The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of Debian Sarge

vulnerability alert CVE-2012-2812 CVE-2012-2813 CVE-2012-2814

libexif: several vulnerabilities

Synthesis of the vulnerability

An attacker can invite the victim to open a malicious JPEG/TIFF/RIFF file, with an application linked to libexif, in order to create a denial of service or to execute code.
Impacted products: Debian, Fedora, Mandriva Linux, openSUSE, Solaris, RHEL, Slackware, SUSE Linux Enterprise Desktop, SLES, Unix (platform) ~ not comprehensive.
Severity: 3/4.
Consequences: user access/rights, data reading, denial of service on client.
Provenance: document.
Number of vulnerabilities in this bulletin: 8.
Creation date: 13/07/2012.
Identifiers: BID-54437, CERTA-2012-AVI-392, CVE-2012-2812, CVE-2012-2813, CVE-2012-2814, CVE-2012-2836, CVE-2012-2837, CVE-2012-2840, CVE-2012-2841, CVE-2012-2845, DSA-2559-1, FEDORA-2012-10819, FEDORA-2012-10854, FEDORA-2013-1244, FEDORA-2013-1257, MDVSA-2012:106, MDVSA-2012:107, MDVSA-2013:035, MDVSA-2013:036, openSUSE-SU-2012:0914-1, RHSA-2012:1255-01, SSA:2012-200-01, SUSE-SU-2012:0902-1, SUSE-SU-2012:0903-1, VIGILANCE-VUL-11771.

Description of the vulnerability

The EXIF (Exchangeable Image File Format) format stores additional information in an image or an audio file. A JPEG, TIFF or RIFF document can contain EXIF data. The libexif library decodes these data. It is impacted by several vulnerabilities.

An attacker can force the exif_entry_get_value() function to read past the end of its buffer, in order to obtain a fragment of the process memory or to crash the application. [severity:1/4; CVE-2012-2812]

An attacker can force the exif_convert_utf16_to_utf8() function to read past the end of its buffer, in order to obtain a fragment of the process memory or to crash the application. [severity:1/4; CVE-2012-2813]

An attacker can trigger a buffer overflow in the exif_entry_format_value() function, in order to execute code. [severity:3/4; CVE-2012-2814]

An attacker can force the exif_data_load_data() function to read past the end of its buffer, in order to obtain a fragment of the process memory or to crash the application. [severity:1/4; CVE-2012-2836]

An attacker can trigger a division by zero in the mnote_olympus_entry_get_value() function, which crashes the application. [severity:1/4; CVE-2012-2837]

An attacker can trigger a one-byte overflow in the exif_convert_utf16_to_utf8() function, in order to crash the application or to execute code. [severity:2/4; CVE-2012-2840]

An attacker can trigger a buffer overflow in the exif_entry_get_value() function, in order to execute code. [severity:3/4; CVE-2012-2841]

An attacker can force the jpeg_data_load_data() function to read past the end of its buffer, in order to obtain a fragment of the process memory or to crash the application. [severity:1/4; CVE-2012-2845]

An attacker can therefore invite the victim to open a malicious JPEG/TIFF/RIFF file, with an application linked to libexif, in order to create a denial of service or to execute code.
Full Vigil@nce bulletin... (Free trial)

vulnerability note CVE-2012-3404 CVE-2012-3405 CVE-2012-3406

glibc: buffer overflow via printf

Synthesis of the vulnerability

When an attacker can change the format parameter of functions in the printf family, he can generate an overflow, in order to create a denial of service or to execute code.
Impacted products: Debian, BIG-IP Hardware, TMOS, Fedora, RHEL, SUSE Linux Enterprise Desktop, SLES, Unix (platform) ~ not comprehensive, ESXi, VMware vSphere, VMware vSphere Hypervisor.
Severity: 2/4.
Consequences: user access/rights, denial of service on service, denial of service on client.
Provenance: document.
Number of vulnerabilities in this bulletin: 3.
Creation date: 11/07/2012.
Identifiers: 12445, 13446, 826943, BID-54374, CERTA-2012-AVI-759, CVE-2012-3404, CVE-2012-3405, CVE-2012-3406, DSA-3169-1, ESXi500-201212101, ESXi510-201304101-SG, FEDORA-2012-11508, MDVSA-2013:162, MDVSA-2015:168, RHSA-2012:1097-01, RHSA-2012:1098-01, RHSA-2012:1185-01, RHSA-2012:1200-01, SOL16364, SUSE-SU-2012:1488-1, SUSE-SU-2012:1666-1, SUSE-SU-2012:1667-1, VIGILANCE-VUL-11764, VMSA-2012-0018, VMSA-2012-0018.2, VMSA-2013-0001.3, VMSA-2013-0004.1.

