The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of Debian Woody

computer vulnerability note CVE-2007-1583

PHP: activating register_globals via mb_parse_str

Synthesis of the vulnerability

An attacker can generate an error in order to activate register_globals.
Impacted products: Debian, Fedora, Mandriva Linux, openSUSE, PHP, RHEL, Slackware, TurboLinux.
Severity: 1/4.
Consequences: data flow.
Provenance: user account.
Creation date: 19/03/2007.
Identifiers: 20070501-01-P, BID-23016, CERTA-2002-AVI-088, CVE-2007-1583, DSA-1283-1, FEDORA-2007-415, FEDORA-2007-455, MDKSA-2007:088, MDKSA-2007:089, MDKSA-2007:090, MOPB-26-2007, RHSA-2007:0153-01, RHSA-2007:0155-01, RHSA-2007:0162-01, SSA:2007-127-01, SUSE-SA:2007:032, TLSA-2007-29, VIGILANCE-VUL-6659.

Description of the vulnerability

The register_globals directive tells PHP to turn request variables into global PHP variables. It is generally deactivated because an attacker can otherwise inject variables into an insecure script.

The mb_parse_str() function splits a string into variables. When an error occurs in this function, the register_globals directive is incorrectly activated, and it stays activated for other scripts later served by the same Apache process.

An attacker can therefore use this vulnerability to lower the security level of a site hosting insecure scripts.

This vulnerability is similar to VIGILANCE-VUL-5318 which affects parse_str().
Full Vigil@nce bulletin... (Free trial)

computer vulnerability alert CVE-2007-0002 CVE-2007-1466

libwpd, OpenOffice: integer overflows via a Word Perfect file

Synthesis of the vulnerability

An attacker can create a malicious Word Perfect file in order to execute code on the computer of a victim who opens it with software linked against libwpd.
Impacted products: OpenOffice, Debian, Fedora, Mandriva Linux, Windows (platform) ~ not comprehensive, openSUSE, RHEL, Slackware, TurboLinux, Unix (platform) ~ not comprehensive.
Severity: 2/4.
Consequences: user access/rights.
Provenance: document.
Number of vulnerabilities in this bulletin: 2.
Creation date: 16/03/2007.
Revision date: 19/03/2007.
Identifiers: 102863, 20070501-01-P, 222808, 6520258, BID-23006, CERTA-2007-AVI-135, CERTA-2007-AVI-136, CVE-2007-0002, CVE-2007-1466, DSA-1268-1, DSA-1270-1, DSA-1270-2, FEDORA-2007-350, FEDORA-2007-351, MDKSA-2007:063, MDKSA-2007:064, RHSA-2007:0033-01, RHSA-2007:0055-01, SSA:2007-085-02, SUSE-SA:2007:023, TLSA-2007-27, VIGILANCE-VUL-6656.

Description of the vulnerability

The libwpd library implements the Word Perfect file format. This library is used by OpenOffice.

This library does not correctly check the format of Word Perfect files, which leads to several integer overflows. These overflows occur in the WP6GeneralTextPacket::_readContents(), WP3TablesGroup::_readContents() and WP5DefinitionGroup_DefineTablesSubGroup::WP5DefinitionGroup_DefineTablesSubGroup() functions.

An attacker can therefore create a malicious document and invite a user to open it in order to execute code on that user's computer.

vulnerability bulletin CVE-2007-1343

WebCalendar: altering variables via noSet

Synthesis of the vulnerability

An attacker can modify the noSet variable to alter some global variables.
Impacted products: Debian, Unix (platform) ~ not comprehensive.
Severity: 2/4.
Consequences: data reading.
Provenance: intranet client.
Creation date: 16/03/2007.
Identifiers: BID-22834, CERTA-2007-AVI-111, CVE-2007-1343, DSA-1267-1, VIGILANCE-VUL-6653.

Description of the vulnerability

The WebCalendar program is a multi-user web calendar written in PHP.

