README.md

A list of publicly known but unfixed security bugs

Please submit a pull request if you have corrections or know about any other unfixed security bugs.

tar

• rmt filename support makes tar vulnerable to "phishing" attacks

Chrome

• CSS mix-blend-mode is bad for your browsing history (demo)

Pretty much every terminal emulator

• Multi-line pastes from an untrusted source (e.g. browser) can automatically execute something you did not intend to copy

sudo

• When running sudo -u non-root-user as root, TIOCSTI allows the command in sudo -u non-root-user command to execute anything as root. Can be fixed with Defaults use_pty in sudoers. More notes.

• sudo credential caching (generally enabled by default; disabled with Defaults timestamp_timeout=0) allows any process in a TTY to do a passwordless sudo within the timeout period, not just commands that you've prefixed with sudo in the shell.

VirtualBox

• Unlike VMware Workstation, VirtualBox clipboard sharing gives guests continuous access to the host clipboard, instead of just when the VM is focused.

virt-manager/spice-gtk

• Unlike VMware Workstation, virt-manager/spice-gtk clipboard sharing gives guests continuous access to the host clipboard, instead of just when the VM is focused. This clipboard sharing feature is unconditionally enabled without warning. A compromised guest with no need for clipboard access can install spice-vdagent and start continuously sniffing the host clipboard.

Xorg

• Any program connected to the server can sniff another program's keystrokes. Solved in Wayland.

Node

• node climbs up to look for node_modules in directories that can be written to by other users

Erlang/OTP

• You can crash a distributed Erlang node by making ~1M connections with an invalid security cookie

• Check for null bytes in binaries / strings when opening files (to be fixed in OTP 21.0)

• Stored XSS vulnerability in mod_dir

• HTTP content injection in httpc:request

Twisted

• Credentials materials are compared unsafely throughout Twisted, still open due to the difficulty of measuring whether the constant-time compare function actually fixes anything.

• twisted.web has no protection against HTTP response-splitting attacks

• twisted.web server has no way to limit size of request body

WeeChat

• WeeChat relays allows clients to execute code on the relay

phantomjs, libqtwebkit4, libqt5webkit5

• These packages exist in a state of permanent insecurity because they don't keep up with the ~6-week browser update cycle. (e.g. take any one of the many WebKit security bugs fixed after the last release of these packages, which could be a ~year old.)

Windows

• Windows Defender's malware emulator is unsandboxed and runs with SYSTEM privileges

• Various methods of automatically bypassing UAC (see "Unfixed methods in upcoming Windows 10 RS2 release")

Packages in your Linux distribution

• Debian stable
• Debian testing
• Debian unstable
• Ubuntu main archive
• Ubuntu universe archive
• Ubuntu partner archive
• Arch Linux

On your LineageOS device

• CVE Tracker