Monthly Archives: February 2017

NVD

CVE-2016-7448

The Utah RLE reader in GraphicsMagick before 1.3.25 allows remote attackers to cause a denial of service (CPU consumption or large memory allocations) via vectors involving the header information and the file size.

NVD

CVE-2017-5368

ZoneMinder v1.30 and v1.29, an open-source CCTV server web application, is vulnerable to CSRF (Cross Site Request Forgery) which allows a remote attack to make changes to the web application as the current logged in victim. If the victim visits a malicious web page, the attacker can silently and automatically create a new admin user within the web application for remote persistence and further attacks. The URL is /zm/index.php and sample parameters could include action=user uid=0 newUser[Username]=attacker1 newUser[Password]=Password1234 conf_password=Password1234 newUser[System]=Edit (among others).

NVD

CVE-2016-5102

Buffer overflow in the readgifimage function in gif2tiff.c in the gif2tiff tool in LibTIFF 4.0.6 allows remote attackers to cause a denial of service (segmentation fault) via a crafted gif file.

NVD

CVE-2016-7447

Heap-based buffer overflow in the EscapeParenthesis function in GraphicsMagick before 1.3.25 allows remote attackers to have unspecified impact via unknown vectors.

Fedora

gnome-boxes-3.20.4-1.fc24

gnome-boxes 3.20.4 release, fixing a possible security issue with storing the express installation password in clear text.

– Store the user password in the keyring during an express installation.
– Fix typo in debug string.
– Fix printf format strings.

Fedora

gnome-boxes-3.22.4-1.fc25

gnome-boxes 3.22.4 release, fixing a possible security issue with storing the express installation password in clear text.

– Store the user password in the keyring during an express installation.
– Fix typo in debug string in vm-configurator.
– Fix printf format strings in the selectiontoolbar.