When register_globals is deactivated, WebCalendar loops over the $HTTP_GET_VARS array and sets its contents as global variables. To protect against attacks, the webcalendar/includes/functions.php file defines an array named $noSet containing the names of variables to exclude from this loop: is_admin, db_type, includedir, admin_can_add_user, etc.

However, the $noSet variable itself is not protected. An attacker can therefore overwrite it and then change sensitive variables, which permits including arbitrary files or changing WebCalendar's behaviour.

vulnerability CVE-2007-1521

PHP: double free of session_regenerate_id

Synthesis of the vulnerability

An attacker can create a script using session_regenerate_id() in order to execute code with PHP rights.
Impacted products: Debian, openSUSE, PHP, Slackware.
Severity: 2/4.
Consequences: user access/rights.
Provenance: user account.
Creation date: 15/03/2007.
Identifiers: BID-22968, CERTA-2002-AVI-088, CVE-2007-1521, DSA-1282-1, DSA-1283-1, MOPB-22-2007, SSA:2007-127-01, SUSE-SA:2007:032, VIGILANCE-VUL-6650.

Description of the vulnerability

The session_regenerate_id() function regenerates the session identifier (and thus the session cookie).

An attacker can interrupt this function in order to force it to free the same memory area twice. This double free corrupts memory.

An attacker can therefore create a script calling session_regenerate_id() in order to execute code.

computer vulnerability announce CVE-2007-1473 CVE-2007-1474

Horde: several vulnerabilities

Synthesis of the vulnerability

The Horde environment has two vulnerabilities.
Impacted products: Debian, openSUSE, SLES, Unix (platform) ~ not comprehensive.
Severity: 2/4.
Consequences: user access/rights, data deletion.
Provenance: document.
Number of vulnerabilities in this bulletin: 2.
Creation date: 15/03/2007.
Identifiers: BID-22984, BID-22985, CVE-2007-1473, CVE-2007-1474, DSA-1406-1, SUSE-SR:2007:007, VIGILANCE-VUL-6647.

Description of the vulnerability

The Horde environment provides a framework for web application development. It has two vulnerabilities.

An attacker can create a file with a malicious name in order to force the cron temporary-file cleanup script to delete other files. [severity:2/4; CVE-2007-1474]

The new_lang parameter of the login.php script can be used for a Cross Site Scripting attack. [severity:2/4; CVE-2007-1473]

vulnerability CVE-2007-1497

Linux kernel, netfilter: IPv6 fragments accepted as ESTABLISHED

Synthesis of the vulnerability

IPv6 fragments are incorrectly classified as ESTABLISHED.
Impacted products: Debian, Fedora, Linux, Mandriva Linux, netfilter, NLD, OES, openSUSE, RHEL, SLES.
Severity: 2/4.
Consequences: data flow.
Provenance: internet client.
Creation date: 14/03/2007.
Identifiers: BID-23976, CERTA-2002-AVI-088, CVE-2007-1497, DSA-1289-1, FEDORA-2007-335, FEDORA-2007-336, MDKSA-2007:171, MDKSA-2007:196, RHSA-2007:0347-01, SUSE-SA:2007:043, VIGILANCE-VUL-6640.

Description of the vulnerability

The conntrack module of the netfilter firewall tracks established sessions using the ESTABLISHED state. Administrators generally add a rule allowing packets associated with an established session.

When an IPv6 fragment is received, the ipv6_conntrack_in() function of net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c does not initialize the nfctinfo field. Its value is therefore zero, which is also the value of IP_CT_ESTABLISHED, so the packet is accepted as belonging to an established session.

