In resizing a PNG, in a textual chunk you have keywords and a text string as a value, if the keyword `profile` is used, imagemagick will try to read the associated filename (the text value for the keyword) and will load the content of the file (if it exists) into the resultant image. So in cases where a user uploaded image is resized or processed in some way by imagemagick, it may be possible to leak file content in the resulting image.
World's worst fuzzer, leading to a traditional stack overflow in the kernel.Really not much to say about the vulnerability, `copy_from_user` with no bounds check into a fixed sized buffer on the stack...
A bug was found sort of accidentally in Adreno/KGSL GPU for Android devices.The post covers a lot of background, but what's important is that userspace can map shared memory from the CPU into the GPU, and use it to pass buffers such as command buffers...
The vulnerability here isn't too interesting, just a case of user-input being reflected into a header without sanitizing new-lines (CrLf injection). What is interesting is how they leverage this header injection primitive to bypass Akamai's web application firewall.
A path traversal type issue in Kardex MLOG due to not properly handling windows path separators.The service's `GetFile`handler would check for an `/api` and `/image` slug, and if neither were present it would fall back on trying to construct a filename...
A small bug in processing/validating the entries in the Merkel tree resulting in the theft of 2 million BNB ($586 Million USD at time of the original theft).
A 19-year-old bug in XNUs Data Link Interface Layer or DLIL that lead to an out-of-bounds write on the heap.The root cause is that `ifnet_attach()` will get the next interface `index` as a 32-bit integer and downcast it to a `uint16_t` when saving the index...
A heap overflow that was found in-the-wild by Google's Threat Analysis Group (TAG) in Chrome. This bug was in the texture subsystem for webGL GLES with textures created from a shared image, which bypasses the texture manager's tracking of the `max_levels` for mipmaps.
Multiple vulnerabilities were announced in Git, the most interesting to me though are the integer overflows in parsing `.gitattributes` leading to out-of-bounds reads and writes.
Cool, yet simple finding from the DataDog security team where calls to an undocument `iamadmin` service would also not appear in CloudTrail logs but could reproduce the functionality of several standard IAM service methods.