The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of Debian Stretch

computer vulnerability bulletin CVE-2009-2687

PHP: several vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of PHP in order to create a denial of service or to execute code.
Impacted products: Debian, HP-UX, Mandriva Corporate, MES, Mandriva Linux, openSUSE, PHP, RHEL, SLES.
Severity: 2/4.
Consequences: user access/rights, data reading, denial of service on service.
Provenance: internet client.
Confidence: confirmed by the editor (5/5).
Creation date: 19/06/2009.
Identifiers: 45997, 48378, BID-35435, BID-35440, c02247738, CVE-2009-2687, DSA-1940-1, HPSBUX02543, MDVSA-2009:145, MDVSA-2009:167, MDVSA-2009:324, RHSA-2009:1461-01, RHSA-2010:0040-01, SSRT100152, SUSE-SR:2009:017, SUSE-SR:2010:005, VIGILANCE-VUL-8808.

Description of the vulnerability

Several vulnerabilities were announced in PHP 5.

A JPEG image containing malicious EXIF data causes a memory corruption in the exif_read_data() function. [severity:2/4; 48378, BID-35440, CVE-2009-2687]

Under Windows, a script can execute any command (despite "Safe Mode") by prefixing it with a '\' character. [severity:2/4; 45997, BID-35435]

These vulnerabilities are local or remote depending on the context.

computer vulnerability bulletin 8798

Apache httpd: bypassing AllowOverride

Synthesis of the vulnerability

A local attacker can create a .htaccess file in order to bypass restrictions of AllowOverride.
Impacted products: Apache httpd, Debian.
Severity: 1/4.
Consequences: data reading, data creation/edition.
Provenance: user account.
Confidence: confirmed by the editor (5/5).
Creation date: 16/06/2009.
Identifiers: 44262, DSA-1816-1, VIGILANCE-VUL-8798.

Description of the vulnerability

The AllowOverride directive of the Apache httpd configuration file indicates whether directives located in a .htaccess file are honoured. For example:
  AllowOverride None : nothing is allowed
  AllowOverride All : everything is allowed
  AllowOverride Options : directives changing directory options are allowed

Since Apache httpd version 2.2, the Options parameter of the AllowOverride directive can restrict the list of allowed options. For example:
  AllowOverride Options=Indexes,IncludesNOEXEC

However, due to a logic error, as soon as at least one option is listed in AllowOverride, all options are allowed (as was the case in Apache httpd before version 2.2).

For example, an attacker can therefore enable the "Includes" option in a .htaccess file in order to use the "#exec cmd" and "#exec cgi" commands.

vulnerability announce CVE-2009-1392 CVE-2009-1832 CVE-2009-1833

Firefox, Thunderbird, SeaMonkey: several vulnerabilities

Synthesis of the vulnerability

Several vulnerabilities of Firefox, Thunderbird and SeaMonkey can be used by an attacker to obtain information, to create a denial of service or to execute code on the victim's computer.
Impacted products: Debian, Fedora, Mandriva Corporate, Mandriva Linux, Firefox, SeaMonkey, Thunderbird, openSUSE, RHEL, Slackware, SLES, TurboLinux.
Severity: 4/4.
Consequences: user access/rights, data reading, data creation/edition.
Provenance: document.
Confidence: confirmed by the editor (5/5).
Creation date: 12/06/2009.
Identifiers: 495057, BID-35326, BID-35360, BID-35370, BID-35371, BID-35372, BID-35373, BID-35377, BID-35380, BID-35383, BID-35386, BID-35388, BID-35391, BID-35461, CERTA-2009-AVI-233, CERTA-2009-AVI-251, CVE-2009-1392, CVE-2009-1832, CVE-2009-1833, CVE-2009-1834, CVE-2009-1835, CVE-2009-1836, CVE-2009-1837, CVE-2009-1838, CVE-2009-1839, CVE-2009-1840, CVE-2009-1841, CVE-2009-2210, DSA-1820-1, DSA-1830-1, FEDORA-2009-7567, FEDORA-2009-7614, FEDORA-2009-8535, MDVSA-2009:134, MDVSA-2009:141, MFSA 2009-24, MFSA 2009-25, MFSA 2009-26, MFSA 2009-27, MFSA 2009-28, MFSA 2009-29, MFSA 2009-30, MFSA 2009-31, MFSA 2009-32, MFSA 2009-33, RHSA-2009:1095-01, RHSA-2009:1096-01, RHSA-2009:1125-01, RHSA-2009:1126-01, RHSA-2009:1134-01, SSA:2009-167-01, SSA:2009-176-01, SSA:2009-178-01, SUSE-SA:2009:034, TLSA-2009-18, TLSA-2009-20, VIGILANCE-VUL-8792.

Description of the vulnerability

Several vulnerabilities were announced in Firefox, Thunderbird and SeaMonkey.

Several memory corruptions lead to code execution. [severity:4/4; BID-35370, BID-35371, BID-35372, CERTA-2009-AVI-233, CERTA-2009-AVI-251, CVE-2009-1392, CVE-2009-1832, CVE-2009-1833, MFSA 2009-24]

Some invalid Unicode characters are displayed as spaces in the address bar, which can deceive the victim. [severity:1/4; BID-35388, CVE-2009-1834, MFSA 2009-25]

An attacker can invite the victim to open a local file in order to read all of the victim's cookies. [severity:2/4; BID-35391, CVE-2009-1835, MFSA 2009-26]

An attacker can intercept a CONNECT request to a proxy and send a response other than "200 OK" in order to inject code into the victim's web browser (VIGILANCE-VUL-8806). [severity:3/4; BID-35380, CVE-2009-1836, MFSA 2009-27]

An attacker can create an HTML page containing a Java applet that uses freed memory in NPObjWrapper_NewResolve(). [severity:4/4; BID-35360, CVE-2009-1837, MFSA 2009-28]

After the garbage collection, JavaScript code can run with chrome privileges. [severity:4/4; BID-35383, CVE-2009-1838, MFSA 2009-29]

An attacker can invite the victim to open a local file in order to execute JavaScript code in the context of the previous page. [severity:2/4; BID-35386, CVE-2009-1839, MFSA 2009-30]

The security policy is not checked when loading a file containing JavaScript code. [severity:1/4; CVE-2009-1840, MFSA 2009-31]

An attacker can use the Sidebar or FeedWriter to execute code with chrome privileges. [severity:4/4; BID-35373, BID-35377, CVE-2009-1841, MFSA 2009-32]

An email in the MIME multipart/alternative format containing a text/enhanced part corrupts the memory. [severity:3/4; 495057, BID-35461, CVE-2009-2210, MFSA 2009-33]

computer vulnerability alert CVE-2009-1389

Linux kernel: denial of service via rtl8169

Synthesis of the vulnerability

An attacker can send a long packet in order to stop systems with the rtl8169 driver.
Impacted products: XenServer, Debian, Fedora, Linux, Mandriva Linux, NLD, OES, openSUSE, RHEL, SLES, ESX, ESXi, VMware Server, vCenter Server, VirtualCenter.
Severity: 2/4.
Consequences: denial of service on server.
Provenance: LAN.
Confidence: confirmed by the editor (5/5).
Creation date: 10/06/2009.
Identifiers: BID-35281, CERTA-2010-AVI-031, CTX123192, CTX123453, CTX123673, CVE-2009-1389, DSA-1844-1, DSA-1865-1, FEDORA-2009-6768, FEDORA-2009-6846, FEDORA-2009-6883, MDVSA-2009:148, openSUSE-SU-2010:0664-1, RHSA-2009:1157-01, RHSA-2009:1193-01, RHSA-2009:1211-01, RHSA-2009:1457-01, RHSA-2009:1469-01, SUSE-SA:2009:038, SUSE-SA:2009:045, SUSE-SA:2010:031, SUSE-SA:2010:036, SUSE-SA:2010:046, SUSE-SU-2011:0928-1, VIGILANCE-VUL-8786, VMSA-2009-0016, VMSA-2009-0016.1, VMSA-2009-0016.2, VMSA-2009-0016.3, VMSA-2009-0016.4, VMSA-2009-0016.5.

Description of the vulnerability

The rtl8169 driver implements support for network adapters of the Realtek RTL81xx family. These adapters can receive Ethernet frames with a size of 16383 bytes (jumbo frames).

However, the rtl8169 driver only supports 1500 bytes. Longer frames generate an overflow.

An attacker located on a network supporting jumbo frames can therefore send a long frame in order to generate a denial of service, and possibly to execute code.

computer vulnerability note CVE-2009-1932

GStreamer Good Plug-ins: integer overflows of PNG

Synthesis of the vulnerability

An attacker can create a malicious PNG image in order to create a denial of service or to execute code with rights of the application using GStreamer Good Plug-ins.
Impacted products: Debian, Mandriva Linux, RHEL, Unix (platform) ~ not comprehensive.
Severity: 2/4.
Consequences: user access/rights, denial of service on client.
Provenance: document.
Confidence: confirmed by the editor (5/5).
Creation date: 08/06/2009.
Identifiers: BID-35172, CVE-2009-1932, DSA-1839-1, MDVSA-2009:130, MDVSA-2009:130-1, RHSA-2009:1123-01, VIGILANCE-VUL-8769.

Description of the vulnerability

The GStreamer product offers a development framework for creating multimedia applications. GStreamer Good Plug-ins are modules whose quality level is considered good by the developers.

The libpng/gstpngdec.c file implements support for images in PNG format. The user_info_callback(), user_endrow_callback() and gst_pngdec_task() functions allocate memory areas whose size is the result of a multiplication. However, these multiplications can overflow, in which case the allocated memory area is shorter than the data stored in it.

An attacker can therefore create a malicious PNG image in order to create a denial of service or to execute code with rights of the application using GStreamer Good Plug-ins.

computer vulnerability alert CVE-2009-0023

Apache APR-util: denial of service via apr_strmatch

Synthesis of the vulnerability

An attacker can create a denial of service in applications using apr_strmatch of APR-util.
Impacted products: APR-util, Apache httpd, Debian, Fedora, HP-UX, WebSphere AS Traditional, NSM Central Manager, NSMXpress, Mandriva Corporate, Mandriva Linux, Mandriva NF, NLD, OES, openSUSE, Solaris, RHEL, Slackware, SLES.
Severity: 2/4.
Consequences: denial of service on service.
Provenance: internet client.
Confidence: confirmed by the editor (5/5).
Creation date: 05/06/2009.
Identifiers: BID-35221, c02579879, CERTA-2009-AVI-244, CERTA-2009-AVI-408, CERTA-2009-AVI-471, CERTA-2012-AVI-023, CVE-2009-0023, DSA-1812-1, FEDORA-2009-5969, FEDORA-2009-6014, FEDORA-2009-6261, HPSBUX02612, MDVSA-2009:131, MDVSA-2009:131-1, MDVSA-2009:314, PK87176, PK88341, PK88342, PK91361, PK99477, PK99478, PK99480, PSN-2012-11-767, RHSA-2009:1107-01, RHSA-2009:1108-01, RHSA-2009:1160-01, RHSA-2010:0602-02, SSA:2009-167-02, SSA:2009-214-01, SSRT100345, SUSE-SR:2009:013, VIGILANCE-VUL-8766.

Description of the vulnerability

The Apache APR-util library offers the strmatch module which searches a pattern in a string, using the Boyer-Moore-Horspool algorithm.

This algorithm uses a shift related to the offset of a character from the end of the pattern. For example, if the pattern is "cherche":
 - the shift of 'e' is 4 (chErche, the last 'e' is ignored)
 - the shift of 'h' is 1 (chercHe)
 - the shift of 'c' is 2 (cherChe)
 - the shift of 'r' is 3 (cheRche)

The strmatch module uses an array of 256 entries indicating the shift of each character (shift['e']=4, etc.). However, the character is stored in a signed "char". When the character value is greater than 127, the index into the shift table is negative, which forces a read at an invalid address.

An attacker can therefore use a pattern containing characters greater than 127 in order to stop applications linked to Apache APR-util.

For example, the following applications are vulnerable:
 - Apache httpd via a .htaccess file
 - mod_dav_svn if the "SVNMasterURI" directive is used
 - mod_apreq2
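As an added illustration (not code from the bulletin or from APR-util), the Boyer-Moore-Horspool shift table for the "cherche" example above, with every table lookup taken through unsigned char so that a byte above 127 indexes 128..255 instead of a negative offset before the array; the "\xe9t\xe9" pattern with bytes above 127 is constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>

#define ALPHABET 256

/* Build the Boyer-Moore-Horspool shift table for pattern. Every table
 * index goes through (unsigned char): a byte above 127 then lands in
 * 128..255 rather than at a negative offset before the array. */
static void bmh_build_shift(const char *pattern, size_t shift[ALPHABET])
{
    size_t m = strlen(pattern), i;
    for (i = 0; i < ALPHABET; i++)
        shift[i] = m;              /* byte absent from pattern: skip m */
    for (i = 0; i + 1 < m; i++)    /* last pattern byte is ignored */
        shift[(unsigned char)pattern[i]] = m - 1 - i;
}

/* Shift assigned to one byte value, for inspecting the table. */
static size_t bmh_shift_of(const char *pattern, unsigned char c)
{
    size_t shift[ALPHABET];
    bmh_build_shift(pattern, shift);
    return shift[c];
}

/* Offset of the first occurrence of pattern in s[0..n), or -1. */
static long bmh_search(const char *s, size_t n, const char *pattern)
{
    size_t shift[ALPHABET], m = strlen(pattern), pos = 0;
    if (m == 0) return 0;
    bmh_build_shift(pattern, shift);
    while (pos + m <= n) {
        if (memcmp(s + pos, pattern, m) == 0)
            return (long)pos;
        /* Horspool step: skip by the shift of the text byte under the pattern's last position */
        pos += shift[(unsigned char)s[pos + m - 1]];
    }
    return -1;
}

int main(void)
{
    /* constructed sample: pattern and text contain the byte 0xE9 (> 127) */
    const char *text = "l'\xe9t\xe9 dernier";
    printf("shift['e'] for \"cherche\" = %zu\n", bmh_shift_of("cherche", 'e'));
    printf("match at offset %ld\n", bmh_search(text, strlen(text), "\xe9t\xe9"));
    return 0;
}
```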

vulnerability alert CVE-2009-1955

Apache APR-util: denial of service via XML

Synthesis of the vulnerability

An attacker can construct complex XML data in order to generate a denial of service in applications linked to APR-util.
Impacted products: APR-util, Apache httpd, Debian, Fedora, HP-UX, NSM Central Manager, NSMXpress, Mandriva Corporate, Mandriva Linux, Mandriva NF, NLD, OES, openSUSE, Solaris, RHEL, Slackware, SLES.
Severity: 2/4.
Consequences: denial of service on service.
Provenance: internet client.
Confidence: confirmed by the editor (5/5).
Creation date: 04/06/2009.
Identifiers: BID-35253, c02579879, CVE-2009-1955, DSA-1812-1, FEDORA-2009-5969, FEDORA-2009-6014, FEDORA-2009-6261, HPSBUX02612, MDVSA-2009:131, MDVSA-2009:131-1, MDVSA-2009:314, PSN-2012-11-767, RHSA-2009:1107-01, RHSA-2009:1108-01, RHSA-2009:1160-01, RHSA-2010:0602-02, SSA:2009-167-02, SSA:2009-214-01, SSRT100345, SUSE-SR:2009:013, SUSE-SR:2010:011, VIGILANCE-VUL-8761.

Description of the vulnerability

The Apache APR-util library implements an XML parser.

An XML entity (such as "&abc;") is used to define an alias of a character or of a text string.

An attacker can create an entity built from several entities, each of which is itself built from several entities, and so on. The expanded entity is thus very complex and very large. When the XML parser of APR-util processes this entity, it consumes a large amount of resources.

An attacker can therefore construct complex XML data in order to generate a denial of service in applications linked to APR-util. The mod_webdav module, for example, is impacted.

computer vulnerability bulletin CVE-2009-1914

Linux kernel: denial of service on Sparc64

Synthesis of the vulnerability

On a Sparc64 processor, a local attacker can stop the system.
Impacted products: Debian, Linux.
Severity: 1/4.
Consequences: denial of service on server.
Provenance: user shell.
Confidence: confirmed by the editor (5/5).
Creation date: 03/06/2009.
Identifiers: BID-35415, CVE-2009-1914, DSA-1844-1, VIGILANCE-VUL-8758.

Description of the vulnerability

Each adapter on a Sparc64 system has its own memory address range for its direct input/output. For example:
 - 1ff80020000-1ff8003ffff : video adapter
 - 1ff82000000-1ff82000fff : network adapter
These addresses are indicated in the /proc/iomem file.

The pci_register_iommu_region() function requests a memory area for a PCI device, and allocates a structure named "resource". However, the allocated structure is not initialized, and thus its usage generates an error and stops the kernel.

On a Sparc64 processor, a local attacker can then read the content of the /proc/iomem file in order to stop the system.

computer vulnerability announce CVE-2009-1385

Linux kernel: denial of service via e1000

Synthesis of the vulnerability

An attacker can send a long packet in order to stop systems with the e1000 driver.
Impacted products: Debian, Fedora, Linux, Mandriva Linux, NLD, OES, openSUSE, RHEL, SLES, ESX, ESXi, VMware Server, vCenter Server, VirtualCenter.
Severity: 2/4.
Consequences: denial of service on service.
Provenance: LAN.
Confidence: confirmed by the editor (5/5).
Creation date: 03/06/2009.
Identifiers: BID-35185, CERTA-2009-AVI-256, CVE-2009-1385, DSA-1844-1, DSA-1865-1, FEDORA-2009-6768, FEDORA-2009-6846, FEDORA-2009-6883, MDVSA-2009:135, MDVSA-2009:148, RHSA-2009:1132-01, RHSA-2009:1157-01, RHSA-2009:1193-01, RHSA-2009:1550-01, RHSA-2010:0079-01, SUSE-SA:2009:038, SUSE-SA:2009:045, VIGILANCE-VUL-8757, VMSA-2009-0016, VMSA-2009-0016.1, VMSA-2009-0016.2, VMSA-2009-0016.3, VMSA-2009-0016.4, VMSA-2009-0016.5, VMSA-2010-0010.

Description of the vulnerability

The e1000 driver implements support for Intel PRO/100, PRO/1000 and 10GbE network adapters.

An Ethernet frame ends with 4 bytes of CRC check. The e1000_clean_rx_irq() function of the driver thus subtracts 4 bytes in order to obtain the real size of data.

When a network frame is too large (jumbo frames), the adapter stores it in several buffers. The e1000 driver does not support this case; however, its detection of the case is incorrect, so the last buffer is nonetheless processed.

The size of the last buffer can be less than 4. Thus, after subtracting 4, the e1000_clean_rx_irq() function works on a negative size, which generates an error.

An attacker can therefore send an Ethernet frame slightly larger than the adapter's buffer in order to generate a denial of service.

computer vulnerability alert CVE-2009-1961

Linux kernel: denial of service via splice

Synthesis of the vulnerability

A local attacker can create a denial of service on a process using splice().
Impacted products: Debian, Linux, Mandriva Linux, openSUSE, RHEL, SLES.
Severity: 1/4.
Consequences: denial of service on service.
Provenance: user shell.
Confidence: confirmed by the editor (5/5).
Creation date: 03/06/2009.
Identifiers: BID-35143, CVE-2009-1961, DSA-1844-1, MDVSA-2009:135, MDVSA-2009:148, RHSA-2009:1157-01, SUSE-SA:2009:030, SUSE-SA:2009:031, SUSE-SA:2009:038, VIGILANCE-VUL-8756.

Description of the vulnerability

The splice() system call moves data between two file descriptors:
  splice(fd_in, off_in, fd_out, off_out, len, flags);
Two locks are used to handle concurrent access.

When the first descriptor is a pipe, the write locking sequence is invalid, so a deadlock occurs. The file associated with the second descriptor then becomes unusable.

A local attacker allowed to write to a file can therefore block access to this file. This creates a denial of service on programs using this file.