The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.
History of vulnerabilities analyzed by Vigil@nce:

computer vulnerability announce CVE-2011-1782

Gimp: buffer overflow via PSP

Synthesis of the vulnerability

An attacker can invite the victim to open a malicious PSP image with Gimp, in order to generate an overflow, leading to code execution.
Impacted products: Debian, Fedora, GIMP, Mandriva Linux, openSUSE, SUSE Linux Enterprise Desktop.
Severity: 2/4.
Consequences: user access/rights, denial of service on client.
Provenance: document.
Creation date: 07/06/2011.
Identifiers: 704512, BID-48277, CVE-2011-1782, DSA-2426-1, FEDORA-2011-7371, FEDORA-2011-7393, FEDORA-2011-7397, MDVSA-2011:103, openSUSE-SU-2011:0586-1, SUSE-SU-2011:0589-1, VIGILANCE-VUL-10717.

Description of the vulnerability

Gimp can load and edit images in the PSP (Paint Shop Pro) format.

Pixel data in a PSP image is compressed with RLE (Run Length Encoding). The read_channel_data() function of plug-ins/common/file-psp.c decodes the RLE runs into the image buffer. However, it does not check whether a run would carry the write cursor past the end of that buffer, so a run length taken from the file can write beyond the image.

An attacker can therefore invite the victim to open a malicious PSP image with Gimp, in order to generate an overflow, leading to code execution.
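Added example (written for this bulletin, not GIMP's file-psp.c): the shape of the read_channel_data() bug in a toy RLE decoder, beside the bounded version a loader needs. The PackBits-like encoding, the function names and the crafted stream are assumptions made for the illustration, not the exact PSP format.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * RLE scheme assumed for this illustration (PackBits-like, not the exact
 * PSP encoding): a count byte c is followed by
 *   c <  128 : the next c bytes are literal pixels,
 *   c >= 128 : the next byte is repeated (c - 128) times.
 */

/* Vulnerable shape: the run length comes from the file and is only checked
 * against the end of the INPUT; nothing compares it with the room left in
 * the output image, so a long run near the end of the data writes past it.
 * Returns the number of bytes written. */
size_t rle_decode_unchecked(const uint8_t *src, size_t src_len,
                            uint8_t *dst, size_t dst_len)
{
    size_t i = 0, o = 0;
    (void)dst_len;                               /* ignored: this is the bug */
    while (i < src_len) {
        uint8_t c = src[i++];
        if (c < 128) {
            if (c > src_len - i) break;
            memcpy(dst + o, src + i, c);
            i += c;
            o += c;
        } else {
            size_t n = (size_t)c - 128;
            if (i >= src_len) break;
            memset(dst + o, src[i++], n);        /* n is never bounded by dst_len */
            o += n;
        }
    }
    return o;
}

/* Hardened shape: every run is compared with the room left in dst before
 * anything is written, and a malformed stream is rejected rather than
 * silently truncated. Returns bytes written, or -1 on a bad stream. */
long rle_decode_bounded(const uint8_t *src, size_t src_len,
                        uint8_t *dst, size_t dst_len)
{
    size_t i = 0, o = 0;
    while (i < src_len) {
        uint8_t c = src[i++];
        size_t n = (c < 128) ? (size_t)c : (size_t)c - 128;
        if (n > dst_len - o)
            return -1;                           /* run would cross the end of the image */
        if (c < 128) {
            if (n > src_len - i)
                return -1;                       /* literal run longer than the input */
            memcpy(dst + o, src + i, n);
            i += n;
        } else {
            if (i >= src_len)
                return -1;                       /* repeat run without its byte */
            memset(dst + o, src[i++], n);
        }
        o += n;
    }
    return (long)o;
}

/* Constructed stream: a 4-byte literal run, then "repeat 0xEE twelve times".
 * It expands to 16 bytes, but the image it is decoded into holds only 8. */
static const uint8_t crafted[] = { 0x04, 1, 2, 3, 4, 0x80 + 12, 0xEE };

/* Decodes `crafted` with the unchecked decoder into an 8-byte image that is
 * followed by 8 bytes of canary inside the same array (so the demo itself
 * stays in bounds) and reports how many canary bytes were overwritten. */
int unchecked_overrun_bytes(void)
{
    uint8_t buf[16] = {0};
    int clobbered = 0;
    rle_decode_unchecked(crafted, sizeof crafted, buf, 8);
    for (int k = 8; k < 16; k++)
        clobbered += (buf[k] == 0xEE);
    return clobbered;
}

/* The bounded decoder refuses the same stream (-1)... */
long bounded_rejects_crafted(void)
{
    uint8_t img[8] = {0};
    return rle_decode_bounded(crafted, sizeof crafted, img, sizeof img);
}

/* ...and still decodes a well-formed stream that fills the image exactly. */
long bounded_decodes_valid(void)
{
    static const uint8_t good[] = { 0x02, 9, 9, 0x80 + 6, 0x55 };
    uint8_t img[8] = {0};
    return rle_decode_bounded(good, sizeof good, img, sizeof img);
}

int main(void)
{
    printf("unchecked decoder clobbered %d bytes past the image\n", unchecked_overrun_bytes());
    printf("bounded decoder on crafted stream: %ld\n", bounded_rejects_crafted());
    printf("bounded decoder on valid stream: %ld bytes\n", bounded_decodes_valid());
    return 0;
}
```

The unchecked decoder does verify that a literal run does not read past the input, which is the check most decoders already have; the one a loader must add is against the room left in the output image, performed before every memcpy()/memset(), as in the bounded version.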

computer vulnerability alert CVE-2011-1178

Gimp: integer overflow via PCX

Synthesis of the vulnerability

An attacker can invite the victim to open a malicious PCX image with Gimp, in order to generate an integer overflow, leading to code execution.
Impacted products: GIMP, Mandriva Linux, openSUSE, RHEL, SUSE Linux Enterprise Desktop.
Severity: 2/4.
Consequences: user access/rights, denial of service on client.
Provenance: document.
Creation date: 07/06/2011.
Identifiers: 689831, BID-48057, CVE-2011-1178, MDVSA-2011:110, openSUSE-SU-2011:0586-1, RHSA-2011:0837-01, RHSA-2011:0838-01, RHSA-2011:0839-01, SUSE-SU-2011:0589-1, VIGILANCE-VUL-10716.

Description of the vulnerability

Gimp can load images in the PCX (Personal Computer eXchange) format.

The load_image() function of plug-ins/common/file-pcx.c loads PCX images. It allocates pixel buffers whose size is computed as the product of the image width and height read from the file header. However, this multiplication can overflow (wrap around), so the allocated buffer is smaller than the pixel data that is then written into it.

An attacker can therefore invite the victim to open a malicious PCX image with Gimp, in order to generate an integer overflow, leading to code execution.

computer vulnerability CVE-2011-2183

Linux kernel: denial of service via ksm_do_scan

Synthesis of the vulnerability

A local attacker can use the KSM feature, in order to crash the kernel.
Impacted products: Debian, Fedora, Linux, openSUSE, RHEL, SUSE Linux Enterprise Desktop, SLES.
Severity: 1/4.
Consequences: denial of service on server.
Provenance: user shell.
Creation date: 07/06/2011.
Identifiers: BID-48101, CVE-2011-2183, DSA-2389-1, FEDORA-2011-9130, openSUSE-SU-2011:1222-1, RHSA-2011:1189-01, RHSA-2011:1253-01, SUSE-SA:2011:031, SUSE-SU-2011:0832-1, VIGILANCE-VUL-10715.

Description of the vulnerability

A process marks a memory range as mergeable with madvise(memory_address, memory_size, MADV_MERGEABLE). The KSM (Kernel Samepage Merging) feature of the Linux kernel then scans such pages for content identical to that of another page and merges the duplicates into a single shared copy.

The ksm_do_scan() function of mm/ksm.c calls scan_get_next_rmap_item() to walk the linked list of mergeable pages. However, when the list has already been processed, a NULL pointer comes back and ksm_do_scan() dereferences it, which crashes the kernel.

A local attacker can therefore use the KSM feature, in order to crash the kernel.

vulnerability note CVE-2011-2184

Linux kernel: denial of service via key_replace_session_keyring

Synthesis of the vulnerability

A local attacker can use the keyctl() system call, in order to create a denial of service.
Impacted products: Linux.
Severity: 1/4.
Consequences: denial of service on server.
Provenance: user shell.
Creation date: 06/06/2011.
Identifiers: BID-48059, CVE-2011-2184, VIGILANCE-VUL-10714.

Description of the vulnerability

The keyctl() system call manages a process's keys and keyrings. Its KEYCTL_SESSION_TO_PARENT operation asks the kernel to install the caller's session keyring as the session keyring of the parent process.

The key_replace_session_keyring() function of security/keys/process_keys.c performs that replacement when KEYCTL_SESSION_TO_PARENT is used. However, it does not initialize the "user_ns" field of the new credentials structure it installs, so a later access through that field reads from an invalid memory address.

A local attacker can therefore use the keyctl() system call, in order to create a denial of service.

vulnerability bulletin CVE-2011-2182

Linux kernel: buffer overflow via ldm_frag_add

Synthesis of the vulnerability

An attacker can plug in or mount a device carrying a malicious Windows Logical Disk Manager partition table, in order to corrupt kernel memory, which leads to a denial of service or to code execution.
Impacted products: Debian, Linux, openSUSE, SUSE Linux Enterprise Desktop, SLES.
Severity: 2/4.
Consequences: administrator access/rights, privileged access/rights, user access/rights, denial of service on server.
Provenance: user console.
Creation date: 06/06/2011.
Identifiers: BID-52334, CVE-2011-2182, DSA-2264-1, openSUSE-SU-2011:0860-1, openSUSE-SU-2011:0861-1, SUSE-SA:2011:031, SUSE-SA:2011:034, SUSE-SA:2011:040, SUSE-SU-2011:0832-1, SUSE-SU-2011:0899-1, SUSE-SU-2011:0928-1, SUSE-SU-2011:1058-1, VIGILANCE-VUL-10713.

Description of the vulnerability

The fs/partitions/ldm.c file implements support for Windows Logical Disk Manager (LDM, "dynamic disk") partitions. The partition table is parsed automatically when a device formatted with LDM is connected or mounted.

The ldm_frag_add() function adds the VBLK records of an LDM partition to a linked list. A VBLK record may be split into several fragments, which are copied into a memory area allocated when the first fragment is seen. Since VIGILANCE-VUL-10397 the size of that area is computed correctly for the first fragment. However, starting from the second fragment, the copied data is not kept within that area, so an overflow can still occur.

An attacker can therefore plug in or mount a device carrying a malicious Windows Logical Disk Manager partition table, in order to corrupt kernel memory, which leads to a denial of service or to code execution.
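Added example (written for this bulletin, not the kernel's fs/partitions/ldm.c): a toy reassembler for a record split into several fragments, where the buffer is sized from the first fragment seen. It models one way a later fragment can overflow a buffer that was correctly sized for the first one: the weak version validates a fragment's part index only against that fragment's own header, the strict version against the geometry recorded when the group was created. The header layout, field names and fragment values are assumptions for the illustration; whether this is exactly the check the kernel fix added is not stated on this page.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Fragment header assumed for this illustration (not the on-disk VBLK
 * layout): a record split into `num` parts, this fragment being part `rec`,
 * followed by `size` payload bytes. */
struct frag_hdr {
    uint32_t group;   /* record this fragment belongs to */
    uint16_t rec;     /* index of this part */
    uint16_t num;     /* number of parts the fragment claims the record has */
};

/* Reassembly buffer for one record, sized from the FIRST fragment seen.
 * A real implementation keeps a list of these; one slot is enough here. */
struct frag_group {
    uint32_t group;
    uint16_t num;        /* parts declared by the first fragment */
    size_t   part_size;  /* bytes per part in the first fragment */
    size_t   buf_size;   /* num * part_size */
    uint8_t *data;       /* buf_size bytes + CANARY bytes of slack */
};

/* Slack after the buffer so the demo can observe an overrun while staying
 * inside its own allocation; in a kernel, another object lives there. */
#define CANARY 64

static struct frag_group *lookup_or_create(struct frag_group *g, const struct frag_hdr *h, size_t size)
{
    if (g->data)                                  /* group already exists */
        return g->group == h->group ? g : NULL;
    if (h->num < 1 || size == 0)
        return NULL;
    g->group = h->group;
    g->num = h->num;
    g->part_size = size;
    g->buf_size = (size_t)h->num * size;
    g->data = calloc(g->buf_size + CANARY, 1);
    return g->data ? g : NULL;
}

/* Weak check (the shape of the bug): `rec` is validated only against the
 * fragment's OWN `num`, so a later fragment claiming "part 5 of 8" passes
 * and is copied at offset 5 * size into a buffer sized for 2 parts. */
bool frag_add_weak(struct frag_group *g, const struct frag_hdr *h, const uint8_t *payload, size_t size)
{
    if (h->rec >= h->num || !lookup_or_create(g, h, size))
        return false;
    memcpy(g->data + (size_t)h->rec * size, payload, size);   /* not bounded by g->buf_size */
    return true;
}

/* Strict check: later fragments must match the geometry recorded when the
 * group was created; their own header is never trusted for that. */
bool frag_add_strict(struct frag_group *g, const struct frag_hdr *h, const uint8_t *payload, size_t size)
{
    if (h->rec >= h->num || !lookup_or_create(g, h, size))
        return false;
    if (h->rec >= g->num || size != g->part_size)
        return false;                             /* inconsistent with the first fragment */
    memcpy(g->data + (size_t)h->rec * g->part_size, payload, size);
    return true;
}

/* Constructed fragments: the first declares a 2-part record with 16-byte
 * parts (32-byte buffer); the second is in the same group but claims to be
 * part 5 of 8. */
static const struct frag_hdr first  = { .group = 7, .rec = 0, .num = 2 };
static const struct frag_hdr second = { .group = 7, .rec = 5, .num = 8 };

/* Canary bytes the weak path overwrites (0 would mean no overrun). */
int weak_canary_bytes_clobbered(void)
{
    struct frag_group g = {0};
    uint8_t payload[16];
    int n = 0;
    memset(payload, 0xAB, sizeof payload);
    frag_add_weak(&g, &first, payload, sizeof payload);
    frag_add_weak(&g, &second, payload, sizeof payload);
    for (size_t k = g.buf_size; k < g.buf_size + CANARY; k++)
        n += (g.data[k] == 0xAB);
    free(g.data);
    return n;
}

/* True when the strict path accepts the first fragment and rejects the second. */
bool strict_rejects_second(void)
{
    struct frag_group g = {0};
    uint8_t payload[16];
    memset(payload, 0xAB, sizeof payload);
    bool a = frag_add_strict(&g, &first, payload, sizeof payload);
    bool b = frag_add_strict(&g, &second, payload, sizeof payload);
    free(g.data);
    return a && !b;
}
```

The point to take from the strict version is where the bound comes from: once a group exists, every later fragment is checked against the `num` and `part_size` stored with the group, never against the numbers the fragment itself carries, since those are under the attacker's control.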

vulnerability announce CVE-2011-1946

libgnomesu: privilege elevation

Synthesis of the vulnerability

A local attacker can use /usr/lib/libgnomesu/gnomesu-pam-backend, in order to elevate his privileges.
Impacted products: openSUSE, SUSE Linux Enterprise Desktop, SLES, Unix (platform) ~ not comprehensive.
Severity: 2/4.
Consequences: administrator access/rights.
Provenance: user shell.
Creation date: 06/06/2011.
Identifiers: 695627, CVE-2011-1946, openSUSE-SU-2011:0694-1, SUSE-SU-2011:0697-1, SUSE-SU-2011:0726-1, VIGILANCE-VUL-10712.

Description of the vulnerability

The setuid() system call changes the user ID of the calling process; a privileged program uses it to switch to (drop to) another user.

The suid root program /usr/lib/libgnomesu/gnomesu-pam-backend is the PAM back end used by the GNOME "su" front end (gnomesu). It calls setuid() to change from root to the requested user. However, it does not check whether the setuid() call failed. A local attacker who can make that call fail therefore forces gnomesu-pam-backend to keep running with root privileges.

A local attacker can therefore use /usr/lib/libgnomesu/gnomesu-pam-backend, in order to elevate his privileges.
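Added example (written for this bulletin, not libgnomesu's code): the privilege-drop pattern the bulletin describes, in its unchecked and checked forms. setuid() can fail, with EPERM when the caller lacks the privilege, or EAGAIN when the target user already has RLIMIT_NPROC processes (see man 2 setuid); which condition the advisory's attacker triggers is not stated on this page. The function names are assumptions of the example.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Unchecked shape (the bug): the helper carries on whatever setuid() did.
 * Returns the effective uid it is actually running as afterwards, which on
 * failure is still the one it started with. */
uid_t drop_unchecked(uid_t target)
{
    setuid(target);                   /* return value ignored */
    return geteuid();
}

/* Checked shape: fail closed when setuid() reports an error and confirm the
 * identity really changed before doing anything on the user's behalf.
 * Returns 0 on success, or -errno (e.g. -EPERM, -EAGAIN) on failure. */
int drop_checked(uid_t target)
{
    if (setuid(target) != 0)
        return -errno;                /* EPERM; or EAGAIN when the target uid is at RLIMIT_NPROC (man 2 setuid) */
    if (getuid() != target || geteuid() != target)
        return -EPERM;                /* never continue on an identity we did not ask for */
    return 0;
}

int main(void)
{
    uid_t me = getuid();
    int rc;

    /* Run as an unprivileged user, setuid(0) fails: the unchecked helper keeps
     * running as `me`, the checked one reports EPERM instead of continuing. */
    printf("unchecked drop to root -> still uid %u\n", (unsigned)drop_unchecked(0));
    rc = drop_checked(0);
    printf("checked drop to root   -> %s\n", rc ? strerror(-rc) : "ok");
    rc = drop_checked(me);
    printf("checked drop to uid %u -> %s\n", (unsigned)me, rc ? strerror(-rc) : "ok");
    return 0;
}
```

A suid helper that ignores the setuid() result has no way to tell "now running as the user" from "still root"; the checked form makes the failure visible and refuses to go on, and the getuid()/geteuid() comparison catches the case where the call returned but the identity is not the one requested.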

vulnerability alert CVE-2011-2194

VLC: integer overflow via XSPF

Synthesis of the vulnerability

An attacker can invite the victim to open a malicious XSPF file with VLC, in order to execute code on his computer.
Impacted products: Debian, VLC.
Severity: 2/4.
Consequences: user access/rights.
Provenance: document.
Creation date: 06/06/2011.
Revision date: 09/06/2011.
Identifiers: BID-48171, CVE-2011-2194, DSA-2257-1, VideoLAN-SA-1104, VIGILANCE-VUL-10711.

Description of the vulnerability

The VideoLAN VLC program plays multimedia files.

An XSPF (XML Shareable Playlist Format) file stores a list of multimedia documents.

The parse_track_node() function of modules/demux/playlist/xspf.c allocates a memory area for the XML elements it parses. However, when the identifier of an XML node is very large, the computation of that area's size overflows, a buffer that is too small is allocated, and later writes go past its end.

An attacker can therefore invite the victim to open a malicious XSPF file with VLC, in order to execute code on his computer.
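Added example (written for this bulletin, not GIMP's file-pcx.c nor VLC's xspf.c) covering the PCX bulletin (CVE-2011-1178) above and this XSPF bulletin: both are an allocation size computed from file-controlled integers that wraps around. The PCX form is width x height x bytes-per-pixel in 32-bit arithmetic; the XSPF form is modelled as an array grown to (id + 1) pointer slots, which is an assumption about what "the identifier of an XML node" sizes. The function names and the 1 GiB policy limit are assumptions of the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Portable checked multiply for size_t (GCC/Clang also offer
 * __builtin_mul_overflow). True and *out = a * b only if it fits. */
bool mul_size(size_t a, size_t b, size_t *out)
{
    if (a != 0 && b > SIZE_MAX / a)
        return false;
    *out = a * b;
    return true;
}

/* Unchecked shape (the PCX case): the byte count is computed in 32-bit
 * arithmetic straight from header fields. 65536 x 65537 pixels wraps to
 * 65536 bytes, so a 64 KiB buffer is allocated for 4 GiB of pixel data. */
uint32_t pcx_bytes_unchecked(uint32_t width, uint32_t height, uint32_t bpp)
{
    return width * height * bpp;
}

/* Checked shape: the product is computed without wrapping (mul_size matters
 * on 32-bit builds, where size_t is 32 bits), zero dimensions are refused,
 * and the result is held to a loader policy `limit` (an assumed cap, since
 * a correct but enormous size would otherwise just fail in malloc later).
 * Returns the size, or 0 for "reject"; 0 is never a valid pixel buffer. */
size_t pcx_bytes_checked(uint32_t width, uint32_t height, uint32_t bpp, size_t limit)
{
    size_t n;
    if (width == 0 || height == 0 || bpp == 0)
        return 0;
    if (!mul_size(width, height, &n) || !mul_size(n, bpp, &n))
        return 0;
    return n > limit ? 0 : n;
}

/* The XSPF case in the assumed shape: an array of pointers grown so that
 * index `id` fits needs (id + 1) slots. Done in 32-bit arithmetic, a large
 * id wraps to a tiny allocation, and the write to slot `id` then lands far
 * outside it. */
uint32_t tracklist_bytes_unchecked(uint32_t id)
{
    return (id + 1) * (uint32_t)sizeof(void *);
}

size_t tracklist_bytes_checked(uint32_t id, size_t limit)
{
    size_t n;
    if (id == UINT32_MAX)                          /* id + 1 would wrap */
        return 0;
    if (!mul_size((size_t)id + 1, sizeof(void *), &n))
        return 0;
    return n > limit ? 0 : n;
}

int main(void)
{
    const size_t limit = (size_t)1 << 30;            /* 1 GiB policy cap, assumed */
    printf("PCX 65536x65537x1 unchecked: %u bytes\n", pcx_bytes_unchecked(65536u, 65537u, 1u));
    printf("PCX 65536x65537x1 checked:   %zu (0 = rejected)\n", pcx_bytes_checked(65536u, 65537u, 1u, limit));
    printf("PCX 640x480x3 checked:       %zu bytes\n", pcx_bytes_checked(640u, 480u, 3u, limit));
    printf("XSPF id 0x40000000 unchecked: %u bytes\n", tracklist_bytes_unchecked(0x40000000u));
    printf("XSPF id 0x40000000 checked:   %zu (0 = rejected)\n", tracklist_bytes_checked(0x40000000u, limit));
    return 0;
}
```

Two checks are needed, not one: the arithmetic itself must not wrap (on 64-bit builds the products of 32-bit header fields never do, on 32-bit builds they do), and the result must still be bounded by what the loader is willing to allocate, otherwise a correct but absurd size merely moves the failure to malloc().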

vulnerability CVE-2011-2107

Adobe Flash: Cross Site Scripting

Synthesis of the vulnerability

An attacker can invite the victim to visit a site which uses Adobe Flash Player, in order to execute JavaScript code on another site.
Impacted products: Flash Player, Acrobat, OpenSolaris, openSUSE, Solaris, RHEL, SUSE Linux Enterprise Desktop.
Severity: 3/4.
Consequences: client access/rights.
Provenance: internet server.
Creation date: 06/06/2011.
Identifiers: APSB11-13, APSB11-16, BID-48107, CERTA-2011-AVI-332, CVE-2011-2107, openSUSE-SU-2011:0612-1, RHSA-2011:0850-01, SUSE-SU-2011:0614-1, VIGILANCE-VUL-10710.

Description of the vulnerability

A script running on one web site (for example http://www.attacker.com/) is not allowed to read or act on the content of another site (http://www.company.com/); browsers enforce this with the same-origin policy.

However, Adobe Flash Player does not honor this barrier.

An attacker can therefore invite the victim to visit a site which uses Adobe Flash Player, in order to execute JavaScript code on another site.

computer vulnerability note CVE-2011-1224

WebSphere MQ: acceptance of revoked certificates

Synthesis of the vulnerability

The WebSphere MQ product does not reject revoked SSL certificates, so an attacker holding a revoked certificate can continue to access the service.
Impacted products: WebSphere MQ.
Severity: 2/4.
Consequences: data reading, data creation/edition, data deletion.
Provenance: intranet client.
Creation date: 06/06/2011.
Revision date: 12/07/2011.
Identifiers: 68229, BID-48636, CVE-2011-1224, IZ92813, swg27007069, VIGILANCE-VUL-10709, websphere-mq-cdb-security-bypass.

Description of the vulnerability

The WebSphere MQ product uses SSL certificates to authenticate:
 - a client
 - a queue manager
 - an application

The CDP (CRL Distribution Point) X.509 certificate extension tells the verifying party where to download the CRL (Certificate Revocation List) that lists the revoked certificates.

However, WebSphere MQ does not use the CDP extension to fetch and check the CRL.

The WebSphere MQ product therefore does not reject revoked SSL certificates, so an attacker holding a revoked certificate can continue to access the service.

computer vulnerability bulletin CVE-2011-2217

VMware Infrastructure: memory corruption of VI Client

Synthesis of the vulnerability

An attacker can lure the victim to a web page that instantiates the VI Client ActiveX control installed by VMware Infrastructure 3, in order to execute code in Internet Explorer with the victim's privileges.
Impacted products: ESX, ESXi, VMware Player, VMware vSphere, VMware vSphere Hypervisor, VMware Workstation.
Severity: 2/4.
Consequences: user access/rights.
Provenance: internet server.
Creation date: 06/06/2011.
Identifiers: CVE-2011-2217, VIGILANCE-VUL-10708, VMSA-2011-0009.

Description of the vulnerability

The VMware Infrastructure 3 product installs the VI Client ActiveX control.

However, this control does not correctly validate its parameters, which corrupts memory.

An attacker can therefore lure the victim to a web page that instantiates the VI Client ActiveX control installed by VMware Infrastructure 3, in order to execute code in Internet Explorer with the victim's privileges.