An attacker can therefore send IPv6 fragments that netfilter accepts whenever the ruleset contains a rule allowing established sessions.

computer vulnerability alert CVE-2007-1387

MPlayer, xine-lib: integer overflow via DirectShow

Synthesis of the vulnerability

While playing a DirectShow file, an integer overflow can occur in MPlayer or xine-lib and lead to code execution.
Impacted products: Debian, Mandriva Linux, TurboLinux, Unix (platform) ~ not comprehensive.
Severity: 2/4.
Consequences: user access/rights.
Provenance: document.
Creation date: 14/03/2007.
Identifiers: BID-22933, CVE-2007-1387, DSA-1536-1, MDKSA-2007:061, MDKSA-2007:062, TLSA-2007-33, VIGILANCE-VUL-6636.

Description of the vulnerability

The MPlayer program plays video files. It shares code with the xine-lib library.

When a DirectShow file is read, the biSize variable is not checked in the DS_VideoDecoder_Open() function, which can lead to an integer overflow.

This vulnerability permits a remote attacker to run code with the rights of the MPlayer or xine-lib user.

computer vulnerability bulletin CVE-2007-0958

Linux kernel: reading a program via PT_INTERP

Synthesis of the vulnerability

A local attacker can read the content of an unreadable program by using PT_INTERP.
Impacted products: Debian, Linux, Mandriva Linux, RHEL.
Severity: 1/4.
Consequences: data reading.
Provenance: user shell.
Creation date: 12/03/2007.
Identifiers: BID-22903, CERTA-2002-AVI-088, CVE-2007-0958, DSA-1286-1, DSA-1304-1, MDKSA-2007:060, MDKSA-2007:078, RHSA-2007:0099-02, RHSA-2007:0488-01, VIGILANCE-VUL-6628.

Description of the vulnerability

Programs are generally in ELF format (Executable and Linkable Format).

The VIGILANCE-VUL-4512 bulletin describes a vulnerability (number 5) that permits reading an ELF program via PT_INTERP.

A variant of that attack was announced. It uses the "eph.p_memsz" field instead of "eph.p_filesz".

A local attacker can therefore still read the content of an unreadable program.

computer vulnerability announce CVE-2007-0005

Linux kernel: buffer overflow of Omnikey CardMan 4040

Synthesis of the vulnerability

A local attacker can elevate his privileges if he is allowed to access the Omnikey CardMan 4040 driver.
Impacted products: Debian, Fedora, Linux, Mandriva Linux, RHEL.
Severity: 1/4.
Consequences: administrator access/rights.
Provenance: user shell.
Creation date: 12/03/2007.
Identifiers: CERTA-2002-AVI-088, CVE-2007-0005, DSA-1286-1, FEDORA-2007-335, FEDORA-2007-336, MDKSA-2007:078, RHSA-2007:0099-02, VIGILANCE-VUL-6627.

Description of the vulnerability

The cm4040 driver supports the Omnikey CardMan 4040 smartcard reader.

When /dev/cmx0 receives a block of more than 512 bytes, an overflow occurs in the kernel. Likewise, when a malicious reader sends more than 512 bytes, an overflow occurs in the kernel.

Normally only root can access /dev/cmx0; however, a daemon may give users indirect access to it.

Depending on the context, this vulnerability can therefore lead to code execution.

vulnerability note CVE-2007-1399

PHP: buffer overflow of a ZIP uri

Synthesis of the vulnerability

An attacker can use a long uri in order to generate an overflow in the ZIP extension of PHP.
Impacted products: Debian, Mandriva Linux, Mandriva NF, openSUSE, PHP.
Severity: 2/4.
Consequences: user access/rights.
Provenance: user account.
Creation date: 09/03/2007.
Identifiers: BID-22883, CVE-2007-1399, DSA-1330-1, MDKSA-2007:187, MOPB-16-2007, SUSE-SA:2007:020, VIGILANCE-VUL-6624.

Description of the vulnerability

The ZIP extension is:
 - integrated in PHP since version 5.2.0
 - available on PECL

When a "zip://" uri is handled, its path is copied into a 1024- or 4096-byte array without checking its size. An attacker can therefore generate an overflow by using a long uri.

This vulnerability therefore permits an attacker to execute code with the rights of the PHP process.