In Vim before 8.1.0881, users can circumvent the rvim restricted mode and execute arbitrary OS commands via scripting interfaces (e.g., Python, Ruby, or Lua).

@@ -0,0 +1,107 @@ " Test for "rvim" or "vim -Z"  
source shared.vim  
func Test\_restricted() let cmd \= GetVimCommand('Xrestricted') if cmd \== '' return endif  
call writefile(\[ \\ "silent !ls", \\ "call writefile(\[v:errmsg\], 'Xrestrout')", \\ "qa!", \\ \], 'Xrestricted') call system(cmd . ' -Z') call assert\_match('E145:', join(readfile('Xrestrout')))  
call delete('Xrestricted') call delete('Xrestrout') endfunc  
func Run\_restricted\_test(ex\_cmd, error) let cmd \= GetVimCommand('Xrestricted') if cmd \== '' return endif  
call writefile(\[ \\ a:ex\_cmd, \\ "call writefile(\[v:errmsg\], 'Xrestrout')", \\ "qa!", \\ \], 'Xrestricted') call system(cmd . ' -Z') call assert\_match(a:error, join(readfile('Xrestrout')))  
call delete('Xrestricted') call delete('Xrestrout') endfunc  
func Test\_restricted\_lua() if !has('lua') throw 'Skipped: Lua is not supported' endif call Run\_restricted\_test('lua print("Hello, Vim!")', 'E981:') call Run\_restricted\_test('luado return "hello"', 'E981:') call Run\_restricted\_test('luafile somefile', 'E981:') call Run\_restricted\_test('call luaeval("expression")', 'E145:') endfunc  
func Test\_restricted\_mzscheme() if !has('mzscheme') throw 'Skipped: MzScheme is not supported' endif call Run\_restricted\_test('mzscheme statement', 'E981:') call Run\_restricted\_test('mzfile somefile', 'E981:') call Run\_restricted\_test('call mzeval("expression")', 'E145:') endfunc  
func Test\_restricted\_perl() if !has('perl') throw 'Skipped: Perl is not supported' endif " TODO: how to make Safe mode fail? " call Run\_restricted\_test('perl system("ls")', 'E981:') " call Run\_restricted\_test('perldo system("hello")', 'E981:') " call Run\_restricted\_test('perlfile somefile', 'E981:') " call Run\_restricted\_test('call perleval("system(\\"ls\\")")', 'E145:') endfunc  
func Test\_restricted\_python() if !has('python') throw 'Skipped: Python is not supported' endif call Run\_restricted\_test('python print "hello"', 'E981:') call Run\_restricted\_test('pydo return "hello"', 'E981:') call Run\_restricted\_test('pyfile somefile', 'E981:') call Run\_restricted\_test('call pyeval("expression")', 'E145:') endfunc  
func Test\_restricted\_python3() if !has('python3') throw 'Skipped: Python3 is not supported' endif call Run\_restricted\_test('py3 print "hello"', 'E981:') call Run\_restricted\_test('py3do return "hello"', 'E981:') call Run\_restricted\_test('py3file somefile', 'E981:') call Run\_restricted\_test('call py3eval("expression")', 'E145:') endfunc  
func Test\_restricted\_ruby() if !has('ruby') throw 'Skipped: Ruby is not supported' endif call Run\_restricted\_test('ruby print "Hello"', 'E981:') call Run\_restricted\_test('rubydo print "Hello"', 'E981:') call Run\_restricted\_test('rubyfile somefile', 'E981:') endfunc  
func Test\_restricted\_tcl() if !has('tcl') throw 'Skipped: Tcl is not supported' endif call Run\_restricted\_test('tcl puts "Hello"', 'E981:') call Run\_restricted\_test('tcldo puts "Hello"', 'E981:') call Run\_restricted\_test('tclfile somefile', 'E981:') endfunc

CVE-2019-20807: patch 8.1.0881: can execute shell commands in rvim through interfaces · vim/vim@8c62a08

In QEMU 5.0.0 and earlier, es1370_transfer_audio in hw/audio/es1370.c does not properly validate the frame count, which allows guest OS users to trigger an out-of-bounds access during an es1370_write() operation.

