The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of Debian Sarge

computer vulnerability bulletin CVE-2011-1585

Linux kernel: reuse of CIFS session

Synthesis of the vulnerability

A local attacker can reuse the CIFS session of another user, in order to access that user's data.
Impacted products: Debian, Linux, openSUSE, RHEL, SUSE Linux Enterprise Desktop, SLES.
Severity: 2/4.
Creation date: 15/04/2011.
Identifiers: BID-47381, CVE-2011-1585, DSA-2240-1, openSUSE-SU-2011:0861-1, RHSA-2011:1253-01, RHSA-2011:1386-01, SUSE-SA:2011:026, SUSE-SA:2011:027, SUSE-SA:2011:031, SUSE-SA:2011:034, SUSE-SA:2011:040, SUSE-SU-2011:0512-1, SUSE-SU-2011:0711-1, SUSE-SU-2011:0737-1, SUSE-SU-2011:0832-1, SUSE-SU-2011:0899-1, SUSE-SU-2011:1058-1, SUSE-SU-2015:0812-1, VIGILANCE-VUL-10568.

Description of the vulnerability

The kernel implements a CIFS client to access resources shared via CIFS/SMB.

The cifs_find_smb_ses() function of the fs/cifs/connect.c file looks up the session of the CIFS client user (the user who mounted a network share). However, if a local attacker uses an empty password, this function returns the session parameters of the first user instead.

A local attacker can therefore reuse the CIFS session of another user, in order to access that user's data.
Complete Vigil@nce bulletin.... (Free trial)

computer vulnerability CVE-2011-1577

Linux kernel: denial of service via EFI

Synthesis of the vulnerability

An attacker can mount a device with a malicious EFI partition, in order to stop the system.
Impacted products: Debian, Fedora, Linux, openSUSE, RHEL, SUSE Linux Enterprise Desktop, SLES, ESX.
Severity: 1/4.
Creation date: 13/04/2011.
Identifiers: BID-47343, CVE-2011-1577, DSA-2264-1, FEDORA-2011-7823, openSUSE-SU-2011:0416-1, openSUSE-SU-2011:0861-1, PRE-SA-2011-03, RHSA-2011:0833-01, RHSA-2011:1253-01, RHSA-2011:1465-01, SUSE-SA:2011:021, SUSE-SA:2011:026, SUSE-SA:2011:027, SUSE-SA:2011:031, SUSE-SU-2011:0512-1, SUSE-SU-2011:0711-1, SUSE-SU-2011:0737-1, SUSE-SU-2011:0832-1, SUSE-SU-2011:0928-1, SUSE-SU-2011:1150-1, SUSE-SU-2012:0364-1, VIGILANCE-VUL-10565.

Description of the vulnerability

The fs/partitions/efi.c file implements support for EFI (Extensible Firmware Interface) partitions. These partitions are read automatically when a user connects or mounts a device formatted with an EFI partition table.

The is_gpt_valid() function computes the CRC32 of the EFI GPT (GUID Partition Table). However, it does not check whether the declared size is too large before doing so, and therefore tries to read from an invalid memory address.

An attacker can therefore mount a device with a malicious EFI partition, in order to stop the system.

vulnerability CVE-2009-5022 CVE-2010-4665

LibTIFF: two vulnerabilities

Synthesis of the vulnerability

An attacker can invite the victim to open a malicious TIFF image, in order to generate a denial of service or to execute code in applications linked to LibTIFF.
Impacted products: Debian, Fedora, LibTIFF, Mandriva Linux, openSUSE, Solaris, Trusted Solaris, RHEL, SLES.
Severity: 2/4.
Creation date: 13/04/2011.
Identifiers: 1999, 2218, 599475, 682871, 687441, 687442, BID-47338, CVE-2009-5022, CVE-2010-4665, DSA-2256-1, DSA-2552-1, FEDORA-2011-5304, MDVSA-2011:078, openSUSE-SU-2011:0405-1, openSUSE-SU-2011:0409-1, RHSA-2011:0452-01, SUSE-SR:2011:008, SUSE-SR:2011:009, VIGILANCE-VUL-10560.

Description of the vulnerability

The LibTIFF library is used to manage TIFF images. Several vulnerabilities were announced in LibTIFF.

An attacker can generate a buffer overflow in libtiff/tif_ojpeg.c. [severity:2/4; 1999, CVE-2009-5022]

An attacker can generate an integer overflow in tools/tiffdump.c. [severity:2/4; 2218, CVE-2010-4665]

An attacker can therefore invite the victim to open a malicious TIFF image, in order to generate a denial of service or to execute code in applications linked to LibTIFF.

vulnerability note CVE-2011-1518

OTRS: Cross Site Scripting

Synthesis of the vulnerability

An attacker can exploit several Cross Site Scripting vulnerabilities in OTRS, in order to execute JavaScript code in the web browser of visitors.
Impacted products: Debian, openSUSE, OTRS Help Desk, SLES.
Severity: 2/4.
Creation date: 12/04/2011.
Identifiers: BID-47323, CERTA-2011-AVI-220, CVE-2011-1518, DSA-2231-1, openSUSE-SU-2011:0464-1, OSA-2011-01, SUSE-SR:2011:009, VIGILANCE-VUL-10544.

