The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of Debian Stretch

computer vulnerability bulletin CVE-2009-3546

LibGd, PHP: memory corruption via gdGetColors

Synthesis of the vulnerability

An attacker can use an application linked to the GD library, in order to corrupt the memory, which generates a denial of service, and can possibly lead to code execution.
Impacted products: Debian, Fedora, Mandriva Linux, Mandriva NF, openSUSE, PHP, RHEL, Slackware, SLES, Unix (platform) ~ not comprehensive.
Severity: 2/4.
Consequences: privileged access/rights, denial of service on service.
Provenance: user account.
Creation date: 15/10/2009.
Identifiers: BID-36712, CVE-2009-3546, DSA-1936-1, FEDORA-2009-12017, FEDORA-2010-0495, FEDORA-2012-9298, FEDORA-2012-9314, MDVSA-2009:284, MDVSA-2009:284-1, MDVSA-2009:285, MDVSA-2009:324, RHSA-2010:0003-01, SSA:2018-120-01, SUSE-SR:2010:005, VIGILANCE-VUL-9098.

Description of the vulnerability

The GD library is used to handle images. A copy of it is bundled with PHP's GD extension, so PHP is impacted as well.

The gdGetColors() function of LibGD reads the colour table of an image. However, this function does not check that the number of colours announced by the file is at most gdMaxColors (256, the size of the fixed palette arrays of the image structure), so a larger value makes the palette-reading loop write past these arrays (overflow).

An attacker can therefore use an application linked to the GD library, in order to corrupt the memory, which generates a denial of service, and can possibly lead to code execution.

In order to exploit this vulnerability in PHP, the attacker has to call the PHP imagecreatefromgd() function, and then the PHP imagecolorallocate() function.
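The following C program is an added example written for this page; it is not LibGD or PHP code. It models the missing check: the colour count is read from the file as a 16-bit word (up to 65535), while the palette arrays hold only 256 entries. The on-disk layout used here (count, then one 4-byte RGBA entry per colour), the structure and all function names are simplifications assumed for the demonstration, not the real .gd format or the real libgd API.

```c
/* Added example, not libgd or PHP code. Models the bounds check that
 * gdGetColors() lacked: the palette entry count is read as a 16-bit word,
 * but the per-channel arrays hold only MAX_COLORS entries. The layout
 * (count, then one RGBA entry per colour) is a simplification of .gd. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define MAX_COLORS 256                 /* gdMaxColors in libgd */

struct palette_image {
    int colors_total;
    int red[MAX_COLORS], green[MAX_COLORS], blue[MAX_COLORS], alpha[MAX_COLORS];
};

/* Read cursor over an in-memory buffer, standing in for libgd's gdIOCtx. */
struct cursor { const uint8_t *p; size_t left; };

static int get_byte(struct cursor *c, int *out)
{
    if (c->left < 1) return 0;
    *out = *c->p++;
    c->left--;
    return 1;
}

static int get_word(struct cursor *c, int *out)   /* big-endian 16 bits */
{
    int hi, lo;
    if (!get_byte(c, &hi) || !get_byte(c, &lo)) return 0;
    *out = (hi << 8) | lo;
    return 1;
}

/* Returns 1 on success, 0 if the palette is oversized or truncated. */
int get_colors(const uint8_t *buf, size_t len, struct palette_image *im)
{
    struct cursor c = { buf, len };
    int i;
    memset(im, 0, sizeof *im);
    if (!get_word(&c, &im->colors_total)) return 0;
    /* The missing check: without it the loop below indexes the fixed-size
     * arrays with i up to 65534 and corrupts whatever follows the struct. */
    if (im->colors_total < 0 || im->colors_total > MAX_COLORS) return 0;
    for (i = 0; i < im->colors_total; i++) {
        if (!get_byte(&c, &im->red[i])  || !get_byte(&c, &im->green[i]) ||
            !get_byte(&c, &im->blue[i]) || !get_byte(&c, &im->alpha[i]))
            return 0;                  /* count claims more entries than present */
    }
    return 1;
}

/* Constructed inputs for the demonstration. */
static const uint8_t good_pal[]  = { 0x00, 0x02, 0xff,0x00,0x00,0x00, 0x00,0xff,0x00,0x00 }; /* 2 colours */
static const uint8_t huge_pal[]  = { 0x01, 0x2c, 0x00,0x00,0x00,0x00 };                       /* claims 300 */
static const uint8_t short_pal[] = { 0x00, 0x02, 0xff,0x00,0x00,0x00 };                       /* claims 2, carries 1 */

int parse_good(void)
{
    struct palette_image im;
    return get_colors(good_pal, sizeof good_pal, &im)
        && im.colors_total == 2 && im.red[0] == 255 && im.green[1] == 255;
}
int parse_huge(void)  { struct palette_image im; return get_colors(huge_pal, sizeof huge_pal, &im); }
int parse_short(void) { struct palette_image im; return get_colors(short_pal, sizeof short_pal, &im); }

int main(void)
{
    printf("valid palette: %d, oversized count: %d, truncated palette: %d\n",
           parse_good(), parse_huge(), parse_short());
    return 0;
}
```

The truncation check in the loop is the second half of the same discipline: a count field is never trusted on its own, neither against the fixed array it indexes nor against the number of bytes actually present.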

computer vulnerability alert CVE-2009-3612

Linux kernel: reading 2 bytes via tc_fill_node

Synthesis of the vulnerability

A local attacker can create a PF_NETLINK/NETLINK_ROUTE socket, in order to read two bytes coming from the kernel memory.
Impacted products: Debian, Fedora, Linux, Mandriva Linux, openSUSE, RHEL, SLES, ESX, ESXi.
Severity: 1/4.
Consequences: data reading.
Provenance: user shell.
Creation date: 15/10/2009.
Identifiers: BID-36827, CERTA-2002-AVI-244, CVE-2009-3612, DSA-1927-1, DSA-1928-1, DSA-1929-1, FEDORA-2009-11032, FEDORA-2009-11038, FEDORA-2009-13098, MDVSA-2009:301, MDVSA-2009:329, RHSA-2009:1540-01, RHSA-2009:1670-01, SUSE-SA:2009:060, SUSE-SA:2009:061, SUSE-SA:2009:064, SUSE-SA:2010:012, VIGILANCE-VUL-9096, VMSA-2010-0004, VMSA-2010-0004.1, VMSA-2010-0004.2, VMSA-2010-0004.3, VMSA-2010-0009, VMSA-2010-0009.1.

Description of the vulnerability

The tcmsg structure (include/linux/rtnetlink.h) is laid out as:
 - 1 byte for tcm_family
 - 3 bytes of padding (alignment), composed of a char "tcm__pad1" (1 byte) and a short "tcm__pad2" (2 bytes)
 - 4 bytes for tcm_ifindex, followed by the 32-bit tcm_handle, tcm_parent and tcm_info fields
This structure is the header of the traffic-control messages exchanged on rtnetlink routing sockets (RTM_GETQDISC, RTM_GETTCLASS, RTM_GETTFILTER, etc.), and is copied as-is into the reply sent to user space.

The tc_fill_node() function of the net/sched/sch_api.c file fills this header in the reply buffer, but does not initialize the 2 "tcm__pad2" padding bytes, so whatever the buffer memory previously held at that offset is sent to user space.

A local attacker can thus for example use RTM_GETTCLASS on a PF_NETLINK/NETLINK_ROUTE socket, in order to obtain these 2 bytes, coming from the kernel memory.
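The following C program is an added example written for this page, not kernel code. It reproduces, in user space, the layout of struct tcmsg and the difference between a fill routine that zeroes only tcm__pad1 (the shape of the unfixed tc_fill_node()) and one that also zeroes tcm__pad2. The "stale" byte pattern, the field values and the function names are constructed for the demonstration; the stale bytes stand in for whatever the kernel buffer held before the message was built.

```c
/* Added example, not kernel code. Same field order and sizes as struct
 * tcmsg; the STALE pattern simulates leftover kernel memory. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

struct tcmsg_like {
    unsigned char  tcm_family;
    unsigned char  tcm__pad1;
    unsigned short tcm__pad2;
    int            tcm_ifindex;
    uint32_t       tcm_handle;
    uint32_t       tcm_parent;
    uint32_t       tcm_info;
};

#define STALE 0xAA                /* constructed "old memory" byte for the demo */

/* Overlay the struct on raw bytes so every byte can be inspected afterwards. */
union msgbuf {
    struct tcmsg_like tcm;
    unsigned char raw[sizeof(struct tcmsg_like)];
};

static void fill_common(struct tcmsg_like *tcm)
{
    tcm->tcm_family  = 0;              /* AF_UNSPEC */
    tcm->tcm__pad1   = 0;
    tcm->tcm_ifindex = 2;              /* sample values, none containing 0xAA */
    tcm->tcm_handle  = 0x00010000;
    tcm->tcm_parent  = 0xFFFFFFFF;
    tcm->tcm_info    = 1;
}

/* Unfixed shape: every named field set, tcm__pad2 untouched. */
static void fill_node_unfixed(struct tcmsg_like *tcm) { fill_common(tcm); }
/* Fixed shape: padding cleared explicitly before the header leaves the kernel. */
static void fill_node_fixed(struct tcmsg_like *tcm)   { fill_common(tcm); tcm->tcm__pad2 = 0; }

/* Build a header over stale memory and return how many of its bytes still
 * carry the stale pattern, i.e. how many bytes of old memory reach user space. */
int stale_bytes_leaked(int fixed)
{
    union msgbuf m;
    size_t i;
    int n = 0;
    memset(m.raw, STALE, sizeof m.raw);
    if (fixed) fill_node_fixed(&m.tcm); else fill_node_unfixed(&m.tcm);
    for (i = 0; i < sizeof m.raw; i++)
        if (m.raw[i] == STALE) n++;
    return n;
}

/* Offset of the leaked bytes inside the header: a program receiving the
 * RTM_GETTCLASS reply on a NETLINK_ROUTE socket would read them here. */
size_t leak_offset(void) { return offsetof(struct tcmsg_like, tcm__pad2); }

int main(void)
{
    printf("header size %zu, pad2 at offset %zu, leaked bytes: unfixed %d, fixed %d\n",
           sizeof(struct tcmsg_like), leak_offset(),
           stale_bytes_leaked(0), stale_bytes_leaked(1));
    return 0;
}
```

The general lesson is the one auditors apply to every structure copied to user space: padding is memory too, and assigning each named field does not clear it; a memset() of the whole structure, or an explicit assignment to each padding member, is needed.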

computer vulnerability CVE-2009-3603 CVE-2009-3604 CVE-2009-3605

Xpdf: multiple vulnerabilities

Synthesis of the vulnerability

An attacker can create a malicious PDF document leading to code execution on the computer of users opening it with Xpdf, or its derivatives.
Impacted products: Debian, Fedora, Mandriva Linux, Mandriva NF, NLD, OES, OpenSolaris, openSUSE, Solaris, RHEL, Slackware, SLES, Unix (platform) ~ not comprehensive.
Severity: 3/4.
Consequences: user access/rights.
Provenance: document.
Number of vulnerabilities in this bulletin: 7.
Creation date: 15/10/2009.
Identifiers: 274030, 526637, 526877, 526893, 526911, 526915, 526924, 6904352, BID-36703, BID-36718, CERTA-2010-AVI-135, CVE-2009-3603, CVE-2009-3604, CVE-2009-3605, CVE-2009-3606, CVE-2009-3607, CVE-2009-3608, CVE-2009-3609, DSA-2028-1, DSA-2050-1, FEDORA-2009-10648, FEDORA-2009-10694, FEDORA-2009-10823, FEDORA-2009-10845, FEDORA-2010-1377, FEDORA-2010-1805, FEDORA-2010-1842, MDVSA-2009:280, MDVSA-2009:281, MDVSA-2009:282, MDVSA-2009:283, MDVSA-2009:287, MDVSA-2009:287-1, MDVSA-2009:334, MDVSA-2009:336, MDVSA-2009:346, MDVSA-2010:055, MDVSA-2010:086, MDVSA-2010:087, MDVSA-2010:094, MDVSA-2010:096, MDVSA-2011:175, oCERT-2009-016, RHSA-2009:1500-01, RHSA-2009:1501-01, RHSA-2009:1502-01, RHSA-2009:1503-01, RHSA-2009:1504-01, RHSA-2009:1513-01, RHSA-2010:0399-01, RHSA-2010:0400-01, RHSA-2010:0401-01, RHSA-2010:0755-01, SSA:2009-302-01, SSA:2009-302-02, SUSE-SR:2009:018, SUSE-SR:2009:019, SUSE-SR:2009:020, VIGILANCE-VUL-9095.

Description of the vulnerability

The Xpdf program is used to display PDF documents. Its source code is reused in several other programs: gpdf, cups, poppler, etc. It is impacted by several vulnerabilities.

The SplashBitmap::SplashBitmap() method does not verify if a multiplication overflows. This leads to the allocation of a too short memory area, and then to an overflow. [severity:3/4; 526915, CVE-2009-3603]

The Splash::drawImage() method does not verify if a multiplication overflows. This leads to the allocation of a too short memory area, and then to an overflow. [severity:3/4; 526911, CVE-2009-3604]

Several integer overflows can occur in files glib/poppler-page.cc, ArthurOutputDev.cc, CairoOutputDev.cc, GfxState.cc, JBIG2Stream.cc, PSOutputDev.cc, SplashOutputDev.cc, SplashBitmap.cc, Splash.cc and SplashFTFont.cc. [severity:3/4; CVE-2009-3605]

The PSOutputDev::doImageL1Sep() method does not verify if a multiplication overflows. This leads to the allocation of a too short memory area, and then to an overflow. [severity:3/4; 526877, CVE-2009-3606]

The create_surface_from_thumbnail_data() method of Poppler does not verify if a multiplication overflows. This leads to the allocation of a too short memory area, and then to an overflow. [severity:3/4; 526924, BID-36718, CVE-2009-3607]

The ObjectStream::ObjectStream() method does not verify if a multiplication overflows. This leads to the allocation of a too short memory area, and then to an overflow. [severity:3/4; 526637, CVE-2009-3608, oCERT-2009-016]

The ImageStream::ImageStream() method does not verify if a multiplication overflows. This leads to the allocation of a too short memory area, and then to an overflow. [severity:3/4; 526893, CVE-2009-3609]

An attacker can therefore create a malicious PDF document leading to code execution on the computer of users opening it with Xpdf, or its derivatives.
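The following C program is an added example written for this page, not Xpdf or Poppler code. It shows the pattern common to the seven entries above: image dimensions arrive from the PDF as ints, their product is used as an allocation size, and a wrapped product yields a buffer far smaller than the data later written into it. The checked computation below is what such a constructor needs before calling malloc(). The dimension names follow the bulletin (width, height, number of components, bits per component); the function names and the sample dimensions are assumptions made for the demonstration, and the unchecked variant assumes a 32-bit unsigned int.

```c
/* Added example, not Xpdf/Poppler code: overflow-checked image buffer sizing
 * beside the unchecked arithmetic the vulnerable constructors performed. */
#include <stdlib.h>
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* Row size in bytes (rounded up to whole bytes), then rows * height, with
 * every multiplication checked against INT_MAX before it is performed.
 * Returns 0 on any overflow or non-positive dimension: the caller must
 * treat 0 as "reject the image", never as "allocate nothing". */
size_t image_bytes_checked(int width, int height, int ncomps, int nbits)
{
    int bits_per_pixel, row_bytes;
    if (width <= 0 || height <= 0 || ncomps <= 0 || nbits <= 0) return 0;
    if (ncomps > INT_MAX / nbits) return 0;
    bits_per_pixel = ncomps * nbits;
    if (width > (INT_MAX - 7) / bits_per_pixel) return 0;
    row_bytes = (width * bits_per_pixel + 7) / 8;
    if (height > INT_MAX / row_bytes) return 0;
    return (size_t)row_bytes * (size_t)height;
}

/* The unchecked computation, done in 32-bit unsigned arithmetic so that the
 * wrap-around is well defined for the demonstration (in the real code it was
 * signed int arithmetic, i.e. undefined behaviour that in practice wrapped). */
unsigned int image_bytes_unchecked(int width, int height, int ncomps, int nbits)
{
    unsigned int row = ((unsigned int)width * (unsigned int)ncomps * (unsigned int)nbits + 7) / 8;
    return row * (unsigned int)height;
}

/* Allocate an image buffer, or return NULL when the size is not trustworthy. */
void *alloc_image(int width, int height, int ncomps, int nbits)
{
    size_t n = image_bytes_checked(width, height, ncomps, nbits);
    return n ? malloc(n) : NULL;
}

int main(void)
{
    /* Constructed dimensions: an ordinary image and a crafted 65536x65536 one
     * whose byte count is exactly 2^32 and so wraps to 0 when unchecked. */
    printf("640x480, 3 comps, 8 bits: checked %zu bytes, unchecked %u\n",
           image_bytes_checked(640, 480, 3, 8), image_bytes_unchecked(640, 480, 3, 8));
    printf("65536x65536, 1 comp, 8 bits: checked %zu (0 = rejected), unchecked %u (wrapped)\n",
           image_bytes_checked(65536, 65536, 1, 8), image_bytes_unchecked(65536, 65536, 1, 8));
    return 0;
}
```

The crafted case is the important one: the unchecked size is 0, malloc(0) succeeds on most allocators, and the decoder then writes 4 GB of pixel data into it. Modern xpdf and poppler centralise this check in a gmallocn()-style helper so that no constructor multiplies dimensions by hand.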

vulnerability announce CVE-2009-3602

Unbound: non verification of NSEC3

Synthesis of the vulnerability

When an attacker can spoof DNS packets, he can poison the Unbound cache with fake data.
Impacted products: Debian, openSUSE, SLES, Unix (platform) ~ not comprehensive.
Severity: 2/4.
Consequences: data creation/edition, data deletion, denial of service on service.
Provenance: internet client.
Creation date: 12/10/2009.
Identifiers: BID-37459, CVE-2009-3602, DSA-1963-1, SUSE-SR:2010:005, VIGILANCE-VUL-9082.

Description of the vulnerability

DNSSEC extensions are used to sign DNS records in order to avoid spoofed packets.

The Unbound product is a DNS server handling DNSSEC extensions.

When a DNS response is received, the nsec3_prove_nods() function in file validator/val_nsec3.c uses NSEC3 records to prove that a delegation (DS record) does not exist. However, this function does not verify that the NSEC3 records it relies on carry a valid signature. An attacker can therefore send DNS packets whose NSEC3 records have an invalid or missing signature, and those packets are not rejected.

When an attacker can spoof DNS packets, he can thus poison the Unbound cache with fake data.

computer vulnerability alert CVE-2009-2909

Linux kernel: denial of service via AX.25

Synthesis of the vulnerability

A local attacker can use an AX.25 socket, in order to stop the system.
Impacted products: Debian, Fedora, Linux, openSUSE, SLES.
Severity: 1/4.
Consequences: denial of service on server.
Provenance: user shell.
Creation date: 08/10/2009.
Identifiers: BID-36635, CERTA-2002-AVI-244, CVE-2009-2909, DSA-1915-1, DSA-1928-1, DSA-1929-1, FEDORA-2009-11032, FEDORA-2009-11038, SA:2009:051, SUSE-SA:2009:054, SUSE-SA:2009:055, SUSE-SA:2009:056, SUSE-SU-2011:0928-1, VIGILANCE-VUL-9076.

Description of the vulnerability

The net/ax25/af_ax25.c file implements AX.25 networks, used by amateur radio operators.

The ax25_setsockopt() function does not check whether the option length passed by user space is negative: optlen is a signed int, so a negative value passes the minimum-length comparison against sizeof(int) (the int is converted to an unsigned type for the comparison) and reaches copy_from_user() as a huge length, which triggers the BUG_ON() macro and stops the system.

A local attacker can therefore use the setsockopt() function on an AX.25 socket, in order to stop the system.
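The following C program is an added example written for this page, not kernel code. It mirrors the shape of the length handling in the unfixed ax25_setsockopt() SO_BINDTODEVICE path so that the signed/unsigned mix-up can be observed in user space. The function names are ours; the return values represent the byte count that would be handed to copy_from_user(), or 0 where the kernel would return -EINVAL. Making optlen unsigned throughout is the direction the mainline kernel took for setsockopt() handlers; the explicit negative check is shown as an alternative when the signed type has to stay.

```c
/* Added example, not kernel code. optlen is the signed int from
 * setsockopt(2); the minimum-length test compares it with sizeof(int),
 * a size_t, so the int is converted to unsigned first and -1 sails
 * through; the later clamp is a signed comparison, so -1 is not
 * "> IFNAMSIZ" and survives as the copy length, where it becomes (size_t)-1. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define IFNAMSIZ 16

size_t copy_len_unfixed(int optlen)
{
    if (optlen < sizeof(int))            /* int vs size_t: -1 becomes SIZE_MAX, passes */
        return 0;
    if (optlen > IFNAMSIZ)               /* int vs int: -1 is not > 16, stays -1 */
        optlen = IFNAMSIZ;
    return (size_t)optlen;               /* copy_from_user(devname, optval, (size_t)-1) -> BUG_ON */
}

/* Unsigned length: a negative value arrives as a large unsigned number,
 * passes the minimum check, and is clamped to IFNAMSIZ like any oversize value. */
size_t copy_len_fixed(unsigned int optlen)
{
    if (optlen < sizeof(int))
        return 0;
    if (optlen > IFNAMSIZ)
        optlen = IFNAMSIZ;
    return optlen;
}

/* Signed length kept, negatives rejected before any comparison with a size_t. */
size_t copy_len_explicit(int optlen)
{
    if (optlen < 0 || (size_t)optlen < sizeof(int))
        return 0;
    if (optlen > IFNAMSIZ)
        optlen = IFNAMSIZ;
    return (size_t)optlen;
}

int main(void)
{
    printf("optlen=-1: unfixed %zu, fixed %zu, explicit %zu\n",
           copy_len_unfixed(-1), copy_len_fixed((unsigned int)-1), copy_len_explicit(-1));
    printf("optlen=32: unfixed %zu, fixed %zu, explicit %zu\n",
           copy_len_unfixed(32), copy_len_fixed(32), copy_len_explicit(32));
    return 0;
}
```

Compiling the block with -Wsign-compare flags the first comparison in copy_len_unfixed(); that warning is exactly the one to act on in any setsockopt-style handler that takes a length from user space.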

computer vulnerability CVE-2009-2908

Linux kernel: privilege elevation via eCryptfs

Synthesis of the vulnerability

A local attacker can create a hard link on an eCryptfs file system, in order to generate a denial of service, or to execute code.
Impacted products: Debian, Fedora, Linux, Mandriva Linux, RHEL, ESX, ESXi.
Severity: 2/4.
Consequences: administrator access/rights, denial of service on server.
Provenance: user shell.
Creation date: 07/10/2009.
Identifiers: 527534, BID-36639, CERTA-2002-AVI-244, CVE-2009-2908, DSA-1915-1, DSA-1928-1, FEDORA-2009-10525, FEDORA-2009-11032, FEDORA-2009-11038, MDVSA-2009:289, RHSA-2009:1548-01, VIGILANCE-VUL-9075, VMSA-2010-0004, VMSA-2010-0004.1, VMSA-2010-0004.2, VMSA-2010-0004.3, VMSA-2010-0009, VMSA-2010-0009.1.

Description of the vulnerability

The Linux kernel supports the eCryptfs file system since version 2.6.19.

A file can have several hard links, which are different access paths to the same file.

When:
 - a file is stored on an eCryptfs file system, and
 - two hard links are available for this file, and
 - the file is opened, and
 - all links are removed, and
 - a read() or write() is done on the previously opened file,
then, a NULL pointer is dereferenced in ecryptfs_read_update_atime() (access time update). This error stops the kernel.

A local attacker can thus create a hard link on an eCryptfs file system, in order to generate a denial of service.

An attacker can also use this vulnerability with VIGILANCE-VUL-8953/VIGILANCE-VUL-8861 in order to elevate his privileges.

computer vulnerability alert CVE-2009-2562 CVE-2009-2563 CVE-2009-3241

Wireshark: denials of service

Synthesis of the vulnerability

Several vulnerabilities of Wireshark can be used by a remote attacker to create a denial of service.
Impacted products: Debian, Ethereal, Fedora, Mandriva Linux, NLD, OES, openSUSE, RHEL, SLES, Wireshark.
Severity: 2/4.
Consequences: denial of service on service.
Provenance: intranet client.
Number of vulnerabilities in this bulletin: 6.
Creation date: 16/09/2009.
Revision date: 06/10/2009.
Identifiers: BID-36408, BID-36591, CERTA-2009-AVI-388, CERTA-2009-AVI-394, CERTA-2010-AVI-035, CVE-2009-2562, CVE-2009-2563, CVE-2009-3241, CVE-2009-3243, CVE-2009-3829, DSA-1942-1, FEDORA-2009-7998, FEDORA-2009-9837, MDVSA-2009:270, MDVSA-2009:292, MDVSA-2009:292-1, RHSA-2010:0360-01, SUSE-SR:2009:016, SUSE-SR:2009:020, SUSE-SR:2010:007, VIGILANCE-VUL-9026, VU#676492, wnpa-sec-2009-05, wnpa-sec-2009-06.

Description of the vulnerability

The Wireshark program captures and displays network packets. Protocols are decoded by dissectors. Several of them are impacted by vulnerabilities.

An attacker can stop the AFS dissector. [severity:2/4; CERTA-2009-AVI-388, CERTA-2009-AVI-394, CVE-2009-2562, wnpa-sec-2009-05]

An attacker can stop the Infiniband dissector. [severity:2/4; CERTA-2010-AVI-035, CVE-2009-2563, wnpa-sec-2009-05]

An attacker can force the OpcUa dissector to consume an excessive amount of CPU and memory resource. [severity:2/4; BID-36408, CVE-2009-3241, MDVSA-2009:270, wnpa-sec-2009-05, wnpa-sec-2009-06]

An attacker can stop the GSM A RR dissector. [severity:2/4; wnpa-sec-2009-06]

An attacker can stop the TLS dissector. [severity:2/4; CVE-2009-3243, wnpa-sec-2009-06]

An attacker can invite the victim to open a malicious ERF file, in order to generate an integer overflow. [severity:2/4; BID-36591, CVE-2009-3829, VU#676492]

computer vulnerability announce CVE-2009-2910

Linux kernel: reading registers on x86_64

Synthesis of the vulnerability

On a x86_64 processor, a local attacker can read registers R8 to R11.
Impacted products: Debian, Fedora, Linux, openSUSE, RHEL, SLES, ESX, ESXi.
Severity: 1/4.
Consequences: data reading.
Provenance: user shell.
Creation date: 02/10/2009.
Identifiers: BID-36576, CERTA-2002-AVI-244, CVE-2009-2910, DSA-1915-1, DSA-1928-1, FEDORA-2009-10525, RHSA-2009:1540-01, RHSA-2009:1671-01, RHSA-2010:0046-01, SA:2009:051, SUSE-SA:2009:054, SUSE-SA:2009:055, SUSE-SA:2009:056, SUSE-SA:2009:060, SUSE-SA:2010:012, SUSE-SU-2011:0928-1, VIGILANCE-VUL-9067, VMSA-2010-0009, VMSA-2010-0009.1.

Description of the vulnerability

An x86 32-bit processor has 8 general registers (EAX, EBX, ECX, EDX, EBP, ESP, ESI, EDI). An x86_64 processor has 16 general registers (RAX, RBX, ..., RDI, R8 to R15).

On an x86_64 processor, a 32-bit process cannot access registers R8 to R11. The kernel therefore does not clear them when returning from a 32-bit system call (only R12 to R15 are restored), so they keep the values left by kernel code or by a previous process.

However, a local attacker can switch to 64 bit mode to read R8 to R11.

On a x86_64 processor, a local attacker can therefore read registers R8 to R11, in order to obtain the potentially sensitive information they contain.

computer vulnerability CVE-2009-2813 CVE-2009-2906 CVE-2009-2948

Samba: several vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of Samba, in order to access files, or to generate a denial of service.
Impacted products: Debian, Fedora, HP-UX, Mandriva Linux, OpenSolaris, openSUSE, Solaris, RHEL, Samba, Slackware, SLES, ESX.
Severity: 2/4.
Consequences: data reading, data creation/edition, data deletion, denial of service on service.
Provenance: user account.
Number of vulnerabilities in this bulletin: 3.
Creation date: 02/10/2009.
Identifiers: 271069, 6888097, BID-36363, BID-36572, BID-36573, c01940841, CERTA-2009-AVI-420, CVE-2009-2813, CVE-2009-2906, CVE-2009-2948, DSA-1908-1, FEDORA-2009-10172, FEDORA-2009-10180, HPSBUX02479, MDVSA-2009:277, MDVSA-2009:282-1, MDVSA-2009:320, RHSA-2009:1528-01, RHSA-2009:1529-01, RHSA-2009:1585-01, SSA:2009-276-01, SSRT090212, SUSE-SR:2009:017, VIGILANCE-VUL-9065, VMSA-2010-0006, VMSA-2010-0006.1.

Description of the vulnerability

Several vulnerabilities were announced in Samba.

When the home directory of a user in /etc/passwd is empty, his "[homes]" share uses the root of the system. This user can therefore for example read files under /etc, or create files under /tmp. [severity:2/4; BID-36363, CVE-2009-2813]

When mount.cifs is installed suid root, a local attacker can use the "--verbose" option in order to display the first line of a read-protected file. [severity:1/4; BID-36572, CERTA-2009-AVI-420, CVE-2009-2948]

An authenticated attacker can use a malformed SMB query, in order to generate an infinite loop. [severity:1/4; BID-36573, CVE-2009-2906]

An attacker can therefore use several vulnerabilities of Samba, in order to access files, or to generate a denial of service.

computer vulnerability bulletin CVE-2009-2905

Newt: buffer overflow of Textbox

Synthesis of the vulnerability

An attacker can invite the victim to display malicious text data with an application linked with Newt, in order to execute code on his computer.
Impacted products: Debian, Fedora, Mandriva Linux, Mandriva NF, openSUSE, RHEL, SLES, Unix (platform) ~ not comprehensive, ESX.
Severity: 1/4.
Consequences: user access/rights.
Provenance: document.
Creation date: 24/09/2009.
Identifiers: BID-36515, CERTA-2010-AVI-106, CVE-2009-2905, DSA-1894-1, FEDORA-2009-9957, FEDORA-2009-9961, MDVSA-2009:249, MDVSA-2009:249-1, RHSA-2009:1463-01, SUSE-SR:2009:017, VIGILANCE-VUL-9048, VMSA-2010-0004, VMSA-2010-0004.1, VMSA-2010-0004.2, VMSA-2010-0004.3.

Description of the vulnerability

The Newt library is used to create text-mode (terminal) user interfaces with windows and widgets.

When the width of the window changes, the newtReflowText() function of the textbox.c file reflows and redraws text areas. However, the size of the memory needed to store the formatted text is incorrectly computed. For example, when the text area is 3 characters wide and the text is 100 characters long, the computed size is 16 bytes too short. A heap buffer overflow thus occurs.

This error mainly occurs when the text area has a small width and a big height (the number of overflowing bytes can be computed with "textsize/(windowwidth-1) - textsize/windowwidth").

An attacker can therefore invite the victim to display malicious text data with an application linked with Newt, and to resize his display, in order to execute code on his computer.