The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of Debian Woody

vulnerability alert CVE-2006-0855 CVE-2006-1269

zoo: buffer overflow via long pathnames

Synthesis of the vulnerability

An attacker can create a ZOO archive containing long directory and file names in order to execute code on the user's computer.
Impacted products: Debian, openSUSE, Slackware, Unix (platform) ~ not comprehensive.
Severity: 2/4.
Creation date: 23/02/2006.
Identifiers: BID-16790, BID-17126, CERTA-2006-AVI-115, CVE-2006-0855, CVE-2006-1269, DSA-991-1, SSA:2006-142-02, SUSE-SR:2006:005, SUSE-SR:2006:006, VIGILANCE-VUL-5641.

Description of the vulnerability

The zoo command supports archives compressed in ZOO format (based on Lempel-Ziv).

The fullpath() function of misc.c concatenates the directory name and the file name to obtain the full path. However, this path is stored in an array only half the size of the combined input.

An attacker can thus create an archive containing long names in order to trigger a buffer overflow.

This vulnerability therefore permits an attacker to run code on the computer of users opening a malicious ZOO archive.
Complete Vigil@nce bulletin.... (Free trial)

computer vulnerability alert CVE-2006-0300

GNU tar: buffer overflow via a pax header

Synthesis of the vulnerability

An attacker can create a malicious tar archive in order to run code on the user's computer.
Impacted products: Debian, Fedora, Mandriva Linux, OpenSolaris, openSUSE, Solaris, RHEL, Unix (platform) ~ not comprehensive.
Severity: 3/4.
Creation date: 22/02/2006.
Identifiers: 241646, 6407045, BID-16764, CERTA-2006-AVI-092, CVE-2006-0300, DSA-987-1, FLSA:183571-2, FLSA-2006:183571-2, MDKSA-2006:046, RHSA-2006:023, RHSA-2006:0232-01, SUSE-SR:2006:005, VIGILANCE-VUL-5636.

Description of the vulnerability

The "tar" archive format has several extensions:
 - ustar: supports devices and names of more than 255 characters (IEEE Std. 1003.1)
 - pax: an additional header is added to ustar in order to support files over 8GB
 - etc.

When a tar archive contains a malicious pax header, an overflow occurs in GNU tar.

This overflow crashes tar, and may possibly lead to code execution.

computer vulnerability CVE-2006-0709

Metamail: buffer overflow using long boundaries

Synthesis of the vulnerability

An attacker can create an email containing long boundaries in order to run code in Metamail.
Impacted products: Debian, Mandriva Linux, openSUSE, RHEL, Unix (platform) ~ not comprehensive.
Severity: 3/4.
Creation date: 21/02/2006.
Identifiers: 352482, BID-16611, CERTA-2006-AVI-109, CVE-2006-0709, DSA-995-1, MDKSA-2006:047, RHSA-2006:021, RHSA-2006:0217-01, SUSE-SR:2006:005, VIGILANCE-VUL-5635.

Description of the vulnerability

The Metamail program analyzes emails containing multimedia data stored as MIME.

The MIME format is used to group several documents in one email. An email containing text and an image has the following format (empty lines removed):
 MIME-Version: 1.0
 Content-Type: multipart/Mixed; boundary="BOUNDARY"
 --BOUNDARY
 Content-Type: text/plain; charset="iso-8859-1"
 Content-Transfer-Encoding: 7bit
 HERE TEXT
 --BOUNDARY
 Content-Type: image/gif;
 Content-Transfer-Encoding: base64
 HERE AN IMAGE ENCODED IN BASE64
 --BOUNDARY--

However, Metamail does not check the size of boundaries before storing them in a fixed-size array.

This overflow crashes Metamail, and may possibly lead to code execution.

vulnerability announce CVE-2006-0806

PHP: several Cross Site Scripting vulnerabilities in ADOdb

Synthesis of the vulnerability

The ADODB_Pager class does not correctly check its data, which leads to Cross Site Scripting attacks.
Impacted products: Debian, PHP.
Severity: 2/4.
Creation date: 20/02/2006.
Identifiers: BID-16720, CERTA-2002-AVI-001, CERTA-2002-AVI-009, CVE-2006-0806, DSA-1029-1, DSA-1030-1, DSA-1031-1, VIGILANCE-VUL-5632.

Description of the vulnerability

The ADOdb module provides generic features to access databases from PHP.

The ADODB_Pager class takes data supplied by the user and displays it in the result page. This data is not sanitized beforehand.

An attacker can therefore conduct Cross Site Scripting attacks on PHP websites using ADODB_Pager.

computer vulnerability note CVE-2006-0746 CVE-2006-1244

Xpdf, kpdf: integer overflow in gmem.c and SplashXPathScanner.cc

Synthesis of the vulnerability

An attacker can create a malicious PDF file leading to memory corruption, and eventually to code execution.
Impacted products: Debian, Mandriva Corporate, Mandriva Linux, RHEL, Slackware, Unix (platform) ~ not comprehensive.
Severity: 2/4.
Creation date: 20/02/2006.
Identifiers: advisory-20060310-1, BID-16748, BID-17039, CERTA-2002-AVI-006, CERTA-2006-AVI-104, CVE-2006-0746, CVE-2006-1244, DSA-1008-1, DSA-1019-1, DSA-979-1, DSA-982-1, DSA-983-1, DSA-984-1, DSA-998-1, MDKSA-2006:054, RHSA-2006:026, RHSA-2006:0262-01, SSA:2006-072-01, VIGILANCE-VUL-5629.

