Documentation
asn10038 edited this page Aug 13, 2019
- (curl-buggy-1)
- Link: https://github.com/curl/curl/pull/3365
- General Description: The patch fixes the parsing of URLs containing semicolons and adds a test case
- Buggy version: 4258dc02d86e7e4de9f795a1af3a0bc6732d4ab5
- Patch version: d8607da1a68f2482302ccdbb7cf457210b9ccfc9
- CVE: No
- Input: [0:0:0:0:0:0:0:1]: (simply pings local host)
- (curl-buggy-2)
- Link: https://github.com/curl/curl/pull/3381
- General Description: Corrects behavior where curl -J appends to an existing output file instead of creating a new one -- weak example of type 5 in the design section
- Buggy version: f097669248a877dece74fdb525e82bfe1b69df90
- Patch version: 4849267197682e69cfa056c2bd7a44acd123a917
- CVE: No
- Input: -JO --location https://github.com/curl/curl/releases/download/curl-7_63_0/curl-7.63.0.tar.xz.asc SIZE = curl-7.63.0.tar.xz.asc
- (curl-buggy-5)
- Link: https://curl.haxx.se/docs/CVE-2017-1000101.html
- General Description: URL globbing out of bounds read
- Buggy version: 0966b324d911423c81351fb12e9219f71cd63be8
- Patch version: 5ca96cb84410270e233c92bf1b2583cba40c3fad
- CVE: CVE-2017-1000101
- Input: http://ur%20[0-60000000000000000000
- (curl-buggy-6)
- Link: https://github.com/curl/curl/pull/3433
- General Description: Related to CVE-2018-20483, when using --xattr flag, the file system could save the information about user name and password
- Buggy version: afeb8d99022255279ee63125f2fa0f69810ce9c3
- Patch version: 98e6629154044e4ab1ee7cff8351c7ebcb131e88
- CVE: CVE-2018-20483
- Input: http://testcurlbug:[email protected] -o file --xattr; \getfattr file;\getfattr -n user.xdg.origin.url file
- (curl-buggy-7)
- Link: https://github.com/curl/curl/commit/d353af001420574210605ba132dfd31a0e3876a5
- General Description: configure: add basic test of --with-ssl prefix
- Buggy version: 09d16af
- Patch version: d353af0
- CVE: No
- Input: ./configure --with-ssl=/path/to/libressl
- (curl-buggy-8)
- Link: https://github.com/curl/curl/commit/e50a2002bd450a4800a165d2874ed79c95b33a07
- General Description: FILE: fix CURLOPT_NOBODY and CURLOPT_HEADER output
- Buggy version: b55e85d
- Patch version: e50a200
- CVE: No
- Input: ./src/curl --head file:///usr/share/dict/words
- (curl-buggy-9)
- Link: https://github.com/curl/curl/commit/2c5ec339ea67f43ac370ae77636a0f915cc5fbeb
- General Description: Curl_follow: accept non-supported schemes for "fake" redirects
- Buggy version: a4653a7
- Patch version: 2c5ec33
- CVE: No
- Input: ./src/curl -v http://cmake.org
- (curl-buggy-10)
- Link: https://github.com/curl/curl/pull/3219
- General Description: URL: fix IPv6 numeral address parser
- Buggy version: 6987e37
- Patch version: b280948
- CVE: No
- Input: ./src/curl http://[2600::]
- (curl-buggy-11)
- Link: https://github.com/curl/curl/issues/3251
- General Description: curl --local-port does not try last port in range
- Buggy version: 27cb384
- Patch version: fcf3f13
- CVE: No
- Input:
- (curl-buggy-12)
- Link: https://curl.haxx.se/docs/CVE-2016-8624.html
- General Description: curl doesn't parse the authority component of the URL correctly when the host name part ends with a '#' character, and could instead be tricked into connecting to a different host. This may have security implications if you for example use a URL parser that follows the RFC to check for allowed domains before using curl to request them.
