The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of Debian Sarge

vulnerability CVE-2011-2700

Linux kernel: memory corruption via si4713

Synthesis of the vulnerability

A local attacker can use the si4713 radio driver to corrupt kernel memory, leading to a denial of service or to code execution.
Impacted products: Debian, Linux, openSUSE, SUSE Linux Enterprise Desktop, SLES.
Severity: 1/4.
Creation date: 20/07/2011.
Identifiers: BID-48804, CVE-2011-2700, DSA-2303-1, DSA-2303-2, openSUSE-SU-2012:0799-1, openSUSE-SU-2012:1439-1, SUSE-SA:2011:038, SUSE-SU-2011:0984-1, SUSE-SU-2011:0984-2, SUSE-SU-2011:0984-3, VIGILANCE-VUL-10860.

Description of the vulnerability

The Nokia N900 phone (amongst others) has an FM transmitter (88.1 to 107.9 MHz) based on a Silicon Labs Si4713 chip.

The si4713 driver of the Linux kernel drives the Si4713 chip to transmit FM radio over a short distance.

The RDS (Radio Data System) protocol transmits data in parallel with the FM audio:
 - PS (Program Service): name of the station
 - RT (Radio Text): free text
 - etc.

The si4713_write_econtrol_string() function of the drivers/media/radio/si4713-i2c.c file can be used by a local user to set the PS/RT fields to transmit. However, this function does not check whether the message length is negative, which corrupts memory.

A local attacker can therefore use the si4713 radio driver to corrupt kernel memory, leading to a denial of service or to code execution.
Complete Vigil@nce bulletin.... (Free trial)

computer vulnerability CVE-2009-4067

Linux kernel: buffer overflow via auerswald_probe

Synthesis of the vulnerability

An attacker with physical access can plug in a malicious USB device to trigger an overflow in the Auerswald driver, which causes a denial of service or leads to code execution.
Impacted products: Debian, Linux, RHEL, SUSE Linux Enterprise Desktop, SLES.
Severity: 2/4.
Creation date: 18/07/2011.
Identifiers: BID-48687, CERTA-2003-AVI-005, CVE-2009-4067, DSA-2310-1, RHSA-2011:1386-01, SUSE-SA:2011:042, SUSE-SU-2011:1195-1, VIGILANCE-VUL-10845.

Description of the vulnerability

The file drivers/usb/misc/auerswald.c of the Linux kernel implements a USB driver for Auerswald PBX/System Telephones.

When a phone is connected via the USB port, the kernel calls the auerswald_probe() function, which initializes the driver. This function copies the name of the USB device into the dev_desc field of a context structure.

However, if the USB device announces a name longer than AUSI_DLEN (100) bytes, a buffer overflow occurs.

An attacker with physical access can therefore plug in a malicious USB device to trigger an overflow in the Auerswald driver, which causes a denial of service or leads to code execution.

vulnerability bulletin CVE-2011-2696

libsndfile: integer overflow via PAF

Synthesis of the vulnerability

An attacker can create a malicious PAF file and invite the victim to open it, in order to cause a denial of service in applications linked to libsndfile.
Impacted products: Debian, Fedora, Mandriva Corporate, MES, Mandriva Linux, openSUSE, RHEL, SUSE Linux Enterprise Desktop, SLES.
Severity: 2/4.
Creation date: 18/07/2011.
Identifiers: CERTA-2003-AVI-037, CVE-2011-2696, DSA-2288-1, FEDORA-2011-9319, FEDORA-2011-9325, MDVSA-2011:119, openSUSE-SU-2011:0854-1, openSUSE-SU-2011:0855-1, RHSA-2011:1084-01, SUSE-SU-2011:0856-1, VIGILANCE-VUL-10843.

Description of the vulnerability

Audio files in the Ensoniq PARIS Audio Format (PAF, Professional Audio Recording Integrated System Audio Format) have the ".PAF" extension. These files can contain several audio channels.

The paf24_init() function of the file src/paf.c of the libsndfile library opens PAF files. This function reads the number of channels indicated in the PAF file header and initializes a memory area for storing channel information with memset().

However, this function does not check whether the number of channels exceeds SF_MAX_CHANNELS (256). When memset() is called, it therefore writes zeros beyond the allocated area and corrupts memory.

