├── 2006
├── 2008
├── 2009
├── 2010
├── 2011
├── 2012
├── 2013
├── 2014
├── 2015
├── 2016
├── 2017
├── 2018
├── 2019
├── 2020
├── 2021
├── 2022
├── 2023
├── 2024
├── 2025
├── .gitignore
├── .gitattributes
├── todo
    ├── meta
    ├── urxvt
    ├── cli-passwd
    ├── nel
    ├── debmany
    ├── neomutt
    ├── path-traversal
    ├── tmp-trap
    ├── tmp-bootstrap
    ├── unshar
    ├── linux-vt
    ├── sane
    ├── github
    ├── apt
    ├── perl-tls
    ├── git
    ├── netrc
    ├── cgi
    ├── tmp-edit
    ├── misc
    └── tmp-misc
├── .github
    └── workflows
    │   └── ci.yml
├── Makefile
└── README

/.gitignore:
--------------------------------------------------------------------------------
/stamp
--------------------------------------------------------------------------------

/.gitattributes:
--------------------------------------------------------------------------------
/2* linguist-detectable=true
--------------------------------------------------------------------------------

/todo/meta:
--------------------------------------------------------------------------------
Check which bugs have never been forwarded upstream.
--------------------------------------------------------------------------------

/todo/urxvt:
--------------------------------------------------------------------------------
.. code:: console

   $ printf '\33]50;%s\007' xft:mono-9999

.. vim:ts=3 sts=3 sw=3 et ft=rst
--------------------------------------------------------------------------------

/2006:
--------------------------------------------------------------------------------
.. 2006-07-29

[CVE-2008-7224] ELinks: buffer overflow
 | https://bugs.debian.org/380347

.. vim:ft=rst
--------------------------------------------------------------------------------

/todo/cli-passwd:
--------------------------------------------------------------------------------
* https://manpages.debian.org/trixie/torsocks/torsocks.1.en.html#p,

.. vim:ts=3 sts=3 sw=3 et ft=rst
--------------------------------------------------------------------------------

/2008:
--------------------------------------------------------------------------------
.. 2008-06-25

[CVE-2008-2942] Mercurial: directory traversal
 | https://bugs.debian.org/488628

.. vim:ft=rst
--------------------------------------------------------------------------------

/todo/nel:
--------------------------------------------------------------------------------
U+0085 is considered a line separator in Python,
at least as far as `str.splitlines()` is concerned.

Could this be exploited for smuggling?

.. vim:ts=3 sts=3 sw=3 et ft=rst
--------------------------------------------------------------------------------

/todo/debmany:
--------------------------------------------------------------------------------
Can we abuse symlinks for DoS (or worse)?

Can we abuse ``.so`` requests for DoS (or worse)?

What does ``kfmclient exec`` do exactly?

.. vim:ts=3 sts=3 sw=3 et ft=rst
--------------------------------------------------------------------------------

/todo/neomutt:
--------------------------------------------------------------------------------
NeoMutt (20201127) can delete temporary files it still uses
when you send SIGQUIT at an inopportune moment.

It's not clear how to reproduce this.

.. vim:ts=3 sts=3 sw=3 et ft=rst
--------------------------------------------------------------------------------

/todo/path-traversal:
--------------------------------------------------------------------------------
* https://github.com/intel/cve-bin-tool/blob/v3.4/cve_bin_tool/extractor.py#L167
* https://github.com/intel/cve-bin-tool/blob/v3.4/cve_bin_tool/extractor.py#L277

.. vim:ts=3 sts=3 sw=3 et ft=rst
--------------------------------------------------------------------------------

/2021:
--------------------------------------------------------------------------------
.. 2021-07-22

Debian package ipython: untrusted search path
 | https://www.openwall.com/lists/oss-security/2021/07/22/4

.. 2021-11-18

debian-goodies: dman(1): insecure use of /tmp
 | https://bugs.debian.org/999899

.. vim:ft=rst
--------------------------------------------------------------------------------

/todo/tmp-trap:
--------------------------------------------------------------------------------
* https://sources.debian.org/src/vorbis-tools/1.4.0-11/debian/extra/vorbistagedit/#L86
* https://sourceware.org/git/?p=elfutils.git;a=blob;f=src/make-debug-archive.in;hb=elfutils-0.186#l125
* https://github.com/git/git/blob/v2.39.0/contrib/git-jump/git-jump#L73

.. vim:ts=3 sts=3 sw=3 et ft=rst
--------------------------------------------------------------------------------

/.github/workflows/ci.yml:
--------------------------------------------------------------------------------
name: CI
permissions: {}
on:
- push
- pull_request
jobs:
  main:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v4
    - run: |
        pip install docutils
    - run: |
        make

# vim:ts=2 sts=2 sw=2 et
--------------------------------------------------------------------------------

/todo/tmp-bootstrap:
--------------------------------------------------------------------------------
System bootstrapping into a direct subdirectory of (/var)/tmp
=============================================================

* vmdebootstrap
* https://manpages.debian.org/bullseye/sbuild/sbuild-createchroot.8.en.html#EXAMPLES
* https://sources.debian.org/src/mmdebstrap/0.7.5-2.2/mmdebstrap/?hl=5188#L5186

.. vim:ts=3 sts=3 sw=3 et ft=rst
--------------------------------------------------------------------------------

/todo/unshar:
--------------------------------------------------------------------------------
.. code:: console

   $ printf '#!/bin/sh\ncowsay pwned\n' > test.shar
   $ unshar test.shar
   test.shar:
    _______
   < pwned >
    -------
           \   ^__^
            \  (oo)\_______
               (__)\       )\/\
                   ||----w |
                   ||     ||

.. vim:ts=3 sts=3 sw=3 et ft=rst
--------------------------------------------------------------------------------

/todo/linux-vt:
--------------------------------------------------------------------------------
https://web.archive.org/web/20031005121525/http://securitydigest.org/unix/archive/015
https://lore.kernel.org/kernel-hardening/37ebc366-2d1f-4939-db58-da72fd179418@nmatt.com/
https://lore.kernel.org/kernel-hardening/20170531005633.484a2e14@alans-desktop/
https://lore.kernel.org/kernel-hardening/20170602210544.73680be8@lxorguk.ukuu.org.uk/

.. vim:ts=3 sts=3 sw=3 et ft=rst
--------------------------------------------------------------------------------

/todo/sane:
--------------------------------------------------------------------------------
SANE tries to read config from cwd:

.. code:: console

   $ strace -o '| grep -F /test.conf' scanimage -d test:0 --format pnm -n
   openat(AT_FDCWD, "./test.conf", O_RDONLY) = -1 ENOENT (No such file or directory)
   openat(AT_FDCWD, "/etc/sane.d/test.conf", O_RDONLY) = 3

Could this be exploited beyond DoS?

.. vim:ts=3 sts=3 sw=3 et ft=rst
--------------------------------------------------------------------------------

/todo/github:
--------------------------------------------------------------------------------
* It used to be possible to associate unverified secondary e-mail addresses with commits:
  https://news.ycombinator.com/item?id=26621223

  Is this still the case?

* GitHub Actions runner images have world-writable ``/usr``.
  Huh?!

* Are newly-generated TOTP shared keys sufficiently long?
  https://news.ycombinator.com/item?id=31282917

.. vim:ts=3 sts=3 sw=3 et ft=rst
--------------------------------------------------------------------------------

/todo/apt:
--------------------------------------------------------------------------------
https://bugs.debian.org/990381

The `sources.list(5)`_ man page says:

   The file scheme […] is useful for NFS mounts and local mirrors or archives.

Is ``file://`` with NFS (or another networking fs) secure?

.. _sources.list(5):
   https://manpages.debian.org/bullseye/apt/sources.list.5.en.html#URI_SPECIFICATION

----

Is APT vulnerable to tty hijacking?

.. vim:ts=3 sts=3 sw=3 et ft=rst
--------------------------------------------------------------------------------

/todo/perl-tls:
--------------------------------------------------------------------------------
Perl TLS security
=================

Does any software still use the ``Crypt::SSLeay`` module?

Does any software rely on the ``If-SSL-Cert-Subject`` header?

See also:

* https://github.com/libwww-perl/lwp-protocol-https/issues/13

* `[openssl.org #1425] Request: make X509_NAME_oneline() use same formatter as X509_NAME_print_ex() `_

.. vim:ts=3 sts=3 sw=3 et ft=rst
--------------------------------------------------------------------------------

/2020:
--------------------------------------------------------------------------------
.. 2020-07-06

bashtop: insecure use of /tmp
 | https://bugs.debian.org/964366

bashtop: untrusted search path
 | https://bugs.debian.org/964788

.. 2020-07-23

dash: stack overflow
 | https://bugs.debian.org/966156

.. 2020-07-24

Azure CLI: insecure creation of ssh directory
 | https://github.com/Azure/azure-cli/issues/14517

.. 2020-08-03

bash: stack overflow
 | https://lists.gnu.org/archive/html/bug-bash/2020-08/msg00015.html

.. vim:ft=rst
--------------------------------------------------------------------------------

/2025:
--------------------------------------------------------------------------------
.. 2025-04-23

busybox patch: incomplete fix for directory traversal
 | https://www.openwall.com/lists/oss-security/2025/04/23/3

.. 2025-05-28

Debian package isc-kea: AppArmor profile bypass
 | https://www.openwall.com/lists/oss-security/2025/05/28/11

.. 2025-06-20

cve-bin-tool: path traversal
 | https://www.openwall.com/lists/oss-security/2025/06/20/1

.. 2025-07-24

vet: use of unfaithful pager
 | https://news.ycombinator.com/item?id=44671221

.. vim:ft=rst
--------------------------------------------------------------------------------

/todo/git:
--------------------------------------------------------------------------------
The `git-check-ref-format` man page says:

   4\. [Refnames] cannot have ASCII control characters
   (i.e. bytes whose values are lower than \\040, or \\177 DEL),
   space, tilde ~, caret ^, or colon : anywhere.

But on some terminals (at least Linux console, maybe others)
``CSI`` (U+009B) is equivalent to ``ESC [``.

Maybe related to: https://bugs.debian.org/889680

----

``git remote add`` enables tag fetching,
which is a disaster waiting to happen.

.. vim:ts=3 sts=3 sw=3 et ft=rst
--------------------------------------------------------------------------------

/todo/netrc:
--------------------------------------------------------------------------------
netrc security
==============

(See https://jwilk.net/blog/20131104-netrc-security for background.)

TLS clients with netrc support:

* wget
* curl
* fetchmail
* https://github.com/psf/requests
* https://www.python-httpx.org/
* https://github.com/cli/cli/issues/288
* https://github.com/ytdl-org/youtube-dl
* https://github.com/yt-dlp/yt-dlp
* https://github.com/aio-libs/aiohttp
* https://aria2.github.io/
* https://marlam.de/msmtp/
* w3m

.. vim:ts=3 sts=3 sw=3 et ft=rst
--------------------------------------------------------------------------------

/Makefile:
--------------------------------------------------------------------------------
export LC_ALL=C

rst2xml = $(notdir $(shell command -v rst2xml || echo rst2xml.py))
rst_files = $(wildcard [0-9][0-9][0-9][0-9] README todo/*)
stamp_files = $(addprefix stamp/,$(rst_files))

.PHONY: check
check: $(stamp_files)

stamp/%: %
	$(if $(wildcard $(dir $@)),,mkdir -p $(dir $@))
	$(rst2xml) --input-encoding=UTF-8 --strict $(<) > /dev/null
	grep -E '^[.][.] [0-9]{4}-[0-9]{2}-[0-9]{2}' $(<) | sort -c
	touch $(@)

.PHONY: clean
clean:
	rm -rf stamp

.error = GNU make is required

# vim:ts=4 sts=4 sw=4 noet
--------------------------------------------------------------------------------

/2012:
--------------------------------------------------------------------------------
.. 2012-01-07

rxvt-unicode: insecure use of /tmp in documentation
 | https://bugs.debian.org/654986

.. 2012-02-10

[CVE-2012-0842] surf: insecure cookie jar permissions
 | https://bugs.debian.org/659296

[CVE-2012-0844] NetSurf: insecure cookie jar permissions
 | https://bugs.debian.org/659376

[CVE-2012-0843] uzbl: insecure cookie jar permissions
 | https://bugs.debian.org/659379

.. 2012-02-15

mbank-cli: insecure cookie jar permissions
 | https://github.com/jwilk/mbank-cli/blob/1.6/doc/SECURITY.rst#user-content-2012-02-15-insecure-file-permissions

.. 2012-07-19

Nuitka: insecure use of /tmp
 | https://bugs.debian.org/682145

.. vim:ft=rst
--------------------------------------------------------------------------------

/todo/cgi:
--------------------------------------------------------------------------------
QUERY_STRING
------------

RFC 3875 §4.1.7 says:

   The QUERY_STRING variable contains a URL-encoded search or parameter
   string

Do HTTP servers ensure that the query string is actually URL-encoded?

