The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of Debian Woody

vulnerability CVE-2005-3302 CVE-2005-4470

Blender: code execution

Synthesis of the vulnerability

An attacker can create a malicious file or script in order to run code on the user's computer.
Impacted products: Debian.
Severity: 2/4.
Creation date: 24/04/2006.
Identifiers: BID-15981, CERTA-2002-AVI-001, CVE-2005-3302, CVE-2005-4470, DSA-1039-1, VIGILANCE-VUL-5790.

Description of the vulnerability

The Blender software is used to create 3D objects or animations. It has two vulnerabilities.

An attacker can create a ".bvh" file leading to code execution via eval() in bvh_import.py (CVE-2005-3302).

An attacker can create a ".blend" file leading to an overflow in the get_bhead() function of readfile.c (CVE-2005-4470).

An attacker can therefore invite a user to open malicious documents in order to execute code.

computer vulnerability bulletin CVE-2006-1057

GDM: disclosure of ICEauthority cookies

Synthesis of the vulnerability

A local attacker can obtain cookies stored in the ".ICEauthority" file.
Impacted products: Debian, Fedora, Mandriva Linux, RHEL, Unix (platform) ~ not comprehensive.
Severity: 1/4.
Creation date: 20/04/2006.
Identifiers: 338358, BID-17635, CERTA-2002-AVI-144, CVE-2006-1057, DSA-1040-1, FEDORA-2006-338, MDKSA-2006:083, RHSA-2007:0286-02, VIGILANCE-VUL-5788.

Description of the vulnerability

The file indicated by the $ICEAUTHORITY variable, generally "~/.ICEauthority", contains cookies for the ICE protocol (Inter-Client Exchange), used by DCOP (Desktop COmmunication Protocol).

A vulnerability related to the permissions and ownership of this file was announced. Technical details are unknown.

This vulnerability could permit an attacker to read the file in order to obtain the cookies.

vulnerability note CVE-2006-1056

AMD K7/K8 processors: information disclosure during arithmetic operations

Synthesis of the vulnerability

Some operating systems, on some AMD processors, permit a local attacker to obtain information during arithmetic operations.
Impacted products: Debian, Fedora, FreeBSD, Linux, NetBSD, openSUSE, RHEL, SLES.
Severity: 1/4.
Creation date: 19/04/2006.
Identifiers: BID-17600, CERTA-2002-AVI-035, CVE-2006-1056, DSA-1097-1, DSA-1103-1, FEDORA-2006-421, FEDORA-2006-423, FreeBSD-SA-06:14.fpu, NetBSD-SA2006-015, RHSA-2006:043, RHSA-2006:0437-01, RHSA-2006:057, RHSA-2006:0575-01, RHSA-2006:0579-01, SUSE-SA:2006:028, SUSE-SU-2014:0446-1, VIGILANCE-VUL-5784.

Description of the vulnerability

The Floating Point Unit (FPU, x87) is used during floating point arithmetic operations. The FPU contains 3 debug registers: FOP, FIP and FDP. The FSAVE/FRSTOR or FXSAVE/FXRSTOR instructions save and restore these registers.

During a context switch, the kernel has to execute these instructions. However, on AMD K7/K8 processors (AMD Athlon, Duron, Athlon MP, Athlon XP, Athlon64, Athlon64 FX, Opteron, Turion, Sempron) these instructions do not swap this information (whereas Intel processors do). This behavior is documented by AMD.

This particular case has to be handled by the kernel. It was not on Linux and FreeBSD systems (and perhaps others).

Thus, a process can read the FOP, FIP and FDP values belonging to another process.

A local attacker can therefore obtain information related to the arithmetic operations in progress, for example during cryptographic key computation.

vulnerability bulletin CVE-2006-1525

Linux kernel: denial of service during multicast route retrieval

Synthesis of the vulnerability

A local attacker can request a multicast route in order to stop the kernel.
Impacted products: Debian, Fedora, Linux, Mandriva Corporate, Mandriva Linux, Mandriva NF, openSUSE, RHEL.
Severity: 1/4.
Creation date: 19/04/2006.
Identifiers: 6388, BID-17593, CERTA-2002-AVI-035, CVE-2006-1525, DSA-1097-1, DSA-1103-1, FEDORA-2006-421, FEDORA-2006-423, MDKSA-2006:086, MDKSA-2006:116, RHSA-2006:049, RHSA-2006:0493-01, SUSE-SA:2006:028, VIGILANCE-VUL-5783.

