
Computer vulnerabilities of Debian Stretch

vulnerability alert CVE-2009-1895

Linux kernel: privilege elevation via PER_CLEAR_ON_SETID

Synthesis of the vulnerability

A local attacker can set an execution personality before running a setuid root program, in order to elevate his privileges.
Impacted products: Debian, Fedora, Linux, Mandriva Corporate, MES, Mandriva Linux, NLD, OES, openSUSE, RHEL, SLES, ESX, ESXi, VMware Server, vCenter Server, VirtualCenter.
Severity: 2/4.
Consequences: administrator access/rights.
Provenance: user shell.
Creation date: 15/07/2009.
Revisions dates: 17/07/2009, 18/08/2009.
Identifiers: BID-35647, CVE-2009-1895, DSA-1844-1, DSA-1845-1, FEDORA-2009-10165, FEDORA-2009-8144, FEDORA-2009-8264, MDVSA-2009:289, MDVSA-2011:051, RHSA-2009:1193-01, RHSA-2009:1438-01, RHSA-2009:1540-01, RHSA-2009:1550-01, RHSA-2010:0079-01, SUSE-SA:2009:045, VIGILANCE-VUL-8861, VMSA-2009-0016, VMSA-2009-0016.1, VMSA-2009-0016.2, VMSA-2009-0016.3, VMSA-2009-0016.4, VMSA-2009-0016.5, VMSA-2010-0010.

Description of the vulnerability

System calls (select(), poll(), etc.) and memory layout differ between operating systems. For example, a program written against the select() of Solaris may not work with the Linux select() because of minor behaviour differences.

Personalities (or execution domains) indicate how the kernel has to behave:
 - PER_LINUX: normal mode for Linux
 - PER_SOLARIS: emulate the Solaris kernel
 - PER_IRIX32: emulate the IRIX kernel
 - etc.

The PER_CLEAR_ON_SETID macro lists the personality flags that the kernel clears when a setuid or setgid program is executed, so that flags chosen by the unprivileged caller do not carry over into the privileged process.

A process with the CAP_SYS_RAWIO capability is allowed to bypass the lower limit defined by the vm.mmap_min_addr sysctl, so a setuid root process can map memory pages at a low address. Moreover, as PER_CLEAR_ON_SETID does not contain MMAP_PAGE_ZERO, this flag set by the unprivileged caller survives the setuid exec, and the kernel maps the page at address zero into the privileged process while loading it.

A local attacker can therefore set MMAP_PAGE_ZERO in his personality and run a setuid root program (such as pulseaudio), in order to get the page at address zero mapped, and thus exploit a NULL pointer dereference.

This error cannot be directly exploited (it is similar to VIGILANCE-VUL-8953), but it can be used to exploit other vulnerabilities.

vulnerability bulletin CVE-2009-2695

Linux kernel: privilege elevation via SELinux

Synthesis of the vulnerability

When SELinux is enabled, a local attacker can bypass mmap_min_addr to exploit a NULL pointer dereference.
Impacted products: Debian, Fedora, Linux, RHEL, ESX, ESXi.
Severity: 2/4.
Consequences: administrator access/rights.
Provenance: user shell.
Creation date: 18/08/2009.
Identifiers: 18042, BID-36051, CERTA-2002-AVI-252, CVE-2009-2695, DSA-1915-1, DSA-2004-1, FEDORA-2009-9044, RHSA-2009:1540-01, RHSA-2009:1548-01, RHSA-2009:1587-01, RHSA-2009:1672-01, VIGILANCE-VUL-8953, VMSA-2010-0004, VMSA-2010-0004.1, VMSA-2010-0004.2, VMSA-2010-0004.3, VMSA-2010-0009, VMSA-2010-0009.1.

Description of the vulnerability

The sysctl vm.mmap_min_addr, added in version 2.6.23, defines the lowest address that user space is allowed to map, so that a kernel NULL pointer dereference cannot land on attacker-controlled memory.

Due to a design choice in SELinux, when SELinux is enabled, unconfined domains (such as unconfined_t or initrc_t) are not subject to mmap_min_addr.

A local attacker running in such a domain can therefore map the page at address zero, in order to exploit a NULL pointer dereference.

This error cannot be directly exploited (it is similar to VIGILANCE-VUL-8861), but it can be used to exploit other vulnerabilities.
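Both kernel bulletins above turn on two checks: which personality flags survive a setuid exec (CVE-2009-1895) and whether the kernel refuses a mapping below vm.mmap_min_addr for the current process (CVE-2009-2695). The following C program is an added example, not code from Vigil@nce or from the Linux kernel. It models the PER_CLEAR_ON_SETID mask before and after the fix (the historical masks are an assumption of this example, taken from the kernel headers of the period; the flag values come from glibc's <sys/personality.h>) and probes whether the running process may map page zero. Run unprivileged on a patched system, the probe is refused with EPERM; if it succeeds, mmap_min_addr is not protecting that process, which is the situation of a CAP_SYS_RAWIO holder or of an SELinux unconfined domain on an affected kernel.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/personality.h>
#include <unistd.h>

/* Flags cleared on a setuid/setgid exec. VULN is the mask of kernels up to
 * 2.6.30 (READ_IMPLIES_EXEC | ADDR_NO_RANDOMIZE); FIXED adds the two address
 * layout flags. Flag values are glibc's; the historical masks are an
 * assumption of this example. */
#define CLEAR_ON_SETID_VULN  ((unsigned)READ_IMPLIES_EXEC | (unsigned)ADDR_NO_RANDOMIZE)
#define CLEAR_ON_SETID_FIXED (CLEAR_ON_SETID_VULN | (unsigned)ADDR_COMPAT_LAYOUT | (unsigned)MMAP_PAGE_ZERO)

/* Models the kernel's `current->personality &= ~PER_CLEAR_ON_SETID`, which
 * runs when a setuid or setgid binary is executed. */
unsigned personality_after_setid_exec(unsigned pers, unsigned clear_mask)
{
    return pers & ~clear_mask;
}

/* The ELF loader maps one page at address 0 when MMAP_PAGE_ZERO is set. */
int page_zero_mapped_at_exec(unsigned pers)
{
    return (pers & (unsigned)MMAP_PAGE_ZERO) != 0;
}

/* Probe: try to map one page at address 0. Returns 1 if the kernel allowed it
 * (the page is unmapped again at once), 0 if refused, with errno in *err. */
int can_map_page_zero(int *err)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    void *p = mmap((void *)0, page, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0);
    if (p == MAP_FAILED) {
        if (err) *err = errno;
        return 0;
    }
    munmap(p, page);
    if (err) *err = 0;
    return 1;
}

int main(void)
{
    /* What an attacker sets with personality(2) before exec'ing a setuid binary. */
    unsigned requested = (unsigned)MMAP_PAGE_ZERO | (unsigned)ADDR_NO_RANDOMIZE;
    unsigned vuln  = personality_after_setid_exec(requested, CLEAR_ON_SETID_VULN);
    unsigned fixed = personality_after_setid_exec(requested, CLEAR_ON_SETID_FIXED);

    printf("requested personality 0x%07x\n", requested);
    printf("  unfixed kernel keeps 0x%07x -> page zero mapped at exec: %s\n",
           vuln, page_zero_mapped_at_exec(vuln) ? "yes" : "no");
    printf("  fixed kernel keeps   0x%07x -> page zero mapped at exec: %s\n",
           fixed, page_zero_mapped_at_exec(fixed) ? "yes" : "no");

    int err = 0;
    if (can_map_page_zero(&err))
        printf("mmap at address 0 succeeded: mmap_min_addr does not protect this process\n");
    else
        printf("mmap at address 0 refused (%s): mmap_min_addr enforced\n", strerror(err));
    return 0;
}
```

Build with `cc -Wall probe.c` and run as an ordinary user. The first two output lines show the personality a setuid child would inherit on an unfixed and on a fixed kernel; the last line is the live mmap_min_addr check. The probe uses MAP_FIXED at address 0 and releases the page immediately, so it is harmless whichever way it goes.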

vulnerability alert CVE-2009-2415

memcached: integer overflows

Synthesis of the vulnerability

An attacker allowed to connect to the memcached port can generate a denial of service and possibly execute code.
Impacted products: Debian, Fedora, Mandriva Corporate, MES, Mandriva Linux, NLD, OES, openSUSE, SLES, Unix (platform) ~ not comprehensive.
Severity: 3/4.
Consequences: administrator access/rights, user access/rights, denial of service on service.
Provenance: intranet client.
Creation date: 17/08/2009.
Identifiers: BID-35989, CVE-2009-2415, DSA-1853-1, FEDORA-2009-12552, MDVSA-2009:202, SUSE-SR:2009:013, VIGILANCE-VUL-8951.

Description of the vulnerability

The memcached daemon provides distributed memory caching. It listens by default on port 11211/tcp.

Several integer overflows impact memcached:
 - in the function process_update_command() of the file memcached.c (version 1.1.x and 1.2.x)
 - in the function item_init() of the file items.c (version 1.1.x)
 - in the function slabs_clsid() of the file slabs.c (version 1.1.x)

An attacker allowed to connect to the memcached port can therefore generate a denial of service and possibly execute code.
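The bulletin names the affected functions but not the arithmetic. The usual shape of this bug class in a protocol parser is a client-supplied length that is parsed into a signed int, adjusted, and used as an allocation size without a range check. The following C program is an added example, not memcached's source: it shows that shape beside a hardened parser for the length field of a "set" command, with an assumed upper bound on the value size. The command lines are constructed for the example.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Upper bound accepted for one value; an assumption of this example
 * (memcached's real limit is a run-time setting). */
#define MAX_VALUE_LEN (1024UL * 1024UL)

/* Vulnerable shape (illustrative, not memcached's code): the client's byte
 * count is parsed into an int, 2 is added for the trailing "\r\n", and the
 * result goes straight to the allocator. "-2" yields a 0-byte allocation,
 * and the server then reads the announced bytes into it. */
int value_len_vuln(const char *field)
{
    int vlen = (int)strtol(field, NULL, 10);
    return vlen + 2;
}

/* Hardened parse: strict syntax, sign and range checks before the +2, and a
 * size_t result. Returns 0 on success, -1 when the field must be rejected. */
int value_len_fixed(const char *field, size_t *out)
{
    char *end;
    errno = 0;
    long v = strtol(field, &end, 10);
    if (end == field || *end != '\0') return -1;                   /* empty or trailing junk */
    if (errno == ERANGE || v < 0 || (unsigned long)v > MAX_VALUE_LEN) return -1;
    *out = (size_t)v + 2;                                          /* cannot wrap after the cap */
    return 0;
}

/* Parse a storage command "set <key> <flags> <exptime> <bytes>" (CRLF already
 * stripped). On success returns 0, copies the key and sets *to_read to the
 * number of bytes to expect next, including the CRLF. */
int parse_set_command(const char *line, char *key, size_t keysz, size_t *to_read)
{
    char buf[256];
    char *tok[5];
    char *save = NULL;
    int n = 0;

    if (strlen(line) >= sizeof buf) return -1;
    strcpy(buf, line);
    for (char *t = strtok_r(buf, " ", &save); t != NULL; t = strtok_r(NULL, " ", &save)) {
        if (n == 5) return -1;                                     /* too many fields */
        tok[n++] = t;
    }
    if (n != 5 || strcmp(tok[0], "set") != 0) return -1;
    if (strlen(tok[1]) >= keysz) return -1;
    strcpy(key, tok[1]);
    /* flags and exptime would get the same strict treatment; the length is what matters here */
    return value_len_fixed(tok[4], to_read);
}

int main(void)
{
    /* Constructed client lines: one valid, one negative, one overflowing, one with junk. */
    static const char *lines[] = {
        "set k 0 0 10", "set k 0 0 -2", "set k 0 0 99999999999999999999", "set k 0 0 12abc"
    };
    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++) {
        char key[64];
        size_t n = 0;
        int rc = parse_set_command(lines[i], key, sizeof key, &n);
        printf("%-32s -> %s", lines[i], rc == 0 ? "accept" : "reject");
        if (rc == 0) printf(", read %zu bytes", n);
        printf("\n");
    }
    printf("vulnerable parse of \"-2\": allocation size %d\n", value_len_vuln("-2"));
    return 0;
}
```

The hardened version checks the sign and the cap on the long value before it is ever narrowed or adjusted, which is the order that prevents both the negative case and the wrap of the +2.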

vulnerability CVE-2009-2692

Linux kernel: privilege elevation via sock_sendpage, SOCKOPS_WRAP, proto_ops

Synthesis of the vulnerability

A local attacker can use some types of sockets, in order to obtain root privileges.
Impacted products: Debian, Fedora, Linux, Mandriva Corporate, MES, Mandriva Linux, Mandriva NF, NLD, OES, openSUSE, RHEL, Slackware, SLES, TurboLinux, ESX, ESXi, VMware Server, vCenter Server, VirtualCenter.
Severity: 2/4.
Consequences: administrator access/rights, denial of service on server.
Provenance: user shell.
Creation date: 14/08/2009.
Identifiers: 516949, BID-36038, CERTA-2009-AVI-337, CVE-2009-2692, DSA-1862-1, DSA-1864-1, DSA-1865-1, FEDORA-2009-10165, FEDORA-2009-8647, FEDORA-2009-8649, MDVSA-2009:205, MDVSA-2009:233, RHSA-2009:1233-01, RHSA-2009:1239-01, RHSA-2009:1239-02, RHSA-2009:1457-01, RHSA-2009:1469-01, SSA:2009-230-01, SSA:2009-231-01, SUSE-SA:2009:045, SUSE-SR:2009:015, SUSE-SU-2011:0928-1, TLSA-2009-28, VIGILANCE-VUL-8950, VMSA-2009-0016, VMSA-2009-0016.1, VMSA-2009-0016.2, VMSA-2009-0016.3, VMSA-2009-0016.4, VMSA-2009-0016.5, VMSA-2010-0010.

Description of the vulnerability

Each socket type is associated with a proto_ops structure, which holds the function pointers implementing accept(), bind(), etc. When a socket type does not support an operation, the pointer must point to a stub such as sock_no_accept(). The SOCKOPS_WRAP macro generates wrappers for these function pointers; however, it does not cover the sendpage field of the proto_ops structure, which is therefore left NULL for protocols that do not set it themselves. Impacted protocols are PF_APPLETALK, PF_IPX, PF_IRDA, PF_X25, PF_AX25, PF_BLUETOOTH, PF_IUCV, PF_INET6 (IPPROTO_SCTP), PF_PPPOX and PF_ISDN.

Moreover, the sock_sendpage() function does not check whether this pointer is NULL: it calls the function at address zero, which crashes the system. However, if the attacker can map page zero (VIGILANCE-VUL-8861 not corrected), he can store a malicious function there, and this function then runs with kernel privileges.

A local attacker can thus call a function (such as sendfile()) which reaches sock_sendpage() on one of these socket types, in order to obtain root privileges.
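The pattern described above, an operations table whose initializer leaves one function pointer NULL and a dispatcher that calls through it unchecked, is easy to reproduce in user space. The following C program is an added example, not kernel code: it models struct proto_ops with only the fields that matter, shows the unpatched and patched shapes of an affected table, the unchecked dispatch as sock_sendpage() performed it, the checked dispatch that falls back to sock_no_sendpage() (the shape of the upstream fix), and an audit helper that lists every table with a NULL sendpage, which is the check to run over a tree when reviewing such tables. Names and tables are constructed for the example.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* Opaque stand-in for the kernel's struct page. */
struct page;

/* Cut-down model of struct proto_ops: only the fields this example needs. */
struct proto_ops {
    const char *name;
    int (*accept)(void);
    int (*sendpage)(struct page *pg, int offset, size_t size, int flags);
};

/* Stubs the kernel provides for operations a protocol does not support. */
static int sock_no_accept(void) { return -EOPNOTSUPP; }
static int sock_no_sendpage(struct page *pg, int offset, size_t size, int flags)
{
    (void)pg; (void)offset; (void)size; (void)flags;
    return -EOPNOTSUPP;
}

/* A protocol that does implement sendpage (pretends to send every byte). */
static int inet_sendpage(struct page *pg, int offset, size_t size, int flags)
{
    (void)pg; (void)offset; (void)flags;
    return (int)size;
}

/* Constructed ops tables. The vulnerable shape: the initializer names the
 * operations it cares about and never mentions sendpage, so it stays NULL. */
static const struct proto_ops ipx_ops_vuln = {
    .name   = "ipx (unpatched)",
    .accept = sock_no_accept,
};
/* What the distribution patches added to each affected protocol. */
static const struct proto_ops ipx_ops_fixed = {
    .name     = "ipx (patched)",
    .accept   = sock_no_accept,
    .sendpage = sock_no_sendpage,
};
static const struct proto_ops inet_ops = {
    .name     = "inet",
    .accept   = sock_no_accept,
    .sendpage = inet_sendpage,
};

/* Unchecked dispatch, as sock_sendpage() did it: with ipx_ops_vuln this is a
 * call through address 0. Only ever call it on a table whose sendpage is set. */
int kernel_sendpage_vuln(const struct proto_ops *ops, struct page *pg,
                         int off, size_t size, int flags)
{
    return ops->sendpage(pg, off, size, flags);
}

/* Checked dispatch, the shape of the upstream fix: fall back to the stub. */
int kernel_sendpage_fixed(const struct proto_ops *ops, struct page *pg,
                          int off, size_t size, int flags)
{
    if (ops->sendpage)
        return ops->sendpage(pg, off, size, flags);
    return sock_no_sendpage(pg, off, size, flags);
}

/* Audit: report every table whose sendpage is NULL and return how many. */
int count_null_sendpage(const struct proto_ops *const *tables, size_t n)
{
    int missing = 0;
    for (size_t i = 0; i < n; i++) {
        if (tables[i]->sendpage == NULL) {
            printf("%s: sendpage is NULL\n", tables[i]->name);
            missing++;
        }
    }
    return missing;
}

int main(void)
{
    const struct proto_ops *all[] = { &ipx_ops_vuln, &ipx_ops_fixed, &inet_ops };
    int missing = count_null_sendpage(all, 3);
    printf("%d table(s) would dispatch through NULL\n", missing);
    printf("fixed dispatch on unpatched ipx: %d (-EOPNOTSUPP is %d)\n",
           kernel_sendpage_fixed(&ipx_ops_vuln, NULL, 0, 16, 0), -EOPNOTSUPP);
    printf("fixed dispatch on inet: %d bytes\n",
           kernel_sendpage_fixed(&inet_ops, NULL, 0, 16, 0));
    return 0;
}
```

Both layers of the fix are shown on purpose: filling the field in every table closes the hole for the protocols you know about, while the NULL check in the dispatcher also covers the table you missed.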

computer vulnerability announce CVE-2009-2417

cURL: truncation of X.509 with null

Synthesis of the vulnerability

An attacker can invite the victim to connect to an SSL site presenting an X.509 certificate with a name field containing a null character, in order to deceive the victim.
Impacted products: curl, Debian, Mandriva Corporate, MES, Mandriva Linux, Mandriva NF, openSUSE, RHEL, Slackware, SLES, ESX, ESXi, VMware Server, vCenter Server, VirtualCenter.
Severity: 2/4.
Consequences: data reading.
Provenance: internet server.
Creation date: 12/08/2009.
Identifiers: BID-36032, CERTA-2009-AVI-338, CVE-2009-2417, DSA-1869-1, MDVSA-2009:203, MDVSA-2009:203-1, RHSA-2009:1209-01, SSA:2009-226-01, SUSE-SR:2009:014, VIGILANCE-VUL-8947, VMSA-2009-0016, VMSA-2009-0016.1, VMSA-2009-0016.2, VMSA-2009-0016.3, VMSA-2009-0016.4, VMSA-2009-0016.5.

Description of the vulnerability

The cURL (libcurl) program implements an SSL/TLS client.

When an X.509 certificate contains a null character in the CN (Common Name) field, cURL handles the field as a C string and truncates it at the null when comparing it with the host name: a certificate issued for a name of the form "www.bank.example\0.attacker.example" (constructed illustration) is accepted for www.bank.example. This vulnerability is similar to VIGILANCE-VUL-8908, even if the vulnerable source code is different.

An attacker can therefore invite the victim to connect to an SSL site presenting an X.509 certificate with a name field containing a null character, in order to deceive the victim.

computer vulnerability CVE-2009-2730

GnuTLS: truncation of X.509 with null

Synthesis of the vulnerability

An attacker can invite the victim to connect to an SSL site presenting an X.509 certificate with a name field containing a null character, in order to deceive the victim.
Impacted products: Debian, Fedora, Mandriva Corporate, MES, Mandriva Linux, NLD, OES, openSUSE, RHEL, Slackware, SLES, Unix (platform) ~ not comprehensive.
Severity: 2/4.
Consequences: data reading.
Provenance: internet server.
Creation date: 11/08/2009.
Identifiers: CERTA-2009-AVI-336, CVE-2009-2730, DSA-1935-1, FEDORA-2009-8565, FEDORA-2009-8622, GNUTLS-SA-2009-4, MDVSA-2009:210, MDVSA-2009:308, RHSA-2009:1232-01, SSA:2009-290-01, SUSE-SR:2009:015, SUSE-SR:2010:004, VIGILANCE-VUL-8935.

Description of the vulnerability

The GnuTLS library implements the SSL/TLS protocol and X.509 certificate handling. It is used by many programs.

When an X.509 certificate contains a null character in the CN (Common Name) or SAN (Subject Alternative Name) field, GnuTLS truncates the field at the null character when comparing it with the host name. This vulnerability is similar to VIGILANCE-VUL-8908, even if the vulnerable source code is different.

An attacker can therefore invite the victim to connect to an SSL site presenting an X.509 certificate with a name field containing a null character, in order to deceive the victim.
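The cURL and GnuTLS bulletins above describe the same defect in two code bases: a DER name carries an explicit length, but the comparison with the host name treats it as a C string and stops at the first null byte. The following C program is an added example, not code from cURL or GnuTLS: it places the vulnerable comparison beside a fixed one that uses the DER length and rejects any name containing a null byte, and applies the fixed check to a list of names as done for the CN and each SAN entry. The certificate names are constructed for the example; an attacker who controls evil.example would present such a certificate to the victim.

```c
#include <stdio.h>
#include <string.h>

/* A subject name as carried in DER: bytes plus an explicit length, so a NUL
 * byte is an ordinary character inside it. Constructed for this example. */
struct x509_name {
    const unsigned char *data;
    size_t len;
};

/* Case-insensitive ASCII comparison of exactly n bytes. */
static int ascii_eq_n(const unsigned char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        unsigned char x = a[i], y = (unsigned char)b[i];
        if (x >= 'A' && x <= 'Z') x += 'a' - 'A';
        if (y >= 'A' && y <= 'Z') y += 'a' - 'A';
        if (x != y) return 0;
    }
    return 1;
}

/* Vulnerable check: the DER name is copied into a C string and compared with
 * C-string semantics, so everything after an embedded NUL is ignored. */
int host_matches_vuln(const struct x509_name *name, const char *host)
{
    char buf[256];
    if (name->len >= sizeof buf) return 0;
    memcpy(buf, name->data, name->len);
    buf[name->len] = '\0';
    size_t seen = strlen(buf);                 /* stops at the embedded NUL */
    return seen == strlen(host) && ascii_eq_n((const unsigned char *)buf, host, seen);
}

/* Fixed check: a name containing NUL is rejected outright, and the comparison
 * uses the DER length rather than strlen(). */
int host_matches_fixed(const struct x509_name *name, const char *host)
{
    if (memchr(name->data, '\0', name->len) != NULL) return 0;
    size_t hlen = strlen(host);
    if (hlen != name->len) return 0;
    return ascii_eq_n(name->data, host, hlen);
}

/* The same check applied to every candidate name (CN and each SAN dNSName). */
int any_name_matches_fixed(const struct x509_name *names, size_t n, const char *host)
{
    for (size_t i = 0; i < n; i++)
        if (host_matches_fixed(&names[i], host)) return 1;
    return 0;
}

int main(void)
{
    /* Constructed CN "www.bank.example\0.evil.example": 30 bytes with a NUL inside. */
    static const unsigned char crafted[] = "www.bank.example\0.evil.example";
    const struct x509_name cn = { crafted, sizeof crafted - 1 };
    printf("crafted CN (%zu bytes), vulnerable check: %s\n", cn.len,
           host_matches_vuln(&cn, "www.bank.example") ? "MATCH" : "no match");
    printf("crafted CN (%zu bytes), fixed check:      %s\n", cn.len,
           host_matches_fixed(&cn, "www.bank.example") ? "MATCH" : "no match");
    return 0;
}
```

Rejecting any name with an embedded NUL, rather than merely comparing with the right length, is the safer rule: a DNS name never legitimately contains one, and the rejection also protects code paths that display or log the name later.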

vulnerability note CVE-2009-2691

Linux kernel: information disclosure via maps and smaps

Synthesis of the vulnerability

A local attacker can read the /proc/pid/maps and /proc/pid/smaps files of a program while it is being loaded.
Impacted products: Debian, Fedora, Linux, RHEL.
Severity: 1/4.
Consequences: data reading.
Provenance: user shell.
Creation date: 11/08/2009.
Identifiers: BID-36019, CERTA-2002-AVI-252, CVE-2009-2691, DSA-2004-1, FEDORA-2009-9044, RHSA-2009:1540-01, VIGILANCE-VUL-8934.

Description of the vulnerability

The /proc/pid/maps and /proc/pid/smaps files describe the memory layout of a process (such as the base addresses of dynamic libraries).

The ASLR (Address Space Layout Randomization) feature of the kernel randomizes these addresses, so that vulnerabilities are harder to exploit.

However, while an ELF program is being loaded, a local attacker can read its /proc/pid/maps and /proc/pid/smaps files, even for a setuid program he is not otherwise allowed to inspect. He can thus obtain the memory layout of a setuid program, which defeats ASLR for it and facilitates an attack on this program.

vulnerability alert CVE-2009-2663

libVorbis: memory corruption

Synthesis of the vulnerability

An attacker can invite the victim to open a malicious Ogg file, in order to generate a denial of service or to execute code in an application using libVorbis.
Impacted products: Debian, Fedora, openSUSE, RHEL, SLES, Unix (platform) ~ not comprehensive.
Severity: 3/4.
Consequences: user access/rights, denial of service on client.
Provenance: document.
Creation date: 11/08/2009.
Identifiers: 500254, 516259, BID-36018, CVE-2009-2663, DSA-1939-1, FEDORA-2009-8445, RHSA-2009:1219-01, SUSE-SR:2010:014, SUSE-SR:2010:015, VIGILANCE-VUL-8931.

Description of the vulnerability

The libVorbis library decodes audio files in the Ogg Vorbis format.

The vorbis_book_decodevv_add() function of the vorbis_codebook.c file is used while decoding the data described by the Ogg headers. However, if the header declares segments of zero size, a memory corruption occurs in vorbis_book_decodevv_add().

An attacker can therefore invite the victim to open a malicious Ogg file, in order to generate a denial of service or to execute code in an application using libVorbis.

vulnerability CVE-2009-2414 CVE-2009-2416

libxml, libxml2: denials of service

Synthesis of the vulnerability

An attacker can create malformed XML data, in order to generate a denial of service in applications linked to libxml.
Impacted products: Debian, Fedora, libxml, Mandriva Corporate, MES, Mandriva Linux, Windows (platform) ~ not comprehensive, NLD, OES, OpenSolaris, openSUSE, Solaris, Trusted Solaris, RHEL, SLES, Unix (platform) ~ not comprehensive, ESX, ESXi, VMware Server, vCenter Server, VirtualCenter.
Severity: 2/4.
Consequences: denial of service on service, denial of service on client.
Provenance: document.
Number of vulnerabilities in this bulletin: 2.
Creation date: 11/08/2009.
Identifiers: 266088, 266688, 6872373, 6872499, BID-36010, CERTA-2009-AVI-335, CVE-2009-2414, CVE-2009-2416, DSA-1859-1, DSA-1861-1, FEDORA-2009-8491, FEDORA-2009-8498, FEDORA-2009-8580, FEDORA-2009-8582, FEDORA-2009-8594, FICORA #245608, MDVSA-2009:200, MDVSA-2009:200-1, RHSA-2009:1206-01, SUSE-SR:2009:013, SUSE-SR:2009:015, VIGILANCE-VUL-8930, VMSA-2009-0016, VMSA-2009-0016.1, VMSA-2009-0016.2, VMSA-2009-0016.3, VMSA-2009-0016.4, VMSA-2009-0016.5.

Description of the vulnerability

The libxml/libxml2 library implements an XML parser. It is affected by two vulnerabilities.

A malicious DTD triggers unbounded recursion in the parser, which exhausts the stack and crashes the application. This vulnerability is different from VIGILANCE-VUL-8926. [severity:2/4; CERTA-2009-AVI-335, CVE-2009-2414]

An XML document containing Notation and Enumeration attribute types makes the parser use memory that was already freed (use after free), which crashes the application. [severity:2/4; CVE-2009-2416]

An attacker can therefore create malformed XML data, in order to generate a denial of service in applications linked to libxml.
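For the first libxml vulnerability, the check a practitioner wants is a depth limit on the recursive descent. The following C program is an added example, not libxml2 code: a recursive walker over a DTD-style element content model with an optional nesting cap, and a generator for the deeply nested input that would exhaust the stack without the cap. The cap value and the content-model grammar are assumptions of this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_NESTING 128   /* cap used by this example; an assumption, not libxml2's value */

static int is_name_char(char c)
{
    return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9');
}

/* Recursive walker over an element content model such as "(a,(b,(c|d)))".
 * Every '(' is one more recursion level. With depth_cap < 0 the walker has
 * the vulnerable shape (no limit: deep enough input exhausts the stack);
 * otherwise nesting beyond depth_cap is rejected before recursing further.
 * Returns the deepest level reached, or -1 on rejection or malformed input. */
static int walk_group(const char **p, int depth, int depth_cap)
{
    if (depth_cap >= 0 && depth > depth_cap) return -1;
    if (**p != '(') return -1;
    (*p)++;
    int deepest = depth;
    for (;;) {
        if (**p == '(') {
            int d = walk_group(p, depth + 1, depth_cap);
            if (d < 0) return -1;
            if (d > deepest) deepest = d;
        } else if (is_name_char(**p)) {
            while (is_name_char(**p)) (*p)++;
        } else {
            return -1;
        }
        if (**p == ',' || **p == '|') { (*p)++; continue; }
        if (**p == ')') { (*p)++; return deepest; }
        return -1;
    }
}

/* Parse a whole model string under the given cap (-1 disables the cap). */
int content_model_depth(const char *model, int depth_cap)
{
    const char *p = model;
    int d = walk_group(&p, 1, depth_cap);
    return (d < 0 || *p != '\0') ? -1 : d;
}

/* Build "(((...a...)))" with n levels: constructed attacker-style input. Caller frees. */
char *make_nested(int n)
{
    char *s = malloc((size_t)n * 2 + 2);
    if (!s) return NULL;
    memset(s, '(', (size_t)n);
    s[n] = 'a';
    memset(s + n + 1, ')', (size_t)n);
    s[2 * n + 1] = '\0';
    return s;
}

int main(void)
{
    printf("(a,(b,(c|d))) -> depth %d\n", content_model_depth("(a,(b,(c|d)))", MAX_NESTING));
    char *deep = make_nested(100000);
    if (deep) {
        printf("100000 nested groups with cap %d -> %d (rejected)\n",
               MAX_NESTING, content_model_depth(deep, MAX_NESTING));
        /* content_model_depth(deep, -1) would recurse 100000 levels: the crash the bulletin describes. */
        free(deep);
    }
    return 0;
}
```

The cap is tested before the recursive call is made, so the rejection costs a bounded amount of stack regardless of how much input follows; a check placed after the recursion would be too late.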

computer vulnerability note CVE-2009-2626

PHP: memory reading via ini_restore

Synthesis of the vulnerability

A PHP script can use the ini_restore() function, in order to obtain fragments of the memory of the process.
Impacted products: Debian, Mandriva Corporate, MES, Mandriva Linux, Mandriva NF, openSUSE, PHP, SLES.
Severity: 1/4.
Consequences: data reading.
Provenance: user account.
Creation date: 10/08/2009.
Identifiers: BID-36009, CVE-2009-2626, DSA-1940-1, MDVSA-2010:007, MDVSA-2010:008, SUSE-SR:2010:005, VIGILANCE-VUL-8929.

Description of the vulnerability

The ini_restore() function resets a configuration option to its original value.

However, this function does not check whether the option was actually modified before restoring it, and in that case returns a memory area of the current process rather than the original value.

A PHP script can thus use the ini_restore() function, in order to obtain fragments of the memory of the process.