The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.
History of vulnerabilities analyzed by Vigil@nce:

weakness note CVE-2008-1110

xine-lib: buffer overflow via ASF

Synthesis of the vulnerability

An attacker can create an ASF header declaring a large size in order to execute code in applications linked to xine-lib.
Severity: 3/4.
Creation date: 29/01/2008.
Identifiers: CVE-2008-1110, FEDORA-2008-1043, FEDORA-2008-1047, VIGILANCE-VUL-7533.

Description of the vulnerability

ASF files (Advanced Systems Format, created for Windows Media) contain audio and video data. The xine-lib library implements several multimedia formats such as ASF.

The asf_read_header() function in the xine-lib/src/demuxers/demux_asf.c file parses the headers of ASF files and allocates a storage area. However, no check is performed on the header size. An attacker can use a long header in order to create a buffer overflow.

An attacker can therefore create a malicious ASF file, and invite victims to read it, in order to execute code in applications linked to xine-lib.

computer threat announce CVE-2007-5837

Yarssr: command execution

Synthesis of the vulnerability

An attacker can provide a malicious RSS feed in order to execute commands on the computers of victims who aggregate it with Yarssr.
Severity: 3/4.
Creation date: 28/01/2008.
Identifiers: BID-26273, CERTA-2002-AVI-197, CVE-2007-5837, DSA-1477-1, VIGILANCE-VUL-7532.

Description of the vulnerability

The Yarssr program (Yet Another RSS Reader) is an RSS aggregator.

When the user reads a message, the web browser is called in the lib/Yarssr/GUI.pm file, via a command like the following (this code uses Perl's exec, which interprets its parameter as a shell command line):
  exec(browser "url");
However, the url is not filtered. An attacker can thus use escapes in order to execute a shell command.

An attacker can therefore provide a malicious RSS feed in order to execute commands on the computers of victims who aggregate it with Yarssr.

vulnerability bulletin CVE-2008-0008

PulseAudio: privilege elevation

Synthesis of the vulnerability

The PulseAudio program does not correctly drop its privileges, which can permit a local attacker to obtain root privileges.
Severity: 1/4.
Creation date: 28/01/2008.
Identifiers: CERTA-2002-AVI-197, CVE-2008-0008, DSA-1476-1, FEDORA-2008-0963, FEDORA-2008-0994, MDVSA-2008:027, VIGILANCE-VUL-7531.

Description of the vulnerability

The PulseAudio (/usr/bin/pulseaudio) program is a sound server, installed suid root.

It uses functions of the setuid() family to drop root privileges. However, the return code of these functions is not checked. A local attacker can, for example, in a limited environment, create several processes in order to force these functions to fail. The PulseAudio program then continues to run with root privileges.

A local attacker can then use a PulseAudio vulnerability in order to elevate his privileges.

computer weakness alert CVE-2007-4770 CVE-2007-4771

ICU: denial of service via a regular expression

Synthesis of the vulnerability

When an attacker can change the regular expression used by an ICU program, he can create a denial of service.
Severity: 1/4.
Number of vulnerabilities in this bulletin: 2.
Creation date: 25/01/2008.
Identifiers: 233922, 6661352, CERTA-2002-AVI-195, CERTA-2008-AVI-123, CERTA-2008-AVI-218, CVE-2007-4770, CVE-2007-4771, DSA-1511-1, FEDORA-2008-1036, FEDORA-2008-1076, MDVSA-2008:026, RHSA-2008:0090-01, SUSE-SR:2008:005, VIGILANCE-VUL-7530.

Description of the vulnerability

The regular expression implementation in the ICU/libicu (International Components for Unicode) library has two vulnerabilities.

A regular expression containing "\0" can corrupt memory. [severity:1/4; CERTA-2008-AVI-123, CERTA-2008-AVI-218, CVE-2007-4770]

Memory used for backtracking is not limited. [severity:1/4; CVE-2007-4771]

An attacker can therefore create a denial of service in applications linked to libicu.

computer weakness bulletin CVE-2007-3920

GNOME screensaver: bypass with Compiz

Synthesis of the vulnerability

When GNOME screensaver is enabled with Compiz, an attacker can execute commands with the privileges of the user who locked the session.
Severity: 1/4.
Creation date: 25/01/2008.
Identifiers: BID-26188, CVE-2007-3920, FEDORA-2008-0930, FEDORA-2008-0956, RHSA-2008:0485-02, SUSE-SA:2008:027, VIGILANCE-VUL-7529.

Description of the vulnerability

The Compiz window manager provides a workspace with 3D animations.

When the screen of a Compiz session is locked by GNOME screensaver, an attacker can press Alt-Tab to access applications open in the user's X session.

This vulnerability therefore permits an attacker to access windows, for example in order to run shell commands with the rights of the connected user.

computer vulnerability bulletin CVE-2007-5764 CVE-2008-0584 CVE-2008-0585

AIX 5.2, 5.3: several vulnerabilities

Synthesis of the vulnerability

Several vulnerabilities of AIX 5.2 and 5.3 permit a local attacker to elevate his privileges or to obtain information.
Severity: 2/4.
Number of vulnerabilities in this bulletin: 7.
Creation date: 24/01/2008.
Revision date: 25/01/2008.
Identifiers: BID-27428, BID-27429, BID-27430, BID-27431, BID-27432, BID-27433, BID-27434, CERTA-2008-AVI-038, CVE-2007-5764, CVE-2008-0584, CVE-2008-0585, CVE-2008-0586, CVE-2008-0587, CVE-2008-0588, CVE-2008-0589, IY96095, IY96101, IY97257, IY98331, IY98340, IY99537, IZ00559, IZ06260, IZ06261, IZ06488, IZ06489, IZ06620, IZ06621, IZ10828, IZ10840, IZ10841, IZ10842, IZ10844, IZ11242, IZ11243, IZ11244, IZ12745, VIGILANCE-VUL-7528.