Description of the vulnerability

glibc implements the printf family of functions, which are used to generate or display formatted strings. These functions are impacted by three vulnerabilities.

The "%i$" syntax selects a positional parameter, which changes the order in which parameters are consumed. However, when these positional parameters are repeated, memory corruption occurs. [severity:2/4; 12445, CVE-2012-3404]

The register_printf_function() function installs a custom formatting mode. However, if printf() is then called with more than 64 parameters, a buffer overflow occurs. [severity:2/4; 13446, CVE-2012-3405]

When numerous positional parameters are used (once patch1.txt, which corrects the first vulnerability, is applied), the limits of the alloca() function are not checked, so memory is corrupted. [severity:2/4; 826943, CVE-2012-3406]

When an attacker can change the format parameter of functions in the printf family, he can therefore generate an overflow, in order to create a denial of service or to execute code.

vulnerability bulletin CVE-2012-3358

OpenJPEG: buffer overflow via JPEG2000 Tile

Synthesis of the vulnerability

An attacker can invite the victim to open a malicious JPEG2000 image, in order to create a denial of service or to execute code in applications linked to OpenJPEG.
Impacted products: Debian, Fedora, Mandriva Linux, RHEL, Unix (platform) ~ not comprehensive.
Severity: 3/4.
Consequences: user access/rights, denial of service on client.
Provenance: document.
Creation date: 11/07/2012.
Identifiers: 681075, BID-54373, CVE-2012-3358, DSA-2629-1, FEDORA-2013-8953, MDVSA-2012:104, MDVSA-2013:110, RHSA-2012:1068-01, VIGILANCE-VUL-11763.

Description of the vulnerability

The OpenJPEG library is used by applications which decode JPEG2000 images.

A JPEG2000 image is composed of tiles (rectangles). The image header indicates the number of tiles.

The libopenjpeg/j2k.c file implements the JPEG2000 format. However, the j2k_read_sot() function does not check whether the number of tiles is too large or negative. A buffer overflow then occurs.

An attacker can therefore invite the victim to open a malicious JPEG2000 image, in order to create a denial of service or to execute code in applications linked to OpenJPEG.

computer vulnerability alert CVE-2012-3812 CVE-2012-3863

Asterisk: two denials of service

Synthesis of the vulnerability

An authenticated attacker can use two vulnerabilities of Asterisk, in order to stop it.
Impacted products: Asterisk Open Source, Debian, Fedora.
Severity: 2/4.
Consequences: user access/rights, denial of service on service.
Provenance: user account.
Number of vulnerabilities in this bulletin: 2.
Creation date: 06/07/2012.
Identifiers: AST-2012-010, AST-2012-011, BID-54317, BID-54327, CERTA-2012-AVI-371, CVE-2012-3812, CVE-2012-3863, DSA-2550-1, DSA-2550-2, FEDORA-2012-10324, VIGILANCE-VUL-11746.

Description of the vulnerability

Two denials of service were announced in Asterisk.

