Hello and welcome to my software security holes area.
This area documents security holes I have personally found over time in various software packages. These security holes were typically found during software code auditing, or more recently, black-box analysis / penetration testing too.
All discoveries were ethically reported. Some of these discoveries were sponsored by my employer, Google. We're always hiring for security.
NEW! This page is poorly maintained for the time being. You probably just want to get news by subscribing to me on Twitter: scarybeasts
NEW! In case you want to subscribe to a feed, I'll blog all new things at http://scarybeastsecurity.blogspot.com/
NEW! I've archived my colleague Tavis Ormandy's excellent reports on gzip, here and libtiff, here. They are worth a read.
You can contact me at scarybeasts@gmail.com to talk about all things security related!
Disclosure date | Program | Severity | Flaw type(s) | Reference URL |
Aug 5th 2009 | Apple's ColorSync (as used by Safari) | Arbitrary code execution | Heap-based buffer overflow | CESA-2009-011 |
Jul 10th 2009 | WebKit | Possible arbitrary code execution | Off-by-one heap write | CESA-2009-010 (sponsored by Google) |
Jul 10th 2009 | mimetex | Arbitrary code execution | Buffer overflows; information disclosure | CESA-2009-009 (sponsored by Google) |
Jun 10th 2009 | Apple Safari 4 Beta only | Local file theft | XXE | CESA-2009-007 (sponsored by Google) |
Jun 9th 2009 | Apple Safari 3 / pre-production Google Chrome | Cross-domain XML theft | Missing cross-domain check | CESA-2009-008 (sponsored by Google) |
Jun 8th 2009 | Apple Safari | Local file theft | XXE | CESA-2009-006 (sponsored by Google) |
Mar 27th 2009 | Sun Java JRE | Possible arbitrary code execution | Memory access errors | CESA-2009-005 |
Mar 19th 2009 | LittleCMS / lcms (consumers: Firefox, OpenJDK, GIMP, ...) | Arbitrary code execution | Stack-based buffer overflow, integer overflows, memory leak | CESA-2009-003 (sponsored by Google) |
Feb 25th 2009 | Linux kernel (seccomp) | Syscall policy violation | Interesting corner case not considered | CESA-2009-004 |
Feb 24th 2009 | Linux kernel | Send signal that shouldn't be allowed | Interesting corner case not considered | CESA-2009-002 |
Jan 23rd 2009 | Linux syscall filtering technologies, e.g. systrace | Syscall policy violation | Interesting corner case not considered | CESA-2009-001 |
Dec 17th 2008 | Firefox | Cross-domain text theft | Incorrect access check | CESA-2008-011 (sponsored by Google) |
Nov 18th 2008 | Firefox | Probably limited to none | XML injection | CESA-2008-010 |
Nov 17th 2008 | Firefox | Cross-domain image theft | Incorrect access check | CESA-2008-009 (sponsored by Google) |
Oct 19th 2008 | Python | Python VM breakouts | Integer errors | CESA-2008-008 |
Aug 25th 2008 | Webkit nightly | Cross-domain image theft | Design error | CESA-2008-007 |
Jul 31st 2008 | libxslt | Compromise | Heap overflow | CESA-2008-003 (sponsored by Google) |
Jul 14th 2008 | OpenOffice | Unknown (lame - sorry) | Unknown (lame - sorry) | CESA-2008-006 (sponsored by Google) |
Jul 13th 2008 | bzip2 | Seemingly harmless | Buffer overflow | CESA-2008-005 (sponsored by Google) |
Jul 11th 2008 | Apple Safari | Possible compromise | Buffer overflow / double frees | CESA-2008-004 |
Mar 5th 2008 | Sun's Java JDK | DoS / possible compromise | Integer / buffer overflows | CESA-2007-005 (sponsored by Google) |
Feb 27th 2008 | Ghostscript | Compromise | Buffer overflow | CESA-2008-001 (sponsored by Google) |
Feb 13th 2008 | FTP clients (& servers) | FTP data connection theft | Failure to use crypto securely | CESA-2008-002 |
Feb 2nd 2008 | Sun JRE / JDK | File theft / firewall bypass | Logic error / XXE | CESA-2007-002 (sponsored by Google) |
Nov 8th 2007 | Linux kernel | Remote wireless DoS | Integer underflow | CESA-2007-007 |