(Failing to do so would facilitate exploiting argument injection vulnerabilities
in CGI shell scripts.)

HTTP_PROXY
----------

Software supporting the ``HTTP_PROXY`` environment variable:

* https://github.com/thp/urlwatch
* https://github.com/aio-libs/aiohttp
* https://www.python-httpx.org/
* https://github.com/david-dick/firefox-marionette
* https://github.com/s0rg/crawley
* elinks

(See https://httpoxy.org/ for background.)

.. vim:ts=3 sts=3 sw=3 et ft=rst
--------------------------------------------------------------------------------

/2019:
--------------------------------------------------------------------------------
.. 2019-02-25

XML::Parser: shell injection
 | https://bugs.debian.org/923223

Pod::POM: shell injection
 | https://bugs.debian.org/923224

.. 2019-03-01

[CVE-2019-12439] bubblewrap: insecure use of /tmp
 | https://bugs.debian.org/923557

.. 2019-03-09

tvtime: insecure use of /tmp
 | https://bugs.debian.org/924076

.. 2019-03-15

Apport: /var/crash/.lock created insecurely
 | https://bugs.debian.org/924692

Apport: world-writable /var/crash/.lock
 | https://bugs.debian.org/924693

.. 2019-04-02

Double Commander: insecure use of /tmp
 | https://bugs.debian.org/926223

.. 2019-11-05

Debian msmtp: password disclosure
 | https://bugs.debian.org/944188

.. 2019-11-13

bubblewrap: insecure file permissions
 | https://bugs.debian.org/944673

.. vim:ft=rst
--------------------------------------------------------------------------------

/todo/tmp-edit:
--------------------------------------------------------------------------------
Editing files directly in (/var)/tmp
====================================

(See https://www.openwall.com/lists/oss-security/2017/10/31/5 for background.)

* https://git.joeyh.name/index.cgi/moreutils.git/tree/vidir?h=0.67#n118
* https://git.joeyh.name/index.cgi/moreutils.git/tree/vipe?h=0.67#n65
* https://sources.debian.org/src/mailcap/3.69/run-mailcap/
* https://sources.debian.org/src/vorbis-tools/1.4.0-11/debian/extra/vorbistagedit/#L85
* https://sources.debian.org/src/devscripts/2.21.3%2Bdeb11u1/scripts/bts.pl/#L4191
* https://github.com/quodlibet/quodlibet/blob/release-4.5.0/quodlibet/operon/commands.py#L227
* sudoedit(8)
* mutt(1), neomutt(1)
* https://github.com/AlecAivazis/survey/blob/v2.3.5/editor.go#L148
* https://www.cons.org/cracauer/sigint.html (``emacs /tmp/foo``)
* bash (``fc``, ^X^E)
* zsh (``fc``)
* mksh (``fc``)
* ksh93 (``fc``)
* rolo

.. vim:ts=3 sts=3 sw=3 et ft=rst
--------------------------------------------------------------------------------

/2011:
--------------------------------------------------------------------------------
.. 2011-02-25

[CVE-2011-4944] Python: insecure creation of ~/.pypirc
 | https://bugs.debian.org/615118
 | https://bugs.debian.org/650555
 | https://bugs.python.org/issue13512

.. 2011-04-09

libxml2: quadratic complexity
 | https://bugzilla.gnome.org/show_bug.cgi?id=647312

.. 2011-05-25

[CVE-2011-0082] Iceweasel: improper certificate verification for pages loaded from cache
 | https://bugs.debian.org/627552
 | https://bugzilla.mozilla.org/show_bug.cgi?id=660749

.. 2011-07-15

[CVE-2011-5271] Pacemaker: insecure use of /tmp
 | https://bugs.debian.org/633964

.. 2011-09-18

theunarchiver: unar(1): directory traversal
 | https://bugs.debian.org/642028
 | https://code.google.com/archive/p/theunarchiver/issues/392

.. 2011-12-10

[CVE-2011-4606] Rocks'n'Diamonds: insecure permissions of ~/.rocksndiamonds/
 | https://bugs.debian.org/651620

.. vim:ft=rst
--------------------------------------------------------------------------------

/2009:
--------------------------------------------------------------------------------
.. 2009-04-28

Python: email.header.Header allows embedding raw newlines into message
 | https://bugs.python.org/issue5871
 | https://bugs.debian.org/545191

.. 2009-06-26

[CVE-2009-3938] Poppler: buffer overflow
 | https://bugs.debian.org/534680

.. 2009-07-08

lxml: doesn't prevent creation of ill-formed XML
 | https://bugs.debian.org/536273
 | https://bugs.launchpad.net/lxml/+bug/502967

.. 2009-07-08

Python: ElementTree doesn't prevent creation of ill-formed XML (rediscovered)
 | https://bugs.debian.org/536278
 | https://bugs.python.org/issue7599

.. 2009-12-08

mbank-cli: improper certificate validation
 | https://github.com/jwilk/mbank-cli/blob/1.6/doc/SECURITY.rst#user-content-2009-12-08-insufficient-certificate-validation
 | see also CVE-2011-0633

.. 2009-12-10

[CVE-2009-5042] Docutils: rst.el: insecure use of /tmp
 | https://bugs.debian.org/560755

.. vim:ft=rst
--------------------------------------------------------------------------------

/2024:
--------------------------------------------------------------------------------
.. 2024-01-20

debian-goodies: debmany(1) man page: shell injection
 | https://bugs.debian.org/1031267#33

.. 2024-01-25

waybackpack: insecure use of assert (leading to directory traversal)
 | https://github.com/jsvine/waybackpack/pull/75

.. 2024-01-25

waybackpack: directory traversal
 | https://github.com/jsvine/waybackpack/pull/76

.. 2024-01-26

WinFF: shell injection (2nd)
 | https://bugs.debian.org/1053373#17

.. 2024-01-26

WinFF: insecure permissions (re-researched)
 | https://bugs.debian.org/1061586

.. 2024-02-01

`halfdog's tty hijacking write-up `_: incomplete fix for tty hijacking
 | https://www.openwall.com/lists/oss-security/2024/01/31/7

.. 2024-03-27

util-linux: wall(1)/write(1) C1 injection
 | https://www.openwall.com/lists/oss-security/2024/03/27/7

.. 2024-04-05

WinFF: shell injection (3rd)
 | https://bugs.debian.org/1068471

.. 2024-04-12

[CVE-2024-32487] less: shell injection
 | https://www.openwall.com/lists/oss-security/2024/04/12/5

.. 2024-12-16

Python: tarfile directory traversal
 | https://github.com/python/cpython/issues/127987

.. vim:ft=rst
--------------------------------------------------------------------------------

/todo/misc:
--------------------------------------------------------------------------------
* https://salsa.debian.org/reproducible-builds/diffoscope/-/blob/215/diffoscope/comparators/python.py#L79
* https://gitlab.gnome.org/GNOME/gimp/-/blob/GIMP_2_99_12/libgimpbase/gimputils.c#L1278-1295 (pid may be misinterpreted as core)
* https://github.com/util-linux/util-linux/blob/v2.38.1/login-utils/login.c#L475 (chown/chmod race?)
* https://github.com/shadow-maint/shadow/blob/4.12.3/libmisc/chowntty.c#L30 (chown/chmod race?)
* https://github.com/Matthias-Wandel/jhead/blob/3.06.0.1/jhead.c#L321 (is this secure with ``LC_ALL=zh_CN.GBK``?)
* https://github.com/zealdocs/zeal/blob/6fee23700f26ea80/src/libs/core/httpserver.cpp
* https://www.man7.org/linux/man-pages/man5/core.5.html#EXAMPLES
* https://sources.debian.org/src/devscripts/2.23.2/scripts/debootsnap/?hl=511#L496
* https://sources.debian.org/src/devscripts/2.23.2/scripts/debootsnap/?hl=502#L496
* https://sources.debian.org/src/devscripts/2.23.2/scripts/debootsnap/?hl=580#L566
* https://sources.debian.org/src/mmdebstrap/1.3.3-6/gpgvnoexpkeysig/
* https://sources.debian.org/src/debvm/0.2.9/bin/debvm-create/?hl=352#L349
* https://hackerone.com/reports/1283871 (is disabling ``/dev/tty`` access sufficient on macOS?)
* https://github.com/mkalinowski/python-mythes/blob/master/README.md (``LD_LIBRARY_PATH``)
* https://github.com/pypa/pip/blob/6.0/CHANGES.txt#L35
* https://git.savannah.gnu.org/cgit/gettext.git/commit/?id=2406f51927025aec5df668b40096f965a8ec069c ("xgettext: Implement a "reproducible" POT-Creation-Date value.")

.. vim:ts=3 sts=3 sw=3 et ft=rst
--------------------------------------------------------------------------------

/2023:
--------------------------------------------------------------------------------
.. 2023-01-03

pixie: buggy /proc/*pid*/stat parser
 | https://github.com/pixie-io/pixie/issues/678

.. 2023-01-03

user-mode-linux: hostfs directory traversal
 | https://bugs.debian.org/1027833

.. 2023-01-09

rhertzog/message-id-url: shell injection
 | https://github.com/rhertzog/message-id-url/issues/1

.. 2023-01-10

NeoMutt: insecure use of /tmp
 | https://github.com/neomutt/neomutt/issues/3591

.. 2023-01-10

Vim: insecure use of /var/tmp
 | https://bugs.debian.org/1028409

.. 2023-01-11

BPF Compiler Collection: insecure use of /tmp
 | https://bugs.debian.org/1028479

.. 2023-01-17

waybackpack: directory traversal
 | https://github.com/jsvine/waybackpack/issues/63

.. 2023-02-14

[CVE-2023-27635] debian-goodies: debmany(1): shell injection
 | https://bugs.debian.org/1031267

.. 2023-02-25

debian-goodies: debmany(1): option injection
 | https://bugs.debian.org/1031938

.. 2023-03-14

Linux: tty hijacking via TIOCLINUX
 | https://www.openwall.com/lists/oss-security/2023/03/14/3
 | see also CVE-2023-28100

.. 2023-03-16

mmdebstrap: world-writable ``apt.conf``
 | https://gitlab.mister-muffin.de/josch/mmdebstrap/commit/a719ffd20a70fa27

.. 2023-08-11

fnt: directory traversal
 | https://bugs.debian.org/1043469

.. 2023-10-02

WinFF: shell injection
 | https://bugs.debian.org/1053373

.. vim:ft=rst
--------------------------------------------------------------------------------

/2013:
--------------------------------------------------------------------------------
.. 2013-01-03

OpenGrm-NGram: insecure use of /tmp
 | https://lists.debian.org/20130103155531.GA6408@jwilk.net

.. 2013-02-10

fetchmail: --sslfingerprint uses MD5
 | https://bugs.debian.org/700266

.. 2013-02-25

pyspread: insecure creation of ~/.pyspreadrc
 | https://bugs.debian.org/701650

.. 2013-05-22

colortest: insecure use of /tmp
 | https://bugs.debian.org/709282

.. 2013-06-28

Python: gettext: DoS via crafted Plural-Forms
 | https://bugs.python.org/issue18317