An authenticated attacker can force Asterisk to resend a SIP INVITE message, then he can reply with provisional data, and close the session. However, Asterisk does not free resources and the port used. If an attacker repeats this operation, he can progressively create a denial of service. [severity:1/4; AST-2012-010, BID-54327, CVE-2012-3863]

An attacker can connect twice to the same voicemail account, in order to force a double memory free. This error stops Asterisk, and may lead to code execution. [severity:2/4; AST-2012-011, BID-54317, CVE-2012-3812]

An authenticated attacker can therefore use two vulnerabilities of Asterisk, in order to stop it.

computer vulnerability CVE-2012-2113

libtiff: integer overflow of tiff2pdf

Synthesis of the vulnerability

An attacker can invite the victim to open a malicious TIFF image with tiff2pdf, in order to create a denial of service or to execute code.
Impacted products: Debian, Fedora, LibTIFF, Mandriva Linux, openSUSE, Solaris, RHEL, Slackware, SUSE Linux Enterprise Desktop, SLES.
Severity: 2/4.
Consequences: user access/rights.
Provenance: document.
Creation date: 20/06/2012.
Identifiers: BID-54076, CERTA-2012-AVI-343, CVE-2012-2113, DSA-2552-1, FEDORA-2012-10081, FEDORA-2012-10089, MDVSA-2012:101, MDVSA-2013:046, openSUSE-SU-2012:0829-1, RHSA-2012:1054-01, SSA:2013-290-01, SUSE-SU-2012:0894-1, VIGILANCE-VUL-11725.

Description of the vulnerability

The tiff2pdf tool of the libtiff suite is used to convert a TIFF image to a PDF document.

The t2p_read_tiff_size() function of the tools/tiff2pdf.c file reads the size of the TIFF image. This function computes several multiplications and additions. However, these operations can overflow, which leads to the allocation of a memory area that is too small.

An attacker can therefore invite the victim to open a malicious TIFF image with tiff2pdf, in order to create a denial of service or to execute code.

computer vulnerability note CVE-2012-2751

ModSecurity: bypassing rules with PHP

Synthesis of the vulnerability

An attacker can use a special HTTP multipart/form-data query, in order to bypass security rules of ModSecurity.
Impacted products: Debian, Fedora, Mandriva Linux, openSUSE, Solaris, Unix (platform) ~ not comprehensive.
Severity: 2/4.
Consequences: data flow.
Provenance: internet client.
Creation date: 18/06/2012.
Identifiers: BID-54156, CVE-2012-2751, DSA-2506-1, FEDORA-2012-9824, MDVSA-2012:118, MDVSA-2012:182, openSUSE-SU-2013:1331-1, openSUSE-SU-2013:1336-1, openSUSE-SU-2013:1342-1, VIGILANCE-VUL-11719.

Description of the vulnerability

The ModSecurity module can be installed on Apache httpd. It contains security rules, in order to block malicious queries.

An HTTP query can use the MIME multipart/form-data format to store data coming from a form entered by the user.

When PHP is installed on Apache httpd, it accepts multipart/form-data queries containing a quote character inside parameters. However, ModSecurity does not recognize this invalid parameter format, and thus does not block a potential attack contained in the HTTP query.

An attacker can therefore use a special HTTP multipart/form-data query, in order to bypass security rules of ModSecurity.

vulnerability bulletin CVE-2012-0217

Xen, Citrix XenServer, BSD, Windows: privilege elevation in PV 64 bit Intel

Synthesis of the vulnerability

An administrator in a guest ParaVirtualized 64 bit system can use the SYSRET instruction with an invalid RIP, in order to execute code on the host system with a 64 bit Intel processor.
Impacted products: XenServer, Debian, Fedora, FreeBSD, Windows 2003, Windows 2008 R2, Windows 7, Windows XP, NetBSD, openSUSE, RHEL, SUSE Linux Enterprise Desktop, SLES, Unix (platform) ~ not comprehensive.
Severity: 2/4.
Consequences: administrator access/rights, denial of service on server.
Provenance: user shell.
Creation date: 12/06/2012.
Revisions dates: 12/06/2012, 13/06/2012.
Identifiers: 2711167, CERTA-2012-AVI-328, CERTA-2012-AVI-334, CTX133161, CVE-2012-0217, DSA-2501-1, DSA-2508-1, FEDORA-2012-9386, FEDORA-2012-9399, FEDORA-2012-9430, FreeBSD-SA-12:04.sysret, MS12-042, NetBSD-SA2012-003, openSUSE-SU-2012:0886-1, RHSA-2012:0720-01, RHSA-2012:0721-01, SUSE-SU-2012:0730-1, VIGILANCE-VUL-11693, VU#649219, XSA-7, XSA-8.

