Chris Evans: Software security holes found via auditing, fuzzing, etc.

Hello and welcome to my software security holes area.

This area documents security holes I have personally found over time in various software packages. They were typically found during software code auditing or, more recently, through black-box analysis / penetration testing as well.

All discoveries were ethically reported. Some of these discoveries were sponsored by my employer, Google. We're always hiring for security.

NEW! This page is poorly maintained for the time being. You probably just want to get news by subscribing to me on Twitter: scarybeasts

NEW! In case you want to subscribe to a feed, I'll blog all new things at http://scarybeastsecurity.blogspot.com/

NEW! I've archived my colleague Tavis Ormandy's excellent reports on gzip (here) and libtiff (here). They are worth a read.

You can contact me at scarybeasts@gmail.com to talk about all things security related!

| Disclosure date | Program | Severity | Flaw type(s) | Reference URL |
|---|---|---|---|---|
| Aug 5th 2009 | Apple's ColorSync (as used by Safari) | Arbitrary code execution | Heap-based buffer overflow | CESA-2009-011 |
| Jul 10th 2009 | WebKit | Possible arbitrary code execution | Off-by-one heap write | CESA-2009-010 (sponsored by Google) |
| Jul 10th 2009 | mimetex | Arbitrary code execution | Buffer overflows; information disclosure | CESA-2009-009 (sponsored by Google) |
| Jun 10th 2009 | Apple Safari 4 Beta only | Local file theft | XXE | CESA-2009-007 (sponsored by Google) |
| Jun 9th 2009 | Apple Safari 3 / pre-production Google Chrome | Cross-domain XML theft | Missing cross-domain check | CESA-2009-008 (sponsored by Google) |
| Jun 8th 2009 | Apple Safari | Local file theft | XXE | CESA-2009-006 (sponsored by Google) |
| Mar 27th 2009 | Sun Java JRE | Possible arbitrary code execution | Memory access errors | CESA-2009-005 |
| Mar 19th 2009 | LittleCMS / lcms (consumers: Firefox, OpenJDK, GIMP, ...) | Arbitrary code execution | Stack-based buffer overflow, integer overflows, memory leak | CESA-2009-003 (sponsored by Google) |
| Feb 25th 2009 | Linux kernel (seccomp) | Syscall policy violation | Interesting corner case not considered | CESA-2009-004 |
| Feb 24th 2009 | Linux kernel | Send signal that shouldn't be allowed | Interesting corner case not considered | CESA-2009-002 |
| Jan 23rd 2009 | Linux syscall filtering technologies, e.g. systrace | Syscall policy violation | Interesting corner case not considered | CESA-2009-001 |
| Dec 17th 2008 | Firefox | Cross-domain text theft | Incorrect access check | CESA-2008-011 (sponsored by Google) |
| Nov 18th 2008 | Firefox | Probably limited to none | XML injection | CESA-2008-010 |
| Nov 17th 2008 | Firefox | Cross-domain image theft | Incorrect access check | CESA-2008-009 (sponsored by Google) |
| Oct 19th 2008 | Python | Python VM breakouts | Integer errors | CESA-2008-008 |
| Aug 25th 2008 | WebKit nightly | Cross-domain image theft | Design error | CESA-2008-007 |
| Jul 31st 2008 | libxslt | Compromise | Heap overflow | CESA-2008-003 (sponsored by Google) |
| Jul 14th 2008 | OpenOffice | Unknown (lame - sorry) | Unknown (lame - sorry) | CESA-2008-006 (sponsored by Google) |
| Jul 13th 2008 | bzip2 | Seemingly harmless | Buffer overflow | CESA-2008-005 (sponsored by Google) |
| Jul 11th 2008 | Apple Safari | Possible compromise | Buffer overflow / double frees | CESA-2008-004 |
| Mar 5th 2008 | Sun's Java JDK | DoS / possible compromise | Integer / buffer overflows | CESA-2007-005 (sponsored by Google) |
| Feb 27th 2008 | Ghostscript | Compromise | Buffer overflow | CESA-2008-001 (sponsored by Google) |
| Feb 13th 2008 | FTP clients (& servers) | FTP data connection theft | Failure to use crypto securely | CESA-2008-002 |
| Feb 2nd 2008 | Sun JRE / JDK | File theft / firewall bypass | Logic error / XXE | CESA-2007-002 (sponsored by Google) |
| Nov 8th 2007 | Linux kernel | Remote wireless DoS | Integer underflow | CESA-2007-007 |
