n0o.com - Personal archive of discovered vulns & writeups.

[CVE-2019-13752] Out of bounds read in SQLite


Reported on : 16 Nov 2019
Shipped on : 11 Dec 2019
Type : Out-of-bounds Read
In Function : ..

Out of bounds read in SQLite in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page.
https://nvd.nist.gov/vuln/detail/CVE-2019-13752

[CVE-2019-13751] Uninitialized data in SQLite


Reported on : 16 Nov 2019
Shipped on : 11 Dec 2019
Type : Uninitialized Use
In Function : ..

Uninitialized data in SQLite in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page.
https://nvd.nist.gov/vuln/detail/CVE-2019-13751

[CVE-2019-13750] Insufficient data validation in SQLite


Reported on : 16 Nov 2019
Shipped on : 11 Dec 2019
Type : Protection Bypass
In Function : ..

Insufficient data validation in SQLite in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to bypass defense-in-depth measures via a crafted HTML page.
https://nvd.nist.gov/vuln/detail/CVE-2019-13750

[CVE-2019-13734] Out of bounds write in SQLite


Reported on : 16 Nov 2019
Shipped on : 11 Dec 2019
Type : Out-of-bounds Write
In Function : ..

Out of bounds write in SQLite in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
https://nvd.nist.gov/vuln/detail/CVE-2019-13734

[CVE-2020-19646] ffmpeg, Out-of-Bounds Read and Information Leak in ftp.c:393


Reported on : 21 Aug 2018
Shipped on : 13 Feb 2019
Type : Out-of-bounds Read
In Function : ftp_file_size

If the server answers the SIZE command with "213" followed directly by a NUL byte (213\0), `filesize` is parsed from memory beyond the end of the response buffer. There is a small chance of leaking data: if the reused heap memory happens to contain the characters 0-9, +, -, or e, they parse as a number, and that `filesize` is later used in commands sent to the server when the download is set up.
https://patchwork.ffmpeg.org/patch/12060/

[CVE-2020-19645] ffmpeg, Out-of-Bounds access in process_line()


Reported on : 21 Aug 2018
Shipped on : 13 Feb 2019
Type : Out-of-bounds Write
In Function : process_line

while(!av_isspace(*p)) p++; *(p++) = 0;

If the line received from the server contains no whitespace after the token, the loop never sees a terminator and p runs past the end of the buffer; a zero byte is then written out of bounds at wherever p stopped.
https://patchwork.ffmpeg.org/patch/12061/
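Both ffmpeg entries above come down to a parser trusting that the peer's line is long enough, or contains a separator, before indexing into it. The C program below is an added illustration and not ffmpeg's code: `size_of_reply` and `take_token` are hypothetical stand-ins for the checks that `ftp_file_size` and `process_line` lacked, `is_space` is an assumed local replacement for `av_isspace`, and every input is constructed rather than captured.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Local stand-in for av_isspace (assumption: the usual ASCII whitespace set). */
static int is_space(char c)
{
    return c == ' ' || c == '\t' || c == '\n' || c == '\r' || c == '\v' || c == '\f';
}

/* SIZE reply parser. The pattern behind the ftp_file_size bug is reading the
 * number from &res[4] as soon as the code is 213, so a reply of "213\0" hands
 * the converter the terminator and whatever heap bytes follow it. Here the
 * length is checked before the offset is used. Returns the size, or -1 when
 * the reply is not a well-formed "213 <digits>" line. */
long long size_of_reply(const char *res)
{
    if (res == NULL || strncmp(res, "213", 3) != 0)
        return -1;
    if (strlen(res) <= 4)              /* "213" or "213 " carries no number */
        return -1;
    errno = 0;
    char *end = NULL;
    long long v = strtoll(&res[4], &end, 10);
    if (end == &res[4] || errno == ERANGE || v < 0)
        return -1;
    return v;
}

/* Bounded tokenizer for the process_line pattern. The loop on the page,
 * `while(!av_isspace(*p)) p++; *(p++) = 0;`, stops only at whitespace, so a
 * line with no separator after the token walks off the buffer and stores a
 * zero past its end. This version also stops at the NUL terminator and only
 * writes when the terminator lands inside the line. Sets *rest to the start
 * of the next field, or NULL when there is none. */
static char *take_token(char *p, char **rest)
{
    char *tok = p;
    while (*p != '\0' && !is_space(*p))
        p++;
    if (*p == '\0') {                  /* token ran to end of line: no write */
        *rest = NULL;
        return tok;
    }
    *p++ = '\0';                       /* separator was inside the buffer */
    while (is_space(*p))
        p++;
    *rest = (*p != '\0') ? p : NULL;
    return tok;
}

/* Counts whitespace-separated fields of a line. The line is copied into a
 * fixed buffer first, so over-long input is truncated rather than overrun. */
int count_tokens(const char *line)
{
    char buf[256];
    snprintf(buf, sizeof buf, "%s", line);
    int n = 0;
    char *p = buf, *rest = NULL;
    while (p != NULL && *p != '\0') {
        take_token(p, &rest);
        n++;
        p = rest;
    }
    return n;
}

int main(void)
{
    /* Constructed inputs, not captured traffic. */
    printf("SIZE '213 4096' -> %lld\n", size_of_reply("213 4096"));
    printf("SIZE '213'      -> %lld\n", size_of_reply("213"));
    printf("fields in 'GET' -> %d\n", count_tokens("GET"));
    printf("fields in 'GET /index.html HTTP/1.1' -> %d\n",
           count_tokens("GET /index.html HTTP/1.1"));
    return 0;
}
```

The two checks are deliberately separate: the SIZE case is a minimum-length check before a fixed offset is dereferenced, while the tokenizer case is a loop condition that must test for the terminator as well as for the delimiter it is looking for. Either one alone is enough to stop the corresponding report; neither one covers the other.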

[CVE-2019-5835] chromium-browser: Out of bounds read in Swiftshader


Reported on : 7 Mar 2019
Shipped on : 4 Jun 2019
Type : Type Confusion (Arbitrary Memory Read)
In Function : parseLayoutQualifier

A vulnerability in SwiftShader's shader parser could allow an attacker to read arbitrary memory via a type confusion from an unsigned integer to a TString object in parseLayoutQualifier. PoC shader source:
https://bugs.chromium.org/p/chromium/issues/detail?id=939239

#version 300 es
layout(location=0x86868686u

[CVE-2019-3822] NTLMv2 type-3 header stack buffer overflow


Reported on : 31 Dec 2018
Shipped on : 6 Feb 2019
Type : Stack buffer overflow
In Function : Curl_auth_create_ntlm_type3_message

The function creating an outgoing NTLM type-3 header (lib/vauth/ntlm.c:Curl_auth_create_ntlm_type3_message()) generates the request HTTP header contents based on previously received data. The check that exists to prevent the local buffer from being overflowed is implemented wrongly (using unsigned math), so it does not prevent the overflow. The output can grow larger than the local buffer if very large "nt response" data is extracted from a previous NTLMv2 header provided by a malicious or broken HTTP server; "large" here means around 1000 bytes or more. The payload data copied into the target buffer comes from the NTLMv2 type-2 response header.
https://curl.haxx.se/docs/CVE-2019-3822.html

PENDING

[CVE-2018-16890] NTLM type-2 out-of-bounds buffer read


Reported on : 31 Dec 2018
Shipped on : 6 Feb 2019
Type : OOB Access - Read - Send to Remote
In Function : ntlm_decode_type2_target

libcurl versions from 7.36.0 up to but not including 7.64.0 are vulnerable to a heap buffer out-of-bounds read. The function handling incoming NTLM type-2 messages (`lib/vauth/ntlm.c:ntlm_decode_type2_target`) does not validate incoming data correctly and is subject to an integer overflow. Using that overflow, a malicious or broken NTLM server could trick libcurl into accepting a bad length + offset combination that leads to an out-of-bounds buffer read.
https://curl.haxx.se/docs/CVE-2018-16890.html

PENDING
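The two libcurl entries above are the same mistake in two directions: a bounds check written with unsigned arithmetic that wraps. In the type-3 writer the untrusted length is subtracted from the buffer size, in the type-2 reader the untrusted offset and length are added in 32 bits. The C below is an added example, not libcurl's code: the buggy and fixed forms are modelled on the advisories' descriptions, NTLM_BUFSIZE is an assumed size, the field positions follow the public NTLM type-2 layout (target-info security buffer at byte 40, 48-byte fixed header, which is also the minimum offset the check accepts), and both messages are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed local type-3 buffer size; the advisory only says the overflowing
 * "nt response" needs to be around 1000 bytes or more. */
#define NTLM_BUFSIZE 1024

/* --- Type-3 side: is there room for ntresplen bytes after `used`? --- */

/* Wrong: NTLM_BUFSIZE - ntresplen is size_t math. Once ntresplen exceeds
 * NTLM_BUFSIZE the right-hand side wraps to a huge value and any `used` passes. */
int type3_fits_buggy(size_t used, size_t ntresplen)
{
    return used < (size_t)NTLM_BUFSIZE - ntresplen;
}

/* Right: subtract only the trusted quantity, compare the untrusted one to it. */
int type3_fits_fixed(size_t used, size_t ntresplen)
{
    return used <= NTLM_BUFSIZE && ntresplen <= NTLM_BUFSIZE - used;
}

/* Copies the NT response in only when the fixed check passes.
 * Returns the new fill level, or 0 when the message is rejected. */
size_t type3_append(unsigned char *buf, size_t used,
                    const unsigned char *ntresp, size_t ntresplen)
{
    if (!type3_fits_fixed(used, ntresplen))
        return 0;
    memcpy(buf + used, ntresp, ntresplen);
    return used + ntresplen;
}

/* Constructed driver: fill level after appending ntresplen bytes at offset 100. */
size_t demo_type3(size_t ntresplen)
{
    unsigned char buf[NTLM_BUFSIZE], resp[4096];
    memset(resp, 'A', sizeof resp);
    if (ntresplen > sizeof resp)
        return 0;
    return type3_append(buf, 100, resp, ntresplen);
}

/* --- Type-2 side: validating the target-info offset and length --- */

static uint16_t read16_le(const unsigned char *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}
static uint32_t read32_le(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Wrong: offset + len is 32-bit and can wrap to a small "in range" value,
 * after which the unchecked offset is used to address the blob. */
int type2_target_ok_buggy(uint32_t offset, uint16_t len, size_t type2len)
{
    uint32_t end = offset + len;               /* may wrap */
    return !(end > type2len || offset < 48);
}

/* Right: bound the offset on its own, then check len against what is left. */
int type2_target_ok_fixed(uint32_t offset, uint16_t len, size_t type2len)
{
    if (offset < 48 || offset > type2len)
        return 0;
    return (size_t)len <= type2len - offset;
}

/* Locates the target-info blob inside a type-2 message with the fixed check.
 * Returns 0 on success; *info/*infolen then lie inside msg[0..type2len). */
int type2_target_info(const unsigned char *msg, size_t type2len,
                      const unsigned char **info, size_t *infolen)
{
    if (type2len < 48)
        return -1;
    uint16_t len = read16_le(msg + 40);
    uint32_t offset = read32_le(msg + 44);
    if (len == 0) { *info = NULL; *infolen = 0; return 0; }
    if (!type2_target_ok_fixed(offset, len, type2len))
        return -1;
    *info = msg + offset;
    *infolen = len;
    return 0;
}

/* Constructed messages (not captured traffic): one well-formed, one with an
 * offset chosen so that offset + len wraps to 0x20. Returns how many the
 * fixed parser accepts. */
int demo_type2(void)
{
    unsigned char good[56] = {0}, evil[56];
    memcpy(good, "NTLMSSP", 8);                  /* signature incl. NUL */
    good[8] = 2;                                 /* message type 2 */
    good[40] = 8;                                /* target info len = 8 */
    good[44] = 48;                               /* offset = 48, right after header */
    memcpy(evil, good, sizeof evil);
    evil[40] = 0x20; evil[41] = 0x01;            /* len 0x120 */
    evil[44] = 0x00; evil[45] = 0xff; evil[46] = 0xff; evil[47] = 0xff; /* 0xffffff00 */
    const unsigned char *info; size_t infolen; int accepted = 0;
    if (type2_target_info(good, sizeof good, &info, &infolen) == 0) accepted++;
    if (type2_target_info(evil, sizeof evil, &info, &infolen) == 0) accepted++;
    return accepted;
}
```

`type2_target_ok_buggy` accepts the hostile message (0xffffff00 + 0x120 wraps to 0x20, which is inside a 56-byte buffer) and would then read from msg + 0xffffff00; the fixed form rejects it on the offset alone. On the type-3 side, the general rule is the same: never subtract or add an attacker-supplied number before comparing it, compare it against the room that is left.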

[CVE-2018-20506] Denial of Service in SQLite3


Reported on : 1 Nov 2018
Shipped on : 13 Dec 2018
Type : DoS
In Function : to be confirmed

Assertion fault due to a malformed PRIMARY KEY: a DoS in the query planner that results when a row-value expression is used with a PRIMARY KEY that lists the same column twice (a redundant column).
https://sqlite.org/src/info/1a84668dcfdebaf12415d

CREATE TABLE t1(a,b,PRIMARY KEY(b,b));
SELECT * FROM t1 WHERE (a,b) IN (VALUES(1,2));