Description of the vulnerability

The SYSCALL/SYSRET assembler instructions are used to enter and return from a system call.

The 64 bit RIP register holds the instruction pointer (the address of the code to execute).

A 64 bit processor uses "canonical" virtual addresses, located between 0 and 0x7FFF FFFF FFFF ((1<<47) - 1) for the lower half of the address space.

However, an attacker can store a SYSCALL instruction at address (1<<47)-2, and then jump to this address. During the SYSRET, the address of the next instruction becomes (1<<47), which is no longer canonical. A General Protection Fault thus occurs, and data located at the RSP (Stack Pointer) address are overwritten by values stored in registers.

An administrator in a guest ParaVirtualized 64 bit system can therefore use the SYSRET instruction with an invalid RIP, in order to execute code on the host system with a 64 bit Intel processor.

vulnerability bulletin CVE-2012-0551 CVE-2012-1711 CVE-2012-1713

Java JRE/JDK: several vulnerabilities

Synthesis of the vulnerability

Several vulnerabilities of Java JRE/JDK can be used by a malicious applet/application in order to execute code or to obtain information. A legitimate applet/application, handling malicious data, can also be forced to execute code.
Impacted products: Debian, Fedora, HP-UX, IBM IMS, Tivoli System Automation, WebSphere MQ, Mandriva Linux, Windows (platform) ~ not comprehensive, Java OpenJDK, openSUSE, Java Oracle, RHEL, SUSE Linux Enterprise Desktop, SLES, Unix (platform) ~ not comprehensive, ESX, vCenter Server.
Severity: 3/4.
Consequences: user access/rights.
Provenance: document.
Number of vulnerabilities in this bulletin: 14.
Creation date: 13/06/2012.
Identifiers: BID-53946, BID-53947, BID-53948, BID-53949, BID-53950, BID-53951, BID-53952, BID-53953, BID-53954, BID-53956, BID-53958, BID-53959, BID-53960, c03441075, CERTA-2012-AVI-331, CERTA-2012-AVI-452, CERTA-2012-AVI-607, CERTA-2012-AVI-666, CVE-2012-0551, CVE-2012-1711, CVE-2012-1713, CVE-2012-1716, CVE-2012-1717, CVE-2012-1718, CVE-2012-1719, CVE-2012-1720, CVE-2012-1721, CVE-2012-1722, CVE-2012-1723, CVE-2012-1724, CVE-2012-1725, CVE-2012-1726, DSA-2507-1, ESX400-201209001, ESX400-201209401-SG, ESX400-201209402-SG, ESX400-201209404-SG, FEDORA-2012-9541, FEDORA-2012-9545, FEDORA-2012-9590, FEDORA-2012-9593, HPSBUX02805, IC87301, javacpujun2012, MDVSA-2012:095, openSUSE-SU-2012:0828-1, PM65379, RHSA-2012:0729-01, RHSA-2012:0730-01, RHSA-2012:0734-01, RHSA-2012:1009-01, RHSA-2012:1019-01, RHSA-2012:1238-01, RHSA-2012:1243-01, RHSA-2012:1245-01, RHSA-2012:1289-01, RHSA-2012:1332-01, RHSA-2013:1455-01, RHSA-2013:1456-01, SSRT100919, SUSE-SU-2012:0762-1, SUSE-SU-2012:1177-1, SUSE-SU-2012:1177-2, SUSE-SU-2012:1204-1, SUSE-SU-2012:1231-1, SUSE-SU-2012:1264-1, SUSE-SU-2012:1265-1, SUSE-SU-2012:1475-1, swg21615246, swg21617572, swg21632667, swg21632668, swg21633991, swg21633992, VIGILANCE-VUL-11703, VMSA-2012-0003.1, VMSA-2012-0005.3, VMSA-2012-0008.1, VMSA-2012-0013.1, ZDI-12-142, ZDI-12-189.

Description of the vulnerability

Several vulnerabilities were announced in Java JRE/JDK. The most severe vulnerabilities lead to code execution.

