The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of Debian Woody

vulnerability alert CVE-2005-4605

Linux kernel: reading memory with procfs

Synthesis of the vulnerability

An attacker can read memory contents using some files under procfs.
Impacted products: Debian, Fedora, Linux, Mandriva Linux, openSUSE, RHEL.
Severity: 1/4.
Creation date: 28/12/2005.
Identifiers: BID-16284, CERTA-2002-AVI-006, CVE-2005-4605, DSA-1017-1, FEDORA-2005-013, FLSA-2006:157459-3, FLSA-2006:157459-4, MDKSA-2006:040, RHSA-2006:010, RHSA-2006:0101-01, SUSE-SA:2006:006, SUSE-SA:2006:012, VIGILANCE-VUL-5461.

Description of the vulnerability

The procfs filesystem (/proc) exposes files that can be read to obtain system information or written to change it. A procfs read handler has the following prototype (read_proc_t):
  int f(char *page, char **start, off_t off, int count, int *eof, void *data);
With:
  page: memory area (one page) that the handler fills
  off: offset, within the handler's data, at which reading starts
  count: number of bytes requested
  data: private opaque data
  start: pointer to the start of the returned data (page+off)
  return value: number of bytes returned
  eof: indicator, set by the handler, that the end of the data has been reached

In several places in the kernel, the handler sets the eof indicator when off+count is greater than the size of the data it expects to return. This sum can overflow (off and count are signed integers, and off is supplied by the reader through the file position), in which case the comparison fails, eof is not set, and the read continues past the end of the data instead of stopping.

A local attacker can therefore use this vulnerability to read memory contents beyond the data the file was meant to expose.
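To make the overflow concrete, here is an added illustration written for this page (it is not kernel code): a simplified model of the eof test described above, with the offset modelled as a signed 32-bit integer, as off_t is on i386 (an assumption made for the example), beside a form of the test that cannot overflow and the clamp a handler should apply to its return value.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/*
 * Simplified model of the end-of-file test used by procfs read handlers, as
 * described on this page.  Illustration code written for the page, not the
 * kernel's own source.  The offset is modelled as a signed 32-bit integer to
 * mirror off_t on i386 kernels of that era (an assumption for the example).
 */
typedef int32_t sim_off_t;

/* Two's-complement wrap of off + count, performed on the unsigned view so
 * the example itself stays free of undefined behaviour. */
static sim_off_t wrapping_add(sim_off_t a, int b)
{
    return (sim_off_t)((uint32_t)a + (uint32_t)b);
}

/* Vulnerable form: "set eof when off + count >= len".  When off is close to
 * INT32_MAX the sum wraps to a negative value, the comparison is false and
 * eof stays clear although the requested range lies far past the data. */
bool eof_check_vulnerable(sim_off_t off, int count, int len)
{
    return wrapping_add(off, count) >= len;
}

/* Hardened form: never add the two operands.  An offset at or beyond the
 * data (or a negative one) is eof by itself; otherwise compare count with
 * the remaining length, a subtraction that cannot overflow because both
 * values lie in [0, len]. */
bool eof_check_fixed(sim_off_t off, int count, int len)
{
    if (off < 0 || off >= len)
        return true;
    return count >= len - off;
}

/* The matching clamp for the handler's return value: never hand back more
 * than what really remains after the offset. */
int bytes_to_return(sim_off_t off, int count, int len)
{
    if (count <= 0 || off < 0 || off >= len)
        return 0;
    int remaining = len - off;
    return count < remaining ? count : remaining;
}

int main(void)
{
    const int len = 16;                 /* constructed: 16 bytes of data */
    sim_off_t bad_off = INT32_MAX - 4;  /* chosen so that off + 100 wraps */
    printf("off=%d count=100 len=%d: vulnerable eof=%d, fixed eof=%d, bytes=%d\n",
           bad_off, len,
           eof_check_vulnerable(bad_off, 100, len),
           eof_check_fixed(bad_off, 100, len),
           bytes_to_return(bad_off, 100, len));
    return 0;
}
```

With off = INT32_MAX - 4 and count = 100 the vulnerable test reports "not eof" while the fixed one reports eof and the clamp returns 0 bytes; the reader controls off through the file position, which is why the check must not depend on the sum.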

computer vulnerability bulletin CVE-2005-3343

tkdiff: file corruption

Synthesis of the vulnerability

A local attacker can alter a file during tkdiff usage.
Impacted products: Debian, Mandriva Linux.
Severity: 1/4.
Creation date: 28/12/2005.
Identifiers: BID-16064, CVE-2005-3343, DSA-927-1, DSA-927-2, MDKSA-2006:001, VIGILANCE-VUL-5458.

Description of the vulnerability

The tkdiff program compares two files.

It creates its temporary file insecurely: the file name is built from predictable elements (the temporary directory, the user name and the process id), so any local user can compute it in advance.

A local attacker can therefore create a symlink at that name, so that tkdiff overwrites the link's target with the privileges of the user running tkdiff.

computer vulnerability announce CVE-2005-3341

dhis-tools-dns: file corruption

Synthesis of the vulnerability

A local attacker can alter a file during usage of scripts from dhis-tools-dns.
Impacted products: Debian.
Severity: 1/4.
Creation date: 28/12/2005.
Identifiers: BID-16065, CVE-2005-3341, DSA-928-1, VIGILANCE-VUL-5457.

Description of the vulnerability

The dhis-tools-dns suite contains tools for the Dynamic Host Information System.

The register-p.sh script uses temporary files insecurely (/etc/dhis/temp/pass.$$, id.$$, nsupdate.$$).
The register-q.sh script uses temporary files insecurely (/etc/dhis/temp/keys.$$, id.$$, nsupdate.$$).
Since $$ is the shell's process id, these names are predictable, and the scripts run with root privileges.

A local attacker can therefore plant a symlink at one of these names and have a system file overwritten with root privileges.
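Both the tkdiff bulletin above and this one describe the same class of bug: a temporary file whose name an attacker can predict, opened in a way that follows a pre-planted symlink. The following example, added for this page and not taken from either project, shows the predictable naming scheme, the create-or-truncate open that a shell redirection or fopen("w") performs, the hardened open (O_CREAT|O_EXCL|O_NOFOLLOW, the same guarantee mkstemp(3) gives with an unpredictable suffix), and a self-contained demonstration inside a private scratch directory. The directory, file names and content are constructed for the example; it is written in C, like the other examples on this page, although dhis-tools-dns uses shell scripts.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* The predictable naming scheme both bulletins describe: a directory, a
 * fixed stem (user name or a word chosen by the script) and the process id.
 * Any local user can compute this before the program runs. */
int build_predictable_name(char *out, size_t outlen, const char *dir,
                           const char *stem, pid_t pid)
{
    return snprintf(out, outlen, "%s/%s.%d", dir, stem, (int)pid);
}

/* What a shell redirection  > "$tmp"  or fopen(path, "w") does:
 * create-or-truncate, following whatever is already at that path. */
int open_insecure(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened variant: refuse a pre-existing path altogether.  O_EXCL makes the
 * create atomic (it fails with EEXIST even when the path is a symlink), and
 * O_NOFOLLOW stops symlink traversal on the last component. */
int open_secure(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/*
 * Demonstration in a private scratch directory (constructed setup): "victim"
 * stands in for the file the attacker wants clobbered, and a symlink is
 * planted at the predictable name before the "program" opens it.
 * Returns 1 if the insecure open truncated the victim while the secure open
 * refused the planted link, 0 otherwise, -1 if the setup itself failed.
 */
int symlink_attack_demo(void)
{
    char dir[] = "/tmp/tmpdemo.XXXXXX";
    if (mkdtemp(dir) == NULL)
        return -1;

    char victim[256], tmpname[256];
    snprintf(victim, sizeof victim, "%s/victim", dir);
    build_predictable_name(tmpname, sizeof tmpname, dir, "user", getpid());

    /* victim file with content that must survive */
    const char msg[] = "important data\n";
    int fd = open(victim, O_WRONLY | O_CREAT, 0600);
    if (fd < 0)
        return -1;
    if (write(fd, msg, sizeof msg - 1) != (ssize_t)(sizeof msg - 1)) {
        close(fd);
        return -1;
    }
    close(fd);

    /* attacker plants the link at the name the program is going to use */
    if (symlink(victim, tmpname) != 0)
        return -1;

    int result = 0;
    struct stat st;
    fd = open_insecure(tmpname);            /* follows the link ...         */
    if (fd >= 0) {
        close(fd);
        if (stat(victim, &st) == 0 && st.st_size == 0)
            result = 1;                     /* ... and truncated the victim */
    }
    int sfd = open_secure(tmpname);         /* must fail: path exists       */
    if (sfd >= 0) {
        close(sfd);
        result = 0;
    } else if (errno != EEXIST && errno != ELOOP) {
        result = 0;
    }

    unlink(tmpname);
    unlink(victim);
    rmdir(dir);
    return result;
}

int main(void)
{
    printf("symlink attack succeeded against insecure open, blocked by secure open: %d\n",
           symlink_attack_demo());
    return 0;
}
```

For scripts, the equivalent of open_secure is creating the file with mktemp(1) (which uses an unpredictable name and O_EXCL) instead of redirecting into a fixed "name.$$" path; for root-run scripts in particular, a directory that is writable by other users must never hold a predictably named temporary file.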

computer vulnerability alert CVE-2005-3534

nbd: buffer overflow

Synthesis of the vulnerability

An attacker can send a long request in order to generate an overflow in nbd server.
Impacted products: Debian, Fedora, openSUSE, Unix (platform) ~ not comprehensive.
Severity: 2/4.
Creation date: 22/12/2005.
Identifiers: BID-16029, CVE-2005-3354-ERROR, CVE-2005-3534, DSA-924-1, FEDORA-2011-1097, FEDORA-2011-1108, SUSE-SR:2006:001, VIGILANCE-VUL-5446.

Description of the vulnerability

The nbd (Network Block Device) server exports a block device over the network; the client then accesses it as if it were a local hard drive.

When the server receives a request, it checks the request length, but the check does not account for the size of the header. An attacker can thus send an over-long request that overflows the server's buffer.

This vulnerability therefore permits a remote attacker to run code on the server.
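The following added example (illustration written for this page, not nbd's code) models the class of check described above: a request length compared against the whole buffer although a fixed-size header is written into the same buffer before the payload. The buffer size, header layout and the "would overflow" return code used in place of an actual out-of-bounds write are assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of a server's reply buffer.  The sizes and the header
 * layout are chosen for the illustration; they are not nbd's constants. */
#define BUFSIZE 64
struct reply_hdr {
    uint32_t magic;
    uint32_t error;
    uint64_t handle;
};                      /* 16 bytes, written at the start of the buffer */

/* Vulnerable check: the request length is compared against the full buffer,
 * ignoring the header that shares it.  A maximal request passes. */
bool request_len_ok_vulnerable(uint32_t len)
{
    return len <= BUFSIZE;
}

/* Fixed check: budget the header before comparing the payload length. */
bool request_len_ok_fixed(uint32_t len)
{
    return len <= BUFSIZE - sizeof(struct reply_hdr);
}

/* Bytes a read reply of 'len' payload bytes occupies: header + payload. */
size_t bytes_written(uint32_t len)
{
    return sizeof(struct reply_hdr) + len;
}

/*
 * Simulated handling of a read request with the given length check.
 * Returns 0 when the reply fits, -1 when the check rejects the request,
 * and -2 when the check passed but the reply would overrun the buffer
 * (reported instead of performed, so the example stays memory-safe).
 */
int handle_read_request(uint32_t len, bool (*check)(uint32_t))
{
    unsigned char buf[BUFSIZE];
    if (!check(len))
        return -1;
    if (bytes_written(len) > sizeof buf)
        return -2;
    memset(buf, 0, sizeof(struct reply_hdr));              /* header    */
    memset(buf + sizeof(struct reply_hdr), 0xAA, len);     /* payload   */
    return 0;
}
```

With the buffer sized at 64 bytes, a 64-byte request passes the vulnerable check and would write 80 bytes; the fixed check rejects anything above 48 bytes, which is the largest payload that still fits behind the 16-byte header.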

computer vulnerability bulletin CVE-2005-4348

fetchmail: denial of service in multidrop mode

Synthesis of the vulnerability

A malicious server can serve a message without headers in order to stop fetchmail.
Impacted products: Debian, Fedora, Mandriva Corporate, Mandriva Linux, openSUSE, RHEL, RedHat Linux, Slackware, TurboLinux, Unix (platform) ~ not comprehensive.
Severity: 1/4.
Creation date: 20/12/2005.
Identifiers: BID-15987, CERTA-2006-AVI-003, CVE-2005-4348, DSA-939-1, FEDORA-2005-1186, FEDORA-2005-1187, fetchmail-SA-2005-03, FLSA:164512, FLSA-2006:164512, MDKSA-2005:236, RHSA-2007:0018-01, SSA:2006-045-01, SUSE-SR:2007:004, TLSA-2007-3, VIGILANCE-VUL-5438.

Description of the vulnerability

The fetchmail program retrieves email over the POP3 or IMAP protocols.

In multidrop mode, fetchmail parses the message headers to determine and separate the recipients.

When a server hands fetchmail a message without headers, the header parsing fails with an error and fetchmail terminates. Such a message is invalid, so only a malicious (or compromised) server would serve one.

This vulnerability therefore permits an attacker who controls the server to conduct a denial of service against fetchmail when it is configured in multidrop mode.

vulnerability bulletin CVE-2005-4178

Dropbear: memory corruption

Synthesis of the vulnerability

An attacker can conduct a denial of service, and could execute code in Dropbear.
Impacted products: Debian, Unix (platform) ~ not comprehensive.
Severity: 2/4.
Creation date: 19/12/2005.
Identifiers: BID-15923, CVE-2005-4178, DSA-923-1, VIGILANCE-VUL-5433.

Description of the vulnerability

The Dropbear program implements an SSHv2 client and server.

In the svr-chansession.c file, a function grows the storage holding child process information when that storage is full, by calling m_realloc to obtain a larger memory area.

However, the new size is computed incorrectly because of a missing pair of parentheses in the size expression, so the area obtained is smaller than the code then assumes.

An attacker can therefore open several connections to trigger this undersized reallocation, which crashes the daemon. Code execution appears to be difficult.

computer vulnerability announce CVE-2005-4048

FFmpeg: buffer overflow of libavcodec

Synthesis of the vulnerability

An overflow can occur in libavcodec when a small PNG image is opened.
Impacted products: Debian, Mandriva Corporate, Mandriva Linux, Slackware, Unix (platform) ~ not comprehensive.
Severity: 2/4.
Creation date: 15/12/2005.
Identifiers: BID-15743, CERTA-2005-AVI-499, CVE-2005-4048, DSA-1004-1, DSA-1005-1, DSA-992-1, MDKSA-2005:228, MDKSA-2005:229, MDKSA-2005:230, MDKSA-2005:231, MDKSA-2005:232, SSA:2006-207-04, VIGILANCE-VUL-5427.

Description of the vulnerability

The libavcodec library of FFmpeg implements audio and video encoders and decoders.

The avcodec_default_get_buffer() function sizes the frame buffers from the image dimensions; for a paletted image it does not allocate enough memory for the colour palette when the image is small, since the palette has a fixed size that does not depend on the picture.

An attacker can therefore craft a small PNG image whose palette overflows the buffer and corrupts heap memory with the palette contents.
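As an added example (written for this page, not FFmpeg's code), here is a model of the allocation mistake: a two-plane frame for an 8-bit paletted picture whose palette plane is sized like a pixel plane, beside the corrected allocation that always reserves a full 256-entry palette. The frame structure, the assumption that the vulnerable code sized the palette plane from the picture dimensions, and the guard that reports the overrun instead of performing it are all constructed for the illustration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define PALETTE_ENTRIES 256
#define PALETTE_BYTES   (PALETTE_ENTRIES * 4)   /* 256 RGBA entries */

/* Two-plane frame for an 8-bit paletted picture: plane 0 holds one index
 * byte per pixel, plane 1 holds the palette.  Constructed for the example. */
struct pal_frame {
    uint8_t *index;   size_t index_size;
    uint8_t *palette; size_t palette_size;
};

/* Vulnerable allocation: the palette plane is sized from the picture
 * dimensions like any other plane (assumption for the example), so a 4x4
 * picture gets a 16-byte "palette". */
int alloc_frame_vulnerable(struct pal_frame *f, int w, int h)
{
    f->index_size   = (size_t)w * (size_t)h;
    f->palette_size = (size_t)w * (size_t)h;
    f->index   = malloc(f->index_size);
    f->palette = malloc(f->palette_size);
    return (f->index && f->palette) ? 0 : -1;
}

/* Fixed allocation: the palette's size does not depend on the picture. */
int alloc_frame_fixed(struct pal_frame *f, int w, int h)
{
    f->index_size   = (size_t)w * (size_t)h;
    f->palette_size = PALETTE_BYTES;
    f->index   = malloc(f->index_size);
    f->palette = malloc(f->palette_size);
    return (f->index && f->palette) ? 0 : -1;
}

/* The decoder stores the n RGBA entries read from the file's palette chunk.
 * Returns -1 instead of writing when the plane is too small; the original
 * code had no such guard, and the -1 stands in for the heap overflow. */
int store_palette(struct pal_frame *f, const uint32_t *entries, int n)
{
    size_t need = (size_t)n * 4;
    if (need > f->palette_size)
        return -1;
    memcpy(f->palette, entries, need);
    return 0;
}

void free_frame(struct pal_frame *f)
{
    free(f->index);
    free(f->palette);
}

/* Scenario: a 4x4 paletted PNG that carries a full 256-entry palette
 * (constructed input).  Returns store_palette's result, -2 on allocation
 * failure. */
int small_png_scenario(int (*alloc)(struct pal_frame *, int, int))
{
    uint32_t palette[PALETTE_ENTRIES];
    for (int i = 0; i < PALETTE_ENTRIES; i++)
        palette[i] = 0xFF000000u | (uint32_t)i;
    struct pal_frame f;
    if (alloc(&f, 4, 4) != 0)
        return -2;
    int rc = store_palette(&f, palette, PALETTE_ENTRIES);
    free_frame(&f);
    return rc;
}
```

The picture's dimensions set how many index bytes are needed, but a PNG's PLTE chunk may carry up to 256 entries whatever the image size, so the palette plane has to be sized from the palette format, not from width and height.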

computer vulnerability CVE-2005-3352

Apache: Cross Site Scripting of mod_imap

Synthesis of the vulnerability

An attacker can invite user to click on a link located on a malicious website in order to conduct a Cross Site Scripting attack in mod_imap.
Impacted products: Apache httpd, Debian, Fedora, HPE NMC, OpenView, OpenView NNM, HP-UX, Mandriva Linux, openSUSE, Solaris, Trusted Solaris, RHEL, RedHat Linux, ProPack, Slackware, TurboLinux.
Severity: 1/4.
Creation date: 14/12/2005.
Identifiers: 102662, 102663, 170383, 171756, 175602, 175720, 20060101-01-U, 6423037, 6452767, 6452773, BID-15834, c00760969, c00797078, c01428449, CERTA-2005-AVI-490, CERTA-2007-AVI-057, CERTA-2008-AVI-148, CERTA-2008-AVI-214, CERTA-2008-AVI-278, CVE-2005-3352, DSA-1167-1, FEDORA-2006-052, FLSA-2006:175406, HPSBMA02328, HPSBUX02145, HPSBUX02172, MDKSA-2006:007, RHSA-2006:015, RHSA-2006:0158-01, RHSA-2006:0159-01, RHSA-2008:0523-02, SSA:2006-129-01, SSA:2006-130-01, SSRT061202, SSRT061269, SSRT071293, SUSE-SR:2006:004, SUSE-SR:2007:011, TLSA-2006-1, VIGILANCE-VUL-5425.

Description of the vulnerability

The mod_imap module implements server-side image maps: regions of an image are associated with links.

The Referer header of HTTP carries the URI of the document from which the user reached the current one. The mod_imap module can be configured (ImapBase referer) to use the Referer as the base for the map's relative links.

However, mod_imap inserts the Referer value into the HTML it generates without escaping it with the ap_escape_html() function.

An attacker can therefore create a page at a malicious URL that embeds an image served through mod_imap. When the user clicks on this image, the malicious URL is sent as the Referer to mod_imap and reflected into the generated page. Depending on the configuration, this leads to a Cross Site Scripting attack.
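To show the missing step, here is an added example (written for this page, not Apache's code): a minimal stand-in for ap_escape_html() that replaces the four characters the Apache helper escapes, and a function that builds one link of an image-map menu from the Referer-derived base, with and without escaping. The menu layout is an assumption for the illustration, and the Referer value is a constructed one.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for ap_escape_html(): copy s into a new buffer, replacing the
 * characters &, <, > and " by their entities.  Written for this example;
 * it is not Apache's implementation.  Caller frees the result. */
char *escape_html(const char *s)
{
    size_t extra = 0;
    for (const char *p = s; *p; p++)
        if (*p == '&' || *p == '<' || *p == '>' || *p == '"')
            extra += 5;                 /* longest replacement adds 5 */
    char *out = malloc(strlen(s) + extra + 1);
    if (!out)
        return NULL;
    char *o = out;
    for (const char *p = s; *p; p++) {
        const char *rep = NULL;
        switch (*p) {
        case '&': rep = "&amp;";  break;
        case '<': rep = "&lt;";   break;
        case '>': rep = "&gt;";   break;
        case '"': rep = "&quot;"; break;
        }
        if (rep) {
            size_t l = strlen(rep);
            memcpy(o, rep, l);
            o += l;
        } else {
            *o++ = *p;
        }
    }
    *o = '\0';
    return out;
}

/* One entry of the menu page an image map can emit: an anchor whose href is
 * the base (here the Referer value) followed by the map target.  With
 * escape == 0 the base goes in raw, as the vulnerable module did; with
 * escape != 0 it is passed through escape_html() first.  Caller frees. */
char *menu_link(const char *base, const char *target, int escape)
{
    char *safe = escape ? escape_html(base) : strdup(base);
    if (!safe)
        return NULL;
    size_t n = strlen(safe) + 2 * strlen(target) + 32;
    char *out = malloc(n);
    if (out)
        snprintf(out, n, "<a href=\"%s%s\">%s</a>", safe, target, target);
    free(safe);
    return out;
}

int main(void)
{
    /* constructed Referer: the attacker's page URL carries markup */
    const char *referer = "http://evil.example/\"><script>x()</script>";
    char *raw  = menu_link(referer, "page.html", 0);
    char *safe = menu_link(referer, "page.html", 1);
    printf("vulnerable: %s\nfixed:      %s\n", raw, safe);
    free(raw);
    free(safe);
    return 0;
}
```

The unescaped variant closes the href attribute and injects a script element into the page the server itself serves, which is exactly the reflected XSS the bulletin describes; the escaped variant keeps the whole Referer inside the attribute value.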

vulnerability alert CVE-2005-4189

Horde: several Cross Site Scripting

Synthesis of the vulnerability

Several Cross Site Scripting permit an attacker to run script in the context of a Horde user.
Impacted products: Debian, Unix (platform) ~ not comprehensive.
Severity: 2/4.
Creation date: 12/12/2005.
Identifiers: BID-15806, BID-15810, CVE-2005-4189, DSA-970-1, SEC Consult SA-20051211-0, VIGILANCE-VUL-5421.

Description of the vulnerability

The Horde framework provides libraries and features for web application development.

Several Cross Site Scripting attacks are possible in Horde:
 - in the calendar
 - in the preferences templates
 - in the data import templates

An attacker can therefore inject script that is executed in the browser of a user connected to Horde.

vulnerability CVE-2005-3651

Ethereal: buffer overflow of OSPF

Synthesis of the vulnerability

An attacker can send malicious OSPF packets in order to conduct a denial of service or to run code in Ethereal.
Impacted products: Debian, Ethereal, Fedora, Mandriva Linux, openSUSE, RHEL, ProPack.
Severity: 2/4.
Creation date: 12/12/2005.
Identifiers: 20060201-01-U, BID-15794, CERTA-2005-AVI-487, CVE-2005-3651, DSA-920-1, ENPA-SA-00022, FEDORA-2005-000, iDefense Security Advisory 12.09.05, MDKSA-2005:227, MDKSA-2006:002, RHSA-2006:015, RHSA-2006:0156-01, SUSE-SR:2006:004, VIGILANCE-VUL-5420.

Description of the vulnerability

Ethereal captures and decodes packets to help administrators diagnose network problems. It is typically run with root privileges.

The dissect_ospf_v3_address_prefix() function of the OSPF dissector does not check that the prefix length stays within 128 bits (the maximum for an IPv6 prefix), so a larger value makes it copy more bytes than the address buffer holds, and an overflow occurs.

This vulnerability therefore permits an attacker to send an OSPF packet, on a network Ethereal is capturing, to stop Ethereal or to run code with its privileges.
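The following added example (written for this page, not Ethereal's dissector) parses an OSPF for IPv6 address prefix field with the bound the bulletin says was missing. The field layout follows the OSPFv3 encoding (RFC 2740, now RFC 5340): a one-byte prefix length in bits, a one-byte options field, a 16-bit reserved/metric field, then the prefix bytes padded to a 32-bit boundary; the packet bytes are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Decoded prefix.  The 16-byte address buffer is the point of the bug:
 * 128 bits is the most an IPv6 prefix can hold. */
struct v3_prefix {
    uint8_t prefix_len;     /* in bits */
    uint8_t options;
    uint8_t addr[16];
};

/* Number of bytes a dissector copies into addr for a given prefix length.
 * Without an upper bound on prefix_len this exceeds 16 for lengths above
 * 128 bits, which is what the unchecked code did. */
size_t prefix_copy_len(uint8_t prefix_len)
{
    return ((size_t)prefix_len + 7) / 8;
}

/*
 * Hardened parse: validate the bit length against the buffer and the padded
 * field length against the packet before any copy.
 * Returns the number of bytes consumed, or 0 for malformed input.
 */
size_t parse_v3_prefix(const uint8_t *pkt, size_t len, struct v3_prefix *out)
{
    if (len < 4)
        return 0;                           /* fixed header incomplete */
    uint8_t bits = pkt[0];
    if (bits > 128)
        return 0;                           /* the check that was missing */
    size_t nbytes = prefix_copy_len(bits);  /* now at most 16 */
    size_t padded = (nbytes + 3) & ~(size_t)3;
    if (len < 4 + padded)
        return 0;                           /* prefix bytes truncated */
    memset(out, 0, sizeof *out);
    out->prefix_len = bits;
    out->options    = pkt[1];
    memcpy(out->addr, pkt + 4, nbytes);
    return 4 + padded;
}

/* Constructed sample fields. */
static const uint8_t good_prefix[] = {
    64, 0x00, 0x00, 0x00,                            /* /64, no options  */
    0x20, 0x01, 0x0d, 0xb8, 0x00, 0x00, 0x00, 0x01   /* 2001:db8::1/64   */
};
static const uint8_t bad_prefix[] = {
    0xFF, 0x00, 0x00, 0x00,                          /* 255-bit "prefix" */
    0x20, 0x01, 0x0d, 0xb8, 0x00, 0x00, 0x00, 0x01,
    0x20, 0x01, 0x0d, 0xb8, 0x00, 0x00, 0x00, 0x02,
    0x20, 0x01, 0x0d, 0xb8, 0x00, 0x00, 0x00, 0x03,
    0x20, 0x01, 0x0d, 0xb8, 0x00, 0x00, 0x00, 0x04
};

/* Helpers exposing the samples, so the behaviour can be checked. */
size_t parse_good_sample(struct v3_prefix *out)
{
    return parse_v3_prefix(good_prefix, sizeof good_prefix, out);
}

size_t parse_bad_sample(struct v3_prefix *out)
{
    return parse_v3_prefix(bad_prefix, sizeof bad_prefix, out);
}
```

For the 255-bit sample, prefix_copy_len() reports 32 bytes, twice the size of the address buffer, which is the overrun an unchecked memcpy would perform; the hardened parser rejects the field before touching the buffer, and the 64-bit sample is decoded normally.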