The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of Debian Squeeze

computer vulnerability announce CVE-2010-0408 CVE-2010-0425

Apache httpd: denials of service in modules

Synthesis of the vulnerability

An attacker can trigger a denial of service in the mod_proxy_ajp and mod_isapi modules of Apache httpd.
Impacted products: Apache httpd, Debian, Fedora, HP-UX, Mandriva Corporate, MES, Mandriva Linux, OpenSolaris, openSUSE, Solaris, RHEL, Slackware, SLES, VMware ACE.
Severity: 2/4.
Creation date: 03/03/2010.
Revision date: 08/03/2010.
Identifiers: BID-38491, BID-38494, c02160663, CERTA-2010-AVI-112, CERTA-2010-AVI-122, CVE-2010-0408, CVE-2010-0425, DSA-2035-1, FEDORA-2010-6055, FEDORA-2010-6131, HPSBUX02531, MDVSA-2010:053, RHSA-2010:0168-01, RHSA-2010:0396-01, SOS-10-002, SSA:2010-067-01, SSRT100108, SUSE-SR:2010:010, VIGILANCE-VUL-9487, VMSA-2010-0014, VMSA-2010-0014.1, VU#280613.

Description of the vulnerability

Two denials of service were announced in Apache httpd.

The mod_proxy_ajp module forwards requests to Tomcat over the AJP protocol. When a client sends a Content-Length header announcing a body but then sends no body, the ap_proxy_ajp_request() function returns HTTP_INTERNAL_SERVER_ERROR instead of HTTP_BAD_REQUEST. Because the failure is reported as a backend error, mod_proxy marks the backend worker as being in an error state until its retry timeout expires, so requests from other clients to that backend fail during that window: a denial of service. [severity:2/4; BID-38491, CVE-2010-0408]

The mod_isapi module runs ISAPI extensions on Windows. When a client aborts a request, the module unloads the ISAPI extension too early and later dereferences a dangling pointer, which crashes the service. [severity:2/4; CERTA-2010-AVI-112, CERTA-2010-AVI-122, CVE-2010-0425, SOS-10-002, VU#280613]
Complete Vigil@nce bulletin.... (Free trial)

vulnerability note CVE-2010-0393

CUPS: privilege elevation via lppasswd

Synthesis of the vulnerability

A local attacker can modify the LOCALEDIR environment variable, in order to generate a format string attack in lppasswd, leading to the execution of privileged code.
Impacted products: CUPS, Debian, Mandriva Corporate, MES, Mandriva Linux, openSUSE, SLES.
Severity: 2/4.
Creation date: 04/03/2010.
Identifiers: BID-38524, CERTA-2002-AVI-252, CERTA-2010-AVI-110, CERTA-2010-AVI-182, CVE-2010-0393, DSA-2007-1, MDVSA-2010:072, MDVSA-2010:073, MDVSA-2010:073-1, SUSE-SR:2010:007, VIGILANCE-VUL-9494.

Description of the vulnerability

The lppasswd command sets the password of users who authenticate to the CUPS printing system. This program is installed setuid root.

The LOCALEDIR environment variable defines the directory from which message catalogs (translated messages) are loaded. The _cupsLangprintf() function prints these translated messages.

A local attacker can point LOCALEDIR at a directory they control, so that lppasswd prints the attacker's message catalog with _cupsLangprintf(). Since these messages are used directly as format strings, the attacker can embed conversions such as %n and mount a format string attack inside lppasswd, which runs with root privileges.

A local attacker can therefore modify the LOCALEDIR environment variable, in order to generate a format string attack in lppasswd, leading to the execution of privileged code.
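As an added example (this is not CUPS code, nor the fix CUPS shipped), the check below validates a translated message against the original before it is ever used as a printf format: a catalog entry is accepted only if it consumes exactly the arguments the original does, in the same order, contains no stray "%", and never uses %n. The catalog and the strings in it are constructed for the example; positional conversions of the "%1$s" form are not handled.

```python
import re

# One printf-style conversion specification: flags, width, precision, length
# modifier and conversion character, or the literal "%%".
_CONV = re.compile(
    r"%(?:(?P<pct>%)|(?P<flags>[-+ #0]*)(?P<width>\d+|\*)?(?:\.(?P<prec>\d+|\*))?"
    r"(?P<len>hh|h|ll|l|L|q|j|z|t)?(?P<conv>[diouxXeEfFgGaAcspn]))"
)


def conversions(fmt):
    """Return the argument-consuming conversions of fmt as normalized keys.

    Flags, fixed widths and precisions are dropped because they do not change
    the argument type; a '*' width/precision is kept because it consumes an
    extra int argument, and the length modifier is kept because %d and %ld
    read different sizes.
    """
    keys = []
    for m in _CONV.finditer(fmt):
        if m.group("pct"):
            continue
        key = ""
        if m.group("width") == "*":
            key += "*"
        if m.group("prec") == "*":
            key += ".*"
        keys.append(key + (m.group("len") or "") + m.group("conv"))
    return keys


def has_stray_percent(fmt):
    """True if fmt contains a '%' that is neither a valid conversion nor '%%'."""
    return "%" in _CONV.sub("", fmt)


def safe_translation(original, translated):
    """Accept a translation only if it consumes exactly the arguments the
    original does, in the same order, and never uses %n (a memory write)."""
    if has_stray_percent(translated):
        return False
    trans = conversions(translated)
    if any(k.endswith("n") for k in trans):
        return False
    return trans == conversions(original)


def lookup_message(catalog, msgid):
    """Return the catalog entry for msgid if it validates, otherwise fall back
    to msgid itself, so an untrusted catalog never controls the format string."""
    candidate = catalog.get(msgid)
    if candidate is None or not safe_translation(msgid, candidate):
        return msgid
    return candidate


# Constructed catalog: one honest translation and one that a local attacker
# could plant in a directory named by LOCALEDIR.
CATALOG = {
    "Enter old password: ": "Entrez l'ancien mot de passe : ",
    "lppasswd: Unable to open password file: %s\n": "%x.%x.%x.%x.%n\n",
}
```

A setuid program should additionally ignore LOCALEDIR (and similar path variables) altogether when the real and effective user IDs differ; the validation above is the defence for the case where a catalog is loaded from a location the administrator controls but its contents are not trusted.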

vulnerability CVE-2010-0434

Apache httpd: information disclosure via SubRequest

Synthesis of the vulnerability

When Apache httpd uses a SubRequest and a multi-threaded MPM, session data can be returned to another user.
Impacted products: Apache httpd, Debian, Fedora, HP-UX, Mandriva Corporate, MES, Mandriva Linux, OpenSolaris, openSUSE, Solaris, RHEL, SLES, VMware ACE.
Severity: 2/4.
Creation date: 03/03/2010.
Identifiers: 48359, BID-38494, BID-38580, c02160663, CVE-2010-0434, DSA-2035-1, FEDORA-2010-6055, FEDORA-2010-6131, HPSBUX02531, MDVSA-2010:057, RHSA-2010:0168-01, RHSA-2010:0175-01, RHSA-2010:0396-01, RHSA-2010:0602-02, SSRT100108, SUSE-SR:2010:010, VIGILANCE-VUL-9490, VMSA-2010-0014, VMSA-2010-0014.1.

Description of the vulnerability

The MPM (Multi-Processing Module) of Apache httpd 2 defines how client connections are handled. Several modules are available:
 - prefork: multi-process, no threads (similar to httpd 1.3)
 - worker: multi-process and multi-threaded
 - mpm_winnt: multi-threaded, optimized for Windows
 - mpmt_os2: multi-process and multi-threaded, optimized for OS/2
 - etc.
The administrator chooses the MPM when the Apache server is compiled.

Apache uses a "SubRequest" to simulate a new client request internally. SubRequests are used, for example, for error handling or URL rewriting.

When Apache creates a SubRequest, it copies pointers to the headers instead of copying the headers themselves. With a multi-threaded MPM, these pointers can end up referencing data that belongs to another connection.

When Apache httpd uses a SubRequest and a multi-threaded MPM, session data can therefore be returned to another user.

computer vulnerability note CVE-2010-1087

Linux kernel: denial of service via NFS

Synthesis of the vulnerability

An attacker can truncate an NFS file, in order to crash the kernel, and possibly to execute code.
Impacted products: Debian, Linux, openSUSE, RHEL, SLES, ESX, ESXi, vCenter Server, VirtualCenter, VMware vSphere, VMware vSphere Hypervisor.
Severity: 2/4.
Creation date: 03/03/2010.
Identifiers: BID-39569, CVE-2010-1087, DSA-2053-1, openSUSE-SU-2010:0664-1, RHSA-2010:0504-01, RHSA-2010:0631-01, SUSE-SA:2010:031, SUSE-SA:2010:035, SUSE-SA:2010:046, VIGILANCE-VUL-9489, VMSA-2010-0016, VMSA-2010-0016.1, VMSA-2011-0003, VMSA-2011-0003.1, VMSA-2011-0003.2.

Description of the vulnerability

The nfs_wait_on_request() function of the fs/nfs/pagelist.c file waits for the completion of a request on an NFS filesystem.

When a file is truncated, this wait can be interrupted before the request completes, which leads to a write into an invalid memory page.

An attacker can therefore truncate an NFS file, in order to crash the kernel, and possibly to execute code.

computer vulnerability bulletin CVE-2010-0205

libpng: denial of service during the decompression

Synthesis of the vulnerability

An attacker can create an image with an extremely high compression ratio and invite the victim to open it with libpng, in order to generate a denial of service on the victim's computer.
Impacted products: Debian, Fedora, libpng, Mandriva Corporate, MES, Mandriva Linux, Mandriva NF, OpenSolaris, openSUSE, Solaris, Trusted Solaris, RHEL, SLES, VMware Player, VMware Workstation.
Severity: 2/4.
Creation date: 03/03/2010.
Identifiers: BID-38478, CVE-2010-0205, DSA-2032-1, FEDORA-2010-2988, FEDORA-2010-3375, FEDORA-2010-3414, FEDORA-2010-4616, FEDORA-2010-4673, FEDORA-2010-4683, MDVSA-2010:063, MDVSA-2010:064, RHSA-2010:0534-01, SUSE-SR:2010:011, SUSE-SR:2010:012, SUSE-SR:2010:013, VIGILANCE-VUL-9488, VMSA-2010-0014, VMSA-2010-0014.1, VU#576029.

Description of the vulnerability

A PNG image can contain ancillary chunks:
 - zTXt: compressed text
 - iTXt: international text, which can be compressed
 - iCCP: an embedded ICC color profile, which is compressed
 - etc.

When libpng processes a PNG image containing compressed chunks, the png_decompress_chunk() function enforces no limit on the uncompressed size or on the CPU time spent. For example, a compressed zTXt chunk of 17 KB can expand to 5 MB, and a compressed iCCP chunk of 50 KB to 60 MB.

An attacker can therefore create an image with an extremely high compression ratio and invite the victim to open it with libpng, in order to generate a denial of service on the victim's computer.
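As an added example (not libpng code), the script below builds a minimal PNG whose zTXt chunk inflates from a few kilobytes to 5 MB, then parses the chunks back and inflates the text through a bounded decompressor that stops as soon as the output would exceed a caller-chosen limit, which is exactly the limit the text says png_decompress_chunk() lacked. The 1x1 image, the keyword and the sizes are constructed for the example; the chunk layout follows the PNG specification.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def png_chunk(ctype, data):
    """Serialize one PNG chunk: length, type, data, CRC32 over type + data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_ztxt_bomb(keyword=b"Comment", inflated_size=5 * 1024 * 1024):
    """Constructed sample: a 1x1 grayscale PNG whose zTXt chunk inflates to
    inflated_size bytes (a run of 'A', which deflate compresses ~1000:1)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)   # 1x1, 8-bit grayscale
    idat = zlib.compress(b"\x00\x00")                      # filter byte + one pixel
    payload = zlib.compress(b"A" * inflated_size, 9)
    ztxt = keyword + b"\x00" + b"\x00" + payload           # keyword, NUL, method 0, data
    return (PNG_SIG + png_chunk(b"IHDR", ihdr) + png_chunk(b"zTXt", ztxt)
            + png_chunk(b"IDAT", idat) + png_chunk(b"IEND", b""))


def iter_chunks(png):
    """Yield (type, data) for each chunk, checking the signature and each CRC."""
    if not png.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    while pos + 8 <= len(png):
        (length,) = struct.unpack(">I", png[pos:pos + 4])
        ctype = png[pos + 4:pos + 8]
        data = png[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", png[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + data) & 0xFFFFFFFF != crc:
            raise ValueError("bad CRC in %r chunk" % ctype)
        yield ctype, data
        pos += 12 + length
        if ctype == b"IEND":
            break


class DecompressionBomb(Exception):
    pass


def inflate_bounded(compressed, limit):
    """Inflate at most `limit` bytes. zlib is asked for limit + 1 bytes at most,
    so a bomb is rejected after producing one byte too many instead of after
    materializing its whole output."""
    d = zlib.decompressobj()
    out = d.decompress(compressed, limit + 1)
    if len(out) > limit or d.unconsumed_tail:
        raise DecompressionBomb("inflated text exceeds %d bytes" % limit)
    return out


def read_ztxt(png, limit):
    """Return {keyword: text} for every zTXt chunk, refusing oversized ones."""
    texts = {}
    for ctype, data in iter_chunks(png):
        if ctype != b"zTXt":
            continue
        keyword, _, rest = data.partition(b"\x00")
        method, payload = rest[0], rest[1:]
        if method != 0:
            raise ValueError("unknown zTXt compression method %d" % method)
        texts[keyword] = inflate_bounded(payload, limit)
    return texts


def is_bomb(png, limit):
    """True if any zTXt chunk in png inflates past limit bytes."""
    try:
        read_ztxt(png, limit)
    except DecompressionBomb:
        return True
    return False
```

The same bound applies unchanged to iTXt and iCCP payloads; what a sensible limit is depends on the consumer (a few hundred kilobytes is generous for text, an ICC profile is rarely above a few megabytes). Note that the bomb here is smaller than the 17 KB example in the text because a run of identical bytes is the best case for deflate.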

vulnerability alert CVE-2010-1086

Linux kernel: denial of service via DVB

Synthesis of the vulnerability

An attacker can send a malformed DVB/MPEG2-TS frame, in order to block the system.
Impacted products: Debian, Linux, RHEL, SLES, ESX, ESXi, vCenter Server, VirtualCenter, VMware vSphere, VMware vSphere Hypervisor.
Severity: 1/4.
Creation date: 01/03/2010.
Identifiers: BID-38479, CVE-2010-1086, DSA-2053-1, RHSA-2010:0394-01, RHSA-2010:0398-01, RHSA-2010:0631-01, SUSE-SA:2010:019, SUSE-SA:2010:023, VIGILANCE-VUL-9481, VMSA-2011-0003, VMSA-2011-0003.1, VMSA-2011-0003.2.

Description of the vulnerability

The Linux kernel supports DVB (Digital Video Broadcasting): MPEG-2 video received, for example, from a satellite dish, a cable network or digital terrestrial television.

DVB carries this data in the MPEG2-TS (Transport Stream) format, which multiplexes it into fixed-size 188-byte packets and carries, among other things, error indicators.

RFC 4326 defines ULE (Unidirectional Lightweight Encapsulation), which is used to carry IP packets over MPEG2-TS.

However, when the ULE Payload Pointer field is 182 or 183, the dvb_net_ule() function of the drivers/media/dvb/dvb-core/dvb_net.c file enters an infinite loop.

An attacker can therefore send a malformed DVB/MPEG2-TS frame in order to hang the system.

vulnerability announce CVE-2010-1451

Linux kernel: executable page on Sparc

Synthesis of the vulnerability

On a Sparc processor, memory pages tagged as non-executable are actually executable.
Impacted products: Debian, Linux.
Severity: 2/4.
Creation date: 24/02/2010.
Identifiers: BID-38393, CVE-2010-1451, DSA-2053-1, VIGILANCE-VUL-9472.

Description of the vulnerability

Sparc (sun4u) instructions carry a signed 13-bit immediate constant:
  or %reg1, constant, %result (result = reg1 OR constant)
  and %reg1, constant, %result (result = reg1 AND constant)
  etc.
A signed 13-bit field holds values from -4096 to 4095. To build a larger 32-bit constant, the special "sethi" instruction first sets the 22 most significant bits of a register, and a second instruction supplies the low 10 bits:
  sethi %hi(constant), %result
  or %reg1, %lo(constant), %result

The Linux kernel defines _PAGE_EXEC_4U (0x1000) as the flag marking a page executable. However, the executable-bit test used 0x1000 directly as an immediate, without sethi. Since 0x1000 (4096) does not fit in the signed 13-bit field, bit 12 is taken as the sign bit and the mask is sign-extended to 0x...FFFFF000 (all higher bits set), so the test succeeds for any page table entry with any bit set above bit 11, which is practically every mapped page.

On a Sparc processor, memory pages tagged as non-executable are therefore actually executable. Protections such as a non-executable stack are then ineffective.
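As an added example (not kernel code), the functions below model the two encodings the text contrasts: simm13() truncates a constant to the 13-bit signed immediate field and sign-extends it the way the hardware reads it back, and sethi_or() materializes the same constant through the %hi/%lo pair. The two is_exec_*() tests then apply each mask to constructed sample page table entries; only the flag value 0x1000 and the sethi/%lo split come from the text, the sample PTE values are invented.

```python
# Executable-page flag of the sun4u page table entry format, as named on the page.
_PAGE_EXEC_4U = 0x1000
MASK64 = (1 << 64) - 1


def simm13(value):
    """Encode value in a 13-bit immediate field and decode it as the CPU does:
    keep the low 13 bits and sign-extend bit 12 (the field is signed)."""
    bits = value & 0x1FFF
    return bits - 0x2000 if bits & 0x1000 else bits


def sethi_or(value):
    """Materialize a 32-bit constant with the two-instruction sequence
    sethi %hi(value), %r  /  or %r, %lo(value), %r."""
    hi = (value & 0xFFFFFFFF) & ~0x3FF   # %hi(): the 22 most significant bits
    lo = value & 0x3FF                   # %lo(): the low 10 bits
    return hi | lo


def is_exec_buggy(pte):
    """The flawed test: the flag is passed as an immediate, so the mask the
    hardware actually applies is simm13(0x1000) = -4096 = 0xFFFF...F000."""
    mask = simm13(_PAGE_EXEC_4U) & MASK64
    return (pte & mask) != 0


def is_exec_fixed(pte):
    """The corrected test: the flag is loaded through sethi first, so the
    mask is exactly 0x1000 and only bit 12 decides."""
    return (pte & sethi_or(_PAGE_EXEC_4U)) != 0


# Constructed sample PTEs (real sun4u entries carry many more bits): a page
# frame at physical address 0x12346000 without the executable flag, the same
# frame with the flag set, and an entry with only bits below bit 12 set.
NONEXEC_PTE = 0x0000000012346000
EXEC_PTE = NONEXEC_PTE | _PAGE_EXEC_4U
LOWBITS_PTE = 0x0FF
```

The general lesson is that an assembler which silently accepts an out-of-range immediate turns a one-line mask test into a test that is almost always true; the same trap exists for any flag at or above bit 12 on this architecture.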

vulnerability alert CVE-2010-1088

Linux kernel: denial of service via automount

Synthesis of the vulnerability

A local attacker can use automount, in order to generate a denial of service.
Impacted products: Debian, Linux, MES, Mandriva Linux, RHEL, SLES, ESX, ESXi, vCenter Server, VirtualCenter, VMware vSphere, VMware vSphere Hypervisor.
Severity: 1/4.
Creation date: 24/02/2010.
Identifiers: CVE-2010-1088, DSA-2053-1, MDVSA-2010:088, MDVSA-2010:188, MDVSA-2010:198, RHSA-2010:0504-01, RHSA-2010:0631-01, SUSE-SA:2010:019, SUSE-SA:2010:023, SUSE-SA:2010:036, SUSE-SU-2011:0928-1, VIGILANCE-VUL-9471, VMSA-2010-0016, VMSA-2010-0016.1, VMSA-2011-0003, VMSA-2011-0003.1, VMSA-2011-0003.2.

Description of the vulnerability

The automatic file system mounting (automount) uses:
 - symbolic links (NFS), or
 - AutoFS

When symbolic links are used, directory links are not followed with LOOKUP_FOLLOW. This error leads to a denial of service.

Technical details are unknown.

computer vulnerability note CVE-2010-0427

sudo: group elevation

Synthesis of the vulnerability

When the /etc/sudoers file contains "runas_default", a local attacker can execute a command with privileges of root's groups.
Impacted products: Debian, MES, Mandriva Linux, NLD, OES, openSUSE, RHEL, SLES, Unix (platform) ~ not comprehensive, ESX, ESXi.
Severity: 2/4.
Creation date: 23/02/2010.
Identifiers: CERTA-2002-AVI-252, CVE-2010-0427, DSA-2006-1, MDVSA-2010:052, RHSA-2010:0122-01, SUSE-SR:2010:006, VIGILANCE-VUL-9469, VMSA-2010-0009, VMSA-2010-0009.1.

Description of the vulnerability

The "runas_default" directive of the /etc/sudoers file defines the user a command runs as when no -u option is given. For example, if the file contains:
  Defaults runas_default=test
the user can enter:
  sudo command
instead of:
  sudo -u test command

However, when this option is used, the command keeps the supplementary groups of root (root, bin, daemon, sys, adm, disk, wheel) instead of receiving the groups of user "test".

When the /etc/sudoers file contains "runas_default", a local attacker can therefore execute a command with privileges of root's groups.

computer vulnerability bulletin CVE-2010-0426

sudo: privilege elevation via sudoedit

Synthesis of the vulnerability

A local attacker, allowed to execute sudoedit, can execute commands with root privileges.
Impacted products: Debian, Fedora, Mandriva Corporate, MES, Mandriva Linux, NLD, OES, openSUSE, RHEL, Slackware, SLES, Unix (platform) ~ not comprehensive, ESX, ESXi.
Severity: 2/4.
Creation date: 23/02/2010.
Identifiers: CERTA-2002-AVI-252, CVE-2010-0426, DSA-2006-1, FEDORA-2010-3352, FEDORA-2010-3359, FEDORA-2010-3415, MDVSA-2010:049, RHSA-2010:0122-01, SSA:2010-110-01, SUSE-SR:2010:006, VIGILANCE-VUL-9468, VMSA-2010-0009, VMSA-2010-0009.1.

Description of the vulnerability

The sudo program allows users to execute some commands with the privileges of other users. For example, to allow a file to be edited with root privileges:
  user ALL = sudoedit filename
The sudoedit command has no full path (such as /bin/sudoedit) because it is a pseudo-command that sudo handles specially.

However, since sudo version 1.6.9, the rule also matches any program whose file name is sudoedit, such as an attacker-created ./sudoedit in the current working directory. That program is then run with root privileges.

A local attacker, allowed to execute sudoedit, can therefore execute commands with root privileges.
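As an added example (not sudo's own matching code), the functions below parse a small constructed sudoers file and decide whether a requested command is permitted, once with the matching the text describes for the vulnerable versions (a rule for the sudoedit pseudo-command matches any program whose base name is sudoedit) and once with the corrected rule (the pseudo-command only matches the bare word "sudoedit", and real programs must match the rule's full path). The sudoers grammar modelled is limited to the "user host = command [args]" lines used on this page; hosts, aliases and runas specs are not evaluated.

```python
import os
from typing import NamedTuple


class Rule(NamedTuple):
    user: str
    host: str
    command: str   # an absolute path, or the pseudo-command "sudoedit"
    args: tuple    # required arguments; empty means any arguments


def parse_sudoers(text):
    """Parse 'user host = command [args...]' lines; comments, blank lines and
    Defaults lines are skipped (constructed subset of the sudoers grammar)."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        lhs, rhs = line.split("=", 1)
        user, host = lhs.split()
        command, *args = rhs.split()
        rules.append(Rule(user, host, command, tuple(args)))
    return rules


def _args_ok(rule, req_args):
    return not rule.args or rule.args == tuple(req_args)


def allowed_buggy(rules, user, command, req_args):
    """Matching as described for sudo 1.6.9 up to the fix: a rule granting the
    sudoedit pseudo-command also matches any program named sudoedit."""
    for rule in rules:
        if rule.user != user:
            continue
        if rule.command == "sudoedit":
            ok = os.path.basename(command) == "sudoedit"
        else:
            ok = command == rule.command
        if ok and _args_ok(rule, req_args):
            return True
    return False


def allowed_fixed(rules, user, command, req_args):
    """The pseudo-command only matches itself, i.e. the bare word 'sudoedit'
    with no path component; real programs must match the rule's full path."""
    for rule in rules:
        if rule.user != user:
            continue
        if rule.command == "sudoedit":
            ok = command == "sudoedit"
        else:
            ok = os.path.isabs(command) and command == rule.command
        if ok and _args_ok(rule, req_args):
            return True
    return False


# Constructed sudoers: alice may only edit /etc/motd, bob may only list /tmp.
SUDOERS = """
Defaults env_reset
alice ALL = sudoedit /etc/motd      # pseudo-command, no path
bob   ALL = /bin/ls /tmp
"""
```

With the buggy matcher, alice can compile any program, name it sudoedit, and run "sudo /home/alice/sudoedit /etc/motd" as root; the fixed matcher rejects that because the request carries a path, while "sudoedit /etc/motd" (what sudo -e produces) still matches.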
