The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of Debian Wheezy

vulnerability alert CVE-2007-4850 CVE-2008-0599 CVE-2008-0674

PHP 5: several vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of PHP in order to create a denial of service or to execute code.
Impacted products: Debian, Fedora, HP-UX, Mandriva Linux, Mandriva NF, openSUSE, PHP, RHEL, Slackware, SLES, TurboLinux.
Severity: 3/4.
Consequences: user access/rights, denial of service on service.
Provenance: internet client.
Number of vulnerabilities in this bulletin: 7.
Creation date: 05/05/2008.
Revisions dates: 06/05/2008, 07/05/2008.
Identifiers: BID-27413, BID-27786, BID-28392, BID-29009, c01756421, c01905287, CERTA-2008-AVI-084, CERTA-2008-AVI-225, CERTA-2008-AVI-239, CERTA-2008-AVI-388, CERTA-2009-AVI-309, CVE-2007-4850, CVE-2008-0599, CVE-2008-0674, CVE-2008-1384, CVE-2008-2050, CVE-2008-2051, CVE-2008-2107, CVE-2008-2108, DSA-1572-1, DSA-1578-1, DSA-1789-1, emr_na-c01476437, FEDORA-2008-3606, FEDORA-2008-3864, HPSBUX02342, HPSBUX02431, HPSBUX02465, MDVSA-2008:125, MDVSA-2008:126, MDVSA-2008:127, MDVSA-2008:128, MDVSA-2008:129, MDVSA-2008:130, MDVSA-2009:021, MDVSA-2009:022, MDVSA-2009:023, MDVSA-2009:024, RHSA-2008:0505-01, RHSA-2008:0544-01, RHSA-2008:0545-01, RHSA-2008:0546-01, RHSA-2008:0582-01, SE-2008-02, SE-2008-03, SSA:2008-128-01, SSRT080063, SSRT090085, SSRT090192, SUSE-SR:2008:014, TLSA-2008-27, TLSA-2009-2, VIGILANCE-VUL-7791, VU#147027.

Description of the vulnerability

Several vulnerabilities were announced in PHP.

An attacker can create a stack overflow in the FastCGI SAPI in order to execute code or to create a denial of service. [severity:3/4; CVE-2008-2050]

An attacker, allowed to upload a malicious PHP script, can execute code via printf() functions (VIGILANCE-VUL-7692). [severity:2/4; BID-28392, CVE-2008-1384]

An error in the computation of path_translated size creates an overflow, which can lead to code execution depending on the context. [severity:3/4; CERTA-2008-AVI-225, CVE-2008-0599, VU#147027]

A local attacker can use cURL functions to read files by bypassing safe mode restrictions (VIGILANCE-VUL-7524). [severity:1/4; BID-27413, CERTA-2008-AVI-388, CVE-2007-4850]

The escapeshellcmd() and escapeshellarg() functions can be bypassed by using multibyte characters. [severity:2/4; CVE-2008-2051, SE-2008-03]

When an attacker can change the PCRE regular expression, they can corrupt its memory, for example in order to execute code (VIGILANCE-VUL-7593). [severity:1/4; BID-27786, CERTA-2008-AVI-084, CERTA-2009-AVI-309, CVE-2008-0674]

Random generators are initialized by GENERATE_SEED(), which can be predicted in some cases. [severity:1/4; CVE-2008-2107, CVE-2008-2108, SE-2008-02]

These vulnerabilities are local or remote depending on the context.

computer vulnerability bulletin CVE-2008-1669

Linux kernel: denial of service via fcntl_setlk/close

Synthesis of the vulnerability

On an SMP computer, a local attacker can run two processes simultaneously in order to create a denial of service.
Impacted products: Debian, Fedora, Linux, Mandriva Linux, openSUSE, RHEL, SLES, ESX.
Severity: 1/4.
Consequences: denial of service on server.
Provenance: user shell.
Creation date: 07/05/2008.
Identifiers: BID-29076, CERTA-2008-AVI-239, CVE-2008-1669, DSA-1575-1, FEDORA-2008-3873, FEDORA-2008-3949, FEDORA-2008-4043, MDVSA-2008:104, MDVSA-2008:105, MDVSA-2008:167, RHSA-2008:0211-01, RHSA-2008:0233-01, RHSA-2008:0237-01, SUSE-SA:2008:030, SUSE-SA:2008:032, SUSE-SA:2008:035, SUSE-SA:2008:038, VIGILANCE-VUL-7798, VMSA-2008-00011, VMSA-2008-00011.1, VMSA-2008-00011.2.

Description of the vulnerability

The fcntl() function manages the state of a file descriptor. The close() function closes a file descriptor.

On an SMP computer, when two processes simultaneously call fcntl_setlk() to lock a file descriptor and close() on that descriptor, an error occurs in the handling of the file descriptor table.

A local attacker can thus create a denial of service.

computer vulnerability announce CVE-2007-6282

Linux kernel: denial of service of IPSec

Synthesis of the vulnerability

An attacker can send a fragmented IPSec ESP packet in order to stop the kernel.
Impacted products: Debian, Linux, NLD, openSUSE, RHEL, SLES.
Severity: 3/4.
Consequences: denial of service on server.
Provenance: internet client.
Creation date: 07/05/2008.
Identifiers: BID-29081, CERTA-2002-AVI-206, CVE-2007-6282, DSA-1630-1, RHSA-2008:0237-01, RHSA-2008:0275-01, RHSA-2008:0585-01, RHSA-2008:0849-5, SUSE-SA:2008:030, SUSE-SA:2008:031, SUSE-SA:2008:032, SUSE-SU-2011:0928-1, VIGILANCE-VUL-7797.

Description of the vulnerability

An IPSec packet starts with:
 - an ESP header of 8 bytes
 - an Initialization Vector (IV) of 8/16/etc. bytes depending on the algorithm (3DES-CBC/AES-CBC/etc.)

The IP protocol fragments packet data in multiples of 8 bytes. An attacker can therefore split an ESP packet into two parts: the 8 bytes of the header, then the remaining bytes containing the IV. However, when the Linux kernel receives the first fragment, the esp_input()/esp6_input() function tries to access the IV, which stops the kernel via BUG().

An attacker can therefore send a fragmented ESP packet in order to create a denial of service.

computer vulnerability CVE-2008-1294

Linux kernel: bypassing RLIMIT_CPU

Synthesis of the vulnerability

A local attacker can bypass the limit imposed by RLIMIT_CPU.
Impacted products: Debian, Linux, RHEL, SLES.
Severity: 1/4.
Consequences: data creation/edition.
Provenance: user shell.
Creation date: 05/05/2008.
Identifiers: 107209, 419706, BID-29004, CVE-2008-1294, DSA-1565-1, RHSA-2008:0612-01, SUSE-SA:2009:017, VIGILANCE-VUL-7795.

Description of the vulnerability

The administrator can limit resources granted to users:
 - RLIMIT_STACK: limit stack size
 - RLIMIT_CPU: limit CPU time
 - etc.

However, due to a change in kernel 2.6.17, a local attacker can bypass RLIMIT_CPU by choosing a zero value. Indeed, a zero value is interpreted as if no restriction were applied.

A local attacker can therefore bypass the CPU execution time limit.

vulnerability announce CVE-2008-1375

Linux kernel: sending a signal

Synthesis of the vulnerability

A local attacker can use a race condition between fcntl() and close() in order to create an error which can be used to send a signal to an arbitrary process.
Impacted products: Debian, Fedora, Linux, Mandriva Linux, NLD, openSUSE, RHEL, SLES, ESX.
Severity: 1/4.
Consequences: data creation/edition.
Provenance: user shell.
Creation date: 05/05/2008.
Identifiers: BID-29003, CVE-2008-1375, DSA-1565-1, FEDORA-2008-3873, FEDORA-2008-3949, MDVSA-2008:104, MDVSA-2008:105, MDVSA-2008:167, RHSA-2008:0211-01, RHSA-2008:0233-01, RHSA-2008:0237-01, SUSE-SA:2008:030, SUSE-SA:2008:031, SUSE-SA:2008:032, SUSE-SU-2011:0928-1, VIGILANCE-VUL-7792, VMSA-2008-00011, VMSA-2008-00011.1, VMSA-2008-00011.2.

Description of the vulnerability

The fcntl() and close() functions work on file descriptors.

A local attacker can create a race condition between these functions to force a dnotify_struct structure to be inserted at a bad location in a linked list. This structure can thus never be deleted. The attacker can then fill the memory area it points to with data specifying a signal number or process number of their choice. This signal is then sent by send_sigio().

A local attacker can therefore force the system to send a signal to a chosen process.

vulnerability bulletin CVE-2008-1927

Perl: double free via UTF-8

Synthesis of the vulnerability

When an attacker can change the regular expression used by a Perl program, they can corrupt its memory, for example in order to execute code.
Impacted products: Debian, Fedora, Mandriva Linux, Mandriva NF, openSUSE, Perl Core, RHEL, ESX, ESXi.
Severity: 1/4.
Consequences: user access/rights, denial of service on service.
Provenance: document.
Creation date: 25/04/2008.
Identifiers: 454792, 48156, BID-28928, CERTA-2002-AVI-203, CERTA-2008-AVI-327, CVE-2008-1927, DSA-1556-1, DSA-1556-2, FEDORA-2008-3392, FEDORA-2008-3399, MDVSA-2008:100, RHSA-2008:0522-01, RHSA-2008:0532-01, RHSA-2010:0602-02, SUSE-SR:2008:017, VIGILANCE-VUL-7783, VMSA-2008-0013.1, VMSA-2008-0013.2, VMSA-2008-0013.3.

Description of the vulnerability

To handle regular expressions, Perl compiles them and creates a decision tree.

However, when the same data is stored as UTF-8 in two branches of this tree, a double memory free occurs. This error corrupts the memory.

When an attacker can change the regular expression used by a Perl program, they can thus create a denial of service and possibly execute code.

vulnerability bulletin CVE-2008-1878 CVE-2008-1964

xine-lib: buffer overflow of NSF

Synthesis of the vulnerability

An attacker can create a malicious MP3 file in order to create an overflow during the NSF analysis.
Impacted products: Debian, Fedora, openSUSE, Unix (platform) ~ not comprehensive.
Severity: 2/4.
Consequences: user access/rights, denial of service on client.
Provenance: document.
Number of vulnerabilities in this bulletin: 2.
Creation date: 17/04/2008.
Revision date: 24/04/2008.
Identifiers: BID-28816, BID-28908, CVE-2008-1878, CVE-2008-1964, DSA-1586-1, FEDORA-2008-3326, FEDORA-2008-3353, SUSE-SR:2008:012, VIGILANCE-VUL-7773.

Description of the vulnerability

The src/demuxers/demux_nsf.c file of xine-lib decodes data in NES Music File Format. It has two vulnerabilities.

The demux_nsf_send_chunk() function stores the title in a 100-byte array, without checking the data size. [severity:2/4; BID-28816, CVE-2008-1878]

The demux_nsf_send_headers() function stores the copyright in a 100-byte array, without checking the data size. [severity:1/4; BID-28908, CVE-2008-1964]

An attacker can create an MP3 file containing a long NSF title, then invite the victim to open it with an application linked to xine-lib. An overflow thus occurs and leads to a denial of service or to code execution.

vulnerability announce CVE-2008-1974

Horde: Cross Site Scripting of Kronolith

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting attack in the Horde Kronolith application.
Impacted products: Debian, Fedora, Unix (platform) ~ not comprehensive.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 24/04/2008.
Identifiers: BID-28898, CVE-2008-1974, DSA-1560-1, FEDORA-2008-3460, VIGILANCE-VUL-7782.

Description of the vulnerability

The Kronolith application is the web calendar of the Horde suite.

The kronolith/addevent.php script adds a task in this calendar. However, its "url" parameter is not filtered before being displayed.

An attacker can therefore create a Cross Site Scripting attack to execute JavaScript code in the context of the victim's web browser.

vulnerability alert CVE-2008-1924

phpMyAdmin: file disclosure

Synthesis of the vulnerability

An attacker can use an HTTP POST request in order to read files of the computer where phpMyAdmin is installed.
Impacted products: Debian, openSUSE, phpMyAdmin, SLES.
Severity: 2/4.
Consequences: data reading.
Provenance: intranet client.
Creation date: 23/04/2008.
Identifiers: BID-28906, CERTA-2002-AVI-203, CVE-2008-1924, DSA-1557-1, MDVSA-2008:131, PMASA-2008-3, SUSE-SR:2008:026, SUSE-SR:2009:003, VIGILANCE-VUL-7781.

Description of the vulnerability

The phpMyAdmin program is used to administer a MySQL database.

The setLocalSelectedFile() method of the File class (phpMyAdmin/libraries/File.class.php) concatenates the name of the upload directory and the requested name (simplified):
  function setLocalSelectedFile($name) {
    $result_name = $GLOBALS['cfg']['UploadDir'] . PMA_securePath($name);
    ...
However, when an attacker uses POST data, the $GLOBALS['cfg']['UploadDir'] variable can be empty. The resulting file name is then simply the requested name.

An attacker can thus read files with the rights of the web server. The attacker has to create a table to exploit this vulnerability.
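As an added illustration that is not phpMyAdmin's own code, the construction above (with a stand-in for PMA_securePath()) beside a hardened variant that fails closed on an empty upload directory and checks that the resolved path stays inside it; the helper names are hypothetical:

```php
<?php
// Added example, not phpMyAdmin's code. Shows the bug class described in the
// bulletin: an empty upload directory turns the "secured" requested name into
// an absolute path chosen by the client.

// Hypothetical stand-in for PMA_securePath(): only strips "../" segments.
function securePathStub(string $name): string {
    return str_replace(['../', '..\\'], '', $name);
}

// Vulnerable pattern: with an empty $uploadDir the requested name is returned
// unchanged, so a request for "/etc/passwd" resolves to that very file.
function vulnerableLocalFile(string $uploadDir, string $name): string {
    return $uploadDir . securePathStub($name);
}

// Hardened pattern: refuse to serve anything when no upload directory is
// configured, reduce the name to a basename, then verify the canonical path
// is still located under the canonical upload directory.
function hardenedLocalFile(string $uploadDir, string $name): ?string {
    if ($uploadDir === '') {
        return null;                       // uploads disabled: nothing to open
    }
    $base = realpath($uploadDir);
    if ($base === false) {
        return null;                       // directory missing or unreadable
    }
    $candidate = realpath($base . DIRECTORY_SEPARATOR . basename($name));
    if ($candidate === false
        || strpos($candidate, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;                       // does not exist or escaped the directory
    }
    return $candidate;
}

// Constructed input: the empty upload directory an attacker can force via POST.
$requested = '/etc/passwd';
var_dump(vulnerableLocalFile('', $requested));
var_dump(hardenedLocalFile('', $requested));
```

The hardened variant also rejects names that survive the stub's stripping (for example a leading "/"), because the realpath() prefix check does not depend on what the sanitiser removed.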

computer vulnerability note CVE-2008-1897 CVE-2008-1923

Asterisk: denial of service of IAX2

Synthesis of the vulnerability

An attacker can spoof IAX2 messages in order to force Asterisk to send audio data.
Impacted products: Asterisk Open Source, Debian, Fedora.
Severity: 2/4.
Consequences: denial of service on client.
Provenance: internet client.
Number of vulnerabilities in this bulletin: 2.
Creation date: 23/04/2008.
Identifiers: AST-2008-006, BID-28901, CVE-2008-1897, CVE-2008-1923, DSA-1563-1, FEDORA-2008-3365, FEDORA-2008-3390, VIGILANCE-VUL-7779.

Description of the vulnerability

An IAX2 session is established via a handshake using NEW and ACK messages. If the guest user is allowed, IAX2 sessions are not authenticated.

No random mechanism associates the ACK message to its NEW message. An attacker can spoof a NEW message and then an ACK message in order to force the creation of a new session.

An attacker can thus spoof the address of the victim in order to force Asterisk to send audio data to that address. This attack leads to a denial of service on the victim's network.
