The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of Debian Woody

computer vulnerability alert CVE-2005-2701 CVE-2005-2702 CVE-2005-2703

Mozilla, Firefox, Thunderbird, Netscape: several vulnerabilities

Synthesis of the vulnerability

Several vulnerabilities in the Mozilla suite permit a remote attacker to execute code or cause a denial of service.
Impacted products: Debian, Fedora, Mandriva Corporate, Mandriva Linux, Firefox, Mozilla Suite, Thunderbird, Netscape Navigator, openSUSE, Solaris, Trusted Solaris, RHEL, RedHat Linux, ProPack, Slackware, TurboLinux.
Severity: 3/4.
Creation date: 21/09/2005.
Revision date: 23/09/2005.
Identifiers: 101952, 20050903-01-U, 307185, 6281360, 6282170, 6282190, 6284465, BID-14888, BID-14916, BID-14917, BID-14918, BID-14919, BID-14920, BID-14921, BID-14923, BID-14924, CERTA-2005-AVI-346, CERTA-2005-AVI-358, CERTA-2005-AVI-369, CVE-2005-2701, CVE-2005-2702, CVE-2005-2703, CVE-2005-2704, CVE-2005-2705, CVE-2005-2706, CVE-2005-2707, CVE-2005-2871, CVE-2005-2968, CVE-2005-3089, DSA-837-1, DSA-838-1, DSA-866-1, DSA-868-1, FEDORA-2005-926, FEDORA-2005-927, FEDORA-2005-928, FEDORA-2005-929, FEDORA-2005-930, FEDORA-2005-931, FEDORA-2005-932, FEDORA-2005-933, FEDORA-2005-934, FEDORA-2005-962, FEDORA-2005-963, FLSA-2006:168375, MDKSA-2005:169, MDKSA-2005:170, MDKSA-2005:174, MFSA2005-57, MFSA2005-58, MFSA2005-59, RHSA-2005:785, RHSA-2005:785-01, RHSA-2005:789, RHSA-2005:789-01, RHSA-2005:791, RHSA-2005:791-01, SSA:2005-269-01, SSA:2005-278-01, SUSE-SA:2005:058, SUSE-SA:2006:022, TLSA-2005-93, VIGILANCE-VUL-5206, VU#914681.

Description of the vulnerability

Programs of the Mozilla suite contain several vulnerabilities.

An attacker can trigger a buffer overflow with a URL whose hostname contains a long series of soft hyphen (0xAD) characters (VIGILANCE-VUL-5186, CAN-2005-2871).

On Unix, an attacker can run shell commands by placing backtick ('`') characters in a URL. This affects programs that launch the browser through a shell command line (for example a wrapper shell script, or a system() call): the URL is interpolated into the command string and the shell then expands the backticks before the browser ever sees the URL (CAN-2005-2968).
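The following C program is an added example, not code from Mozilla or from the bulletin: it shows the two ways a program can hand a URL to a browser, the shell-interpolating one the advisory describes and a shell-free one. The browser binary is replaced by `echo` (an assumption, so that whatever reaches the child's argv can be read back), and the hostile URL is constructed for the demo.

```c
/* Added example (not Mozilla's code): launching a "browser" with a URL, the
 * shell-interpolating way versus the argv way. BROWSER is echo so the argv
 * that reached the child can be read back (assumption: echo is on PATH). */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

#define BROWSER "echo"   /* stand-in for the browser binary */

/* Drop a trailing newline so the echoed argument compares exactly. */
static void chomp(char *s)
{
    size_t n = strlen(s);
    while (n > 0 && (s[n - 1] == '\n' || s[n - 1] == '\r'))
        s[--n] = '\0';
}

/* Vulnerable pattern (what the advisory describes): the URL is pasted into a
 * command line that /bin/sh then parses. Double quotes do not stop the shell
 * from expanding `...` or $(...) found inside the URL. */
int launch_unsafe(const char *url, char *out, size_t outsz)
{
    char cmd[2048];
    if (snprintf(cmd, sizeof cmd, BROWSER " \"%s\"", url) >= (int)sizeof cmd)
        return -1;
    FILE *p = popen(cmd, "r");          /* popen runs sh -c "cmd" */
    if (!p)
        return -1;
    size_t n = fread(out, 1, outsz - 1, p);
    out[n] = '\0';
    pclose(p);
    chomp(out);
    return 0;
}

/* Hardened pattern: no shell is involved. The URL becomes exactly one argv
 * element, so backticks, '$', ';' and quotes are ordinary bytes to the child. */
int launch_safe(const char *url, char *out, size_t outsz)
{
    int fds[2];
    if (pipe(fds) < 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {                     /* child: browser's stdout -> pipe */
        dup2(fds[1], STDOUT_FILENO);
        close(fds[0]);
        close(fds[1]);
        execlp(BROWSER, BROWSER, url, (char *)NULL);
        _exit(127);
    }
    close(fds[1]);
    size_t n = 0;
    ssize_t r;
    while (n < outsz - 1 && (r = read(fds[0], out + n, outsz - 1 - n)) > 0)
        n += (size_t)r;
    out[n] = '\0';
    close(fds[0]);
    waitpid(pid, NULL, 0);
    chomp(out);
    return 0;
}

int main(void)
{
    /* Constructed hostile URL: the backticks carry a command. */
    const char *url = "http://example.com/`echo INJECTED`";
    char out[256];
    launch_unsafe(url, out, sizeof out);
    printf("unsafe launcher saw: %s\n", out);   /* the shell ran the command */
    launch_safe(url, out, sizeof out);
    printf("safe launcher saw:   %s\n", out);   /* the URL arrived untouched */
    return 0;
}
```

With the unsafe launcher the child receives `http://example.com/INJECTED`, proof that the embedded command ran; with the argv launcher it receives the URL byte for byte. Quoting the URL inside the command string is not a fix: single quotes in the URL would break out of single-quoted interpolation just as backticks defeat double quotes.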

A heap overflow can occur while processing XBM images (CAN-2005-2701).

A long sequence of Unicode "zero-width non-joiner" characters corrupts memory (CAN-2005-2702).

An attacker can send an XMLHttpRequest with attacker-controlled headers, in order to confuse HTTP proxies (header injection) (CAN-2005-2703).

An attacker can spoof an object using the "implements" attribute of XBL bindings (CAN-2005-2704).

An integer overflow can occur in the JavaScript engine (CAN-2005-2705).

An attacker can use "about:" URLs to load privileged pages (CAN-2005-2706).

An attacker can spoof a chrome window (browser UI) (CAN-2005-2707).

Several regressions also concern PAC (Proxy Auto-Config) files and InstallTrigger.getVersion().
Complete Vigil@nce bulletin.... (Free trial)

computer vulnerability announce CVE-2005-2662 CVE-2005-2663

MasqMail: obtaining mail privileges

Synthesis of the vulnerability

A local attacker can run code or corrupt a file with the privileges of the mail user.
Impacted products: Debian, Mandriva NF.
Severity: 1/4.
Creation date: 21/09/2005.
Identifiers: BID-14890, CVE-2005-2662, CVE-2005-2663, DSA-848-1, MDKSA-2005:168, VIGILANCE-VUL-5207.

Description of the vulnerability

MasqMail is a mail server for computers that are not permanently connected to the Internet. It has two vulnerabilities.

When a bounce (error) message is sent back, the e-mail address is not correctly filtered, which lets a local attacker execute code with the rights of the mail user (CAN-2005-2662).

A local attacker can replace the log file with a symbolic link, in order to corrupt the file it points to with the rights of the mail user (CAN-2005-2663).

vulnerability alert CVE-2005-2919 CVE-2005-2920

ClamAV: buffer overflow of UPX and denial of service of FSG

Synthesis of the vulnerability

An attacker can craft a malicious UPX- or FSG-packed executable in order to run code or cause a denial of service.
Impacted products: ClamAV, Debian, Mandriva Corporate, Mandriva Linux, openSUSE.
Severity: 3/4.
Creation date: 19/09/2005.
Identifiers: BID-14866, BID-14867, CERTA-2005-AVI-348, CVE-2005-2919, CVE-2005-2920, DSA-824-1, MDKSA-2005:166, SUSE-SA:2005:055, VIGILANCE-VUL-5201, VU#363713.

Description of the vulnerability

Executables can be packed to shrink their size and make their analysis harder. ClamAV unpacks several packers, such as UPX (Ultimate Packer for eXecutables) and FSG (Fast Small Good), in order to scan the original code.

A UPX-packed program can trigger a buffer overflow in libclamav/upx.c.

An FSG-packed program can send libclamav/fsg.c into an infinite loop.

An attacker can therefore submit a packed program to be scanned, in order to run code with the privileges of the scanner or to cause a denial of service.

vulnerability CVE-2005-2917

Squid: denial of service by changing authentication type

Synthesis of the vulnerability

An attacker can switch authentication scheme in the middle of an exchange in order to stop Squid.
Impacted products: Debian, Fedora, Mandriva Corporate, Mandriva Linux, Mandriva NF, openSUSE, RHEL, RedHat Linux, ProPack, Squid, TurboLinux.
Severity: 2/4.
Creation date: 16/09/2005.
Identifiers: 1391, 20060401-01-U, BID-14977, CERTA-2005-AVI-371, CVE-2005-2917, DSA-828-1, FLSA-2006:152809, MDKSA-2005:181, RHSA-2006:004, RHSA-2006:0045-01, RHSA-2006:005, RHSA-2006:0052-01, SUSE-SR-2005:027, TLSA-2005-101, VIGILANCE-VUL-5200.

Description of the vulnerability

The Squid proxy supports several authentication schemes, including:
 - Basic: login and password are sent base64-encoded
 - NTLM: Microsoft's NTLM authentication is used

NTLM authentication is a challenge-response exchange (for a proxy, the equivalent is a 407 error with Proxy-Authenticate and Proxy-Authorization):
 - the client requests access to the resource
 - the server returns a 401 error with "WWW-Authenticate: NTLM"
 - the client sends "Authorization: NTLM first_part"
 - the server returns a 401 error with "WWW-Authenticate: NTLM challenge"
 - the client sends "Authorization: NTLM second_part"

An attacker can start an NTLM exchange, then send a Basic Authorization header instead of the second NTLM message. Squid does not expect the scheme to change in the middle of the exchange: an internal error occurs and the proxy process exits.
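The C program below is an added example, not Squid's code: a minimal per-connection authentication state machine that is fed the header sequence above, once in the form the advisory describes (the next Authorization header after a challenge is assumed to be NTLM) and once dispatching on the scheme actually received. Status codes follow the description above (401 / WWW-Authenticate). NTLM itself is not implemented; the constructed rule accepts any non-empty second NTLM message, and Basic accepts the constructed credential alice:secret.

```c
/* Added example (not Squid's code): authentication state per connection,
 * the crashing shape versus the scheme-aware shape. Credentials and the
 * NTLM "second message" check are constructed for the demo. */
#include <stdio.h>
#include <string.h>
#include <strings.h>

enum auth_state { AUTH_NONE, AUTH_NTLM_CHALLENGED, AUTH_DONE };
struct conn { enum auth_state state; };

/* What the proxy answers; R_FATAL models the old behaviour (process exit). */
enum reply { R_401_NTLM, R_401_NTLM_CHALLENGE, R_401_BASIC, R_200_OK, R_FATAL };

/* Split "Authorization: <scheme> <data>"; header name compared case-insensitively. */
static int parse_authz(const char *hdr, char *scheme, size_t ssz, const char **data)
{
    if (!hdr || strncasecmp(hdr, "Authorization:", 14) != 0)
        return -1;
    const char *p = hdr + 14;
    while (*p == ' ') p++;
    size_t n = strcspn(p, " ");
    if (n == 0 || n >= ssz)
        return -1;
    memcpy(scheme, p, n);
    scheme[n] = '\0';
    p += n;
    while (*p == ' ') p++;
    *data = p;
    return 0;
}

static enum reply check_basic(const char *data)
{
    /* "YWxpY2U6c2VjcmV0" is base64("alice:secret"), constructed for the demo. */
    return strcmp(data, "YWxpY2U6c2VjcmV0") == 0 ? R_200_OK : R_401_BASIC;
}

/* Old shape: once a challenge has gone out, the next Authorization header is
 * assumed to be the second NTLM message. A Basic header at that point is an
 * internal inconsistency; the real server died, modelled here as R_FATAL. */
enum reply handle_naive(struct conn *c, const char *hdr)
{
    char scheme[16]; const char *data;
    if (parse_authz(hdr, scheme, sizeof scheme, &data) != 0)
        return R_401_NTLM;
    if (c->state == AUTH_NTLM_CHALLENGED) {
        if (strcasecmp(scheme, "NTLM") != 0)
            return R_FATAL;                     /* the crash */
        c->state = AUTH_DONE;
        return *data ? R_200_OK : R_401_NTLM;
    }
    if (strcasecmp(scheme, "NTLM") == 0) {
        c->state = AUTH_NTLM_CHALLENGED;
        return R_401_NTLM_CHALLENGE;
    }
    return strcasecmp(scheme, "Basic") == 0 ? check_basic(data) : R_401_NTLM;
}

/* Fixed shape: dispatch on the scheme actually received. A scheme change just
 * discards the half-finished NTLM exchange; nothing is assumed about the
 * client honouring the previous step. */
enum reply handle_fixed(struct conn *c, const char *hdr)
{
    char scheme[16]; const char *data;
    if (parse_authz(hdr, scheme, sizeof scheme, &data) != 0)
        return R_401_NTLM;
    if (strcasecmp(scheme, "NTLM") == 0) {
        if (c->state == AUTH_NTLM_CHALLENGED) {
            c->state = AUTH_DONE;
            return *data ? R_200_OK : R_401_NTLM;
        }
        c->state = AUTH_NTLM_CHALLENGED;
        return R_401_NTLM_CHALLENGE;
    }
    c->state = AUTH_NONE;                       /* abandon any NTLM in progress */
    return strcasecmp(scheme, "Basic") == 0 ? check_basic(data) : R_401_NTLM;
}

/* Replay the advisory's sequence: no credentials, NTLM first message, then Basic. */
enum reply replay_attack(enum reply (*handler)(struct conn *, const char *))
{
    struct conn c = { AUTH_NONE };
    handler(&c, NULL);                                            /* 1. plain request */
    handler(&c, "Authorization: NTLM first_part");                /* 2. -> 401 + challenge */
    return handler(&c, "Authorization: Basic YWxpY2U6c2VjcmV0");  /* 3. scheme switch */
}

int main(void)
{
    const char *v[] = { "401 NTLM", "401 NTLM challenge", "401 Basic", "200 OK", "FATAL (process exits)" };
    printf("old handler:   %s\n", v[replay_attack(handle_naive)]);
    printf("fixed handler: %s\n", v[replay_attack(handle_fixed)]);
    return 0;
}
```

The general rule the fixed handler follows: per-connection state records what the server has sent, never what the client is presumed to send next, so any header that does not continue the exchange is treated as a fresh attempt rather than as a violated invariant.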

This vulnerability therefore lets an attacker cause a denial of service.

computer vulnerability CVE-2005-2657

common-lisp-controller: compiled code execution

Synthesis of the vulnerability

A local attacker can plant compiled code in the shared cache, and it will be run by the next user.
Impacted products: Debian.
Severity: 1/4.
Creation date: 14/09/2005.
Identifiers: BID-14829, CVE-2005-2657, DSA-811-1, DSA-811-2, VIGILANCE-VUL-5195.

Description of the vulnerability

The common-lisp-controller package compiles Common Lisp source code and caches the compiled output in a directory.

When a Common Lisp program is loaded, the cached compiled code is used if it is present. However, that cache may have been populated by a local attacker.

An attacker can therefore compile malicious code into the cache, and it will run with the privileges of the next user who loads that code.

vulnerability note CVE-2005-3256

Enigmail: encryption for an unspecified recipient

Synthesis of the vulnerability

When the user's keyring contains a key with an empty uid, that key is selected by default to encrypt the message.
Impacted products: Debian, Mandriva Corporate, Mandriva Linux, Mozilla Suite, Thunderbird, Netscape Navigator, openSUSE.
Severity: 3/4.
Creation date: 13/09/2005.
Identifiers: BID-15155, CVE-2005-3256, DSA-889-1, MDKSA-2005:226, SUSE-SR:2005:028, VIGILANCE-VUL-5194, VU#805121.

Description of the vulnerability

The Enigmail extension signs and encrypts e-mails with GnuPG.

The user's keyring contains the public keys of other users. When the user encrypts a message, a dialog box may appear asking him to select the recipient keys.

However, if a key has an empty uid field, it is selected by default. The user may not notice that it has been selected if the keyring contains many keys.

An attacker can therefore convince the user to import such a key into his keyring, then intercept sent messages and decrypt them with the matching private key.

vulnerability bulletin CVE-2005-2876

util-linux: increase of privileges with umount

Synthesis of the vulnerability

A local attacker can remount a filesystem containing, for example, suid programs, in order to escalate his privileges.
Impacted products: Debian, Fedora, Mandriva Corporate, Mandriva Linux, Mandriva NF, openSUSE, RHEL, RedHat Linux, ProPack, Slackware, Unix (platform) ~ not comprehensive.
Severity: 1/4.
Creation date: 13/09/2005.
Identifiers: 20051003-01-U, 20051003-02-U, BID-14816, CERTA-2005-AVI-359, CVE-2005-2876, DSA-823-1, DSA-825-1, FEDORA-2005-886, FEDORA-2005-887, FLSA:168326, FLSA-2005:168326, MDKSA-2005:167, RHSA-2005:782, RHSA-2005:782-01, SSA:2005-255-02, SUSE-SR:2005:021, VIGILANCE-VUL-5193.

Description of the vulnerability

The util-linux package contains several utilities: fdisk, ipcs, more, mount, shutdown, etc.

The umount command detaches a filesystem from its mount point. If the filesystem is busy, the operation fails; if the '-r' option was given, umount then tries to remount the filesystem read-only instead.

However, the existing mount flags (nosuid, nodev, etc.) are not carried over to the read-only remount: only "read-only" is requested, so the kernel drops the others. So if a user is allowed to unmount a filesystem (for example one listed with the 'user' option in /etc/fstab, which implies nosuid and nodev) that contains suid root programs, those programs become fully operational after the remount.

A local attacker can therefore escalate his privileges by remounting a filesystem that contains suid or sgid programs.
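As an added example (not util-linux's code), the following C program computes the flags for a read-only remount in the two ways described above: requesting only read-only, as the advisory says umount -r did, and carrying the mount's existing security flags over. The option string format ("rw,nosuid,nodev,...") is the one found in /proc/mounts and /etc/mtab; the sample option string is constructed, and the MS_* values given for non-Linux builds are Linux's constants.

```c
/* Added example (not util-linux's code): flags for a read-only remount,
 * computed from the mount's current option string. */
#include <stdio.h>
#include <string.h>
#ifdef __linux__
#include <sys/mount.h>
#else
#define MS_RDONLY  1UL     /* Linux values, for building the demo elsewhere */
#define MS_NOSUID  2UL
#define MS_NODEV   4UL
#define MS_NOEXEC  8UL
#define MS_REMOUNT 32UL
#endif

#define MS_SECURITY (MS_NOSUID | MS_NODEV | MS_NOEXEC)

/* Map a comma-separated option string to mount(2) flag bits. Options not in
 * the table (user, relatime, errors=...) carry no security bit and are skipped. */
unsigned long parse_mount_opts(const char *opts)
{
    static const struct { const char *name; unsigned long bit; } table[] = {
        { "ro", MS_RDONLY }, { "nosuid", MS_NOSUID },
        { "nodev", MS_NODEV }, { "noexec", MS_NOEXEC },
    };
    unsigned long flags = 0;
    char buf[256];
    if (snprintf(buf, sizeof buf, "%s", opts) >= (int)sizeof buf)
        return 0;
    for (char *tok = strtok(buf, ","); tok; tok = strtok(NULL, ","))
        for (size_t i = 0; i < sizeof table / sizeof table[0]; i++)
            if (strcmp(tok, table[i].name) == 0)
                flags |= table[i].bit;
    return flags;
}

/* Vulnerable computation: only "read-only" is requested, so the remount
 * replaces the mount's flags with MS_RDONLY alone and nosuid/nodev/noexec go. */
unsigned long ro_remount_flags_naive(const char *current_opts)
{
    (void)current_opts;
    return MS_REMOUNT | MS_RDONLY;
}

/* Fixed computation: preserve whatever security flags the mount already has. */
unsigned long ro_remount_flags_fixed(const char *current_opts)
{
    return MS_REMOUNT | MS_RDONLY | (parse_mount_opts(current_opts) & MS_SECURITY);
}

/* Would setuid binaries on the filesystem be honoured after this remount? */
int suid_would_work(unsigned long remount_flags)
{
    return (remount_flags & MS_NOSUID) == 0;
}

int main(void)
{
    /* Constructed /proc/mounts options of a user-mountable removable disk. */
    const char *opts = "rw,nosuid,nodev,noexec,relatime";
    printf("after naive -r remount, suid binaries work: %s\n",
           suid_would_work(ro_remount_flags_naive(opts)) ? "yes" : "no");
    printf("after fixed -r remount, suid binaries work: %s\n",
           suid_would_work(ro_remount_flags_fixed(opts)) ? "yes" : "no");
    /* On a real system the fixed flags would be passed as
     * mount(dev, mountpoint, NULL, ro_remount_flags_fixed(opts), NULL); */
    return 0;
}
```

The same mistake appears in any tool that "re-applies" one property of a mount with a fresh remount call: MS_REMOUNT does not merge with the existing flags, it replaces them, so every flag that must survive has to be read back and passed again.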

vulnerability announce CVE-2005-2495

XFree86: integer overflows of pixmap images

Synthesis of the vulnerability

A malicious pixmap image triggers several integer overflows in XFree86.
Impacted products: Debian, Fedora, HP-UX, Mandriva Corporate, Mandriva Linux, openSUSE, Solaris, Trusted Solaris, RHEL, RedHat Linux, ProPack, Slackware.
Severity: 2/4.
Creation date: 13/09/2005.
Identifiers: 101926, 166859, 20051004-01-U, 20060403-01-U, 594, 6316436, 6316438, BID-14807, c00732238, CERTA-2005-AVI-345, CERTA-2005-AVI-375, CVE-2005-2495, DSA-816-1, FEDORA-2005-893, FEDORA-2005-894, FLSA-2006:168264-1, FLSA-2006:168264-2, HPSBUX02137, MDKSA-2005:164, RHSA-2005:329, RHSA-2005:329-01, RHSA-2005:396-01, RHSA-2005:501, RHSA-2005:501-01, SSA:2005-269-02, SSRT051024, SUSE-SA:2005:056, SUSE-SR:2005:023, VIGILANCE-VUL-5192, VU#102441.

Description of the vulnerability

The XFree86 graphics code supports pixmap images.

This implementation does not correctly check the size of images: the product of height by width can overflow, so a very large image leads to a short memory allocation, and memory is corrupted when the image data is copied into it.
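The C program below is an added example, not XFree86's code: it sizes a pixmap buffer from a header in the way the description above attributes to the bug (width by height computed in a fixed-width integer and handed to the allocator) next to an overflow-checked version and a loader that refuses truncated data. The header layout, the size cap and the sample images are constructed for the demo.

```c
/* Added example (not XFree86's code): pixmap buffer sizing, wrapping versus
 * checked. Header layout and sample images are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct pixmap_hdr {
    uint32_t width;
    uint32_t height;
    uint32_t bits_per_pixel;   /* 1, 8, 24, 32 ... */
};

/* Vulnerable: the product wraps at 2^32, so a huge image yields a tiny
 * allocation, and the copy of the real pixel data then overruns it. */
uint32_t pixmap_bytes_naive(const struct pixmap_hdr *h)
{
    uint32_t row = (h->width * h->bits_per_pixel + 7) / 8;
    return row * h->height;
}

/* Checked: every multiplication is tested before it happens and the result
 * is capped, so the allocation can never be shorter than the data it holds.
 * Returns 0 on success, -1 if the dimensions are unrepresentable or too big. */
int pixmap_bytes_checked(const struct pixmap_hdr *h, size_t *out)
{
    const size_t max_bytes = 256u * 1024u * 1024u;   /* policy cap: 256 MiB (assumed) */
    if (h->width == 0 || h->height == 0 || h->bits_per_pixel == 0 || h->bits_per_pixel > 32)
        return -1;
    if ((size_t)h->width > (SIZE_MAX - 7) / h->bits_per_pixel)
        return -1;
    size_t row = ((size_t)h->width * h->bits_per_pixel + 7) / 8;
    if (row > SIZE_MAX / h->height)
        return -1;
    size_t total = row * h->height;
    if (total > max_bytes)
        return -1;
    *out = total;
    return 0;
}

/* Load pixel data into a freshly sized buffer. Rejects oversized dimensions
 * and truncated input instead of copying past the allocation. The caller
 * frees the returned buffer. */
unsigned char *pixmap_load(const struct pixmap_hdr *h, const unsigned char *data, size_t datalen)
{
    size_t need;
    if (pixmap_bytes_checked(h, &need) != 0 || datalen < need)
        return NULL;
    unsigned char *buf = malloc(need);
    if (!buf)
        return NULL;
    memcpy(buf, data, need);
    return buf;
}

int main(void)
{
    /* Constructed hostile header: 65536 x 65536 at 8 bpp is 4 GiB of pixels,
     * but 65536 * 65536 wraps to 0 in 32 bits. */
    struct pixmap_hdr evil = { 65536u, 65536u, 8u };
    size_t checked = 0;
    printf("naive size:   %u bytes\n", (unsigned)pixmap_bytes_naive(&evil));
    printf("checked size: %s\n", pixmap_bytes_checked(&evil, &checked) == 0 ? "ok" : "rejected");

    struct pixmap_hdr small = { 4u, 2u, 8u };    /* 8 bytes of pixels */
    unsigned char px[8] = { 1, 2, 3, 4, 5, 6, 7, 8 };
    unsigned char *img = pixmap_load(&small, px, sizeof px);
    printf("small image loaded: %s\n", img ? "yes" : "no");
    free(img);
    return 0;
}
```

The naive function returns 0 for the hostile header, exactly the "short memory allocation" described above; the checked version rejects it before any allocation. Note that the check must happen in the same width as the final size_t, and that rejecting "too large" images by policy is what keeps a 32-bit build from accepting a product that merely fits in size_t but exhausts memory.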

Other integer overflows have been announced, but their technical details are unknown.

An attacker can therefore run code if a user opens a malicious pixmap.

computer vulnerability note CVE-2005-2490

Linux kernel: memory corruption with sendmsg

Synthesis of the vulnerability

A local attacker can modify a structure between the kernel's check of it and its use, in order to escalate his privileges.
Impacted products: Debian, Fedora, Linux, Mandriva Corporate, Mandriva Linux, Mandriva NF, openSUSE, RHEL, RedHat Linux.
Severity: 2/4.
Creation date: 12/09/2005.
Identifiers: BID-14785, CERTA-2002-AVI-006, CVE-2005-2490, DSA-1017-1, FEDORA-2005-905, FEDORA-2005-906, FLSA:157459-2, FLSA-2006:157459-1, FLSA-2006:157459-2, FLSA-2006:157459-3, MDKSA-2005:171, MDKSA-2005:219, MDKSA-2005:220, MDKSA-2005:235, RHSA-2005:514, RHSA-2005:514-01, RHSA-2005:663-01, SUSE-SA:2005:068, VIGILANCE-VUL-5189.

Description of the vulnerability

The sendmsg() system call sends a message described by a msghdr structure over a socket.

The msg_control field of the msghdr structure points to ancillary (control) data. The kernel validates this data the first time it fetches it from user memory, but fetches it again for later uses without re-checking it.

An attacker can therefore use a second thread to change the structure's contents after the first check (a time-of-check/time-of-use race), forcing the kernel to use an unchecked value. Memory is then corrupted.
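The C program below is an added example, not Linux kernel code: it reduces the double-fetch pattern behind this bug to user space. A "user" header is checked and then re-read from the same memory, and a hook (race_hook, a name chosen for the demo) stands in for the second thread that rewrites the header in the window between the check and the use; the fixed variant copies the header once into "kernel" memory and uses only that copy. Buffer sizes, the canary and the attacker payload are constructed.

```c
/* Added example (not kernel code): the check-then-refetch race, in user space.
 * race_hook models the attacker's second thread. Sizes are constructed. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define KCTL_MAX   64      /* kernel-side slot for control data */
#define CANARY_LEN 64      /* guard bytes after the slot */
#define CANARY     0xA5

/* Model of the user-supplied header: volatile so every read hits memory,
 * as each copy_from_user() of the field would in the kernel. */
struct user_msghdr {
    volatile size_t msg_controllen;
    const unsigned char *msg_control;
};

/* The "second thread": called in the window between check and use. */
void (*race_hook)(struct user_msghdr *) = NULL;

/* Kernel buffer: slot then canary, one object so the overrun is observable. */
struct kbuf { unsigned char mem[KCTL_MAX + CANARY_LEN]; };

static void kbuf_init(struct kbuf *k)
{
    memset(k->mem, 0, KCTL_MAX);
    memset(k->mem + KCTL_MAX, CANARY, CANARY_LEN);
}

int kbuf_canary_ok(const struct kbuf *k)
{
    for (size_t i = 0; i < CANARY_LEN; i++)
        if (k->mem[KCTL_MAX + i] != CANARY)
            return 0;
    return 1;
}

/* Vulnerable: validates msg_controllen, then fetches it again for the copy. */
int copy_control_naive(struct user_msghdr *u, struct kbuf *k)
{
    if (u->msg_controllen > KCTL_MAX)                  /* check: first fetch */
        return -1;
    if (race_hook) race_hook(u);                       /* attacker's thread runs */
    memcpy(k->mem, u->msg_control, u->msg_controllen); /* use: second fetch */
    return 0;
}

/* Fixed: fetch the header once into kernel-owned variables and never look at
 * user memory again, so the check and the use see the same value. */
int copy_control_fixed(struct user_msghdr *u, struct kbuf *k)
{
    size_t len = u->msg_controllen;                    /* single fetch */
    const unsigned char *src = u->msg_control;
    if (len > KCTL_MAX)
        return -1;
    if (race_hook) race_hook(u);                       /* too late: len is ours */
    memcpy(k->mem, src, len);
    return 0;
}

/* Attacker thread behaviour: grow the length after the check has passed. */
static unsigned char attacker_payload[KCTL_MAX + CANARY_LEN];
static void attacker_rewrite(struct user_msghdr *u)
{
    u->msg_controllen = sizeof attacker_payload;
}

/* Run the race against one implementation.
 * Returns 1 if the kernel buffer's canary survived, 0 if it was overwritten. */
int run_race_demo(int use_fixed)
{
    struct kbuf k;
    kbuf_init(&k);
    memset(attacker_payload, 0x41, sizeof attacker_payload);
    struct user_msghdr u = { 16, attacker_payload };   /* 16 bytes passes the check */
    race_hook = attacker_rewrite;
    int rc = use_fixed ? copy_control_fixed(&u, &k) : copy_control_naive(&u, &k);
    race_hook = NULL;
    return rc == 0 && kbuf_canary_ok(&k);
}

int main(void)
{
    printf("naive copy: canary %s\n", run_race_demo(0) ? "intact" : "smashed");
    printf("fixed copy: canary %s\n", run_race_demo(1) ? "intact" : "smashed");
    return 0;
}
```

The real race is won by timing rather than by a hook, which is why it is unreliable per attempt but reliable over many attempts; the fix is the same either way: every value taken from user memory is copied exactly once and all later logic works on the copy.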

This vulnerability lets a local attacker obtain root privileges.

vulnerability alert CVE-2005-2494

KDE: administrator privileges with kcheckpass

Synthesis of the vulnerability

A local attacker can obtain root privileges through the kcheckpass program.
Impacted products: Debian, Mandriva Corporate, Mandriva Linux, RHEL, Slackware, Unix (platform) ~ not comprehensive.
Severity: 1/4.
Creation date: 05/09/2005.
Revision date: 08/09/2005.
Identifiers: advisory-20050905-1, BID-14736, CERTA-2005-AVI-360, CVE-2005-2494, DSA-815-1, MDKSA-2005:160, RHSA-2006:058, RHSA-2006:0582-01, SSA:2005-251-01, VIGILANCE-VUL-5171.

Description of the vulnerability

The kcheckpass program verifies a user's password. It is setuid root and uses the file /var/lock/kcheckpass._uid_ to throttle brute-force attempts.

While running, it creates this lock file under /var/lock.

However, on systems where /var/lock is world-writable, an attacker can pre-create /var/lock/kcheckpass._uid_ as a symbolic link. kcheckpass follows the link, and the file it points to is created with root privileges and left world-writable.

A local attacker can therefore escalate his privileges by creating (or clobbering) a system file and then writing to it.
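The symbolic-link problem here is the same one as in the MasqMail log file case above, so one added C example (not KDE's or MasqMail's code) covers both: creating a lock or log file in a directory other users can write to, first the naive way and then with O_EXCL and O_NOFOLLOW. The demo plants the symlink itself in a private mkdtemp() directory (it assumes /tmp is writable); the file names and the 0666 mode on the naive open are illustrative, not the programs' actual values.

```c
/* Added example (not MasqMail's or KDE's code): creating a lock/log file on a
 * path an attacker may have pre-created as a symlink. Paths and modes are
 * constructed for the demo. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Naive: O_CREAT without O_EXCL follows a symlink planted at 'path' and
 * creates whatever it points to, with the caller's (root's) privileges. */
int open_lock_naive(const char *path)
{
    return open(path, O_WRONLY | O_CREAT, 0666);
}

/* Hardened: O_EXCL refuses to create through an existing entry (a symlink
 * counts as existing), O_NOFOLLOW refuses to follow one, and the mode is
 * private. fstat() then confirms a fresh regular file was obtained. */
int open_lock_safe(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1) {
        close(fd);
        errno = EINVAL;
        return -1;
    }
    return fd;
}

/* Plant lock -> target as a symlink, then try each opener against it.
 * Returns 0 if the demo ran; the out-parameters report what each opener did. */
int symlink_demo(int *naive_created_target, int *safe_refused)
{
    char dir[] = "/tmp/lockdemo.XXXXXX";
    if (!mkdtemp(dir))
        return -1;
    char lock[256], target[256];
    snprintf(lock, sizeof lock, "%s/kcheckpass.1000", dir);   /* attacker-chosen link name */
    snprintf(target, sizeof target, "%s/victim-file", dir);   /* stands in for a system file */

    /* 1. attacker plants the symlink, the privileged program opens naively */
    if (symlink(target, lock) != 0)
        return -1;
    int fd = open_lock_naive(lock);
    *naive_created_target = (fd >= 0 && access(target, F_OK) == 0);
    if (fd >= 0) close(fd);
    unlink(target);
    unlink(lock);

    /* 2. same planted symlink, hardened opener */
    if (symlink(target, lock) != 0)
        return -1;
    fd = open_lock_safe(lock);
    *safe_refused = (fd < 0 && access(target, F_OK) != 0);
    if (fd >= 0) close(fd);
    unlink(lock);
    rmdir(dir);
    return 0;
}

int main(void)
{
    int naive = 0, safe = 0;
    if (symlink_demo(&naive, &safe) != 0)
        return 1;
    printf("naive open created the symlink target: %s\n", naive ? "yes" : "no");
    printf("hardened open refused the symlink:     %s\n", safe ? "yes" : "no");
    return 0;
}
```

Opening the file safely is only half of the fix: a lock kept in a world-writable directory still lets an attacker pre-create a regular file and make every O_EXCL open fail (a denial of service against the throttle), so a privileged program should keep such state in a directory only it can write to.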