| # |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
|
1 |
CVE-2013-3266 |
20 |
|
DoS Exec Code Mem. Corr. |
2013-05-02 |
2013-05-02 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
The nfsrvd_readdir function in sys/fs/nfsserver/nfs_nfsdport.c in the new NFS server in FreeBSD 8.0 through 9.1-RELEASE-p3 does not verify that a READDIR request is for a directory node, which allows remote attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code by specifying a plain file instead of a directory. |
|
2 |
CVE-2012-3549 |
|
1
|
DoS |
2012-10-09 |
2013-01-30 |
7.8 |
None |
Remote |
Low |
Not required |
None |
None |
Complete |
|
The SCTP implementation in FreeBSD 8.2 allows remote attackers to cause a denial of service (NULL pointer dereference and kernel panic) via a crafted ASCONF chunk. |
|
3 |
CVE-2012-2143 |
310 |
|
|
2012-07-05 |
2013-04-18 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
The crypt_des (aka DES-based crypt) function in FreeBSD before 9.0-RELEASE-p2, as used in PHP, PostgreSQL, and other products, does not process the complete cleartext password if this password contains a 0x80 character, which makes it easier for context-dependent attackers to obtain access via an authentication attempt with an initial substring of the intended password, as demonstrated by a Unicode password. |
|
4 |
CVE-2011-4862 |
119 |
1
|
Exec Code Overflow |
2011-12-24 |
2012-11-06 |
10.0 |
Admin |
Remote |
Low |
Not required |
Complete |
Complete |
Complete |
|
Buffer overflow in libtelnet/encrypt.c in telnetd in FreeBSD 7.3 through 9.0, MIT Kerberos Version 5 Applications (aka krb5-appl) 1.0.2 and earlier, Heimdal 1.5.1 and earlier, GNU inetutils, and possibly other products allows remote attackers to execute arbitrary code via a long encryption key, as exploited in the wild in December 2011. |
|
5 |
CVE-2011-4122 |
22 |
|
+Priv Dir. Trav. |
2011-11-17 |
2012-01-10 |
6.9 |
None |
Local |
Medium |
Not required |
Complete |
Complete |
Complete |
|
Directory traversal vulnerability in openpam_configure.c in OpenPAM before r478 on FreeBSD 8.1 allows local users to load arbitrary DSOs and gain privileges via a .. (dot dot) in the service_name argument to the pam_start function, as demonstrated by a .. in the -c option to kcheckpass. |
|
6 |
CVE-2011-4062 |
119 |
1
|
DoS Overflow +Priv |
2011-10-17 |
2011-12-12 |
7.2 |
None |
Local |
Low |
Not required |
Complete |
Complete |
Complete |
|
Buffer overflow in the kernel in FreeBSD 7.3 through 9.0-RC1 allows local users to cause a denial of service (panic) or possibly gain privileges via a bind system call with a long pathname for a UNIX socket. |
|
7 |
CVE-2011-2895 |
119 |
|
Exec Code Overflow |
2011-08-19 |
2012-12-18 |
9.3 |
None |
Remote |
Medium |
Not required |
Complete |
Complete |
Complete |
|
The LZW decompressor in (1) the BufCompressedFill function in fontfile/decompress.c in X.Org libXfont before 1.4.4 and (2) compress/compress.c in 4.3BSD, as used in zopen.c in OpenBSD before 3.8, FreeBSD, NetBSD 4.0.x and 5.0.x before 5.0.3 and 5.1.x before 5.1.1, FreeType 2.1.9, and other products, does not properly handle code words that are absent from the decompression table when encountered, which allows context-dependent attackers to trigger an infinite loop or a heap-based buffer overflow, and possibly execute arbitrary code, via a crafted compressed stream, a related issue to CVE-2006-1168 and CVE-2011-2896. |
|
8 |
CVE-2011-2393 |
399 |
|
DoS |
2012-02-02 |
2012-02-03 |
7.8 |
None |
Remote |
Low |
Not required |
None |
None |
Complete |
|
The Neighbor Discovery (ND) protocol implementation in the IPv6 stack in FreeBSD, NetBSD, and possibly other BSD-based operating systems allows remote attackers to cause a denial of service (CPU consumption and device hang) by sending many Router Advertisement (RA) messages with different source addresses, a similar vulnerability to CVE-2010-4670. |
|
9 |
CVE-2011-1739 |
