OL CVE Issue Summary:

A crafted SNMPv1 trap with an oversized enterprise OID can cause an out-of-bounds write in snmptrapd when the handler builds the trap OID. Specifically, unvalidated enterprise_length values can make memcpy copy more OIDs than the fixed trapOid buffer can hold, leading to a stack buffer overflow and process abort.

OL CVE Issue Summary:

xmlSchemaIDCFillNodeTables() in xmlschemas.c has a heap-based buffer under-read. To exploit this, a crafted XML document must be validated against an XML schema with certain identity constraints, or a crafted XML schema must be used.
 

OL CVE Issue Summary:

The tarfile module implementation processes tar archives with negative offsets without error, resulting in an infinite loop and deadlock during the parsing of maliciously crafted archives, which can lead to a denial of service.

OL CVE Issue Summary:

`cvtClump()` in rgb2ycbcr in LibTIFF 4.0.6 and earlier allows remote attackers to cause a denial of service (out-of-bounds write) by setting the `-v` option to `-1`. `_TIFFFax3fillruns()` in libtiff before 4.0.6 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted Tiff image.`DumpModeDecode()` could be exploited to cause denial-of-service via a crafted Tiff image. A heap-based buffer overflow in the `t2p_write_pdf()` in `tools/tiff2pdf.c`. This heap overflow could lead to various damages. For example, a crafted TIFF document can lead to an out-of-bounds read in `TIFFCleanup()`, an invalid free in `TIFFClose()` or `t2p_free()`, memory corruption in `t2p_readwrite_pdf_image()`, or a double free in `t2p_free()`. Given these possibilities, it probably could result in arbitrary code execution. This affects `TIFFReadRGBATileExt()` in `libtiff/tif_getimage.c`. The manipulation leads to integer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed to the public. The identifier VDB-213549 was assigned to this vulnerability.

OL CVE Issue Summary:

xmlSnprintfElementContent() in valid.c is supposed to recursively dump the element content definition into a char buffer buf of size size. The variable len is assigned strlen(buf). If the content->type is XML_ELEMENT_CONTENT_ELEMENT, then
(i) the content->prefix is appended to buf (if it actually fits) 
whereupon: 
(ii)content->name is written to the buffer 
However, the check is whether the content->name actually fits also uses len rather than the updated buffer length strlen(buf). This allows writing about "size" many bytes beyond the allocated memory. 

`c-ares` is an asynchronous resolver library. `ares_inet_net_pton()` isvulnerable to a buffer underflow for certain IPv6 addresses, in particular`0::00:00:00/2` was found to cause an issue. `c-ares` only uses this functioninternally for configuration purposes which would require an administrator toconfigure such an address via `ares_set_sortlist()`. However, users mayexternally use `ares_inet_net_pton()` for other purposes and thus be vulnerableto more severe issues.

OL CVE Issue Summary:

Malformed data in a terminfo database file can trigger security-relevant memory corruption when ncurses is used by a setuid application. Local users can exploit this flaw via terminfo databases found in $HOME/.terminfo or reached via the TERMINFO or TERM environment variable.
 

OL CVE Issue Summary:

heap-based buffer overflow in `utf_ptr2char()` in `mbyte.c`
Heap use-after-free in `nv_replace()`
Heap use-after-free in `nv_replace()`
Illegal memory access when C-indenting
heap-buffer-overflow in `inc()` (`misc2.c`).

OL CVE Issue Summary:

Invoking `XML_Parse` before `rand()` results in non-random, predictable output
Little entropy used for hash initialization
Integer overflow in `doProlog()`
`XML_ParseBuffer()` in `xmlparse.c` does not reject a negative length.