Monorail Project: project-zero Issues
  ID  Type  Status  Priority  Milestone  Owner  Summary + Labels   (---- = no value set)
  1 ---- Invalid ---- ---- cevans@google.com This is a test  
  9 ---- Fixed ---- ---- cevans@google.com Safari sandbox logic error enables reading of arbitrary files  
  10 ---- Fixed ---- ---- cevans@google.com Safari sandbox IPC memory corruption with WebEvent::Wheel  
  11 ---- Fixed ---- ---- cevans@google.com Safari sandbox IPC memory corruption with WebEvent::Char  
  12 ---- Fixed ---- ---- cevans@google.com launchd heap corruption due to integer overflow in launch_data_unpack  
  13 ---- Fixed ---- ---- cevans@google.com launchd heap corruption due to incorrect rounding in launch_data_unpack  
  14 ---- Fixed ---- ---- cevans@google.com launchd heap overflow in log_forward  
  15 ---- Fixed ---- ---- cevans@google.com Lack of bounds checking in notifyd CCProjectZeroMembers  
  16 ---- Fixed ---- ---- cevans@google.com launchd heap corruption due to unchecked strcpy in init_session MIG ipc  
  17 ---- Fixed ---- ---- cevans@google.com OS X IOKit kernel code execution due to lack of bounds checking in IOAccel2DContext2::blit  
  18 ---- Fixed ---- ---- cevans@google.com OS X IOKit kernel memory disclosure due to lack of bounds checking in AGPMClient::getPstatesOccupancy  
  19 ---- Fixed ---- ---- cevans@google.com OS X IOKit kernel code execution due to unchecked pointer parameter in IGAccelCLContext::unmap_user_memory  
  20 ---- Fixed ---- ---- cevans@google.com OS X IOKit Multiple exploitable kernel NULL dereferences (x4)  
  21 ---- Fixed ---- ---- cevans@google.com OS X IOKit kernel memory disclosure due to lack of bounds checking in IOUSBControllerUserClient::ReadRegister  
  22 ---- Fixed ---- ---- cevans@google.com OS X IOKit kernel code execution due to incorrect bounds checking in Intel GPU driver (x2)
  23 ---- Fixed ---- ---- cevans@google.com OS X kASLR defeat using sgdt  
  24 ---- Fixed ---- ---- cevans@google.com OS X IOKit kernel code execution due to NULL pointer dereference in IOThunderboltFamily  
  28 ---- Fixed ---- ---- cevans@google.com OS X IOKit kernel code execution due to lack of bounds checking in GPU command buffers  
  29 ---- Fixed ---- ---- cevans@google.com OS X IOKit kernel code execution due to off-by-one error in IGAccelGLContext::processSidebandToken  
  30 ---- Fixed ---- ---- cevans@google.com OS X IOKit kernel multiple exploitable memory safety issues in token parsing in IGAccelVideoContextMedia (x5)  
  31 ---- Fixed ---- ---- cevans@google.com OS X IOKit kernel code execution due to NULL pointer dereference in IOAccelContext2::clientMemoryForType  
  32 ---- Fixed ---- ---- cevans@google.com OS X IOKit kernel code execution due to lack of bounds checking in IGAccelVideoContextMain::process_token_ColorSpaceConversion  
  33 ---- Fixed ---- ---- cevans@google.com OS X IOKit kernel code execution due to lack of bounds checking in IOAccelDisplayPipeTransaction2::set_plane_gamma_table  
  34 ---- Fixed ---- ---- cevans@google.com OS X IOKit kernel code execution due to multiple bounds checking issues in IGAccelGLContext token parsing (x3)  
  35 ---- Fixed ---- ---- cevans@google.com OS X IOKit kernel code execution due to controlled kmem_free size in IOSharedDataQueue  