- Buggy version: 164ee10b0
- Patch version: 3bb273db7
- CVE: CVE-2016-8624
- Input: ./src/curl -v http://example.com#@127.0.0.1/x.txt
- (libpng-buggy-1)
- Link: https://bugzilla.redhat.com/show_bug.cgi?id=1599943
- General Description: Integer overflow and resultant divide-by-zero in pngrutil.c:png_check_chunk_length() allows for denial of service
- Buggy version: cde1e1fe79974a37d7ef255a44dae3bfd1b34a0f
- Patch version: 8a05766cb74af05c04c53e6c9d60c13fc4d59bf2
- CVE: CVE-2018-13785
- Input: ./libpng-fixed/pngimage crash1.png
- (libpng-buggy-2)
- Link: https://sourceforge.net/p/libpng/bugs/270/
- General Description: libpng-1.6.32 rejects valid PNG images with "IDAT: chunk data is too large"
- Buggy version: 47aa798
- Patch version: eb2f42a
- CVE: No
- Input: ./libpng-buggy/pngimage idat_too_large.png
- Link: https://github.com/openssl/openssl/pull/7359
- General Description: Potential Use after free vulnerability
- Buggy version: 23d221b771348e3e3ee316cd1190a4a344d145fc
- Patch version: da84249be6492ccfc5ecad32ac367fd06e9bdbef
- CVE: No?
- Input:
Coreutils: https://github.com/coreutils/coreutils (mirrored from git://git.sv.gnu.org/coreutils)
- (wc-buggy-1)
- Link: https://github.com/coreutils/coreutils/commit/a5202bd58531923ea9f93cc35ddeec5e3a8e0189
- General Description: The visible output of this printf is "how are you", but the second separator is a no-break space (U+00A0); wc does not treat it as white space, resulting in an incorrect word count (Bug#34524: wc: word count incorrect when words separated only by no-break space)
- Buggy version: 2ab2f7a422652a9ec887e08ca8935b44e9629505
- Patch version: a5202bd58531923ea9f93cc35ddeec5e3a8e0189
- CVE: No
- Input: printf 'how are\xC2\xA0you\n' | LC_ALL=en_US.utf8 coreutils-wc-bug1/src/wc -w
- (wc-buggy-2)
- Link: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=23073
- General Description: wc reports wrong byte counts when using '--files0-from=-'
- Buggy version: f071b04afaeefbf6c37a00986fec02b8df5e9560
- Patch version: 9944e4763bb178852727812e8b188540772384e2
- CVE: No
- Input: touch wc.small; \seq 10000 > wc.big; \printf '%s\0' wc.big wc.small | src/wc -c --files0-from=-
- (yes-buggy-1)
- Link: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=33468
- General Description: For select programs which accept only --help and --version options (in addition to non-option arguments), process these options before any other options.
- Buggy version: 36b99b611309d8ef9634376d87149724850074a8
- Patch version: 44af84263ed9398418f8366d08a1c20f3aed367e
- CVE: No
- Input: ./src/yes me --help
- (shred-buggy-1)
- Link: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=28507
- General Description: shred --remove will again repeatedly rename files with shortening names to attempt to hide the original length of the file name
- Buggy version: 4cb3f4faa435820dc99c36b30ce93c7d01501f65
- Patch version: c34f8d5c787e6f7f7a0fdcd5f8c8bcf845081584
- CVE: No
- Input: touch test; ./src/shred -vu test
- (ls-buggy-1)
- Link: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=30963
- General Description: ls -aA shows . and .. in an empty directory; Fix: 'ls -aA' is now equivalent to 'ls -A', since -A now overrides -a
- Buggy version: 49b126bfc5ae78c8fd913699aa645c10187af1c5
- Patch version: 8d6acfd853fe78f9b47fe3a317b55d904278f89f
- CVE: No
- Input: mkdir temp && cd temp; ../src/ls -aA;
- (cp-buggy-1)
- Link: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=31335
- General Description: Don't fail immediately upon getting ELOOP when running stat() on the destination, rather proceeding if -f specified, allowing the link to be removed. If the loop is not in the final component of the destination path, we still fail but at the subsequent unlink() stage
- Buggy version: 694d10b71e418ef4ea68847185b73544fe03eae2