20 |
|
Bypass |
2011-05-03 |
2011-05-31 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
The makemask function in mountd.c in mountd in FreeBSD 7.4 through 8.2 does not properly handle a -network field specifying a CIDR block with a prefix length that is not an integer multiple of 8, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances via an NFS mount request. |
|
10 |
CVE-2011-1074 |
200 |
|
Dir. Trav. +Info |
2011-03-04 |
2011-09-21 |
1.9 |
None |
Local |
Medium |
Not required |
Partial |
None |
None |
|
crontab.c in crontab in FreeBSD allows local users to determine the existence of arbitrary directories via a command-line argument composed of a directory name concatenated with a directory traversal sequence that leads to the /etc/crontab pathname. |
|
11 |
CVE-2011-1073 |
59 |
|
|
2011-03-04 |
2011-09-21 |
1.9 |
None |
Local |
Medium |
Not required |
Partial |
None |
None |
|
crontab.c in crontab in FreeBSD and Apple Mac OS X allows local users to (1) determine the existence of arbitrary files via a symlink attack on a /tmp/crontab.XXXXXXXXXX temporary file and (2) perform MD5 checksum comparisons on arbitrary pairs of files via two symlink attacks on /tmp/crontab.XXXXXXXXXX temporary files. |
|
12 |
CVE-2011-0419 |
399 |
|
DoS |
2011-05-16 |
2012-10-29 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
Stack consumption vulnerability in the fnmatch implementation in apr_fnmatch.c in the Apache Portable Runtime (APR) library before 1.4.3 and the Apache HTTP Server before 2.2.18, and in fnmatch.c in libc in NetBSD 5.1, OpenBSD 4.8, FreeBSD, Apple Mac OS X 10.6, Oracle Solaris 10, and Android, allows context-dependent attackers to cause a denial of service (CPU and memory consumption) via *? sequences in the first argument, as demonstrated by attacks against mod_autoindex in httpd. |
|
13 |
CVE-2010-4755 |
399 |
|
DoS |
2011-03-02 |
2011-09-21 |
4.0 |
None |
Remote |
Low |
Single system |
None |
None |
Partial |
|
The (1) remote_glob function in sftp-glob.c and the (2) process_put function in sftp.c in OpenSSH 5.8 and earlier, as used in FreeBSD 7.3 and 8.1, NetBSD 5.0.2, OpenBSD 4.7, and other products, allow remote authenticated users to cause a denial of service (CPU and memory consumption) via crafted glob expressions that do not match any pathnames, as demonstrated by glob expressions in SSH_FXP_STAT requests to an sftp daemon, a different vulnerability than CVE-2010-2632. |
|
14 |
CVE-2010-4754 |
399 |
|
DoS |
2011-03-02 |
2011-09-21 |
4.0 |
None |
Remote |
Low |
Single system |
None |
None |
Partial |
|
The glob implementation in libc in FreeBSD 7.3 and 8.1, NetBSD 5.0.2, and OpenBSD 4.7, and Libsystem in Apple Mac OS X before 10.6.8, allows remote authenticated users to cause a denial of service (CPU and memory consumption) via crafted glob expressions that do not match any pathnames, as demonstrated by glob expressions in STAT commands to an FTP daemon, a different vulnerability than CVE-2010-2632. |
|
15 |
CVE-2010-4210 |
264 |
|
DoS Exec Code |
2010-11-22 |
2010-11-22 |
7.2 |
None |
Local |
Low |
Not required |
Complete |
Complete |
Complete |
|
The pfs_getextattr function in FreeBSD 7.x before 7.3-RELEASE and 8.x before 8.0-RC1 unlocks a mutex that was not previously locked, which allows local users to cause a denial of service (kernel panic), overwrite arbitrary memory locations, and possibly execute arbitrary code via vectors related to opening a file on a file system that uses pseudofs. |
|
16 |
CVE-2010-3014 |
200 |
|
+Info |
2010-08-20 |
2010-08-23 |
1.2 |
None |
Local |
High |
Not required |
Partial |
None |
None |
|
The Coda filesystem kernel module, as used in NetBSD and FreeBSD, when Coda is loaded and Venus is running with /coda mounted, allows local users to read sensitive heap memory via a large out_size value in a ViceIoctl struct to a Coda ioctl, which triggers a buffer over-read. |
|
17 |
CVE-2010-2693 |
264 |