  36 ---- Fixed ---- ---- cevans@google.com OS X IOKit kernel code execution due to lack of bounds checking in AppleMultitouchIODataQueue  
  37 ---- Fixed ---- ---- cevans@google.com OS X IOKit kernel code execution due to bad free in IOBluetoothFamily  
  38 ---- Fixed ---- ---- cevans@google.com OS X IOKit kernel code execution due to integer overflow in IOBluetoothDataQueue (root only)  
  39 ---- Fixed ---- ---- cevans@google.com OS X IOKit kernel code execution due to integer overflow in IODataQueue::enqueue  
  40 ---- Fixed ---- ---- cevans@google.com OS X IOKit kernel code execution due to heap overflow in IOHIKeyboardMapper::parseKeyMapping  
  41 ---- Fixed ---- ---- cevans@google.com OS X IOKit kernel code execution due to NULL pointer dereference in IOHIKeyboardMapper::stickyKeysfree  
  42 ---- Fixed ---- ---- cevans@google.com OS X IOKit kernel memory disclosure due to lack of bounds checking in IOHIKeyboardMapper::modifierSwapFilterKey  
  43 ---- Fixed ---- ---- cevans@google.com Flash leak of uninitialized data whilst rendering JPEGs  
  44 ---- Fixed ---- ---- cevans@google.com Flash leak of uninitialized data whilst rendering a 2-component JPEG  
  45 ---- Fixed ---- ---- cevans@google.com Flash leak of uninitialized memory when rendering valid(?) 1bpp image  
  46 ---- Fixed ---- ---- cevans@google.com Flash heap buffer overflow calling copyPixelsToByteArray() on a large ByteArray CCProjectZeroMembers  
  47 ---- Fixed ---- ---- cevans@google.com Flash leak of uninitialized data when image zlib stream ends prematurely CCProjectZeroMembers  
  48 ---- Fixed ---- ---- cevans@google.com Flash leak of uninitialized data when JPEG image alpha channel zlib stream ends prematurely CCProjectZeroMembers  
  71 ---- Fixed ---- ---- cevans@google.com Flash out-of-bounds read in uploadCompressedTextureFromByteArray() CCProjectZeroMembers  
  75 ---- Fixed ---- ---- cevans@google.com Flash out-of-bounds read with empty ID3 tag CCProjectZeroMembers  
  76 ---- Fixed ---- ---- cevans@google.com Flash memory corruption (double free?) with RTMP packet that aborts itself CCProjectZeroMembers  
  77 ---- Duplicate ---- ---- cevans@google.com WebKit JavaScriptCore integer truncation vulnerability  
  78 ---- Fixed ---- ---- cevans@google.com Flash memory corruption (integer overflow?) concatenating strings to ~4GB in size CCProjectZeroMembers  
  79 ---- Fixed ---- ---- cevans@google.com Flash out-of-bounds read with large string length in RTMP packet CCProjectZeroMembers  
  80 ---- Fixed ---- ---- cevans@google.com OS X coresymbolicationd multiple user to root privilege escalations due to XPC type confusion CCProjectZeroMembers  
  82 ---- Fixed ---- ---- cevans@google.com Flash out-of-bounds read in uploadCompressedTextureFromByteArray() [CubeTexture variant] CCProjectZeroMembers  
  84 ---- Fixed ---- ---- groebert@google.com Out-of-bounds read in php_parserr with user-supplied dlen CCProjectZeroMembers  
  88 ---- Fixed ---- ---- cevans@google.com Linux kernel stack overflow when mounting ISO9660 image, including via a USB stick CCProjectZeroMembers  
  89 ---- Fixed ---- ---- hawkes@google.com Linux kernel hid-logitech-dj.c device_index arbitrary kfree CCProjectZeroMembers  
