temporary workaround, restrict access to files and HTTP responses that could trigger the vulnerability until a patch is available.

**Name of the Vulnerable Software and Affected Versions** xine-lib versions 1.1.12 and earlier, including 1.1.15 and earlier **Description** The issue relies on an untrusted input value to determine memory allocation without checking the result. This affects the processing of certain elements and chunks, including the MATROSKA ID TR CODECPRIVATE track entry element in demux matroska.c, and PROP TAG, MDPR TAG, and CONT TAG chunks in the real parse headers function in demux real.c. This can allow remote attackers to cause a denial of service, such as a NULL pointer dereference and crash, or possibly execute arbitrary code via a crafted value. **Recommendations** For xine-lib versions 1.1.12 and earlier, including 1.1.15 and earlier, consider updating to a version that does not rely on untrusted input for memory allocation or implement input validation to prevent crafted values from causing a denial of service or code execution. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** xine-lib versions 1.1.12 and earlier, including 1.1.15 and earlier **Description** The issue is related to an integer underflow in the demux qt.c file, which can be triggered by a crafted media file. This results in a denial of service, causing the program to crash. The problem occurs when a compressed MOV file contains a small value of moov atom size, leading to the underflow. **Recommendations** For xine-lib versions 1.1.12 and earlier, including 1.1.15 and earlier, update to a version that fixes the integer underflow issue in demux qt.c to prevent denial of service attacks.

**Name of the Vulnerable Software and Affected Versions** xine-lib versions 1.1.12 and earlier, including 1.1.15 and earlier **Description** The issue concerns a lack of validation in the count field before memory allocation, which can be exploited by remote attackers using a crafted media file. This can lead to a denial of service (crash) or potentially allow the execution of arbitrary code. **Recommendations** For xine-lib versions 1.1.12 and earlier, including 1.1.15 and earlier, update to a version that fixes the issue in demux qt.c, ensuring proper validation of the count field before calling calloc for STSD ATOM atom allocation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** xine-lib versions 1.1.12 through 1.1.15 **Description** The issue concerns the `real parse audio specific data` function in `demux real.c`, which uses an untrusted height value, also referred to as `codec data length`, as a divisor. This allows remote attackers to cause a denial of service by triggering a divide-by-zero error and crash via a zero value. **Recommendations** For xine-lib versions 1.1.12 through 1.1.15, consider applying a patch that checks for and handles the zero value in the `real parse audio specific data` function to prevent the divide-by-zero error. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** libvorbis versions 1.0rc2 through 1.2.0 libvorbis-devel version 1.0rc2 **Description** The issue affects the libvorbis package, allowing remote attackers to exploit multiple vulnerabilities, potentially leading to a denial of service, integer overflow, or disruption of confidentiality, integrity, and availability of protected information. The vulnerability can be triggered by a zero value for `codebook.dim`, causing a crash or infinite loop. **Recommendations** For libvorbis versions 1.0rc2 through 1.2.0, update to a version later than 1.2.0 to resolve the issue. For libvorbis-devel version 1.0rc2, update to a version later than 1.0rc2 to resolve the issue. As a temporary workaround, consider restricting access to the libvorbis package until a patch is available.

**Name of the Vulnerable Software and Affected Versions** libvorbis versions prior to 1.2.1 rc1 libvorbis versions 1.0rc2 through 1.2.0 **Description** The issue is related to multiple vulnerabilities in the libvorbis package, which can be exploited remotely to compromise the confidentiality, integrity, and availability of protected information. Specifically, an integer overflow in residue partition value evaluation in Xiph.org libvorbis 1.2.0 and earlier allows remote attackers to execute arbitrary code via a crafted OGG file, triggering a heap overflow. **Recommendations** For libvorbis versions prior to 1.2.1 rc1, update to version 1.2.1 rc1 or later to resolve the issue. For libvorbis versions 1.0rc2 through 1.2.0, update to version 1.2.1 rc1 or later to resolve the issue. As a temporary workaround, consider restricting access to libvorbis until a patch is available.

