Vulnerabilities tagged "binary"

Shell in the Ghost: Ghostscript CVE-2023-28879 writeup

A pretty classic string escaping bug in GhostScript, one common and buggy edge case when escaping characters in a buffer is to not properly account for escapes that happen at the very limit of the destination buffer.As was the case here, despite checking that the limit of the buffer was not reached on every iteration, when a character was found that should be escaped, it would write to the destination buffer write, first with the escape character (`0x01`) and then again with an XOR'd version of the character to be escaped...

XNU: NFSSVC root check bypass; use after free due to insufficient locking in upcall worker threads

This was a fun authorization check bypass because when checking if higher privileges were needed the `flag` value was checked for equality with the two privileged actions.Later on however, when deciding what handler to use to handle to request, it used a bitwise operation to check if the specific bit is set...