Vulnerability CVE-2014-1909


Published: 2014-05-13   Modified: 2014-05-14

Description:
Integer signedness error in system/core/adb/adb_client.c in Android Debug Bridge (ADB) for Android 4.4 in the Android SDK Platform Tools 18.0.1 allows ADB servers to execute arbitrary code via a negative length value, which bypasses a signed comparison and triggers a stack-based buffer overflow.

Type:

CWE-189

(Numeric Errors)

Vendor: Google
Product: Android sdk platform tools 
Version: 18.0.1;
Product: Android debug bridge 
Vendor: Novell
Product: Opensuse 
Version: 13.1; 12.3;

CVSS2 => (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVSS Base Score
Impact Subscore
Exploitability Subscore
7.5/10
6.4/10
10/10
Exploit range
Attack complexity
Authentication
Remote
Low
No required
Confidentiality impact
Integrity impact
Availability impact
Partial
Partial
Partial

 References:
http://xforce.iss.net/xforce/xfdb/91291
http://www.securityfocus.com/bid/65403
http://seclists.org/oss-sec/2014/q1/291
http://lists.opensuse.org/opensuse-updates/2014-05/msg00039.html
http://lists.opensuse.org/opensuse-updates/2014-05/msg00038.html

Related CVE
CVE-2016-9961
game-music-emu before 0.6.1 mishandles unspecified integer values.
CVE-2016-9960
game-music-emu before 0.6.1 allows local users to cause a denial of service (divide by zero and process crash).
CVE-2017-8386
git-shell in git before 2.4.12, 2.5.x before 2.5.6, 2.6.x before 2.6.7, 2.7.x before 2.7.5, 2.8.x before 2.8.5, 2.9.x before 2.9.4, 2.10.x before 2.10.3, 2.11.x before 2.11.2, and 2.12.x before 2.12.3 might allow remote authenticated users to gain pr...
CVE-2016-9842
The inflateMark function in inflate.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact via vectors involving left shifts of negative integers.
CVE-2016-9843
The crc32_big function in crc32.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact via vectors involving big-endian CRC calculation.
CVE-2016-9840
inftrees.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact by leveraging improper pointer arithmetic.
CVE-2016-9841
inffast.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact by leveraging improper pointer arithmetic.
CVE-2016-5178
Multiple unspecified vulnerabilities in Google Chrome before 53.0.2785.143 allow remote attackers to cause a denial of service or possibly have other impact via unknown vectors.

Copyright 2017, cxsecurity.com