The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of Debian Sarge

vulnerability announcement CVE-2012-2334

LibreOffice, OpenOffice: denial of service via PowerPoint

Synthesis of the vulnerability

An attacker can craft a malicious PowerPoint document and invite the victim to open it with LibreOffice/OpenOffice, in order to crash the application.
Impacted products: OpenOffice, Debian, Fedora, LibreOffice, MES, Mandriva Linux, RHEL.
Severity: 1/4.
Consequences: denial of service on client.
Provenance: document.
Creation date: 16/05/2012.
Identifiers: BID-53570, CVE-2012-2334, DSA-2487-1, FEDORA-2012-8114, MDVSA-2012:090, MDVSA-2012:091, RHSA-2012:0705-01, VIGILANCE-VUL-11632.

Description of the vulnerability

The LibreOffice/OpenOffice software can import PowerPoint documents.

However, if the PowerPoint file is malformed, the import code throws an unhandled "bad_alloc" exception, which terminates LibreOffice.

An attacker can therefore craft a malicious PowerPoint document and invite the victim to open it, in order to crash the application.

computer vulnerability alert CVE-2012-1149

LibreOffice, OpenOffice: integer overflow via JPEG

Synthesis of the vulnerability

An attacker can invite the victim to open a document containing a malicious JPEG image with LibreOffice/OpenOffice, in order to execute code on the victim's computer.
Impacted products: OpenOffice, Debian, Fedora, LibreOffice, MES, Mandriva Linux, RHEL, SUSE Linux Enterprise Desktop.
Severity: 3/4.
Consequences: user access/rights, denial of service on client.
Provenance: document.
Creation date: 03/04/2012.
Revision date: 16/05/2012.
Identifiers: BID-53570, CERTA-2012-AVI-285, CVE-2012-1149, DSA-2473-1, DSA-2487-1, FEDORA-2012-8042, FEDORA-2012-8114, MDVSA-2012:090, MDVSA-2012:091, RHSA-2012:0705-01, SUSE-SU-2012:0457-1, SUSE-SU-2012:0481-1, VIGILANCE-VUL-11516.

Description of the vulnerability

An office document can embed an image in JPEG format.

However, when LibreOffice/OpenOffice opens such a document, an integer overflow occurs in the JPEG image handling, which leads to memory corruption.

An attacker can therefore invite the victim to open a document containing a malicious JPEG image, in order to execute code on the victim's computer.

computer vulnerability note CVE-2012-2333

OpenSSL: denial of service via DTLS

Synthesis of the vulnerability

An attacker can send a malicious record during a DTLS session, in order to crash clients or servers linked against OpenSSL.
Impacted products: Debian, Fedora, HP-UX, AIX, MES, Mandriva Linux, NetBSD, OpenSSL, Solaris, RHEL, JBoss EAP by Red Hat, SUSE Linux Enterprise Desktop, SLES.
Severity: 2/4.
Consequences: denial of service on service, denial of service on client.
Provenance: internet client.
Creation date: 11/05/2012.
Identifiers: BID-53476, c03498127, CERTA-2012-AVI-277, CERTA-2012-AVI-419, CVE-2012-2333, FEDORA-2012-7939, FEDORA-2012-8014, FEDORA-2012-8024, HPSBUX02814, MDVSA-2012:073, NetBSD-SA2012-002, RHSA-2012:0699-01, RHSA-2012:1306-01, RHSA-2012:1307-01, RHSA-2012:1308-01, SSRT100930, SUSE-SU-2012:0674-1, SUSE-SU-2012:0678-1, SUSE-SU-2012:0679-1, VIGILANCE-VUL-11619.

Description of the vulnerability

The DTLS (Datagram Transport Layer Security) protocol, based on TLS, provides a cryptographic layer over the UDP protocol.

The dtls1_enc() function of file ssl/d1_enc.c processes the DTLS encryption.

However, this function does not check that the record is large enough to hold the explicit initialization vector and the padding before it subtracts their sizes from the record length. When a record shorter than one cipher block arrives, the computed payload length underflows, and an out-of-bounds memory read occurs, which crashes the application.

An attacker can therefore send a malicious record during a DTLS session, in order to crash clients or servers linked against OpenSSL.
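The length validation a CBC record decryptor has to perform before stripping the explicit IV and the padding, as an added example (not OpenSSL's code, and not taken from the bulletin). The record layout used here is the standard TLS 1.1+/DTLS one (explicit IV, then payload, MAC, padding and padding-length byte); the 32-bit mask in naive_payload_length() only mimics the unsigned C subtraction that underflows when no prior check exists, and the record bytes are constructed for the example.

```python
"""Added example (not OpenSSL's code): length checks a CBC record parser must
make before subtracting the explicit IV and padding, and the unsigned underflow
that occurs without them."""
from typing import Tuple

MASK32 = 0xFFFFFFFF


def naive_payload_length(record_len: int, block_size: int) -> int:
    """Mimics unsigned C arithmetic 'l -= bs' with no prior 'l >= bs' check:
    a record shorter than one block wraps to a huge length, and code that then
    indexes the record with it reads far past the buffer (illustration only)."""
    return (record_len - block_size) & MASK32


def strip_iv_and_padding(record: bytes, block_size: int, mac_len: int) -> Tuple[bytes, bytes]:
    """Validated parse of a decrypted CBC record laid out as
    explicit IV || payload || MAC || padding || padding_length.
    Returns (payload, mac) or raises ValueError on any malformed record."""
    n = len(record)
    if n < block_size or n % block_size != 0:
        raise ValueError("record shorter than the explicit IV or not block aligned")
    body = record[block_size:]                      # drop the explicit IV
    if len(body) < mac_len + 1:
        raise ValueError("no room for the MAC and the padding_length byte")
    pad_len = body[-1]
    if pad_len + 1 + mac_len > len(body):
        raise ValueError("padding_length exceeds the record")
    if any(b != pad_len for b in body[-(pad_len + 1):]):
        raise ValueError("padding bytes are inconsistent")
    payload_end = len(body) - pad_len - 1 - mac_len
    return body[:payload_end], body[payload_end:payload_end + mac_len]


def is_well_formed(record: bytes, block_size: int, mac_len: int) -> bool:
    """Boolean wrapper around strip_iv_and_padding() for callers that only
    need accept/reject."""
    try:
        strip_iv_and_padding(record, block_size, mac_len)
        return True
    except ValueError:
        return False


def build_record(payload: bytes, mac: bytes, block_size: int) -> bytes:
    """Constructs a well-formed record (zero IV, minimal padding) for the example."""
    pad_len = (block_size - (len(payload) + len(mac) + 1) % block_size) % block_size
    return bytes(block_size) + payload + mac + bytes([pad_len]) * (pad_len + 1)


if __name__ == "__main__":
    rec = build_record(b"hello", b"\x11" * 20, 16)   # constructed sample record
    print(strip_iv_and_padding(rec, 16, 20))
    print("8-byte record, no check:", naive_payload_length(8, 16))
    print("8-byte record, checked:", is_well_formed(bytes(8), 16, 20))
```

The point of the example is the first two checks: a record that is shorter than one block, or that consists of the IV alone, must be rejected before any length arithmetic. Note that distinguishing the failure reasons by exception message, as done here for readability, leaks which check failed; production TLS code performs the MAC and padding checks in constant time to avoid padding-oracle attacks.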

computer vulnerability alert CVE-2012-1823 CVE-2012-2311 CVE-2012-2335

PHP: code execution via CGI

Synthesis of the vulnerability

When PHP is configured in CGI mode, an attacker can pass command-line options to the php-cgi program through the query string, in order to read script sources or to include and execute remote PHP code.
Impacted products: Debian, Fedora, HP-UX, MES, Mandriva Linux, openSUSE, PHP, RHEL, SUSE Linux Enterprise Desktop, SLES.
Severity: 4/4.
Consequences: user access/rights, data reading.
Provenance: internet client.
Number of vulnerabilities in this bulletin: 4.
Creation date: 04/05/2012.
Identifiers: BID-53388, c03368475, CERTA-2012-AVI-246, CERTA-2012-AVI-267, CVE-2012-1823, CVE-2012-2311, CVE-2012-2335, CVE-2012-2336, DSA-2465-1, FEDORA-2012-7567, FEDORA-2012-7586, HPSBUX02791, MDVSA-2012:068-1, MDVSA-2012:071, openSUSE-SU-2012:0590-1, RHSA-2012:0546-0, RHSA-2012:0547-01, RHSA-2012:0568-01, RHSA-2012:0569-01, RHSA-2012:0570-01, RHSA-2012:1045-01, RHSA-2012:1046-01, RHSA-2012:1047-01, SSRT100856, SUSE-SU-2012:0598-1, SUSE-SU-2012:0598-2, SUSE-SU-2012:0604-1, SUSE-SU-2012:0721-1, SUSE-SU-2012:0840-1, VIGILANCE-VUL-11586, VU#520827.

Description of the vulnerability

The PHP interpreter can be compiled as an Apache httpd (mod_php) module, or called as a CGI program.

When PHP runs in CGI mode, Apache receives the client request, exposes its metadata to the php-cgi program through environment variables (QUERY_STRING, REQUEST_METHOD, ...), and passes the request body on standard input.

Query parameters should not normally reach the CGI program as command-line arguments. However, RFC 3875 (section 4.4) makes an exception: when the query string contains no unencoded '=' character, the web server splits it on '+' characters, URL-decodes each word, and passes the words in argv. php-cgi did not filter these arguments, so they were parsed as options of the php interpreter.

An attacker can thus, for example, pass the "-s" option to php-cgi (by requesting "script.php?-s"), in order to obtain the source code of the script. He can also use the "-d" option, which sets a configuration directive from the command line, to enable "allow_url_include" and to point "auto_prepend_file" at attacker-controlled content, which is then included and executed before the script.

When PHP is configured in CGI mode, an attacker can therefore send parameters to the php program, in order to include and execute remote PHP code.

Note: the first patch was incomplete:
 - it could be bypassed with "%3D", the URL encoding of '=', because the check looked for '=' in the decoded query string (CVE-2012-2311)
 - it did not block the "-h" and "-T" options (CVE-2012-2336)
 - it could be bypassed through php-cgi wrapper scripts (such as php-wrapper.fcgi) that re-pass the arguments (CVE-2012-2335)
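The RFC 3875 argument rule, the reason the first fix was bypassable, and a check that can be run over web-server access logs, as an added example (not Vigil@nce's or PHP's code). The first_patch_skips_options() function models the incomplete fix from the bulletin's description (skip option parsing only when the decoded query string starts with '-' and has no '='); it is not a copy of the php-cgi source, and the log lines are constructed for the example.

```python
"""Added example (not Vigil@nce's or PHP's code): RFC 3875 section 4.4 turns a
query string without '=' into php-cgi command-line arguments; the incomplete
first fix (modelled from the bulletin's description, not copied from PHP) is
bypassed with %3D; and an access-log check for the pattern."""
import re
from typing import Callable, List
from urllib.parse import unquote


def cgi_argv(query_string: str) -> List[str]:
    """RFC 3875 4.4: if QUERY_STRING has no unencoded '=', the web server splits
    it on '+' and passes each URL-decoded word as a command-line argument."""
    if "=" in query_string:
        return []
    return [unquote(word) for word in query_string.split("+") if word]


def first_patch_skips_options(query_string: str) -> bool:
    """Model of the incomplete first fix (CVE-2012-2311): option parsing was only
    skipped when the *decoded* query string started with '-' and contained no
    '='. A '%3D' decodes to '=' and so re-enables option parsing."""
    decoded = unquote(query_string)
    return decoded.startswith("-") and "=" not in decoded


def corrected_skips_options(query_string: str) -> bool:
    """Corrected rule: if the raw query string has no '=', the server has passed
    it in argv, so php-cgi must never interpret argv as interpreter options."""
    return "=" not in query_string


def options_reaching_php(query_string: str,
                         skip_rule: Callable[[str], bool]) -> List[str]:
    """The argv that php-cgi's option parser would see under a given skip rule."""
    argv = cgi_argv(query_string)
    if not argv or skip_rule(query_string):
        return []
    return argv


REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')


def is_argument_injection(query_string: str) -> bool:
    """True when the query string would be passed as argv (no '=') and at least
    one decoded word starts with '-', i.e. looks like an interpreter option.
    Decoding each word also catches '%2Ds'."""
    return bool(query_string) and "=" not in query_string and any(
        unquote(w).startswith("-") for w in query_string.split("+"))


def flag_access_log(lines: List[str]) -> List[str]:
    """Returns the request targets of log lines whose query string matches."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        target = m.group(1)
        _, _, qs = target.partition("?")
        if is_argument_injection(qs):
            hits.append(target)
    return hits


# Constructed sample access-log lines (not real traffic); the last two are benign.
LOG_LINES = [
    '203.0.113.7 - - [04/May/2012:10:15:01 +0000] "GET /index.php?-s HTTP/1.1" 200 812',
    '203.0.113.7 - - [04/May/2012:10:15:03 +0000] "POST /index.php?-d+allow_url_include%3d1+-d+auto_prepend_file%3dphp://input HTTP/1.1" 200 55',
    '198.51.100.2 - - [04/May/2012:10:16:00 +0000] "GET /index.php?page=-s HTTP/1.1" 200 3140',
    '198.51.100.2 - - [04/May/2012:10:16:09 +0000] "GET /index.php HTTP/1.1" 200 3140',
]

if __name__ == "__main__":
    for qs in ("-s", "-d+allow_url_include%3d1+-d+auto_prepend_file%3dphp://input"):
        print(qs, "| first patch ->", options_reaching_php(qs, first_patch_skips_options),
              "| corrected ->", options_reaching_php(qs, corrected_skips_options))
    print(flag_access_log(LOG_LINES))
```

The second constructed request shows why the corrected rule has to look at the raw query string: "-d+allow_url_include%3d1" contains no '=' for the web server, so it is passed as argv, but decodes to a string that does contain '=', which the first fix took as proof that no arguments had been passed.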

vulnerability bulletin CVE-2012-2152

dhcpcd: buffer overflow of get_packet

Synthesis of the vulnerability

An attacker on the local network can send malicious DHCP packets, in order to trigger a buffer overflow in dhcpcd, which leads to a denial of service or to code execution.
Impacted products: Debian, SUSE Linux Enterprise Desktop, SLES, Unix (platform) ~ not comprehensive.
Severity: 3/4.
Consequences: user access/rights, denial of service on service.
Provenance: LAN.
Creation date: 03/05/2012.
Identifiers: 760334, BID-53354, CVE-2012-2152, DSA-2498-1, SUSE-SU-2012:0767-1, VIGILANCE-VUL-11573.

Description of the vulnerability

The dhcpcd daemon is the DHCP client used to obtain an IP address from a DHCP server.

The get_packet() function of file socket.c reads received DHCP packets into a buffer. However, it does not check that the length fields carried in the packet headers match the number of bytes actually received, so a crafted packet whose declared size exceeds the received data makes the copy overrun the buffer.

An attacker on the local network can therefore send malicious DHCP packets, in order to trigger a buffer overflow in dhcpcd, which leads to a denial of service or to code execution.
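The check a raw-socket DHCP receiver needs before it copies a message into a fixed-size buffer, as an added example (not dhcpcd's code). The IPv4 and UDP header layouts are standard; the receive-buffer size DHCP_BUF and the DHCPOFFER-like message are assumptions of this example, and build_frame() exists only so that the test can lie in the length fields the way a crafted packet would.

```python
"""Added example (not dhcpcd's code): validating the length fields of a raw
IPv4/UDP/DHCP frame against the number of bytes actually received."""
import struct
from typing import Optional, Tuple

IP_HDR_MIN = 20
UDP_HDR = 8
DHCP_MIN = 240            # 236-byte fixed BOOTP header + 4-byte magic cookie
DHCP_BUF = 1500 - 28      # assumed size of the receiver's DHCP message buffer


def check_lengths(buf: bytes) -> Tuple[bool, str]:
    """Cross-checks IP header length, IP total length and UDP length against
    the received byte count. Trailing bytes beyond the IP total length are
    tolerated (Ethernet padding); a claimed length longer than what arrived is
    the overflow condition and is rejected."""
    received = len(buf)
    if received < IP_HDR_MIN:
        return False, "truncated IP header"
    ihl = (buf[0] & 0x0F) * 4
    if ihl < IP_HDR_MIN or ihl > received:
        return False, "bad IP header length"
    ip_total = struct.unpack_from("!H", buf, 2)[0]
    if ip_total > received or ip_total < ihl + UDP_HDR:
        return False, "IP total length inconsistent with received bytes"
    udp_len = struct.unpack_from("!H", buf, ihl + 4)[0]
    if udp_len < UDP_HDR or ihl + udp_len > ip_total:
        return False, "UDP length exceeds IP payload"
    dhcp_len = udp_len - UDP_HDR
    if dhcp_len < DHCP_MIN:
        return False, "DHCP message shorter than the fixed header"
    if dhcp_len > DHCP_BUF:
        return False, "DHCP message larger than the receive buffer"
    return True, "ok"


def extract_dhcp(buf: bytes) -> bytes:
    """Returns the DHCP message only after every length field has been checked."""
    ok, reason = check_lengths(buf)
    if not ok:
        raise ValueError(reason)
    ihl = (buf[0] & 0x0F) * 4
    udp_len = struct.unpack_from("!H", buf, ihl + 4)[0]
    return buf[ihl + UDP_HDR: ihl + udp_len]


def trusting_copy_length(buf: bytes) -> int:
    """What a receiver that believes the UDP length field would copy, whatever
    actually arrived; the gap between this and len(buf) is the overrun."""
    ihl = (buf[0] & 0x0F) * 4
    return struct.unpack_from("!H", buf, ihl + 4)[0] - UDP_HDR


def build_frame(dhcp: bytes, ip_total: Optional[int] = None,
                udp_len: Optional[int] = None) -> bytes:
    """Constructs a raw IPv4/UDP frame (no checksums) carrying a DHCP message;
    the optional arguments override the length fields to simulate a crafted packet."""
    udp_len = UDP_HDR + len(dhcp) if udp_len is None else udp_len
    ip_total = IP_HDR_MIN + UDP_HDR + len(dhcp) if ip_total is None else ip_total
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_total, 0, 0, 64, 17, 0,
                     bytes([192, 0, 2, 1]), bytes([255, 255, 255, 255]))
    udp = struct.pack("!HHHH", 67, 68, udp_len, 0)
    return ip + udp + dhcp


# Constructed DHCPOFFER-like message: op=2, htype=1, hlen=6, rest of the fixed
# header zeroed, magic cookie, option 53 (message type) = 2, end option.
SAMPLE_DHCP = bytes([2, 1, 6, 0]) + bytes(232) + b"\x63\x82\x53\x63" + b"\x35\x01\x02\xff"

if __name__ == "__main__":
    good = build_frame(SAMPLE_DHCP)
    lying = build_frame(SAMPLE_DHCP, udp_len=1400)
    print("honest frame:", check_lengths(good))
    print("crafted frame:", check_lengths(lying),
          "| trusting receiver would copy", trusting_copy_length(lying),
          "bytes out of", len(lying), "received")
```

The comparison has to be "declared length <= received", not equality: short Ethernet frames carry padding after the IP datagram, so a receiver that insists on an exact match drops legitimate small packets, while one that trusts the declared length alone is the overflow the bulletin describes.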

vulnerability announcement CVE-2012-1172

PHP: two vulnerabilities

Synthesis of the vulnerability

An attacker can use two vulnerabilities of PHP, in order to read or create files.
Impacted products: Debian, BIG-IP Hardware, TMOS, Fedora, HP-UX, MES, Mandriva Linux, openSUSE, PHP, RHEL, SUSE Linux Enterprise Desktop, SLES.
Severity: 2/4.
Consequences: data reading, data creation/edition.
Provenance: internet client.
Number of vulnerabilities in this bulletin: 2.
Creation date: 02/05/2012.
Identifiers: BID-53403, c03368475, CERTA-2012-AVI-244, CVE-2012-1172, DSA-2465-1, FEDORA-2012-6907, FEDORA-2012-6911, HPSBUX02791, MDVSA-2012:065, MDVSA-2012:071, openSUSE-SU-2012:0551-1, RHSA-2012:1045-01, RHSA-2012:1046-01, RHSA-2012:1047-01, sol14574, SSRT100856, SUSE-SU-2012:0598-1, SUSE-SU-2012:0598-2, SUSE-SU-2012:0604-1, SUSE-SU-2012:0721-1, VIGILANCE-VUL-11572.

Description of the vulnerability

Two vulnerabilities were announced in PHP.

The $_FILES array contains information on files uploaded by users. However, if the uploaded filename contains brackets, the $_FILES array is built incorrectly. Depending on the script, the attacker can then, for example, change the destination path where the uploaded file is stored. [severity:2/4; BID-53403, CVE-2012-1172]

An attacker can use the readline_write_history() and readline_read_history() functions, in order to access files located outside the directories allowed by open_basedir. [severity:2/4]

An attacker can therefore use two vulnerabilities of PHP, in order to read or create files.

vulnerability alert CVE-2012-2111

Samba: changing the owner of files via RPC LSA

Synthesis of the vulnerability

An authenticated user can take ownership of files of other users that are served via Samba.
Impacted products: Debian, Fedora, HP-UX, Mandriva Linux, openSUSE, Solaris, RHEL, Samba, SUSE Linux Enterprise Desktop, SLES.
Severity: 2/4.
Consequences: data reading, data creation/edition, data deletion.
Provenance: user account.
Creation date: 02/05/2012.
Identifiers: BID-53307, c03365218, CERTA-2012-AVI-240, CVE-2012-2111, DSA-2463-1, FEDORA-2012-6349, FEDORA-2012-6999, FEDORA-2012-7006, HPSBUX02789, MDVSA-2012:067, openSUSE-SU-2012:0583-1, RHSA-2012:0533-01, SSRT100824, SUSE-SU-2012:0573-1, SUSE-SU-2012:0575-1, SUSE-SU-2012:0591-1, VIGILANCE-VUL-11571.

Description of the vulnerability

The "net rpc rights" command is used to grant privileges to a user:
 - SePrintOperatorPrivilege : manage printers
 - SeTakeOwnershipPrivilege : take ownership on files
 - etc.
These privileges are stored in the account_policy.tdb database.

The source3/rpc_server/lsa/srv_lsa_nt.c file implements the RPC interface of the LSA (Local Security Authority). However, the CreateAccount, OpenAccount, AddAccountRights and RemoveAccountRights RPCs do not check whether the caller is allowed to alter the account_policy.tdb database.

An authenticated user can therefore grant himself privileges such as SeTakeOwnershipPrivilege, and take ownership of files of other users that are served via Samba.

computer vulnerability announcement CVE-2012-2133

Linux kernel: denial of service via HugeTLB

Synthesis of the vulnerability

A local attacker can use the quota accounting associated with Huge Pages, in order to make the kernel access an already freed structure, which crashes the kernel.
Impacted products: Debian, Linux, openSUSE, RHEL, SUSE Linux Enterprise Desktop, SLES.
Severity: 1/4.
Consequences: denial of service on server.
Provenance: user shell.
Creation date: 25/04/2012.
Identifiers: 815065, BID-53233, CVE-2012-2133, DSA-2469-1, openSUSE-SU-2013:0927-1, RHSA-2012:1426-01, RHSA-2012:1491-01, RHSA-2013:0741-01, SUSE-SU-2012:0616-1, SUSE-SU-2012:0689-1, SUSE-SU-2012:1056-1, VIGILANCE-VUL-11567.

Description of the vulnerability

Memory pages usually have a size of 4 KB. To reduce the number of address translations (and therefore TLB misses), the kernel supports huge pages, whose size depends on the architecture (2 MB or 1 GB on x86-64, for instance). The HugeTLB subsystem manages these pages.

The HugeTLBfs virtual filesystem can be used to create files based on Huge Pages.

The hugetlbfs_get_quota() and hugetlbfs_put_quota() functions account for the associated memory limits. However, they directly access hugetlbfs_sb_info structures, which may already have been freed by the lower layer (a use after free).

A local attacker can therefore use the quota accounting associated with Huge Pages, in order to make the kernel access an already freed structure, which crashes the kernel.

computer vulnerability alert CVE-2011-1187 CVE-2011-3062 CVE-2012-0467

Firefox, Thunderbird, SeaMonkey: several vulnerabilities

Synthesis of the vulnerability

Several vulnerabilities of Firefox, Thunderbird and SeaMonkey can be used by an attacker to execute code on the victim's computer.
Impacted products: Debian, Fedora, MES, Mandriva Linux, Firefox, SeaMonkey, Thunderbird, openSUSE, Solaris, RHEL, SUSE Linux Enterprise Desktop, SLES.
Severity: 4/4.
Consequences: user access/rights, data reading, data creation/edition, denial of service on client.
Provenance: document.
Number of vulnerabilities in this bulletin: 14.
Creation date: 25/04/2012.
Identifiers: BID-53218, BID-53219, BID-53220, BID-53221, BID-53222, BID-53223, BID-53224, BID-53225, BID-53227, BID-53228, BID-53229, BID-53230, BID-53231, CERTA-2012-AVI-234, CVE-2011-1187, CVE-2011-3062, CVE-2012-0467, CVE-2012-0468, CVE-2012-0469, CVE-2012-0470, CVE-2012-0471, CVE-2012-0472, CVE-2012-0473, CVE-2012-0474, CVE-2012-0475, CVE-2012-0477, CVE-2012-0478, CVE-2012-0479, DSA-2457-1, DSA-2457-2, DSA-2464-1, DSA-2464-2, DSA-2548-1, FEDORA-2012-6610, FEDORA-2012-6622, FEDORA-2012-6738, MDVSA-2012:066, MDVSA-2012:081, MFSA 2012-20, MFSA 2012-21, MFSA 2012-22, MFSA 2012-23, MFSA 2012-24, MFSA 2012-25, MFSA 2012-26, MFSA 2012-27, MFSA 2012-28, MFSA 2012-29, MFSA 2012-30, MFSA 2012-31, MFSA 2012-32, MFSA 2012-33, openSUSE-SU-2012:0567-1, openSUSE-SU-2014:1100-1, RHSA-2012:0515-01, RHSA-2012:0516-01, SUSE-SU-2012:0580-1, SUSE-SU-2012:0688-1, VIGILANCE-VUL-11566.

Description of the vulnerability

Several vulnerabilities were announced in Firefox, Thunderbird and SeaMonkey.

Several memory corruptions lead to code execution. [severity:4/4; BID-53221, BID-53223, CVE-2012-0467, CVE-2012-0468, MFSA 2012-20]

Firefox Mobile is impacted by FreeType vulnerabilities (VIGILANCE-VUL-11407). [severity:3/4; MFSA 2012-21]

An attacker can use a freed memory area in IDBKeyRange, which leads to code execution. [severity:4/4; BID-53220, CVE-2012-0469, MFSA 2012-22]

An attacker can free an invalid memory area in gfxImageSurface, which leads to code execution. [severity:4/4; BID-53225, CVE-2012-0470, MFSA 2012-23]

An attacker can use multibyte characters, in order to generate a Cross Site Scripting. [severity:2/4; BID-53219, CVE-2012-0471, MFSA 2012-24]

An attacker can use a malicious character font, in order to generate a memory corruption in cairo-dwrite, which leads to code execution. [severity:4/4; BID-53218, CVE-2012-0472, MFSA 2012-25]

An attacker can use FindMaxUshortElement in WebGL drawElements, in order to read memory. [severity:3/4; BID-53231, CVE-2012-0473, MFSA 2012-26]

An attacker can generate a Cross Site Scripting, when a page is loaded. [severity:2/4; BID-53228, CVE-2012-0474, MFSA 2012-27]

In some IPv6 configurations, the web browser sends invalid origin information to the server. [severity:1/4; BID-53230, CVE-2012-0475, MFSA 2012-28]

An attacker can generate a Cross Site Scripting via ISO-2022-KR/ISO-2022-CN. [severity:2/4; BID-53229, CVE-2012-0477, MFSA 2012-29]

An attacker can use WebGL texImage2D JSVAL_TO_OBJECT, in order to corrupt the memory, which leads to code execution. [severity:4/4; BID-53227, CVE-2012-0478, MFSA 2012-30]

An attacker can generate a one-byte overflow in the OpenType Sanitizer, which could lead to code execution. [severity:4/4; BID-53222, CVE-2011-3062, MFSA 2012-31]

An attacker can use an HTTP redirect, in order to generate JavaScript errors and obtain information. [severity:2/4; CERTA-2012-AVI-234, CVE-2011-1187, MFSA 2012-32]

An attacker can use an RSS/Atom feed, in order to spoof the identity of a site. [severity:2/4; BID-53224, CVE-2012-0479, MFSA 2012-33]

computer vulnerability CVE-2012-2414 CVE-2012-2415 CVE-2012-2416

Asterisk: three vulnerabilities

Synthesis of the vulnerability

An attacker can use three vulnerabilities of Asterisk, in order to create a denial of service or to execute code.
Impacted products: Asterisk Open Source, Debian, Fedora.
Severity: 2/4.
Consequences: user access/rights, denial of service on service.
Provenance: intranet client.
Number of vulnerabilities in this bulletin: 3.
Creation date: 24/04/2012.
Identifiers: AST-2012-004, AST-2012-005, AST-2012-006, BID-53205, BID-53206, BID-53210, CERTA-2012-AVI-229, CVE-2012-2414, CVE-2012-2415, CVE-2012-2416, DSA-2460-1, FEDORA-2012-6612, FEDORA-2012-6724, VIGILANCE-VUL-11565.

Description of the vulnerability

Three vulnerabilities were announced in Asterisk.

An attacker, who is authenticated on Asterisk Manager Interface, can use the MixMonitor application, in order to execute shell commands on the server. [severity:2/4; AST-2012-004, BID-53206, CERTA-2012-AVI-229, CVE-2012-2414]

An authenticated attacker can use the Skinny protocol to send several KEYPAD_BUTTON_MESSAGE messages, in order to generate a buffer overflow. [severity:2/4; AST-2012-005, BID-53210, CVE-2012-2415]

When "trustrpid" is configured, an unauthenticated attacker can send a SIP UPDATE request after the end of a call, in order to dereference a NULL pointer, which stops the service. [severity:2/4; AST-2012-006, BID-53205, CVE-2012-2416]

An attacker can therefore use three vulnerabilities of Asterisk, in order to create a denial of service or to execute code.