|
DoS +Priv |
2010-07-13 |
2010-07-14 |
7.2 |
Admin |
Local |
Low |
Not required |
Complete |
Complete |
Complete |
|
FreeBSD 7.1 through 8.1-PRERELEASE does not copy the read-only flag when creating a duplicate mbuf buffer reference, which allows local users to cause a denial of service (system file corruption) and gain privileges via the sendfile system call. |
|
18 |
CVE-2010-2530 |
189 |
|
DoS |
2010-09-29 |
2010-09-30 |
4.9 |
None |
Local |
Low |
Not required |
None |
None |
Complete |
|
Multiple integer signedness errors in smb_subr.c in the netsmb module in the kernel in NetBSD 5.0.2 and earlier, FreeBSD, and Apple Mac OS X allow local users to cause a denial of service (panic) via a negative size value in a /dev/nsmb ioctl operation, as demonstrated by a (1) SMBIOC_LOOKUP or (2) SMBIOC_OPENSESSION ioctl call. |
|
19 |
CVE-2010-2022 |
264 |
|
|
2010-05-28 |
2010-06-01 |
3.3 |
None |
Local |
Medium |
Not required |
Partial |
Partial |
None |
|
jail.c in jail in FreeBSD 8.0 and 8.1-PRERELEASE, when the "-l -U root" options are omitted, does not properly restrict access to the current working directory, which might allow local users to read, modify, or create arbitrary files via standard filesystem operations. |
|
20 |
CVE-2010-2020 |
20 |
2
|
+Priv |
2010-05-28 |
2012-11-05 |
6.9 |
None |
Local |
Medium |
Not required |
Complete |
Complete |
Complete |
|
sys/nfsclient/nfs_vfsops.c in the NFS client in the kernel in FreeBSD 7.2 through 8.1-PRERELEASE, when vfs.usermount is enabled, does not validate the length of a certain fhsize parameter, which allows local users to gain privileges via a crafted mount request. |
|
21 |
CVE-2010-1938 |
189 |
1
|
DoS Exec Code |
2010-05-28 |
2011-07-28 |
9.3 |
None |
Remote |
Medium |
Not required |
Complete |
Complete |
Complete |
|
Off-by-one error in the __opiereadrec function in readrec.c in libopie in OPIE 2.4.1-test1 and earlier, as used on FreeBSD 6.4 through 8.1-PRERELEASE and other platforms, allows remote attackers to cause a denial of service (daemon crash) or possibly execute arbitrary code via a long username, as demonstrated by a long USER command to the FreeBSD 8.0 ftpd. |
|
22 |
CVE-2010-0318 |
264 |
|
|
2010-01-15 |
2011-08-08 |
6.9 |
None |
Local |
Medium |
Not required |
Complete |
Complete |
Complete |
|
The replay functionality for ZFS Intent Log (ZIL) in FreeBSD 7.1, 7.2, and 8.0, when creating files during replay of a setattr transaction, uses 7777 permissions instead of the original permissions, which might allow local users to read or modify unauthorized files in opportunistic circumstances after a system crash or power failure. |
|
23 |
CVE-2009-4358 |
264 |
|
|
2009-12-19 |
2009-12-21 |
4.7 |
None |
Local |
Medium |
Not required |
Complete |
None |
None |
|
freebsd-update in FreeBSD 8.0, 7.2, 7.1, 6.4, and 6.3 uses insecure permissions in its working directory (/var/db/freebsd-update by default), which allows local users to read copies of sensitive files after a (1) freebsd-update fetch (fetch) or (2) freebsd-update upgrade (upgrade) operation. |
|
24 |
CVE-2009-4147 |
264 |
|
+Priv |
2009-12-02 |
2009-12-03 |
7.2 |
Admin |
Local |
Low |
Not required |
Complete |
Complete |
Complete |
|
The _rtld function in the Run-Time Link-Editor (rtld) in libexec/rtld-elf/rtld.c in FreeBSD 7.1 and 8.0 does not clear the (1) LD_LIBMAP, (2) LD_LIBRARY_PATH, (3) LD_LIBMAP_DISABLE, (4) LD_DEBUG, and (5) LD_ELF_HINTS_PATH environment variables, which allows local users to gain privileges by executing a setuid or setguid program with a modified variable containing an untrusted search path that points to a Trojan horse library, different vectors than CVE-2009-4146. |
|
25 |
CVE-2009-4146 |
264 |
|
+Priv |
2009-12-02 |
2009-12-07 |
7.2 |
Admin |
Local |
Low |
Not required |
Complete |
Complete |
Complete |
|
