Ubuntu Security Notice 3148-1 – Tavis Ormandy discovered multiple vulnerabilities in the way that Ghostscript processes certain PostScript files. If a user or automated system were tricked into opening a specially crafted file, an attacker could cause a denial of service or possibly execute arbitrary code. Multiple vulnerabilities were discovered in Ghostscript related to information disclosure. If a user or automated system were tricked into opening a specially crafted file, an attacker could expose sensitive data. Various other issues were also addressed.
Monthly Archives: December 2016
Xfinity Gateway Remote Code Execution
Xfinity Gateway suffers from a remote code execution vulnerability.
python-tornado-4.4.2-1.fc24
Update to 4.4.2
Security fixes
* A difference in cookie parsing between Tornado and web browsers (especially when combined with Google Analytics) could allow an attacker to set arbitrary cookies and bypass XSRF protection. The cookie parser has been rewritten to fix this attack.
Backwards-compatibility notes
* Cookies containing certain special characters (in particular semicolon and square brackets) are now parsed differently.
* If the cookie header contains a combination of valid and invalid cookies, the valid ones will be returned (older versions of Tornado would reject the entire header for a single invalid cookie).
See also http://tornado.readthedocs.io/en/stable/releases/v4.4.0.html
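To make the two behaviours in the compatibility notes concrete, here is an added illustration (not Tornado's own code): a strict, all-or-nothing parser standing in for the old "reject the entire header" behaviour, a lenient parser following the new "keep the valid cookies" rule, and the double-submit _xsrf comparison that depends on which cookies the server actually ends up seeing. The Cookie header, cookie names and token values are constructed for the example; the specific bypass the release notes allude to is not reproduced here.

```python
"""Strict vs lenient Cookie-header parsing, as described in the Tornado 4.4.2 notes.

Added example, not Tornado's code. Both parsers are simplified stand-ins for
the behaviours the release notes contrast.
"""
import hmac
import re
from typing import Dict, Iterator, Optional, Tuple

# RFC 6265 "token" characters permitted in a cookie-name. Square brackets,
# semicolons, whitespace and quotes are not among them.
_NAME_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


class CookieError(ValueError):
    """Raised by the strict parser on the first malformed cookie-pair."""


def _unquote(value: str) -> str:
    # Strip one layer of surrounding double quotes; browsers send quoted
    # values back exactly as they were set.
    if len(value) >= 2 and value[0] == value[-1] == '"':
        return value[1:-1]
    return value


def _pairs(header: str) -> Iterator[Tuple[str, Optional[str]]]:
    # Yield (name, value) for each ';'-separated chunk; value is None when
    # the chunk has no '=' at all. Empty chunks (e.g. "a=1;; b=2") are skipped.
    for chunk in header.split(";"):
        chunk = chunk.strip()
        if not chunk:
            continue
        name, sep, value = chunk.partition("=")
        yield name.strip(), (value.strip() if sep else None)


def parse_cookie_strict(header: str) -> Dict[str, str]:
    """All-or-nothing: one malformed cookie-pair invalidates the whole header."""
    cookies: Dict[str, str] = {}
    for name, value in _pairs(header):
        if value is None or not _NAME_RE.match(name):
            raise CookieError("malformed cookie-pair: %r" % name)
        cookies[name] = _unquote(value)
    return cookies


def request_cookies_old(header: str) -> Dict[str, str]:
    """Old behaviour per the notes: a single bad cookie leaves the request
    with no cookies at all (the parse error is swallowed and {} is used)."""
    try:
        return parse_cookie_strict(header)
    except CookieError:
        return {}


def parse_cookie_lenient(header: str) -> Dict[str, str]:
    """New behaviour per the notes: keep every well-formed cookie-pair and
    skip only the malformed ones."""
    cookies: Dict[str, str] = {}
    for name, value in _pairs(header):
        if value is None or not _NAME_RE.match(name):
            continue  # drop just this pair, not the whole header
        cookies[name] = _unquote(value)
    return cookies


def xsrf_ok(cookies: Dict[str, str], form_token: str) -> bool:
    """Double-submit check: the _xsrf cookie must equal the token in the form.

    Whether this passes depends entirely on which cookies the parser kept."""
    cookie_token = cookies.get("_xsrf")
    if not cookie_token:
        return False
    return hmac.compare_digest(cookie_token, form_token)


# Constructed Cookie header: a Google-Analytics-style cookie, a pair whose
# name contains square brackets, and the XSRF cookie, in that order.
SAMPLE_HEADER = "_ga=GA1.2.1234567890.1480000000; tracker[ab]=1; _xsrf=2|1a2b3c"

if __name__ == "__main__":
    print("old parser :", request_cookies_old(SAMPLE_HEADER))   # {}
    print("new parser :", parse_cookie_lenient(SAMPLE_HEADER))  # _ga and _xsrf kept
    print("xsrf (old) :", xsrf_ok(request_cookies_old(SAMPLE_HEADER), "2|1a2b3c"))
    print("xsrf (new) :", xsrf_ok(parse_cookie_lenient(SAMPLE_HEADER), "2|1a2b3c"))
```

The point to take from the comparison is that a strict parser fails closed on the whole header: one third-party cookie with an odd name is enough to make the server see no _xsrf cookie at all, while a lenient parser still sees the cookies the browser meant to send. Either way, the XSRF check is only as reliable as the parser's agreement with the browser about where each cookie begins and ends.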
Android IOMXNodeInstance::enableNativeBuffers Unchecked Index
The code in IOMXNodeInstance.cpp that handles enableNativeBuffers uses port_index without validation, allowing the dword value 0 or 1 to be written at an attacker-controlled offset from the IOMXNodeInstance structure.
CVE-2016-9638 (patrol)
In BMC Patrol before 9.13.10.02, the binary “listguests64” is configured with the setuid bit. However, when executing it, it will look for a binary named “virsh” using the PATH environment variable. The “listguests64” program will then run “virsh” using root privileges. This allows local users to elevate their privileges to root.
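The lookup the advisory describes, and the hardened alternative, as an added example (not BMC Patrol's code, and not a reproduction of listguests64): a privileged helper that honours the caller's PATH resolves whatever binary the caller planted first, while a lookup restricted to fixed system directories with ownership and permission checks does not. "virsh" is the helper name taken from the advisory; the temporary directory and the fake binary planted in it are constructed here so the script runs offline and without any privilege.

```python
"""How a setuid helper's PATH lookup can be hijacked, beside a hardened lookup.

Added example, not BMC Patrol's code. "virsh" is the helper named in the
advisory; the temp directory and fake binary are constructed for the demo.
"""
import os
import stat
import tempfile
from typing import Dict, List, Optional, Tuple

# Directories a privileged helper should search, ignoring the caller's PATH.
TRUSTED_PATH = "/usr/sbin:/usr/bin:/sbin:/bin"


def _search(name: str, path: str) -> Optional[str]:
    """First regular file called `name` with an execute bit in the given PATH."""
    for d in path.split(os.pathsep):
        if not d:
            continue
        candidate = os.path.join(d, name)
        try:
            st = os.stat(candidate)
        except OSError:
            continue
        if stat.S_ISREG(st.st_mode) and st.st_mode & 0o111:
            return candidate
    return None


def resolve_with_caller_path(name: str, env: Dict[str, str]) -> Optional[str]:
    """The flawed pattern: honour PATH exactly as the unprivileged caller set it.

    A setuid program doing this executes whatever the caller put first."""
    return _search(name, env.get("PATH", ""))


def resolve_trusted(name: str) -> Optional[str]:
    """Hardened lookup: fixed system directories only, and the file must be
    root-owned and not writable by group or others, otherwise it is refused."""
    found = _search(name, TRUSTED_PATH)
    if found is None:
        return None
    st = os.stat(found)
    if st.st_uid != 0 or st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return None
    return found


def hardened_command(name: str, args: Tuple[str, ...]) -> Tuple[List[str], Dict[str, str]]:
    """argv (absolute path) and a minimal environment for exec'ing the helper.

    Fails if the helper is not in a trusted location instead of falling back
    to the caller's PATH."""
    path = resolve_trusted(name)
    if path is None:
        raise FileNotFoundError("%s not found in trusted directories" % name)
    return [path, *args], {"PATH": TRUSTED_PATH}


def demo(name: str = "virsh") -> Tuple[Optional[str], Optional[str]]:
    """Plant a fake `name` in a temp dir, put that dir first in PATH, and
    resolve the helper both ways. Returns (naive_result, hardened_result)."""
    with tempfile.TemporaryDirectory() as d:
        fake = os.path.join(d, name)
        with open(fake, "w") as f:
            f.write("#!/bin/sh\nexit 0\n")  # constructed stand-in for a payload
        os.chmod(fake, 0o755)
        attacker_env = {"PATH": os.pathsep.join([d, "/usr/bin", "/bin"])}
        naive = resolve_with_caller_path(name, attacker_env)
        hardened = resolve_trusted(name)
        return naive, hardened


if __name__ == "__main__":
    naive, hardened = demo()
    print("caller PATH resolves to   :", naive)     # the planted fake
    print("trusted lookup resolves to:", hardened)  # system virsh, or None
```

The hardened lookup deliberately returns None rather than a "best guess" when the helper is absent or badly permissioned; a setuid program should then fail, not search elsewhere. Sanitising the environment passed to the child (here, PATH only) matters for the same reason, since the helper may itself spawn further programs.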
golang-1.6.4-2.fc24
Bump to 1.6.4
golang-1.7.4-1.fc25
Bump to 1.7.4
Android system_server Code Loading Bypass
As of Android Nougat, a new set of SELinux rules has been added that is designed to prevent system_server from loading arbitrary code into its address space. However, as system_server is extremely privileged, a few vectors remain through which it may still load arbitrary code, bypassing the mitigation mentioned above.
CVE-2016-9479 (b2evolution)
The “lost password” functionality in b2evolution before 6.7.9 allows remote attackers to reset arbitrary user passwords via a crafted request.
Google Fixes 12 High-Severity Flaws In Chrome Browser
Chrome 55.0.2883.75 for Windows, Mac, and Linux was released Thursday and patched 36 vulnerabilities, including 12 high-severity flaws eligible for bounties.