Findings for Container Security, High, [TheRedHatter/javagoof:Dockerfile]:Integer Overflow or Wraparound
Created by: armorcodegithubpreprod[bot]
Findings for Container Security, High, [TheRedHatter/javagoof:Dockerfile]:Integer Overflow or Wraparound
Component Details
- Exploit Maturity: no-known-exploit
- Vulnerable Package: -
- Current Version: -
- Vulnerable Version(s): ><57.1-6+deb9u4
- Vulnerable Path: >null
NVD Description
Note:
Versions mentioned in the description apply to the upstream icu
package.
See How to fix?
for Debian:9
relevant versions.
An issue was discovered in International Components for Unicode (ICU) for C/C++ through 66.1. An integer overflow, leading to a heap-based buffer overflow, exists in the UnicodeString::doAppend() function in common/unistr.cpp.
References
- Debian Security Advisory
- Debian Security Announcement
- Debian Security Tracker
- FEDORA
- Fedora Security Update
- Fedora Security Update
- Gentoo Security Advisory
- GitHub Commit
- GitHub PR
- MISC
- MISC
- MISC
- MISC
- MISC
- RHSA Security Advisory
- SUSE
- UBUNTU
- Ubuntu CVE Tracker
Origin : null Type : null Image Id : null
Snyk Project Status: Active
Component Details
- Exploit Maturity: no-known-exploit
- Vulnerable Package: -
- Current Version: -
- Vulnerable Version(s): ><5.24.1-3+deb9u7
- Vulnerable Path: >null
NVD Description
Note:
Versions mentioned in the description apply to the upstream perl
package.
See How to fix?
for Debian:9
relevant versions.
Perl before 5.30.3 has an integer overflow related to mishandling of a "PL_regkind[OP(n)] == NOTHING" situation. A crafted regular expression could lead to malformed bytecode with a possibility of instruction injection.
References
- CONFIRM
- CONFIRM
- CONFIRM
- CONFIRM
- CONFIRM
- Debian Security Tracker
- FEDORA
- GENTOO
- MISC
- MISC
- MISC
- MISC
- N/A
- SUSE
- Ubuntu CVE Tracker
Origin : null Type : null Image Id : null
Snyk Project Status: Active
Component Details
- Exploit Maturity: no-known-exploit
- Vulnerable Package: -
- Current Version: -
- Vulnerable Version(s): ><1.7.0-1+deb9u2
- Vulnerable Path: >null
NVD Description
Note:
Versions mentioned in the description apply to the upstream libssh2
package.
See How to fix?
for Debian:9
relevant versions.
In libssh2 v1.9.0 and earlier versions, the SSH_MSG_DISCONNECT logic in packet.c has an integer overflow in a bounds check, enabling an attacker to specify an arbitrary (out-of-bounds) offset for a subsequent memory read. A crafted SSH server may be able to disclose sensitive information or cause a denial of service condition on the client system when a user connects to the server.
References
- Debian Security Announcement
- Debian Security Tracker
- FEDORA
- Fedora Security Update
- GitHub Additional Information
- GitHub Commit
- MISC
- MISC
- MISC
- OpenSuse Security Announcement
Origin : null Type : null Image Id : null
Snyk Project Status: Active
Component Details
- Exploit Maturity: no-known-exploit
- Vulnerable Package: -
- Current Version: -
- Vulnerable Version(s): ><4.0.8-2+deb9u5
- Vulnerable Path: >null
NVD Description
Note:
Versions mentioned in the description apply to the upstream tiff
package.
See How to fix?
for Debian:9
relevant versions.
An issue was discovered in LibTIFF 4.0.9. There is a int32 overflow in multiply_ms in tools/ppm2tiff.c, which can cause a denial of service (crash) or possibly have unspecified other impact via a crafted image file.
References
- CVE Details
- DEBIAN
- Debian Security Announcement
- Debian Security Tracker
- MISC
- MISC
- REDHAT
- Ubuntu CVE Tracker
- Ubuntu Security Advisory
- Ubuntu Security Advisory
Origin : null Type : null Image Id : null
Snyk Project Status: Active
Component Details
- Exploit Maturity: no-known-exploit
- Vulnerable Package: -
- Current Version: -
- Vulnerable Version(s): ><1:1.1.14-1+deb9u1
- Vulnerable Path: >null
NVD Description
Note:
Versions mentioned in the description apply to the upstream libxcursor
package.
See How to fix?
for Debian:9
relevant versions.
libXcursor before 1.1.15 has various integer overflows that could lead to heap buffer overflows when processing malicious cursors, e.g., with programs like GIMP. It is also possible that an attack vector exists against the related code in cursor/xcursor.c in Wayland through 1.14.0.