**Name of the Vulnerable Software and Affected Versions** libvorbis versions prior to 1.0 **Description** The issue is related to multiple vulnerabilities in the libvorbis package, which can be exploited remotely to compromise the confidentiality, integrity, and availability of protected information. Specifically, it does not properly check for underpopulated Huffman trees, allowing remote attackers to cause a denial of service via a crafted OGG file that triggers memory corruption during execution of the make decode tree function. **Recommendations** For versions prior to 1.0, update to version 1.0 or later to resolve the issue. As a temporary workaround, consider restricting access to potentially vulnerable functions, such as make decode tree, until a patch is available. Avoid using crafted OGG files that may trigger memory corruption in the affected libvorbis package.

**Name of the Vulnerable Software and Affected Versions** Perl version 5.8.8 **Description** A double free issue in Perl allows context-dependent attackers to cause a denial of service, resulting in memory corruption and crash, via a crafted regular expression containing UTF8 characters. This issue might only be present on certain operating systems. **Recommendations** For Perl version 5.8.8, consider avoiding the use of crafted regular expressions containing UTF8 characters until a fix is available. As a temporary workaround, restrict the use of regular expressions to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Apple Safari versions prior to 3.1 **Description** A buffer overflow issue in WebKit, used by Apple Safari, allows remote attackers to execute arbitrary code via crafted regular expressions in JavaScript. **Recommendations** For versions prior to 3.1, update to version 3.1 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Boost regex library versions 1.33 through 1.34 Boost library versions prior to 1.34.1-r2 **Description** The issue allows context-dependent attackers to cause a denial of service, potentially leading to a crash, via an invalid regular expression. Multiple vulnerabilities in the Boost package can be exploited remotely, leading to disruption of protected information availability. **Recommendations** For Boost regex library versions 1.33 through 1.34, consider updating to a version later than 1.34. For Boost library versions prior to 1.34.1-r2, update to version 1.34.1-r2 or later to resolve the issue. As a temporary workaround, consider restricting the use of the `get repeat type` function in `basic regex creator.hpp` until a patch is available.

Name of the Vulnerable Software and Affected Versions: OpenSSL versions prior to 0.9.8d Description: The issue affects the OpenSSL package, allowing remote exploitation that may lead to a breach of confidentiality, integrity, and availability of protected information. This can be achieved through remote attack vectors, including a long list of ciphers, potentially leading to a buffer overflow in the `SSL get shared ciphers` function. The vulnerability may also enable an attacker to cause a denial of service or gain access to encrypted data without knowledge of the encryption key. Recommendations: For OpenSSL versions prior to 0.9.8d, update to version 0.9.8d or later to resolve the issue. As a temporary workaround, consider restricting access to the `SSL get shared ciphers` function until a patch is available.

Name of the Vulnerable Software and Affected Versions: GNU Debugger (GDB) version 6.5 gdb package version 6.3.0.0 Description: The issue is related to a buffer overflow in the debugging code of GNU Debugger (GDB), specifically in the DWARF and DWARF2 debugging code. This allows attackers to execute arbitrary code via a crafted file with a location block that contains a large number of operations. The vulnerability can be exploited remotely, potentially leading to a breach of confidentiality, integrity, and availability of protected information. Recommendations: For GNU Debugger (GDB) version 6.5, consider updating to a newer version to mitigate the risk. For gdb package version 6.3.0.0, update to a newer version to resolve the issue. As a temporary workaround, consider restricting access to the debugging functionality until a patch is available.

**Name of the Vulnerable Software and Affected Versions** cscope versions 15.5 and earlier **Description** The issue involves multiple buffer overflows that can be exploited by attackers with user intervention, potentially leading to a denial of service (crash) and possibly the execution of arbitrary code. This can occur through several vectors, including a long pathname not handled properly during file list parsing, long pathnames resulting from path variable expansion (such as tilde expansion for the HOME environment variable), and a long -f (or reffile) command line argument. **Recommendations** For cscope versions 15.5 and earlier, update to a version that addresses these buffer overflow issues to prevent potential denial of service and arbitrary code execution. At the moment, there is no information about a newer version that contains a fix for this vulnerability.