Description of the vulnerability

The "ip route get ..." command obtains the route used to reach an IP address. The inet_rtm_getroute() and ip_route_input() functions are then called to obtain this information.

However, when the IP address is a multicast address, the ip_route_input() function dereferences a NULL pointer. This stops the kernel.

A local attacker can therefore conduct a denial of service.

vulnerability CVE-2006-1524

Linux kernel: memory corruption via madvise_remove

Synthesis of the vulnerability

A local attacker can use madvise_remove() in order to free some memory pages.
Impacted products: Debian, Fedora, Linux, openSUSE.
Severity: 1/4.
Creation date: 18/04/2006.
Identifiers: CERTA-2002-AVI-035, CERTA-2006-AVI-161, CVE-2006-1524, DSA-1097-1, DSA-1103-1, FEDORA-2006-421, FEDORA-2006-423, SUSE-SA:2006:028, VIGILANCE-VUL-5780.

Description of the vulnerability

The mm/madvise.c file implements the madvise system call, used by developers to tell the kernel how to manage memory.

The MADV_REMOVE parameter calls the madvise_remove() internal function, which frees a page range.

However, madvise_remove() does not check whether the user is allowed to perform this operation.

A local attacker can therefore corrupt memory to conduct a denial of service.

computer vulnerability bulletin CVE-2006-1753

Debian: file corruption via fcheck

Synthesis of the vulnerability

A local attacker can alter a system file during the execution of fcheck.
Impacted products: Debian.
Severity: 1/4.
Creation date: 18/04/2006.
Identifiers: BID-17524, CERTA-2002-AVI-001, CVE-2006-1753, DSA-1035-1, VIGILANCE-VUL-5778.

Description of the vulnerability

The fcheck package contains tools to check the integrity of files.

During cron execution of one of these checks, a temporary file is created in an insecure manner.

A local attacker can therefore create a symbolic link in order to corrupt a system file.

computer vulnerability CVE-2006-0292 CVE-2006-0293 CVE-2006-0296

Thunderbird 1.0: several vulnerabilities

Synthesis of the vulnerability

Several vulnerabilities were announced in Thunderbird 1.0, the worst one leading to code execution.
Impacted products: Debian, Fedora, Tru64 UNIX, HP-UX, Mandriva Corporate, Mandriva Linux, Mozilla Suite, Thunderbird, Netscape Navigator, openSUSE, Solaris, Trusted Solaris, RHEL, RedHat Linux, ProPack, Slackware.
Severity: 3/4.
Creation date: 18/04/2006.
Identifiers: 102550, 20060404-01-U, 228526, 6424579, c00672120, c00679472, CERTA-2002-AVI-144, CERTA-2006-AVI-156, CVE-2006-0292, CVE-2006-0293, CVE-2006-0296, CVE-2006-0748, CVE-2006-0749, CVE-2006-1538, CVE-2006-1727, CVE-2006-1728, CVE-2006-1730, CVE-2006-1731, CVE-2006-1732, CVE-2006-1733, CVE-2006-1734, CVE-2006-1735, CVE-2006-1737, CVE-2006-1739, CVE-2006-1742, DSA-1046-1, DSA-1051-1, FEDORA-2006-486, FEDORA-2006-487, FEDORA-2006-488, FEDORA-2006-489, FEDORA-2006-490, FEDORA-2006-491, FEDORA-2006-492, FEDORA-2006-493, FEDORA-2006-494, FEDORA-2006-495, FLSA:189137-1, FLSA:189672, FLSA-2006:189137-1, FLSA-2006:189672, HPSBTU02118, HPSBUX02122, MDKSA-2006:076, MDKSA-2006:078, MFSA2006-01, MFSA2006-05, MFSA2006-10, MFSA2006-11, MFSA2006-14, MFSA2006-15, MFSA2006-16, MFSA2006-17, MFSA2006-18, MFSA2006-19, MFSA2006-22, MFSA2006-24, MFSA2006-25, MFSA2006-27, RHSA-2006:032, RHSA-2006:0329-01, RHSA-2006:033, RHSA-2006:0330-01, SSA:2006-114-01, SSRT061145, SSRT061158, SUSE-SA:2006:022, VIGILANCE-VUL-5775, ZDI-06-009, ZDI-06-010, ZDI-06-011.

Description of the vulnerability

Several vulnerabilities were announced in Thunderbird 1.0.