.. 2013-07-24

PyICU: use-after-free
 | https://bugs.debian.org/717721

.. 2013-11-04

security threats of ~/.netrc support
 | https://jwilk.net/blog/20131104-netrc-security

.. 2013-11-28

[CVE-2013-6409] adequate: privilege escalation via tty hijacking
 | https://bugs.debian.org/730691

.. 2013-12-10

[CVE-2013-7050] devscripts: uscan(1): remote code execution
 | https://bugs.debian.org/731849

.. 2013-12-12

[CVE-2013-7085] devscripts: uscan(1): remote file deletion
 | https://bugs.debian.org/732006

.. 2013-12-18

[CVE-2013-7325] devscripts: uscan(1): insecure tar extraction
 | https://salsa.debian.org/debian/devscripts/commit/4b7e58ee6000

.. 2013-12-20

uwsgi: untrusted RPATH
 | https://bugs.debian.org/732674

.. 2013-12-25

[CVE-2014-1829] python-requests: password disclosure on redirect
 | https://bugs.debian.org/733108
 | https://github.com/kennethreitz/requests/issues/1885
 | see also CVE-2014-1830

.. vim:ft=rst
--------------------------------------------------------------------------------

/2022:
--------------------------------------------------------------------------------
.. 2022-02-09

Azure CLI: untrusted search path
 | https://bugs.debian.org/1005251

.. 2022-02-21

Jakub's wget-changes: directory traversal
 | https://github.com/jwilk/deb-toolbox/commit/60a7fb55f8f41462

.. 2022-04-19

Jakub's gitardiff: insecure use of git
 | https://github.com/jwilk/gitardiff/commit/94e8a4ab70ddb13a

.. 2022-05-06

[CVE-2022-30688] needrestart: local privilege escalation
 | https://github.com/liske/needrestart/commit/e6e58136e1e3c922

.. 2022-08-22

notmuch-web: XSS
 | https://nmbug.notmuchmail.org/nmweb/show/20220822064717.qftn4tr7cs4r2ian%40jwilk.net

.. 2022-09-15

MuPDF: insecure use of /var/tmp
 | https://bugs.debian.org/1019848

.. 2022-10-10

util-linux: MAC address leak
 | https://github.com/util-linux/util-linux/issues/1837

.. 2022-10-17

man-db: less(1) option injection
 | https://bugs.debian.org/1021951

.. 2022-10-19

jhead: shell injection
 | https://github.com/Matthias-Wandel/jhead/issues/60

.. 2022-11-15

[CVE-2024-26621] Linux: weak ASLR
 | https://bugs.debian.org/1024149

.. 2022-12-12

info: buffer overflow
 | https://bugs.debian.org/1025940

.. 2022-12-13

python-debianbts: missing certificate verification
 | https://bugs.debian.org/1026030

.. 2022-12-23

Poppler: pdfdetach(1): directory traversal
 | https://bugs.debian.org/1026908

.. 2022-12-28

pa: insecure use of /dev/shm
 | https://github.com/biox/pa/issues/7

.. vim:ft=rst
--------------------------------------------------------------------------------

/README:
--------------------------------------------------------------------------------
This repository documents security research of a *certain individual*.

Here, the threshold for what is considered a security issue is intentionally very low.

Some security-related stuff is hosted separately:

* `python-afl `_,
  which enables `American fuzzy lop`_ instrumentation of Python code
* `detsan `_,
  which helps you find sources of non-determinism in C (or C++) programs
* `longutf8 `_ —
  overlong UTF-8 sequence generator
* `traversal-archives `_ —
  archive file samples for testing against directory traversal
* `fuzzing `_ goodies
* `ttyjack `_ —
  proof-of-concept tty hijacking
* `vcsnoop `_ —
  Linux virtual console snooping via TIOCLINUX
* `getenvy `_ —
  LD_PRELOAD library to snoop on ``getenv()`` calls
* `stopgp32 `_ —
  tool to brute-force 32-bit OpenPGP key IDs
* `docbook-xsl-mitm `_ —
  DocBook XSL MitM proxy
* `git-landmine `_ —
  tool to create local malicious git repos
* `unfaithful-less `_ —
  demonstration that less(1) is not a faithful pager
* `url.sh `_ —
  URL/shell-script hybrid
* `abmagick `_ —
  demonstration that ImageMagick can be abused to create arbitrary files
* `cdhttpd `_ —
  HTTP server for testing Content-Disposition
* `crafted.deb `_ —
  various generators of crafted \*.deb packages
* `surrealpath `_ —
  demonstration of ``realpath()`` spoofing

.. _American fuzzy lop:
   https://lcamtuf.coredump.cx/afl/

.. vim:ts=3 sts=3 sw=3 et ft=rst
--------------------------------------------------------------------------------

/2016:
--------------------------------------------------------------------------------
.. 2016-02-15

Plan9 sha1sum: buffer overflow
 | https://bugs.debian.org/814792

.. 2016-02-26

Wine: insecure use of /tmp
 | https://bugs.debian.org/816034

.. 2016-03-03

corekeeper: insecure use of world-writable /var/crash
 | https://bugs.debian.org/924397

corekeeper: insecure argument parsing
 | https://bugs.debian.org/924398

.. 2016-03-20

libdebug: buffer overflow
 | https://gitlab.com/libdebug/libdebug/commit/ec25924ea597

.. 2016-04-20

Mutt: unfaithful pager
 | https://bugs.debian.org/821951

.. 2016-04-22

git: unfaithful pager
 | https://www.openwall.com/lists/oss-security/2016/04/21/9

less: unfaithful pager
 | https://www.openwall.com/lists/oss-security/2016/04/21/9

.. 2016-05-24

check-all-the-things: code execution via pylint
 | https://github.com/collab-qa/check-all-the-things/commit/9c8437c049b1

.. 2016-06-26

pylint: untrusted search path
 | https://github.com/PyCQA/pylint/issues/959

.. 2016-06-27

check-all-the-things: code execution via uscan
 | https://github.com/collab-qa/check-all-the-things/commit/a9f96092970c

.. 2016-06-29

check-all-the-things: code execution via Lintian
 | https://github.com/collab-qa/check-all-the-things/commit/6fb6c41b9309

.. 2016-06-30

List::MoreUtils: untrusted search path
 | https://bugs.debian.org/829138
 | see also CVE-2016-6185

.. 2016-08-03

python.org website: 32-bit OpenPGP key IDs
 | https://github.com/python/pythondotorg/issues/978

.. 2016-09-06

[CVE-2016-7793, CVE-2016-7794] git-hub: missing data sanitization
 | https://github.com/sociomantic-tsunami/git-hub/issues/197

.. 2016-10-07

[CVE-2018-7032] webcheckout: missing URL sanitization
 | https://bugs.debian.org/840014

.. 2016-10-12

pipelight: broken signature validation
 | https://bugs.launchpad.net/pipelight/+bug/1632502

.. 2016-12-25

[CVE-2016-10075] tqdm: insecure use of git
 | https://github.com/tqdm/tqdm/issues/328

.. vim:ft=rst
--------------------------------------------------------------------------------

/2010:
--------------------------------------------------------------------------------
.. 2010-02-06

[CVE-2010-3444] PyFriBidi: buffer overflow
 | https://bugs.debian.org/570068

.. 2010-03-13

[CVE-2010-0398] autokey: insecure use of /tmp
 | https://bugs.launchpad.net/ubuntu/+source/autokey/+bug/538471

.. 2010-07-04

Pylint: code execution
 | https://bugs.debian.org/591676
 | https://github.com/PyCQA/pylint/issues/347

.. 2010-08-06

Babiloo: insecure use of /tmp
 | https://bugs.debian.org/591995
 | possibly CVE-2010-3440

Babiloo: directory traversal on tarball unpacking
 | https://bugs.debian.org/591995
 | possibly CVE-2010-3440
 | see also CVE-2007-4559

.. 2010-09-26

[CVE-2010-4338] ocrodjvu: insecure use of /tmp
 | https://bugs.debian.org/598134

.. 2010-10-01

[CVE-2010-4167] ImageMagick: untrusted search path
 | https://bugs.debian.org/601824

.. 2010-10-14

Debian package no-ip: insecure use of /dev/shm
 | https://bugs.debian.org/601229

.. 2010-10-15

Tesseract: XSS
 | https://groups.google.com/d/topic/tesseract-issues/AdZhdGFkTrA

.. 2010-11-07

Apple's Calendar and Contacts Server: untrusted PYTHONPATH
 | https://bugs.debian.org/605157

distcc: untrusted PYTHONPATH
 | https://bugs.debian.org/605168

GNOME Schedule: untrusted PYTHONPATH
 | https://bugs.debian.org/605167

GNUmed client: untrusted PYTHONPATH
 | https://bugs.debian.org/605159

gquilt: untrusted PYTHONPATH
 | https://bugs.debian.org/605152

Guake: untrusted PYTHONPATH
 | https://bugs.debian.org/605163

IronPython: untrusted IRONPYTHONPATH
 | https://bugs.debian.org/605158

mMass: untrusted PYTHONPATH
 | https://bugs.debian.org/605150

OpenDNSSEC: untrusted PYTHONPATH
 | https://bugs.debian.org/605161

pybliographer: untrusted PYTHONPATH
 | https://bugs.debian.org/605153

PyMca: untrusted PYTHONPATH
 | https://bugs.debian.org/605160

salome: untrusted PYTHONPATH
 | https://bugs.debian.org/605154

SnapPea: untrusted PYTHONPATH
 | https://bugs.debian.org/605151

ibus-anthy: untrusted PYTHONPATH
 | https://bugs.debian.org/605171

ibus-skk: untrusted PYTHONPATH
 | https://bugs.debian.org/605173

ibus-xkbc: untrusted PYTHONPATH
 | https://bugs.debian.org/605176

Divmod Axiom: untrusted PYTHONPATH
 | https://bugs.debian.org/605170

Epsilon: untrusted PYTHONPATH
 | https://bugs.debian.org/605175

matplotlib: untrusted PYTHONPATH in documentation
 | https://bugs.debian.org/605179

omniORB: untrusted PYTHONPATH in documentation
 | https://bugs.debian.org/605188

SQLObject: untrusted PYTHONPATH in documentation
 | https://bugs.debian.org/605183

VPython: untrusted PYTHONPATH in documentation
 | https://bugs.debian.org/605189

PyTables: untrusted PYTHONPATH in documentation
 | https://bugs.debian.org/605180

