The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of Debian Woody

computer vulnerability announce CVE-2006-4334 CVE-2006-4335 CVE-2006-4336

gzip: several vulnerabilities

Synthesis of the vulnerability

Several vulnerabilities have been discovered in gzip, allowing an attacker to cause a denial of service or to run code on the system.
Impacted products: Debian, Fedora, FreeBSD, Tru64 UNIX, HP-UX, Mandriva Corporate, Mandriva Linux, Mandriva NF, openSUSE, Solaris, Trusted Solaris, RHEL, ProPack, TurboLinux, Unix (platform) ~ not comprehensive.
Severity: 3/4.
Consequences: privileged access/rights, denial of service on server.
Provenance: document.
Confidence: confirmed by the editor (5/5).
Creation date: 20/09/2006.
Identifiers: 102766, 20061001-01-P, 6470484, c00797077, c00874667, CERTA-2006-AVI-413, CVE-2006-4334, CVE-2006-4335, CVE-2006-4336, CVE-2006-4337, CVE-2006-4338, DSA-1181-1, FEDORA-2006-989, FEDORA-2007-557, FLSA:211760, FreeBSD-SA-06:21.gzip, HPSBTU02168, HPSBUX02195, MDKSA-2006:167, RHSA-2006:0667-01, SSRT061237, SUSE-SA:2006:056, TLSA-2006-31, VIGILANCE-VUL-6167, VU#381508, VU#554780, VU#596848, VU#773548, VU#933712.

Description of the vulnerability

Several vulnerabilities have been discovered in gzip (and in derived programs such as lha):

A null pointer dereference that may lead to denial of service if gzip is used in an automated manner. [severity:3/4; CERTA-2006-AVI-413, CVE-2006-4334, VU#933712]

A check error that allows the execution stack to be modified, and thus arbitrary code to be run on the system. [severity:3/4; CVE-2006-4335, VU#381508]

A buffer overflow in the managing of "pack" archives. [severity:3/4; CVE-2006-4336, VU#554780]

A buffer overflow in the managing of "LZH" archives. [severity:3/4; CVE-2006-4337, VU#773548]

An infinite loop that may lead to denial of service if gzip is used in an automated manner. [severity:3/4; CVE-2006-4338, VU#596848]

vulnerability alert CVE-2006-4253 CVE-2006-4339 CVE-2006-4340

Thunderbird: several vulnerabilities

Synthesis of the vulnerability

Several vulnerabilities were announced in Thunderbird, the worst one leading to code execution.
Impacted products: Debian, Fedora, Mandriva Corporate, Mandriva Linux, Thunderbird, openSUSE, RHEL, TurboLinux.
Severity: 4/4.
Consequences: privileged access/rights, data flow, denial of service on service.
Provenance: internet server.
Confidence: confirmed by the editor (5/5).
Creation date: 15/09/2006.
Identifiers: BID-19488, BID-19849, BID-20042, CERTA-2006-AVI-384, CERTA-2006-AVI-391, CERTA-2006-AVI-412, CERTA-2006-AVI-454, CERTA-2007-AVI-546, CVE-2006-4253, CVE-2006-4339, CVE-2006-4340, CVE-2006-4565, CVE-2006-4566, CVE-2006-4567, CVE-2006-4570, CVE-2006-4571, CVE-2006-4790, DSA-1191-1, FEDORA-2006-977, MDKSA-2006:169, MFSA2006-57, MFSA2006-58, MFSA2006-59, MFSA2006-60, MFSA2006-63, MFSA2006-64, RHSA-2006:0677-01, SUSE-SA:2006:054, TLSA-2006-25, TLSA-2006-30, VIGILANCE-VUL-6161, VU#141528, VU#845620.

Description of the vulnerability

Several vulnerabilities were announced in Thunderbird.

An attacker can spoof the official auto-update server if referenced on the system as a trusted site via SSL certificate. [severity:4/4; CVE-2006-4567, MFSA2006-58]
An attacker can generate a denial of service by using a JavaScript script. This vulnerability was not correctly fixed and led to VIGILANCE-VUL-6160. [severity:4/4; BID-19488, CVE-2006-4253, MFSA2006-59]
Several vulnerabilities allow a denial of service to be generated or code to be run on the system. [severity:4/4; MFSA2006-64]
An attacker can potentially run code by using a JavaScript regular expression ending with a backslash inside an unterminated character set. [severity:4/4; CVE-2006-4565, CVE-2006-4566, MFSA2006-57, VU#141528]
An attacker can bypass RSA signature verification (VIGILANCE-VUL-6140). [severity:4/4; BID-19849, CERTA-2006-AVI-384, CERTA-2006-AVI-412, CERTA-2007-AVI-546, CVE-2006-4339, CVE-2006-4340, CVE-2006-4790, MFSA2006-60, VU#845620]
An attacker can run JavaScript code even if script execution is disabled, by inserting code inside an XBL file. [severity:4/4; CVE-2006-4570, MFSA2006-63]

vulnerability CVE-2006-4253 CVE-2006-4339 CVE-2006-4340

Firefox: several vulnerabilities

Synthesis of the vulnerability

Several vulnerabilities were announced in Firefox, the worst one leading to code execution.
Impacted products: Debian, Fedora, HP-UX, Mandriva Corporate, Mandriva Linux, Firefox, openSUSE, RHEL.
Severity: 4/4.
Consequences: privileged access/rights, data flow, denial of service on service.
Provenance: internet server.
Confidence: confirmed by the editor (5/5).
Creation date: 15/09/2006.
Identifiers: BID-19488, BID-19849, BID-20042, c00771742, CERTA-2006-AVI-384, CERTA-2006-AVI-391, CERTA-2006-AVI-412, CERTA-2006-AVI-454, CERTA-2007-AVI-546, CVE-2006-4253, CVE-2006-4339, CVE-2006-4340, CVE-2006-4565, CVE-2006-4566, CVE-2006-4567, CVE-2006-4568, CVE-2006-4569, CVE-2006-4571, CVE-2006-4790, DSA-1192-1, DSA-1210-1, FEDORA-2006-976, HPSBUX02153, MDKSA-2006:168, MFSA2006-57, MFSA2006-58, MFSA2006-59, MFSA2006-60, MFSA2006-61, MFSA2006-62, MFSA2006-64, RHSA-2006:0675-01, SSRT061181, SUSE-SA:2006:054, VIGILANCE-VUL-6160, VU#141528, VU#845620.

Description of the vulnerability

Several vulnerabilities were announced in Firefox.

An attacker can spoof the official auto-update server if referenced on the system as a trusted site via SSL certificate. [severity:4/4; CVE-2006-4567, MFSA2006-58]
An attacker can generate a denial of service by using a JavaScript script. This vulnerability was not correctly fixed and led to VIGILANCE-VUL-6160. [severity:4/4; BID-19488, CVE-2006-4253, MFSA2006-59]
Several vulnerabilities allow a denial of service to be generated or code to be run on the system. [severity:4/4; MFSA2006-64]
An attacker can potentially run code by using a JavaScript regular expression ending with a backslash inside an unterminated character set. [severity:4/4; CVE-2006-4565, CVE-2006-4566, MFSA2006-57, VU#141528]
An attacker can inject content inside a frame of a web site using the targetWindow.frames[n].document.open() function. [severity:4/4; CVE-2006-4568, MFSA2006-61]
An attacker can use a cross-site scripting attack in a pop-up window. [severity:4/4; CVE-2006-4569, MFSA2006-62]
An attacker can bypass RSA signature verification (VIGILANCE-VUL-6140). [severity:4/4; BID-19849, CERTA-2006-AVI-384, CERTA-2006-AVI-412, CERTA-2007-AVI-546, CVE-2006-4339, CVE-2006-4340, CVE-2006-4790, MFSA2006-60, VU#845620]

vulnerability CVE-2006-4339 CVE-2006-4340 CVE-2006-4790

OpenSSL / GnuTLS / NSS: bypassing a PKCS#1 signature check

Synthesis of the vulnerability

An attacker can create a malicious PKCS #1 signature which will be accepted as valid by OpenSSL, GnuTLS or NSS.
Impacted products: CiscoWorks, Cisco CSS, Cisco IPS, Cisco Prime Central for HCS, Secure ACS, WebNS, Debian, Fedora, FreeBSD, Tru64 UNIX, HP-UX, BIND, Mandriva Corporate, Mandriva Linux, Mandriva NF, NetBSD, OpenSSL, openSUSE, Oracle Directory Server, Oracle iPlanet Web Proxy Server, Oracle iPlanet Web Server, Java Oracle, Solaris, Trusted Solaris, RHEL, ProPack, Slackware, Sun AS, Sun Messaging, ASE, InterScan VirusWall, TurboLinux, WindRiver Linux.
Severity: 2/4.
Consequences: data flow.
Provenance: internet client.
Confidence: confirmed by the editor (5/5).
Creation date: 05/09/2006.
Revisions dates: 07/09/2006, 14/09/2006, 15/09/2006.
Identifiers: 102622, 102648, 102686, 102696, 102722, 102744, 102759, 102781, 102970, 10332, 20060901-01-P, 200708, 201255, 6378707, 6466389, 6467218, 6469236, 6469538, 6472033, 6473089, 6473494, 6488248, 6499438, 6567841, 6568090, BID-19849, c00794048, c00849540, c00967144, cisco-sr-20061108-openssl, CSCek57074, CSCsg09619, CSCsg24311, CSCsg58599, CSCsg58607, CSCtx20378, CVE-2006-4339, CVE-2006-4340, CVE-2006-4790, DSA-1173-1, DSA-1174-1, DSA-1182-1, emr_na-c01070495-1, FEDORA-2006-953, FEDORA-2006-974, FEDORA-2006-979, FreeBSD-SA-06:19.openssl, HPSBTU02207, HPSBUX02165, HPSBUX02186, HPSBUX02219, MDKSA-2006:161, MDKSA-2006:166, MDKSA-2006:207, NetBSD-SA2006-023, RHSA-2006:0661, RHSA-2006:0680-01, RHSA-2008:0264-01, RHSA-2008:0525-01, RT #16460, secadv_20060905, SSA:2006-310-01, SSRT061213, SSRT061239, SSRT061266, SSRT061273, SSRT071299, SSRT071304, SUSE-SA:2006:055, SUSE-SA:2006:061, SUSE-SR:2006:023, SUSE-SR:2006:026, TLSA-2006-29, VIGILANCE-VUL-6140, VU#845620.

Description of the vulnerability

The RSA Algorithm uses the following principle:
  Cipher = Message^e (mod n)
  Cipher^d (mod n) = Message
With:
 - n the product of two large prime numbers
 - e the public exponent, generally 3, 17 or 65537

The PKCS #1 standard defines features and usage of RSA algorithm.

The crypto/rsa/rsa_sign.c file contains the RSA_verify() function. This function does not correctly handle long padding. When the public exponent is small (3, or 17 if the modulus is 4096 bits long), this error leads to invalid signatures being accepted as valid.

This vulnerability permits an attacker to create a malicious PKCS #1 signature which will be accepted as valid by OpenSSL, GnuTLS or NSS.
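As an added example (not part of the Vigil@nce bulletin and not OpenSSL's own code), the following Python contrasts a lenient PKCS #1 v1.5 encoded-message check, which stops examining bytes once it has matched the DigestInfo, with the strict full-length comparison the standard requires. It works on the encoded message EM directly, i.e. after the step Signature^e (mod n) has already been computed; the function names, the 128-byte EM length and the use of SHA-1 are assumptions.

```python
import hashlib
import hmac

# DER prefix of a SHA-1 DigestInfo (RFC 8017, section 9.2, note 1).
SHA1_DIGESTINFO_PREFIX = bytes.fromhex("3021300906052b0e03021a05000414")


def digest_info(message: bytes) -> bytes:
    """T = DigestInfo encoding of SHA-1(message)."""
    return SHA1_DIGESTINFO_PREFIX + hashlib.sha1(message).digest()


def emsa_pkcs1_v15_encode(message: bytes, em_len: int) -> bytes:
    """EM = 0x00 || 0x01 || PS || 0x00 || T, where PS is 0xFF bytes (at least 8) that fill EM."""
    t = digest_info(message)
    ps_len = em_len - len(t) - 3
    if ps_len < 8:
        raise ValueError("intended encoded message length too short")
    return b"\x00\x01" + b"\xff" * ps_len + b"\x00" + t


def lenient_check(em: bytes, message: bytes) -> bool:
    """Flawed verifier: walks past the 0xFF padding to its 0x00 terminator, then compares
    only the next len(T) bytes. Whatever follows T is never examined, so an EM with a short
    PS and trailing filler is accepted."""
    t = digest_info(message)
    if len(em) < 2 or em[:2] != b"\x00\x01":
        return False
    i = 2
    while i < len(em) and em[i] == 0xFF:
        i += 1
    if i >= len(em) or em[i] != 0x00:
        return False
    i += 1
    return em[i:i + len(t)] == t


def strict_check(em: bytes, message: bytes) -> bool:
    """Correct verifier (RFC 8017, section 8.2.2): rebuild the expected EM for this length
    and require a byte-for-byte match, which forces T to sit flush at the end of EM."""
    try:
        expected = emsa_pkcs1_v15_encode(message, len(em))
    except ValueError:
        return False
    return hmac.compare_digest(em, expected)


def short_padding_em(message: bytes, em_len: int) -> bytes:
    """Constructed malformed EM: minimal 8-byte PS, a valid T, then filler (zeros here).
    This is the shape a lenient verifier wrongly accepts."""
    t = digest_info(message)
    head = b"\x00\x01" + b"\xff" * 8 + b"\x00" + t
    return head + b"\x00" * (em_len - len(head))


if __name__ == "__main__":
    msg = b"constructed sample message"  # constructed input
    for em in (emsa_pkcs1_v15_encode(msg, 128), short_padding_em(msg, 128)):
        print("lenient:", lenient_check(em, msg), "strict:", strict_check(em, msg))
```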

vulnerability note CVE-2006-3739 CVE-2006-3740

Xfree86: integer overflows in the management of CID font files

Synthesis of the vulnerability

A local attacker can run code on the system by using integer overflows in functions managing CID font files.
Impacted products: Debian, Mandriva Corporate, Mandriva Linux, NetBSD, openSUSE, Solaris, RHEL.
Severity: 2/4.
Consequences: privileged access/rights, denial of service on service.
Provenance: user shell.
Confidence: confirmed by the editor (5/5).
Creation date: 13/09/2006.
Identifiers: 102780, 6464170, 6464172, CERTA-2006-AVI-397, CERTA-2006-AVI-454, CERTA-2007-AVI-154, CVE-2006-3739, CVE-2006-3740, DSA-1193-1, MDKSA-2006:164, NetBSD-SA2006-021, RHSA-2006:0665-01, RHSA-2006:0666-01, SUSE-SR:2006:023, VIGILANCE-VUL-6154.

Description of the vulnerability

The CID font format is used by Adobe products for fonts with large character sets. Xfree86 can be configured to use this kind of font. Two integer overflow vulnerabilities have been discovered in Xfree86.

An integer overflow in the handling of AFM (Adobe Font Metrics) files in the CIDAFM() function. The size calculated to store data can be larger than the maximum size of an integer variable. [severity:2/4; CERTA-2006-AVI-397, CERTA-2007-AVI-154, CVE-2006-3739]

An integer overflow when managing "CMap" and "CIDFont" data in the scan_cidfont() function. The vm_alloc() function implementation makes it possible to write to memory before the allocated region. [severity:2/4; CVE-2006-3740]

vulnerability note CVE-2006-4538

Linux kernel: denial of service via ELF under ia64/Sparc

Synthesis of the vulnerability

A local attacker can run a malicious ELF program in order to stop a system running on an ia64 or Sparc processor.
Impacted products: Debian, Linux, Mandriva Corporate, Mandriva Linux, NLD, OES, openSUSE, RHEL, SLES.
Severity: 1/4.
Consequences: denial of service on server.
Provenance: user console.
Confidence: confirmed by the editor (5/5).
Creation date: 07/09/2006.
Identifiers: CVE-2006-4538, DSA-1233-1, DSA-1237-1, MDKSA-2007:060, RHSA-2007:0014-01, RHSA-2007:1049-01, RHSA-2008:0787-01, SUSE-SA:2006:079, VIGILANCE-VUL-6144.

Description of the vulnerability

Executable programs generally use ELF format (Executable and Linkable Format).

The sys_ia64.c and sys_sparc.c files implement the ia64_mmap_check() and sparc_mmap_check() functions, which check memory maps. However, these functions do not correctly handle overlapping memory areas. This error, which stops the kernel, can be triggered by a corrupted ELF file.

This vulnerability therefore permits a local attacker to conduct a denial of service by creating a malicious ELF file.

computer vulnerability alert CVE-2006-4542

Webmin, Usermin: source code disclosure and Cross Site Scripting

Synthesis of the vulnerability

An attacker can obtain Webmin/Usermin source code or create a Cross Site Scripting attack.
Impacted products: Debian, Mandriva Corporate, Mandriva Linux, Usermin, Webmin.
Severity: 1/4.
Consequences: client access/rights, data reading.
Provenance: document.
Confidence: confirmed by the editor (5/5).
Creation date: 01/09/2006.
Revision date: 07/09/2006.
Identifiers: BID-19820, CERTA-2006-AVI-382, CERTA-2006-AVI-454, CVE-2006-4542, DSA-1199-1, MDKSA-2006:170, SNS Advisory No.89, VIGILANCE-VUL-6136.

Description of the vulnerability

Two vulnerabilities were announced in Webmin and Usermin.

An attacker can obtain the Perl/CGI source code. As the source code is publicly available, this vulnerability only affects installations with custom modules. [severity:1/4]

An attacker can create a special URL leading to JavaScript code execution in the context of users clicking on the link. [severity:1/4]

Both vulnerabilities are related to a bad filter on the null character (%00).

computer vulnerability bulletin CVE-2006-3120

Osiris: format string attacks

Synthesis of the vulnerability

An attacker can generate several format string attacks in Osiris client and daemon.
Impacted products: Debian, Windows (platform) ~ not comprehensive, Unix (platform) ~ not comprehensive.
Severity: 3/4.
Consequences: user access/rights, denial of service on service.
Provenance: intranet client.
Confidence: confirmed by the editor (5/5).
Creation date: 28/07/2006.
Revision date: 06/09/2006.
Identifiers: BID-19213, CVE-2006-3120, DSA-1129-1, VIGILANCE-VUL-6048.

Description of the vulnerability

The Osiris program monitors changes occurring on a system.

Its source code uses the syslog() function to log its events. However, the format parameter is not used:
  syslog(..., message);
instead of:
  syslog(..., "%s", message);
An attacker can thus generate several format string attacks in Osiris client and daemon.

These vulnerabilities lead to a denial of service or to code execution.

vulnerability announce CVE-2006-4095 CVE-2006-4096

BIND: denials of service via RRSet SIG and via recursion

Synthesis of the vulnerability

An attacker can generate a denial of service of BIND by requesting RRSet SIG or by sending recursive queries.
Impacted products: Debian, Fedora, FreeBSD, AIX, BIND, Mandriva Corporate, Mandriva Linux, Mandriva NF, NetBSD, openSUSE, TurboLinux.
Severity: 2/4.
Consequences: denial of service on service.
Provenance: intranet client.
Confidence: confirmed by the editor (5/5).
Creation date: 06/09/2006.
Identifiers: BID-19859, CERTA-2006-AVI-385, CVE-2006-4095, CVE-2006-4096, DSA-1172-1, FEDORA-2006-966, FreeBSD-SA-06:20.bind, IY89169, IY89178, MDKSA-2006:163, NetBSD-SA2006-022, SUSE-SR:2006:024, TLSA-2006-27, VIGILANCE-VUL-6142, VU#697164, VU#915404.

Description of the vulnerability

Two denials of service have been announced in BIND.

When several Resource Records have the same label, class and type, they can be grouped in an RRSet. For example, "example.dom IN A" can indicate several IP addresses, which are grouped in the same RRSet.
SIG type records are used to sign an RRSet, and contain a field named "covered" indicating the signed RR types.
When the DNS server has to return several RRSets and their SIG signatures (for example, as a result of a query on a zone apex), an assertion error is triggered in BIND.
An attacker can thus generate a denial of service on a recursive DNS server by querying a DNS server with several RRSets. An attacker can also generate a denial of service on an authoritative server with several RRSets. [severity:2/4; CERTA-2006-AVI-385, CVE-2006-4095, VU#915404]

A DNS server can manage several recursive queries at the same time.
The INSIST() macro is used to verify a condition in the source code of BIND.
An INSIST error is triggered when all the clients which have done recursive queries to the DNS server are unreachable when BIND tries to send them an answer.
An attacker can thus generate a denial of service on BIND by sending several recursive queries to BIND, then by becoming unreachable before receiving all answers. [severity:2/4; CVE-2006-4096, VU#697164]

computer vulnerability bulletin CVE-2006-2941 CVE-2006-3636 CVE-2006-4624

Mailman: several vulnerabilities

Synthesis of the vulnerability

Several vulnerabilities permit an attacker to conduct cross-site scripting, phishing and denial of service attacks.
Impacted products: Debian, Fedora, Mandriva Corporate, Mandriva Linux, openSUSE, RHEL, Unix (platform) ~ not comprehensive.
Severity: 2/4.
Consequences: user access/rights, denial of service on service.
Provenance: document.
Confidence: confirmed by the editor (5/5).
Creation date: 04/09/2006.
Identifiers: BID-19831, CERTA-2006-AVI-426, CVE-2006-2941, CVE-2006-3636, CVE-2006-4624, DSA-1188-1, FEDORA-2006-1013, MDKSA-2006:165, RHSA-2006:0600, RHSA-2007:0779-02, SUSE-SR:2006:025, VIGILANCE-VUL-6138.

Description of the vulnerability

Three vulnerabilities were announced in Mailman.

Several cross-site scripting attacks have been identified in mailman. [severity:2/4; CERTA-2006-AVI-426, CVE-2006-3636]

RFC 2231 defines MIME header formats used to split long lines. An implementation error in mailman can lead to a denial of service when this type of MIME header is used. [severity:2/4; CVE-2006-2941]

An attacker can request a specific URL in order to force the logging of data which will be interpreted as another URL when the administrator reads the error log file. [severity:2/4; CVE-2006-4624]