- Patch1 version: a391007511cebe4a1731d85b4808499293c67173
- Patch2 version: c732388fa1a47376c28bc4a55eadd73944ab711d
- CVE: No
- Input: ln -s self self; cat self; touch a; ./src/cp a self; ./src/cp -f a self;
- (mv-buggy-1)
- Link: https://github.com/coreutils/coreutils/commit/7e244891b0c41bbf9f5b5917d1a71c183a8367ac
- General Description: 'cp -n -u' and 'mv -n -u' now consistently ignore the -u option. Previously, this option combination suffered from race conditions that caused -u to sometimes override -n
- Buggy version: 3f9b1b86b18777b996c81d40c64e1e3ede8ecbef
- Patch version: 7e244891b0c41bbf9f5b5917d1a71c183a8367ac
- CVE: No
- Input: touch b && echo 'hello' >> b; touch a && echo 'world' >> a; ./src/mv -n -u a b;
- (df-buggy-1)
- Link: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=29038
- General Description: df no longer hangs when given a fifo argument
- Buggy version: f89c20bdf7ccc033cbc22662e932fae7761754fc
- Patch version: b04ce61958c1f1fc264950f8d3b6058f640ee491
- CVE: No
- Input: mkfifo p; ./src/df p
- (b2sum-buggy-1)
- Link: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=28860
- General Description: Running b2sum with the --check option on input consisting only of the string "BLAKE2" with no trailing character raises a segfault
- Buggy version: f926f7ce0e0a224ef3a37a82e60fd3d7aaca906e
- Patch version: cc19f63be3ad0f27c9ea7f223883b75917fda7fb
- CVE: No
- Input: ./src/b2sum --check <<< BLAKE2
- (wget-buggy-1)
- Link: https://github.com/mirror/wget/commit/7ddcebd61e170fb03d361f82bf8f5550ee62a1ae
- General Description: Simple fix stops creating the log when using -O and -q in the background
- Buggy version: 2f451dbf4e83c751f6bbba7ed26d90bf275fcbf7
- Patch version: 7ddcebd61e170fb03d361f82bf8f5550ee62a1ae
- CVE: No
- Input: ./wget-buggy-1-obj/bin/wget -bq -O - www.google.com
- (wget-buggy-2)
- Link: https://nvd.nist.gov/vuln/detail/CVE-2017-6508
- General Description: Potential CRLF injection via a crafted input URL
- Buggy version: 63c2aea2557b84640272629c7dc0caccab66ab6d
- Patch version: 4d729e322fae359a1aefaafec1144764a54e8ad4
- CVE: CVE-2017-6508
- Input: ./wget-buggy-2-obj/bin/wget http://127.0.0.1%0d%0aCookie%3a hi%0a/
Nginx: https://nginx.org/download
- Link: https://trac.nginx.org/nginx/ticket/1557
- General Description: Nginx bug when parsing the config file: if nginx.conf contains more than 300 lines of 20 blanks, the configuration test (-t) fails
- Buggy version: nginx-1.14.0
- Patch version: nginx-1.15.6
- CVE: No
- Input: cp nginx1.conf nginx-1.14.0/conf/nginx.conf; ./nginx-1.14.0/objs/nginx -c $($(shell pwd))/nginx-1.15.6/conf/nginx.conf -t
- (nginx-buggy-3) (not reproducible)
- Link: https://trac.nginx.org/nginx/ticket/1464
- General Description: deals with a crashing bug when a certain config file is used
- Buggy version: nginx-1.13.0
- Patch version: nginx-1.15.6
- CVE: No
- Input: ./nginx-1.13.0/objs/nginx -c $(current_dir)/nginx3.conf; curl -k https://example.com;
- (sqlite-buggy-1)
- Link: https://github.com/mackyle/sqlite/commit/59fa2969625bd593a601562e8416a6047f6f5142
- General Description: Fix a potential problem with "INSERT INTO ... SELECT * FROM" (or VACUUM)
- Buggy version: 0ae3371797d89deb80f729e56c5af6851518e6bd
- Patch version: b9338e8475463b29b7f05fb28c78c3f35a7ce814
- CVE: No
- Buggy Input: ./sqlite_bug_reproduce_1.sh
- Patch Input: ./sqlite_bug_patch_1.sh
- NOTE: build depends on tclsh (apt install tclsh)
- (redis-buggy-1)
- Link: https://github.com/antirez/redis/commit/e2c1f80b464a3a6dde961bb30bff9a39c17c6b29
- General Description: Fixed a serverPanic when sending an invalid command to a monitor client
- Buggy version: 46a51cdcdc0bd92473163068c2ec3bef4dffe63c
- Patch version: e2c1f80b464a3a6dde961bb30bff9a39c17c6b29
- CVE: No
- Buggy Input: ./redis_bug.sh
- Patch Input: ./redis_fix.sh