*   Products
    *   Openwall GNU/\*/Linux   _server OS_
    *   Linux Kernel Runtime Guard
    *   John the Ripper   _password cracker_
        *   Free & Open Source for any platform
        *   in the cloud
        *   Pro for Linux
        *   Pro for macOS
    *   Wordlists   _for password cracking_
    *   passwdqc   _policy enforcement_
        *   Free & Open Source for Unix
        *   Pro for Windows (Active Directory)
    *   yescrypt   _KDF & password hashing_
    *   yespower   _Proof-of-Work (PoW)_
    *   crypt\_blowfish   _password hashing_
    *   phpass   _ditto in PHP_
    *   tcb   _better password shadowing_
    *   Pluggable Authentication Modules
    *   scanlogd   _port scan detector_
    *   popa3d   _tiny POP3 daemon_
    *   blists   _web interface to mailing lists_
    *   msulogin   _single user mode login_
    *   php\_mt\_seed   _mt\_rand() cracker_
*   Services
*   Publications
    *   Articles
    *   Presentations
*   Resources
    *   Mailing lists
    *   Community wiki
    *   Source code repositories (GitHub)
    *   Source code repositories (CVSweb)
    *   File archive & mirrors
    *   How to verify digital signatures
    *   OVE IDs
*   What's new

CVE-2020-13361: security - CVE-2020-13361 QEMU: es1370: OOB access due to incorrect frame count leads to DoS

A race condition was found in the mkhomedir tool shipped with the oddjob package in versions before 0.34.5 and 0.34.6 wherein, during the home creation, mkhomedir copies the /etc/skel directory into the newly created home and changes its ownership to the home's user without properly checking the homedir path. This flaw allows an attacker to leverage this issue by creating a symlink point to a target folder, which then has its ownership transferred to the new home directory's unprivileged user.

 Overview  Files  Commits  Branches  Forks  Releases

    CVE-2020-10737: defer setting permissions on newly-created home directories
    
    mkhomedir: add a patch from Matthias Gerstner of the SUSE security team
    to defer setting permissions on newly-created home directories until
    after we've finished populating them, to prevent possible interference
    and attacks from the user who will eventually be given access to the new
    home directory, while it's still being populated (CVE-2020-10737).
    
    Author: Matthias Gerstner
    Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>

CVE-2020-10737: Commit - oddjob - 10b8aaa1564b723a005b53acc069df71313f4cac

A logic flaw in our location bar implementation could have allowed a local attacker to spoof the current location by selecting a different origin and removing focus from the input element. This vulnerability affects Firefox < 76.

**Mozilla Foundation Security Advisory 2020-16**

Announced

May 5, 2020

Impact

critical

Products

Firefox

Fixed in

*   Firefox 76

**#CVE-2020-12387: Use-after-free during worker shutdown**

Reporter

Looben Yang

Impact

critical

**Description**

A race condition when running shutdown code for Web Worker led to a use-after-free vulnerability. This resulted in a potentially exploitable crash.

**References**

*   Bug 1545345

**#CVE-2020-12388: Sandbox escape with improperly guarded Access Tokens**

Reporter

James Forshaw of Google Project Zero

Impact

critical

**Description**

The Firefox content processes did not sufficiently lockdown access control which could result in a sandbox escape.  
_Note: this issue only affects Firefox on Windows operating systems._

**References**

*   Bug 1618911

**#CVE-2020-12389: Sandbox escape with improperly separated process types**

Reporter

Niklas Baumstark

Impact

high

**Description**

The Firefox content processes did not sufficiently lockdown access control which could result in a sandbox escape.  
_Note: this issue only affects Firefox on Windows operating systems._

**References**

*   Bug 1554110

**#CVE-2020-6831: Buffer overflow in SCTP chunk input validation**

Reporter

Natalie Silvanovich of Google Project Zero

Impact

high

**Description**

A buffer overflow could occur when parsing and validating SCTP chunks in WebRTC. This could have led to memory corruption and a potentially exploitable crash.