An attacker can therefore create a malicious PAF file and invite the victim to open it, in order to cause a denial of service in applications linked to libsndfile.

vulnerability announce CVE-2011-2526

Apache Tomcat: denial of service via sendfile

Synthesis of the vulnerability

A malicious web application can use sendfile() to bypass the file access restrictions defined by the SecurityManager.
Impacted products: Tomcat, Debian, HP-UX, NSM Central Manager, NSMXpress, MES, Mandriva Linux, Solaris, RHEL, JBoss EAP by Red Hat.
Severity: 2/4.
Creation date: 13/07/2011.
Identifiers: BID-48667, c03090723, CVE-2011-2526, DSA-2401-1, HPSBUX02725, MDVSA-2011:156, PSN-2012-05-584, RHSA-2011:1780-01, RHSA-2012:0041-01, RHSA-2012:0074-01, RHSA-2012:0075-01, RHSA-2012:0076-01, RHSA-2012:0077-01, RHSA-2012:0078-01, RHSA-2012:0091-01, RHSA-2012:0325-01, RHSA-2012:0679-01, RHSA-2012:0680-01, RHSA-2012:0681-01, RHSA-2012:0682-01, SSRT100627, VIGILANCE-VUL-10842.

Description of the vulnerability

The sendfile() function reads data from a file and writes it to a socket without passing through an intermediate user-space buffer.

By default, the HTTP NIO and HTTP APR connectors use the sendfile() function. However, when a web application requests sendfile() via HttpServletRequest.setAttribute("org.apache.tomcat.sendfile..."), Tomcat reads the file without applying the SecurityManager checks.

A malicious web application can therefore use sendfile() to bypass the file access restrictions defined by the SecurityManager.

computer vulnerability bulletin CVE-2011-2527

QEMU: privileges not dropped with runas

Synthesis of the vulnerability

When QEMU is called with the "-runas" option, it keeps running with the supplementary groups of root.
Impacted products: Debian, Fedora, openSUSE, RHEL, Unix (platform) ~ not comprehensive.
Severity: 2/4.
Creation date: 13/07/2011.
Identifiers: 807893, BID-48659, CERTA-2003-AVI-037, CVE-2011-2527, DSA-2282-1, FEDORA-2012-8592, FEDORA-2012-8604, openSUSE-SU-2012:0207-1, RHSA-2011:1531-03, VIGILANCE-VUL-10838.

Description of the vulnerability

The "-runas" option of QEMU executes the guest system with the privileges of the given user. For example:
  qemu -runas user image

The initgroups() function initializes the supplementary group list of a Unix user.

When QEMU is called with the "-runas" option, it switches to the indicated user but does not call initgroups(), so the supplementary group list inherited from root is never replaced.

The QEMU process thus keeps running with the supplementary groups of root.

computer vulnerability alert CVE-2011-2688

Apache httpd: SQL injection via mod_authnz_external

Synthesis of the vulnerability

When Apache httpd uses the mod_authnz_external module, an attacker can use a malicious login name to inject SQL into the query sent to the MySQL database.
Impacted products: Apache httpd, Debian.
Severity: 3/4.
Creation date: 13/07/2011.
Identifiers: BID-48653, CERTA-2003-AVI-004, CVE-2011-2688, DSA-2279-1, VIGILANCE-VUL-10836.

Description of the vulnerability

The mod_authnz_external module can be installed on Apache httpd version 2.2. It adds support for HTTP Basic authentication backed by a database (MySQL, Sybase) or by RADIUS.

The mysql/mysql-auth.pl file implements the access to a MySQL database. It uses a SQL query like:
  select username, ... from users where username='$user';
However, the user name is neither filtered nor escaped before being interpolated into this query.

When Apache httpd uses the mod_authnz_external module, an attacker can therefore use a malicious login name to inject SQL into the query sent to the MySQL database, and so bypass the Basic authentication.

computer vulnerability CVE-2010-4554 CVE-2010-4555 CVE-2011-2023

SquirrelMail: several vulnerabilities

Synthesis of the vulnerability

Several vulnerabilities of SquirrelMail can be used by an attacker to access a user's account or to perform Cross Site Scripting.
Impacted products: Debian, Fedora, Mandriva Corporate, MES, RHEL, Unix (platform) ~ not comprehensive.
Severity: 2/4.
Creation date: 13/07/2011.
Identifiers: BID-48648, CERTA-2011-AVI-410, CERTA-2011-AVI-493, CVE-2010-4554, CVE-2010-4555, CVE-2011-2023, CVE-2011-2752, CVE-2011-2753, DSA-2291-1, FEDORA-2011-9309, FEDORA-2011-9311, MDVSA-2011:123, RHSA-2012:0103-01, VIGILANCE-VUL-10835.

Description of the vulnerability

The SquirrelMail program provides a mailbox access using a web browser. Several vulnerabilities were announced.