  90 ---- Fixed ---- ---- hawkes@google.com Linux kernel hid-logitech-dj.c logi_dj_ll_raw_request heap overflow CCProjectZeroMembers  
  91 ---- Fixed ---- ---- hawkes@google.com Linux kernel HID report fixup multiple off-by-one issues CCProjectZeroMembers  
  92 ---- Fixed ---- ---- cevans@google.com OS X sandbox escape due to XPC type confusion in networkd CCProjectZeroMembers  
  93 ---- Fixed ---- ---- cevans@google.com Flash memory corruption in Actionscript 2 Array.join CCProjectZeroMembers  
  94 ---- Fixed ---- ---- forshaw@google.com Windows Acrobat Reader 11 Sandbox Escape in NtSetInformationFile CCProjectZeroMembers  
  95 ---- Fixed ---- ---- forshaw@google.com IE11 ImmutableApplicationSettings EPM Privilege Escalation CCProjectZeroMembers  
  96 ---- Fixed ---- ---- cevans@google.com glibc off-by-one NUL byte heap overflow in gconv_translit_find CCProjectZeroMembers  
  97 ---- Fixed ---- ---- forshaw@google.com IE11 EPM Parent Process DACL Sandbox Escape CCProjectZeroMembers  
  98 ---- Fixed ---- ---- forshaw@google.com Linux Kernel Buffer Overflow in Whiteheat USB Serial Driver CCProjectZeroMembers  
  99 ---- Fixed ---- ---- forshaw@google.com IE11 AudioSrv RegistryKey EPM Privilege Escalation CCProjectZeroMembers  
  100 ---- Fixed ---- ---- scvitti@google.com Magic Mouse HID device driver overflow CCProjectZeroMembers  
  101 ---- Fixed ---- ---- scvitti@google.com PicoLCD HID device driver pool overflow CCProjectZeroMembers  
  103 ---- Fixed ---- ---- forshaw@google.com Windows Acrobat Reader 11 Sandbox Escape in MoveFileEx IPC Hook CCProjectZeroMembers  
  106 ---- Fixed ---- ---- cevans@google.com Flash logic error in bytecode verifier CCProjectZeroMembers  
  107 ---- Fixed ---- ---- hawkes@google.com Microsoft Office 2007 TTDeleteEmbeddedFont handle double delete CCProjectZeroMembers  
  108 ---- Fixed ---- ---- hawkes@google.com Microsoft Office 2007 lcbPlcffndTxt/fcPlfguidUim memory corruption CCProjectZeroMembers  
  109 ---- Fixed ---- ---- cevans@google.com Flash heap overflow in bytecode verifier CCProjectZeroMembers  
  110 ---- Fixed ---- ---- hawkes@google.com Microsoft Office 2007 PapxFkp rgbx bOffset memory corruption CCProjectZeroMembers  
  111 ---- Fixed ---- ---- hawkes@google.com Microsoft Office 2007 VBA ExtendedControl use-after-free CCProjectZeroMembers  
  112 ---- Fixed ---- ---- cevans@google.com Adobe Flash incorrect jit optimization with op_pushwith CCProjectZeroMembers  
  113 ---- Fixed ---- ---- fjserna@google.com Flash 14 on IE11, readAV crash on xmm instruction CCProjectZeroMembers  
  114 ---- Fixed ---- ---- cevans@google.com Adobe Flash incorrect jit optimization with op_pushscope CCProjectZeroMembers  
  115 ---- Fixed ---- ---- cevans@google.com Adobe Flash incorrect jit optimization with op_setglobalslot CCProjectZeroMembers  
  116 ---- Fixed ---- ---- cevans@google.com Flash heap buffer overflow calling Camera.copyToByteArray() with a large ByteArray CCProjectZeroMembers  
  117 ---- Fixed ---- ---- hawkes@google.com Microsoft Office 2007 MsoDrawingGroup rgChildRec invalid GlobalFree CCProjectZeroMembers  
  118 ---- Fixed ---- ---- forshaw@google.com Windows: Elevation of Privilege in ahcache.sys/NtApphelpCacheControl CCProjectZeroMembers  
