| The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them. |
|
 |
|
|
Computer vulnerabilities of Debian Wheezy
OpenOffice: code execution via WMF/EMF
Synthesis of the vulnerability
Two vulnerabilities of OpenOffice.org can be used by an attacker to execute code on computer of victims opening a malicious WMF/EMF document.
Impacted products: OpenOffice, Debian, Fedora, Mandriva Linux, Windows (platform) ~ not comprehensive, OpenSolaris, openSUSE, Solaris, Trusted Solaris, RHEL, Unix (platform) ~ not comprehensive.
Severity: 3/4.
Consequences: user access/rights.
Provenance: document.
Number of vulnerabilities in this bulletin: 2.
Creation date: 29/10/2008.
Identifiers: 242627, 243226, 6749452, 6751941, BID-31962, CERTA-2008-AVI-530, CVE-2008-2237, CVE-2008-2238, DSA-1661-1, FEDORA-2008-9313, FEDORA-2008-9333, MDVSA-2009:006, RHSA-2008:0939-00, SUSE-SR:2008:026, VIGILANCE-VUL-8208.
Description of the vulnerability
Two vulnerabilities of OpenOffice.org can be used by an attacker to execute code on computer of victims opening a malicious WMF/EMF document.
An attacker can create a malicious WML (Windows Metafile) image and invite the victim to open it in order to create a buffer overflow. [severity:3/4; CERTA-2008-AVI-530, CVE-2008-2237]
An attacker can create an EMF (Enhanced Metafile) image containing malicious EMR records and invite the victim to open it in order to create a buffer overflow. [severity:3/4; CVE-2008-2238]
Full Vigil@nce bulletin... (Free trial) |
Linux kernel: privilege elevation via ftruncate
Synthesis of the vulnerability
A local attacker can create a sgid file in order to obtain privileges of a group.
Impacted products: Debian, Linux, NLD, OES, openSUSE, RHEL, SLES, ESX, ESXi, VMware Server, vCenter Server, VirtualCenter.
Severity: 2/4.
Consequences: privileged access/rights.
Provenance: user shell.
Creation date: 24/09/2008.
Revision date: 28/10/2008.
Identifiers: BID-31368, CERTA-2002-AVI-192, CVE-2008-4210, DSA-1653-1, MDVSA-2008:220, MDVSA-2008:220-1, RHSA-2008:0957-02, RHSA-2008:0972-01, RHSA-2008:0973-03, RHSA-2009:0001-01, SUSE-SA:2008:051, SUSE-SA:2008:056, SUSE-SA:2008:057, SUSE-SR:2008:025, SUSE-SU-2011:0928-1, VIGILANCE-VUL-8132, VMSA-2009-0014, VMSA-2009-0014.1, VMSA-2009-0014.2.
Description of the vulnerability
Each file/directory has a owner and a group. The sgid bit (octal 02000) has the following meaning:
- on a file: when the file is executed, the process has the privileges of the group of the file (instead of the group of the user executing the file)
- on a directory: when a file is created in this directory, its group is the group of the directory (instead of the group of the user creating the file) (compatible BSD semantic)
The open() and creat() functions have a parameter to indicate the requested mode when a file is created. A local attacker can therefore create a file with the sgid bit in a directory which also has this bit. The file then has the group of the directory and the sgid bit. The attacker can then use the ftruncate() and mmap() functions to convert this program to a binary file (he cannot use write() because this function removes the sgid bit).
A local attacker can therefore create a sgid program in order to obtain the privileges of the group. To exploit this vulnerability, a sgid directory has to exist on the system.
Full Vigil@nce bulletin... (Free trial) |
GNU Enscript: buffer overflow via escape font
Synthesis of the vulnerability
An attacker can invite the victim to convert a malicious file with GNU Enscript in order to execute code on his computer.
Impacted products: Debian, Fedora, Mandriva Linux, RHEL, Unix (platform) ~ not comprehensive.
Severity: 2/4.
Consequences: user access/rights.
