The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of Debian Stretch

threat alert CVE-2010-1162

Linux kernel: denial of service via release_one_tty

Synthesis of the vulnerability

A local attacker can use ttys, in order to generate a resource leak in the kernel.
Severity: 1/4.
Creation date: 15/04/2010.
Identifiers: BID-39480, CVE-2010-1162, DSA-2053-1, FEDORA-2010-7779, MDVSA-2010:188, MDVSA-2010:198, openSUSE-SU-2010:0664-1, RHSA-2010:0631-01, SUSE-SA:2010:031, SUSE-SA:2010:046, VIGILANCE-VUL-9593.
Full Vigil@nce bulletin... (Free trial)

Description of the vulnerability

The release_one_tty() function of the drivers/char/tty_io.c file is called when a tty (terminal interface) is closed.

This function calls free_tty_struct() to free the tty structure, which contains the pgrp (process group id) and session fields. However, the pid structures referenced by those fields are not released.

A local attacker can therefore use ttys, in order to generate a resource leak in the kernel.

computer vulnerability alert CVE-2010-0436

KDE: permission change via KDM

Synthesis of the vulnerability

A local attacker can use KDM to force a file to become world writable.
Severity: 2/4.
Creation date: 14/04/2010.
Identifiers: 570613, BID-39467, CERTA-2010-AVI-187, CVE-2010-0436, DSA-2037-1, MDVSA-2010:074, RHSA-2010:0348-01, SSA:2010-110-02, SUSE-SR:2010:009, VIGILANCE-VUL-9586.

Description of the vulnerability

The KDM environment uses a control socket (/var/run/xdmctl/dmctl-$DISPLAY/socket).

When the user authenticates on KDM, the dmctl-$DISPLAY directory is created, and a new socket is created. The mode of the socket is then changed to 0666.

However, the user can replace the socket with a link to an arbitrary file on the system, so the mode of that file becomes 0666 instead.

A local attacker can therefore use KDM to force a file to become world writable. He can then acquire root privileges.

weakness bulletin CVE-2010-0629

MIT krb5: denial of service of kadmind

Synthesis of the vulnerability

An authenticated attacker can send an API version number that is too high, in order to stop the kadmind daemon of MIT krb5 version 1.5 to 1.6.3.
Severity: 2/4.
Creation date: 07/04/2010.
Identifiers: 567052, BID-39247, CVE-2010-0629, DSA-2031-1, FEDORA-2010-6108, MDVSA-2010:071, MITKRB5-SA-2010-003, RHSA-2010:0343-01, SUSE-SR:2010:009, VIGILANCE-VUL-9562.

Description of the vulnerability

The kadmind daemon of MIT krb5 version 1.5 to 1.6.3 customizes error messages using the current context.

The kadmin client indicates the API (Application Programming Interface) version number it uses. When kadmind receives an unsupported version number, the stub init_2_svc() function generates an error message by calling krb5_get_error_message(). However, this message uses an uninitialized context, which crashes the daemon.

An authenticated attacker can therefore send an API version number that is too high, in order to stop the kadmind daemon of MIT krb5 version 1.5 to 1.6.3.

computer threat announcement CVE-2010-0743

iscsitarget: format string attack

Synthesis of the vulnerability

An attacker can send a malformed name, in order to trigger two format string vulnerabilities in iSCSI Enterprise Target, leading to a denial of service and possibly to code execution.
Severity: 3/4.
Creation date: 02/04/2010.
Identifiers: 574935, CERTA-2002-AVI-255, CVE-2010-0743, DSA-2042-1, MDVSA-2010:131, openSUSE-SU-2010:0608-1, RHSA-2010:0362-01, SUSE-SR:2010:017, VIGILANCE-VUL-9556.

Description of the vulnerability

The iSCSI protocol is used to share storage devices on the network. The iSNS (Internet Storage Name Service) protocol is used to discover and administer iSCSI devices.

The iSCSI Enterprise Target product implements iSNS. The isns_attr_query() function of the usr/iscsi/isns.c file stores iSNS names in the "mgmt->name" variable. The following code is used twice:
  snprintf(mgmt->name, sizeof(mgmt->name), name);
However, the "%s" format parameter is missing, so the name itself is interpreted as the format string, and any conversion directive it contains is evaluated by snprintf().

An attacker can therefore send a malformed name, in order to trigger two format string vulnerabilities in iSCSI Enterprise Target, leading to a denial of service and possibly to code execution.
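The two snprintf() forms side by side, as an added example that is not iscsitarget's own code: the corrected call passes the name as an argument to a literal "%s" format, so directives in the name are stored verbatim, and a small helper flags names containing '%' for logging or test fixtures. NAME_LEN, the function names and the global buffer are assumptions.

```c
/* Added example, not from iSCSI Enterprise Target. Shows the corrected
 * snprintf() form from the bulletin next to a defensive check. */
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

#define NAME_LEN 256          /* assumed size of mgmt->name, not the project's value */
static char g_name[NAME_LEN]; /* stand-in for mgmt->name in this example */

/* Defective shape from the bulletin, kept only for comparison and never
 * called with untrusted input here: the name IS the format string.
 * GCC's -Wformat-security reports this call site. */
int copy_name_vulnerable(char *dst, size_t size, const char *name)
{
    return snprintf(dst, size, name);
}

/* Corrected form: the format is a literal and the name is plain data,
 * so "%x" or "%n" inside the name is copied, not interpreted. */
int copy_name_fixed(char *dst, size_t size, const char *name)
{
    return snprintf(dst, size, "%s", name);
}

/* Conservative check: true if the name contains any '%'. A name that
 * carries '%' is harmless with copy_name_fixed(), but logging it helps
 * spot probes against an unpatched target. */
bool name_has_format_directive(const char *name)
{
    return strchr(name, '%') != NULL;
}

int main(void)
{
    /* Constructed hostile name; would be dangerous only with the vulnerable form. */
    const char *hostile = "%x%x%n";
    copy_name_fixed(g_name, sizeof g_name, hostile);
    printf("stored verbatim: %s (flagged=%d)\n", g_name,
           name_has_format_directive(hostile));
    return 0;
}
```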

threat alert CVE-2009-3555 CVE-2010-0173 CVE-2010-0174

Firefox, SeaMonkey, Thunderbird: several vulnerabilities

Synthesis of the vulnerability

Several vulnerabilities of Firefox, SeaMonkey and Thunderbird can be used by an attacker to execute code on the victim's computer.
Severity: 4/4.
Number of vulnerabilities in this bulletin: 9.
Creation date: 31/03/2010.
Identifiers: 375928, 39479, 452093, 488850, 491722, 496011, 499844, 499862, 504021, 538308, 538310, 540100, 542136, 545755, 546530, 546909, BID-36935, BID-39079, BID-39122, BID-39123, BID-39124, BID-39125, BID-39128, BID-39133, BID-39137, CERTA-2009-AVI-528, CERTA-2010-AVI-135, CERTA-2010-AVI-149, CERTA-2010-AVI-196, CERTA-2010-AVI-239, CERTA-2010-AVI-241, CERTA-2010-AVI-365, CERTA-2010-AVI-513, CERTA-2010-AVI-573, CERTA-2011-AVI-253, CERTA-2012-AVI-241, CVE-2009-3555, CVE-2010-0173, CVE-2010-0174, CVE-2010-0175, CVE-2010-0176, CVE-2010-0177, CVE-2010-0178, CVE-2010-0179, CVE-2010-0181, CVE-2010-0182, DSA-2027-1, FEDORA-2010-5561, FEDORA-2010-5840, FEDORA-2010-6204, FEDORA-2010-6236, MDVSA-2010:070, MDVSA-2010:070-1, MFSA 2010-08, MFSA 2010-16, MFSA 2010-17, MFSA 2010-18, MFSA 2010-19, MFSA 2010-20, MFSA 2010-21, MFSA 2010-22, MFSA 2010-23, MFSA 2010-24, openSUSE-SU-2014:1100-1, RHSA-2010:0332-01, RHSA-2010:0333-01, RHSA-2010:0500-01, RHSA-2010:0501-01, SSA:2010-090-02, SSA:2010-095-01, SSA:2010-095-02, SSA:2010-095-03, SUSE-SA:2010:021, SUSE-SA:2011:003, VIGILANCE-VUL-9549, VU#120541, ZDI-10-048, ZDI-10-049, ZDI-10-050.

Description of the vulnerability

Several vulnerabilities were announced in Firefox, SeaMonkey and Thunderbird.

An attacker can generate several memory corruptions, leading to code execution. [severity:4/4; 488850, 491722, 496011, 499844, 499862, 542136, 546530, BID-39122, BID-39125, CVE-2010-0173, CVE-2010-0174, MFSA 2010-16]

An attacker can create an HTML document containing an object with a selection event. When this object is deleted, freed memory is used in nsTreeSelection. [severity:4/4; 375928, 540100, BID-39123, CVE-2010-0175, MFSA 2010-17, ZDI-10-050]

When OPTGROUP elements are removed from an OPTION element, an invalid pointer is used in nsTreeContentView. [severity:4/4; 538308, BID-39128, CVE-2010-0176, MFSA 2010-18, ZDI-10-048]

An attacker can reload a page containing plugins, in order to corrupt the memory of window.navigator.plugins. [severity:4/4; 538310, BID-39133, CVE-2010-0177, MFSA 2010-19, ZDI-10-049]

An attacker can transform a click event into a drag-and-drop, which leads to code execution with chrome (browser UI) privileges. [severity:4/4; 546909, BID-39137, CVE-2010-0178, MFSA 2010-20]

When the Firebug module is installed, an attacker can use XMLHttpRequestSpy, in order to execute privileged JavaScript code. [severity:3/4; 504021, BID-39124, CVE-2010-0179, MFSA 2010-21]

Firefox can be configured to block the vulnerability VIGILANCE-VUL-9181 (TLS renegotiation). [severity:2/4; 545755, BID-36935, CERTA-2009-AVI-528, CERTA-2010-AVI-149, CERTA-2010-AVI-196, CERTA-2010-AVI-239, CERTA-2010-AVI-241, CERTA-2010-AVI-365, CERTA-2010-AVI-513, CERTA-2010-AVI-573, CERTA-2011-AVI-253, CERTA-2012-AVI-241, CVE-2009-3555, MFSA 2010-22, VU#120541]

An attacker can use an image with a "mailto:" URI, in order to automatically open the mail composer. [severity:1/4; 452093, CVE-2010-0181, MFSA 2010-23]

The XMLDocument::load() method does not check nsIContentPolicy. [severity:2/4; 39479, CVE-2010-0182, MFSA 2010-24]

The most severe vulnerabilities lead to code execution.

cybersecurity announcement CVE-2010-1187

Linux kernel: denial of service via TIPC

Synthesis of the vulnerability

When the Linux kernel supports TIPC, a local attacker can use a TIPC socket, in order to stop the system.
Severity: 1/4.
Creation date: 30/03/2010.
Identifiers: BID-39120, CVE-2010-1187, DSA-2053-1, MDVSA-2010:188, MDVSA-2010:198, RHSA-2010:0504-01, VIGILANCE-VUL-9546, VMSA-2011-0003, VMSA-2011-0003.1, VMSA-2011-0003.2.

Description of the vulnerability

The TIPC (Transparent Inter-Process Communication) protocol is used for the communication of processes located on different nodes of a cluster. TIPC uses the AF_TIPC socket family.

A local attacker can open an AF_TIPC socket and, before TIPC has entered network mode (NET_MODE), send a message destined to another node. The kernel then dereferences the tipc_net.zones pointer, which is still NULL.

When the Linux kernel supports TIPC, a local attacker can therefore use a TIPC socket, in order to stop the system.

cybersecurity threat CVE-2010-1084

Linux kernel: memory corruption via Bluetooth

Synthesis of the vulnerability

A local attacker can create several Bluetooth sockets, in order to generate a denial of service, or possibly to execute code.
Severity: 2/4.
Creation date: 23/03/2010.
Identifiers: BID-38898, CVE-2010-1084, DSA-2053-1, RHSA-2010:0610-01, RHSA-2010:0631-01, VIGILANCE-VUL-9529, VMSA-2011-0003, VMSA-2011-0003.1, VMSA-2011-0003.2.

Description of the vulnerability

The Linux kernel implements various protocols used by Bluetooth:
 - L2CAP (Logical Link Control and Adaptation Protocol): adaptation of application data (segmentation)
 - RFCOMM: RS-232 serial port emulation
 - SCO (Synchronous Connection Oriented): voice

Information on open sockets is readable via sysfs (/sys), through the following functions:
 - l2cap_sysfs_show()
 - rfcomm_dlc_sysfs_show()
 - rfcomm_sock_sysfs_show()
 - sco_sysfs_show()
These functions write their output into a memory page of size PAGE_SIZE, and each socket requires a few bytes. However, these functions do not check whether the page is already full (which happens when too many sockets are open), so the kernel writes past the end of the page.

A local attacker can therefore create several Bluetooth sockets, in order to generate a denial of service, or possibly to execute code.

computer weakness CVE-2009-0689 CVE-2009-2463 CVE-2009-3072

SeaMonkey, Thunderbird: several vulnerabilities

Synthesis of the vulnerability

Several vulnerabilities of SeaMonkey and Thunderbird can be used by an attacker to execute code on the victim's computer.
Severity: 4/4.
Number of vulnerabilities in this bulletin: 6.
Creation date: 18/03/2010.
Identifiers: 487872, 506871, 511521, 516396, 516862, BID-36851, BID-36867, BID-37366, BID-38830, BID-38831, CERTA-2009-AVI-414, CERTA-2009-AVI-509, CERTA-2009-AVI-520, CERTA-2010-AVI-135, CERTA-2010-AVI-280, CVE-2009-0689, CVE-2009-1563-REJECT, CVE-2009-2463, CVE-2009-3072, CVE-2009-3075, CVE-2009-3077, CVE-2009-3376, CVE-2009-3385, CVE-2009-3983, CVE-2010-0161, CVE-2010-0163, DSA-2025-1, FEDORA-2010-7100, MDVSA-2010:071, MFSA 2009-49, MFSA 2009-59, MFSA 2009-62, MFSA 2009-68, MFSA 2010-06, MFSA 2010-07, RHSA-2010:0499-01, SSA:2010-090-03, SSA:2010-095-01, SSA:2010-095-02, SSA:2010-095-03, VIGILANCE-VUL-9521, ZDI-09-065.

Description of the vulnerability

Several vulnerabilities were announced in SeaMonkey and Thunderbird.

An attacker can use a XUL TreeColumns tree in order to corrupt memory and execute code. [severity:4/4; 506871, CVE-2009-3077, MFSA 2009-49, ZDI-09-065]

An attacker can corrupt memory when a string is converted to a floating-point number, which leads to code execution. [severity:4/4; 516396, 516862, BID-36851, CERTA-2009-AVI-414, CERTA-2009-AVI-509, CERTA-2009-AVI-520, CERTA-2010-AVI-280, CVE-2009-0689, CVE-2009-1563-REJECT, MFSA 2009-59]

An attacker can disguise the name of a file by using right-to-left characters in it. [severity:1/4; 511521, BID-36867, CVE-2009-3376, MFSA 2009-62]

An attacker can use NTLM authentication data, to authenticate on several sites. [severity:3/4; 487872, BID-37366, CVE-2009-3983, MFSA 2009-68]

An attacker can send an email containing a Flash object, in order to execute code in SeaMonkey Mail. [severity:3/4; BID-38830, CVE-2009-3385, MFSA 2010-06]

An attacker can generate several memory corruptions, leading to code execution. [severity:4/4; BID-38831, CVE-2009-2463, CVE-2009-3072, CVE-2009-3075, CVE-2010-0161, CVE-2010-0163, MFSA 2010-07]

weakness announcement CVE-2010-1132

SpamAssassin Milter: command execution

Synthesis of the vulnerability

When SpamAssassin Milter expands email addresses, a remote attacker can execute commands on the system.
Severity: 3/4.
Creation date: 08/03/2010.
Revision date: 16/03/2010.
Identifiers: BID-38578, CERTA-2010-AVI-135, CVE-2010-1132, DSA-2021-1, DSA-2021-2, FEDORA-2010-5096, FEDORA-2010-5112, FEDORA-2010-5176, VIGILANCE-VUL-9504.

Description of the vulnerability

The SpamAssassin Milter program can be installed with Sendmail/Postfix, in order to transfer emails to SpamAssassin.

The "-x" option of spamass-milter requests the expansion of email addresses, for example by reading the alias table. To check the validity of an email address and obtain the list of aliases, SpamAssassin Milter executes the following command via popen():
  sendmail -bv "email@server.dom"

However, the email address is not filtered before being inserted in this command line, which popen() hands to a shell. An attacker can therefore use an email address containing a shell metacharacter, in order to execute a shell command.

When SpamAssassin Milter expands email addresses, a remote attacker can thus execute commands on the system.
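Added example, not spamass-milter's own code: the single-string command construction the bulletin describes next to an argv-based alternative that never involves a shell, plus an allow-list check on the address. The function names, the allow-list, the 512-byte buffer and the "sendmail" lookup via PATH are assumptions.

```c
/* Added example, not from spamass-milter. Contrasts a popen()-style
 * command string with exec of a fixed argv, and adds an allow-list. */
#include <stdio.h>
#include <string.h>
#include <stdbool.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

static char g_cmd[512]; /* holds the command line built for comparison */

/* Allow-list narrower than RFC 5321 on purpose: anything outside it is
 * rejected rather than quoted, so no shell syntax can ride along. */
bool address_is_safe(const char *addr)
{
    static const char allowed[] =
        "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789@._+-";
    size_t n = strlen(addr);
    return n > 0 && n <= 254 && strspn(addr, allowed) == n && strchr(addr, '@');
}

/* Shape from the bulletin: one string later passed to popen(), i.e. to
 * "sh -c". Backticks, $(...) or a stray '"' inside addr become shell
 * syntax. Built here only to inspect; never passed to popen(). */
int build_popen_command(char *out, size_t size, const char *addr)
{
    return snprintf(out, size, "sendmail -bv \"%s\"", addr);
}

/* Safer shape: validate, then exec with the address as a single argv
 * element. No shell runs, so metacharacters are never interpreted.
 * Returns the child's exit status, or -1 on rejection or error. */
int run_sendmail_bv(const char *addr)
{
    if (!address_is_safe(addr))
        return -1;
    char *const argv[] = { "sendmail", "-bv", (char *)addr, NULL };
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execvp(argv[0], argv);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```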

security note CVE-2010-0397

PHP: denial of service of xmlrpc

Synthesis of the vulnerability

The xmlrpc_decode_request() function of PHP does not validate XML data, which leads to a NULL pointer dereference.
Severity: 1/4.
Creation date: 15/03/2010.
Identifiers: 573573, BID-38708, CERTA-2002-AVI-261, CERTA-2010-AVI-385, CVE-2010-0397, DSA-2018-1, MDVSA-2010:068, MDVSA-2010:139, MDVSA-2010:140, openSUSE-SU-2010:0599-1, openSUSE-SU-2010:0678-1, RHSA-2010:0919-01, SUSE-SR:2010:012, SUSE-SR:2010:013, SUSE-SR:2010:017, VIGILANCE-VUL-9514.

Description of the vulnerability

The xmlrpc extension of PHP is used to manage remote procedure calls, expressed as XML. For example:
  <methodCall>
    <methodName>function</methodName>
    <params>...</params>
  </methodCall>

The xmlrpc_decode_request() function decodes this XML data. However, if the "methodName" element is missing, a NULL pointer is dereferenced in xmlrpc_decode_request().

An attacker is generally not allowed to send xmlrpc data (otherwise, he can execute any public method). However, if an attacker is allowed to send them, he can send malformed data, in order to stop applications using xmlrpc_decode_request().