**References**

*   Bug 1632241

**#CVE-2020-12390: Incorrect serialization of nsIPrincipal.origin for IPv6 addresses**

Reporter

Giorgio Maone

Impact

moderate

**Description**

Incorrect origin serialization of URLs with IPv6 addresses could lead to incorrect security checks

**References**

*   Bug 1141959

**#CVE-2020-12391: Content-Security-Policy bypass using object elements**

Reporter

Giorgio Maone

Impact

moderate

**Description**

Documents formed using `data:` URLs in an `object` element failed to inherit the CSP of the creating context. This allowed the execution of scripts that should have been blocked, albeit with a unique opaque origin.

**References**

*   Bug 1457100

**#CVE-2020-12392: Arbitrary local file access with 'Copy as cURL'**

Reporter

Ophir LOJKINE

Impact

moderate

**Description**

The 'Copy as cURL' feature of Devtools' network tab did not properly escape the HTTP POST data of a request, which can be controlled by the website. If a user used the 'Copy as cURL' feature and pasted the command into a terminal, it could have resulted in the disclosure of local files.

**References**

*   Bug 1614468

**#CVE-2020-12393: Devtools' 'Copy as cURL' feature did not fully escape website-controlled data, potentially leading to command injection**

Reporter

David Yesland

Impact

moderate

**Description**

The 'Copy as cURL' feature of Devtools' network tab did not properly escape the HTTP method of a request, which can be controlled by the website. If a user used the 'Copy as cURL' feature and pasted the command into a terminal, it could have resulted in command injection and arbitrary command execution.  
_Note: this issue only affects Firefox on Windows operating systems._

**References**

*   Bug 1615471

**#CVE-2020-12394: URL spoofing in location bar when unfocussed**

Reporter

Kestrel

Impact

low

**Description**

A logic flaw in our location bar implementation could have allowed a local attacker to spoof the current location by selecting a different origin and removing focus from the input element.

**References**

*   Bug 1628288

**#CVE-2020-12395: Memory safety bugs fixed in Firefox 76 and Firefox ESR 68.8**

Reporter

Mozilla developers and community

Impact

critical

**Description**

Mozilla developers and community members Alexandru Michis, Jason Kratzer, philipp, Ted Campbell, Bas Schouten, André Bargull, and Karl Tomlinson reported memory safety bugs present in Firefox 75 and Firefox ESR 68.7. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

**References**

*   Memory safety bugs fixed in Firefox 76 and Firefox ESR 68.8

**#CVE-2020-12396: Memory safety bugs fixed in Firefox 76**

Reporter

Mozilla developers and community

Impact

high

**Description**

Mozilla developers and community members Frederik Braun, Andrew McCreight, C.M.Chang, and Dan Minor reported memory safety bugs present in Firefox 75. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

**References**

*   Memory safety bugs fixed in Firefox 76

CVE-2020-12394: Security Vulnerabilities fixed in Firefox 76

In Puma (RubyGem) before 4.3.4 and 3.12.5, an attacker could smuggle an HTTP response, by using an invalid transfer-encoding header. The problem has been fixed in Puma 3.12.5 and Puma 4.3.4.

CVE-2020-11076: puma/History.md at master · puma/puma

A denial of service vulnerability exists when .NET Core or .NET Framework improperly handles web requests, aka '.NET Core & .NET Framework Denial of Service Vulnerability'.

CVE-2020-1108

An elevation of privilege vulnerability exists when the Windows Print Spooler service improperly allows arbitrary writing to the file system, aka 'Windows Print Spooler Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2020-1070.

CVE-2020-1048

An elevation of privilege vulnerability exists in Windows when the Windows kernel-mode driver fails to properly handle objects in memory, aka 'Win32k Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2020-1143.