Provenance: document.
Creation date: 23/10/2008.
Identifiers: BID-31858, CERTA-2002-AVI-207, CVE-2008-4306, DSA-1670-1, FEDORA-2008-9351, FEDORA-2008-9372, MDVSA-2008:243, RHSA-2008:1016-01, RHSA-2008:1021-02, VIGILANCE-VUL-8197.
Description of the vulnerability
The GNU Enscript program converts a text file to PostScript, HTML or RTF.
The "-e" option of enscript enables the support of special patterns escaped by the null character (by default). For example, a text document can contain:
\x00bgcolor{r g b} : indicates the background color
\x00font{fontname} : indicates the font to use
etc.
The read_special_escape() function of the src/psgen.c file analyses these special patterns. When the "font' pattern is used, the font name (its size can be up to 4096 bytes) is copied to a 512 bytes array, which creates an overflow.
An attacker can therefore create a text file containing a malicious "font" pattern, and invite the victim to open it with "enscript -e" in order to execute code on his computer.
Full Vigil@nce bulletin... (Free trial) |
libspf2: buffer overflow via SPF
Synthesis of the vulnerability
An attacker can use a malicious SPF field in order to execute code on messaging servers linked with libspf2.
Impacted products: Debian, Unix (platform) ~ not comprehensive.
Severity: 3/4.
Consequences: user access/rights.
Provenance: internet client.
Creation date: 22/10/2008.
Revision date: 23/10/2008.
Identifiers: BID-31881, CERTA-2002-AVI-192, CERTA-2008-AVI-526, CVE-2008-2469, DSA-1659-1, VIGILANCE-VUL-8192, VU#183657.
Description of the vulnerability
The SPF (Sender Policy Framework) protocol defines the list of messaging servers allowed to send emails for a domain. For example:
- the administrator of the example1.dom domain adds in his DNS server a TXT record indicating "v=spf1 mx ~all", which means that only MX servers of example1.dom are allowed to send emails
- a user of the domain sends an email to example2.dom
- the SMTP server of example2.dom queries the DNS server of example1.dom (because the mail sender used an email address like @example1.dom), to check if the mail comes from an allowed server
The libspf2 library implements SPF, and can be installed on messaging servers such as Sendmail.
When libspf2 queries the DNS server of the mail sender, received data are stored in a 2048 bytes array, without correctly checking the data size.
An attacker can therefore:
- configure the DNS server of attacker.dom with a long SPF record
- send an email to victim.dom
- wait for the SMTP server of victim.dom to connect to the DNS server of attacker.dom, and for the overflow to occur.
An attacker can therefore use a malicious SPF field in order to execute code on messaging servers linked with libspf2.
Full Vigil@nce bulletin... (Free trial) |
Linux kernel: denial of service of SCTP
Synthesis of the vulnerability
An attacker can create an error in the SCTP protocol in order to panic the kernel.
Impacted products: Debian, Linux, openSUSE, RHEL.
Severity: 2/4.
Consequences: denial of service on server.
Provenance: user shell.
Creation date: 22/10/2008.
Identifiers: BID-31848, CERTA-2002-AVI-217, CVE-2008-4618, DSA-1681-1, RHSA-2009:0009-02, SUSE-SA:2008:053, VIGILANCE-VUL-8194.
Description of the vulnerability
The SCTP protocol (Stream Control Transmission Protocol) can be used to send one or several streams.
When an error occurs in SCTP, the sctp_sf_abort_violation() function is called to interrupt the session. However, its parameters are incorrectly handled, which creates an error and stops the computer.
An attacker can therefore create an error in the SCTP protocol in order to panic the kernel.
Full Vigil@nce bulletin... (Free trial) |
VLC: memory corruptions via TY
Synthesis of the vulnerability
An attacker can create a malformed TiVo file in order to create a denial of service or to execute code on computers of VLC users.
Impacted products: Debian, VLC.
Severity: 2/4.
Consequences: user access/rights, denial of service on client.
Provenance: document.