Nov 7th 2007 | pcre | Compromise | Integer overflows leading to buffer overflows | CESA-2007-006 (sponsored by Google) |
Oct 2nd 2007 | Internet Explorer | XSS | Misdesign | CESA-2007-004 |
Oct 2nd 2007 | Sophos antivirus: another instance of my bzip2 decompression bomb | Decompression bomb | Unknown | http://secunia.com/advisories/26580/ |
Sep 6th 2007 | C++ operator new implementations | Buggy programs have overflows instead of just crashing | Integer overflow | CESA-2007-003 |
May 15th 2007 | lcms | Malicious ICC profile can execute arbitrary code if parsed | Stack-based buffer overflow | CESA-2007-001 |
May 15th 2007 | Sun's Java JDK | Malicious image can execute arbitrary code if parsed | Integer overflow (off-by-one) | CESA-2006-004 (sponsored by Google) |
Dec 19th 2006 | Sun's Java JDK | Malicious applet can execute arbitrary code | Integer and buffer overflows | CESA-2005-008 |
Oct 7th 2006 | OpenBSD / NetBSD kernel | Local privilege escalation | Integer overflow leading to arbitrary NULL byte writes | CESA-2006-003 (sponsored by Google) |
Jun 11th 2006 | freetype | Client / compromise | Integer overflows and abuses | CESA-2006-001 |
Apr 25th 2006 | beagle | Client / possible compromise | Command line injection | CESA-2006-002 |
Jan 6th 2006 | xpdf and derivatives | Client / compromise | Integer overflows and more | CESA-2005-003 |
Nov 6th 2005 | libungif / libgif | Client / compromise | Possible buffer overflow | CESA-2005-007 |
Oct 14th 2005 | Abiword (more RTF trouble) | Client / compromise | Stack and BSS-based buffer overflows | CESA-2005-006 |
Oct 12th 2005 | KWord | Client / compromise | Heap-based buffer overflow | CESA-2005-005 |
Oct 2nd 2005 | Abiword | Client / compromise | Stack-based buffer overflow | CESA-2005-004 |
Sep 22nd 2005 | Apple's RTF libraries (leak or parallel discovery) | Client / compromise | Stack-based buffer overflow | APPLE-SA-2005-007 |
Sep 22nd 2005 | Apple's PDF libraries | Uncharacterized crash | Unknown | CESA-2005-001 |
May 20th 2005 | bzip2 | Decompression bomb | Unknown | CESA-2005-002 |
Nov 1st 2004 | xpdf-3 series | Client / compromise | Integer overflows and signedness | CESA-2004-002 |
Nov 1st 2004 | xpdf-2 and xpdf-3 series | Client / compromise | Integer overflows and signedness | CESA-2004-007 |
Oct 13th 2004 | libtiff | Client / compromise | Heap overflows | CESA-2004-006 |
Sep 15th 2004 | GTK+ | Client / compromise | Stack and heap overflows | CESA-2004-005 |
Sep 15th 2004 | libXpm | Client / compromise | Stack overflow | CESA-2004-003 |
Sep 2nd 2004 | ImageMagick (BMP decoder) | Client / compromise | Heap overflow | CVE-2004-0827 |
Aug 25th 2004 | imlib (BMP decoder) | Client / compromise | Heap overflow | CVE-2004-0817 |
Aug 19th 2004 | qt | Client / compromise | Heap overflow | CESA-2004-004, http://www.securityfocus.com/archive/1/372175/2004-08-17/2004-08-23/0 |
Aug 4th 2004 | libpng | Client / compromise | Buffer and integer overflows | CESA-2004-001, http://www.securityfocus.com/archive/1/370853/2004-08-02/2004-08-08/0 |
Mar 25th 2001 | Linux kernel | Local / Data leak | Integer signedness | http://nic.funet.fi/pub/Linux/PEOPLE/Linus/v2.2/patch-html/patch-2.2.19/linux_net_core_sock.c.html |
Feb 9th 2001 | Linux kernel | Local / Data leak | Integer signedness | http://www.securityfocus.com/archive/1/161764 |
Oct 7th 2000 | iputils | Local / Compromise | Stack and BSS overflows | https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=18611 |
Sep 28th 2000 | traceroute (LBNL) | Local / Compromise | Heap mismanagement | http://www.securityfocus.com/archive/1/136215 |
Sep 26th 2000 | LPRng | Remote / Compromise | Format string | http://www.securityfocus.com/archive/1/85002 |
Jun 28th 2000 | rpc.statd (nfsutils) | Remote / Compromise | Format string | http://www.securityfocus.com/archive/1/67343 |
Jun 20th 2000 | XFree86 (libICE) | Remote / DoS | Integer length overtrust | http://www.securityfocus.com/archive/1/65692 |