  119 ---- Fixed ---- ---- hawkes@google.com Microsoft Office 2007 BoundSheet dt use-after-free CCProjectZeroMembers  
  120 ---- Fixed ---- ---- cevans@google.com Type Confusion in Setting Microphone Codec CCProjectZeroMembers  
  121 ---- Fixed ---- ---- cevans@google.com OS X privilege escalation due to XPC type confusion in sysmond (with exploit) CCProjectZeroMembers  
  122 ---- Fixed ---- ---- cevans@google.com Flash memory corruption in the G711 codec with 4-byte samples CCProjectZeroMembers  
  123 ---- Fixed ---- ---- forshaw@google.com Windows Elevation of Privilege in User Profile Service CCProjectZeroMembers  
  124 ---- Fixed ---- ---- cevans@google.com Flash memory corruption when upper casing malformed Unicode CCProjectZeroMembers  
  125 ---- Fixed ---- ---- cevans@google.com Flash corruption after corrupting pre-validated bytecode CCProjectZeroMembers  
  126 ---- Invalid ---- ---- cevans@google.com OS X kASLR defeat due to kernel pointers in IOKit registry CCProjectZeroMembers  
  127 ---- WontFix ---- ---- forshaw@google.com Windows 7: Admin Check Bypass in NtPowerInformation CCProjectZeroMembers  
  128 ---- Fixed ---- ---- forshaw@google.com Windows: Impersonation Check Bypass With CryptProtectMemory and CRYPTPROTECTMEMORY_SAME_LOGON flag CCProjectZeroMembers  
  129 ---- Fixed ---- ---- hawkes@google.com Microsoft Office 2007 dispatch table out-of-bounds function call CCProjectZeroMembers  
  130 ---- Fixed ---- ---- cevans@google.com OS X networkd "effective_audit_token" XPC type confusion sandbox escape (with exploit) CCProjectZeroMembers  
  131 ---- Fixed ---- ---- cevans@google.com Flash write crash at NULL + 0x2b288 (on 64-bit) CCProjectZeroMembers  
  132 ---- Fixed ---- ---- hawkes@google.com Microsoft Office 2007 shape drawing object use-after-free CCProjectZeroMembers  
  135 ---- Fixed ---- ---- cevans@google.com OS X IOKit kernel code execution due to NULL pointer dereference in IntelAccelerator CCProjectZeroMembers  
  136 ---- Fixed ---- ---- cevans@google.com OS X IOKit kernel memory corruption due to bad bzero in IOBluetoothDevice CCProjectZeroMembers  
  137 ---- Fixed ---- ---- forshaw@google.com Windows: Impersonation Check Bypass with MRXDAV CCProjectZeroMembers  
  138 ---- WontFix ---- ---- forshaw@google.com Windows: SMBv2 Symlink to Local File Vulnerability CCProjectZeroMembers  
  139 ---- Fixed ---- ---- mjurczyk@google.com Adobe Reader X and XI for Windows out-of-bounds write in AGM.dll CCProjectZeroMembers  
  140 ---- Fixed ---- ---- mjurczyk@google.com Adobe Reader X for Windows out-of-bounds read/write in CoolType.dll CCProjectZeroMembers  
  141 ---- Fixed ---- ---- mjurczyk@google.com Adobe Reader X and XI for Windows object use-after-free in AcroForm.api CCProjectZeroMembers  
  142 ---- Fixed ---- ---- mjurczyk@google.com Adobe Reader X for Windows out-of-bounds read in AGM.dll CCProjectZeroMembers  
  143 ---- Fixed ---- ---- mjurczyk@google.com Adobe Reader X and XI for Windows out-of-bounds read in AcroRd32.dll CCProjectZeroMembers  
  144 ---- Fixed ---- ---- mjurczyk@google.com Adobe Reader X and XI for Windows out-of-bounds write in CoolType.dll CCProjectZeroMembers  
  145 ---- Fixed ---- ---- mjurczyk@google.com Adobe Reader X for Windows out-of-bounds write in AcroRd32.dll CCProjectZeroMembers