CVE-2020-1054

libmariadb/mariadb_lib.c in MariaDB Connector/C before 3.1.8 does not properly validate the content of an OK packet received from a server. NOTE: although mariadb_lib.c was originally based on code shipped for MySQL, this issue does not affect any MySQL components supported by Oracle.

@@ -81,6 +81,8 @@ #define ASYNC\_CONTEXT\_DEFAULT\_STACK\_SIZE (4096\*15) #define MA\_RPL\_VERSION\_HACK "5.5.5-"  
#define CHARSET\_NAME\_LEN 64  
#undef max\_allowed\_packet #undef net\_buffer\_length extern ulong max\_allowed\_packet; /\* net.c \*/ @@ -2139,17 +2141,22 @@ mysql\_send\_query(MYSQL\* mysql, const char\* query, unsigned long length)  
int ma\_read\_ok\_packet(MYSQL \*mysql, uchar \*pos, ulong length) { uchar \*end= mysql->net.read\_pos+length; size\_t item\_len; mysql->affected\_rows\= net\_field\_length\_ll(&pos); mysql->insert\_id\= net\_field\_length\_ll(&pos); mysql->server\_status\=uint2korr(pos); pos+=2; mysql->warning\_count\=uint2korr(pos); pos+=2; if (pos < mysql->net.read\_pos+length) if (pos > end) goto corrupted; if (pos < end) { if ((item\_len= net\_field\_length(&pos))) mysql->info\=(char\*) pos; if (pos + item\_len > end) goto corrupted;  
/\* check if server supports session tracking \*/ if (mysql->server\_capabilities & CLIENT\_SESSION\_TRACKING) @@ -2160,23 +2167,26 @@ int ma\_read\_ok\_packet(MYSQL \*mysql, uchar \*pos, ulong length) if (mysql->server\_status & SERVER\_SESSION\_STATE\_CHANGED) { int i; if (pos < mysql->net.read\_pos + length) if (pos < end) { LIST \*session\_item; MYSQL\_LEX\_STRING \*str= NULL; enum enum\_session\_state\_type si\_type; uchar \*old\_pos= pos; size\_t item\_len= net\_field\_length(&pos); /\* length for all items \*/  
item\_len= net\_field\_length(&pos); /\* length for all items \*/ if (pos + item\_len > end) goto corrupted; end= pos + item\_len;  
/\* length was already set, so make sure that info will be zero terminated \*/ if (mysql->info) \*old\_pos= 0;  
while (item\_len > 0) while (pos < end) { size\_t plen; char \*data; old\_pos= pos; si\_type= (enum enum\_session\_state\_type)net\_field\_length(&pos); switch(si\_type) { case SESSION\_TRACK\_SCHEMA: @@ -2186,16 +2196,14 @@ int ma\_read\_ok\_packet(MYSQL \*mysql, uchar \*pos, ulong length) if (si\_type != SESSION\_TRACK\_STATE\_CHANGE) net\_field\_length(&pos); /\* ignore total length, item length will follow next \*/ plen= net\_field\_length(&pos); if (pos + plen > end) goto corrupted; if (!(session\_item= ma\_multi\_malloc(0, &session\_item, sizeof(LIST), &str, sizeof(MYSQL\_LEX\_STRING), &data, plen, NULL))) { ma\_clear\_session\_state(mysql); SET\_CLIENT\_ERROR(mysql, CR\_OUT\_OF\_MEMORY, SQLSTATE\_UNKNOWN, 0); return -1; } goto oom; str->length\= plen; str->str\= data; memcpy(str->str, (char \*)pos, plen); @@ -2218,41 +2226,40 @@ int ma\_read\_ok\_packet(MYSQL \*mysql, uchar \*pos, ulong length) if (!strncmp(str->str, "character\_set\_client", str->length)) set\_charset= 1; plen= net\_field\_length(&pos); if (pos + plen > end) goto corrupted; if (!(session\_item= ma\_multi\_malloc(0, &session\_item, sizeof(LIST), &str, sizeof(MYSQL\_LEX\_STRING), &data, plen, NULL))) { ma\_clear\_session\_state(mysql); SET\_CLIENT\_ERROR(mysql, CR\_OUT\_OF\_MEMORY, SQLSTATE\_UNKNOWN, 0); return -1; } goto oom; str->length\= plen; str->str\= data; memcpy(str->str, (char \*)pos, plen); pos+= plen; session\_item->data\= str; mysql->extension\->session\_state\[si\_type\].list\= list\_add(mysql->extension\->session\_state\[si\_type\].list, session\_item); if (set\_charset && if (set\_charset && str->length < CHARSET\_NAME\_LEN && strncmp(mysql->charset\->csname, str->str, str->length) != 0) { char cs\_name\[64\]; MARIADB\_CHARSET\_INFO \*cs\_info; char cs\_name\[CHARSET\_NAME\_LEN\]; const MARIADB\_CHARSET\_INFO \*cs\_info; memcpy(cs\_name, str->str, str->length); cs\_name\[str->length\]= 0; if ((cs\_info = (MARIADB\_CHARSET\_INFO \*)mysql\_find\_charset\_name(cs\_name))) if ((cs\_info = mysql\_find\_charset\_name(cs\_name))) mysql->charset\= cs\_info; } } break; default: /\* not supported yet \*/ plen= net\_field\_length(&pos); if (pos + plen > end) goto corrupted; pos+= plen; break; } item\_len-= (pos - old\_pos); } } for (i= SESSION\_TRACK\_BEGIN; i <= SESSION\_TRACK\_END; i++) @@ -2267,6 +2274,16 @@ int ma\_read\_ok\_packet(MYSQL \*mysql, uchar \*pos, ulong length) else if (mysql->server\_capabilities & CLIENT\_SESSION\_TRACKING) ma\_clear\_session\_state(mysql); return(0);  
oom: ma\_clear\_session\_state(mysql); SET\_CLIENT\_ERROR(mysql, CR\_OUT\_OF\_MEMORY, SQLSTATE\_UNKNOWN, 0); return -1;  
corrupted: ma\_clear\_session\_state(mysql); SET\_CLIENT\_ERROR(mysql, CR\_MALFORMED\_PACKET, SQLSTATE\_UNKNOWN, 0); return -1; }  
int mthd\_my\_read\_query\_result(MYSQL \*mysql)

