The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of Debian Squeeze

vulnerability bulletin CVE-2010-2935 CVE-2010-2936

OpenOffice.org Impress: code execution

Synthesis of the vulnerability

An attacker can create a malicious OpenOffice.org Impress document, and invite the victim to open it, in order to execute code on his computer.
Impacted products: OpenOffice, Debian, MES, Mandriva Linux, NLD, OES, openSUSE, RHEL, SLES.
Severity: 3/4.
Creation date: 05/08/2010.
Identifiers: CERTA-2011-AVI-039, CERTA-2011-AVI-243, cpujan2011, CVE-2010-2935, CVE-2010-2936, DSA-2099-1, MDVSA-2010:221, openSUSE-SU-2010:0732-1, openSUSE-SU-2011:0336-1, openSUSE-SU-2011:0337-1, RHSA-2010:0643-01, SUSE-SR:2010:019, SUSE-SR:2010:024, SUSE-SR:2011:007, VIGILANCE-VUL-9813.

Description of the vulnerability

The OpenOffice.org Impress program is used to create presentations. It is impacted by two vulnerabilities.

A malicious document truncates an integer, which corrupts the memory. [severity:3/4; CERTA-2011-AVI-039, CERTA-2011-AVI-243, CVE-2010-2935]

A malicious document creates an integer overflow, which corrupts the memory. [severity:3/4; CVE-2010-2936]

An attacker can therefore create a malicious OpenOffice.org Impress document, and invite the victim to open it, in order to execute code on his computer.

computer vulnerability bulletin CVE-2010-2492

Linux kernel: buffer overflow of ecryptfs_hash_buckets

Synthesis of the vulnerability

A local attacker can generate a buffer overflow in ecryptfs, in order to elevate his privileges.
Impacted products: Debian, Linux, MES, Mandriva Linux, openSUSE, RHEL, ESX.
Severity: 2/4.
Creation date: 03/08/2010.
Identifiers: BID-42237, CVE-2010-2492, DSA-2110-1, ESX400-201110001, ESX400-201110401-SG, ESX400-201110403-SG, ESX400-201110406-SG, ESX400-201110408-SG, ESX400-201110409-SG, ESX400-201110410-SG, MDVSA-2010:172, MDVSA-2010:188, MDVSA-2010:198, openSUSE-SU-2010:0664-1, RHSA-2010:0723-01, RHSA-2011:0007-01, SUSE-SA:2010:046, VIGILANCE-VUL-9808, VMSA-2011-0004.2, VMSA-2011-0009.1, VMSA-2011-0010.2, VMSA-2011-0012, VMSA-2011-0012.1, VMSA-2011-0013, VMSA-2012-0005.

Description of the vulnerability

The Linux kernel uses ecryptfs to encrypt/decrypt files on the fly.

The fs/ecryptfs/messaging.c file uses the ecryptfs_hash_buckets variable to store the number of bits of the hash used to index the table of hlist_head structures. However, ecryptfs_hash_buckets is used as if it were the number of hlist_head structures. For example, if ecryptfs_hash_buckets is set to 3, the table really has 8 structures (1<<3) rather than 3. As this variable is used to compute the size of the memory area allocated with kmalloc(), the allocated area is too short for the indexes that the hash can produce.
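The sizing mistake described above is easy to reproduce in isolation. The following added example (not kernel code, and not the Vigil@nce bulletin's) uses a stand-in hlist_head structure and two sizing functions: one that treats the bit count as the number of buckets, as the bulletin describes, and one that allocates 1<<bits buckets. A bounds helper then checks whether the largest index an N-bit hash can produce still falls inside each allocation. The struct name, the hash_index() helper and the sample bit counts are assumptions made for the example.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified stand-in for the kernel's hlist_head (example code, not the kernel's). */
struct hlist_head {
    void *first;
};

/* Index into a table of (1 << hash_bits) buckets: keep the low hash_bits bits.
 * Assumed helper; the real kernel uses its own hash function. */
size_t hash_index(unsigned long key, unsigned int hash_bits)
{
    return (size_t)(key & (((unsigned long)1 << hash_bits) - 1));
}

/* Number of buckets that an hash_bits-bit index can actually address. */
size_t bucket_count(unsigned int hash_bits)
{
    return (size_t)1 << hash_bits;
}

/* Mistaken sizing: the bit count is used as if it were the bucket count.
 * Returns the number of bytes such code would pass to kmalloc(). */
size_t table_bytes_buggy(unsigned int hash_bits)
{
    return (size_t)hash_bits * sizeof(struct hlist_head);
}

/* Correct sizing: one hlist_head per bucket, and there are 1 << hash_bits buckets. */
size_t table_bytes_correct(unsigned int hash_bits)
{
    return bucket_count(hash_bits) * sizeof(struct hlist_head);
}

/* 1 if every index an hash_bits-bit hash can produce stays inside alloc_bytes, else 0. */
int index_in_bounds(unsigned int hash_bits, size_t alloc_bytes)
{
    size_t max_index = bucket_count(hash_bits) - 1;
    return (max_index + 1) * sizeof(struct hlist_head) <= alloc_bytes;
}

int main(void)
{
    unsigned int bits = 3; /* the bulletin's example value */
    printf("bits=%u: %zu buckets, buggy alloc %zu bytes, correct alloc %zu bytes\n",
           bits, bucket_count(bits), table_bytes_buggy(bits), table_bytes_correct(bits));
    printf("key 13 lands in bucket %zu\n", hash_index(13, bits));
    printf("buggy allocation covers every bucket?   %d\n",
           index_in_bounds(bits, table_bytes_buggy(bits)));
    printf("correct allocation covers every bucket? %d\n",
           index_in_bounds(bits, table_bytes_correct(bits)));
    return 0;
}
```

With bits=3 the buggy computation allocates room for 3 entries while hash_index() can return any value from 0 to 7, so the last five buckets lie past the end of the allocation; the correct computation allocates all 8. The same check is a useful review habit whenever a variable named like a count is actually a bit width.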

A local attacker can therefore generate a buffer overflow in ecryptfs, in order to elevate his privileges.

computer vulnerability CVE-2010-2799

socat: buffer overflow of parameters

Synthesis of the vulnerability

When an attacker can inject long parameters on the socat command line, he can execute code with user privileges.
Impacted products: Debian, BIG-IP Hardware, TMOS, Fedora, MES, SUSE Linux Enterprise Desktop, SLES.
Severity: 1/4.
Creation date: 03/08/2010.
Identifiers: BID-42112, CVE-2010-2799, DSA-2090-1, FEDORA-2010-13403, FEDORA-2010-13412, FEDORA-2011-0098, MDVSA-2010:183, SOL14919, SUSE-SU-2012:0808-1, VIGILANCE-VUL-9805.

Description of the vulnerability

The socat program is used to create and process sockets and data streams.

The socat/nestlex.c file contains a lexical analyzer that decodes command line parameters. However, this analyzer does not check the size of addresses, host names or file names. When one of these parameters is longer than 512 bytes, a buffer overflow occurs.

When an attacker can inject long parameters on the socat command line, he can therefore execute code with user privileges.

vulnerability bulletin CVE-2010-2524

Linux kernel: file access via CIFS DNS resolver

Synthesis of the vulnerability

A local attacker can modify his keyring, in order to force the CIFS client of the Linux kernel to connect to a malicious CIFS/SMB server.
Impacted products: Debian, BIG-IP Hardware, TMOS, Fedora, Linux, Mandriva Linux, openSUSE, RHEL, SLES, ESX, ESXi, vCenter Server, VirtualCenter, VMware vSphere, VMware vSphere Hypervisor.
Severity: 2/4.
Creation date: 02/08/2010.
Identifiers: CERTA-2010-AVI-355, CVE-2010-2524, DSA-2264-1, FEDORA-2010-11412, FEDORA-2010-11462, MDVSA-2010:172, openSUSE-SU-2010:0664-1, RHSA-2010:0610-01, SOL16477, SUSE-SA:2010:039, SUSE-SA:2010:040, SUSE-SA:2010:046, VIGILANCE-VUL-9803, VMSA-2011-0003, VMSA-2011-0003.1, VMSA-2011-0003.2.

Description of the vulnerability

The Linux kernel contains a CIFS/SMB client, which is used to connect to a remote share.

In order to save IP addresses of CIFS/SMB servers, the dns_resolve_server_name_to_ip() function of the fs/cifs/dns_resolve.c file stores values in the user's keyring.

However, an attacker can save a malicious IP address in his keyring, so the kernel will use it, and will connect to the attacker's CIFS/SMB server.

A local attacker can therefore modify his keyring, in order to force the CIFS client of the Linux kernel to connect to a malicious CIFS/SMB server.

vulnerability announce CVE-2010-2798

Linux kernel: denial of service via GFS2 rename

Synthesis of the vulnerability

A local attacker can rename a file on GFS2, in order to stop the system.
Impacted products: Debian, Fedora, Linux, MES, Mandriva Linux, openSUSE, RHEL, SLES, ESX.
Severity: 1/4.
Creation date: 02/08/2010.
Identifiers: BID-42124, CVE-2010-2798, DSA-2094-1, ESX400-201110001, ESX400-201110401-SG, ESX400-201110403-SG, ESX400-201110406-SG, ESX400-201110408-SG, ESX400-201110409-SG, ESX400-201110410-SG, FEDORA-2010-13058, FEDORA-2010-13110, MDVSA-2010:188, MDVSA-2010:198, openSUSE-SU-2010:0664-1, openSUSE-SU-2010:0895-1, openSUSE-SU-2013:0927-1, RHSA-2010:0660-01, RHSA-2010:0670-01, RHSA-2010:0723-01, SUSE-SA:2010:039, SUSE-SA:2010:040, SUSE-SA:2010:046, SUSE-SA:2010:054, VIGILANCE-VUL-9802, VMSA-2011-0004.2, VMSA-2011-0009.1, VMSA-2011-0010.2, VMSA-2011-0012, VMSA-2011-0012.1, VMSA-2011-0013, VMSA-2012-0005.

Description of the vulnerability

The Linux kernel supports GFS/GFS2 (Global File System).

When a user renames a file on GFS2, and if the length of the new file name is the same as the length of the old file name, the kernel simply replaces the entry in the directory. However, if the file to rename is located at the first entry of the directory, the gfs2_dirent_find_space() function of the fs/gfs2/dir.c file does not find this entry, and a NULL pointer is dereferenced.

A local attacker can therefore rename a file on GFS2, in order to stop the system.

computer vulnerability note CVE-2010-2284 CVE-2010-2287 CVE-2010-2994

Wireshark 1.0: two vulnerabilities

Synthesis of the vulnerability

Several vulnerabilities of Wireshark can be used by a remote attacker to create a denial of service or to execute code.
Impacted products: Debian, Ethereal, Fedora, Mandriva Corporate, MES, Mandriva Linux, NLD, OES, openSUSE, RHEL, SLES, Wireshark.
Severity: 2/4.
Creation date: 30/07/2010.
Identifiers: BID-42618, CVE-2010-2284, CVE-2010-2287, CVE-2010-2994, CVE-2010-2995, DSA-2101-1, FEDORA-2010-13416, FEDORA-2010-13427, MDVSA-2010:144, openSUSE-SU-2011:0010-1, openSUSE-SU-2011:0010-2, RHSA-2010:0625-01, SUSE-SR:2011:001, SUSE-SR:2011:002, SUSE-SR:2011:007, VIGILANCE-VUL-9799.

Description of the vulnerability

The Wireshark program captures and displays network packets. Protocols are decoded by dissectors. They are impacted by several vulnerabilities.

An attacker can generate a buffer overflow in the SigComp Universal Decompressor Virtual Machine. [severity:2/4; CVE-2010-2287, CVE-2010-2995]

An attacker can generate a buffer overflow in the ASN.1 BER dissector. [severity:2/4; CVE-2010-2284, CVE-2010-2994]

vulnerability note 9794

TYPO3: several vulnerabilities

Synthesis of the vulnerability

Several vulnerabilities of TYPO3 can be used by an attacker to obtain or alter information, or to execute code.
Impacted products: Debian, TYPO3 Core, TYPO3 Extensions ~ not comprehensive.
Severity: 3/4.
Creation date: 28/07/2010.
Revision date: 30/07/2010.
Identifiers: BID-42029, BID-42032, DSA-2098-1, DSA-2098-2, TYPO3-SA-2010-012, TYPO3-SA-2010-013, TYPO3-SA-2010-014, VIGILANCE-VUL-9794.

Description of the vulnerability

Several vulnerabilities were announced in TYPO3.

An attacker can generate several Cross Site Scripting attacks in the backend. [severity:2/4]

An attacker can redirect the victim to a malicious site. [severity:2/4]

An attacker can inject SQL data. [severity:2/4]

The fileDenyPattern directive does not filter phtml files, so an attacker can upload PHP code to be executed. [severity:3/4]

An attacker can generate an error, in order to see the error message containing the access path to the website root. [severity:1/4]

An attacker can generate a Cross Site Scripting in the Extension Manager. An authenticated attacker can use the Extension Manager to read files. [severity:2/4]

The PHP uniqid() function is used to generate session cookies. However, this function is not sufficiently random on Windows. [severity:1/4]

An attacker can use the Frontend, in order to send spam emails to arbitrary email addresses. [severity:2/4]

An attacker can inject headers via the Frontend. [severity:2/4]

An attacker can redirect the victim or generate a Cross Site Scripting via the login box. [severity:2/4]

The password restoring feature uses a key which is not sufficiently random. An attacker can guess it, in order to access the user account. [severity:2/4]

An attacker can authenticate on the Install Tool. [severity:2/4]

An attacker can generate a Cross Site Scripting in the FLUID Templating Engine. [severity:2/4]

The TYPO3 version number is included in email headers by t3lib_htmlmail. [severity:1/4]

An attacker can generate a Cross Site Scripting in the Introduction Package. [severity:2/4]

An attacker can authenticate without a password in the Front End User Registration (sr_feuser_register) extension. [severity:2/4; BID-42032, TYPO3-SA-2010-013]

An attacker can access the database via the phpMyAdmin extension (phpmyadmin). [severity:3/4; TYPO3-SA-2010-014]

computer vulnerability note CVE-2010-1452

Apache httpd: denial of service of mod_cache and mod_dav

Synthesis of the vulnerability

An attacker can use a special URI, in order to create a denial of service in mod_cache and mod_dav.
Impacted products: Apache httpd, Debian, Fedora, HPE BAC, HP-UX, Mandriva Corporate, MES, Mandriva Linux, OpenSolaris, Solaris, RHEL, JBoss EAP by Red Hat, Slackware, SLES.
Severity: 2/4.
Creation date: 26/07/2010.
Identifiers: 966349, BID-41963, c02579879, c03236227, CERTA-2011-AVI-493, CVE-2010-1452, DSA-2298-1, DSA-2298-2, FEDORA-2010-12478, HPSBMU02753, HPSBUX02612, MDVSA-2010:152, MDVSA-2010:153, RHSA-2010:0659-01, RHSA-2011:0896-01, RHSA-2011:0897-01, SSA:2010-240-02, SSRT100345, SSRT100782, SUSE-SU-2011:1000-1, SUSE-SU-2011:1215-1, VIGILANCE-VUL-9789.

Description of the vulnerability

The Apache httpd server uses the "parsed_uri" field of the "request_rec" structure to store the decoded URI:
  scheme://user:password@hostname:port_str/path?query
The "path" field of the apr_uri_t structure can be NULL when the URI has no path component, for example:
  scheme://user:password@hostname:port_str

However, the mod_cache and mod_dav modules do not check this case, and dereference a NULL pointer.

The mod_cache module is only impacted if the CacheIgnoreURLSessionIdentifiers directive is used. The attacker has to be authenticated on mod_dav in order to exploit the vulnerability.

An attacker can therefore use a special URI, in order to create a denial of service in mod_cache and mod_dav.

computer vulnerability CVE-2010-2547

GnuPG: memory corruption via GPGSM

Synthesis of the vulnerability

An attacker can invite the victim to open a malicious certificate with GnuPG GPGSM, in order to corrupt the memory, leading to a denial of service or to code execution.
Impacted products: Debian, Fedora, GnuPG, Mandriva Corporate, MES, Mandriva Linux, openSUSE, RHEL, Slackware, SLES.
Severity: 3/4.
Creation date: 23/07/2010.
Identifiers: BID-41945, CERTA-2010-AVI-341, CVE-2010-2547, DSA-2076-1, FEDORA-2010-11382, FEDORA-2010-11413, MDVSA-2010:143, RHSA-2010:0603-01, SSA:2010-240-01, SUSE-SR:2010:015, SUSE-SR:2010:020, VIGILANCE-VUL-9785.

Description of the vulnerability

The GPGSM tool is an implementation of S/MIME (signing and encryption of MIME messages).

When GPGSM checks a signature, it automatically imports the certificate. A certificate can also be imported via the "import" option of the command line.

However, when a certificate contains more than 98 Subject Alternative Names, the array holding the SANs is reallocated, but the stale address of the old array is still used.
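The defect described above is the classic use of a pre-reallocation pointer. The following added example (not GnuPG's code, and not the Vigil@nce bulletin's) shows the pattern that avoids it: a growable list of SAN strings whose backing array is only ever reached through the list structure, so a move of the array by realloc() cannot leave a caller holding the old address. The append function reports whether the base moved, which makes the hazard visible when the list crosses a capacity boundary. The san_list type, the "sanN.example" names and the initial capacity are constructed for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Growable list of Subject Alternative Name strings (example code, not GnuPG's). */
struct san_list {
    char **names;  /* heap array; its address may change on every growth */
    size_t count;
    size_t cap;
};

/* Portable replacement for strdup(), which is POSIX rather than ISO C. */
static char *dup_string(const char *s)
{
    size_t n = strlen(s) + 1;
    char *copy = malloc(n);
    if (copy)
        memcpy(copy, s, n);
    return copy;
}

int san_list_init(struct san_list *l, size_t initial_cap)
{
    l->names = calloc(initial_cap, sizeof(char *));
    if (!l->names)
        return -1;
    l->count = 0;
    l->cap = initial_cap;
    return 0;
}

/* Append a copy of name, doubling the array when it is full.
 * Returns 1 if the base address moved, 0 if it did not, -1 on allocation failure.
 * The bug class in the bulletin is a caller that keeps using the pre-growth
 * address after this function has moved the array; here no caller ever holds
 * that address, every access goes through l->names. */
int san_list_append(struct san_list *l, const char *name)
{
    int moved = 0;
    if (l->count == l->cap) {
        size_t new_cap = l->cap ? l->cap * 2 : 4;
        char **old = l->names;
        char **grown = realloc(l->names, new_cap * sizeof(char *));
        if (!grown)
            return -1;               /* the old array is still valid and unchanged */
        moved = (grown != old);      /* realloc() may or may not move the block */
        l->names = grown;            /* refresh the only stored base pointer */
        l->cap = new_cap;
    }
    char *copy = dup_string(name);
    if (!copy)
        return -1;
    l->names[l->count++] = copy;
    return moved;
}

/* Bounds-checked read; NULL for an out-of-range index. */
const char *san_list_get(const struct san_list *l, size_t i)
{
    return i < l->count ? l->names[i] : NULL;
}

void san_list_free(struct san_list *l)
{
    for (size_t i = 0; i < l->count; i++)
        free(l->names[i]);
    free(l->names);
    l->names = NULL;
    l->count = l->cap = 0;
}

/* Build a list of n constructed names "san<i>.example" starting from a small
 * capacity, verify every entry is still readable after the growths, and return
 * the number of times the backing array moved (>= 0), or -1 on any failure. */
long build_and_check_san_list(size_t n, size_t initial_cap)
{
    struct san_list l;
    long moves = 0;
    char buf[32];
    if (san_list_init(&l, initial_cap) < 0)
        return -1;
    for (size_t i = 0; i < n; i++) {
        snprintf(buf, sizeof buf, "san%zu.example", i);
        int r = san_list_append(&l, buf);
        if (r < 0) { san_list_free(&l); return -1; }
        moves += r;
    }
    for (size_t i = 0; i < n; i++) {
        snprintf(buf, sizeof buf, "san%zu.example", i);
        const char *got = san_list_get(&l, i);
        if (!got || strcmp(got, buf) != 0) { san_list_free(&l); return -1; }
    }
    int sane = (l.count == n) && (l.cap >= n) && (san_list_get(&l, n) == NULL);
    san_list_free(&l);
    return sane ? moves : -1;
}

int main(void)
{
    long moves = build_and_check_san_list(120, 4);
    printf("120 SANs stored; backing array moved %ld time(s)\n", moves);
    return moves < 0;
}
```

Running it with 120 names from a capacity of 4 forces five growths, so the list crosses the kind of boundary the bulletin describes (its 98-entry threshold) several times; whether realloc() actually moves the block on a given run depends on the allocator, which is exactly why code must never assume it stays put.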

An attacker can therefore invite the victim to open a malicious certificate with GnuPG GPGSM, in order to corrupt the memory, leading to a denial of service or to code execution.

vulnerability note CVE-2010-2529

iputils: denial of service of ping

Synthesis of the vulnerability

A server can send a malicious ICMP reply, in order to generate an infinite loop in the ping tool.
Impacted products: Debian, Fedora, Mandriva Corporate, MES, Mandriva Linux, Unix (platform) ~ not comprehensive.
Severity: 1/4.
Creation date: 23/07/2010.
Identifiers: BID-41911, CVE-2010-2529, DSA-2645-1, FEDORA-2010-12252, FEDORA-2010-12273, MDVSA-2010:138, VIGILANCE-VUL-9784.

Description of the vulnerability

The iputils suite contains network tools, such as ping and traceroute6.

The ping tool sends an IPv4+ICMP_Echo_Request to a remote computer, which answers with an IPv4+ICMP_Echo_Reply packet.

If the remote computer sends an answer containing an IPv4 Timestamp option, the pr_options() function of ping.c decodes it. However, this function is incorrect, and an infinite loop occurs.

A server can therefore send a malicious ICMP reply, in order to generate an infinite loop in the ping tool.