Findings for Container Security, Medium, [TheRedHatter/javagoof:Dockerfile]:Integer Overflow or Wraparound
Created by: armorcodegithubpreprod[bot]
Findings for Container Security, Medium, [TheRedHatter/javagoof:Dockerfile]:Integer Overflow or Wraparound
Component Details
- Exploit Maturity: no-known-exploit
- Vulnerable Package: -
- Current Version: -
- Vulnerable Version(s): ><4.0.8-2+deb9u5
- Vulnerable Path: >null
NVD Description
Note:
Versions mentioned in the description apply to the upstream tiff
package.
See How to fix?
for Debian:9
relevant versions.
_TIFFCheckMalloc and _TIFFCheckRealloc in tif_aux.c in LibTIFF through 4.0.10 mishandle Integer Overflow checks because they rely on compiler behavior that is undefined by the applicable C standards. This can, for example, lead to an application crash.
References
- ADVISORY
- BUGTRAQ
- BUGTRAQ
- CONFIRM
- DEBIAN
- DEBIAN
- Debian Security Announcement
- Debian Security Tracker
- FEDORA
- FEDORA
- MISC
- SUSE
- SUSE
- Ubuntu CVE Tracker
Origin : null Type : null Image Id : null
Snyk Project Status: Active
Component Details
- Exploit Maturity: no-known-exploit
- Vulnerable Package: -
- Current Version: -
- Vulnerable Version(s): ><57.1-6+deb9u2
- Vulnerable Path: >null
NVD Description
Note:
Versions mentioned in the description apply to the upstream icu
package.
See How to fix?
for Debian:9
relevant versions.
Integer overflow in international date handling in International Components for Unicode (ICU) for C/C++ before 60.1, as used in V8 in Google Chrome prior to 63.0.3239.84 and other products, allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page.
References
- Chromium Issue
- Debian Security Advisory
- Debian Security Tracker
- Gentoo Security Advisory
- MISC
- RHSA Security Advisory
- Ubuntu CVE Tracker
- Ubuntu Security Advisory
Origin : null Type : null Image Id : null
Snyk Project Status: Active
Component Details
- Exploit Maturity: no-known-exploit
- Vulnerable Package: -
- Current Version: -
- Vulnerable Version(s): ><3.16.2-5+deb9u2
- Vulnerable Path: >null
NVD Description
Note:
Versions mentioned in the description apply to the upstream sqlite3
package.
See How to fix?
for Debian:9
relevant versions.
SQLite through 3.32.0 has an integer overflow in sqlite3_str_vappendf in printf.c.
References
- ADVISORY
- CONFIRM
- CONFIRM
- CONFIRM
- CONFIRM
- CONFIRM
- CONFIRM
- CONFIRM
- Debian Security Tracker
- FEDORA
- FREEBSD
- FULLDISC
- FULLDISC
- FULLDISC
- FULLDISC
- GENTOO
- MISC
- MISC
- MISC
- MISC
- MLIST
- MLIST
- UBUNTU
Origin : null Type : null Image Id : null
Snyk Project Status: Active
Component Details
- Exploit Maturity: no-known-exploit
- Vulnerable Package: -
- Current Version: -
- Vulnerable Version(s): ><2.36.5-2+deb9u2
- Vulnerable Path: >null
NVD Description
Note:
Versions mentioned in the description apply to the upstream gdk-pixbuf
package.
See How to fix?
for Debian:9
relevant versions.
Integer overflow in io-ico.c in gdk-pixbuf allows context-dependent attackers to cause a denial of service (segmentation fault and application crash) via a crafted image entry offset in an ICO file, which triggers an out-of-bounds read, related to compiler optimizations.
References
- CVE Details
- Debian Security Tracker
- FEDORA
- FEDORA
- Gentoo Security Advisory
- http://mov.sx/2017/02/21/bug-hunting-gdk-pixbuf.html
- https://bugzilla.gnome.org/show_bug.cgi?id=779012
- MLIST
- OSS security Advisory
- OSS security Advisory
- Security Focus
- Ubuntu CVE Tracker
Origin : null Type : null Image Id : null
Snyk Project Status: Active
Component Details
- Exploit Maturity: no-known-exploit
- Vulnerable Package: -
- Current Version: -
- Vulnerable Version(s): ><1.1.0l-1~deb9u3
- Vulnerable Path: >null
NVD Description
Note:
Versions mentioned in the description apply to the upstream openssl
package.
See How to fix?
for Debian:9
relevant versions.