The _rtld function in the Run-Time Link-Editor (rtld) in libexec/rtld-elf/rtld.c in FreeBSD 7.1, 7.2, and 8.0 does not clear the LD_PRELOAD environment variable, which allows local users to gain privileges by executing a setuid or setguid program with a modified LD_PRELOAD variable containing an untrusted search path that points to a Trojan horse library, a different vector than CVE-2009-4147. |
|
26 |
CVE-2009-3527 |
362 |
|
DoS +Priv Mem. Corr. |
2009-10-06 |
2009-10-07 |
6.9 |
Admin |
Local |
Medium |
Not required |
Complete |
Complete |
Complete |
|
Race condition in the Pipe (IPC) close function in FreeBSD 6.3 and 6.4 allows local users to cause a denial of service (crash) or gain privileges via vectors related to kqueues, which triggers a use after free, leading to a NULL pointer dereference or memory corruption. |
|
27 |
CVE-2009-2649 |
264 |
|
DoS |
2009-07-30 |
2009-08-12 |
4.7 |
None |
Local |
Medium |
Not required |
None |
None |
Complete |
|
The IATA (ata) driver in FreeBSD 6.0 and 8.0, when read access to /dev is available, allows local users to cause a denial of service (kernel panic) via a certain IOCTL request with a large count, which triggers a malloc call with a large value. |
|
28 |
CVE-2009-2208 |
264 |
|
|
2009-06-24 |
2009-06-30 |
3.6 |
None |
Local |
Low |
Not required |
None |
Partial |
Partial |
|
FreeBSD 6.3, 6.4, 7.1, and 7.2 does not enforce permissions on the SIOCSIFINFO_IN6 IOCTL, which allows local users to modify or disable IPv6 network interfaces, as demonstrated by modifying the MTU. |
|
29 |
CVE-2009-1935 |
189 |
|
Overflow Bypass |
2009-06-18 |
2009-07-01 |
4.9 |
None |
Local |
Low |
Not required |
Complete |
None |
None |
|
Integer overflow in the pipe_build_write_buffer function (sys/kern/sys_pipe.c) in the direct write optimization feature in the pipe implementation in FreeBSD 7.1 through 7.2 and 6.3 through 6.4 allows local users to bypass virtual-to-physical address lookups and read sensitive information in memory pages via unspecified vectors. |
|
30 |
CVE-2009-1436 |
20 |
|
+Info |
2009-04-27 |
2009-06-15 |
4.9 |
None |
Local |
Low |
Not required |
Complete |
None |
None |
|
The db interface in libc in FreeBSD 6.3, 6.4, 7.0, 7.1, and 7.2-PRERELEASE does not properly initialize memory for Berkeley DB 1.85 database structures, which allows local users to obtain sensitive information by reading a database file. |
|
31 |
CVE-2009-1041 |
119 |
1
|
Overflow |
2009-03-26 |
2009-04-02 |
7.2 |
Admin |
Local |
Low |
Not required |
Complete |
Complete |
Complete |
|
The ktimer feature (sys/kern/kern_time.c) in FreeBSD 7.0, 7.1, and 7.2 allows local users to overwrite arbitrary kernel memory via an out-of-bounds timer value. |
|
32 |
CVE-2009-0689 |
119 |
|
DoS Exec Code Overflow |
2009-07-01 |
2010-11-15 |
6.8 |
User |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Array index error in the (1) dtoa implementation in dtoa.c (aka pdtoa.c) and the (2) gdtoa (aka new dtoa) implementation in gdtoa/misc.c in libc, as used in multiple operating systems and products including in FreeBSD 6.4 and 7.2, NetBSD 5.0, OpenBSD 4.5, Mozilla Firefox 3.0.x before 3.0.15 and 3.5.x before 3.5.4, K-Meleon 1.5.3, SeaMonkey 1.1.8, and other products, allows context-dependent attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a large precision value in the format argument to a printf function, which triggers incorrect memory allocation and a heap-based buffer overflow during conversion to a floating-point number. |
|
33 |
CVE-2009-0641 |
264 |
1
|
Exec Code Bypass |
2009-02-20 |
2009-02-21 |
9.3 |
Admin |
Remote |
Medium |
Not required |
Complete |
Complete |
Complete |
|
sys_term.c in telnetd in FreeBSD 7.0-RELEASE and other 7.x versions deletes dangerous environment variables with a method that was valid only in older FreeBSD distributions, which might allow remote attackers to execute arbitrary code by passing a crafted environment variable from a telnet client, as demonstrated by an LD_PRELOAD value that references a malicious library. |