Python-UNO:
untrusted PYTHONPATH in documentation 120 | | https://bugs.debian.org/605178 121 | 122 | Python: untrusted PYTHONPATH in documentation 123 | | https://bugs.debian.org/605182 124 | | https://bugs.debian.org/605184 125 | | https://bugs.debian.org/605187 126 | 127 | Twisted: untrusted PYTHONPATH in documentation 128 | | https://bugs.debian.org/605190 129 | 130 | .. 2010-11-29 131 | 132 | [CVE-2010-4337] GNU Gnash: insecure use of /tmp 133 | | https://bugs.debian.org/605419 134 | 135 | .. 2010-12-29 136 | 137 | [CVE-2010-1679] dpkg-source(1): directory traversal 138 | | https://lists.gnu.org/archive/html/bug-patch/2010-12/msg00000.html 139 | 140 | [CVE-2010-4651] GNU patch: directory traversal 141 | | https://lists.gnu.org/archive/html/bug-patch/2010-12/msg00000.html 142 | 143 | .. vim:ft=rst 144 | -------------------------------------------------------------------------------- /2018: -------------------------------------------------------------------------------- 1 | .. 2018-01-04 2 | 3 | GNU tar: use-after-free 4 | | https://bugs.debian.org/886352 5 | 6 | .. 2018-01-08 7 | 8 | vmdebootstrap: insecure permissions 9 | | https://bugs.debian.org/886691 10 | 11 | .. 2018-01-09 12 | 13 | Travis CI: insecure OpenPGP key retrieval 14 | | https://news.ycombinator.com/item?id=16101118 15 | 16 | .. 2018-02-18 17 | 18 | GNU patch: stack overflow 19 | | https://bugs.debian.org/890746 20 | 21 | .. 2018-02-28 22 | 23 | rsstail: 32-bit OpenPGP key ID 24 | | https://github.com/flok99/rsstail/pull/27 25 | 26 | .. 2018-03-04 27 | 28 | vim-anywhere: insecure use of /tmp 29 | | https://github.com/cknadler/vim-anywhere/issues/81 30 | 31 | .. 2018-03-09 32 | 33 | `Tina Müller's blog `_: insecure YAML deserialization 34 | | https://github.com/ingydotnet/yaml-libyaml-pm/issues/45#issuecomment-371786236 35 | 36 | .. 2018-03-30 37 | 38 | urxvt plugin confirm-paste: insufficient input validation 39 | | https://lwn.net/Articles/750586/ 40 | 41 | .. 
2018-04-05 42 | 43 | beep: insecure file open 44 | | https://news.ycombinator.com/item?id=16753709 45 | 46 | .. 2018-04-13 47 | 48 | jlint: option injection 49 | | https://bugs.debian.org/895606 50 | 51 | .. 2018-04-23 52 | 53 | Jakub's git-forall: insecure use of git 54 | | https://github.com/jwilk/git-toolbox/commit/22c8544e9c4e6c87 55 | 56 | .. 2018-05-27 57 | 58 | TeX Live: tlmgr(1): 32-bit OpenPGP key IDs 59 | | https://bugs.debian.org/900236 60 | 61 | .. 2018-06-08 62 | 63 | archiver: directory traversal 64 | | https://github.com/mholt/archiver/issues/69 65 | 66 | .. 2018-06-08 67 | 68 | github-backup: denial of service 69 | | https://lwn.net/Articles/756920/ 70 | 71 | .. 2018-07-03 72 | 73 | termtosvg: insecure use of /tmp 74 | | https://github.com/nbedos/termtosvg/issues/12 75 | 76 | .. 2018-07-03 77 | 78 | GNU units: units_cur: missing input validation 79 | | https://bugs.debian.org/902935 80 | 81 | .. 2018-07-07 82 | 83 | alpine-chroot-install: insecure use of /tmp 84 | | https://github.com/alpinelinux/alpine-chroot-install/issues/9 85 | 86 | .. 2018-07-17 87 | 88 | x1carbon2018s3: insecure use of /tmp 89 | | https://github.com/fiji-flo/x1carbon2018s3/issues/5 90 | 91 | .. 2018-08-23 92 | 93 | G'MIC: MITM RCE 94 | | https://bugs.debian.org/907056 95 | 96 | .. 2018-08-25 97 | 98 | Travis CI: insecure OpenPGP key retrieval 99 | | https://www.openwall.com/lists/oss-security/2018/08/25/3 100 | 101 | .. 2018-09-05 102 | 103 | crow: insecure use of pip 104 | | https://github.com/acopar/crow/pull/40 105 | 106 | .. 2018-09-18 107 | 108 | YubiKey-Guide: broken signature verification 109 | | https://github.com/drduh/YubiKey-Guide/pull/70 110 | 111 | .. 2018-09-22 112 | 113 | rvm: broken signature verification 114 | | https://github.com/rvm/rvm/pull/4458 115 | 116 | .. 2018-09-22 117 | 118 | QtWebKit: crash 119 | | https://bugs.debian.org/909366 120 | 121 | .. 
2018-09-27 122 | 123 | GnuPG: import screener bypass via crafted subkey (rediscovered) 124 | | https://bugs.debian.org/909755 125 | 126 | .. 2018-10-23 127 | 128 | devscripts: who-uploads(1): insecure use of /tmp 129 | | https://bugs.debian.org/911720 130 | 131 | .. 2018-10-26 132 | 133 | devscripts: cvs-debi(1), cvs-debrelease(1): insecure use of /tmp 134 | | https://bugs.debian.org/911969 135 | 136 | devscripts: deb-reversion(1): insecure use of /tmp 137 | | https://bugs.debian.org/911969 138 | 139 | devscripts: debsign(1): insecure use of /tmp 140 | | https://bugs.debian.org/911969 141 | 142 | devscripts: dscextract(1): insecure use of /tmp 143 | | https://bugs.debian.org/911969 144 | 145 | devscripts: getbuildlog(1): insecure use of /tmp 146 | | https://bugs.debian.org/911969 147 | 148 | devscripts: mergechanges(1): insecure use of /tmp 149 | | https://bugs.debian.org/911969 150 | 151 | devscripts: pts-subscribe(1): insecure use of /tmp 152 | | https://bugs.debian.org/911969 153 | 154 | devscripts: wnpp-alert(1): insecure use of /tmp 155 | | https://bugs.debian.org/911969 156 | 157 | devscripts: wnpp-check(1): insecure use of /tmp 158 | | https://bugs.debian.org/911969 159 | 160 | .. 2018-11-26 161 | 162 | hungrycat: insecure use of /tmp 163 | | https://github.com/jwilk/hungrycat/commit/f0a4bca711fc899b 164 | 165 | .. 2018-12-06 166 | 167 | pytest: insecure use of /tmp 168 | | https://bugs.debian.org/915803 169 | 170 | .. 2018-12-17 171 | 172 | Perl::Tidy: untrusted file access 173 | | https://bugs.debian.org/916681 174 | 175 | .. 2018-12-28 176 | 177 | beep (proposed patch): directory traversal 178 | | https://github.com/johnath/beep/issues/11#issuecomment-450346961 179 | 180 | beep (proposed patch): information disclosure 181 | | https://github.com/johnath/beep/issues/11#issuecomment-450436645 182 | 183 | .. 
vim:ft=rst 184 | -------------------------------------------------------------------------------- /todo/tmp-misc: -------------------------------------------------------------------------------- 1 | * https://git.savannah.gnu.org/cgit/bash.git/tree/support/bashbug.sh.in?h=bash-5.1#n44 2 | * https://cgit.freedesktop.org/xdg/xdg-utils/tree/scripts/xdg-screensaver.in?h=v1.1.3#n34 3 | * https://gitlab.com/dogtail/dogtail/-/blob/DOGTAIL_0_9_11/dogtail/config.py#L14 4 | * https://github.com/Cisco-Talos/clamav/blob/main/clamsubmit/clamsubmit.c#L660 5 | * https://sourceware.org/git/?p=elfutils.git;a=blob;f=src/make-debug-archive.in;hb=elfutils-0.186#l25 6 | * https://github.com/util-linux/util-linux/blob/v2.37.4/misc-utils/look.1.adoc#examples 7 | * https://github.com/util-linux/util-linux/blob/v2.38.1/misc-utils/uuidd.8.adoc#example 8 | * https://sources.debian.org/src/tracker-miners/2.3.5-2.1/src/tracker-extract/tracker-extract-persistence.c/?hl=49#L41 9 | * https://rr-project.org/ (``cd tmp``) 10 | * https://github.com/gperftools/gperftools/blob/gperftools-2.10/docs/heap_checker.html#L329 11 | * https://github.com/orjail/orjail/blob/v1.1/usr/sbin/orjail#L115 12 | * https://hg.mozilla.org/releases/mozilla-release/file/FIREFOX_101_0_1_RELEASE/toolkit/content/aboutNetworking.js#l306 13 | * https://hg.mozilla.org/releases/mozilla-release/file/FIREFOX_101_0_1_RELEASE/toolkit/content/aboutUrlClassifier.js#l631 14 | * https://github.com/micahflee/torbrowser-launcher/blob/v0.3.5/torbrowser_launcher/common.py#L153 15 | * https://github.com/brendangregg/perf-tools/blob/v1.0/opensnoop#L50 16 | * https://github.com/openjdk/jdk/blob/jdk-18-ga/src/hotspot/share/utilities/vmError.cpp#L1383 (``/tmp/hs_err_pid*.log``) 17 | * https://gitlab.gnome.org/GNOME/gimp/-/blob/GIMP_2_99_12/app/gegl/gimp-gegl.c#L117 18 | * https://gitlab.gnome.org/GNOME/gimp/-/blob/GIMP_2_99_12/app/core/gimp.c#L1225 19 | * https://github.com/JaGoLi/ytdl-gui/blob/3.0/src/mainactions.cpp#L236 20 | * 
https://repo.or.cz/socat.git/blob/tag-1.7.4.3:/doc/socat.yo#l3427 21 | * https://www.gnu.org/software/emacs/manual/html_node/elisp/File-Locks.html#index-lock_002dfile_002dname_002dtransforms 22 | * https://github.com/abiyani/automate-save-page-as/blob/master/README.md (``--destination "/tmp"``) 23 | * https://bugs.debian.org/725434#45 24 | * https://github.com/mariusae/trickle/blob/a2aeb9f30aa3c651/trickled.c#L177 25 | * https://github.com/crigler/dtach/blob/v0.9/dtach.1#L182 26 | * https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/Documentation/admin-guide/README.rst?h=v6.0#n216 27 | * https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/Documentation/firmware-guide/acpi/method-customizing.rst#n40 28 | * https://github.com/rubyzip/rubyzip/blob/v2.3.2/test/path_traversal_test.rb#L43 29 | * https://github.com/KDE/krita/blob/5.1.3/libs/ui/opengl/kis_opengl.cpp#L298 30 | * https://github.com/evilsocket/opensnitch/blob/v1.5.3/daemon/default-config.json#L4 31 | * https://github.com/queer/boxxy/blob/v0.2.5/src/enclosure/fs.rs#L18 32 | * https://github.com/rootless-containers/slirp4netns/tree/v1.2.0#usage 33 | * https://github.com/seccomp/libseccomp/blob/v2.5.4/doc/man/man3/seccomp_export_bpf.3#L85 34 | * https://git.launchpad.net/cloud-init/tree/cloudinit/temp_utils.py?h=23.2#n15 35 | * https://github.com/LibreOffice/core/blob/libreoffice-7.5.4.2/desktop/source/app/cmdlinehelp.cxx#L180 36 | * https://www.cyberciti.biz/faq/linux-unix-reuse-openssh-connection/ 37 | * https://github.com/hanoglu/TermiC/blob/main/TermiC.sh 38 | * https://sources.debian.org/src/apt/2.6.1/cmdline/apt-dump-solver.cc/?hl=79#L75 39 | * https://sources.debian.org/src/apt/2.6.1/doc/offline.dbk/?hl=131#L122 40 | * https://wiki.debian.org/MeetBot#Installing_MeetBot_on_OS_X 41 | * https://github.com/jstrieb/paperify 42 | * https://sources.debian.org/src/sane-backends/1.2.1-2/doc/scanimage.man/#L470 43 | * 