Description of the vulnerability

The OTRS service is used to manage incident tickets through a web site.

However, several OTRS pages do not correctly filter their parameters before displaying them:
 - Kernel/Output/HTML/Layout.pm
 - Kernel/Output/HTML/Lite/Warning.dtl
 - Kernel/Output/HTML/Standard/CustomerError.dtl
 - Kernel/Output/HTML/Standard/CustomerFooter.dtl
 - Kernel/Output/HTML/Standard/CustomerTicketSearchResultShort.dtl
 - Kernel/Output/HTML/Standard/CustomerWarning.dtl
 - Kernel/Output/HTML/Standard/Error.dtl
 - Kernel/Output/HTML/Standard/FooterJS.dtl
 - Kernel/Output/HTML/Standard/Warning.dtl

An attacker can therefore exploit several Cross Site Scripting vulnerabilities in OTRS, in order to execute JavaScript code in the web browser of visitors.

vulnerability CVE-2011-1684

VLC: buffer overflow via MP4

Synthesis of the vulnerability

An attacker can invite the victim to open a malicious MP4 file with VLC, in order to execute code on his computer.
Impacted products: Debian, VLC.
Severity: 3/4.
Creation date: 12/04/2011.
Identifiers: BID-47293, CERTA-2011-AVI-218, CVE-2011-1684, DSA-2218-1, VideoLAN-SA-1103, VIGILANCE-VUL-10540.

Description of the vulnerability

The VideoLAN VLC program displays multimedia documents.

The MP4_ReadBox_skcr() function of the modules/demux/mp4/libmp4.c file decodes an MP4 box into a MP4_Box_data_frma_t structure (4 bytes). However, this function should use a MP4_Box_data_skcr_t structure (12 bytes). The 8 bytes located after the end of MP4_Box_data_frma_t are thus overwritten.

An attacker can therefore invite the victim to open a malicious MP4 file with VLC, in order to execute code on his computer.

computer vulnerability CVE-2011-4824

Cacti: several vulnerabilities

Synthesis of the vulnerability

An attacker can use several Cross Site Scripting and SQL injection vulnerabilities in Cacti, in order to execute JavaScript/SQL code in the context of the web site.
Impacted products: Cacti, Debian, Fedora, MES.
Severity: 2/4.
Creation date: 12/04/2011.
Identifiers: BID-47363, BID-50671, CVE-2011-4824, DSA-2384-1, DSA-2384-2, FEDORA-2011-15032, FEDORA-2011-15071, FEDORA-2011-15110, MDVSA-2012:010, VIGILANCE-VUL-10535.

Description of the vulnerability

The Cacti product uses a MySQL database and RRDtool (Round Robin Database), to store information. Graphs are displayed on an Apache+PHP web site.

However, several PHP scripts do not filter the following parameters before displaying them:
 - data_input.php: id
 - graph_templates.php: id
 - graphs.php: host_id
 - host.php: drp_action and host_status
 - templates_export.php: key
 - tree.php: id

Moreover, the tree.php script does not filter the id and tree_id parameters before using them in a SQL query.

An attacker can therefore execute JavaScript/SQL code in the context of the Cacti web site.

computer vulnerability note CVE-2011-1574

libmodplug: buffer overflow via ReadS3M

Synthesis of the vulnerability

An attacker can invite the victim to open a malicious S3M file with an application linked to libmodplug, in order to execute code on his computer.
Impacted products: Debian, Fedora, Mandriva Linux, NLD, OES, openSUSE, RHEL, SLES, Unix (platform) ~ not comprehensive, VLC.
Severity: 3/4.
Creation date: 08/04/2011.
Identifiers: 20110407-0, CERTA-2003-AVI-001, CERTA-2011-AVI-196, CVE-2011-1574, DSA-2226-1, FEDORA-2011-5204, MDVSA-2011:085, openSUSE-SU-2011:0350-1, RHSA-2011:0477-01, SUSE-SR:2011:007, VideoLAN-SA-1104, VIGILANCE-VUL-10529.

Description of the vulnerability

The STM (Scream Tracker Music) and S3M (Scream Tracker Music version 3) formats are composed of:
 - a header
 - instruments
 - voices/patterns
 - samples (often used in loops)

The libmodplug library supports the S3M format. It is for example used by sound applications such as PyModPlug, UModPlayer and VideoLAN.

However, libmodplug does not check whether the number of instruments (nins) and patterns (npat) exceeds the size of the buffers that store them. A buffer overflow thus occurs in the CSoundFile::ReadS3M() function of src/load_s3m.cpp.