The OpenSSL public API function X509_issuer_and_serial_hash() attempts to create a unique hash value based on the issuer and serial number data contained within an X509 certificate. However it fails to correctly handle any errors that may occur while parsing the issuer field (which might occur if the issuer field is maliciously constructed). This may subsequently result in a NULL pointer deref and a crash leading to a potential denial of service attack. The function X509_issuer_and_serial_hash() is never directly called by OpenSSL itself so applications are only vulnerable if they use this function directly and they use it on certificates that may have been obtained from untrusted sources. OpenSSL versions 1.1.1i and below are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1j. OpenSSL versions 1.0.2x and below are affected by this issue. However OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1i). Fixed in OpenSSL 1.0.2y (Affected 1.0.2-1.0.2x).
References
- ADVISORY
- CONFIRM
- CONFIRM
- CONFIRM
- CONFIRM
- CONFIRM
- CONFIRM
- CONFIRM
- CONFIRM
- CONFIRM
- CONFIRM
- CONFIRM
- CONFIRM
- CONFIRM
- DEBIAN
- FULLDISC
- FULLDISC
- FULLDISC
- GENTOO
- MISC
- MISC
- N/A
Origin : null Type : null Image Id : null
Snyk Project Status: Active
Component Details
- Exploit Maturity: no-known-exploit
- Vulnerable Package: -
- Current Version: -
- Vulnerable Version(s): >*
- Vulnerable Path: >null
NVD Description
Note:
Versions mentioned in the description apply to the upstream pcre3
package.
libpcre in PCRE before 8.44 allows an integer overflow via a large number after a (?C substring.
References
Origin : null Type : null Image Id : null
Snyk Project Status: Active
Component Details
- Exploit Maturity: no-known-exploit
- Vulnerable Package: -
- Current Version: -
- Vulnerable Version(s): ><1.4.11
- Vulnerable Path: >null
NVD Description
Note:
Versions mentioned in the description apply to the upstream apt
package.
See How to fix?
for Debian:9
relevant versions.
APT had several integer overflows and underflows while parsing .deb packages, aka GHSL-2020-168 GHSL-2020-169, in files apt-pkg/contrib/extracttar.cc, apt-pkg/deb/debfile.cc, and apt-pkg/contrib/arfile.cc. This issue affects: apt 1.2.32ubuntu0 versions prior to 1.2.32ubuntu0.2; 1.6.12ubuntu0 versions prior to 1.6.12ubuntu0.2; 2.0.2ubuntu0 versions prior to 2.0.2ubuntu0.2; 2.1.10ubuntu0 versions prior to 2.1.10ubuntu0.1;
References
Origin : null Type : null Image Id : null
Snyk Project Status: Active
Component Details
- Exploit Maturity: no-known-exploit
- Vulnerable Package: -
- Current Version: -
- Vulnerable Version(s): ><2:1.6.4-3+deb9u2
- Vulnerable Path: >null
NVD Description
Note:
Versions mentioned in the description apply to the upstream libx11
package.
See How to fix?
for Debian:9
relevant versions.
An integer overflow leading to a heap-buffer overflow was found in The X Input Method (XIM) client was implemented in libX11 before version 1.6.10. As per upstream this is security relevant when setuid programs call XIM client functions while running with elevated privileges. No such programs are shipped with Red Hat Enterprise Linux.
References
Origin : null Type : null Image Id : null
Snyk Project Status: Active
Component Details
- Exploit Maturity: no-known-exploit
- Vulnerable Package: -
- Current Version: -
- Vulnerable Version(s): ><1.0.2u-1~deb9u4
- Vulnerable Path: >null
NVD Description
Note:
Versions mentioned in the description apply to the upstream openssl1.0
package.
See How to fix?
for Debian:9
relevant versions.
The OpenSSL public API function X509_issuer_and_serial_hash() attempts to create a unique hash value based on the issuer and serial number data contained within an X509 certificate. However it fails to correctly handle any errors that may occur while parsing the issuer field (which might occur if the issuer field is maliciously constructed). This may subsequently result in a NULL pointer deref and a crash leading to a potential denial of service attack. The function X509_issuer_and_serial_hash() is never directly called by OpenSSL itself so applications are only vulnerable if they use this function directly and they use it on certificates that may have been obtained from untrusted sources. OpenSSL versions 1.1.1i and below are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1j. OpenSSL versions 1.0.2x and below are affected by this issue. However OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1i). Fixed in OpenSSL 1.0.2y (Affected 1.0.2-1.0.2x).
References
- ADVISORY
- CONFIRM
- CONFIRM
- CONFIRM
- CONFIRM
- CONFIRM
- CONFIRM
- CONFIRM
- CONFIRM
- CONFIRM
- CONFIRM
- CONFIRM
- CONFIRM
- CONFIRM
- DEBIAN
- FULLDISC
- FULLDISC
- FULLDISC
- GENTOO
- MISC
- MISC
- N/A
Origin : null Type : null Image Id : null
Snyk Project Status: Active