https://manpages.debian.org/bookworm/libsane-common/sane-dll.5.en.html#SANE_CONFIG_DIR 44 | * https://github.com/ziirish/zerocli#examples 45 | * https://github.com/lilydjwg/pssh 46 | * https://man7.org/linux/man-pages/man2/close_range.2.html#EXAMPLES 47 | * https://github.com/gammu/gammu/blob/1.42.0/docs/manual/gammu/index.rst#reporting-bugs 48 | * https://pymotw.com/2/readline/#completing-text 49 | * https://baecher.dev/stdout/reproducible-git-bundles/ 50 | * https://man7.org/linux/man-pages/man3/seccomp_export_bpf.3.html#EXAMPLES 51 | * https://virtio-fs.gitlab.io/howto-qemu.html 52 | * https://sources.debian.org/src/presentty/0.2.1-1.1/README.rst/?hl=75#L66 53 | * https://sources.debian.org/src/mono/6.8.0.105+dfsg-3.6/mono/metadata/attach.c/?hl=205#L190 54 | * https://sources.debian.org/src/snapd/2.62-1/cmd/snap-confine/mount-support.c/#L53 55 | * https://sources.debian.org/src/python-boto3/1.34.46+dfsg-1/boto3/s3/transfer.py/?hl=103#L79 56 | * https://sources.debian.org/src/systemd/255.5-1/test/units/testsuite-54.sh/?hl=20#L18 57 | * https://manpages.debian.org/bookworm/devscripts/dcmd.1.en.html#EXAMPLES 58 | * https://vimdoc.sourceforge.net/htmldoc/spell.html#:mkspell 59 | * https://github.com/h4l/json.bash 60 | * https://github.com/josegonzalez/python-github-backup#github-backup-examples 61 | * https://manpages.debian.org/bookworm/qemu-utils/qemu-nbd.8.en.html#EXAMPLES 62 | * https://github.com/vimpostor/copycat#copycat 63 | * https://sources.debian.org/src/podman/5.4.1+ds1-1/libpod/define/config.go/?hl=12#L10 (``/dev/shm/libpod_lock``) 64 | * https://github.com/naelstrof/slop#practical-applications 65 | * https://github.com/BLAKE3-team/BLAKE3#the-b3sum-utility 66 | * https://github.com/stef/klutshnik#testing 67 | * https://sources.debian.org/src/virtme-ng/1.35-1/virtme/commands/run.py/#L950 68 | * https://github.com/arighi/virtme-ng#examples 69 | 70 | .. 
vim:ts=3 sts=3 sw=3 et ft=rst 71 | -------------------------------------------------------------------------------- /2015: -------------------------------------------------------------------------------- 1 | .. 2015-01-02 2 | 3 | Python: UTF-7 decoder accepts lone surrogates 4 | | (no bug filed, because this appears to be deliberate) 5 | | https://bugs.python.org/issue13333 6 | 7 | Python: JSON decoder accepts lone surrogates 8 | | (no bug filed, because this appears to be deliberate) 9 | | https://docs.python.org/3/library/json.html#character-encodings 10 | 11 | .. 2015-01-02 12 | 13 | [CVE-2015-0556] ARJ: directory traversal 14 | | https://bugs.debian.org/774434 15 | 16 | [CVE-2015-0557] ARJ: directory traversal 17 | | https://bugs.debian.org/774435 18 | 19 | .. 2015-01-02 20 | 21 | ARC: out-of-bounds read 22 | | https://bugs.debian.org/774439 23 | 24 | .. 2015-01-02 25 | 26 | Zoo: directory traversal 27 | | https://bugs.debian.org/774453 28 | 29 | .. 2015-01-03 30 | 31 | vorbis-tools: null pointer dereference 32 | | https://bugs.debian.org/774516 33 | 34 | .. 2015-01-03 35 | 36 | [CVE-2015-9275] ARC: directory traversal 37 | | https://bugs.debian.org/774527 38 | 39 | .. 2015-01-04 40 | 41 | [CVE-2015-0552] gcab: directory traversal 42 | | https://bugs.debian.org/774580 43 | 44 | .. 2015-01-06 45 | 46 | [CVE-2015-4467] libmspack: CHM decompression: division by zero 47 | | https://bugs.debian.org/774725 48 | 49 | [CVE-2015-4468 CVE-2015-4469] libmspack: CHM decompression: pointer arithmetic overflow 50 | | https://bugs.debian.org/774726 51 | 52 | .. 2015-01-09 53 | 54 | theunarchiver: lsar(1): null pointer dereference 55 | | https://bugs.debian.org/774961 56 | 57 | .. 2015-01-09 58 | 59 | star: directory traversal 60 | | https://www.openwall.com/lists/oss-security/2015/01/09/10 61 | 62 | .. 2015-01-09 63 | 64 | [CVE-2015-2063] unace v1.2: buffer overflow 65 | | https://bugs.debian.org/775003 66 | 67 | .. 
2015-01-11 68 | 69 | unace v2.5: stack corruption 70 | | https://bugs.debian.org/775134 71 | 72 | .. 2015-01-11 73 | 74 | [CVE-2015-5700] TeX Live: mktexlsr(1): insecure use of /tmp 75 | | https://bugs.debian.org/775139 76 | 77 | .. 2015-01-12 78 | 79 | DjVuLibre: djvudigital(1): insecure use of /tmp 80 | | https://bugs.debian.org/775193 81 | 82 | .. 2015-01-12 83 | 84 | mutt: smime_keys(1): insecure use of /tmp 85 | | https://bugs.debian.org/775199 86 | 87 | .. 2015-01-12 88 | 89 | [CVE-2015-1196] GNU patch: directory traversal 90 | | https://bugs.debian.org/775227 91 | 92 | .. 2015-01-12 93 | 94 | unalz: unexpected disk access 95 | | https://bugs.debian.org/775233 96 | 97 | .. 2015-01-12 98 | 99 | unalz: buffer overflow 100 | | https://bugs.debian.org/775237 101 | 102 | .. 2015-01-13 103 | 104 | pax-utils: scanelf(1): out-of-bounds read 105 | | https://bugs.debian.org/775270 106 | 107 | .. 2015-01-14 108 | 109 | catdvi: null pointer dereference 110 | | https://bugs.debian.org/775348 111 | 112 | .. 2015-01-14 113 | 114 | util-linux: blkid(1): out-of-bounds read 115 | | https://bugs.debian.org/775374 116 | 117 | .. 2015-01-15 118 | 119 | UPX: reachable assertion 120 | | https://bugs.debian.org/775451 121 | 122 | .. 2015-01-15 123 | 124 | UPX: crash 125 | | https://bugs.debian.org/775455 126 | 127 | .. 2015-01-15 128 | 129 | wxPython: wx.tools.img2py: insecure use of /tmp 130 | | https://bugs.debian.org/775461 131 | 132 | .. 2015-01-15 133 | 134 | wxPython: wx.build.config: insecure use of /tmp 135 | | https://bugs.debian.org/775462 136 | 137 | .. 2015-01-16 138 | 139 | [CVE-2015-4470] libmspack: CAB decompression: out-of-bounds read 140 | | https://bugs.debian.org/775498 141 | 142 | .. 2015-01-16 143 | 144 | [CVE-2015-4471] libmspack: CAB decompression: out-of-bounds read 145 | | https://bugs.debian.org/775499 146 | 147 | .. 
2015-01-18 148 | 149 | [CVE-2015-4472] libmspack: CHM decompression: pointer arithmetic overflow 150 | | https://bugs.debian.org/775687 151 | 152 | .. 2015-01-18 153 | 154 | binutils: readelf(1): out-of-bounds read 155 | | https://bugs.debian.org/775688 156 | 157 | .. 2015-01-20 158 | 159 | [CVE-2015-1395] GNU patch: directory traversal 160 | | https://bugs.debian.org/775873 161 | 162 | .. 2015-01-21 163 | 164 | [CVE-2015-1396] GNU patch: directory traversal 165 | | https://bugs.debian.org/775901 166 | 167 | .. 2015-01-21 168 | 169 | splint: memory corruption 170 | | https://bugs.debian.org/775917 171 | 172 | .. 2015-01-21 173 | 174 | gcab: null pointer dereference 175 | | https://bugs.debian.org/775941 176 | 177 | .. 2015-01-22 178 | 179 | [CVE-2015-9099] LAME: crash 180 | | https://bugs.debian.org/775959 181 | 182 | .. 2015-01-22 183 | 184 | CHMLIB: modulo by zero 185 | | https://bugs.debian.org/775984 186 | 187 | .. 2015-01-22 188 | 189 | TCC: null pointer dereference 190 | | https://bugs.debian.org/775992 191 | 192 | .. 2015-01-24 193 | 194 | QEMU: stack overflow 195 | | https://bugs.debian.org/776161 196 | 197 | .. 2015-01-24 198 | 199 | [CVE-2015-1589] arCHMage: directory traversal 200 | | https://bugs.debian.org/776164 201 | 202 | .. 2015-01-25 203 | 204 | [CVE-2015-1386] Unshield: directory traversal 205 | | https://bugs.debian.org/776193 206 | 207 | .. 2015-01-26 208 | 209 | Unshield: reachable assertion 210 | | https://bugs.debian.org/776238 211 | 212 | Unshield: out-of-bounds read 213 | | https://bugs.debian.org/776239 214 | 215 | .. 2015-01-27 216 | 217 | ZPAQ: out-of-bounds read 218 | | https://bugs.debian.org/776379 219 | 220 | .. 2015-01-27 221 | 222 | Iceweasel: OOM + crash 223 | | https://bugs.debian.org/776423 224 | 225 | .. 2015-01-28 226 | 227 | Iceweasel: site identity spoofing 228 | | https://bugs.debian.org/776439 229 | 230 | .. 2015-02-01 231 | 232 | Git: directory traversal 233 | | https://bugs.debian.org/776779 234 | 235 | .. 
2015-02-02 236 | 237 | miniunzip(1): directory traversal 238 | | https://bugs.debian.org/776831 239 | 240 | .. 2015-02-08 241 | 242 | DjVuLibre: null pointer dereference 243 | | https://bugs.debian.org/777404 244 | 245 | .. 2015-02-08 246 | 247 | netpbm: winicontoppm(1): out-of-bounds read + null pointer dereference 248 | | https://bugs.debian.org/777495 249 | 250 | netpbm: icontopbm(1): buffer overflow 251 | | https://bugs.debian.org/777489 252 | 253 | netpbm: bmptopnm(1): out-of-bounds read 254 | | https://bugs.debian.org/777485 255 | 256 | netpbm: giftopnm(1): out-of-bounds read 257 | | https://bugs.debian.org/777480 258 | 259 | .. 2015-02-09 260 | 261 | netpbm: pnmtofits(1): buffer overflow 262 | | https://bugs.debian.org/777533 263 | 264 | netpbm: pnmtofiasco(1): buffer overflow (rediscovered) 265 | | https://bugs.debian.org/692186 266 | 267 | .. 2015-02-15 268 | 269 | imlib2: GIF loader: null pointer dereference (rediscovered) 270 | | https://bugs.debian.org/773967 271 | 272 | .. 2015-02-16 273 | 274 | dvipng: null pointer dereference 275 | | https://bugs.debian.org/778524 276 | 277 | .. 2015-02-21 278 | 279 | cppcheck: crash 280 | | https://bugs.debian.org/778926 281 | 282 | .. 2015-02-24 283 | 284 | bsdtar: buffer overflow 285 | | https://bugs.debian.org/779158 286 | 287 | .. 2015-02-26 288 | 289 | [CVE-2015-3905] t1utils: t1disasm(1): buffer overflow 290 | | https://bugs.debian.org/779274 291 | 292 | .. 2015-02-28 293 | 294 | [CVE-2015-8985] glibc: regexec(3): reachable assertion 295 | | https://bugs.debian.org/779392 296 | 297 | .. 2015-03-04 298 | 299 | P7ZIP: out-of-bounds read 300 | | https://bugs.debian.org/779723 301 | 302 | .. 2015-03-04 303 | 304 | mpv: memory corruption 305 | | https://bugs.debian.org/779789 306 | 307 | .. 2015-03-05 308 | 309 | jbig2dec: buffer overflow 310 | | https://bugs.debian.org/779849 311 | 312 | .. 
