OpenBSD libexec Audit Findings

Security audit of programs shipped under OpenBSD's libexec tree. These are not user-facing tools but helper binaries invoked by other parts of the system: BSD authentication helpers, the dynamic linker, RPC services, mail and spam infrastructure, and the traditional C preprocessor. Each finding includes a detailed write-up and a patch.

Summary

Total findings: 17 -- High: 3, Medium: 14

Findings

BSD authentication helpers

| # | Finding | Severity |
|---|---------|----------|
| 001 | Malformed challenge attribute causes backwards parser walk | High |
| 002 | Oversized State attribute leaks stack bytes | Medium |
| 003 | Unterminated response scans past stack buffer | Medium |
| 004 | YubiKey counter check updates non-atomically | High |
| 009 | Malformed LDAP control dereferences missing child elements | Medium |
| 010 | Malformed page control dereferences absent value element | Medium |
| 011 | Invalid encoded page control dereferences failed BER parse | Medium |

Dynamic linker (ld.so)

| # | Finding | Severity |
|---|---------|----------|
| 012 | ELF program headers read past fixed header buffer | Medium |
| 013 | ELF program headers are read past the header buffer | Medium |
| 014 | ELF without load segments dereferences null load list | Medium |
| 018 | Unchecked ELF relocation type indexes static tables | Medium |

RPC services

| # | Finding | Severity |
|---|---------|----------|
| 005 | Negative quota id leaks uninitialized quota reply fields | High |
| 019 | Legacy rusers reply uses wrong XDR type | Medium |

Spam and mail infrastructure

| # | Finding | Severity |
|---|---------|----------|
| 006 | Remote feed can force unbounded decompression | Medium |

Network daemons

| # | Finding | Severity |
|---|---------|----------|
| 017 | Client-controlled response address enables UDP reflection | Medium |

Traditional C preprocessor

| # | Finding | Severity |
|---|---------|----------|
| 007 | Signed division overflow in #if evaluator | Medium |
| 008 | Signed remainder overflow in #if evaluator | Medium |