Description of the vulnerability

The Xpdf program displays PDF documents.

The new Xpdf version corrects, among other things, two errors:
 - an integer overflow in goo/gmem.c
 - an integer overflow in splash/SplashXPathScanner.cc

An attacker can thus invite a user to open a malicious file in order to crash Xpdf or to run code on the computer.

computer vulnerability alert CVE-2006-0670

bluez-hcidump: denial of service of L2CAP

Synthesis of the vulnerability

An attacker can use a malicious L2CAP packet in order to stop bluez-hcidump.
Impacted products: Debian, Mandriva Corporate, Mandriva Linux, Unix (platform) ~ not comprehensive.
Severity: 1/4.
Creation date: 20/02/2006.
Identifiers: CVE-2006-0670, DSA-990-1, MDKSA-2006:041, VIGILANCE-VUL-5626.

Description of the vulnerability

The BlueZ project implements the Bluetooth protocol for Linux. The hcidump program captures and displays Bluetooth data.

When hcidump receives malicious L2CAP (Logical Link Control and Adaptation Protocol) data, an error occurs and the program stops.

An attacker can therefore send malicious Bluetooth data in order to cause a denial of service on hcidump.

computer vulnerability CVE-2006-0677

Heimdal: denial of service of telnetd

Synthesis of the vulnerability

A network attacker can stop the telnetd daemon by forcing the use of a NULL pointer.
Impacted products: Debian, openSUSE, SLES, Unix (platform) ~ not comprehensive.
Severity: 1/4.
Creation date: 16/02/2006.
Identifiers: BID-16676, CVE-2006-0677, DSA-977-1, SUSE-SA:2006:010, SUSE-SA:2006:011, VIGILANCE-VUL-5625.

Description of the vulnerability

The Heimdal suite provides Kerberized tools.

The telnetd daemon of Heimdal contains an error: the get_slc_defaults() function is called too late, so some data is used before being initialized (resulting in the use of a NULL pointer). An unauthenticated user can trigger this error.

A network attacker can therefore cause a denial of service of telnetd.

computer vulnerability note CVE-2006-0455

GnuPG: false positive of signature verification

Synthesis of the vulnerability

When a detached signature is checked, the return value from "gpg --verify" incorrectly indicates a success.
Impacted products: Debian, Fedora, GnuPG, Mandriva Corporate, Mandriva Linux, Mandriva NF, NLD, OES, openSUSE, RHEL, RedHat Linux, ProPack, Slackware, SLES.
Severity: 3/4.
Creation date: 15/02/2006.
Identifiers: 20060401-01-U, BID-16663, CERTA-2006-AVI-086, CVE-2006-0455, DSA-978-1, FEDORA-2006-116, FLSA:185355, FLSA-2006:185355, MDKSA-2006:043, RHSA-2006:026, RHSA-2006:0266-01, SSA:2006-072-02, SUSE-SA:2006:009, SUSE-SA:2006:013, SUSE-SR:2006:005, VIGILANCE-VUL-5619.

Description of the vulnerability

When a document is signed, its signature is:
 - either detached, which means stored in a separate file,
 - or appended to a new file containing the signed data.

The gpgv ("gpg --verify") command checks the signature. This command displays a message and returns an exit code to the shell (0 means no error occurred).

However, when a detached signature containing arbitrary data is checked, the exit code is always 0 and no message is displayed. A user can notice this abnormal behavior, but a shell script does not detect the error and concludes that the signature is good.

computer vulnerability announce CVE-2005-3893 CVE-2005-3894 CVE-2005-3895

OTRS: several vulnerabilities

Synthesis of the vulnerability

Several vulnerabilities of OTRS permit an attacker to inject SQL code or to conduct Cross Site Scripting attacks.
Impacted products: Debian, OTRS Help Desk.
Severity: 2/4.
Creation date: 15/02/2006.
Identifiers: BID-15537, CVE-2005-3893, CVE-2005-3894, CVE-2005-3895, DSA-973-1, OSA-2005-01, SA0007, VIGILANCE-VUL-5617.

Description of the vulnerability

The Open Ticket Request System is used to manage support tickets. It has several vulnerabilities, grouped into 3 categories.

An attacker can use the UNION SQL command to inject SQL code (CVE-2005-3893).

An attacker can conduct Cross Site Scripting attacks because parameters are not correctly sanitized (CVE-2005-3894).

An attacker can run JavaScript code when an attachment is opened (CVE-2005-3895).

vulnerability note CVE-2005-3342

Noweb: use of insecure files

Synthesis of the vulnerability

A noweb script uses predictable temporary file names, which permits an attacker to corrupt this data.
Impacted products: Debian.
Severity: 1/4.
Creation date: 13/02/2006.
Identifiers: CVE-2005-3342, DSA-968-1, VIGILANCE-VUL-5604.

Description of the vulnerability

The noweb tool implements a literate programming language.

A noweb script uses temporary files with a predictable name:
  /tmp/pstopbm$$
  /tmp/totex$$.awk
  /tmp/text$$.tmp
  ...

A local attacker can thus corrupt data on the system by creating symbolic links in place of the temporary files used by noweb.