The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.
History of vulnerabilities analyzed by Vigil@nce:

computer weakness note CVE-2009-1784

AVG Anti-Virus: bypassing via ZIP

Synthesis of the vulnerability

An attacker can create a ZIP archive containing a virus which is not detected by AVG.
Severity: 2/4.
Creation date: 11/05/2009.
Identifiers: BID-34895, CVE-2009-1784, TZO-20-2009, VIGILANCE-VUL-8704.
Full Vigil@nce bulletin... (Free trial)

Description of the vulnerability

AVG products detect viruses contained in ZIP archives.

However, an attacker can create a slightly malformed archive (by changing "Filelength"), which can still be opened by Unzip tools, but which cannot be opened by the antivirus.

An attacker can therefore create a ZIP archive containing a virus which is not detected by AVG.

computer threat 8703

qmailAdmin: several vulnerabilities

Synthesis of the vulnerability

An attacker can use two vulnerabilities of qmailAdmin to execute privileged code or to perform a Cross Site Scripting attack.
Severity: 2/4.
Number of vulnerabilities in this bulletin: 2.
Creation date: 11/05/2009.
Identifiers: VIGILANCE-VUL-8703.

Description of the vulnerability

The qmailAdmin program offers a web interface to manage a qmail messaging system. Two vulnerabilities were announced.

The template.c file generates HTML code containing URLs, but does not filter the parameters of these URLs. An attacker can therefore perform a Cross Site Scripting attack. [severity:2/4]

The main() function of qmailadmin.c does not stop the program when the setuid() and setgid() calls fail. In this case, the program therefore continues to run with elevated privileges. [severity:1/4]
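As an added example (not qmailAdmin's code), the following C helper drops privileges with the setgid()/setuid() return values checked and the result verified, so the program exits instead of running on with elevated privileges as described above. drop_privileges() is a hypothetical name, and the demo targets the caller's own identity so it runs as any user.

```c
/* Added example, not qmailAdmin's code: dropping privileges with the
 * setgid()/setuid() return values checked and the result verified, so the
 * program exits instead of running on with elevated privileges as in the
 * bulletin. drop_privileges() is a hypothetical helper. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Returns 0 when the process now runs as uid:gid and cannot regain its
 * previous identity; returns -1 with errno set otherwise. */
int drop_privileges(uid_t uid, gid_t gid)
{
    /* Group first: after setuid() to a non-root user, setgid() would fail. */
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;
    /* Verify rather than trust the calls: real and effective ids must match. */
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid) {
        errno = EPERM;
        return -1;
    }
    /* A non-root process must not be able to become root again. */
    if (uid != 0 && setuid(0) == 0) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

int main(void)
{
    /* Constructed target: the current identity, so the demo runs as any
     * user; a real CGI would use the unprivileged account it should run as. */
    if (drop_privileges(getuid(), getgid()) != 0) {
        fprintf(stderr, "cannot drop privileges: %s\n", strerror(errno));
        return EXIT_FAILURE;    /* the "stop on failure" branch the bulletin says qmailadmin.c lacks */
    }
    puts("running with reduced privileges");
    return EXIT_SUCCESS;
}
```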

computer vulnerability note 8702

qmailAdmin, vpopmail: bypassing quotas

Synthesis of the vulnerability

When the administrator defines quotas over 2 GB, they are not honoured by qmailAdmin and vpopmail.
Severity: 1/4.
Creation date: 11/05/2009.
Identifiers: VIGILANCE-VUL-8702.

Description of the vulnerability

The vpopmail program is used to create virtual mailboxes. The qmailAdmin program is used to manage a qmail or vpopmail messaging system.

The administrator can define a quota in qmailAdmin and vpopmail in order to limit the size of users' mailboxes.

However, these quotas are stored in a signed 32-bit integer. The maximum value is thus 2^31-1 = 2147483647, i.e. 2 GB. If the administrator defines a larger value, it is not honoured, and the mailbox size is therefore not limited.

When the administrator defines quotas over 2 GB, they are thus not honoured by qmailAdmin and vpopmail.

security threat CVE-2009-1194

Pango: integer overflow

Synthesis of the vulnerability

When Pango is used on a long text string, an integer overflow occurs and leads to a denial of service or to code execution.
Severity: 2/4.
Creation date: 11/05/2009.
Identifiers: CVE-2009-1194, DSA-1798-1, MDVSA-2009:158-1, MDVSA-2009:158-3, MDVSA-2009:175, oCERT-2009-001, RHSA-2009:0476-01, SUSE-SR:2009:012, SUSE-SR:2010:004, VIGILANCE-VUL-8701.

Description of the vulnerability

The Pango library is used to lay out and display text. It is for example called by Firefox and Evolution.

The pango_glyph_string_set_size() function of the glyphstring.c file is used to resize a string. In order to do so, it reallocates a memory area with:
  realloc(mem, string->space * sizeof (PangoGlyphInfo));

However, this multiplication can overflow, so the allocated size becomes smaller than the string to store. A memory corruption then occurs.

An attacker can therefore force software linked to Pango to use a long string in order to generate a denial of service or to execute code.
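As an added example (not Pango's code), the following C shows the unchecked element-count multiplication next to an overflow-checked version used before realloc(), the guard that the pango_glyph_string_set_size() call quoted above lacks. GlyphInfo, GlyphString and the function names are hypothetical stand-ins for Pango's types.

```c
/* Added example, not Pango's code: an overflow-checked element-count
 * multiplication before realloc(), the guard missing from the
 * pango_glyph_string_set_size() call quoted above. GlyphInfo and
 * GlyphString are hypothetical stand-ins for Pango's types. */
#include <stdint.h>
#include <stdlib.h>

typedef struct { uint32_t glyph; int32_t width; void *attr; } GlyphInfo;

typedef struct {
    GlyphInfo *glyphs;
    size_t     space;   /* number of allocated GlyphInfo elements */
} GlyphString;

/* Vulnerable pattern from the bulletin: the product is never checked and
 * silently wraps, so a huge count can yield a tiny allocation. */
size_t unchecked_bytes(size_t count, size_t elem)
{
    return count * elem;
}

/* Writes count*elem to *out and returns 1, or returns 0 when the product
 * would not fit in size_t (nothing is written to *out in that case). */
int checked_mul_size(size_t count, size_t elem, size_t *out)
{
    if (elem != 0 && count > SIZE_MAX / elem)
        return 0;
    *out = count * elem;
    return 1;
}

/* Hardened resize: refuse the request instead of reallocating a block
 * that is smaller than the string it must hold. */
int glyph_string_set_size(GlyphString *s, size_t new_space)
{
    size_t bytes;
    GlyphInfo *p;
    if (!checked_mul_size(new_space, sizeof(GlyphInfo), &bytes))
        return -1;                       /* would overflow: fail closed */
    p = realloc(s->glyphs, bytes);
    if (p == NULL && bytes != 0)
        return -1;                       /* out of memory, old block kept */
    s->glyphs = p;
    s->space  = new_space;
    return 0;
}
```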

threat CVE-2009-0793

Little CMS: denial of service via monochrome

Synthesis of the vulnerability

An image with a malicious ICC profile dereferences a NULL pointer in Little CMS.
Severity: 1/4.
Creation date: 11/05/2009.
Identifiers: CVE-2009-0793, FEDORA-2009-3425, FEDORA-2009-3426, FEDORA-2009-3914, FEDORA-2009-3967, MDVSA-2009:121-1, MDVSA-2009:137, MDVSA-2009:162, VIGILANCE-VUL-8700.

Description of the vulnerability

The Little CMS (lcms, Color Management System) library handles images.

The ICC (International Color Consortium) profile defines color variations needed by each device in order to display identical colors. Some image types, such as JPEG or PNG, can contain ICC profiles.

The cmsBuildGrayOutputMatrixShaper() function of the src/cmsxform.c file of Little CMS reads the monochrome ICC profile of an image. When the profile is invalid, the cmsReadICCGamma() function returns a NULL pointer, which is dereferenced in cmsBuildGrayOutputMatrixShaper().

An attacker can therefore invite the victim to open a malicious image in software using a monochrome display, in order to stop the application.

weakness alert 8699

Linux kernel: information disclosure on a process

Synthesis of the vulnerability

A local attacker can obtain information about the memory structure of a process in order to bypass ASLR.
Severity: 1/4.
Creation date: 11/05/2009.
Identifiers: FEDORA-2009-5356, FEDORA-2009-5383, VIGILANCE-VUL-8699.

Description of the vulnerability

The ASLR (Address Space Layout Randomization) feature randomizes the location of various sections (stack, heap and libraries) of a process. Attacks using assembly code are thus harder to implement.

The /proc/$PID/stat file contains information about the state of a process:
 - 27th field: start_stack (start of stack)
 - 28th field: esp (current address of the stack)
 - 29th field: eip (current instruction)
 - 34th field: wchan (waiting function, such as wait(), which can also be found in /proc/$PID/wchan)

A local attacker can repeatedly sample data from this file in order to find various values. He can thus slowly reconstruct the structure of the stack and the addresses of libraries.

A local attacker can therefore obtain information about the memory structure of a process in order to bypass ASLR.

computer threat bulletin CVE-2009-1490 CVE-2009-1491

Sendmail: buffer overflow via X-Testing

Synthesis of the vulnerability

On old Sendmail versions, an attacker can use a long X-Testing header in order to generate a denial of service and possibly to execute code.
Severity: 2/4.
Number of vulnerabilities in this bulletin: 2.
Creation date: 07/05/2009.
Identifiers: BID-34944, BID-34949, CVE-2009-1490, CVE-2009-1491, VIGILANCE-VUL-8698.

Description of the vulnerability

A vulnerability was announced in 2009, about Sendmail versions available in 2004.

An email is composed of headers and a body. Headers can contain extensions starting with "X-".

When the first header is a long extension, Sendmail tries to split it on several lines. However, two cases can occur:
 - a computation error generates a buffer overflow
 - the end of the header can be inserted in the message body

This vulnerability can therefore lead:
 - to a denial of service or to code execution
 - to a malformed email which can bypass an antivirus.

security announce CVE-2009-1782

F-Secure AV: bypassing via RAR and ZIP

Synthesis of the vulnerability

An attacker can create a RAR or ZIP archive containing a virus which is not detected by F-Secure products.
Severity: 2/4.
Creation date: 07/05/2009.
Identifiers: BID-34849, CVE-2009-1782, FSC-2009-1, VIGILANCE-VUL-8697.

Description of the vulnerability

F-Secure products detect viruses contained in RAR and ZIP archives.

However, an attacker can create a slightly malformed archive, which can still be opened by Unrar/Unzip tools, but which cannot be opened by the antivirus.

An attacker can therefore create a RAR or ZIP archive containing a virus which is not detected by F-Secure.

computer threat note CVE-2009-0798

acpid: denial of service

Synthesis of the vulnerability

A local attacker can connect several times to the socket of the acpid daemon in order to force it into an infinite loop.
Severity: 1/4.
Creation date: 07/05/2009.
Identifiers: BID-34692, CERTA-2010-AVI-160, CVE-2009-0798, DSA-1786-1, FEDORA-2009-5578, FEDORA-2009-5608, MDVSA-2009:107, MDVSA-2009:107-1, RHSA-2009:0474-01, VIGILANCE-VUL-8696, VMSA-2010-0006, VMSA-2010-0006.1.

Description of the vulnerability

The acpid daemon implements ACPI (Advanced Configuration and Power Interface) for Linux, which is used to reduce power consumption.

This daemon uses a Unix socket named /var/run/acpid.socket. Local applications can connect to this socket to obtain ACPI events.

However, the acpid daemon does not limit the number of clients. When the maximum number of sessions which can be opened by a process is reached, acpid cannot obtain a new session, and enters an infinite loop trying to obtain a free one.

A local attacker can therefore connect several times to the socket of the acpid daemon in order to force it into an infinite loop.

threat bulletin CVE-2009-1086

ldns: buffer overflow

Synthesis of the vulnerability

An attacker can create a malicious DNS packet in order to create a denial of service or to execute code in applications linked to the ldns library.
Severity: 2/4.
Creation date: 07/05/2009.
Identifiers: CVE-2009-1086, DSA-1795-1, SUSE-SR:2009:010, VIGILANCE-VUL-8695.

Description of the vulnerability

The ldns library is used to implement DNS clients or servers.

A DNS record contains:
 - a name
 - a type (A, PTR, etc.)
 - a TTL
 - a class ("IN" in most cases)
 - a value

The ldns_rr_new_frm_str_internal() function of ldns allocates 11 bytes to store the class, but the ldns_bget_token() function which fills in this field uses a 16-byte limit (LDNS_SYNTAX_DATALEN). An overflow of 5 bytes thus occurs.

An attacker can therefore create a malicious DNS packet in order to create a denial of service or to execute code in applications linked to the ldns library.
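As an added example (not ldns's code), the following C reproduces the size mismatch described above, an 11-byte class buffer filled by a tokenizer enforcing a 16-byte limit, next to a parse whose limit is the destination's real size. Apart from LDNS_SYNTAX_DATALEN, every name here is hypothetical, and the input strings are constructed.

```c
/* Added example, not ldns's code: the mismatch from the bulletin, an
 * 11-byte class buffer filled by a tokenizer that enforces a 16-byte
 * limit, next to a parse whose limit is the destination's real size.
 * Apart from LDNS_SYNTAX_DATALEN, all names here are hypothetical. */
#include <stddef.h>
#include <string.h>

#define LDNS_SYNTAX_DATALEN 16   /* tokenizer limit named in the bulletin */
#define CLASS_BUF_LEN       11   /* what the caller actually allocates   */

/* Copies the next blank-delimited token into out, which holds limit bytes
 * including the NUL. Returns the token length, or -1 if it does not fit. */
int get_token(const char *in, char *out, size_t limit)
{
    size_t n = 0;
    while (in[n] != '\0' && in[n] != ' ' && in[n] != '\t')
        n++;
    if (n + 1 > limit)
        return -1;               /* refuse instead of truncating or overrunning */
    memcpy(out, in, n);
    out[n] = '\0';
    return (int)n;
}

/* The bulletin's bug, stated as a predicate: a class token of token_len
 * bytes passes the 16-byte tokenizer check yet overruns the 11-byte buffer. */
int overruns_class_buf(size_t token_len)
{
    int tokenizer_accepts = (token_len + 1 <= LDNS_SYNTAX_DATALEN);
    int buffer_fits       = (token_len + 1 <= CLASS_BUF_LEN);
    return tokenizer_accepts && !buffer_fits;
}

/* Hardened caller: the limit handed to the tokenizer is the size of the
 * buffer it writes into, never an unrelated constant. */
int parse_class(const char *in, char *out, size_t out_len)
{
    return get_token(in, out, out_len);
}
```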
