N0O

[CVE-2019-13752] Out of bounds read in SQLite

Reported on : 16 Nov 2019 Shipped on : 11 Dec 2019 Type : Out-of-bounds Read In Function : .. Out of bounds read in SQLite in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. PoC

https://nvd.nist.gov/vuln/detail/CVE-2019-13752

[CVE-2019-13751] Uninitialized data in SQLite

Reported on : 16 Nov 2019 Shipped on : 11 Dec 2019 Type : Uninitialized Use In Function : .. Uninitialized data in SQLite in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. PoC

https://nvd.nist.gov/vuln/detail/CVE-2019-13751

[CVE-2019-13750] Insufficient data validation in SQLite

Reported on : 16 Nov 2019 Shipped on : 11 Dec 2019 Type : Protection Bypass In Function : .. Insufficient data validation in SQLite in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to bypass defense-in-depth measures via a crafted HTML page. PoC

https://nvd.nist.gov/vuln/detail/CVE-2019-13750

[CVE-2019-13734] Out of bounds write in SQLite

Reported on : 16 Nov 2019 Shipped on : 11 Dec 2019 Type : Out-of-bounds Write In Function : .. Out of bounds write in SQLite in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. PoC

https://nvd.nist.gov/vuln/detail/CVE-2019-13734

[CVE-2020-19646] ffmpeg, Out-of-Bounds Read and Information Leak in ftp.c:393

Reported on : 21 Aug 2018 Shipped on : 13 Feb 2019 Type : Out-of-bounds Read In Function : ftp_file_size If the server response data with 213\0, the `filesize` will be a value converted from out side the buffer. And there's a small chance to leak the data, if the heap being reused is containing chars: 0-9,+,-,e since the filesize is used to communicate with server to download later. PoC

https://patchwork.ffmpeg.org/patch/12060/

[CVE-2020-19645] ffmpeg, Out-of-Bounds access in process_line()

Reported on : 21 Aug 2018 Shipped on : 13 Feb 2019 Type : Out-of-bounds Write In Function : process_line while(!av_isspace(*p)) p++; *(p++) = 0; If the server response data with no space after it, the p will go beyond the buffer end. Then it will write a zero out-of-bound to some place. PoC

https://patchwork.ffmpeg.org/patch/12061/

[CVE-2019-5835] chromium-browser: Out of bounds read in Swiftshader

Reported on : 7 Mar 2019 Shipped on : 4 Jun 2019 Type : Type Confusion (Arbitrary Memory Read) In Function : parseLayoutQualifier chromium-browser: Out of bounds read in Swiftshader Vulnerability in Swiftshader could allow an attacker to read arbitrary memory via a Type Confusion from unsigned integer to TString object. PoC

https://bugs.chromium.org/p/chromium/issues/detail?id=939239

#version 300 es
layout(location=0x86868686u

[CVE-2019-3822] NTLMv2 type-3 header stack buffer overflow

Reported on : 31 Dec 2018 Shipped on : 6 Feb 2019 Type : Stack buffer overflow In Function : Curl_auth_create_ntlm_type3_message The function creating an outgoing NTLM type-3 header (lib/vauth/ntlm.c:Curl_auth_create_ntlm_type3_message()), generates the request HTTP header contents based on previously received data. The check that exists to prevent the local buffer from getting overflowed is implemented wrongly (using unsigned math) and as such it does not prevent the overflow from happening. This output data can grow larger than the local buffer if very large "nt response" data is extracted from a previous NTLMv2 header provided by the malicious or broken HTTP server. Such a "large value" needs to be around 1000 bytes or more. The actual payload data copied to the target buffer comes from the NTLMv2 type-2 response header. PoC

https://curl.haxx.se/docs/CVE-2019-3822.html

PENDING

[CVE-2018-16890] NTLM type-2 out-of-bounds buffer read

Reported on : 31 Dec 2018 Shipped on : 6 Feb 2019 Type : OOB Access - Read - Send to Remote In Function : ntlm_decode_type2_target libcurl versions from 7.36.0 to before 7.64.0 is vulnerable to a heap buffer out-of-bounds read. The function handling incoming NTLM type-2 messages (`lib/vauth/ntlm.c:ntlm_decode_type2_target`) does not validate incoming data correctly and is subject to an integer overflow vulnerability. Using that overflow, a malicious or broken NTLM server could trick libcurl to accept a bad length + offset combination that would lead to a buffer read out-of-bounds. PoC

https://curl.haxx.se/docs/CVE-2018-16890.html

PENDING

[CVE-2018-20506] Denial of Service in SQLite3

Reported on : 1 Nov 2018 Shipped on : 13 Dec 2018 Type : DoS In Function : to be confirmed Assertion fault due to malformed PRIMARY KEY DoS in query planner that results when a row-value expression is used with a PRIMARY KEY with redundant column. PoC

https://sqlite.org/src/info/1a84668dcfdebaf12415d

CREATE TABLE t1(a,b,PRIMARY KEY(b,b));
SELECT * FROM t1 WHERE (a,b) IN (VALUES(1,2));

1 2 3 4