[FD] libnsgif: stack overflow (CVE-2015-7505) and out-of-bounds read (CVE-2015-7506)

2015-12-16 Thread Hans Jerry Illikainen
/* flags */
0x0c, /* code size */
0x0d, /* block_size */

/* image data */
0x10, 0xcb,
0x41, 0xf3,
0xf3, 0xf3,
0xf3, 0xf3,
0xf3, 0xf3,
0xf3, 0xf3,
0xf3,

/* end of image data */
0x00,

/* end o

[FD] libnsbmp: heap overflow (CVE-2015-7508) and out-of-bounds read (CVE-2015-7507)

2015-12-16 Thread Hans Jerry Illikainen
0, 0x00, 0x00, /* x coordinate of blue endpoint */
0x00, 0x00, 0x00, 0x00, /* y coordinate of blue endpoint */
0x00, 0x00, 0x00, 0x00, /* z coordinate of blue endpoint */
0x00, 0x00, 0x00, 0x00, /* gamma red coordinate scale value */
0x00, 0x00, 0x00, 0x00, /* gamma green coordinate scale value */
0x00, 0x00, 0x00, 0x00, /* gamma blue coordinate scale value */
0xff, 0xff, 0xff, 0x00 /* bmp->colour_table[0] */
};

Solution
Both vulnerabilities are fixed in git HEAD[2].

Footnotes
[1] http://www.netsurf-browser.org/projects/libnsbmp/
[2] http://source.netsurf-browser.org/libnsbmp.git/

Hans Jerry Illikainen

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

[FD] giflib: heap overflow in giffix (CVE-2015-7555)

2015-12-21 Thread Hans Jerry Illikainen
ge.Width */
0x01, 0x00, /* GifFile->Image.Height */
0x00, /* BitsPerPixel = (this & 0x07) + 1 */

/* DGifSetupDecompress() */
0x00, /* CodeSize */

/* end of image data */
0x00,

/* end of gif */
0x3b
};

Solut

[FD] libtiff: invalid write (CVE-2015-7554)

2015-12-26 Thread Hans Jerry Illikainen
1,

/* tif->tif_nextdiroff */
0x00, 0x00, 0x00, 0x00,

/* bits per sample */
0x08, 0x00,
0x08, 0x00,
0x08, 0x00,
};

This issue has been assigned CVE-2015-7554 and it has yet to be fixed.

--
Hans Jerry Illikainen

[FD] CVE-2016-2191: optipng: invalid write

2016-04-04 Thread Hans Jerry Illikainen
ff,
0x00, 0x02, 0x11, 0xff,
0x00, 0x02, 0x00, 0xff,

/*
 * absolute mode (0x00, 0x03..0xff) followed by the value that's
 * bmp_fread_fn() to *crt_row
 */
0x00, 0xff, 0x44, 0x33, 0x22, 0x11
};

Solution
This issue has been ass

[FD] CVE-2016-3074: libgd: signedness vulnerability

2016-04-21 Thread Hans Jerry Illikainen
has been fixed in git HEAD [4].

Footnotes
[1] http://libgd.org/
[2] https://en.wikipedia.org/wiki/Libgd
[3] https://github.com/dyntopia/exploits/tree/master/CVE-2016-3074
[4] https://github.com/libgd/libgd/commit/2bb97f407c1145c850416a3bfbcc8cf124e68a19

--
Hans Jerry

[FD] CVE-2016-3078: php: integer overflow in ZipArchive::getFrom*

2016-05-03 Thread Hans Jerry Illikainen
}
?>

Solution
This issue has been fixed in php 7.0.6.

Footnotes
[1] https://github.com/dyntopia/exploits/tree/master/CVE-2016-3078

--
Hans Jerry Illikainen

[FD] CVE-2016-5399: php: out-of-bounds write in bzread()

2016-07-25 Thread Hans Jerry Illikainen
sue in the underlying bzip2 library[3].

Footnotes
[1] https://secure.php.net/manual/en/function.bzread.php
[2] https://github.com/dyntopia/exploits/tree/master/CVE-2016-5399
[3] https://bugs.php.net/bug.php?id=72613

--
Hans Jerry Illikainen

[FD] CVE-2017-17670: vlc: type conversion vulnerability

2017-12-15 Thread Hans Jerry Illikainen
About
=====
A type conversion vulnerability exists in the MP4 demux module in VLC <=2.2.8. This issue has been assigned CVE-2017-17670 and it could be used to cause an arbitrary free.

Details
=======
MP4 is a container format for video, audio, subtitles and images. The various parts of an .mp4

Re: [FD] [oss-security] CVE-2017-17670: vlc: type conversion vulnerability

2017-12-19 Thread Hans Jerry Illikainen
On Fri, Dec 15, 2017 at 05:28:45AM -0500, Stiepan wrote:
> Nice job! By the way, when is back-porting of the fix to the current
> stable version(s) envisioned? (I doubt most oss OS distributions use
> the "HEAD of the VLC master branch", nor that most Windows or Mac
> users use the latest bleeding-