2015-03-09 313 | 314 | TinyXML: reachable assertion 315 | | https://bugs.debian.org/780147 316 | 317 | TinyXML: infinite loop 318 | | https://bugs.debian.org/780149 319 | 320 | TinyXML-2: null pointer dereference 321 | | https://bugs.debian.org/780153 322 | 323 | .. 2015-03-10 324 | 325 | dvbsnoop: out-of-bounds read 326 | | https://bugs.debian.org/780222 327 | 328 | .. 2015-03-11 329 | 330 | rpm2cpio: null pointer dereference 331 | | https://bugs.debian.org/780309 332 | 333 | .. 2015-03-19 334 | 335 | Iceweasel: null pointer dereference in SSLServerCertVerification.cpp 336 | | https://bugs.debian.org/780801 337 | 338 | .. 2015-03-25 339 | 340 | Exiv2: buffer overflow in RIFF video parser 341 | | https://bugs.debian.org/781123 342 | 343 | .. 2015-03-26 344 | 345 | DjVuLibre: crash in JB2Codec 346 | | https://bugs.debian.org/781255 347 | 348 | .. 2015-05-01 349 | 350 | ARJ: out-of-bounds read 351 | | https://bugs.debian.org/783948 352 | 353 | .. 2015-05-01 354 | 355 | mkvtoolnix: reachable assertion 356 | | https://bugs.debian.org/783984 357 | 358 | .. 2015-05-02 359 | 360 | libe-book: PDB parser: null pointer dereference 361 | | https://bugs.debian.org/784080 362 | 363 | .. 2015-05-05 364 | 365 | pdfium: reachable assertion 366 | | https://bugs.chromium.org/p/pdfium/issues/detail?id=152 367 | 368 | .. 2015-05-07 369 | 370 | Exempi: out-of-bounds read 371 | | https://bugs.debian.org/784631 372 | 373 | .. 2015-05-08 374 | 375 | DjVuLibre: insufficient input sanitization in the INCL chunk handling 376 | | https://bugs.debian.org/784785 377 | 378 | .. 2015-05-09 379 | 380 | Gamera: TIFF plugin: out-of-bounds read 381 | | https://bugs.debian.org/784795 382 | 383 | .. 2015-05-09 384 | 385 | didjvu: insecure use of /tmp 386 | | https://github.com/jwilk/didjvu/issues/8 387 | 388 | pdf2djvu: insecure use of /tmp 389 | | https://github.com/jwilk/pdf2djvu/issues/103 390 | 391 | ..
2015-05-10 392 | 393 | DjVuLibre: integer overflow 394 | | https://bugs.debian.org/784919 395 | 396 | .. 2015-05-15 397 | 398 | [CVE-2016-3994] imlib2: GIF loader: out-of-bounds read 399 | | https://bugs.debian.org/785369 400 | 401 | imlib2: BMP loader: infinite loop (rediscovered) 402 | | https://bugs.debian.org/773968 403 | 404 | .. 2015-05-15 405 | 406 | unace v1.2: out-of-bounds read 407 | | https://bugs.debian.org/785377 408 | 409 | .. 2015-05-17 410 | 411 | Gamera: heap-based buffer overflow 412 | | https://bugs.debian.org/785548 413 | 414 | .. 2015-05-20 415 | 416 | woff-tools: out-of-bounds read 417 | | https://bugs.debian.org/785795 418 | 419 | .. 2015-06-03 420 | 421 | OptiPNG: reachable assertion 422 | | https://bugs.debian.org/787647 423 | 424 | .. 2015-06-20 425 | 426 | pbuilder: /tmp exposed to users when bootstrapping 427 | | https://bugs.debian.org/789401 428 | 429 | pbuilder: insecure use of /tmp 430 | | https://bugs.debian.org/789404 431 | 432 | .. 2015-08-15 433 | 434 | APT: insecure use of /tmp 435 | | https://bugs.debian.org/795600 436 | 437 | .. 2015-10-18 438 | 439 | [CVE-2015-8863] jq: heap-based buffer overflow 440 | | https://bugs.debian.org/802231 441 | 442 | .. 2015-10-20 443 | 444 | Lintian: spellintian: untrusted search path 445 | | https://bugs.debian.org/802476 446 | 447 | .. 2015-11-29 448 | 449 | mitmproxy: improper validation of certificate with host mismatch 450 | | https://bugs.debian.org/806637 451 | 452 | .. vim:ft=rst 453 | -------------------------------------------------------------------------------- /2014: -------------------------------------------------------------------------------- 1 | .. 2014-01-09 2 | 3 | [CVE-2014-1402] jinja2: insecure use of /tmp 4 | | https://bugs.debian.org/734747 5 | 6 | .. 2014-01-14 7 | 8 | [CVE-2014-1604] RPLY: insecure use of /tmp 9 | | https://bugs.debian.org/735263 10 | 11 | .. 
2014-01-21 12 | 13 | [CVE-2014-1624] pyxdg: insecure use of /tmp 14 | | https://bugs.debian.org/736247 15 | 16 | .. 2014-01-27 17 | 18 | [CVE-2014-1831] Phusion Passenger: insecure use of /tmp 19 | | https://github.com/phusion/passenger/commit/34b1087870c2 20 | | https://bugs.debian.org/736958 21 | 22 | .. 2014-01-29 23 | 24 | [CVE-2014-1838] logilab-common: insecure use of /tmp 25 | | https://bugs.debian.org/737051 26 | 27 | [CVE-2014-1839] logilab-common: insecure use of /tmp 28 | | https://bugs.debian.org/737051 29 | 30 | .. 2014-01-29 31 | 32 | [CVE-2014-1932] PIL: insecure use of /tmp 33 | | https://bugs.debian.org/737059 34 | | see also CVE-2014-3007 35 | 36 | [CVE-2014-1933] PIL: insecure use of /tmp 37 | | https://bugs.debian.org/737059 38 | 39 | .. 2014-01-29 40 | 41 | [CVE-2014-1934] eyeD3: insecure use of /tmp 42 | | https://bugs.debian.org/737062 43 | 44 | .. 2014-01-30 45 | 46 | [CVE-2014-1936] Byron Rakitzis's rc: insecure use of /tmp in the test suite 47 | | https://bugs.debian.org/737125 48 | 49 | .. 2014-01-30 50 | 51 | Python: doctest: insecure use of /tmp 52 | | https://bugs.python.org/issue20447 53 | 54 | .. 2014-01-30 55 | 56 | [CVE-2014-1833] devscripts: uupdate(1): symlink directory traversal 57 | | https://bugs.debian.org/737160 58 | 59 | .. 2014-01-31 60 | 61 | [CVE-2014-1935] Plan9 rc: insecure use of /tmp 62 | | https://bugs.debian.org/737206 63 | 64 | .. 2014-02-01 65 | 66 | [CVE-2014-1937] Gamera: insecure use of /tmp 67 | | https://bugs.debian.org/737324 68 | 69 | .. 2014-02-02 70 | 71 | [CVE-2001-1593] a2ps: insecure use of /tmp (rediscovered) 72 | | https://bugs.debian.org/737385 73 | 74 | .. 2014-02-03 75 | 76 | [CVE-2014-1876] OpenJDK: unpack200(1): insecure use of /tmp 77 | | https://bugs.debian.org/737562 78 | 79 | .. 2014-02-04 80 | 81 | [CVE-2014-1938] RPLY: insecure use of /tmp (redux) 82 | | https://bugs.debian.org/737627 83 | 84 | .. 
2014-02-05 85 | 86 | [CVE-2014-1858, CVE-2014-1859] NumPy: insecure use of /tmp 87 | | https://bugs.debian.org/737778 88 | 89 | .. 2014-02-06 90 | 91 | [CVE-2014-1875] Capture::Tiny: insecure use of /tmp 92 | | https://bugs.debian.org/737835 93 | 94 | .. 2014-02-13 95 | 96 | Online Python Tutor: sandbox bypass 97 | | https://lists.debian.org/20140409121133.GA2826@jwilk.net 98 | | https://github.com/pgbovine/OnlinePythonTutor/commit/eab7cb1c717a 99 | 100 | .. 2014-02-23 101 | 102 | Python: missing documentation for tar unpacking security 103 | | https://bugs.python.org/issue20749 104 | | see also CVE-2007-4559 105 | 106 | .. 2014-02-24 107 | 108 | [CVE-2014-2093, CVE-2014-2094, CVE-2014-2095, CVE-2014-2096] Catfish: untrusted search path 109 | | https://bugs.debian.org/739958 110 | 111 | .. 2014-03-03 112 | 113 | Perltidy: insecure use of /tmp 114 | | possibly CVE-2014-2277 115 | | https://bugs.debian.org/740670 116 | 117 | .. 2014-03-04 118 | 119 | mozilla-devscripts: xpi-repack(1): insecure use of /tmp 120 | | https://bugs.debian.org/740759 121 | 122 | .. 2014-03-05 123 | 124 | listadmin: insecure use of /tmp 125 | | https://bugs.debian.org/740891 126 | 127 | .. 2014-03-06 128 | 129 | ELinks: improper validation of certificate with host mismatch 130 | | https://bugs.debian.org/740981 131 | 132 | .. 2014-04-13 133 | 134 | [CVE-2014-0471] dpkg-source(1): directory traversal 135 | | https://www.debian.org/security/2014/dsa-2915 136 | | see also CVE-2014-3127 137 | | see also CVE-2014-3227 138 | | see also CVE-2014-3864 139 | | see also CVE-2014-3865 140 | 141 | .. 2014-04-14 142 | 143 | ELinks: HTTP to file:// redirects 144 | | https://bugs.debian.org/744799 145 | 146 | .. 2014-04-15 147 | 148 | [CVE-2014-2893] clang: scan-build(1): insecure use of /tmp 149 | | https://bugs.debian.org/744817 150 | 151 | .. 
2014-05-01 152 | 153 | LWP::Protocol::https: HTTPS_CA_DIR or HTTPS_CA_FILE disables certificate verification for IO::Socket::SSL 154 | | possibly CVE-2014-3230 155 | | https://bugs.debian.org/746579 156 | | https://github.com/libwww-perl/lwp-protocol-https/pull/14 157 | 158 | .. 2014-05-19 159 | 160 | python-vtk6: untrusted RPATH 161 | | https://bugs.debian.org/748667 162 | 163 | .. 2014-05-29 164 | 165 | [CVE-2014-0478] APT: no authentication checks for source packages 166 | | https://bugs.debian.org/749795 167 | 168 | .. 2014-06-01 169 | 170 | OpenSSL: insecure creation of ~/.rnd 171 | | https://bugs.debian.org/750103 172 | 173 | .. 2014-06-14 174 | 175 | [CVE-2015-8621] t-coffee: insecure permissions of ~/.t_coffee 176 | | https://bugs.debian.org/751579 177 | 178 | .. 2014-06-14 179 | 180 | Debian package python-biopython: HOME=/tmp 181 | | https://bugs.debian.org/751586 182 | 183 | .. 2014-06-15 184 | 185 | Ngraph-gtk: XDG_RUNTIME_DIR=/tmp 186 | | https://bugs.debian.org/751664 187 | 188 | .. 2014-06-16 189 | 190 | Debian package tox: HOME=/tmp 191 | | https://bugs.debian.org/751804 192 | 193 | .. 2014-07-06 194 | 195 | APT: "apt-get build-dep *pkgname*" insecure in untrusted directory 196 | | https://bugs.debian.org/754041 197 | 198 | .. 2014-07-09 199 | 200 | OpenJDK 7: untrusted RPATH 201 | | https://bugs.debian.org/754278 202 | 203 | .. 2014-07-11 204 | 205 | mbank-cli: untrusted search path 206 | | https://github.com/jwilk/mbank-cli/blob/1.6/doc/SECURITY.rst#user-content-2014-07-11-insecure-module-search-path 207 | 208 | .. 2014-07-24 209 | 210 | [CVE-2014-0479] reportbug: MITM RCE 211 | | https://www.debian.org/security/2014/dsa-2997 212 | 213 | .. 2014-08-07 214 | 215 | APT: design error of /etc/apt/auth.conf 216 | | https://lists.debian.org/deity/2014/08/msg00020.html 217 | 218 | .. 2014-08-12 219 | 220 | Python: commands.mkarg(): command injection 221 | | https://bugs.python.org/issue22187 222 | 223 | .. 
2014-08-30