An attacker can use a vulnerability of 2D (BasicService.showDocument), in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-53946, CVE-2012-1713, ZDI-12-142]

An attacker can use a vulnerability of Deployment, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-53959, CVE-2012-1721, ZDI-12-189]

An attacker can use a vulnerability of Deployment, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-53953, CVE-2012-1722]

An attacker can use a vulnerability of Hotspot, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-53960, CVE-2012-1723]

An attacker can use a vulnerability of Hotspot, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-53954, CVE-2012-1725]

An attacker can use a vulnerability of Swing, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-53947, CVE-2012-1716]

An attacker can use a vulnerability of CORBA, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-53949, CVE-2012-1711]

An attacker can use a vulnerability of Libraries, in order to obtain or alter information. [severity:2/4; BID-53948, CVE-2012-1726]

An attacker can use a vulnerability of Deployment, in order to obtain information, or to create a denial of service. [severity:2/4; CVE-2012-0551]

An attacker can use a vulnerability of CORBA, in order to alter information. [severity:2/4; BID-53950, CVE-2012-1719]

An attacker can use a vulnerability identified as CVE-2012-1724, in order to create a denial of service. [severity:2/4; BID-53958, CVE-2012-1724]

An attacker can use a vulnerability of Security, in order to create a denial of service. [severity:2/4; BID-53951, CVE-2012-1718]

An attacker can use a vulnerability of Networking, in order to obtain information, to alter information, or to create a denial of service. [severity:2/4; BID-53956, CVE-2012-1720]

An attacker can use a vulnerability of JRE, in order to obtain information. [severity:1/4; BID-53952, CVE-2012-1717]

computer vulnerability CVE-2012-2934

Xen, Citrix XenServer: denial of service via AMD

Synthesis of the vulnerability

An attacker in a guest ParaVirtualized 64 bit system can use a vulnerability of some AMD processors, in order to stop the host system.
Impacted products: Debian, Fedora, openSUSE, RHEL, SUSE Linux Enterprise Desktop, SLES, Unix (platform) ~ not comprehensive.
Severity: 1/4.
Consequences: denial of service on server.
Provenance: user shell.
Creation date: 12/06/2012.
Identifiers: BID-53961, CERTA-2012-AVI-328, CVE-2012-2934, DSA-2501-1, FEDORA-2012-9386, FEDORA-2012-9399, FEDORA-2012-9430, openSUSE-SU-2012:0886-1, openSUSE-SU-2012:1572-1, openSUSE-SU-2012:1573-1, RHSA-2012:0721-01, SUSE-SU-2012:0730-1, VIGILANCE-VUL-11695, XSA-9.

Description of the vulnerability

AMD announced a bug in its processors, in the following case:
 - the processor is in 64 bit mode
 - the code segment limit is 0xFFFF FFFF
 - the last byte of the current instruction is located at 0x7FFF FFFF FFFF
 - the next instruction is located at 0x8000 0000 0000
In this case, a General Protection Exception occurs.

An attacker in a guest ParaVirtualized 64 bit system can therefore use a vulnerability of some AMD processors, in order to stop the host system.

vulnerability note CVE-2012-0218

Xen, Citrix XenServer: denial of service via GPF

Synthesis of the vulnerability

An attacker in a ParaVirtualized guest system can use the SYSENTER/SYSCALL instruction, in order to force the host to send a General Protection Fault to the guest.
Impacted products: XenServer, Debian, Fedora, openSUSE, SUSE Linux Enterprise Desktop, SLES, Unix (platform) ~ not comprehensive.
Severity: 1/4.
Consequences: denial of service on server, denial of service on service.
Provenance: user shell.
Creation date: 12/06/2012.
Identifiers: BID-53955, CERTA-2012-AVI-328, CTX133161, CVE-2012-0218, DSA-2501-1, FEDORA-2012-9386, FEDORA-2012-9399, FEDORA-2012-9430, openSUSE-SU-2012:0886-1, SUSE-SU-2012:0730-1, VIGILANCE-VUL-11694, XSA-7, XSA-8.

Description of the vulnerability

The SYSENTER/SYSCALL assembler instructions are used to enter a system call.

An attacker in a ParaVirtualized guest system can use the SYSENTER/SYSCALL instruction, in order to force the host to send a General Protection Fault to the guest.

An unprivileged attacker can therefore stop the guest system.