| Nov 7th 2007 | pcre | Compromise | Integer overflows leading to buffer overflows | CESA-2007-006 (sponsored by Google) |
| Oct 2nd 2007 | Internet Explorer | XSS | Misdesign | CESA-2007-004 |
| Oct 2nd 2007 | Sophos antivirus: another instance of my bzip2 decompression bomb | Decompression bomb | Unknown | http://secunia.com/advisories/26580/ |
| Sep 6th 2007 | C++ operator new implementations | Buggy programs have overflows instead of just crashing | Integer overflow | CESA-2007-003 |
| May 15th 2007 | lcms | Malicious ICC profile can execute arbitrary code if parsed | Stack-based buffer overflow | CESA-2007-001 |
| May 15th 2007 | Sun's Java JDK | Malicious image can execute arbitrary code if parsed | Integer overflow (off-by-one) | CESA-2006-004 (sponsored by Google) |
| Dec 19th 2006 | Sun's Java JDK | Malicious applet can execute arbitrary code | Integer and buffer overflows | CESA-2005-008 |
| Oct 7th 2006 | OpenBSD / NetBSD kernel | Local privilege escalation | Integer overflow leading to arbitrary NULL byte writes | CESA-2006-003 (sponsored by Google) |
| Jun 11th 2006 | freetype | Client / compromise | Integer overflows and abuses | CESA-2006-001 |
| Apr 25th 2006 | beagle | Client / possible compromise | Command line injection | CESA-2006-002 |
| Jan 6th 2006 | xpdf and derivatives | Client / compromise | Integer overflows and more | CESA-2005-003 |
| Nov 6th 2005 | libungif / libgif | Client / compromise | Possible buffer overflow | CESA-2005-007 |
| Oct 14th 2005 | Abiword (more RTF trouble) | Client / compromise | Stack and BSS-based buffer overflows | CESA-2005-006 |
| Oct 12th 2005 | KWord | Client / compromise | Heap-based buffer overflow | CESA-2005-005 |
| Oct 2nd 2005 | Abiword | Client / compromise | Stack-based buffer overflow | CESA-2005-004 |
| Sep 22nd 2005 | Apple's RTF libraries (leak or parallel discovery) | Client / compromise | Stack-based buffer overflow | APPLE-SA-2005-007 |
| Sep 22nd 2005 | Apple's PDF libraries | Uncharacterized crash | Unknown | CESA-2005-001 |
| May 20th 2005 | bzip2 | Decompression bomb | Unknown | CESA-2005-002 |
| Nov 1st 2004 | xpdf-3 series | Client / compromise | Integer overflows and signedness | CESA-2004-002 |
| Nov 1st 2004 | xpdf-2 and xpdf-3 series | Client / compromise | Integer overflows and signedness | CESA-2004-007 |
| Oct 13th 2004 | libtiff | Client / compromise | Heap overflows | CESA-2004-006 |
| Sep 15th 2004 | GTK+ | Client / compromise | Stack and heap overflows | CESA-2004-005 |
| Sep 15th 2004 | libXpm | Client / compromise | Stack overflow | CESA-2004-003 |
| Sep 2nd 2004 | ImageMagick (BMP decoder) | Client / compromise | Heap overflow | CVE-2004-0827 |
| Aug 25th 2004 | imlib (BMP decoder) | Client / compromise | Heap overflow | CVE-2004-0817 |
| Aug 19th 2004 | qt | Client / compromise | Heap overflow | CESA-2004-004, http://www.securityfocus.com/archive/1/372175/2004-08-17/2004-08-23/0 |
| Aug 4th 2004 | libpng | Client / compromise | Buffer and integer overflows | CESA-2004-001, http://www.securityfocus.com/archive/1/370853/2004-08-02/2004-08-08/0 |
| Mar 25th 2001 | Linux kernel | Local / Data leak | Integer signedness | http://nic.funet.fi/pub/Linux/PEOPLE/Linus/v2.2/patch-html/patch-2.2.19/linux_net_core_sock.c.html |
| Feb 9th 2001 | Linux kernel | Local / Data leak | Integer signedness | http://www.securityfocus.com/archive/1/161764 |
| Oct 7th 2000 | iputils | Local / Compromise | Stack and BSS overflows | https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=18611 |
| Sep 28th 2000 | traceroute (LBNL) | Local / Compromise | Heap mismanagement | http://www.securityfocus.com/archive/1/136215 |
| Sep 26th 2000 | LPRng | Remote / Compromise | Format string | http://www.securityfocus.com/archive/1/85002 |
| Jun 28th 2000 | rpc.statd (nfsutils) | Remote / Compromise | Format string | http://www.securityfocus.com/archive/1/67343 |
| Jun 20th 2000 | XFree86 (libICE) | Remote / DoS | Integer length overtrust | http://www.securityfocus.com/archive/1/65692 |
