The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of Debian Woody

computer vulnerability note CVE-2006-1523

Linux kernel: denial of service via group_complete_signal

Synthesis of the vulnerability

An attacker can trigger an error case in the __group_complete_signal() function.
Impacted products: Debian, Linux.
Severity: 1/4.
Creation date: 27/06/2006.
Identifiers: BID-17640, CERTA-2002-AVI-035, CVE-2006-1523, DSA-1103-1, VIGILANCE-VUL-5959.

Description of the vulnerability

The Linux kernel defines three macros that developers use to mark conditions that should never happen:
 - BUG() : a point should not be reached (displays a message then generates a panic)
 - BUG_ON(condition) : a condition should not be true (displays a message then generates a panic)
 - WARN_ON(condition) : a condition should not be true (displays a message)

The __group_complete_signal() function of kernel/signal.c checks thread groups and calls BUG_ON() when they differ. However, this case can legitimately occur when locks are used.

A local attacker can therefore create this situation and force the kernel to halt.
Complete Vigil@nce bulletin.... (Free trial)

computer vulnerability bulletin CVE-2006-0558

Linux kernel: denial of service of perfmon.c

Synthesis of the vulnerability

An attacker can trigger an error case in perfmon.c after a call to pfm_context_create().
Impacted products: Debian, Linux, RHEL.
Severity: 1/4.
Creation date: 27/06/2006.
Identifiers: BID-17482, CERTA-2002-AVI-035, CVE-2006-0558, DSA-1103-1, RHSA-2007:0774-01, VIGILANCE-VUL-5958.

Description of the vulnerability

The Linux kernel defines three macros that developers use to mark conditions that should never happen:
 - BUG() : a point should not be reached (displays a message then generates a panic)
 - BUG_ON(condition) : a condition should not be true (displays a message then generates a panic)
 - WARN_ON(condition) : a condition should not be true (displays a message)

After a call to pfm_context_create(), when another process accesses the mm_struct, BUG_ON() is called.

A local attacker can therefore create this situation and force the kernel to halt.

computer vulnerability announce CVE-2006-0456

Linux kernel: incorrect size returned by strnlen_user

Synthesis of the vulnerability

On a s390 processor, the strnlen_user() function sometimes returns a short size, which may lead to a short memory allocation.
Impacted products: Debian, Linux, RHEL.
Severity: 2/4.
Creation date: 27/06/2006.
Identifiers: BID-18687, CERTA-2002-AVI-035, CVE-2006-0456, DSA-1103-1, RHSA-2006:057, RHSA-2006:0575-01, VIGILANCE-VUL-5957.

Description of the vulnerability

The strnlen_user() function returns the length of a user-space string including its '\0' terminator:
  long strnlen_user(const char *s, long n);
If the length of s exceeds n, the value n+1 has to be returned.

However, the implementation of this function in arch/s390/lib/uaccess.S never returns n+1. Thus, the error case for overlong s strings is never reached.

When a program uses the value returned by strnlen_user() to allocate a memory area to store s, the memory area is too short, which leads to an overflow when s is copied into this area.

Depending on usage, this vulnerability leads to a denial of service or to code execution.
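The contract described above, as an added user-space model (this is not the bulletin's or the kernel's code): a reference strnlen_bounded() that honours the n+1 rule, a constructed strnlen_bounded_buggy() that reports n instead, and a caller that validates the length before allocating. The function names and the caller are assumptions made for the illustration; the point is that a caller checking `len > n` can only reject overlong input if the length function actually returns n+1.

```c
/* Added example: user-space model of the strnlen_user() contract.
 * Not kernel code; names and the caller are constructed for illustration. */
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Correct contract: length including the '\0', or n + 1 when no terminator
 * is found within the first n bytes. */
long strnlen_bounded(const char *s, long n)
{
    long i;
    for (i = 0; i < n; i++) {
        if (s[i] == '\0')
            return i + 1;
    }
    return n + 1;
}

/* Constructed model of the defect: the overlong case is reported as n, so it
 * cannot be told apart from a string that fits exactly. */
long strnlen_bounded_buggy(const char *s, long n)
{
    long i;
    for (i = 0; i < n; i++) {
        if (s[i] == '\0')
            return i + 1;
    }
    return n;
}

/* A caller that follows the documented contract: any length above n is
 * rejected before allocation. Returns -1 if rejected, 1 if the string fits
 * the allocation, 0 if copying it would have overflowed the allocation.
 * The copy is only performed when it fits, so the demo never overflows. */
int copy_with_check(long (*len_fn)(const char *, long), const char *src, long n)
{
    long len = len_fn(src, n);
    if (len > n)
        return -1;                      /* the error path the contract promises */
    char *dst = malloc((size_t)len);
    if (!dst)
        return -1;
    size_t real = strlen(src) + 1;      /* bytes actually needed, terminator included */
    int fits = real <= (size_t)len;
    if (fits)
        memcpy(dst, src, real);
    free(dst);
    return fits;
}
```

With the correct length function an 8-character string checked against n = 4 is rejected; with the buggy one the caller allocates 4 bytes for a 9-byte copy, which is exactly the overflow the bulletin describes.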

computer vulnerability CVE-2006-3242

Mutt: buffer overflow of browse_get_namespace

Synthesis of the vulnerability

An attacker with an IMAP server can execute code on Mutt clients connecting to it.
Impacted products: Debian, Fedora, Mandriva Corporate, Mandriva Linux, openSUSE, RHEL, ProPack, Slackware, Unix (platform) ~ not comprehensive.
Severity: 2/4.
Creation date: 26/06/2006.
Identifiers: 20060701-01-U, BID-18642, CERTA-2002-AVI-035, CERTA-2006-AVI-268, CVE-2006-3242, DSA-1108-1, FEDORA-2006-1061, FEDORA-2006-1063, FEDORA-2006-760, FEDORA-2006-761, MDKSA-2006:115, RHSA-2006:057, RHSA-2006:0577-01, SSA:2006-207-01, SUSE-SR:2006:016, VIGILANCE-VUL-5955.

Description of the vulnerability

The namespace indicates how an IMAP server represents the directory tree of a user's mailbox (RFC 2342).

When the Mutt client connects to an IMAP server, it uses the NAMESPACE command to obtain the namespace. The browse_get_namespace() function does not check the size of the returned namespace, so an overflow can occur.

An attacker who controls an IMAP server can thus execute code on Mutt clients connecting to this server.

vulnerability bulletin CVE-2006-3081

MySQL: denial of service of str_to_date

Synthesis of the vulnerability

An authenticated attacker can use the str_to_date() function to stop MySQL.
Impacted products: Debian, Mandriva Linux, MySQL Community, MySQL Enterprise, RHEL.
Severity: 1/4.
Creation date: 26/06/2006.
Identifiers: BID-18439, CERTA-2002-AVI-034, CERTA-2006-AVI-265, CVE-2006-3081, DSA-1112-1, MDKSA-2006:111, RHSA-2007:0083-01, VIGILANCE-VUL-5953.

Description of the vulnerability

The str_to_date() function converts a string to a date. For example:
  str_to_date('10/01/2006', '%d/%m/%Y')

However, when the second parameter, which specifies the format, is NULL, an error occurs and stops mysqld.

An authenticated attacker can therefore generate a denial of service.

computer vulnerability alert CVE-2006-2659

Courier: denial of service via equal character

Synthesis of the vulnerability

An attacker can send an email using an address containing the equal character in order to overload Courier.
Impacted products: Debian, Unix (platform) ~ not comprehensive.
Severity: 2/4.
Creation date: 23/06/2006.
Identifiers: 368834, BID-18345, CERTA-2002-AVI-035, CERTA-2006-AVI-270, CVE-2006-2659, DSA-1101-1, VIGILANCE-VUL-5946.

Description of the vulnerability

The VERP algorithm (Variable Envelope Return Path) changes the sender address of a message depending on the recipient address. For example, an email for "user@domain.dom" will have "sender-user=domain.dom@sender.dom" as sender. This algorithm is frequently used by mailing-list managers in order to deal with bounces.

The verp_encode() function of Courier MTA encodes the recipient address by replacing special characters (@, :, %, etc.) with their hexadecimal value. However, the equal (=) character is incorrectly left unencoded.

An attacker can thus choose an address containing an equal character in order to force Courier to generate a malformed address. This error leads to a denial of service.
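A VERP encoder and decoder for the scheme described above, as an added example (this is not Courier's code). It assumes a "+XX" hexadecimal escape and a specials set of "@=+:%"; the escape syntax is an assumption, and the point it demonstrates is that '=' must be in the escape set, because it is the local-part/domain delimiter the decoder later relies on. The sample addresses are constructed.

```c
/* Added example: VERP encoding with '=' included in the escape set.
 * Not Courier's implementation; the "+XX" escape syntax is an assumption. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* '@' and '=' are the VERP delimiters, '+' introduces an escape, the rest are
 * the characters named in the bulletin. Leaving '=' out of this set is the
 * kind of omission the bulletin describes. */
static const char VERP_SPECIALS[] = "@=+:%";

/* Append len bytes, always leaving room for a terminator. */
static int put(char *out, size_t outlen, size_t *pos, const char *s, size_t len)
{
    if (*pos + len >= outlen) return -1;
    memcpy(out + *pos, s, len);
    *pos += len;
    return 0;
}

/* Append len bytes, escaping specials as +XX. */
static int put_escaped(char *out, size_t outlen, size_t *pos, const char *s, size_t len)
{
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)s[i];
        if (c != '\0' && strchr(VERP_SPECIALS, c) != NULL) {
            char esc[4];
            snprintf(esc, sizeof esc, "+%02X", c);
            if (put(out, outlen, pos, esc, 3)) return -1;
        } else if (put(out, outlen, pos, s + i, 1)) {
            return -1;
        }
    }
    return 0;
}

/* "list" + "sender.dom" + "user@domain.dom" -> "list-user=domain.dom@sender.dom".
 * Returns the encoded length, or -1 on a bad recipient or a too-small buffer. */
int verp_encode(const char *sender_local, const char *sender_domain,
                const char *recipient, char *out, size_t outlen)
{
    const char *at = strrchr(recipient, '@');
    if (!at) return -1;
    size_t pos = 0;
    if (put(out, outlen, &pos, sender_local, strlen(sender_local))) return -1;
    if (put(out, outlen, &pos, "-", 1)) return -1;
    if (put_escaped(out, outlen, &pos, recipient, (size_t)(at - recipient))) return -1;
    if (put(out, outlen, &pos, "=", 1)) return -1;
    if (put_escaped(out, outlen, &pos, at + 1, strlen(at + 1))) return -1;
    if (put(out, outlen, &pos, "@", 1)) return -1;
    if (put(out, outlen, &pos, sender_domain, strlen(sender_domain))) return -1;
    out[pos] = '\0';
    return (int)pos;
}

/* Reverse +XX escapes over len bytes of s. */
static int unescape(const char *s, size_t len, char *out, size_t outlen)
{
    size_t o = 0;
    for (size_t i = 0; i < len; i++) {
        if (o + 1 >= outlen) return -1;
        if (s[i] == '+' && i + 2 < len &&
            isxdigit((unsigned char)s[i + 1]) && isxdigit((unsigned char)s[i + 2])) {
            char hex[3] = { s[i + 1], s[i + 2], '\0' };
            out[o++] = (char)strtol(hex, NULL, 16);
            i += 2;
        } else {
            out[o++] = s[i];
        }
    }
    out[o] = '\0';
    return (int)o;
}

/* Recover the original recipient from the address a bounce was sent to.
 * Because '=' was escaped on encode, the first '=' after the prefix is
 * unambiguously the local-part/domain separator. */
int verp_decode(const char *sender_local, const char *bounce_to, char *out, size_t outlen)
{
    size_t plen = strlen(sender_local);
    if (strncmp(bounce_to, sender_local, plen) != 0 || bounce_to[plen] != '-') return -1;
    const char *local = bounce_to + plen + 1;
    const char *eq = strchr(local, '=');
    const char *at = strrchr(local, '@');
    if (!eq || !at || eq > at) return -1;
    int n = unescape(local, (size_t)(eq - local), out, outlen);
    if (n < 0 || (size_t)n + 1 >= outlen) return -1;
    out[n] = '@';
    int m = unescape(eq + 1, (size_t)(at - eq - 1), out + n + 1, outlen - (size_t)n - 1);
    return m < 0 ? -1 : n + 1 + m;
}

/* Round-trip checks on constructed addresses; returns the number that passed (3 expected). */
int verp_selftest(void)
{
    char enc[128], rec[128];
    int ok = 0;
    if (verp_encode("list", "sender.dom", "user@domain.dom", enc, sizeof enc) > 0 &&
        strcmp(enc, "list-user=domain.dom@sender.dom") == 0) ok++;
    if (verp_encode("list", "sender.dom", "a=b@domain.dom", enc, sizeof enc) > 0 &&
        strcmp(enc, "list-a+3Db=domain.dom@sender.dom") == 0) ok++;
    if (verp_decode("list", enc, rec, sizeof rec) > 0 && strcmp(rec, "a=b@domain.dom") == 0) ok++;
    return ok;
}
```

The second check is the case the bulletin is about: a recipient whose local part contains '=' is still encoded to a single, unambiguous VERP address, and the decoder recovers it exactly; with '=' missing from VERP_SPECIALS the encoded address would contain two '=' characters and the split would land in the wrong place.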

vulnerability note CVE-2006-4246

Usermin: deactivating root's shell

Synthesis of the vulnerability

A local attacker can change root's shell, using Usermin interface.
Impacted products: Debian, Usermin.
Severity: 1/4.
Creation date: 22/06/2006.
Identifiers: BID-18574, CVE-2006-4246, DSA-1177-1, VIGILANCE-VUL-5944.

Description of the vulnerability

The chsh command permits each user to change his shell:
  chsh -s /bin/newshell username

A user can also change his shell via the Usermin interface. However, if the shell field is left empty, the following command is run with root rights:
  chsh -s username
Thus, root's shell is set to "username", and the administrator can no longer log in.

This vulnerability therefore permits an attacker to generate a denial of service.

computer vulnerability alert CVE-2006-2802

xine-lib: buffer overflow of HTTP plugin

Synthesis of the vulnerability

An attacker can setup a malicious web server generating an overflow in connecting xine clients.
Impacted products: Debian, Mandriva Corporate, Mandriva Linux, openSUSE, Slackware, Unix (platform) ~ not comprehensive.
Severity: 2/4.
Creation date: 20/06/2006.
Identifiers: BID-18187, CERTA-2002-AVI-035, CVE-2006-2802, DSA-1105-1, MDKSA-2006:108, SSA:2006-207-04, SUSE-SR:2006:014, VIGILANCE-VUL-5936.

Description of the vulnerability

The xine-lib library is used by xine front-ends: xine-ui, kaffeine, gxine, etc. Its HTTP plugin, xineplug_inp_http, downloads documents located on a web server.

However, this plugin does not check the size of the data returned by the server. A malicious server can thus send approximately 10000 bytes to generate an overflow.

This vulnerability therefore permits an attacker to create a denial of service or to execute code on xine clients connecting to the malicious server.

vulnerability bulletin CVE-2006-3082

GnuPG: denial of service of parse-packet

Synthesis of the vulnerability

An attacker can create a file leading to a denial of service in parse-packet.c of GnuPG.
Impacted products: Debian, Fedora, GnuPG, Mandriva Corporate, Mandriva Linux, Mandriva NF, openSUSE, RHEL, ProPack, Slackware.
Severity: 1/4.
Creation date: 20/06/2006.
Identifiers: 20060701-01-U, BID-18554, CERTA-2002-AVI-034, CERTA-2002-AVI-035, CERTA-2006-AVI-267, CVE-2006-3082, DSA-1107-1, DSA-1115-1, FEDORA-2006-755, FEDORA-2006-757, MDKSA-2006:110, RHSA-2006:057, RHSA-2006:0571-01, SSA:2006-178-02, SUSE-SR:2006:015, SUSE-SR:2006:018, VIGILANCE-VUL-5933.

Description of the vulnerability

The --armor option of GnuPG selects 7-bit ASCII-armored data, whereas the --no-armor option selects binary data.

When GnuPG opens a file containing a malicious header with the --no-armor option, a very large memory area can be allocated. This error generally leads to a denial of service, and could lead to code execution.

This vulnerability for example permits an attacker to generate a denial of service on applications opening GnuPG files coming from untrusted sources.

computer vulnerability note CVE-2006-2197

wv: memory corruption

Synthesis of the vulnerability

An attacker can create a malicious Word document generating an overflow in wv.
Impacted products: Debian, Mandriva Corporate, Mandriva Linux, openSUSE, Unix (platform) ~ not comprehensive.
Severity: 1/4.
Creation date: 15/06/2006.
Identifiers: BID-18437, CERTA-2002-AVI-035, CVE-2006-2197, DSA-1100-1, MDKSA-2006:109, SUSE-SR:2006:015, VIGILANCE-VUL-5929.

Description of the vulnerability

The wv library is used to access Microsoft Word documents.

The word_helper.h file uses a value read from the Word file as an array index. However, this index is not checked and can fall outside the array, leading to memory corruption.

An attacker can therefore create a malicious Word document generating a denial of service or code execution in software using wv.