References
- CVE Details
- Debian Security Advisory
- Debian Security Announcement
- Debian Security Tracker
- Gentoo Security Advisory
- HP Security Bulletin
- https://bugzilla.suse.com/show_bug.cgi?id=1065386
- https://cgit.freedesktop.org/wayland/wayland/commit/?id=5d201df72f3d4f4cb8b8f75f980169b03507da38
- https://cgit.freedesktop.org/xorg/lib/libXcursor/commit/?id=4794b5dd34688158fb51a2943032569d3780c4b8
- http://security.cucumberlinux.com/security/details.php?id=156
- https://lists.freedesktop.org/archives/wayland-devel/2017-November/035979.html
- OSS security Advisory
- Ubuntu CVE Tracker
- Ubuntu Security Advisory
- Ubuntu Security Advisory
Origin : null Type : null Image Id : null
Snyk Project Status: Active
Component Details
- Exploit Maturity: no-known-exploit
- Vulnerable Package: -
- Current Version: -
- Vulnerable Version(s): ><1.1.0l-1~deb9u3
- Vulnerable Path: >null
NVD Description
Note:
Versions mentioned in the description apply to the upstream openssl
package.
See How to fix?
for Debian:9
relevant versions.
Calls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may overflow the output length argument in some cases where the input length is close to the maximum permissable length for an integer on the platform. In such cases the return value from the function call will be 1 (indicating success), but the output length value will be negative. This could cause applications to behave incorrectly or crash. OpenSSL versions 1.1.1i and below are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1j. OpenSSL versions 1.0.2x and below are affected by this issue. However OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1i). Fixed in OpenSSL 1.0.2y (Affected 1.0.2-1.0.2x).
References
- ADVISORY
- CONFIRM
- CONFIRM
- CONFIRM
- CONFIRM
- CONFIRM
- CONFIRM
- CONFIRM
- CONFIRM
- DEBIAN
- GENTOO
- MISC
- MISC
- MLIST
- MLIST
- N/A
Origin : null Type : null Image Id : null
Snyk Project Status: Active
Component Details
- Exploit Maturity: no-known-exploit
- Vulnerable Package: -
- Current Version: -
- Vulnerable Version(s): ><3.16.2-5+deb9u2
- Vulnerable Path: >null
NVD Description
Note:
Versions mentioned in the description apply to the upstream sqlite3
package.
See How to fix?
for Debian:9
relevant versions.
SQLite before 3.25.3, when the FTS3 extension is enabled, encounters an integer overflow (and resultant buffer overflow) for FTS3 queries in a "merge" operation that occurs after crafted changes to FTS3 shadow tables, allowing remote attackers to execute arbitrary code by leveraging the ability to run arbitrary SQL statements (such as in certain WebSQL use cases). This is a different vulnerability than CVE-2018-20346.
References
- Apple Security Advisory
- Apple Security Advisory
- Apple Security Advisory
- Apple Security Advisory
- Apple Security Advisory
- Apple Security Advisory
- Bugtraq Mailing List
- Bugtraq Mailing List
- Bugtraq Mailing List
- Bugtraq Mailing List
- Bugtraq Mailing List
- Bugtraq Mailing List
- Debian Security Tracker
- MISC
- MLIST
- N/A
- Netapp Security Advisory
- OpenSuse Security Announcement
- Seclists Full Disclosure
- Seclists Full Disclosure
- Seclists Full Disclosure
- Seclists Full Disclosure
- Seclists Full Disclosure
- Seclists Full Disclosure
- Security Focus
- Ubuntu CVE Tracker
- Ubuntu Security Advisory
- Ubuntu Security Advisory
Origin : null Type : null Image Id : null
Snyk Project Status: Active
Component Details
- Exploit Maturity: no-known-exploit
- Vulnerable Package: -
- Current Version: -
- Vulnerable Version(s): ><1.0.2u-1~deb9u4
- Vulnerable Path: >null
NVD Description
Note:
Versions mentioned in the description apply to the upstream openssl1.0
package.
See How to fix?
for Debian:9
relevant versions.
Calls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may overflow the output length argument in some cases where the input length is close to the maximum permissable length for an integer on the platform. In such cases the return value from the function call will be 1 (indicating success), but the output length value will be negative. This could cause applications to behave incorrectly or crash. OpenSSL versions 1.1.1i and below are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1j. OpenSSL versions 1.0.2x and below are affected by this issue. However OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1i). Fixed in OpenSSL 1.0.2y (Affected 1.0.2-1.0.2x).
References
- ADVISORY
- CONFIRM
- CONFIRM
- CONFIRM
- CONFIRM
- CONFIRM
- CONFIRM
- CONFIRM
- CONFIRM
- DEBIAN
- GENTOO
- MISC
- MISC
- MLIST
- MLIST
- N/A
Origin : null Type : null Image Id : null
Snyk Project Status: Active
Component Details
- Exploit Maturity: no-known-exploit
- Vulnerable Package: -
- Current Version: -
- Vulnerable Version(s): ><4.0.8-2+deb9u6
- Vulnerable Path: >null
NVD Description
Note:
Versions mentioned in the description apply to the upstream tiff
package.
See How to fix?
for Debian:9
relevant versions.
An integer overflow flaw was found in libtiff that exists in the tif_getimage.c file. This flaw allows an attacker to inject and execute arbitrary code when a user opens a crafted TIFF file. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
References
Origin : null Type : null Image Id : null
Snyk Project Status: Active
Component Details
- Exploit Maturity: no-known-exploit
- Vulnerable Package: -
- Current Version: -
- Vulnerable Version(s): ><3.16.2-5+deb9u2
- Vulnerable Path: >null
NVD Description
Note:
Versions mentioned in the description apply to the upstream sqlite3
package.