An attacker can send an email with an attachment containing JavaScript code, which is not correctly filtered in squirrelmail/functions/mime.php, resulting in Cross Site Scripting. [severity:2/4; CVE-2011-2023]

An attacker can exploit several Cross Site Scripting vulnerabilities in functions/options.php, plugins/squirrelspell/modules/check_me.mod, src/empty_trash.php, src/left_main.php and src/options_order.php. [severity:2/4; CVE-2010-4555, CVE-2011-2752, CVE-2011-2753]

The HTTP X-Frame-Options header indicates whether a document may be included in an HTML FRAME/IFRAME. However, if the web browser of the SquirrelMail user does not support this header (IE 6/7), an attacker can use a frame to perform clickjacking (interact with the user's session). [severity:2/4; CERTA-2011-AVI-410, CVE-2010-4554]

vulnerability CVE-2011-2525

Linux kernel: denial of service via tc_fill_qdisc

Synthesis of the vulnerability

A local attacker can use an RTM_GETQDISC message to crash the kernel.
Impacted products: Debian, Linux, openSUSE, RHEL, ESX.
Severity: 1/4.
Creation date: 12/07/2011.
Identifiers: BID-48641, CERTA-2003-AVI-005, CVE-2011-2525, DSA-2303-1, DSA-2303-2, DSA-2310-1, openSUSE-SU-2012:0206-1, RHSA-2011:1065-01, RHSA-2011:1163-01, VIGILANCE-VUL-10830.

Description of the vulnerability

Sockets of type AF_NETLINK are used to manage the network configuration.

The NETLINK_ROUTE protocol configures several families of objects: links, addresses, queueing disciplines, etc. The Netlink RTM_GETQDISC message retrieves the "Queueing Discipline" (scheduling priority based on delay, throughput, etc.).

However, if the Queueing Discipline is a built-in one (TCQ_F_BUILTIN), the tc_fill_qdisc() function of the file net/sched/sch_api.c dereferences a NULL pointer.

A local attacker can therefore use an RTM_GETQDISC message to crash the kernel.

computer vulnerability announce CVE-2011-0226

FreeType: memory corruption via t1_decoder_parse_charstrings

Synthesis of the vulnerability

An attacker can invite the victim to display a document that uses a malicious font with an application linked to FreeType, in order to execute code on the victim's computer.
Impacted products: Debian, Fedora, Mandriva Corporate, MES, Mandriva Linux, openSUSE, Solaris, RHEL, SUSE Linux Enterprise Desktop, SLES, Unix (platform) ~ not comprehensive.
Severity: 3/4.
Creation date: 11/07/2011.
Identifiers: BID-48619, CERTA-2011-AVI-493, CVE-2011-0226, DSA-2294-1, FEDORA-2011-9525, FEDORA-2011-9542, MDVSA-2011:120, openSUSE-SU-2011:0852-1, RHSA-2011:1085-01, SUSE-SU-2011:0853-1, VIGILANCE-VUL-10827.

Description of the vulnerability

The FreeType library processes TrueType character fonts.

A "CharString" glyph of a TrueType font is composed of shapes (lines and Bézier curves) and of a program that fits these outlines to the display grid. These programs can call functions of type SubStrings or OtherSubrs. OtherSubrs functions are identified by a number (1: start flex feature, 2: add flex vectors, etc.) and take arguments.

The t1_decoder_parse_charstrings() function of the src/psaux/t1decode.c file interprets such a program. However, this function does not check whether the OtherSubrs number, or the number of its arguments, is negative. Memory corruption thus occurs.

An attacker can therefore invite the victim to display a document that uses a malicious font with an application linked to FreeType, in order to execute code on the victim's computer.

vulnerability note CVE-2011-2516

Apache Santuario XML Security: buffer overflow via large keys

Synthesis of the vulnerability

An attacker can use a large RSA key to cause a buffer overflow in C++ applications linked to Apache Santuario XML Security.
Impacted products: Apache XML Security for C++, Debian, Fedora.
Severity: 3/4.
Creation date: 11/07/2011.
Identifiers: BID-48611, CERTA-2003-AVI-004, CVE-2011-2516, DSA-2277-1, FEDORA-2011-9494, FEDORA-2011-9501, VIGILANCE-VUL-10824.

Description of the vulnerability

The W3C XMLDsig (XML Signature Syntax and Processing) recommendation specifies how to sign XML documents. The Apache Santuario XML Security library implements XMLDsig for programs written in C++.

The DSIGAlgorithmHandlerDefault::signToSafeBuffer() and OpenSSLCryptoKeyRSA::verifySHA1PKCS1Base64Signature() methods create and verify signatures. However, these functions use a fixed-size buffer of 1024 bytes (8192 bits).

An attacker can therefore use a large RSA key to cause a buffer overflow in C++ applications linked to Apache Santuario XML Security. For example, if the application verifies signatures with a key larger than 8192 bits, the attacker can crash it or execute code.