The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of Debian Woody

security alert CVE-2007-3670 CVE-2007-3734 CVE-2007-3735

Thunderbird: several vulnerabilities

Synthesis of the vulnerability

Several vulnerabilities were announced in Thunderbird, the worst one leading to code execution.
Severity: 3/4.
Number of vulnerabilities in this bulletin: 2.
Creation date: 18/07/2007.
Identifiers: CVE-2007-3670, CVE-2007-3734, CVE-2007-3735, DSA-1339-1, DSA-1391-1, FEDORA-2007-1146, FEDORA-2007-1157, FEDORA-2007-1180, FEDORA-2007-1181, FEDORA-2007-641, MDVSA-2007:047, MFSA2007-18, MFSA2007-23, RHSA-2007:0723-01, SSA:2007-205-01, SSA:2007-205-02, SUSE-SA:2007:049, VIGILANCE-VUL-7017.

Description of the vulnerability

Several vulnerabilities were announced in Thunderbird.

Around thirty memory corruptions can lead to code execution. [severity:3/4; CVE-2007-3734, CVE-2007-3735, MFSA2007-18]

An attacker can use FirefoxURL and FirefoxHTML URIs to inject chrome commands under Windows (VIGILANCE-VUL-6995). [severity:3/4; CVE-2007-3670, MFSA2007-23]

vulnerability note CVE-2007-3089 CVE-2007-3285 CVE-2007-3656

Firefox: several vulnerabilities

Synthesis of the vulnerability

Several vulnerabilities were announced in Firefox, the worst one leading to code execution.
Severity: 4/4.
Number of vulnerabilities in this bulletin: 8.
Creation date: 18/07/2007.
Identifiers: 103177, 20070701-01-P, 201516, 6582544, 6619093, BID-24286, BID-24831, BID-24946, CERTA-2007-AVI-318, CVE-2007-3089, CVE-2007-3285, CVE-2007-3656, CVE-2007-3670, CVE-2007-3734, CVE-2007-3735, CVE-2007-3736, CVE-2007-3737, CVE-2007-3738, DSA-1336-1, DSA-1337-1, DSA-1338-1, DSA-1339-1, FEDORA-2007-1138, FEDORA-2007-1142, FEDORA-2007-1143, FEDORA-2007-1144, FEDORA-2007-1145, FEDORA-2007-1155, FEDORA-2007-1159, FEDORA-2007-1181, FEDORA-2007-642, MFSA2007-18, MFSA2007-19, MFSA2007-20, MFSA2007-21, MFSA2007-22, MFSA2007-23, MFSA2007-24, MFSA2007-25, RHSA-2007:0722-01, RHSA-2007:0724-01, SSA:2007-200-01, SSA:2007-205-02, SUSE-SA:2007:049, TLSA-2007-37, VIGILANCE-VUL-7016, VU#143297.

Description of the vulnerability

Several vulnerabilities were announced in Firefox.

Around thirty memory corruptions can lead to code execution. [severity:3/4; CVE-2007-3734, CVE-2007-3735, MFSA2007-18]

An attacker can exploit a cross-site scripting vulnerability via addEventListener or setTimeout. [severity:4/4; CVE-2007-3736, MFSA2007-19]

An attacker can inject JavaScript code into the IFRAME of another web site (VIGILANCE-VUL-6882). [severity:4/4; BID-24286, CERTA-2007-AVI-318, CVE-2007-3089, MFSA2007-20, VU#143297]

An element outside of a document can call an event handler in order to execute code. [severity:4/4; CVE-2007-3737, MFSA2007-21]

An attacker can use a URL containing %00 in order to alter file extension analysis. [severity:4/4; CVE-2007-3285, MFSA2007-22]

An attacker can use FirefoxURL and FirefoxHTML URIs to inject chrome commands under Windows (VIGILANCE-VUL-6995). [severity:3/4; CVE-2007-3670, MFSA2007-23]

Cached data can be reached via a redirection to a wyciwyg URI (VIGILANCE-VUL-6975). [severity:4/4; BID-24831, CVE-2007-3656, MFSA2007-24]

An attacker can use XPCNativeWrapper in order to execute code. [severity:4/4; CVE-2007-3738, MFSA2007-25]

security note CVE-2007-3641 CVE-2007-3644 CVE-2007-3645

libarchive: several vulnerabilities

Synthesis of the vulnerability

A malicious tar or cpio archive can cause a denial of service or code execution in tools that use libarchive.
Severity: 2/4.
Number of vulnerabilities in this bulletin: 3.
Creation date: 12/07/2007.
Identifiers: BID-24885, CERTA-2007-AVI-313, CVE-2007-3641, CVE-2007-3644, CVE-2007-3645, DSA-1455-1, FreeBSD-SA-07:05.libarchive, SUSE-SR:2007:015, VIGILANCE-VUL-7006, VU#970849.

Description of the vulnerability

The libarchive library is used by several tools such as tar and cpio. It has several vulnerabilities.

When pax headers are malformed, an infinite loop occurs. [severity:2/4; CVE-2007-3644, VU#970849]

When pax headers are malformed, a NULL pointer is dereferenced. [severity:2/4; CVE-2007-3645]

When pax headers are malformed, a buffer overflow occurs, which can lead to code execution. [severity:2/4; CERTA-2007-AVI-313, CVE-2007-3641]

computer vulnerability bulletin CVE-2007-2691 CVE-2007-2692 CVE-2007-3780

MySQL 5.0: several vulnerabilities

Synthesis of the vulnerability

Several vulnerabilities in MySQL allow an attacker to elevate his privileges.
Severity: 2/4.
Number of vulnerabilities in this bulletin: 5.
Creation date: 12/07/2007.
Identifiers: 23667, 25578, 27337, 27515, 27878, 28984, BID-24011, BID-24016, BID-25017, CERTA-2007-AVI-222, CERTA-2008-AVI-162, CERTA-2008-AVI-492, CVE-2007-2691, CVE-2007-2692, CVE-2007-3780, CVE-2007-3781, CVE-2007-3782, DSA-1413-1, DSA-1451-1, MDKSA-2007:177, MDKSA-2007:243, RHSA-2007:0875-01, RHSA-2007:0894-01, RHSA-2008:0364-01, RHSA-2008:0768-01, SUSE-SR:2007:019, SUSE-SR:2008:003, VIGILANCE-VUL-7000.

Description of the vulnerability

Several vulnerabilities were announced in MySQL.

A local attacker can clone a table structure with CREATE TABLE LIKE. [severity:2/4; 23667, 25578, CVE-2007-3781]

An attacker can use a view to obtain update privilege on tables of another database. [severity:2/4; 27878, CVE-2007-3782]

An attacker can execute a procedure with INVOKER attribute in order to elevate his privileges in another database (VIGILANCE-VUL-6825). [severity:2/4; 27337, BID-24011, CVE-2007-2692]

An attacker can rename a table even if he does not have the DROP privilege (VIGILANCE-VUL-6826). [severity:2/4; 27515, BID-24016, CERTA-2007-AVI-222, CERTA-2008-AVI-492, CVE-2007-2691]

An unauthenticated attacker can use malformed password packets in order to stop the server. [severity:2/4; 28984, CERTA-2008-AVI-162, CVE-2007-3780]

security bulletin CVE-2007-3725

ClamAV, unrar: denial of service

Synthesis of the vulnerability

An attacker can create a malicious RAR archive in order to stop ClamAV or unrar.
Severity: 2/4.
Creation date: 11/07/2007.
Identifiers: BID-24866, CERTA-2002-AVI-136, CERTA-2007-AVI-306, CVE-2007-3725, DSA-1340-1, MDKSA-2007:150, SUSE-SR:2007:015, VIGILANCE-VUL-6991.

Description of the vulnerability

The ClamAV antivirus and the unrar tool share the same vulnerability.

The execute_standard_filter() function of unrarvm.c does not check whether one of the sizes indicated in the RAR file is too small. This error forces ClamAV to read data at an invalid address, which leads to a segmentation fault.

An attacker can therefore create a malicious RAR archive in order to stop ClamAV or unrar.

security threat CVE-2007-3564

curl: SSL certificates not rejected

Synthesis of the vulnerability

The date field in SSL certificates is not correctly checked by libcurl.
Severity: 1/4.
Creation date: 11/07/2007.
Identifiers: BID-24938, CVE-2007-3564, DSA-1333-1, VIGILANCE-VUL-6985.

Description of the vulnerability

The libcurl library can be compiled with OpenSSL or GnuTLS.

When GnuTLS is used, libcurl does not check the validity dates of certificates. Thus, a certificate that is not yet valid or that has expired is not detected.

An attacker can therefore, for example, use an old certificate without being detected by curl.

cybersecurity threat CVE-2006-4519

GIMP: several integer overflows

Synthesis of the vulnerability

An attacker can create malicious images leading to a denial of service or to code execution on the computer of a victim who opens them with GIMP.
Severity: 2/4.
Number of vulnerabilities in this bulletin: 7.
Creation date: 10/07/2007.
Identifiers: BID-24835, CERTA-2007-AVI-290, CVE-2006-4519, DSA-1335-1, FEDORA-2007-1044, FEDORA-2007-1099, FEDORA-2007-627, MDKSA-2007:170, RHSA-2007:0513-01, VIGILANCE-VUL-6977.

Description of the vulnerability

Several integer overflows can occur when a malicious image is opened.

A malicious DICOM image generates an integer overflow in g_new0(). [severity:2/4]

A malicious PNM image generates three integer overflows in g_new(). [severity:2/4]

A malicious PSD image generates an integer overflow in g_new(). [severity:2/4]

A malicious PSP image generates an integer overflow in g_malloc0(). [severity:2/4]

A malicious Sun RAS image generates four integer overflows in g_malloc(). [severity:2/4]

A malicious XBM image generates an integer overflow in g_malloc(). [severity:2/4]

A malicious XWD image generates six integer overflows in g_malloc() and g_new(). [severity:2/4]

An attacker can therefore create malicious images in order to execute code on the computers of GIMP users who agree to open them.
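
The arithmetic behind this class of bug, as an added example (this is not GIMP's code, and it uses plain calloc() rather than g_malloc()/g_new()): a size computed from header fields in 32-bit arithmetic wraps around, while the checked form rejects the header before allocating. The function names, the sample dimensions and the 1 GiB cap are assumptions of this example.

```c
#include <stdint.h>
#include <stdlib.h>

/* Assumed policy limit for this example: refuse any image buffer above 1 GiB. */
#define MAX_IMAGE_BYTES ((size_t)1 << 30)

/* Unchecked pattern: the size is computed in 32-bit arithmetic, so large
 * header values wrap modulo 2^32 and a too-small buffer would be requested. */
uint32_t wrapped_size32(uint32_t width, uint32_t height, uint32_t bpp)
{
    return width * height * bpp;
}

/* Checked form: each multiplication is validated before it is performed.
 * Returns 0 and stores the byte count in *out, or -1 if the header is rejected. */
int checked_image_size(uint32_t width, uint32_t height, uint32_t bpp, size_t *out)
{
    size_t n;

    if (width == 0 || height == 0 || bpp == 0)
        return -1;                          /* empty image: nothing to allocate */
    if ((size_t)width > MAX_IMAGE_BYTES / height)
        return -1;                          /* width * height would exceed the cap */
    n = (size_t)width * height;
    if (n > MAX_IMAGE_BYTES / bpp)
        return -1;                          /* n * bpp would exceed the cap */
    *out = n * bpp;
    return 0;
}

/* Allocate a zeroed pixel buffer, or return NULL when the header is rejected. */
unsigned char *alloc_pixels(uint32_t width, uint32_t height, uint32_t bpp)
{
    size_t bytes;

    if (checked_image_size(width, height, bpp, &bytes) != 0)
        return NULL;
    return calloc(1, bytes);
}
```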

vulnerability announce CVE-2007-3642

Linux kernel: denial of service of nf_conntrack_h323

Synthesis of the vulnerability

An attacker can use malicious H.323 packets in order to cause a denial of service in Netfilter.
Severity: 2/4.
Creation date: 09/07/2007.
Identifiers: BID-24818, CVE-2007-3642, DSA-1356-1, FEDORA-2007-1130, FEDORA-2007-655, MDKSA-2007:195, VIGILANCE-VUL-6974.

Description of the vulnerability

The H.323 protocol encodes its data via ASN.1. The ASN.1 language supports several types: INTEGER, BOOLEAN, CHOICE, etc.

The decode_choice() function in the net/netfilter/nf_conntrack_h323_asn1.c file decodes the CHOICE type. However, this function does not check whether the index is too large. This error leads to a NULL pointer dereference.

An attacker can therefore send a malicious H.323 packet in order to stop the kernel.

weakness CVE-2007-2839

gfax: privilege elevation

Synthesis of the vulnerability

A local attacker can force gfax to add malicious entries to the /etc/crontab file.
Severity: 2/4.
Creation date: 06/07/2007.
Identifiers: 431893, BID-24780, CVE-2007-2839, DSA-1329-1, VIGILANCE-VUL-6971.

Description of the vulnerability

The gfax program is a frontend for fax tools.

During its execution, it copies /etc/crontab to /tmp/crontab, modifies this copy, and copies it back to /etc/crontab. However, if an attacker has previously created the /tmp/crontab file, he owns it and can thus edit it before the second copy.

An attacker can therefore force gfax to modify /etc/crontab. By adding malicious commands, the attacker can thus obtain root privileges.
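
A hardened form of this copy-modify-copy-back pattern, as an added example (this is not gfax's code): the working copy is created with mkstemp() in the target's own directory, which only the privileged user can write to, and is then renamed over the original. The function names, the fixed 0644 mode and the sample paths are assumptions of this example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create a file only if it does not exist yet. O_EXCL fails with EEXIST when
 * another user created the path first; O_NOFOLLOW refuses a planted symlink. */
int create_private(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Append `line` to dir/name without a predictable temporary file: the copy is
 * written to a mkstemp() file in the same directory (mode 0600, random name),
 * then rename()d over the original. Returns 0 on success, -1 on error. */
int append_line_atomic(const char *dir, const char *name, const char *line)
{
    char target[4096], tmp[4096], buf[4096];
    ssize_t n = 0;
    int in, out, ok = 1;

    if (snprintf(target, sizeof target, "%s/%s", dir, name) >= (int)sizeof target ||
        snprintf(tmp, sizeof tmp, "%s/.%s.XXXXXX", dir, name) >= (int)sizeof tmp)
        return -1;
    if ((in = open(target, O_RDONLY | O_NOFOLLOW)) < 0)
        return -1;
    if ((out = mkstemp(tmp)) < 0) {
        close(in);
        return -1;
    }
    while (ok && (n = read(in, buf, sizeof buf)) > 0)
        ok = write(out, buf, (size_t)n) == n;      /* copy existing content */
    ok = ok && n == 0 && write(out, line, strlen(line)) == (ssize_t)strlen(line);
    ok = ok && fchmod(out, 0644) == 0 && fsync(out) == 0;  /* fixed mode: example only */
    close(in);
    if (close(out) != 0)
        ok = 0;
    if (!ok || rename(tmp, target) != 0) {
        unlink(tmp);
        return -1;
    }
    return 0;
}
```

If a fixed path really is required, create_private() shows the minimum check: the open fails when the file already exists instead of reusing a file someone else owns.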

threat CVE-2007-2293 CVE-2007-2294 CVE-2007-2297

Asterisk: several vulnerabilities

Synthesis of the vulnerability

Three vulnerabilities in Asterisk allow a remote attacker to cause a denial of service or to execute code.
Severity: 2/4.
Number of vulnerabilities in this bulletin: 3.
Creation date: 25/04/2007.
Revision date: 05/07/2007.
Identifiers: ASA-2007-010, ASA-2007-011, ASA-2007-012, BID-23648, BID-23649, CVE-2007-2293, CVE-2007-2294, CVE-2007-2297, DSA-1358-1, NGS00497, SUSE-SA:2007:034, VIGILANCE-VUL-6764.

Description of the vulnerability

The Asterisk telephony software implements SIP. It has three vulnerabilities.

Support for T.38 (fax over SIP) is activated with the "t38_udptl" directive of sip.conf. The process_sdp() function of chan_sip.c uses sscanf() to retrieve the T38FaxRateManagement and T38FaxUdpEC parameters of SDP. However, no check is made on the size of these parameters. An unauthenticated attacker can therefore send a malicious INVITE message to execute code. [severity:2/4; ASA-2007-010, BID-23648, CVE-2007-2293, NGS00497]

Vulnerability VIGILANCE-VUL-6674 (denial of service via a zero error code) was not fully corrected. [severity:2/4; ASA-2007-011, CVE-2007-2297]

When a manager.conf user has an empty password, he can connect using an MD5 authentication, which generates a NULL pointer dereference and stops Asterisk. [severity:2/4; ASA-2007-012, BID-23649, CVE-2007-2294]