See How to fix?
for Debian:9
relevant versions.
SQLite before 3.25.3, when the FTS3 extension is enabled, encounters an integer overflow (and resultant buffer overflow) for FTS3 queries that occur after crafted changes to FTS3 shadow tables, allowing remote attackers to execute arbitrary code by leveraging the ability to run arbitrary SQL statements (such as in certain WebSQL use cases), aka Magellan.
References
- Apple Security Advisory
- Apple Security Advisory
- Apple Security Advisory
- Apple Security Advisory
- Apple Security Advisory
- Apple Security Advisory
- Chromium Issue
- CONFIRM
- CVE Details
- Debian Security Announcement
- Debian Security Tracker
- Fedora Security Update
- FREEBSD
- Gentoo Security Advisory
- MISC
- MISC
- MISC
- MISC
- MISC
- MISC
- MISC
- MISC
- MISC
- MISC
- MISC
- MLIST
- N/A
- OpenSuse Security Announcement
- OpenSuse Security Announcement
- RedHat Bugzilla Bug
- RedHat Bugzilla Bug
- Security Focus
- Ubuntu CVE Tracker
- Ubuntu Security Advisory
- Ubuntu Security Advisory
Origin : null Type : null Image Id : null
Snyk Project Status: Active
Component Details
- Exploit Maturity: no-known-exploit
- Vulnerable Package: -
- Current Version: -
- Vulnerable Version(s): ><2:1.6.4-3+deb9u3
- Vulnerable Path: >null
NVD Description
Note:
Versions mentioned in the description apply to the upstream libx11
package.
See How to fix?
for Debian:9
relevant versions.
An integer overflow vulnerability leading to a double-free was found in libX11. This flaw allows a local privileged attacker to cause an application compiled with libX11 to crash, or in some cases, result in arbitrary code execution. The highest threat from this flaw is to confidentiality, integrity as well as system availability.
References
Origin : null Type : null Image Id : null
Snyk Project Status: Active
Component Details
- Exploit Maturity: no-known-exploit
- Vulnerable Package: -
- Current Version: -
- Vulnerable Version(s): ><1.12.0-1+deb9u1
- Vulnerable Path: >null
NVD Description
Note:
Versions mentioned in the description apply to the upstream wayland
package.
See How to fix?
for Debian:9
relevant versions.
libXcursor before 1.1.15 has various integer overflows that could lead to heap buffer overflows when processing malicious cursors, e.g., with programs like GIMP. It is also possible that an attack vector exists against the related code in cursor/xcursor.c in Wayland through 1.14.0.
References
- CVE Details
- Debian Security Advisory
- Debian Security Announcement
- Debian Security Tracker
- Gentoo Security Advisory
- HP Security Bulletin
- https://bugzilla.suse.com/show_bug.cgi?id=1065386
- https://cgit.freedesktop.org/wayland/wayland/commit/?id=5d201df72f3d4f4cb8b8f75f980169b03507da38
- https://cgit.freedesktop.org/xorg/lib/libXcursor/commit/?id=4794b5dd34688158fb51a2943032569d3780c4b8
- http://security.cucumberlinux.com/security/details.php?id=156
- https://lists.freedesktop.org/archives/wayland-devel/2017-November/035979.html
- OSS security Advisory
- Ubuntu CVE Tracker
- Ubuntu Security Advisory
- Ubuntu Security Advisory
Origin : null Type : null Image Id : null
Snyk Project Status: Active
Component Details
- Exploit Maturity: no-known-exploit
- Vulnerable Package: -
- Current Version: -
- Vulnerable Version(s): ><0.23.3-2+deb9u1
- Vulnerable Path: >null
NVD Description
Note:
Versions mentioned in the description apply to the upstream p11-kit
package.
See How to fix?
for Debian:9
relevant versions.
An issue was discovered in p11-kit 0.21.1 through 0.23.21. Multiple integer overflows have been discovered in the array allocations in the p11-kit library and the p11-kit list command, where overflow checks are missing before calling realloc or calloc.
References
Origin : null Type : null Image Id : null
Snyk Project Status: Active
Component Details
- Exploit Maturity: no-known-exploit
- Vulnerable Package: -
- Current Version: -
- Vulnerable Version(s): ><2.36.5-2+deb9u2
- Vulnerable Path: >null
NVD Description
Note:
Versions mentioned in the description apply to the upstream gdk-pixbuf
package.
See How to fix?
for Debian:9
relevant versions.
Gnome gdk-pixbuf 2.36.8 and older is vulnerable to several integer overflow in the gif_get_lzw function resulting in memory corruption and potential code execution
References
- CONFIRM
- Debian Security Advisory
- Debian Security Announcement
- Debian Security Tracker
- Gentoo Security Advisory
- Ubuntu CVE Tracker
- Ubuntu Security Advisory
Origin : null Type : null Image Id : null
Snyk Project Status: Active