An attacker can invite a user to run malicious Javascript code to conduct a denial of service or to run code (MFSA 2006-01, CVE-2006-0292, CVE-2006-0293, VIGILANCE-VUL-5578).

An attacker can inject Javascript code to be run at startup (MFSA 2006-05, CVE-2006-0296, VIGILANCE-VUL-5581).

An attacker can corrupt memory during garbage collection (MFSA 2006-10, CVE-2006-1742).

Several memory corruptions lead to code execution (MFSA 2006-11, CVE-2006-1739, CVE-2006-1538, CVE-2006-1737).

An attacker can elevate his privileges using XBL.method.eval (MFSA 2006-14, CVE-2006-1735).

An attacker can run privileged Javascript with Object.watch() (MFSA 2006-15, CVE-2006-1734).

An attacker can install a malicious program via valueOf.call() (MFSA 2006-16, CVE-2006-1733).

An attacker can conduct a Cross Site Scripting attack via window.controllers (MFSA 2006-17, CVE-2006-1732).

An attacker can corrupt memory by changing tag order (MFSA 2006-18, CVE-2006-0749).

An attacker can conduct a Cross Site Scripting attack via valueOf.call() (MFSA 2006-19, CVE-2006-1731).

An integer overflow occurs in the CSS letter-spacing property (MFSA 2006-22, CVE-2006-1730).

An attacker can increase his privileges using crypto.generateCRMFRequest (MFSA 2006-24, CVE-2006-1728).

An attacker can obtain chrome privileges using Print Preview (MFSA 2006-25, CVE-2006-1727).

An attacker can corrupt memory by changing tag order (MFSA 2006-27, CVE-2006-0748).

vulnerability alert CVE-2006-0292 CVE-2006-0293 CVE-2006-0296

Firefox 1.0: several vulnerabilities

Synthesis of the vulnerability

Several vulnerabilities were announced in Firefox, the worst one leading to code execution.
Impacted products: Debian, Fedora, Tru64 UNIX, HP-UX, Mandriva Corporate, Mandriva Linux, Firefox, Mozilla Suite, Netscape Navigator, openSUSE, Solaris, Trusted Solaris, RHEL, RedHat Linux, ProPack, Slackware.
Severity: 4/4.
Creation date: 14/04/2006.
Identifiers: 102550, 20060404-01-U, 228526, 6424579, BID-17516, c00672120, c00679472, CERTA-2002-AVI-144, CERTA-2006-AVI-156, CVE-2006-0292, CVE-2006-0293, CVE-2006-0296, CVE-2006-0748, CVE-2006-0749, CVE-2006-1727, CVE-2006-1728, CVE-2006-1729, CVE-2006-1730, CVE-2006-1731, CVE-2006-1732, CVE-2006-1733, CVE-2006-1734, CVE-2006-1735, CVE-2006-1736, CVE-2006-1737, CVE-2006-1738, CVE-2006-1739, CVE-2006-1740, CVE-2006-1741, CVE-2006-1742, DSA-1044-1, DSA-1046-1, FEDORA-2006-410, FEDORA-2006-486, FEDORA-2006-487, FEDORA-2006-488, FEDORA-2006-489, FEDORA-2006-490, FEDORA-2006-491, FEDORA-2006-492, FEDORA-2006-493, FEDORA-2006-494, FEDORA-2006-495, FLSA:189137-1, FLSA:189137-2, FLSA-2006:189137-1, FLSA-2006:189137-2, HPSBTU02118, HPSBUX02122, MDKSA-2006:075, MDKSA-2006:076, MFSA2006-01, MFSA2006-03, MFSA2006-05, MFSA2006-09, MFSA2006-10, MFSA2006-11, MFSA2006-12, MFSA2006-13, MFSA2006-14, MFSA2006-15, MFSA2006-16, MFSA2006-17, MFSA2006-18, MFSA2006-19, MFSA2006-22, MFSA2006-23, MFSA2006-24, MFSA2006-25, MFSA2006-27, RHSA-2006:032, RHSA-2006:0328-01, RHSA-2006:0329-01, SSA:2006-114-01, SSRT061145, SSRT061158, SUSE-SA:2006:021, VIGILANCE-VUL-5771, ZDI-06-009, ZDI-06-010, ZDI-06-011.

Description of the vulnerability

Several vulnerabilities were announced in Firefox 1.0.

An attacker can invite a user to run malicious Javascript code to conduct a denial of service or to run code (MFSA 2006-01, CVE-2006-0292, CVE-2006-0293, VIGILANCE-VUL-5578).