| Jun 20th 2000 | XFree86 (libX11) | Various; Local / Compromise and Client / Compromise | Overflow, DoS and integer signedness | http://www.securityfocus.com/archive/1/65699 |
| Jun 20th 2000 | kon2 | Local / Compromise | Overflow | http://www.securityfocus.com/archive/1/65702 |
| Jun 20th 2000 | xdm | Remote / Possible compromise | Overflow | http://www.securityfocus.com/archive/1/65689 |
| May 22nd 2000 | gdm | Remote / Compromise | Overflow | http://www.securityfocus.com/archive/1/61099 |
| May 18th 2000 | XFree86 (server) | Remote / DoS | Integer signedness | http://www.securityfocus.com/archive/1/60869 |
| May 18th 2000 | kerberos (MIT) | Local / Compromise | Overflow / Integer arithmetic | http://www.securityfocus.com/archive/1/60853 |
| May 1st 2000 | knfsd (Linux kernel) | Remote / DoS | Integer signedness | http://www.securityfocus.com/archive/1/58033 |
| Apr 18th 2000 | xfs (X) | Remote / Possible compromise | Overflow | http://www.securityfocus.com/archive/1/55864 |
| Dec 3rd 1999 | ORBit | Remote / DoS (or worse) | Integer signedness | http://www.redhat.com/support/errata/archives/RHSA-1999-058.html |
| Oct 21st 1999 | screen (RedHat) | Local / Misbehaviour | Misconfiguration | http://www.securityfocus.com/archive/1/31573 |
| Jun 26th 1999 | Accelerated X | Local / Compromise | Overflow | http://www.securityfocus.com/archive/1/16804 |
| May 26th 1999 | pop2d (imap) | Remote / Partial compromise | Overflow | http://www.securityfocus.com/archive/1/13917 |
| Apr 5th 1999 | procmail | Local / Read any file | File mishandling | http://www.securityfocus.com/archive/1/13125 |
| Feb 19th 1999 | zgv | Local / Compromise | Privilege leak | http://www.securityfocus.com/archive/1/12626 |
| Feb 8th 1999 | pine | Client / Compromise | Overflow | http://www.securityfocus.com/archive/1/12357 |
| Dec 13th 1998 | bootpd | Remote / Compromise | Overflow | http://www.securityfocus.com/archive/1/11558 |
| Sep 10th 1998 | jidentd | Remote / Compromise | Overflow | http://www.securityfocus.com/archive/1/10583 |
| July 30th 1998 | SysVInit | Local / Securelevel compromise | Overflow | http://www.redhat.com/support/errata/archives/rh50-errata-general.html#SysVinit |
| June 13th 1998 | elm | Local / Partial compromise | Overflow | http://lists.nas.nasa.gov/archives/ext/linux-security-audit/1998/06/msg00135.html |
| June 1st 1998 | linuxconf | Local / Compromise | Overflow | http://www.securityfocus.com/archive/1/9452 |
| June 1st 1998 | bootp (bootpd) | Remote / Compromise | Overflow | http://www.redhat.com/support/errata/archives/rh42-errata-general.html#bootp |
| June 1st 1998 | dhcpcd | Client / Compromise | Overflow | http://www.redhat.com/support/errata/archives/rh50-errata-general.html#dhcpcd |
| May 27th 1998 | xosview | Local / Compromise | Overflow | http://www.securityfocus.com/archive/1/9410 |
| May 18th 1998 | dhcp (dhcpd) | Remote / Compromise | Overflow | http://www.securityfocus.com/archive/1/9347 |
| Apr 25th 1998 | cxhextris | Local / Minor | Overflow | http://www.securityfocus.com/archive/1/9092 |
| Apr 18th 1998 | lpr (lprm) | Local / Compromise | Overflow | http://www.securityfocus.com/archive/1/9023 |
| Apr 8th 1998 | Quake (client) | Client / Compromise | Overflow | http://www.securityfocus.com/archive/1/8948 |
| Apr 6th 1998 | Quake (server) | Remote / Compromise | Overflow | http://www.securityfocus.com/archive/1/8932 |
| Mar 21st 1998 | mh | Local / Compromise | Overflow | http://www.redhat.com/support/errata/archives/rh42-errata-general.html#mh |
| Early 1998 | SunRPC (libc) | Remote / DoS | Integer signedness | http://www.linuxsecurity.org/advisories/freebsd_advisory-1178.html |
| Early 1998 | Linux kernel | Local / Unauthorized file writing | Logic error | http://www.linuxhq.com/kernel/v2.0/34/mm/mmap.c |
| Aug 11th 1997 | Linux kernel | Local / Unauthorized file truncation | Logic error | http://www.uwsg.iu.edu/hypermail/linux/kernel/9708.1/0249.html |