Number of vulnerabilities in this bulletin: 2.
Creation date: 20/10/2008.
Revision date: 22/10/2008.
Identifiers: BID-31813, BID-31867, CERTA-2008-AVI-528, CVE-2008-4654, CVE-2008-4686, DSA-1819-1, TKADV2008-010, VideoLAN-SA-0809, VIGILANCE-VUL-8183.
Description of the vulnerability
The VideoLAN VLC program displays multimedia documents.
The libty_plugin can be used to open TiVo files. It has two vulnerabilities.
If the TV file contains long data, a buffer overflow occurs in parse_master(). [severity:2/4; CERTA-2008-AVI-528, CVE-2008-4654, TKADV2008-010, VideoLAN-SA-0809]
A malformed file can create several integer overflows. [severity:2/4; BID-31867, CVE-2008-4686]
An attacker can therefore create a malformed TiVo file in order to create a denial of service or to execute code on computers of VLC users.
Full Vigil@nce bulletin... (Free trial) |
Ruby: multiple vulnerabilites
Synthesis of the vulnerability
Several vulnerabilities have been discovered in Ruby.
Impacted products: Debian, Fedora, Mandriva Linux, openSUSE, RHEL, Slackware, Unix (platform) ~ not comprehensive.
Severity: 3/4.
Consequences: privileged access/rights, denial of service on service.
Provenance: user shell.
Number of vulnerabilities in this bulletin: 6.
Creation date: 08/08/2008.
Revision date: 22/10/2008.
Identifiers: 415678, CERTA-2002-AVI-192, CERTA-2008-AVI-353, CERTA-2008-AVI-358, CERTA-2008-AVI-359, CERTA-2008-AVI-360, CERTA-2008-AVI-375, CERTA-2008-AVI-402, CVE-2008-1447, CVE-2008-3443, CVE-2008-3655, CVE-2008-3656, CVE-2008-3657, CVE-2008-3905, DSA-1651-1, DSA-1652-1, DSA-1695-1, FEDORA-2008-8736, FEDORA-2008-8738, MDVSA-2008:226, RHSA-2008:0895-02, RHSA-2008:0896-01, RHSA-2008:0897-01, RHSA-2008:0981-02, SSA:2008-334-01, SUSE-SR:2008:017, VIGILANCE-VUL-8005.
Description of the vulnerability
Several vulnerabilities have been discovered in Ruby.
Safe Level is a variable which determines a level of paranoia in a program. In Ruby several functions are executed with an insufficient level of checking (Safe level too low) [severity:1/4; CVE-2008-3655]
The "dl" library doesn't normalise requests received. It can be used to execute code. [severity:3/4; CVE-2008-3657]
"WEBrick::HTTP::DefaultFileHandler" module uses an exponential delay to treat requests, this is due to the utilisation of a regular expression in "WEBrick::HTTPUtils.split_header_value" algorithm. [severity:2/4; CVE-2008-3656]
The "resolv.rb" can be used by an attacker to spoof DNS answers. [severity:2/4; CERTA-2008-AVI-353, CERTA-2008-AVI-358, CERTA-2008-AVI-359, CERTA-2008-AVI-360, CERTA-2008-AVI-375, CERTA-2008-AVI-402, CVE-2008-1447]
An attacker can send several data to a socket in order to create a denial of service. [severity:2/4; CVE-2008-3443]
DNS identifiers are sequentials, so an attacker can predict them to send fake DNS answers. [severity:2/4; CVE-2008-3905]
Full Vigil@nce bulletin... (Free trial) |
Wireshark: denials of service
Synthesis of the vulnerability
Several vulnerabilities of Wireshark can be used by a remote attacker to create a denial of service.
Impacted products: Debian, Ethereal, Mandriva Linux, NLD, OES, openSUSE, RHEL, SLES, Wireshark.
Severity: 1/4.
Consequences: denial of service on service.
Provenance: internet client.
Number of vulnerabilities in this bulletin: 7.
Creation date: 21/10/2008.
