The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of Debian Sarge

vulnerability alert CVE-2012-1183

Asterisk: denial of service via Milliwatt

Synthesis of the vulnerability

An attacker can send oversized audio frames to the Milliwatt application in order to crash Asterisk.
Impacted products: Asterisk Open Source, Debian, Fedora.
Severity: 2/4.
Consequences: denial of service on service.
Provenance: intranet client.
Confidence: confirmed by the editor (5/5).
Creation date: 16/03/2012.
Identifiers: AST-2012-002, BID-52523, CVE-2012-1183, DSA-2460-1, FEDORA-2012-4259, FEDORA-2012-4318, VIGILANCE-VUL-11451.

Description of the vulnerability

The Asterisk Milliwatt application generates a 1000 Hz tone at 0 dBm (1 milliwatt). It is used to test a line, for example by answering a call with the tone.

When this application receives audio data, it uses the sample rate and the number of samples of the incoming frame to generate its reply and store it in a fixed-size array. However, if either value is too large, the array overflows.

As the data written into the array (the tone itself) are not controlled by the attacker, code execution seems difficult to achieve.

An attacker can therefore send oversized audio frames to the Milliwatt application in order to crash Asterisk.
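The bounds check that this class of bug lacks, as an added example that is not Asterisk's code: the buffer size, the function names and the way the sample count reaches the generator are assumptions; the 8-byte µ-law sequence is the standard digital-milliwatt pattern.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* The standard 8-sample mu-law digital milliwatt: played at 8000 samples/s
 * the pattern repeats every 8 samples, i.e. a 1000 Hz tone at 0 dBm0. */
static const uint8_t digital_milliwatt[8] = {
    0x1e, 0x0b, 0x0b, 0x1e, 0x9e, 0x8b, 0x8b, 0x9e
};

/* Assumption for the example: the generator owns a fixed buffer sized for
 * one 20 ms frame of 8 kHz mu-law audio. */
#define TONE_BUF_SIZE 160

/* Vulnerable shape: 'samples' is taken from the peer's incoming frame and
 * drives the loop directly, so a frame announcing more samples than the
 * buffer holds writes past its end. */
size_t milliwatt_fill_unsafe(uint8_t *buf, size_t samples, unsigned *pos)
{
    for (size_t i = 0; i < samples; i++) {
        buf[i] = digital_milliwatt[*pos];
        *pos = (*pos + 1) % 8;
    }
    return samples;
}

/* Hardened shape: clamp the request to the buffer capacity and report how
 * many samples were really produced, so the caller sends a shorter frame
 * instead of corrupting memory. */
size_t milliwatt_fill_safe(uint8_t *buf, size_t bufsize, size_t samples,
                           unsigned *pos)
{
    if (samples > bufsize)
        samples = bufsize;
    for (size_t i = 0; i < samples; i++) {
        buf[i] = digital_milliwatt[*pos];
        *pos = (*pos + 1) % 8;
    }
    return samples;
}

int main(void)
{
    uint8_t buf[TONE_BUF_SIZE];
    unsigned pos = 0;

    /* A well-formed 20 ms request: 160 samples fit exactly. */
    size_t n = milliwatt_fill_safe(buf, sizeof buf, 160, &pos);
    printf("normal frame: %zu samples generated\n", n);

    /* A frame claiming 100000 samples is clamped instead of overflowing;
     * milliwatt_fill_unsafe() with the same request would write far past buf. */
    n = milliwatt_fill_safe(buf, sizeof buf, 100000, &pos);
    printf("oversized frame: %zu samples generated (clamped)\n", n);
    return 0;
}
```

The generator keeps its position in the 8-sample pattern across calls, so a clamped frame followed by the next one still produces a continuous tone; only the amount written per call is bounded.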

vulnerability CVE-2012-1181

Apache httpd: denial of service of mod_fcgid via FcgidMaxProcessesPerClass

Synthesis of the vulnerability

When the mod_fcgid module is enabled on Apache httpd and the FcgidMaxProcessesPerClass directive is placed inside a VirtualHost, the directive is not honored, so an attacker can spawn many FastCGI processes in order to exhaust the server's resources.
Impacted products: Apache httpd, Debian.
Severity: 1/4.
Consequences: denial of service on service.
Provenance: internet client.
Confidence: confirmed by the editor (5/5).
Creation date: 16/03/2012.
Identifiers: 49902, 615814, BID-52565, CVE-2012-1181, DSA-2436-1, VIGILANCE-VUL-11450.

Description of the vulnerability

The mod_fcgid module can be installed on Apache httpd in order to run FastCGI applications (for example PHP or Perl scripts).

The FcgidMaxProcessesPerClass directive sets the maximum number of processes for each class (a class corresponds to one executable program).

The VirtualHost section contains directives which are specific to an address:port pair.

However, when the FcgidMaxProcessesPerClass directive is placed in a VirtualHost, it is not honored, so the number of processes for that virtual host is not limited.

An attacker can therefore trigger the creation of many processes, for instance with many concurrent requests to a FastCGI script, in order to overload the server.

vulnerability CVE-2011-3045

libpng: buffer overflow via png_inflate

Synthesis of the vulnerability

An attacker can invite the victim to open a malicious PNG image with an application linked to libpng, in order to create an integer overflow, which stops the application, or leads to code execution.
Impacted products: Debian, Fedora, libpng, MES, Mandriva Linux, openSUSE, RHEL, Slackware.
Severity: 3/4.
Consequences: user access/rights, denial of service on client.
Provenance: document.
Confidence: confirmed by the editor (5/5).
Creation date: 14/03/2012.
Identifiers: 799000, BID-52453, CERTA-2012-AVI-164, CERTA-2012-AVI-170, CVE-2011-3045, DSA-2439-1, FEDORA-2012-3536, FEDORA-2012-3545, FEDORA-2012-3705, FEDORA-2012-3739, MDVSA-2012:033, openSUSE-SU-2012:0432-1, openSUSE-SU-2012:0466-1, RHSA-2012:0407-01, SSA:2012-206-01, VIGILANCE-VUL-11440.

Description of the vulnerability

The libpng library processes PNG images. It is used by many applications.

The png_inflate() function in pngrutil.c decompresses the zlib-compressed data of a PNG chunk into the caller's buffer. When the remaining room in that buffer is smaller than the amount of decompressed data available, the copy length is clamped. However, the computation of this length can overflow, so a much larger memory area is copied.

An attacker can therefore invite the victim to open a malicious PNG image with an application linked to libpng, in order to trigger this overflow, which crashes the application or leads to code execution.
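The signedness error that turns a clamped copy into an unbounded one, as an added illustration rather than libpng's code: the variable names follow the description above, but the exact expression in pngrutil.c is not reproduced.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Inputs, following the description above:
 *   output_size  capacity of the caller's buffer
 *   count        bytes already written to it
 *   avail        decompressed bytes waiting in the temporary buffer
 * Only min(output_size - count, avail) bytes may be copied. */

/* Vulnerable: the room left is computed into an int.  For a large
 * output_size the value no longer fits and wraps negative (the modular
 * conversion every mainstream compiler implements), the clamp against avail
 * is then a signed comparison that never fires, and the negative value
 * becomes a huge size_t on the way to memcpy(). */
size_t copy_len_unsafe(size_t output_size, size_t count, size_t avail)
{
    int copy = (int)(output_size - count);
    if ((int)avail < copy)
        copy = (int)avail;
    return (size_t)copy;
}

/* Fixed: reject the inverted case first, keep every quantity unsigned and
 * of the same width, and take the minimum explicitly. */
size_t copy_len_safe(size_t output_size, size_t count, size_t avail)
{
    if (count >= output_size)
        return 0;
    size_t remaining = output_size - count;
    return avail < remaining ? avail : remaining;
}

/* The copy step itself, using the safe length.  Returns the new count. */
size_t append_decompressed(uint8_t *output, size_t output_size, size_t count,
                           const uint8_t *zbuf, size_t avail)
{
    size_t n = copy_len_safe(output_size, count, avail);
    memcpy(output + count, zbuf, n);
    return count + n;
}
```

Note that the unsafe version also misbehaves when count already exceeds output_size: the unsigned subtraction wraps, the int truncation turns it into a small negative number, and the same huge length results.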

computer vulnerability note CVE-2012-0451 CVE-2012-0454 CVE-2012-0455

Firefox, Thunderbird, SeaMonkey: several vulnerabilities

Synthesis of the vulnerability

Several vulnerabilities in Firefox, Thunderbird and SeaMonkey can be used by an attacker to execute code on the victim's computer.
Impacted products: Debian, Fedora, MES, Mandriva Linux, Firefox, SeaMonkey, Thunderbird, openSUSE, Solaris, RHEL, SUSE Linux Enterprise Desktop, SLES.
Severity: 4/4.
Consequences: user access/rights, client access/rights, denial of service on client.
Provenance: document.
Confidence: confirmed by the editor (5/5).
Creation date: 14/03/2012.
Identifiers: BID-52455, BID-52456, BID-52457, BID-52458, BID-52459, BID-52460, BID-52461, BID-52463, BID-52464, BID-52465, BID-52466, BID-52467, CERTA-2012-AVI-142, CVE-2012-0451, CVE-2012-0454, CVE-2012-0455, CVE-2012-0456, CVE-2012-0457, CVE-2012-0458, CVE-2012-0459, CVE-2012-0460, CVE-2012-0461, CVE-2012-0462, CVE-2012-0463, CVE-2012-0464, DSA-2433-1, DSA-2437-1, FEDORA-2012-5028, MDVSA-2012:031, MDVSA-2012:032, MDVSA-2012:032-1, MFSA 2012-12, MFSA 2012-13, MFSA 2012-14, MFSA 2012-15, MFSA 2012-16, MFSA 2012-17, MFSA 2012-18, MFSA 2012-19, openSUSE-SU-2012:0417-1, openSUSE-SU-2012:0567-1, openSUSE-SU-2014:1100-1, RHSA-2012:0387-01, RHSA-2012:0388-01, SUSE-SU-2012:0424-1, SUSE-SU-2012:0425-1, VIGILANCE-VUL-11439.

Description of the vulnerability

Several vulnerabilities were announced in Firefox, Thunderbird and SeaMonkey.

An attacker can use a freed memory area in shlwapi.dll, which leads to code execution. [severity:4/4; BID-52455, CVE-2012-0454, MFSA 2012-12]

An attacker can invite the victim to drop a "javascript:" link into a frame, in order to perform a Cross Site Scripting attack. [severity:2/4; BID-52458, CVE-2012-0455, MFSA 2012-13]

An attacker can create an SVG animation which leads to a denial of service or to code execution. [severity:4/4; BID-52459, BID-52461, CVE-2012-0456, CVE-2012-0457, MFSA 2012-14]

An attacker can use several CSP (Content Security Policy) headers in order to perform a Cross Site Scripting attack. [severity:2/4; BID-52463, CERTA-2012-AVI-142, CVE-2012-0451, MFSA 2012-15]

An attacker can invite the victim to use a "javascript:" URI as home page, in order to generate errors which lead to code execution in the "about:sessionrestore" context. [severity:3/4; BID-52460, CVE-2012-0458, MFSA 2012-16]

An attacker can dynamically modify cssText in order to corrupt memory and execute code. [severity:4/4; BID-52457, CVE-2012-0459, MFSA 2012-17]

An attacker can set window.fullScreen in order to spoof the browser's user interface and deceive the victim. [severity:2/4; BID-52456, CVE-2012-0460, MFSA 2012-18]

An attacker can trigger several memory corruptions leading to code execution. [severity:4/4; BID-52464, BID-52465, BID-52466, BID-52467, CVE-2012-0461, CVE-2012-0462, CVE-2012-0463, CVE-2012-0464, MFSA 2012-19]

computer vulnerability note CVE-2012-1165

OpenSSL: denial of service via S/MIME and mime_param_cmp

Synthesis of the vulnerability

An attacker can send malformed S/MIME data in order to crash applications that verify its signature with the OpenSSL library.
Impacted products: Debian, Fedora, HP-UX, AIX, MES, Mandriva Linux, OpenSSL, openSUSE, Solaris, RHEL, JBoss EAP by Red Hat, SUSE Linux Enterprise Desktop, SLES.
Severity: 1/4.
Consequences: denial of service on service, denial of service on client.
Provenance: document.
Confidence: confirmed by the editor (5/5).
Creation date: 13/03/2012.
Identifiers: BID-52764, c03333987, CERTA-2012-AVI-286, CERTA-2012-AVI-419, CVE-2012-1165, DSA-2454-1, FEDORA-2012-4659, FEDORA-2012-4665, HPSBUX02782, MDVSA-2012:038, openSUSE-SU-2012:0474-1, openSUSE-SU-2013:0336-1, openSUSE-SU-2013:0337-1, openSUSE-SU-2013:0339-1, RHSA-2012:0426-01, RHSA-2012:1306-01, RHSA-2012:1307-01, RHSA-2012:1308-01, SSRT100844, SUSE-SU-2012:0478-1, SUSE-SU-2012:0479-1, VIGILANCE-VUL-11429.

Description of the vulnerability

The S/MIME (Secure/Multipurpose Internet Mail Extensions) standard is used to sign and encrypt MIME data, for example emails. The signature is, for example, carried in a separate MIME part:
  Content-Type: application/x-pkcs7-signature; name="smime.p7s"
  Content-Transfer-Encoding: base64
  [...]

The crypto/asn1/asn_mime.c file of the OpenSSL library parses these MIME headers. However, if a header parameter has no name (a parameter such as "=value", with nothing before the equals sign), a NULL pointer is dereferenced in the mime_param_cmp() function, which compares parameter names.

An attacker can therefore send malformed S/MIME data in order to crash applications that verify its signature with the OpenSSL library.
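A minimal parameter parser and the comparator fix, as an added example; it is not OpenSSL's code, the header value it parses is constructed, and quoting is kept verbatim rather than decoded.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

/* One "name=value" parameter of a MIME header; name is NULL when the
 * parameter had nothing before its '=' sign. */
struct mime_param {
    char *name;
    char *value;
};

static char *trim(char *s)
{
    while (isspace((unsigned char)*s))
        s++;
    char *end = s + strlen(s);
    while (end > s && isspace((unsigned char)end[-1]))
        *--end = '\0';
    return s;
}

static char *xstrdup(const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p)
        memcpy(p, s, n);
    return p;
}

/* Split "type/subtype; a=b; c=d" into its parameters; returns how many. */
int parse_params(const char *header_value, struct mime_param *out, int max)
{
    char *copy = xstrdup(header_value);
    if (!copy)
        return -1;
    int n = 0;
    char *tok = strtok(copy, ";");          /* the media type itself, skipped */
    if (tok)
        tok = strtok(NULL, ";");
    for (; tok && n < max; tok = strtok(NULL, ";")) {
        tok = trim(tok);
        char *eq = strchr(tok, '=');
        if (eq) {
            *eq = '\0';
            out[n].value = xstrdup(trim(eq + 1));
        } else {
            out[n].value = NULL;
        }
        tok = trim(tok);
        out[n].name = *tok ? xstrdup(tok) : NULL;   /* "=x" has no name */
        n++;
    }
    free(copy);
    return n;
}

/* Vulnerable comparator: assumes every parameter has a name.  A header
 * containing "; =x" puts a NULL name into the table, and the first sort or
 * lookup that compares it dereferences NULL. */
int param_cmp_unsafe(const void *a, const void *b)
{
    const struct mime_param *pa = a, *pb = b;
    return strcmp(pa->name, pb->name);
}

/* Fixed comparator: nameless parameters sort first and compare equal to
 * each other; no NULL pointer is ever handed to strcmp(). */
int param_cmp_safe(const void *a, const void *b)
{
    const struct mime_param *pa = a, *pb = b;
    if (!pa->name)
        return pb->name ? -1 : 0;
    if (!pb->name)
        return 1;
    return strcmp(pa->name, pb->name);
}

void free_params(struct mime_param *p, int n)
{
    for (int i = 0; i < n; i++) {
        free(p[i].name);
        free(p[i].value);
    }
}
```

Sorting the parsed parameters with qsort() and param_cmp_unsafe crashes on the "=orphan" entry; param_cmp_safe sorts it to the front and the lookup of "name" proceeds. Whether nameless parameters should be dropped at parse time instead is a policy choice; the comparator must be NULL-safe either way.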

computer vulnerability announce CVE-2012-0884

OpenSSL: Bleichenbacher attack on CMS and PKCS7

Synthesis of the vulnerability

The Bleichenbacher attack can be used against the OpenSSL implementation of CMS and PKCS#7, in order to recover the clear text of the RSA-encrypted block using about 2^20 chosen messages.
Impacted products: IPSO, Debian, Fedora, FreeBSD, HP-UX, AIX, Tivoli Workload Scheduler, IVE OS, Junos Pulse, Juniper SA, MES, Mandriva Linux, OpenSSL, openSUSE, Solaris, RHEL, JBoss EAP by Red Hat, SUSE Linux Enterprise Desktop, SLES.
Severity: 1/4.
Consequences: data reading.
Provenance: document.
Confidence: confirmed by the editor (5/5).
Creation date: 12/03/2012.
Identifiers: 1643316, BID-52428, c03333987, CERTA-2012-AVI-134, CERTA-2012-AVI-286, CERTA-2012-AVI-419, CVE-2012-0884, DSA-2454-1, FEDORA-2012-4659, FEDORA-2012-4665, FreeBSD-SA-12:01.openssl, HPSBUX02782, MDVSA-2012:038, openSUSE-SU-2012:0547-1, openSUSE-SU-2013:0336-1, openSUSE-SU-2013:0337-1, openSUSE-SU-2013:0339-1, PSN-2012-09-712, RHSA-2012:0426-01, RHSA-2012:1306-01, RHSA-2012:1307-01, RHSA-2012:1308-01, sk76360, SSRT100844, SUSE-SU-2012:0479-1, VIGILANCE-VUL-11427.

Description of the vulnerability

The PKCS#7 format represents a signed or encrypted document. CMS (Cryptographic Message Syntax) is the successor of PKCS#7. S/MIME originally used PKCS#7 and now uses CMS. TLS/SSL uses neither PKCS#7 nor CMS.

In 1998, Daniel Bleichenbacher published an adaptive chosen-ciphertext attack against RSA PKCS#1 v1.5 encryption: if the recipient reveals whether a decrypted block has valid PKCS#1 padding, an attacker can use that answer as an oracle and recover the plaintext of a captured ciphertext. The attack is named the "Million Message Attack" because it requires on the order of a million oracle queries.

The OpenSSL implementation of CMS and PKCS#7 behaves as such an oracle. An attacker can therefore use the Bleichenbacher attack against it in order to recover the clear text of the RSA-encrypted block (in CMS, the content-encryption key) using about 2^20 chosen messages.
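The oracle at the heart of the attack and the standard countermeasure, as an added example written for this page rather than taken from OpenSSL: the blocks are constructed, and a real implementation would also make the whole path constant-time and draw the fallback key from a CSPRNG.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* EME-PKCS1-v1_5 encryption block as seen after RSA decryption:
 *   0x00 0x02 <PS: at least 8 non-zero bytes> 0x00 <M> */
enum {
    PAD_OK = 0,
    PAD_BAD_HEADER,     /* not 00 02 */
    PAD_NO_SEPARATOR,   /* no 00 byte after the padding string */
    PAD_SHORT_PS        /* fewer than 8 padding bytes */
};

/* Strict unpadding that reports why it failed.  If the sender can tell
 * these outcomes apart (different error, timing or reply) it has the oracle
 * Bleichenbacher's attack needs: by submitting ~2^20 modified ciphertexts
 * and watching which ones unpad, it narrows the interval containing the
 * plaintext until the plaintext is recovered. */
int pkcs1_v15_unpad(const uint8_t *em, size_t emlen,
                    const uint8_t **msg, size_t *msglen)
{
    if (emlen < 11 || em[0] != 0x00 || em[1] != 0x02)
        return PAD_BAD_HEADER;
    size_t i = 2;
    while (i < emlen && em[i] != 0x00)
        i++;
    if (i == emlen)
        return PAD_NO_SEPARATOR;
    if (i - 2 < 8)
        return PAD_SHORT_PS;
    *msg = em + i + 1;
    *msglen = emlen - i - 1;
    return PAD_OK;
}

/* Countermeasure for CMS/PKCS#7 key unwrapping: never tell the caller
 * whether unpadding worked.  Always hand back a key of the expected length:
 * the unpadded one if the block is well-formed and of the right size,
 * otherwise 'fallback' (a fresh random key in a real implementation; the
 * caller supplies it here so the example is deterministic).  The symmetric
 * decryption that follows then fails the same way for every bad input,
 * leaving the attacker nothing to distinguish.  The remaining branches on
 * 'good' are a timing signal a production implementation must also close. */
int unwrap_key_uniform(const uint8_t *em, size_t emlen,
                       const uint8_t *fallback, uint8_t *key, size_t keylen)
{
    uint8_t candidate[64];
    const uint8_t *m = NULL;
    size_t mlen = 0;

    if (keylen > sizeof candidate)
        return -1;
    int good = pkcs1_v15_unpad(em, emlen, &m, &mlen) == PAD_OK && mlen == keylen;

    memset(candidate, 0, sizeof candidate);
    if (good)
        memcpy(candidate, m, keylen);
    uint8_t mask = (uint8_t)(good ? 0xff : 0x00);
    for (size_t i = 0; i < keylen; i++)
        key[i] = (uint8_t)((candidate[i] & mask) | (fallback[i] & (uint8_t)~mask));
    return 0;                       /* deliberately identical in both cases */
}

/* Constructed sample blocks (not real ciphertext): a 16-byte key wrapped
 * with an 8-byte padding string, and two malformed variants. */
const uint8_t em_good[27] = {
    0x00, 0x02, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x00,
    0xa0, 0xa1, 0xa2, 0xa3, 0xa4, 0xa5, 0xa6, 0xa7,
    0xa8, 0xa9, 0xaa, 0xab, 0xac, 0xad, 0xae, 0xaf
};
const uint8_t em_bad_header[27] = {
    0x00, 0x01, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x00,
    0xa0, 0xa1, 0xa2, 0xa3, 0xa4, 0xa5, 0xa6, 0xa7,
    0xa8, 0xa9, 0xaa, 0xab, 0xac, 0xad, 0xae, 0xaf
};
const uint8_t em_short_ps[27] = {
    0x00, 0x02, 0x11, 0x12, 0x13, 0x00, 0x17, 0x18, 0x19, 0x1a, 0x1b,
    0xa0, 0xa1, 0xa2, 0xa3, 0xa4, 0xa5, 0xa6, 0xa7,
    0xa8, 0xa9, 0xaa, 0xab, 0xac, 0xad, 0xae, 0xaf
};
const uint8_t fallback_key[16] = {
    0x5a, 0x5a, 0x5a, 0x5a, 0x5a, 0x5a, 0x5a, 0x5a,
    0x5a, 0x5a, 0x5a, 0x5a, 0x5a, 0x5a, 0x5a, 0x5a
};
```

With pkcs1_v15_unpad() exposed directly, the three sample blocks produce three distinguishable results; through unwrap_key_uniform() the two malformed blocks are indistinguishable from each other and from any other malformed block, which is exactly the property the attack needs to be absent.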

vulnerability CVE-2012-0876

expat: denial of service via hash collision

Synthesis of the vulnerability

An attacker can send data whose keys collide in a hash table, in order to overload a service.
Impacted products: Debian, BIG-IP Hardware, TMOS, Fedora, Notes, WebSphere AS Traditional, MES, Mandriva Linux, NetBSD, openSUSE, Solaris, Python, RHEL, Slackware, SUSE Linux Enterprise Desktop, SLES, Nessus, Unix (platform) ~ not comprehensive, ESX.
Severity: 2/4.
Consequences: denial of service on service, denial of service on client.
Provenance: document.
Confidence: confirmed by the editor (5/5).
Creation date: 12/03/2012.
Identifiers: 1988026, 1990421, 1990658, BID-52379, bulletinjul2016, CERTA-2012-AVI-663, CERTFR-2018-AVI-288, CVE-2012-0876, DSA-2525-1, ESX410-201211001, ESX410-201211401-SG, ESX410-201211402-SG, ESX410-201211405-SG, ESX410-201211407-SG, FEDORA-2012-5058, FEDORA-2012-6996, MDVSA-2012:041, MDVSA-2012:096, MDVSA-2012:096-1, MDVSA-2012:097, openSUSE-SU-2012:0423-1, RHSA-2012:0731-01, RHSA-2016:0062-01, SOL16949, SSA:2018-124-01, SUSE-SU-2012:0772-1, SUSE-SU-2012:0773-1, TNS-2018-08, VIGILANCE-VUL-11420, VMSA-2012-0016.

Description of the vulnerability

The bulletin VIGILANCE-VUL-11254 describes a vulnerability which can be used to create a denial of service on several applications: a hash table with a predictable hash function degrades to linear lookups when an attacker supplies many keys that collide.

This vulnerability impacts expat, a library used to parse XML documents: an XML file containing many identifiers (for example attribute or element names) that hash to the same value makes the parser consume excessive CPU time.

In order to simplify VIGILANCE-VUL-11254, which was too big, the solutions for expat were moved here.
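How a predictable hash turns a parser's symbol table into a denial-of-service vector, and the shape of the fix, as an added example that is not expat's code: the byte-sum hash is a stand-in for expat's own unsalted function, the names and the document are constructed, and the salted variant reflects what expat 2.1.0 added (a per-parser salt, settable with XML_SetHashSalt).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUCKETS 256
#define NAME_LEN 8

/* Unsalted hash: depends on the key alone, so anyone can precompute names
 * that share a bucket.  (A byte sum, for clarity; expat's original
 * multiplicative hash is different but just as predictable.) */
unsigned hash_unsalted(const char *s)
{
    unsigned h = 0;
    while (*s)
        h += (unsigned char)*s++;
    return h % BUCKETS;
}

/* Salted FNV-1a: the salt is picked when the parser is created and never
 * leaves the process, so colliding names cannot be prepared in advance. */
unsigned hash_salted(const char *s, uint32_t salt)
{
    uint32_t h = 2166136261u ^ salt;
    while (*s) {
        h ^= (unsigned char)*s++;
        h *= 16777619u;
    }
    return h % BUCKETS;
}

/* Attacker side: every 8-letter string with exactly four 'a' and four 'b'
 * has the same byte sum, so all 70 of them land in one unsalted bucket. */
int make_colliding_names(char names[][NAME_LEN + 1], int max)
{
    int n = 0;
    for (unsigned m = 0; m < 256 && n < max; m++) {
        unsigned bits = m, ones = 0;
        while (bits) {
            ones += bits & 1;
            bits >>= 1;
        }
        if (ones != 4)
            continue;
        for (int i = 0; i < NAME_LEN; i++)
            names[n][i] = (m >> i) & 1 ? 'a' : 'b';
        names[n][NAME_LEN] = '\0';
        n++;
    }
    return n;
}

/* Emit the names as attributes of one element: the document the attacker
 * would feed to the parser.  Returns the length written. */
int build_attack_xml(char *out, size_t cap, char names[][NAME_LEN + 1], int n)
{
    int len = snprintf(out, cap, "<e");
    for (int i = 0; i < n && (size_t)len < cap; i++)
        len += snprintf(out + len, cap - len, " %s=\"\"", names[i]);
    if ((size_t)len < cap)
        len += snprintf(out + len, cap - len, "/>");
    return len;
}

/* Length of the longest bucket chain after inserting all names.  Each insert
 * first walks its chain looking for a duplicate, so a chain of length n costs
 * O(n^2) work in total: that is the denial of service. */
int longest_chain(char names[][NAME_LEN + 1], int n, uint32_t salt, int salted)
{
    int counts[BUCKETS] = {0}, worst = 0;
    for (int i = 0; i < n; i++) {
        unsigned b = salted ? hash_salted(names[i], salt)
                            : hash_unsalted(names[i]);
        if (++counts[b] > worst)
            worst = counts[b];
    }
    return worst;
}
```

Seventy names are enough to show the effect; a real attack document uses tens of thousands, and for a stronger unsalted hash the attacker derives the colliding set offline once and reuses it against every installation. With a salt, the same set spreads over the buckets and the attacker cannot improve on it without learning the salt.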

computer vulnerability note CVE-2012-1502

Python PyPAM: double memory free

Synthesis of the vulnerability

An attacker can use a malicious password, in order to create a double memory free in Python PyPAM, which leads to a denial of service and possibly to code execution.
Impacted products: Debian, openSUSE, SUSE Linux Enterprise Desktop, SLES, Unix (platform) ~ not comprehensive.
Severity: 2/4.
Consequences: user access/rights, denial of service on service.
Provenance: intranet client.
Confidence: confirmed by the editor (5/5).
Creation date: 12/03/2012.
Identifiers: BID-52370, CVE-2012-1502, DSA-2430-1, lse-2012-03-01, openSUSE-SU-2012:0487-1, SUSE-SU-2012:0643-1, SUSE-SU-2012:0643-2, VIGILANCE-VUL-11419.

Description of the vulnerability

The PyPAM module is used by Python applications which require PAM authentication.

When the password entered by the user contains a null character ('\0'), an error is detected and the buffer is freed in PAMmodule.c. However, it is freed again later in v_prompt.c.

An attacker can therefore use a malicious password in order to create a double free in Python PyPAM, which leads to a denial of service and possibly to code execution.
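The ownership mistake behind a double free of this kind and the contract that fixes it, as an added illustration that does not reproduce PyPAM's code: the function names and the caller flow are assumptions.

```c
#include <stdlib.h>
#include <string.h>

/* Turn a length-delimited password (the form a Python string arrives in)
 * into a NUL-terminated C string for PAM.  Embedded NUL bytes are rejected,
 * because C APIs would silently truncate the password at the first one. */

/* Vulnerable contract: the callee frees on error but leaves *out pointing at
 * the freed block.  A caller that releases "whatever it was handed" then
 * frees it a second time. */
int to_cstring_unsafe(const char *pw, size_t len, char **out)
{
    char *buf = malloc(len + 1);
    if (!buf)
        return -1;
    memcpy(buf, pw, len);
    buf[len] = '\0';
    *out = buf;
    if (memchr(pw, '\0', len) != NULL) {
        free(buf);          /* first free ... */
        return -1;          /* ... and *out is now dangling */
    }
    return 0;
}

/* Fixed contract: validate before allocating, and on any failure hand back
 * NULL so that the caller's unconditional free() is a harmless no-op.  One
 * owner (the caller) releases the buffer exactly once. */
int to_cstring_safe(const char *pw, size_t len, char **out)
{
    *out = NULL;
    if (memchr(pw, '\0', len) != NULL)
        return -1;
    char *buf = malloc(len + 1);
    if (!buf)
        return -1;
    memcpy(buf, pw, len);
    buf[len] = '\0';
    *out = buf;
    return 0;
}

/* Caller side, mirroring a PAM conversation: convert, use, release.  With
 * to_cstring_safe this is correct on both paths; with to_cstring_unsafe a
 * password containing '\0' makes the free() below the second one. */
int authenticate(const char *pw, size_t len,
                 int (*convert)(const char *, size_t, char **))
{
    char *cpw = NULL;
    int rc = convert(pw, len, &cpw);
    if (rc == 0) {
        /* pam_authenticate() would consume cpw here (not modelled). */
    }
    free(cpw);
    return rc;
}
```

The general rule the fix applies: a function that returns ownership through an out-parameter either succeeds and hands over a live allocation, or fails and hands over nothing; it never frees an allocation it has already published to the caller.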

computer vulnerability CVE-2012-1152

Perl: format string attack via YAML-LibYAML

Synthesis of the vulnerability

An attacker can invite the victim to open a malicious YAML file, with a Perl application using the YAML-LibYAML module, in order to create a format string attack, which leads to a denial of service or possibly to code execution.
Impacted products: Debian, Fedora, openSUSE, openSUSE Leap, Perl Module ~ not comprehensive.
Severity: 2/4.
Consequences: user access/rights, denial of service on client.
Provenance: document.
Confidence: confirmed by the editor (5/5).
Creation date: 09/03/2012.
Identifiers: 661548, BID-52381, CVE-2012-1152, DSA-2432-1, FEDORA-2012-4997, FEDORA-2012-5035, openSUSE-SU-2012:1000-1, openSUSE-SU-2015:0319-1, openSUSE-SU-2016:1067-1, VIGILANCE-VUL-11415.

Description of the vulnerability

The Perl YAML-LibYAML module is used to read data files in YAML (YAML Ain't Markup Language) format.

When the YAML file contains errors, the module reports them by calling the croak() and loader_error_msg() functions. However, the error message, which contains attacker-controlled fragments of the file, is passed to these functions as the format string itself instead of as an argument to a fixed format.

An attacker can therefore invite the victim to open a malicious YAML file with a Perl application using the YAML-LibYAML module, in order to mount a format string attack, which leads to a denial of service or possibly to code execution.

vulnerability note CVE-2012-1151

Perl: format string attack via DBD-Pg

Synthesis of the vulnerability

A malicious PostgreSQL server can mount a format string attack against clients that use the Perl DBD-Pg module.
Impacted products: Debian, Fedora, MES, Mandriva Linux, openSUSE, Perl Module ~ not comprehensive, RHEL, SUSE Linux Enterprise Desktop, SLES.
Severity: 1/4.
Consequences: user access/rights, denial of service on client.
Provenance: intranet client.
Confidence: confirmed by the editor (5/5).
Creation date: 09/03/2012.
Identifiers: 661536, BID-52378, CVE-2012-1151, DSA-2431-1, FEDORA-2012-10871, FEDORA-2012-10892, MDVSA-2012:112, openSUSE-SU-2012:0422-1, RHSA-2012:1116-01, SUSE-SU-2012:0791-2, VIGILANCE-VUL-11414.

Description of the vulnerability

The DBD-Pg module is used by Perl applications to access data stored on a PostgreSQL server.

The pg_warn() function generates a warning message from data returned by the server. However, it passes that message to warn() as the format string instead of as an argument. [severity:1/4]

The dbd_st_prepare() function prepares a query from data returned by the server. However, it passes that data to croak() as the format string instead of as an argument. [severity:1/4]

A malicious PostgreSQL server can therefore mount a format string attack against clients that use the Perl DBD-Pg module.
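The YAML-LibYAML and DBD-Pg bugs above are the same mistake, so one added example covers both. It is not code from either module: report() stands in for Perl's croak()/warn(), and the marker argument is an assumption explained in the comments.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for Perl's croak()/warn(): a printf-style variadic function. */
static void report(char *out, size_t cap, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(out, cap, fmt, ap);
    va_end(ap);
}

/* Vulnerable: the message (YAML parse error text, or a notice sent by the
 * PostgreSQL server) is passed as the format string itself.  In the real
 * bug no further argument exists, so a "%x" in the message reads whatever
 * sits next on the stack (undefined behaviour), "%s" dereferences it, and
 * "%n" writes through it.  To keep this demonstration well-defined, one
 * marker value is supplied in that slot; it stands for the stack word an
 * attacker would really be reading. */
void emit_unsafe(char *out, size_t cap, const char *msg)
{
    report(out, cap, msg, 0x41414141u);
}

/* Fixed: a constant format and the message as its argument.  Nothing in the
 * message is ever interpreted. */
void emit_safe(char *out, size_t cap, const char *msg)
{
    report(out, cap, "%s", msg);
}

/* Defensive check for code paths you cannot patch: does a message carry a
 * conversion specifier ("%%" is a literal percent and is allowed)? */
int contains_format_specifier(const char *msg)
{
    for (const char *p = msg; (p = strchr(p, '%')) != NULL; p++) {
        if (p[1] == '%') {
            p++;
            continue;
        }
        if (p[1] != '\0')
            return 1;
    }
    return 0;
}
```

Compiling with -Wformat-security (or -Werror=format-security) flags the direct form croak(msg) at build time; it does not see through wrappers, which is why the check above is still useful at trust boundaries such as a database connection.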