|
34 |
CVE-2008-5736 |
264 |
2
|
+Priv |
2008-12-26 |
2011-09-21 |
7.2 |
None |
Local |
Low |
Not required |
Complete |
Complete |
Complete |
|
Multiple unspecified vulnerabilities in FreeBSD 6 before 6.4-STABLE, 6.3 before 6.3-RELEASE-p7, 6.4 before 6.4-RELEASE-p1, 7.0 before 7.0-RELEASE-p7, 7.1 before 7.1-RC2, and 7 before 7.1-PRERELEASE allow local users to gain privileges via unknown attack vectors related to function pointers that are "not properly initialized" for (1) netgraph sockets and (2) bluetooth sockets. |
|
35 |
CVE-2008-5162 |
310 |
|
|
2008-11-26 |
2008-12-03 |
6.9 |
None |
Local |
Medium |
Not required |
Complete |
Complete |
Complete |
|
The arc4random function in the kernel in FreeBSD 6.3 through 7.1 does not have a proper entropy source for a short time period immediately after boot, which makes it easier for attackers to predict the function's return values and conduct certain attacks against the GEOM framework and various network protocols, related to the Yarrow random number generator. |
|
36 |
CVE-2008-4609 |
16 |
|
DoS |
2008-10-20 |
2012-07-21 |
7.1 |
None |
Remote |
Medium |
Not required |
None |
None |
Complete |
|
The TCP implementation in (1) Linux, (2) platforms based on BSD Unix, (3) Microsoft Windows, (4) Cisco products, and probably other operating systems allows remote attackers to cause a denial of service (connection queue exhaustion) via multiple vectors that manipulate information in the TCP state table, as demonstrated by sockstress. |
|
37 |
CVE-2008-4247 |
352 |
|
Exec Code CSRF |
2008-09-25 |
2012-10-22 |
7.5 |
User |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
ftpd in OpenBSD 4.3, FreeBSD 7.0, NetBSD 4.0, Solaris, and possibly other operating systems interprets long commands from an FTP client as multiple commands, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks and execute arbitrary FTP commands via a long ftp:// URI that leverages an existing session from the FTP client implementation in a web browser. |
|
38 |
CVE-2008-3890 |
264 |
|
+Priv |
2008-09-05 |
2008-09-10 |
7.2 |
None |
Local |
Low |
Not required |
Complete |
Complete |
Complete |
|
The kernel in FreeBSD 6.3 through 7.0 on amd64 platforms can make an extra swapgs call after a General Protection Fault (GPF), which allows local users to gain privileges by triggering a GPF during the kernel's return from (1) an interrupt, (2) a trap, or (3) a system call. |
|
39 |
CVE-2008-3531 |
119 |
|
Overflow +Priv |
2008-09-05 |
2008-09-24 |
6.9 |
None |
Local |
Medium |
Not required |
Complete |
Complete |
Complete |
|
Stack-based buffer overflow in sys/kern/vfs_mount.c in the kernel in FreeBSD 7.0 and 7.1, when vfs.usermount is enabled, allows local users to gain privileges via a crafted (1) mount or (2) nmount system call, related to copying of "user defined data" in "certain error conditions." |
|
40 |
CVE-2008-3530 |
20 |
|
DoS |
2008-09-05 |
2009-05-16 |
7.1 |
None |
Remote |
Medium |
Not required |
None |
None |
Complete |
|
sys/netinet6/icmp6.c in the kernel in FreeBSD 6.3 through 7.1, NetBSD 3.0 through 4.0, and possibly other operating systems does not properly check the proposed new MTU in an ICMPv6 Packet Too Big Message, which allows remote attackers to cause a denial of service (panic) via a crafted Packet Too Big Message. |
|
41 |
CVE-2008-2476 |
20 |
|
DoS |
2008-10-03 |
2012-10-29 |
9.3 |
None |
Remote |
Medium |
Not required |
Complete |
Complete |
Complete |
|
The IPv6 Neighbor Discovery Protocol (NDP) implementation in (1) FreeBSD 6.3 through 7.1, (2) OpenBSD 4.2 and 4.3, (3) NetBSD, (4) Force10 FTOS before E7.7.1.1, (5) Juniper JUNOS, and (6) Wind River VxWorks 5.x through 6.4 does not validate the origin of Neighbor Discovery messages, which allows remote attackers to cause a denial of service (loss of connectivity) or read private network traffic via a spoofed message that modifies the Forward Information Base (FIB). |
|
42 |