Noise: untrusted RPATH
 | https://bugs.debian.org/759868

.. 2014-08-31

ledger: untrusted RPATH
 | https://bugs.debian.org/760110

.. 2014-09-04

GNU Automake: install-sh(1): insecure use of /tmp
 | https://bugs.debian.org/760455

.. 2014-09-14

Debian package openssh: pam_env user_readenv=1 enabled in sshd.pam
 | https://bugs.debian.org/761600
 | see also CVE-2010-4708

.. 2014-09-15

[CVE-2015-0383] OpenJDK 7: insecure use of /tmp/hsperfdata_* (rediscovered)
 | https://bugs.debian.org/761683

.. 2014-09-19

Debian package lilypond: HOME=/tmp
 | https://bugs.debian.org/762230

.. 2014-09-28

Lynx: improper handling of overlong UTF-8 sequences
 | https://bugs.debian.org/763268

Vim: improper handling of overlong UTF-8 sequences
 | (no bug filed, because this appears to be deliberate)
 | https://vimdoc.sourceforge.net/htmldoc/mbyte.html#mbyte-combining

.. 2014-10-06

Ultimate Debian Database: bts-usertags.cgi: XSS
 | https://bugs.debian.org/764199

.. 2014-10-06

bashcheck: insecure use of /tmp
 | https://github.com/hannob/bashcheck/issues/27

.. 2014-10-16

[CVE-2014-9681] procmail: improper environment sanitization (TZ)
 | https://www.openwall.com/lists/oss-security/2014/10/15/24
 | https://bugs.debian.org/772706

.. 2014-10-16

[CVE-2014-9680] sudo: improper environment sanitization (TZ)
 | https://www.openwall.com/lists/oss-security/2014/10/15/24
 | https://bugs.debian.org/772707

.. 2014-10-27

LWP: design error in the If-SSL-Cert-Subject feature (improper validation of certificate with host mismatch)
 | https://github.com/libwww-perl/lwp-protocol-https/issues/13#issuecomment-60663636

..
2014-11-17

gettext: msgunfmt(1): integer overflow
 | https://bugs.debian.org/769901

.. 2014-11-17

procmail: formail(1): buffer overflow
 | https://bugs.debian.org/769937

.. 2014-11-17

procmail: null pointer dereference
 | https://bugs.debian.org/769938

.. 2014-11-27

[CVE-2014-9116] mutt: buffer overflow
 | https://bugs.debian.org/771125
 | https://dev.mutt.org/trac/ticket/3716

.. 2014-11-28

Debian package nvi: insecure use of /var/tmp
 | https://bugs.debian.org/771375

.. 2014-11-29

Debian package netenv: insecure use of /var/tmp
 | https://bugs.debian.org/771458

.. 2014-11-29

netenv: insecure use of /var/tmp
 | https://bugs.debian.org/771786

.. 2014-12-02

Debian package pcp: insecure use of /var/tmp
 | https://bugs.debian.org/771793

.. 2014-12-04

gettext: msgunfmt(1): buffer overflow
 | https://bugs.debian.org/772088

.. 2014-12-08

JSON-GLib: reachable assertion
 | https://bugs.debian.org/772585

.. 2014-12-10

glibc: tzset(3): buffer overflow
 | https://bugs.debian.org/772705
 | https://sourceware.org/bugzilla/show_bug.cgi?id=17715

.. 2014-12-10

t1utils: t1disasm(1): infinite loop
 | https://bugs.debian.org/772774

.. 2014-12-11

[CVE-2014-9556] cabextract: infinite loop
 | https://bugs.debian.org/772891

.. 2014-12-12

dumpasn1.c: excessive iteration
 | https://bugs.debian.org/773041

.. 2014-12-15

qprint: infinite loop
 | https://bugs.debian.org/773186

.. 2014-12-16

HT: null pointer dereference
 | https://bugs.debian.org/773308

..
2014-12-21

[CVE-2014-9732] cabextract: null pointer dereference
 | https://bugs.debian.org/773659

.. 2014-12-22

[CVE-2016-4021] pgpdump: infinite loop
 | https://bugs.debian.org/773747

.. 2014-12-23

e2fsprogs: e2fsck(8): buffer overflow
 | https://bugs.debian.org/773795

.. 2014-12-24

dosfstools: fsck.fat(1): buffer overflow
 | https://bugs.debian.org/773885

.. 2014-12-24

util-linux: fsck.minix(1): crash
 | https://bugs.debian.org/773892

.. 2014-12-27

[CVE-2015-2782] ARJ: buffer overflow
 | https://bugs.debian.org/774015

.. 2014-12-27

theunarchiver: unar(1): crash
 | https://bugs.debian.org/774016

.. 2014-12-27

uwsgi: untrusted RPATH
 | https://bugs.debian.org/774026
 | https://bugs.debian.org/774027

.. 2014-12-27

Zoo: crash
 | https://bugs.debian.org/774032

.. 2014-12-27

rzip: crash
 | https://bugs.debian.org/774037

.. 2014-12-27

lrzip: crash
 | https://bugs.debian.org/774040

.. 2014-12-29

libisofs: null pointer dereference
 | https://bugs.debian.org/774152

.. 2014-12-29

ELinks: excessive iteration
 | https://bugs.debian.org/774159

.. 2014-12-29

UnRAR: directory traversal
 | https://bugs.debian.org/774171

[CVE-2014-9983] RAR: directory traversal
 | https://bugs.debian.org/774172

.. 2014-12-31

libiso9660: crash
 | https://bugs.debian.org/774267

.. 2014-12-31

[CVE-2014-9485] miniunzip(1): directory traversal
 | https://bugs.debian.org/774321

..
vim:ft=rst

--------------------------------------------------------------------------------
/2017:
--------------------------------------------------------------------------------
.. 2017-01-14

check-all-the-things: code execution via ``python -m``
 | https://github.com/collab-qa/check-all-the-things/commit/0b35c329585c

.. 2017-02-04

mitmproxy is open proxy by default (rediscovered)
 | https://github.com/mitmproxy/mitmproxy/issues/1293

.. 2017-02-16

git-spindle: missing data sanitization
 | https://github.com/seveas/git-spindle/issues/154

.. 2017-04-27

check-all-the-things: code execution via perlcritic
 | https://github.com/collab-qa/check-all-the-things/commit/96105db05404

.. 2017-04-29

[CVE-2017-0373] Config::Model: untrusted search path
 | https://github.com/dod38fr/config-model/commit/8f78baf997d1175e6c0efebb89ec7a0dd9203705

[CVE-2017-0374] Config::Model: untrusted search path
 | https://github.com/dod38fr/config-model/commit/9bd64d9ec6c0939166a2216a37d58dd19a725951

.. 2017-05-01

[CVE-2017-8418] RuboCop: insecure use of /tmp
 | https://github.com/rubocop-hq/rubocop/issues/4336

.. 2017-05-06

[CVE-2017-8829] Lintian: insecure YAML validation
 | https://bugs.debian.org/861958

check-all-the-things: code execution via complexity
 | https://github.com/collab-qa/check-all-the-things/commit/c1ffc81cfbbd

check-all-the-things: code execution via rpmlint
 | https://github.com/collab-qa/check-all-the-things/commit/aa3fb92382cc

check-all-the-things: code execution via luacheck
 | https://github.com/collab-qa/check-all-the-things/commit/912717f04dcb

..
2017-05-07

check-all-the-things: code execution via ocaml-lintian
 | https://github.com/collab-qa/check-all-the-things/commit/1bb455634056

check-all-the-things: code execution via puppet-lint
 | https://github.com/collab-qa/check-all-the-things/commit/519eb9488396

.. 2017-05-10

check-all-the-things: code execution via erl_tidy
 | https://github.com/collab-qa/check-all-the-things/commit/f7726abc8332

OpenJDK: java(1): untrusted search path
 | https://www.openwall.com/lists/oss-security/2017/06/13/7

.. 2017-05-14

perlcritic: arbitrary file overwrite via Perl::Tidy
 | https://bugs.debian.org/834213
 | see also CVE-2016-10374

.. 2017-05-25

APT: replay attack
 | https://bugs.debian.org/863317

.. 2017-05-29

Astropy: untrusted file read
 | https://github.com/astropy/astropy/issues/6126

.. 2017-06-11

[CVE-2017-10140] Berkeley DB: untrusted file read
 | https://www.openwall.com/lists/oss-security/2017/06/10/1

.. 2017-06-11

Debian package camo: hardcoded secret key
 | https://bugs.debian.org/864620

.. 2017-06-16

[CVE-2017-12837] Perl: heap-based buffer overflow
 | https://rt.perl.org/Ticket/Display.html?id=131582

.. 2017-06-18

[CVE-2017-12883] Perl: out-of-bounds read
 | https://rt.perl.org/Ticket/Display.html?id=131598

.. 2017-06-21

[CVE-2020-10543] Perl: out-of-bounds read
 (TBD)

.. 2017-06-23

glib: information disclosure via pkexec
 | https://www.openwall.com/lists/oss-security/2017/06/23/8

.. 2017-06-25

[CVE-2018-18314] Perl: heap-based buffer overflow
 | https://rt.perl.org/Ticket/Display.html?id=131649

.. 2017-06-26

Limba: runapp: double free
 | https://bugs.debian.org/866040

..
2017-06-27

UnRAR: out-of-bounds read in Unpack::MakeDecodeTables
 (TBD)

.. 2017-07-04

[CVE-2017-12941] UnRAR: out-of-bounds read in Unpack::Unpack20
 | https://www.openwall.com/lists/oss-security/2017/08/14/3

[CVE-2017-12940] UnRAR: out-of-bounds read in EncodeFileName::Decode (rediscovered)
 | https://www.openwall.com/lists/oss-security/2017/08/14/3

.. 2017-07-06

[CVE-2017-12938] UnRAR: directory traversal
 | https://www.openwall.com/lists/oss-security/2017/08/14/3

.. 2017-07-06

ARJ: directory traversal
 | https://bugs.debian.org/867520

.. 2017-07-08

ARJ: out-of-bounds read
 | https://bugs.debian.org/867696

.. 2017-07-09

cppcheck: crash
 | https://bugs.debian.org/867726

.. 2017-07-09

TCC: null pointer dereference
 | https://bugs.debian.org/867769

TCC: null pointer dereference
 | https://bugs.debian.org/867770

.. 2017-07-09

UnRAR: left shift of negative value in Unpack::DecodeAudio
 (TBD)

UnRAR: signed integer overflow in atoilw
 (TBD)

.. 2017-07-10

UnRAR: memmove with null argument in RarVM::SetMemory
 (TBD)

UnRAR: null pointer dereference in Archive::GetComment
 (TBD)

UnRAR: shifting too much in RawRead::GetV
 (TBD)

[CVE-2017-12942] UnRAR: buffer overflow in Unpack::LongLZ
 | https://www.openwall.com/lists/oss-security/2017/08/14/3

.. 2017-07-11

dosfstools: integer overflow
 | https://github.com/dosfstools/dosfstools/pull/57

.. 2017-07-12

t1utils: t1disasm(1): out-of-bounds read
 | https://bugs.debian.org/868134

..
2017-07-12

imlib2: XPM loader: uninitialized memory read
 | https://bugs.debian.org/868151

imlib2: PNM loader: buffer overflow
 | https://bugs.debian.org/868174

imlib2: ARGB loader: invalid free()
 | https://bugs.debian.org/868177

.. 2017-07-14

imlib2: XPM loader: out-of-bounds read
 | https://bugs.debian.org/868310

.. 2017-07-14

dpkg: integer overflow
 | https://bugs.debian.org/868356

.. 2017-07-15

e2fsprogs: e2fsck(8): null pointer dereference
 | https://bugs.debian.org/868476

e2fsprogs: e2fsck(8): division error
 | https://bugs.debian.org/868489

.. 2017-07-16

pev: null pointer dereference
 | https://bugs.debian.org/868554
 | https://github.com/merces/pev/pull/110

pev: uninitialized memory read
 | https://github.com/merces/pev/issues/111

.. 2017-07-17

pev: pehash(1): buffer overflow
 | https://github.com/merces/pev/pull/113

pev: pehash(1): misuse of sprintf()
 | https://github.com/merces/pev/pull/114

pev: pehash(1): buffer underwrite
 | https://github.com/merces/pev/pull/115

pev: pehash(1): buffer overflow
 | https://github.com/merces/pev/pull/116

libpe: pointer arithmetic overflow
 | https://github.com/merces/libpe/pull/16

pev: pehash(1): buffer overflow
 | https://github.com/merces/pev/pull/118

.. 2017-07-18

msitools: msiinfo(1): double free
 | https://bugs.debian.org/868795

.. 2017-07-19

MuPDF: mutool(1): null pointer dereference
 | https://bugs.debian.org/868822

MuPDF: mutool(1): buffer overflow
 | https://bugs.debian.org/868821

.. 2017-07-19

icoutils: wrestool(1): out-of-bounds read
 | https://bugs.debian.org/868879

..
2017-07-20

msitools: msiinfo(1): invalid free
 | https://bugs.debian.org/869082

.. 2017-07-24

DjVuLibre: division by zero
 | https://bugs.debian.org/869527

DjVuLibre: null pointer dereference
 | https://bugs.debian.org/869524

.. 2017-07-24

Exempi: use-after-free (rediscovered)
 | https://bugs.freedesktop.org/show_bug.cgi?id=100397

