___        /  /\    
      /__/\      /  /::\   
      \__\:\    /  /:/\:\  
      /  /::\  /  /:/  \:\ 
   __/  /:/\/ /__/:/ \__\:\
  /__/\/:/~~  \  \:\ /  /:/
  \  \::/      \  \:\  /:/ 
   \  \:\       \  \:\/:/  
    \__\/        \  \::/   
                  \__\/    
header
This page somewhat cynically celebrates the relatively new trend of giving bugs more memorable names and logo designs.



Logo bugs

heartbleed         apr 2014 CVE-2014-0160   OpenSSL rarely used heartbeat functionality leaks memory which can include private keys
shellshock         sep 2014 CVE-2014-6271+  bash: controlling an env variable equals code execution due to parse error
GHOST              jan 2015 CVE-2015-0235   glibc gethostbyname
misfortune cookie  feb 2015 CVE-2014-9222   dsl isp router authentication bypass
venom              may 2015 CVE-2015-3456   qemu emulated floppy drive, vm escape
stagefright        jul 2015 CVE-2015-1538+  android, various bug in stagefright library, code execution when viewing untrusted media
drownattack        feb 2016 CVE-2016-0800   openssl bleichenbacher attack on sslv2 leaks private key, often same as tls key
badlock            mar 2016 CVE-2016-2118   smb/samba bug, SAMR and LSA mitm
ImageTragick       may 2016 CVE-2016-3714   ImageMagick, possible to craft files which when converted execute code
phwned             may 2016 none            privilege escalation admin->root in specific android VOIP devices.
httpoxy            jul 2016 CVE-2016-5385+  CGI HTTP_PROXY env var conflicts 
sweet32            aug 2016 CVE-2016-2183+  Birthday attacks on 64-bit block ciphers in TLS and OpenVPN
dirtycow           oct 2016 CVE-2016-5195   Linux kernel privilege escalation
blacknurse         nov 2016 none            icmp type 3 code 3 DoS attack
pwnscriptum        dec 2016 CVE-2016-10033  PHPMailer - Remote Code Execution (possibly/probably miscredited)
ticketbleed        feb 2017 CVE-2016-9244   heartbleed like vulnerability in BIG-IP appliances
shattered          feb 2017                 full sha1 collision
cloudbleed         feb 2017                 cloudflare leaking PII customer data to the internet
biterrant          mar 2017                 pointing out sha1 is used in bittorrent. The actual threat is exagerated.
riddle             mar 2017 CVE-2017-3305   mysql ssl client/server connections are mitm'able
DoubleAgent        mar 2017 CVE-2017-5567+  microsoft application verifier hijack, allowing to misappropriate AV
Ring-Road          apr 2017                 QUIC protocol leaking password length
stringbleed        apr 2017 CVE 2017-5135   SNMP auth bypass (allegedly)
antbleed           apr 2017                 miner device firmware allows remote disabling
ghostbutt          apr 2017 CVE-2017-8291   Artifex Ghostscript -dSAFER bypass (allegedly) 
rtpbleed           sep 2017                 mitm sip calls, without being in the middle due to how rtp proxies deal with NAT
ROBOT              dec 2017 CVE-2017-17428+ Bleichenbacher's Oracle, again in pcks1.5

Named bugs

named bugs without logo:
shatter         dec 2002 MS02-071      WM_TIMER Message Handling privesc
BEAST           sep 2011 CVE-2011-3389 ssl cbc weakness, made people use rc4
CRIME           sep 2012 CVE-2012-4929 ssl info leakage by using chosen plain text and compression size
lucky13         feb 2013 CVE-2013-0169 ssl cbc timing oracle (the fix caused the worse bug: CVE-2016-2107)
BREACH          aug 2013 CVE-2013-3587 ssl compression info leakage
POODLE          oct 2014 CVE-2014-3566 ssl cbc mitm force downgrade to sslv3
rc4nomore       aug 2015               stop people using rc4
FREAK           may 2015 CVE-2015-0204 ssl mitm force use "exportgrade rsa" 512 bit keys.
logjam          may 2015 CVE-2015-4000 dh a lot of software only used one of a small set of weak (<=1024 bit) primes
rowhammer       jul 2015 CVE-2015-0565 induce faults in physically nearby rows of DRAM possibly belonging to higher priv process
cachebleed      mar 2016 CVE-2016-0702 ssl sidechannel using cache-banks pre haswell cpus
badTunnel       jun 2016 CVE-2016-3236 MS16-077 massive WPAD privilege escalation
HEIST           aug 2016               BREACH/CRIME from browser using malicious javascript (allegedly)
quadrooter      aug 2016               android rooting bugs(provisional)
drammer         oct 2016 CVE-2016-6728 rowhammer for ARM/mobile
LOBSTER         nov 2016 CVE-2016-1000031 serialisation in apache remote exec 
Devil's Ivy     jul 2017 CVE-2017-9765 rce allegedly in library code from gSOAP
KRACK           nov 2017               wpa handshake problems. 
Please Stop Naming Vulnerabilities      nov 2017 Android kernel bugs

Satire bugs

This new trend, and in particular the mismatch between hype and severity of some of these bugs has drawn a lot of criticism. and spawned satirical bugs.


BACKRONYM NoToken sadlock

Please let us know if any of these are POE-days [(c) brainsmoke].

Disclamer

This list does not make any claims about the noteworthyness of these bugs. It also strongly refutes the notion that all bugs with a logo are overhyped. Some have won a pwnie for best bug, some for most overhyped bug.

The license of these logos is not always clear, it is however our understanding that the inclusion on this page falls under fair use. More importantly even intended use. However, if you own any of the rights on one of these logos and would like to see it removed contact us at blapost@gmail.com and it will be removed immediately.

The list is incomplete, and may contain flaws.

bla