Description of the vulnerability

Several vulnerabilities affect AIX 5.2 and 5.3.

A buffer overflow in the /usr/lib/lpd/pio/etc/pioout or /usr/lib/lpd/pio/etc/piomkpq command permits a local attacker to elevate his privileges. [severity:2/4; BID-27428, CERTA-2008-AVI-038, CVE-2007-5764, IZ10840, IZ10841, IZ10842, IZ10844]

A local attacker can use /usr/bin/ps to obtain sensitive information on processes. [severity:1/4; BID-27434, CVE-2008-0589, IZ11242, IZ11243, IZ11244, IZ12745]

A buffer overflow in the /usr/lpp/diagnostics/bin/uspchrp command permits a local attacker who is a member of the "system" group to elevate his privileges. [severity:1/4; BID-27429, CVE-2008-0587, IZ06261, IZ06489, IZ06621]

A buffer overflow in the /usr/lpp/diagnostics/bin/utape command permits a local attacker who is a member of the "system" group to elevate his privileges. [severity:1/4; BID-27430, CVE-2008-0588, IZ06260, IZ06488, IZ06620]

The /usr/sbin/lchangevg, /usr/sbin/ldeletepv, /usr/sbin/putlvodm, /usr/sbin/lvaryoffvg, /usr/sbin/lvgenminor and /usr/sbin/tellclvmd commands of LVM (Logical Volume Manager, bos.rte.lvm, bos.clvm.enh) are installed suid root. Several overflows in these commands can be used by a local attacker who is a member of the system group to elevate his privileges. [severity:1/4; BID-27431, CVE-2008-0586, IY98331, IY98340, IY99537, IZ00559, IZ10828]

Some files of Web-based System Manager (WebSM) Remote Client under Linux are installed world writable. An attacker, on the Linux system, can therefore alter them. [severity:1/4; BID-27433, CVE-2008-0585, IY97257]

A local attacker can use the /usr/sbin/swap, /usr/sbin/swapon and /usr/sbin/swapoff commands, which are suid root and limited to members of the system group, in order to execute privileged commands. [severity:1/4; BID-27432, CVE-2008-0584, IY96095, IY96101]

vulnerability alert CVE-2007-5764 CVE-2008-0589

AIX 6.1: two vulnerabilities

Synthesis of the vulnerability

Two vulnerabilities of AIX 6.1 permit a local attacker to elevate his privileges or to obtain information.
Severity: 2/4.
Number of vulnerabilities in this bulletin: 2.
Creation date: 24/01/2008.
Identifiers: BID-27428, BID-27434, CERTA-2008-AVI-038, CVE-2007-5764, CVE-2008-0589, IZ10840, IZ10841, IZ10842, IZ10844, IZ11242, IZ11243, IZ11244, IZ12745, VIGILANCE-VUL-7527.

Description of the vulnerability

Two vulnerabilities affect AIX 6.1.

A buffer overflow in the /usr/lib/lpd/pio/etc/pioout or /usr/lib/lpd/pio/etc/piomkpq command permits a local attacker to elevate his privileges. [severity:2/4; BID-27428, CERTA-2008-AVI-038, CVE-2007-5764, IZ10840, IZ10841, IZ10842, IZ10844]

A local attacker can use /usr/bin/ps to obtain sensitive information on processes. [severity:1/4; BID-27434, CVE-2008-0589, IZ11242, IZ11243, IZ11244, IZ12745]

security vulnerability CVE-2008-0028

Cisco PIX, ASA: denial of service via TTL

Synthesis of the vulnerability

When "decrement-ttl" is enabled, an attacker can send a malicious packet in order to stop the product.
Severity: 3/4.
Creation date: 23/01/2008.
Identifiers: 100314, BID-27418, CERTA-2008-AVI-037, cisco-sa-20080123-asa, CSCsk48199, CVE-2008-0028, VIGILANCE-VUL-7526.

Description of the vulnerability

The "set connection decrement-ttl" command (of "policy-map", "class") instructs the device to decrement the TTL of packets. This option is disabled by default.

When this option is enabled, an attacker can send a special IP packet in order to reload the device.

This vulnerability is related to packets arriving with a low TTL.

threat alert CVE-2007-6425

HP-UX: denial of service of ARPA

Synthesis of the vulnerability

A remote attacker can generate a denial of service by using the ARPA (TCP/IP) protocol.
Severity: 2/4.
Creation date: 23/01/2008.
Identifiers: c01328657, CERTA-2008-AVI-036, CVE-2007-6425, HPSBUX02306, SSRT071463, VIGILANCE-VUL-7525.

Description of the vulnerability

A remote attacker can generate a denial of service by using the ARPA (TCP/IP) protocol.

weakness announce CVE-2007-4850

PHP: file reading with cURL

Synthesis of the vulnerability

A local attacker can use cURL functions to read files by bypassing safe mode restrictions.
Severity: 1/4.
Creation date: 23/01/2008.
Identifiers: BID-27413, CVE-2007-4850, MDVSA-2009:021, MDVSA-2009:022, MDVSA-2009:023, MDVSA-2009:024, MDVSA-2009:065, VIGILANCE-VUL-7524.

Description of the vulnerability

The cURL extension is used to download documents from a PHP script.

However, a local attacker can use a null character to bypass the safe_mode directive.

An attacker can therefore read some files located on the system.