Identifiers: BID-31838, CERTA-2002-AVI-207, CVE-2008-4680, CVE-2008-4681, CVE-2008-4682, CVE-2008-4683, CVE-2008-4684, CVE-2008-4685, DSA-1673-1, MDVSA-2008:215, RHSA-2009:0313-01, SUSE-SR:2009:001, VIGILANCE-VUL-8187, wnpa-sec-2008-06.
Description of the vulnerability
The Wireshark/Ethereal program captures packets, in order to help administrator solving network problems. Protocols are decoded by dissectors. They have several vulnerabilities.
An attacker can send Bluetooth ACL data in order to stop Wireshark. [severity:1/4; CVE-2008-4683]
An attacker can send Q.931 data in order to stop Wireshark. [severity:1/4; CVE-2008-4685]
An attacker can invite the administrator to open a Tamos CommView capture in order to stop Wireshark. [severity:1/4; CVE-2008-4682]
A local attacker can send USB data in order to stop Wireshark. [severity:1/4; CVE-2008-4680]
An attacker can send Bluetooth RFCOMM data in order to stop Wireshark. [severity:1/4; CVE-2008-4681]
An attacker can send PRP data in order to stop Wireshark. [severity:1/4; CVE-2008-4684]
An attacker can send MATE data in order to stop Wireshark. [severity:1/4; CVE-2008-4684]
Full Vigil@nce bulletin... (Free trial) |
RealVNC: vulnerability of VNC Viewer
Synthesis of the vulnerability
An attacker can create a malicious VNC server and invite the victim to connect to it with VNC Viewer in order to execute code on the computer.
Impacted products: Debian, Fedora, OpenSolaris, Solaris, RealVNC, RHEL.
Severity: 2/4.
Consequences: user access/rights.
Provenance: intranet server.
Creation date: 20/10/2008.
Identifiers: 248526, 6777095, BID-31832, CERTA-2002-AVI-229, CERTA-2009-AVI-035, CVE-2008-4770, DSA-1716-1, FEDORA-2009-0991, FEDORA-2009-1001, RHSA-2009:0261-01, VIGILANCE-VUL-8186.
Description of the vulnerability
VNC uses the RFB protocol (Remote FrameBuffer) to access to the remote host.
The RealVNC product is composed of two modules:
- VNC Server: to be installed on the computer to administer
- VNS Viewer: to be installed on the client
The CMsgReader::readRect() function of the common/rfb/CMsgReader.cxx file, used in VNC Viewer, does not correctly check received messages.
An attacker can therefore create a malicious VNC server and invite the victim to connect to it with VNC Viewer in order to execute code on the computer.
Full Vigil@nce bulletin... (Free trial) |
Linux kernel: denial of service with Intel G33/i915
Synthesis of the vulnerability
When the system has an Intel mother board with an i915 graphic chipset, a local attacker can fill the memory with zeros.
Impacted products: Debian, Fedora, Linux, Mandriva Linux, OpenSolaris, openSUSE, RHEL.
Severity: 1/4.
Consequences: denial of service on server.
Provenance: user shell.
Creation date: 20/10/2008.
Identifiers: 245846, 6754496, BID-31792, CVE-2008-3831, DSA-1655-1, FEDORA-2008-8929, FEDORA-2008-8980, MDVSA-2008:224, MDVSA-2008:224-1, RHSA-2008:1017-01, RHSA-2009:0009-02, SUSE-SA:2009:003, VIGILANCE-VUL-8184.
Description of the vulnerability
The drivers/gpu/drm/i915/i915_dma.c file implements the driver for i915 graphic chipsets.
The DRM_I915_HWS_ADDR ioctl calls i915_set_status_page() to change information about the driver. However, all users can call this ioctl, whereas it should be restricted to root only.
A local attacker can therefore use this ioctl to reset memory fragments.
Full Vigil@nce bulletin... (Free trial) |
Our database contains other pages. You can request a free trial to read them.
Display information about Debian Wheezy:
|