The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of Debian Squeeze

vulnerability CVE-2010-3310

Linux kernel: memory corruption via AF_ROSE

Synthesis of the vulnerability

A local attacker can use an AF_ROSE socket in order to corrupt the kernel memory, which leads to a denial of service and possibly to code execution.
Impacted products: Debian, Linux, Mandriva Corporate, MES, NLD, OES, openSUSE, SLES.
Severity: 2/4.
Creation date: 21/09/2010.
Identifiers: BID-43368, CERTA-2002-AVI-272, CVE-2010-3310, DSA-2126-1, MDVSA-2011:029, MDVSA-2011:051, openSUSE-SU-2010:0720-1, openSUSE-SU-2010:0734-1, openSUSE-SU-2010:0895-2, SUSE-SA:2010:050, SUSE-SA:2010:051, SUSE-SA:2010:054, SUSE-SA:2010:060, SUSE-SA:2011:007, SUSE-SA:2011:008, SUSE-SU-2011:0928-1, VIGILANCE-VUL-9960.

Description of the vulnerability

The AF_ROSE socket family corresponds to the ROSE (Amateur Radio X.25 packet layer) network protocol.

A ROSE socket address (struct sockaddr_rose / full_sockaddr_rose) carries a list of digipeaters, and its srose_ndigis field gives how many entries that list holds; the kernel uses it as the number of entries to copy.

When the ROSE protocol is used, bind() reaches rose_bind() and connect() reaches rose_connect(), both in net/rose/af_rose.c. However, these functions test the signed srose_ndigis field against ROSE_MAX_DIGIS with a signed comparison, so a negative value passes the check (an integer signedness error) and the address is accepted, which leads to heap memory corruption.
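The signedness problem, as an added example written for this page (it is not kernel code; the struct, ROSE_ADDR_LEN and the byte-length consumer are assumptions for illustration, while ROSE_MAX_DIGIS = 6 and the unsigned-cast fix match the kernel):

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Illustrative model, not the kernel's struct: a digipeater list headed by a
 * signed count, as srose_ndigis is. ROSE_MAX_DIGIS is 6 in the kernel. */
#define ROSE_MAX_DIGIS 6
#define ROSE_ADDR_LEN  5

struct digi { uint8_t call[ROSE_ADDR_LEN]; };

/* Pre-fix style check: a signed comparison against the maximum. A negative
 * count is not "greater than ROSE_MAX_DIGIS", so it is accepted. */
bool ndigis_ok_vulnerable(int ndigis)
{
    return !(ndigis > ROSE_MAX_DIGIS);
}

/* Fixed check, the approach the kernel fix took: compare as unsigned, so any
 * negative value becomes a huge number and fails the same test. */
bool ndigis_ok_fixed(int ndigis)
{
    return !((unsigned int)ndigis > ROSE_MAX_DIGIS);
}

/* Why an accepted negative count is dangerous: once it reaches any size
 * computation (here a byte length, an assumed consumer for illustration, not a
 * line quoted from af_rose.c), it turns into an enormous value. */
size_t digis_bytes(int ndigis)
{
    return (size_t)ndigis * sizeof(struct digi);
}

int main(void)
{
    int samples[] = { 2, ROSE_MAX_DIGIS + 1, -1 };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("ndigis=%d vulnerable=%d fixed=%d bytes=%zu\n", samples[i],
               ndigis_ok_vulnerable(samples[i]), ndigis_ok_fixed(samples[i]),
               digis_bytes(samples[i]));
    return 0;
}
```

The single unsigned cast is the whole fix: a count that is either negative or above the maximum fails one test, and no second "ndigis < 0" check is needed.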

A local attacker can therefore use an AF_ROSE socket in order to corrupt the kernel memory, which leads to a denial of service and possibly to code execution.

computer vulnerability note CVE-2010-3067

Linux kernel: memory corruption via do_io_submit

Synthesis of the vulnerability

A local attacker can use io_submit() in order to corrupt the kernel memory, which leads to a denial of service and possibly to code execution.
Impacted products: Debian, Fedora, Linux, Mandriva Corporate, MES, Mandriva Linux, NLD, OES, openSUSE, RHEL, SLES, ESX.
Severity: 2/4.
Creation date: 21/09/2010.
Identifiers: 629441, BID-43353, CERTA-2002-AVI-272, CVE-2010-3067, DSA-2126-1, ESX400-201110001, ESX400-201110401-SG, ESX400-201110403-SG, ESX400-201110406-SG, ESX400-201110408-SG, ESX400-201110409-SG, ESX400-201110410-SG, FEDORA-2010-14832, FEDORA-2010-14878, FEDORA-2010-14890, FEDORA-2011-2134, MDVSA-2010:257, MDVSA-2011:029, MDVSA-2011:051, openSUSE-SU-2010:1047-1, openSUSE-SU-2011:0003-1, openSUSE-SU-2011:0004-1, RHSA-2010:0758-01, RHSA-2010:0779-01, RHSA-2010:0839-01, RHSA-2011:0007-01, SUSE-SA:2010:060, SUSE-SA:2011:001, SUSE-SA:2011:002, SUSE-SA:2011:007, SUSE-SA:2011:008, SUSE-SU-2011:0928-1, VIGILANCE-VUL-9959, VMSA-2011-0004.2, VMSA-2011-0009.1, VMSA-2011-0010.2, VMSA-2011-0012, VMSA-2011-0012.1, VMSA-2011-0013, VMSA-2012-0005.

Description of the vulnerability

The io_submit() system call queues asynchronous reads from or writes to files:
  io_submit(context, nr, iocbpp);
where nr is the number of entries in iocbpp, an array of pointers to struct iocb.

It calls do_io_submit() in fs/aio.c. Before reading the array from user space, this function checks the range with access_ok(), using the length:
  nr * sizeof(*iocbpp)
However, it does not check whether this multiplication overflows. When nr is large enough, the product wraps to a small value, the range check passes, and the kernel goes on to process an array size it never validated, which corrupts memory.
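A model of that length check, as an added example for this page rather than code from fs/aio.c. It assumes 64-bit addresses, an 8-byte struct iocb pointer (x86_64), and a made-up user-space boundary USER_LIMIT standing in for what access_ok() enforces:

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Model of the range check in do_io_submit(); illustration, not kernel code.
 * Assumptions: 64-bit addresses, sizeof(struct iocb *) == 8 (x86_64), and a
 * user-space boundary USER_LIMIT standing in for the access_ok() limit. */
#define IOCB_PTR_SIZE 8ull
#define USER_LIMIT    0x00007ffffffff000ull
#define LONG_MAX_64   0x7fffffffffffffffull

/* Simplified access_ok(): [base, base + len) must neither wrap nor cross the
 * user boundary. */
bool user_range_ok(uint64_t base, uint64_t len)
{
    return base + len >= base && base + len <= USER_LIMIT;
}

/* Pre-fix logic: the byte length is nr * sizeof(*iocbpp) with no overflow
 * check. For a large nr the product wraps to a small value, the range check
 * passes, and the kernel goes on to walk nr entries it never validated. */
bool submit_check_vulnerable(uint64_t iocbpp, int64_t nr)
{
    if (nr < 0) return false;
    uint64_t len = (uint64_t)nr * IOCB_PTR_SIZE;
    return user_range_ok(iocbpp, len);
}

/* Fixed logic: refuse any nr whose byte length would exceed LONG_MAX (the
 * kernel fix clamps nr to LONG_MAX / sizeof(*iocbpp); rejecting outright is
 * the stricter choice made here). */
bool submit_check_fixed(uint64_t iocbpp, int64_t nr)
{
    if (nr < 0) return false;
    if ((uint64_t)nr > LONG_MAX_64 / IOCB_PTR_SIZE) return false;
    return user_range_ok(iocbpp, (uint64_t)nr * IOCB_PTR_SIZE);
}

int main(void)
{
    uint64_t iocbpp = 0x00007fff00000000ull;        /* assumed user array address */
    int64_t samples[] = { 4, (int64_t)1 << 61 };
    for (int i = 0; i < 2; i++)
        printf("nr=%lld vulnerable=%d fixed=%d\n", (long long)samples[i],
               submit_check_vulnerable(iocbpp, samples[i]),
               submit_check_fixed(iocbpp, samples[i]));
    return 0;
}
```

With nr = 2^61 the product is exactly 2^64, which wraps to 0: a zero-length range at a valid user address is accepted, even though the caller asked for 2^61 entries. Testing the count against LONG_MAX / element size before multiplying is the general remedy for every "count times element size" length.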

A local attacker can therefore use io_submit() in order to corrupt the kernel memory, which leads to a denial of service and possibly to code execution.

computer vulnerability alert CVE-2010-0405

bzip2: integer overflow via RUNA/RUNB

Synthesis of the vulnerability

An attacker can create a malicious bz2 file and invite the victim to open it with bzip2 or an application linked to libbzip2, in order to execute code on the victim's computer.
Impacted products: ClamAV, Debian, BIG-IP Hardware, TMOS, Fedora, FreeBSD, Mandriva Corporate, MES, Mandriva Linux, NetBSD, OpenSolaris, openSUSE, Solaris, Trusted Solaris, RHEL, Slackware, SLES, Unix (platform) ~ not comprehensive, ESX, ESXi, VMware vSphere, VMware vSphere Hypervisor.
Severity: 3/4.
Creation date: 20/09/2010.
Identifiers: 1993667, BID-43331, CERTA-2010-AVI-449, CERTA-2012-AVI-151, CVE-2010-0405, DSA-2112-1, FEDORA-2010-15106, FEDORA-2010-15120, FEDORA-2010-15125, FEDORA-2010-15443, FEDORA-2010-17439, FreeBSD-SA-10:08.bzip2, MDVSA-2010:185, NetBSD-SA2010-007, openSUSE-SU-2010:0684-1, RHSA-2010:0703-01, RHSA-2010:0858-03, SOL15878, SSA:2010-263-01, SUSE-SR:2010:018, VIGILANCE-VUL-9956, VMSA-2010-0019, VMSA-2010-0019.1, VMSA-2010-0019.2, VMSA-2010-0019.3.

Description of the vulnerability

The bzip2 compression algorithm works on blocks of at most 900 kB. One of its stages is a run-length encoding: a run of identical symbols is replaced by the symbol and its repeat count (in bzip2 this applies to runs of the move-to-front index 0). For example:
  ab ab ab ab cdef
is encoded to:
  ab(4times) cdef
The repeat count (4 in the example) is encoded in bijective base 2 with two symbols, RUNA (value 1) and RUNB (value 2), the weight of each successive symbol doubling. For example, 50 is encoded as:
  RUNB(2) RUNB(2) RUNA(1) RUNA(1) RUNB(2)
which means:
  1*2 + 2*2 + 4*1 + 8*1 + 16*2 = 50
The run length obtained from the RUNA and RUNB symbols must never exceed the block size (900k).

libbzip2 implements the bzip2 format. However, the BZ2_decompress() function in decompress.c does not bound the accumulated run length, so a long enough series of RUNA/RUNB symbols overflows the 32-bit counter, and the writes that follow corrupt memory.
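The RUNA/RUNB decoding above, as an added example for this page (it is not libbzip2 code). Symbols are passed as a string of 'A' and 'B' for readability, BZ_MAX_BLOCK is the 900k block limit from the text, and BZ_N_LIMIT mirrors the weight cap that bzip2 1.0.6 added in decompress.c:

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BZ_MAX_BLOCK 900000               /* largest bzip2 block (level 9) */
#define BZ_N_LIMIT   (2 * 1024 * 1024)    /* cap on the weight N, as bzip2 1.0.6 enforces */

/* Decode a string of run symbols ('A' = RUNA, 'B' = RUNB) into a run length,
 * with the weight N doubling after each symbol (bijective base 2), exactly as
 * in the page's worked example.
 * Unchecked variant: 32-bit arithmetic with no bound, so it silently wraps. */
uint32_t run_length_unchecked(const char *syms)
{
    uint32_t es = 0, N = 1;
    for (; *syms; syms++) {
        if (*syms == 'A')      es += N;
        else if (*syms == 'B') es += 2 * N;
        else return 0;                     /* not a run symbol */
        N <<= 1;
    }
    return es;
}

/* Checked variant: stop as soon as the weight passes BZ_N_LIMIT or the run
 * would no longer fit in a block. Returns -1 for a malformed stream. */
int64_t run_length_checked(const char *syms)
{
    int64_t es = 0, N = 1;
    for (; *syms; syms++) {
        if (N >= BZ_N_LIMIT) return -1;
        if (*syms == 'A')      es += N;
        else if (*syms == 'B') es += 2 * N;
        else return -1;
        if (es > BZ_MAX_BLOCK) return -1;
        N <<= 1;
    }
    return es;
}

int main(void)
{
    char long_run[33];
    memset(long_run, 'B', 32);             /* constructed input: 32 RUNB symbols */
    long_run[32] = '\0';
    printf("BBAAB -> unchecked %u, checked %lld\n",
           (unsigned)run_length_unchecked("BBAAB"), (long long)run_length_checked("BBAAB"));
    printf("32xB  -> unchecked %u (wrapped), checked %lld\n",
           (unsigned)run_length_unchecked(long_run), (long long)run_length_checked(long_run));
    return 0;
}
```

Thirty-two RUNB symbols are enough to push a 32-bit accumulator past its range: the unchecked decoder returns 0xFFFFFFFE, which is -2 when read as the Int32 libbzip2 uses, while the checked decoder rejects the stream long before, as soon as the run exceeds the block size.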

An attacker can therefore create a malicious bz2 file and invite the victim to open it with bzip2 or an application linked to libbzip2, in order to execute code on the victim's computer.

computer vulnerability announce CVE-2010-3081

Linux kernel: privilege elevation via syscall on x86_64

Synthesis of the vulnerability

On an x86_64 architecture, a local attacker can use, among others, getsockopt() in a 32-bit process in order to elevate his privileges.
Impacted products: Debian, Fedora, Linux, Mandriva Corporate, MES, Mandriva Linux, openSUSE, RHEL, Slackware, SLES, ESX, ESXi, vCenter Server, VirtualCenter, VMware vSphere, VMware vSphere Hypervisor.
Severity: 2/4.
Creation date: 16/09/2010.
Identifiers: 634457, BID-43239, CERTA-2010-AVI-570, CVE-2010-3081, DSA-2110-1, FEDORA-2010-14832, FEDORA-2010-14878, FEDORA-2010-14890, MDVSA-2010:188, MDVSA-2010:198, MDVSA-2010:214, MDVSA-2010:247, openSUSE-SU-2010:0654-1, openSUSE-SU-2010:0655-1, openSUSE-SU-2010:0664-1, openSUSE-SU-2010:0720-1, RHSA-2010:0704-01, RHSA-2010:0705-01, RHSA-2010:0711-01, RHSA-2010:0718-01, RHSA-2010:0719-01, RHSA-2010:0758-01, RHSA-2010:0842-01, RHSA-2010:0882-01, SSA:2010-265-01, SUSE-SA:2010:043, SUSE-SA:2010:044, SUSE-SA:2010:045, SUSE-SA:2010:046, SUSE-SA:2010:047, SUSE-SA:2010:050, SUSE-SA:2011:007, SUSE-SR:2010:017, SUSE-SU-2011:0635-1, SUSE-SU-2011:0928-1, VIGILANCE-VUL-9947, VMSA-2010-0017, VMSA-2010-0017.1, VMSA-2011-0003, VMSA-2011-0003.1, VMSA-2011-0003.2.

Description of the vulnerability

The Linux kernel can run 32-bit programs on an x86_64 platform.

The getsockopt() function retrieves options of a socket; it performs a system call to do so.

When a 32-bit application makes a system call that needs a temporary buffer, the compatibility layer allocates it in user memory with the compat_alloc_user_space() function of kernel/compat.c, just below the process's user stack pointer. However, compat_alloc_user_space() does not verify with access_ok() that the computed buffer lies entirely in user space. Part of it can therefore be located in kernel space, and the kernel then writes there on the caller's behalf; the MCAST_MSFILTER getsockopt is one caller whose buffer length the user controls.

A local attacker can therefore use getsockopt() in a 32-bit process in order to elevate his privileges.
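A model of the allocation with and without the access_ok() check, as an added example for this page (not the kernel's implementation). USER_LIMIT is an assumed user-space boundary, and the wrap caused by a length larger than the stack pointer is one assumed way for the computed range to leave user space, chosen for illustration rather than taken from the published exploit:

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Model of compat_alloc_user_space(): the scratch buffer is carved out of the
 * calling process's user stack, just below its saved stack pointer.
 * Illustration only; USER_LIMIT is an assumed user-space boundary. */
#define USER_LIMIT 0x00007ffffffff000ull

static bool user_range_ok(uint64_t base, uint64_t len)
{
    return base + len >= base && base + len <= USER_LIMIT;
}

/* Pre-fix behaviour: return sp - len unconditionally. One way that goes wrong
 * (assumed here for illustration): a length larger than sp makes the
 * subtraction wrap to the top of the address space, i.e. into kernel memory,
 * and the caller then writes the kernel's data there. */
uint64_t compat_alloc_vulnerable(uint64_t user_sp, uint64_t len)
{
    return user_sp - len;
}

/* Fixed behaviour: the kernel change made compat_alloc_user_space() run
 * access_ok() on the computed range and return NULL (0 here) on failure. */
uint64_t compat_alloc_fixed(uint64_t user_sp, uint64_t len)
{
    uint64_t p = user_sp - len;
    return user_range_ok(p, len) ? p : 0;
}

bool is_kernel_address(uint64_t p) { return p > USER_LIMIT; }

int main(void)
{
    uint64_t sp = 0xffffe000ull;                      /* assumed 32-bit process stack pointer */
    uint64_t lens[] = { 0x100ull, 0x100000000ull };
    for (int i = 0; i < 2; i++)
        printf("len=%#llx vulnerable=%#llx (kernel? %d) fixed=%#llx\n",
               (unsigned long long)lens[i],
               (unsigned long long)compat_alloc_vulnerable(sp, lens[i]),
               is_kernel_address(compat_alloc_vulnerable(sp, lens[i])),
               (unsigned long long)compat_alloc_fixed(sp, lens[i]));
    return 0;
}
```

The lesson generalises beyond this CVE: any pointer the kernel derives from user-controlled values (a register, a length, an offset) must be passed through access_ok() before being handed to the __put_user()/__copy_to_user() family, which skips that check on purpose.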

vulnerability bulletin CVE-2010-3762

BIND: denial of service via a Trust Anchor

Synthesis of the vulnerability

When BIND validates with several Trust Anchors for the same zone, an answer with an invalid signature makes it exit, which an attacker can use in order to stop BIND.
Impacted products: Debian, BIG-IP Hardware, TMOS, BIND, Mandriva Corporate, MES, Mandriva Linux, RHEL, ESX, ESXi, VMware vSphere, VMware vSphere Hypervisor.
Severity: 1/4.
Creation date: 15/09/2010.
Identifiers: BID-45385, CERTA-2003-AVI-003, CERTFR-2014-AVI-200, CVE-2010-3762, DSA-2130-1, MDVSA-2010:253, RHSA-2010:0976-01, SOL15172, VIGILANCE-VUL-9943, VMSA-2011-0004, VMSA-2011-0004.1, VMSA-2011-0004.2, VMSA-2011-0004.3, VMSA-2011-0012.1, VMSA-2011-0013, VMSA-2012-0005.

Description of the vulnerability

The DNSSEC extension authenticates DNS records with signatures. A Trust Anchor is a public key (DNSKEY or DS record) that the validating resolver is configured to trust as the starting point of a validation chain.

ISC operates DLV (DNSSEC Look-aside Validation), which provides an additional source of Trust Anchors, configured in the named.conf file of BIND:
  dnssec-lookaside . trust-anchor dlv.isc.org.;

BIND can thus end up with several Trust Anchors for the same zone. However, in this case, if a response for that zone carries an invalid signature, named hits an error condition and exits instead of simply failing validation.

When BIND validates with several Trust Anchors for the same zone, an attacker can therefore have it process an answer with an invalid signature, in order to stop BIND.

vulnerability announce CVE-2010-3089

Mailman: Cross Site Scripting via info/description

Synthesis of the vulnerability

An attacker can use the Mailman information page in order to trigger a Cross Site Scripting attack.
Impacted products: Debian, Fedora, Mandriva Corporate, MES, Mandriva Linux, NLD, OES, openSUSE, RHEL, SLES, Unix (platform) ~ not comprehensive.
Severity: 2/4.
Creation date: 14/09/2010.
Identifiers: CERTA-2011-AVI-100, CVE-2010-3089, CVE-2010-3090-REJECT, DSA-2170-1, FEDORA-2010-14834, FEDORA-2010-14877, MDVSA-2010:191, openSUSE-SU-2011:0312-1, openSUSE-SU-2011:0424-1, RHSA-2011:0307-01, RHSA-2011:0308-01, SUSE-SR:2011:007, SUSE-SR:2011:009, VIGILANCE-VUL-9932.

Description of the vulnerability

The Mailman program is a mailing-list manager with a web interface.

A web page displays items about a mailing-list:
 - name
 - description
 - information
However, the "description" and "info" fields are not HTML-escaped before being displayed.

An attacker who is allowed to edit the fields of a mailing-list (typically a list administrator) can therefore use the Mailman information page in order to trigger a Cross Site Scripting attack against its visitors.

vulnerability alert CVE-2010-3069

Samba: buffer overflow of SID

Synthesis of the vulnerability

An attacker can send an SMB packet containing a malformed Windows SID, in order to trigger a buffer overflow in Samba, leading to code execution.
Impacted products: Debian, Fedora, HP-UX, Mandriva Corporate, MES, Mandriva Linux, OpenSolaris, openSUSE, Solaris, RHEL, Samba, Slackware, SLES, ESX.
Severity: 3/4.
Creation date: 14/09/2010.
Identifiers: BID-43212, c02787667, CERTA-2010-AVI-429, CERTA-2010-AVI-583, CVE-2010-3069, DSA-2109-1, FEDORA-2010-14627, FEDORA-2010-14678, FEDORA-2010-14768, HPSBUX02657, MDVSA-2010:184, openSUSE-SU-2010:0653-1, openSUSE-SU-2010:0658-1, openSUSE-SU-2010:0659-1, RHSA-2010:0697-01, RHSA-2010:0698-01, RHSA-2010:0860-02, SSA:2010-257-01, SSRT100460, SUSE-SR:2010:018, VIGILANCE-VUL-9931, VMSA-2010-0019, VMSA-2010-0019.1, VMSA-2010-0019.2, VMSA-2010-0019.3.

Description of the vulnerability

The Windows system uses SID (Security IDentifiers) to identify users and systems. For example:
  S-1-2-3456789...-1234

The sid_parse() function of the Samba source/lib/util_sid.c file decodes the SID fields carried in SMB packets and stores the sub-authorities in a fixed-size array. However, when the num_auths field (number of sub-authorities) is greater than MAXSUBAUTHS, the copy loop runs past the end of the array.
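A bounded SID parser, as an added example written for this page (not Samba's sid_parse()). The wire layout (revision, count, 6-byte big-endian authority, little-endian sub-authorities) and MAXSUBAUTHS = 15 are Samba's; the sample SIDs are constructed for the test:

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAXSUBAUTHS 15   /* Samba's limit on sub-authorities per SID */

struct dom_sid {
    uint8_t  sid_rev_num;
    uint8_t  num_auths;
    uint8_t  id_auth[6];
    uint32_t sub_auths[MAXSUBAUTHS];
};

/* Constructed sample: S-1-5-21-1-2-1000 in wire form (revision 1, 4 sub-authorities,
 * authority 5, then the four little-endian sub-authorities). */
static const uint8_t SAMPLE_SID[] = {
    1, 4, 0, 0, 0, 0, 0, 5,
    21, 0, 0, 0,  1, 0, 0, 0,  2, 0, 0, 0,  0xe8, 0x03, 0, 0
};
/* Same bytes, but num_auths claims 200 entries: the kind of value that ran the copy past the array. */
static const uint8_t HOSTILE_SID[] = {
    1, 200, 0, 0, 0, 0, 0, 5,
    21, 0, 0, 0,  1, 0, 0, 0,  2, 0, 0, 0,  0xe8, 0x03, 0, 0
};

/* Parse a binary SID: 1-byte revision, 1-byte sub-authority count, 6-byte
 * big-endian identifier authority, then num_auths 32-bit little-endian
 * sub-authorities. The pre-fix sid_parse() lacked the MAXSUBAUTHS test, so a
 * count above 15 drove the copy loop past sub_auths[]. */
bool sid_parse_checked(const uint8_t *in, size_t len, struct dom_sid *sid)
{
    if (len < 8) return false;
    memset(sid, 0, sizeof *sid);
    sid->sid_rev_num = in[0];
    sid->num_auths   = in[1];
    if (sid->num_auths > MAXSUBAUTHS) return false;          /* the missing bound */
    if (len < 8 + (size_t)sid->num_auths * 4) return false;  /* truncated packet */
    memcpy(sid->id_auth, in + 2, 6);
    for (unsigned i = 0; i < sid->num_auths; i++) {
        const uint8_t *p = in + 8 + 4 * i;
        sid->sub_auths[i] = (uint32_t)p[0] | (uint32_t)p[1] << 8 |
                            (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
    }
    return true;
}

/* Render as S-R-A-S1-...; the 48-bit authority is printed in decimal. */
void sid_to_string(const struct dom_sid *sid, char *out, size_t outlen)
{
    uint64_t auth = 0;
    for (int i = 0; i < 6; i++) auth = auth << 8 | sid->id_auth[i];
    int n = snprintf(out, outlen, "S-%u-%llu", (unsigned)sid->sid_rev_num, (unsigned long long)auth);
    for (unsigned i = 0; i < sid->num_auths && n > 0 && (size_t)n < outlen; i++)
        n += snprintf(out + n, outlen - n, "-%u", (unsigned)sid->sub_auths[i]);
}

/* Parse then format; returns false when the SID is rejected. */
bool sid_parse_to_string(const uint8_t *in, size_t len, char *out, size_t outlen)
{
    struct dom_sid sid;
    if (!sid_parse_checked(in, len, &sid)) return false;
    sid_to_string(&sid, out, outlen);
    return true;
}

int main(void)
{
    char buf[128];
    if (sid_parse_to_string(SAMPLE_SID, sizeof SAMPLE_SID, buf, sizeof buf))
        printf("sample parsed: %s\n", buf);
    printf("hostile accepted: %d\n", sid_parse_to_string(HOSTILE_SID, sizeof HOSTILE_SID, buf, sizeof buf));
    printf("truncated accepted: %d\n", sid_parse_to_string(SAMPLE_SID, 20, buf, sizeof buf));
    return 0;
}
```

Two checks are needed, not one: the count against the array capacity (the check this CVE was missing) and the count against the bytes actually present in the packet, otherwise a short SID reads past the end of the buffer instead of writing past the end of the array.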

An attacker can therefore send an SMB packet containing a malformed Windows SID, in order to trigger a buffer overflow in Samba, leading to code execution.

vulnerability CVE-2010-3445

Wireshark: denial of service via ASN.1/BER

Synthesis of the vulnerability

An attacker can send a malformed SNMPv1 packet, in order to generate an infinite recursion in the ASN.1/BER module, which stops Wireshark.
Impacted products: Debian, Fedora, Mandriva Corporate, MES, Mandriva Linux, NLD, OES, OpenSolaris, openSUSE, RHEL, SLES, Wireshark.
Severity: 1/4.
Creation date: 14/09/2010.
Identifiers: BID-43197, BID-43923, CERTA-2002-AVI-272, CVE-2010-3445, DSA-2127-1, FEDORA-2011-2620, FEDORA-2011-2632, MDVSA-2010:200, openSUSE-SU-2011:0010-1, openSUSE-SU-2011:0010-2, RHSA-2010:0924-01, RHSA-2011:0370-01, SUSE-SR:2011:001, SUSE-SR:2011:002, SUSE-SR:2011:007, VIGILANCE-VUL-9930.

Description of the vulnerability

The SNMP protocol uses data in ASN.1 format, encoded as BER (Basic Encoding Rules).

The SNMPv1 dissector of Wireshark uses the ASN.1/BER dissector of epan/dissectors/packet-ber.c to decode the message.

The dissect_unknown_ber() function handles BER data that does not match the expected syntax. However, on a malformed element whose declared length is too long, it ends up calling itself recursively without any bound.
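A BER walker that cannot recurse without limit, as an added example for this page (it is not Wireshark's dissector). Two guards give the guarantee: each element consumes at least its tag and length bytes before the walker moves on, and the nesting depth is capped at an assumed BER_MAX_DEPTH. The SNMP-shaped sample and the malformed sample are constructed for the test:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define BER_MAX_DEPTH 32   /* assumed nesting limit for this example */

/* Constructed sample: SEQUENCE { INTEGER 0, OCTET STRING "public" }, the
 * shape of the start of an SNMPv1 message. */
static const uint8_t SNMP_SAMPLE[] = {
    0x30, 0x0b, 0x02, 0x01, 0x00, 0x04, 0x06, 'p', 'u', 'b', 'l', 'i', 'c'
};
/* Constructed malformed sample: the SEQUENCE claims 5 content bytes but only 3 follow. */
static const uint8_t BAD_SAMPLE[] = { 0x30, 0x05, 0x02, 0x01, 0x00 };

/* Walk BER TLVs in buf[0..len), descending into constructed elements (bit 6
 * of the tag). Handles single-byte tags and definite lengths only. Returns the
 * number of elements, or -1 for malformed input or nesting past BER_MAX_DEPTH. */
static int ber_walk(const uint8_t *buf, size_t len, int depth)
{
    if (depth > BER_MAX_DEPTH) return -1;           /* the recursion bound */
    int count = 0;
    size_t off = 0;
    while (off < len) {
        uint8_t tag = buf[off++];
        if (off >= len) return -1;                  /* no length byte */
        size_t l = buf[off++];
        if (l & 0x80) {                             /* long form: n length bytes follow */
            size_t n = l & 0x7f;
            if (n == 0 || n > sizeof(size_t) || n > len - off) return -1;
            l = 0;
            for (size_t i = 0; i < n; i++) l = l << 8 | buf[off++];
        }
        if (l > len - off) return -1;               /* declared length overruns the buffer */
        count++;
        if (tag & 0x20) {                           /* constructed: recurse into the content */
            int inner = ber_walk(buf + off, l, depth + 1);
            if (inner < 0) return -1;
            count += inner;
        }
        off += l;                                   /* every element consumes its bytes */
    }
    return count;
}

int ber_count_elements(const uint8_t *buf, size_t len) { return ber_walk(buf, len, 0); }

/* Build `levels` nested empty SEQUENCEs (0x30) to probe the depth bound; levels <= 64. */
size_t build_nested_sequences(uint8_t *out, size_t outlen, int levels)
{
    if (levels < 1 || levels > 64 || (size_t)levels * 2 > outlen) return 0;
    for (int i = 0; i < levels; i++) {
        out[2 * i]     = 0x30;
        out[2 * i + 1] = (uint8_t)(2 * (levels - 1 - i));
    }
    return (size_t)levels * 2;
}

int main(void)
{
    uint8_t nested[128];
    size_t n = build_nested_sequences(nested, sizeof nested, 40);
    printf("snmp sample: %d elements\n", ber_count_elements(SNMP_SAMPLE, sizeof SNMP_SAMPLE));
    printf("bad sample: %d\n", ber_count_elements(BAD_SAMPLE, sizeof BAD_SAMPLE));
    printf("40 nested sequences: %d (-1 = depth bound hit)\n", ber_count_elements(nested, n));
    return 0;
}
```

A declared length is checked against the bytes that remain before it is trusted, so an over-long element is rejected at the level where it appears rather than being re-dissected.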

An attacker can therefore send a malformed SNMPv1 packet, in order to generate an infinite recursion in the ASN.1/BER module, which stops Wireshark.

computer vulnerability alert CVE-2010-3297

Linux kernel: memory reading via eql

Synthesis of the vulnerability

When a network device with Equalizer Load Balancer is installed, a local attacker can obtain 16 bytes coming from the kernel memory.
Impacted products: Debian, Linux, Mandriva Corporate, openSUSE, RHEL, SLES.
Severity: 1/4.
Creation date: 14/09/2010.
Identifiers: BID-43229, CERTA-2002-AVI-272, CVE-2010-3297, DSA-2126-1, MDVSA-2011:051, openSUSE-SU-2010:0655-1, openSUSE-SU-2010:0664-1, openSUSE-SU-2010:0720-1, openSUSE-SU-2010:0895-1, RHSA-2010:0771-01, SUSE-SA:2010:044, SUSE-SA:2010:046, SUSE-SA:2010:047, SUSE-SA:2010:050, SUSE-SA:2010:054, SUSE-SA:2011:007, SUSE-SU-2011:0928-1, VIGILANCE-VUL-9926.

Description of the vulnerability

The drivers/net/eql.c file implements the support of network devices with Equalizer Load Balancer.

The EQL_GETMASTRCFG ioctl returns the configuration of the master device. However, eql_g_master_cfg() fills a master_config_t structure on the kernel stack without zeroing it first and never writes its 16-byte master_name field, so those 16 bytes are copied to user space with whatever the stack held.

When a network device with Equalizer Load Balancer is installed, a local attacker can therefore obtain 16 bytes coming from the kernel memory.

computer vulnerability CVE-2010-3296

Linux kernel: memory reading via cxgb3

Synthesis of the vulnerability

When a Chelsio T3 network device is installed, a local attacker can obtain 4 bytes coming from the kernel memory.
Impacted products: Debian, Linux, openSUSE, RHEL, SLES, ESX.
Severity: 1/4.
Creation date: 14/09/2010.
Identifiers: BID-43221, CERTA-2002-AVI-272, CVE-2010-3296, DSA-2126-1, ESX400-201110001, ESX400-201110401-SG, ESX400-201110403-SG, ESX400-201110406-SG, ESX400-201110408-SG, ESX400-201110409-SG, ESX400-201110410-SG, openSUSE-SU-2010:0655-1, openSUSE-SU-2010:0664-1, openSUSE-SU-2010:0720-1, openSUSE-SU-2010:0895-1, RHSA-2011:0017-01, RHSA-2011:0421-01, SUSE-SA:2010:046, SUSE-SA:2010:047, SUSE-SA:2010:050, SUSE-SA:2010:054, SUSE-SA:2011:007, VIGILANCE-VUL-9925, VMSA-2011-0004.2, VMSA-2011-0009.1, VMSA-2011-0010.2, VMSA-2011-0012, VMSA-2011-0012.1, VMSA-2011-0013, VMSA-2012-0005.

Description of the vulnerability

The drivers/net/cxgb3/cxgb3_main.c file implements the support of Chelsio T3 network devices.

The CHELSIO_GET_QSET_NUM ioctl returns the number of queue sets of the device, using a ch_reg structure as its reply. However, cxgb_extension_ioctl() only sets the cmd and val fields of its local ch_reg structure (edata), leaving the 4-byte addr field uninitialized, so those 4 bytes of kernel stack are copied to user space as is.
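The eql (CVE-2010-3297) and cxgb3 (CVE-2010-3296) bulletins describe the same defect: a reply structure on the kernel stack is only partly filled before being copied to user space. One added example for both, written for this page and not taken from either driver; the structure is modelled on eql's master_config_t, the "stack slot" is a static buffer standing in for reused kernel stack, and the pattern left in it is constructed:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Illustrative reply structure, modelled on eql's master_config_t (a 16-byte
 * name plus two integers); not the kernel's exact layout. */
#define MASTER_NAME_LEN 16
struct master_config {
    char master_name[MASTER_NAME_LEN];
    int  max_slaves;
    int  min_slaves;
};

/* Stand-in for the kernel stack slot the structure lives in: whatever the
 * previous function call left there is still present when the handler runs. */
static union {
    struct master_config mc;
    uint8_t raw[sizeof(struct master_config)];
} stack_slot;

/* Simulate an earlier call leaving data in the slot (a pointer, a key, ...). */
void previous_call_leaves(uint8_t pattern)
{
    memset(stack_slot.raw, pattern, sizeof stack_slot.raw);
}

/* Pre-fix shape of eql_g_master_cfg(): only the integers are assigned, then the
 * whole structure, never-written master_name included, goes to user space.
 * cxgb3's CHELSIO_GET_QSET_NUM path had the same shape with ch_reg.addr. */
void get_master_cfg_vulnerable(struct master_config *user_out)
{
    struct master_config *mc = &stack_slot.mc;
    mc->max_slaves = 4;
    mc->min_slaves = 1;
    memcpy(user_out, mc, sizeof *mc);   /* stands in for copy_to_user() */
}

/* Fixed shape: zero the structure first, so every byte the caller receives
 * was deliberately set by the handler. */
void get_master_cfg_fixed(struct master_config *user_out)
{
    struct master_config *mc = &stack_slot.mc;
    memset(mc, 0, sizeof *mc);
    mc->max_slaves = 4;
    mc->min_slaves = 1;
    memcpy(user_out, mc, sizeof *mc);
}

/* How many bytes of a buffer still carry the pattern the previous call left. */
size_t leaked_bytes(const void *buf, size_t n, uint8_t pattern)
{
    const uint8_t *p = buf;
    size_t hits = 0;
    for (size_t i = 0; i < n; i++)
        if (p[i] == pattern) hits++;
    return hits;
}

int main(void)
{
    struct master_config out;
    previous_call_leaves(0xAA);
    get_master_cfg_vulnerable(&out);
    printf("vulnerable: %zu of %d name bytes are stale stack contents\n",
           leaked_bytes(out.master_name, MASTER_NAME_LEN, 0xAA), MASTER_NAME_LEN);
    previous_call_leaves(0xAA);
    get_master_cfg_fixed(&out);
    printf("fixed: %zu stale bytes\n", leaked_bytes(out.master_name, MASTER_NAME_LEN, 0xAA));
    return 0;
}
```

Zeroing the whole structure (memset, or a `= {0}` initializer) rather than assigning the fields one by one is the robust form of the fix: it also covers padding bytes the compiler inserts between fields, which field-by-field assignment never touches.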

When a Chelsio T3 network device is installed, a local attacker can therefore obtain 4 bytes coming from the kernel memory.