Activity for Hanno Böck
-
Hanno Böck posted a comment on ticket #649
It's not an online scanner, it's scanning offline on the filesystem. I can test that even without an installation. The only issue here is that I have a database with information of the form "app X had its last security vuln Y that was fixed in Z". It seems right now there is no fixed version, so that's what I'm reporting. I can update it once you make a new release. See here how the data looks: https://git.schokokeks.org/freewvs.git/blob/master/freewvsdb/wiki.json
-
I'm not running phpwiki myself, I'm developing a tool that scans for vulnerable web applications [1]. [1] https://source.schokokeks.org/freewvs/
-
Cross Site Scripting vulnerability
-
Security vulnerabilities described on exploit-db
-
pam_mount uses deprecated openssl 1.1 features
-
Can I ask what the fix is? Your comment indicates this is an underlying thunderbird issue and can't be fixed within Enigmail.
-
I created a patch that fixes all those issues and a few more. Appart from the ones you mentioned it is also possible to achieve XSS via the formaction attribute or via svg animations (animate to attribute). I'm now adding a lot more filtering, but I believe this doesn't break any common html mails, as other webmailers apply similar filtering. I'm completely removing inline SVG (gmail does the same, so I don't think anyone uses them). Some of the filtering is now redundant, but it may help kill further...
-
I created a patch that fixes all those issues and a few more. Appart from the ones you mentioned it is also possible to achieve XSS via the formaction attribute or via svg animations (animate to attribute). I'm now adding a lot more filtering, but I believe this doesn't break any common html mails, as other webmailers apply similar filtering. I'm completely removing inline SVG (gmail does the same, so I don't think anyone uses them). Some of the filtering is now redundant, but it may help kill further...
-
asan stack trace
-
netstat IPv6 handling causes overlapping memcpy
-
I guess nobody is developing here any more, but for completeness I'm attaching a sample address sanitizer stack trace. This can be tested by compiling espeak with asan (make CXXFLAGS="-fsanitize=address -g" LDFLAGS="-fsanitize=address") and then simply running "espeak a".
-
Mixed content warning on https version of dosbox page
-
out of bounds heap read in dirac::VHFilter::Interleave
-
example file attached
-
heap overflow (write) in dirac::ArithCodecBase::ReadAllData
-
heap out of bounds read in convert_latin1
-
duplicate definition of _tab_page_modules
-
[lxtask] fix multiple definitions of global variables (builds with -fno-common)
-
compilation with openssl 1.1 fails
-
null pointer access / segfault in NArchive::N7z::CInArchive::ReadAndDecodePackedStreams
-
null pointer access / segfault after failing memory allocation in 7zIn.cpp
-
Can confirm fix. I think this bug report can now go public, can you change the "Private"...
-
fix delete instead of delete [] in encrypt.h
-
fix buffer overflow in SoftRasterInit
-
fix gcc compiler warning about pointer conversion in path.h
-
heap out of bounds read in NArchive::N7z::CDecoder::Decode on malformed input
-
segfault / null pointer access on malformed input file
-
errors in tests regarding string length
-
Tested again with latest git code, no change. bug still there.
-
How have you tried to reproduce it? (I wrote that this can be seen with valgrind...
-
I don't see a fix for this, this is still happening in the current git head code....
-
Invalid heap read in gif2rgb, function DumpScreen2RGB()
-
Invalid write (heap overflow) in gif2rgb with images of size 0
-
Avoid negative array access in dictionary.cpp
-
missing include in read.cpp
-
Hi, just reviewing old issues. The bug here is in the file getarg.c. The command...
-
I'm just reviewing old issues I reported, this was closed without a comment, but...
-
stack overflow / endless recursion on malformed input
-
I re-found this bug while fuzzing cramfsck, your fix works. Unfortunately it seems...
-
[lxterminal] Return value on non-void function
-
I had tested the latest release (5.8) but now I see this is quite old. However the...
-
Invalid C input file causes invalid read / heap overflow
-
heap overflow / off by one read with malformed arc file
-
Just fyi, libarchive supports rar files (and a ton of other file formats), is free...
-
segfault in giftool on malformed input file
-
malformed gif causes crash in giftool
-
malformed gif causes segfault in giffilter
-
invalid memory access in most command line tools in util
-
malformed input causes endless loop
-
Probably something like this: a) export AFL_HARDEN=1; export AFL_USE_ASAN=1 b) compiled...
-
An upper bound for the comments doesn't seem like a clean solution There's something...
-
This was my fuzzing input
-
malformed .flac file causes crash / segfault
-
Secure ZIP encryption should be default, warn about or disable insecure encryption
1