An attacker can generate an overflow in history.dat (MFSA 2006-03, CVE-2005-4134, VIGILANCE-VUL-5417).

An attacker can inject Javascript code to be run at startup (MFSA 2006-05, CVE-2006-0296, VIGILANCE-VUL-5581).

An attacker can inject Javascript code using event handlers (MFSA 2006-09, CVE-2006-1741).

An attacker can corrupt memory during garbage collection (MFSA 2006-10, CVE-2006-1742).

Several memory corruptions lead to code execution (MFSA 2006-11, CVE-2006-1739, CVE-2006-1538, CVE-2006-1737).

An attacker can spoof the secure site indicator (MFSA 2006-12, CVE-2006-1740).

An attacker can store an executable program on the user's computer by inviting him to download an image (MFSA 2006-13, CVE-2006-1736).

An attacker can elevate his privileges using XBL.method.eval (MFSA 2006-14, CVE-2006-1735).

An attacker can run privileged Javascript with Object.watch() (MFSA 2006-15, CVE-2006-1734).

An attacker can install a malicious program via valueOf.call() (MFSA 2006-16, CVE-2006-1733).

An attacker can conduct a Cross Site Scripting attack via window.controllers (MFSA 2006-17, CVE-2006-1732).

An attacker can corrupt memory by changing tag order (MFSA 2006-18, CVE-2006-0749).

An attacker can conduct a Cross Site Scripting attack via valueOf.call() (MFSA 2006-19, CVE-2006-1731).

An integer overflow occurs in the CSS letter-spacing property (MFSA 2006-22, CVE-2006-1730).

An attacker can obtain a file located on the user's computer using a text form (MFSA 2006-23, CVE-2006-1729).

An attacker can increase his privileges using crypto.generateCRMFRequest (MFSA 2006-24, CVE-2006-1728).

An attacker can obtain chrome privileges using Print Preview (MFSA 2006-25, CVE-2006-1727).

An attacker can corrupt memory by changing tag order (MFSA 2006-27, CVE-2006-0748).

computer vulnerability announcement CVE-2006-0744

Linux kernel: privilege elevation during an exception

Synthesis of the vulnerability

On an x86_64 processor, a local attacker can elevate his privileges during an exception.
Impacted products: Debian, Fedora, Linux, Mandriva Corporate, Mandriva Linux, Mandriva NF, OES, openSUSE, RHEL, SLES.
Severity: 1/4.
Creation date: 13/04/2006.
Identifiers: BID-17541, CERTA-2002-AVI-035, CVE-2006-0744, DSA-1103-1, FEDORA-2006-421, FEDORA-2006-423, MDKSA-2006:086, MDKSA-2006:150, RHSA-2006:043, RHSA-2006:0437-01, RHSA-2006:049, RHSA-2006:0493-01, SUSE-SA:2006:028, SUSE-SA:2006:042, SUSE-SA:2006:047, VIGILANCE-VUL-5767.

Description of the vulnerability

System calls are implemented using the SYSENTER/SYSEXIT or SYSCALL/SYSRET instructions. The SYSCALL instruction saves RIP (the 64-bit instruction pointer) in RCX (the 64-bit version of ECX). The SYSRET instruction restores the RCX value to RIP.

The IRET instruction returns from an interrupt handler (restoring SS:RSP), while RET returns from a simple procedure (using RSP only).

When a system call returns a non-canonical address, an exception occurs in SYSRET, due to bugs in AMD and Intel processors. The interrupt handler is then run with an invalid GS segment value. The kernel then has to use IRET to restore the system state, in case the user changed RIP. However, a simple return is done instead.

This error leads to a denial of service, and possibly to code execution in a privileged context.

vulnerability bulletin CVE-2006-1711

Plone: portrait modification

Synthesis of the vulnerability

An unauthenticated attacker can change portraits of Plone users.
Impacted products: Debian, Unix (platform) ~ not comprehensive.
Severity: 2/4.
Creation date: 12/04/2006.
Identifiers: CERTA-2002-AVI-001, CVE-2006-1711, DSA-1032-1, Plone Hotfix 2006-04-10, VIGILANCE-VUL-5763.

Description of the vulnerability

The Plone environment is a CMS (Content Management System).

Three Plone methods are not protected:
 - changeMemberPortrait
 - deletePersonalPortrait
 - testCurrentPassword

An attacker can therefore use the first two to alter the portrait of any user. The effect of calling the third method is unknown.