.. 2017-07-25

Exempi: reachable assertion
 | https://bugs.freedesktop.org/show_bug.cgi?id=101913

Exempi: invalid pointer dereference
 | https://bugs.freedesktop.org/show_bug.cgi?id=101914

.. 2017-07-25

GMime: infinite loop
 | https://bugs.debian.org/869736

.. 2017-07-26

t1utils: t1disasm(1): integer overflow
 | https://bugs.debian.org/869797

.. 2017-07-27

pgpdump: infinite loop
 | https://bugs.debian.org/869891

.. 2017-07-31

GMime: out-of-bounds read
 | https://github.com/jstedfast/gmime/pull/9

GMime: integer overflow
 | https://github.com/jstedfast/gmime/pull/10

.. 2017-07-31

Python: posixpath.realpath(): infinite recursion
 (TBD)

.. 2017-08-07

HT: buffer overflow
 | https://bugs.debian.org/871219

.. 2017-08-08

msitools: msiinfo(1): buffer overflow
 | https://bugs.debian.org/871503

msitools: msiinfo(1): null pointer dereference
 | https://bugs.debian.org/871504

msitools: msiinfo(1): integer overflow
 | https://bugs.debian.org/871529

.. 2017-08-09

e2fsprogs: e2fsck(8): buffer underwrite
 | https://bugs.debian.org/871539

e2fsprogs: e2fsck(8): out-of-bounds read
 | https://bugs.debian.org/871540

..
2017-08-09

msitools: msiinfo(1): invalid pointer dereference
 | https://bugs.debian.org/871571

.. 2017-08-10

Exempi: out-of-bounds read (rediscovered)
 | https://cgit.freedesktop.org/exempi/diff/XMPFiles/source/FileHandlers/PostScript_Handler.cpp?id=6071af09b5e263b63e57b28ab8a78484bc65e3fe

.. 2017-08-10

unalz: null pointer dereference
 | https://bugs.debian.org/871722

.. 2017-08-11

Exempi: infinite loop
 | https://bugs.freedesktop.org/show_bug.cgi?id=102151

.. 2017-08-12

mkvtoolnix: null pointer dereference
 | https://bugs.debian.org/871941

.. 2017-08-13

Exempi: invalid free()
 | https://bugs.freedesktop.org/show_bug.cgi?id=102197

.. 2017-08-16

libisofs: null pointer dereference
 | https://bugs.debian.org/872372

.. 2017-08-17

libisofs: buffer under-read
 | https://bugs.debian.org/872475

.. 2017-08-18

libisofs: heap-based buffer overflow
 | https://bugs.debian.org/872545

libisofs: integer overflow
 | https://bugs.debian.org/872590

.. 2017-08-20

libisofs: stack overflow
 | https://bugs.debian.org/872761

.. 2017-08-25

UPX: crash
 | https://bugs.debian.org/873260

.. 2017-08-30

Exempi: infinite loop
 | https://bugs.freedesktop.org/show_bug.cgi?id=102483

Exempi: infinite loop
 | https://bugs.freedesktop.org/show_bug.cgi?id=102484

.. 2017-08-30

e2fsprogs: e2fsck(8): buffer overflow
 | https://bugs.debian.org/873757

..
2017-09-16

[CVE-2017-14503] libarchive: out-of-bounds read
 | https://bugs.debian.org/875960

[CVE-2017-14501] libarchive: out-of-bounds read
 | https://bugs.debian.org/875966

[CVE-2017-14502] libarchive: out-of-bounds read (rediscovered)
 | https://bugs.debian.org/875974

.. 2017-09-22

gettext: msgunfmt(1): heap corruption
 | https://bugs.debian.org/876498

.. 2017-09-23

[CVE-2017-16844] procmail: formail(1): heap-based buffer overflow
 | https://bugs.debian.org/876511

.. 2017-09-23

NeoMutt: buffer overflow
 | https://github.com/neomutt/neomutt/pull/775

.. 2017-09-24

Mutt, NeoMutt: null pointer dereference
 | https://github.com/neomutt/neomutt/issues/778
 | https://bugs.debian.org/883106

NeoMutt: null pointer dereference
 | https://github.com/neomutt/neomutt/issues/780

.. 2017-09-25

NeoMutt: out-of-bounds read
 | https://github.com/neomutt/neomutt/issues/784

.. 2017-09-27

procmail: formail(1): out-of-bounds read
 | https://bugs.debian.org/876992

.. 2017-09-27

NeoMutt: integer overflow
 | https://github.com/neomutt/neomutt/issues/794

.. 2017-09-28

MuPDF: mutool(1): heap-based buffer overflow
 | https://bugs.debian.org/877062

.. 2017-09-28

maildrop: reformail(1): use-after-free
 | https://bugs.debian.org/877108

.. 2017-09-30

gettext: out-of-bounds read
 | https://lists.gnu.org/archive/html/bug-gettext/2017-09/msg00014.html

.. 2017-09-30

[CVE-2018-12015] Perl: Archive::Tar: directory traversal
 | https://bugs.debian.org/900834

.. 2017-10-04

NeoMutt: integer overflow
 | https://github.com/neomutt/neomutt/issues/819

..
2017-10-05

maildrop: mailbot(1): null pointer dereference
 | https://bugs.debian.org/877793

.. 2017-10-05

NeoMutt: integer overflow
 | https://github.com/neomutt/neomutt/issues/820

.. 2017-10-07

GMime: stack overflow
 | https://github.com/jstedfast/gmime/issues/15

GMime: out-of-bounds read
 | https://github.com/jstedfast/gmime/pull/16

GMime: integer overflow
 | https://github.com/jstedfast/gmime/pull/17

.. 2017-10-08

GNOME Nautilus: directory traversal
 | https://bugs.debian.org/878012

.. 2017-10-09

e2fsprogs: debugfs(8): out-of-bounds read
 | https://bugs.debian.org/878104

.. 2017-10-10

[CVE-2018-6485] glibc: posix_memalign(): integer overflow
 | https://bugs.debian.org/878159

.. 2017-10-11

Ark: directory traversal
 | https://bugs.debian.org/878269

.. 2017-10-11

nomarch: out-of-bounds read
 | https://bugs.debian.org/878260

.. 2017-10-12

ncompress: integer overflow
 | https://github.com/vapier/ncompress/pull/11

.. 2017-10-12

Travis CI: travis-build: insecure use of apt-get
 | https://www.openwall.com/lists/oss-security/2018/08/25/3

.. 2017-10-13

pev: peres(1): uninitialized memory read
 | https://github.com/merces/pev/issues/122

.. 2017-10-14

MirBSD pax: out-of-bounds read
 | https://bugs.debian.org/878512

.. 2017-10-15

MirBSD pax: out-of-bounds write
 | https://bugs.debian.org/878642

MirBSD pax: buffer under-read
 | https://bugs.debian.org/878645

.. 2017-10-15

dash: out-of-bounds write
 | https://bugs.debian.org/878697

..
2017-10-18

mksh: excessive memory use
 | https://bugs.debian.org/878947

.. 2017-10-18

ksh: out-of-bounds read
 | https://bugs.debian.org/879060

.. 2017-10-20

e2fsprogs: e2fsck(8): division by 0
 | https://bugs.debian.org/879220

.. 2017-10-21

ksh: buffer overflow
 | https://bugs.debian.org/879464

.. 2017-10-22

dash -n: code execution (rediscovered)
 | https://bugs.debian.org/858288

.. 2017-10-22

zsh -n: use-after-free
 | https://bugs.debian.org/879548

.. 2017-10-23

zsh -n: excessive use of resources
 | https://bugs.debian.org/879596

.. 2017-10-27

bash -n: out-of-bounds read
 | https://lists.gnu.org/archive/html/bug-bash/2017-10/msg00102.html

.. 2017-10-28

dpkg-deb(1): directory traversal
 | https://bugs.debian.org/879982

.. 2017-10-28

[CVE-2018-14681] libmspack: KWAJ decompression: buffer overflow
 | https://github.com/kyz/libmspack/issues/13

.. 2017-10-29

P7ZIP: out-of-bounds read
 | https://bugs.debian.org/880048

.. 2017-10-29

Perl: deep recursion
 | https://bugs.debian.org/880085

.. 2017-10-31

vim (or vim users): insecure use of /tmp
 | https://www.openwall.com/lists/oss-security/2017/10/31/5

.. 2017-11-02

GNUstep Base Library: use-after-free
 | https://bugs.debian.org/880575

.. 2017-11-02

theunarchiver: lsar(1): unbounded VLA
 | https://bugs.debian.org/880585

.. 2017-11-03

icoutils: wrestool(1): out-of-bounds read
 | https://bugs.debian.org/880684

..
2017-11-04

Debian package nvi: code execution
 | https://bugs.debian.org/769719

nvi: insecure use of /var/tmp
 | https://www.openwall.com/lists/oss-security/2017/11/04/2

.. 2017-11-06

nomarch: buffer overflow
 | https://bugs.debian.org/880959

.. 2017-11-06

lhasa: integer overflow
 | https://github.com/fragglet/lhasa/pull/22

.. 2017-11-09

nvi: insecure use of /var/tmp
 | https://www.openwall.com/lists/oss-security/2017/11/09/3

.. 2017-11-11

fig2dev: buffer overflow
 | https://bugs.debian.org/881396

.. 2017-11-16

gcab: out-of-bounds read
 | https://bugs.debian.org/881922

.. 2017-11-17

fig2dev: buffer overflow
 | https://bugs.debian.org/882021

fig2dev: buffer underwrite
 | https://bugs.debian.org/882022

.. 2017-11-18

theunarchiver: lsar(1): buffer overflow
 | https://bugs.debian.org/882094

.. 2017-11-19

busybox: ar(1): out-of-bounds read
 | https://bugs.debian.org/882175

busybox: unzip(1): insecure permissions
 | https://bugs.debian.org/882177

.. 2017-11-21

zsh -n: null pointer dereference
 | https://bugs.debian.org/882373

.. 2017-12-04

fgcov: insecure use of /tmp
 | https://github.com/Photonios/fgcov/issues/2

.. 2017-12-06

Travis CI: travis-build: 32-bit OpenPGP key IDs
 | https://github.com/travis-ci/travis-build/pull/1269

.. 2017-12-08

debian-goodies: which-pkg-broke(1): untrusted search path
 | https://bugs.debian.org/883889

..
2017-12-18

Jakub's travis-toolbox: broken CA pinning
 | https://github.com/jwilk/travis-toolbox/commit/4002870f55702aac9b29e9018713379791f56642

Jakub's github-toolbox: broken CA pinning
 | https://github.com/jwilk/github-toolbox/commit/9de12c109418ac85c977d86008e67aa9d77fde38

.. vim:ft=rst

--------------------------------------------------------------------------------