CVE-2020-13249: sanity checks for client-supplied OK packet content · mariadb-corporation/mariadb-connector-c@2759b87

An issue has been found in PowerDNS Recursor 4.1.0 through 4.3.0 where records in the answer section of a NXDOMAIN response lacking an SOA were not properly validated in SyncRes::processAnswer, allowing an attacker to bypass DNSSEC validation.

**PowerDNS Security Advisory 2020-02: Insufficient validation of DNSSEC signatures¶**

*   CVE: CVE-2020-12244
*   Date: May 19th 2020
*   Affects: PowerDNS Recursor from 4.1.0 up to and including 4.3.0
*   Not affected: 4.3.1, 4.2.2, 4.1.16
*   Severity: Medium
*   Impact: Denial of existence spoofing
*   Exploit: This problem can be triggered by an attacker in position of man-in-the-middle
*   Risk of system compromise: No
*   Solution: Upgrade to a non-affected version
*   Workaround: None

An issue has been found in PowerDNS Recursor 4.1.0 through 4.3.0 where records in the answer section of a NXDOMAIN response lacking an SOA were not properly validated in SyncRes::processAnswer. This would allow an attacker in position of man-in-the-middle to send a NXDOMAIN answer for a name that does exist, bypassing DNSSEC validation.

This issue has been assigned CVE-2020-12244.

PowerDNS Recursor from 4.1.0 up to and including 4.3.0 is affected.

Please note that at the time of writing, PowerDNS Authoritative 4.0 and below are no longer supported, as described in https://doc.powerdns.com/authoritative/appendices/EOL.html.

We would like to thank Matt Nordhoff for finding and subsequently reporting this issue!

Tag

#perl