A list of publicly known but unfixed security bugs
Please submit a pull request if you have corrections or know about any other unfixed security bugs.
tar
Chrome
Pretty much every terminal emulator
sudo
- sudo TTY tickets (generally enabled by default) allow any subprocess to do a passwordless sudo within the timeout period, not just commands you've typed into the shell.
VirtualBox
- Unlike VMware Workstation, VirtualBox clipboard sharing gives guests continuous access to the clipboard, instead of just when the VM is focused.
Xorg
- Any program connected to the server can sniff another program's keystrokes. Solved in Wayland.
Node
Erlang/OTP
- You can crash a distributed Erlang node by making ~1M connections with an invalid security cookie
- Check for null bytes in binaries / strings when opening files
Twisted
- Credential materials are compared unsafely throughout Twisted; still open due to the difficulty of measuring whether the constant-time compare function actually fixes anything.
- twisted.web has no protection against HTTP response-splitting attacks
alchemist-server
alchemist.vim
WeeChat
phantomjs, libqtwebkit4, libqt5webkit5
- These packages exist in a state of permanent insecurity because they don't keep up with the ~6-week browser update cycle (e.g., take any one of the many WebKit security bugs fixed after the last release of these packages, which may be about a year old).
Windows 7 through 10
- Various methods of automatically bypassing UAC (see "Unfixed methods in upcoming Windows 10 RS2 release")