CVE-2008-2464 |
189 |
|
DoS |
2008-09-10 |
2008-09-11 |
7.1 |
None |
Remote |
Medium |
Not required |
None |
None |
Complete |
|
The mld_input function in sys/netinet6/mld6.c in the kernel in NetBSD 4.0, FreeBSD, and KAME, when INET6 is enabled, allows remote attackers to cause a denial of service (divide-by-zero error and panic) via a malformed ICMPv6 Multicast Listener Discovery (MLD) query with a certain Maximum Response Delay value. |
|
43 |
CVE-2008-1391 |
189 |
|
Exec Code Overflow |
2008-03-27 |
2010-06-23 |
7.5 |
User |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Multiple integer overflows in libc in NetBSD 4.x, FreeBSD 6.x and 7.x, and probably other BSD and Apple Mac OS platforms allow context-dependent attackers to execute arbitrary code via large values of certain integer fields in the format argument to (1) the strfmon function in lib/libc/stdlib/strfmon.c, related to the GET_NUMBER macro; and (2) the printf function, related to left_prec and right_prec. |
|
44 |
CVE-2008-1215 |
264 |
|
Overflow +Priv |
2008-03-08 |
2008-09-05 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
Stack-based buffer overflow in the command_Expand_Interpret function in command.c in ppp (aka user-ppp), as distributed in FreeBSD 6.3 and 7.0, OpenBSD 4.1 and 4.2, and the net/userppp package for NetBSD, allows local users to gain privileges via long commands containing "~" characters. |
|
45 |
CVE-2008-0777 |
264 |
|
|
2008-02-14 |
2008-09-05 |
4.9 |
None |
Local |
Low |
Not required |
Complete |
None |
None |
|
The sendfile system call in FreeBSD 5.5 through 7.0 does not check the access flags of the file descriptor used for sending a file, which allows local users to read the contents of write-only files. |
|
46 |
CVE-2008-0217 |
264 |
|
|
2008-01-15 |
2008-09-05 |
6.9 |
None |
Local |
Medium |
Not required |
Complete |
Complete |
Complete |
|
The script program in FreeBSD 5.0 through 7.0-PRERELEASE invokes openpty, which creates a pseudo-terminal with world-readable and world-writable permissions when it is not run as root, which allows local users to read data from the terminal of the user running script. |
|
47 |
CVE-2008-0216 |
264 |
|
|
2008-01-15 |
2008-09-05 |
2.1 |
None |
Local |
Low |
Not required |
None |
Partial |
None |
|
The ptsname function in FreeBSD 6.0 through 7.0-PRERELEASE does not properly verify that a certain portion of a device name is associated with a pty of a user who is calling the pt_chown function, which might allow local users to read data from the pty from another user. |
|
48 |
CVE-2007-6754 |
189 |
|
Overflow |
2012-07-25 |
2012-07-26 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
The ipalloc function in libc/stdlib/malloc.c in jemalloc in libc for FreeBSD 6.4 and NetBSD does not properly allocate memory, which makes it easier for context-dependent attackers to perform memory-related attacks such as buffer overflows via a large size value, related to "integer rounding and overflow" errors. |
|
49 |
CVE-2007-6150 |
200 |
|
Bypass +Info |
2007-11-29 |
2008-11-15 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
The "internal state tracking" code for the random and urandom devices in FreeBSD 5.5, 6.1 through 6.3, and 7.0 beta 4 allows local users to obtain portions of previously-accessed random values, which could be leveraged to bypass protection mechanisms that rely on secrecy of those values. |
|
50 |
CVE-2007-3722 |
|
|
DoS |
2007-07-12 |
2008-11-15 |
2.1 |
None |
Local |
Low |
Not required |
None |
None |
Partial |
|
The 4BSD process scheduler in the FreeBSD kernel performs scheduling based on CPU billing gathered from periodic process sampling ticks, which allows local users to cause a denial of service (CPU consumption) by performing voluntary nanosecond sleeps that result in the process not being active during a clock interrupt, as described in "Secretly Monopolizing the CPU Without Superuser Privileges." |