An attacker can therefore invite the victim to open a malicious S3M file with an application linked to libmodplug, in order to execute code on his computer.

computer vulnerability announcement 10527

SPIP: denial of service via an update

Synthesis of the vulnerability

An attacker with SPIP author privileges can start an update procedure, in order to create a denial of service.
Impacted products: Debian, SPIP.
Severity: 1/4.
Creation date: 07/04/2011.
Identifiers: BID-47302, CERTA-2003-AVI-001, CERTA-2011-AVI-196, DSA-2229-1, VIGILANCE-VUL-10527.

Description of the vulnerability

The ecrire/exec/upgrade.php page is used to update the installed SPIP version. Only the administrator should be allowed to access this page.

However, an author is also allowed to call upgrade.php. The procedure fails, but SPIP is left in a nonfunctional state.

An attacker with SPIP author privileges can therefore start an update procedure, in order to create a denial of service.

vulnerability note CVE-2011-0465

xrdb: shell command injection

Synthesis of the vulnerability

An attacker owning a malicious DHCP server or using XDMCP can use a special hostname, in order to inject a shell command in xrdb.
Impacted products: Debian, Fedora, Mandriva Corporate, MES, Mandriva Linux, NetBSD, NLD, OES, openSUSE, Solaris, Trusted Solaris, RHEL, Slackware, SLES, Unix (platform) ~ not comprehensive, XOrg Bundle ~ not comprehensive.
Severity: 2/4.
Creation date: 06/04/2011.
Identifiers: CERTA-2011-AVI-191, CVE-2011-0465, DSA-2213-1, FEDORA-2011-4871, FEDORA-2011-4879, MDVSA-2011:076, openSUSE-SU-2011:0298-1, RHSA-2011:0432-01, RHSA-2011:0433-01, SSA:2011-096-01, SUSE-SA:2011:016, VIGILANCE-VUL-10524.

Description of the vulnerability

The xrdb program manages the X server resource database.

However, this program does not filter special shell characters contained in the computer name before using this name in a shell command run by root. For example, an attacker can use a computer name like:
  beginName`command`endName
  beginName;command;endName

In order to exploit this vulnerability, the attacker can define a malicious name for the computer:
 - via DHCP: attack similar to VIGILANCE-VUL-10522 or VIGILANCE-VUL-10530
 - via XDMCP (X Display Manager Control Protocol): attack by changing the client name

An attacker owning a malicious DHCP server or using XDMCP can therefore use a special hostname, in order to inject a shell command in xrdb.

vulnerability bulletin CVE-2011-1494 CVE-2011-1495

Linux kernel: vulnerabilities of mpt2sas

Synthesis of the vulnerability

A local attacker, who is allowed to connect to /dev/mpt2ctl, can send a special query, in order to read the kernel memory, to create a denial of service or to execute code.
Impacted products: Debian, Fedora, Linux, RHEL, SUSE Linux Enterprise Desktop, SLES, ESX.
Severity: 1/4.
Creation date: 06/04/2011.
Identifiers: CVE-2011-1494, CVE-2011-1495, DSA-2240-1, ESX400-201110001, ESX400-201110401-SG, ESX400-201110403-SG, ESX400-201110406-SG, ESX400-201110408-SG, ESX400-201110409-SG, ESX400-201110410-SG, FEDORA-2011-6447, FEDORA-2011-6541, RHSA-2011:0542-01, RHSA-2011:0833-01, RHSA-2011:0883-01, RHSA-2011:1253-01, SUSE-SA:2011:034, SUSE-SU-2011:0899-1, SUSE-SU-2015:0812-1, VIGILANCE-VUL-10523, VMSA-2011-0004.2, VMSA-2011-0009.1, VMSA-2011-0010.2, VMSA-2011-0012, VMSA-2011-0012.1, VMSA-2011-0012.3, VMSA-2011-0013, VMSA-2011-0013.2, VMSA-2012-0005.

Description of the vulnerability

The mpt2sas driver implements support for LSI MPT Serial Attached SCSI devices. It installs the /dev/mpt2ctl device, which controls the SCSI features. Access to this device is restricted to root by default, but some installations allow users to connect. Two vulnerabilities impact the mpt2sas driver.

The _ctl_do_mpt_command() function of the drivers/scsi/mpt2sas/mpt2sas_ctl.c file processes commands received on /dev/mpt2ctl. However, it does not check the size of the received commands before copying them into an array, which creates a buffer overflow. [severity:1/4; CVE-2011-1494]

The _ctl_diag_read_buffer() function of the drivers/scsi/mpt2sas/mpt2sas_ctl.c file does not check whether the memory area requested by the user is too large. An attacker can thus read kernel memory. [severity:1/4; CVE-2011-1495]

A local attacker, who is allowed to connect to /dev/mpt2ctl, can therefore send a special query, in order to read the kernel memory, to create a denial of service or to execute code.
Our database contains other pages. You can request a free trial to read them.