Jun 20th 2000 | XFree86 (libX11) | Various; Local / Compromise and Client / Compromise | Overflow, DoS and integer signedness | http://www.securityfocus.com/archive/1/65699 |
Jun 20th 2000 | kon2 | Local / Compromise | Overflow | http://www.securityfocus.com/archive/1/65702 |
Jun 20th 2000 | xdm | Remote / Possible compromise | Overflow | http://www.securityfocus.com/archive/1/65689 |
May 22nd 2000 | gdm | Remote / Compromise | Overflow | http://www.securityfocus.com/archive/1/61099 |
May 18th 2000 | XFree86 (server) | Remote / DoS | Integer signedness | http://www.securityfocus.com/archive/1/60869 |
May 18th 2000 | kerberos (MIT) | Local / Compromise | Overflow / Integer arithmetic | http://www.securityfocus.com/archive/1/60853 |
May 1st 2000 | knfsd (Linux kernel) | Remote / DoS | Integer signedness | http://www.securityfocus.com/archive/1/58033 |
Apr 18th 2000 | xfs (X) | Remote / Possible compromise | Overflow | http://www.securityfocus.com/archive/1/55864 |
Dec 3rd 1999 | ORBit | Remote / DoS (or worse) | Integer signedness | http://www.redhat.com/support/errata/archives/RHSA-1999-058.html |
Oct 21st 1999 | screen (RedHat) | Local / Misbehaviour | Misconfiguration | http://www.securityfocus.com/archive/1/31573 |
Jun 26th 1999 | Accelerated X | Local / Compromise | Overflow | http://www.securityfocus.com/archive/1/16804 |
May 26th 1999 | pop2d (imap) | Remote / Partial compromise | Overflow | http://www.securityfocus.com/archive/1/13917 |
Apr 5th 1999 | procmail | Local / Read any file | File mishandling | http://www.securityfocus.com/archive/1/13125 |
Feb 19th 1999 | zgv | Local / Compromise | Privilege leak | http://www.securityfocus.com/archive/1/12626 |
Feb 8th 1999 | pine | Client / Compromise | Overflow | http://www.securityfocus.com/archive/1/12357 |
Dec 13th 1998 | bootpd | Remote / Compromise | Overflow | http://www.securityfocus.com/archive/1/11558 |
Sep 10th 1998 | jidentd | Remote / Compromise | Overflow | http://www.securityfocus.com/archive/1/10583 |
July 30th 1998 | SysVInit | Local / Securelevel compromise | Overflow | http://www.redhat.com/support/errata/archives/rh50-errata-general.html#SysVinit |
June 13th 1998 | elm | Local / Partial compromise | Overflow | http://lists.nas.nasa.gov/archives/ext/linux-security-audit/1998/06/msg00135.html |
June 1st 1998 | linuxconf | Local / Compromise | Overflow | http://www.securityfocus.com/archive/1/9452 |
June 1st 1998 | bootp (bootpd) | Remote / Compromise | Overflow | http://www.redhat.com/support/errata/archives/rh42-errata-general.html#bootp |
June 1st 1998 | dhcpcd | Client / Compromise | Overflow | http://www.redhat.com/support/errata/archives/rh50-errata-general.html#dhcpcd |
May 27th 1998 | xosview | Local / Compromise | Overflow | http://www.securityfocus.com/archive/1/9410 |
May 18th 1998 | dhcp (dhcpd) | Remote / Compromise | Overflow | http://www.securityfocus.com/archive/1/9347 |
Apr 25th 1998 | cxhextris | Local / Minor | Overflow | http://www.securityfocus.com/archive/1/9092 |
Apr 18th 1998 | lpr (lprm) | Local / Compromise | Overflow | http://www.securityfocus.com/archive/1/9023 |
Apr 8th 1998 | Quake (client) | Client / Compromise | Overflow | http://www.securityfocus.com/archive/1/8948 |
Apr 6th 1998 | Quake (server) | Remote / Compromise | Overflow | http://www.securityfocus.com/archive/1/8932 |
Mar 21st 1998 | mh | Local / Compromise | Overflow | http://www.redhat.com/support/errata/archives/rh42-errata-general.html#mh |
Early 1998 | SunRPC (libc) | Remote / DoS | Integer signedness | http://www.linuxsecurity.org/advisories/freebsd_advisory-1178.html |
Early 1998 | Linux kernel | Local / unauthorized file writing | Logic error | http://www.linuxhq.com/kernel/v2.0/34/mm/mmap.c |
Aug 11th 1997 | Linux kernel | Local / unauthorized file truncation | Logic error | http://www.uwsg.iu.edu/hypermail/linux/kernel/9708.1/0249.html |