| The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them. |
|
 |
|
|
Computer vulnerabilities of Debian Woody
zoo: buffer overflow via long pathnames
Synthesis of the vulnerability
An attacker can create a ZOO archive containing long directory and file names in order to execute code on user's computer.
Impacted products: Debian, openSUSE, Slackware, Unix (platform) ~ not comprehensive.
Severity: 2/4.
Creation date: 23/02/2006.
Identifiers: BID-16790, BID-17126, CERTA-2006-AVI-115, CVE-2006-0855, CVE-2006-1269, DSA-991-1, SSA:2006-142-02, SUSE-SR:2006:005, SUSE-SR:2006:006, VIGILANCE-VUL-5641.
Description of the vulnerability
The zoo command supports archives compressed in ZOO format (based on Lempel-Ziv).
The fullpath() function of misc.c concatenates the directory name and the filename to obtain the full path. However, this path is stored in a twice shorter array.
An attacker can thus create an archive containing long names in order to generate an overflow.
This vulnerability therefore permits an attacker to run code on computer of users opening a malicious ZOO archive.
Complete Vigil@nce bulletin.... (Free trial) |
GNU tar: buffer overflow via a pax header
Synthesis of the vulnerability
An attacker can create a malicious tar archive in order to run code on user's computer.
Impacted products: Debian, Fedora, Mandriva Linux, OpenSolaris, openSUSE, Solaris, RHEL, Unix (platform) ~ not comprehensive.
Severity: 3/4.
Creation date: 22/02/2006.
Identifiers: 241646, 6407045, BID-16764, CERTA-2006-AVI-092, CVE-2006-0300, DSA-987-1, FLSA:183571-2, FLSA-2006:183571-2, MDKSA-2006:046, RHSA-2006:023, RHSA-2006:0232-01, SUSE-SR:2006:005, VIGILANCE-VUL-5636.
Description of the vulnerability
The "tar" archive format has several extensions:
- ustar: supports devices and names of more than 255 characters (IEEE Std. 1003.1)
- pax: an additional header is added to ustar in order to support files over 8GB
- etc.
When a tar archive contains a malicious pax header, an overflow occurs in GNU tar.
This overflow leads to tar stop, and eventually to code execution.
Complete Vigil@nce bulletin.... (Free trial) |
Metamail: buffer overflow using long boundaries
Synthesis of the vulnerability
An attacker can create an email containing long boundaries in order to run code in Metamail.
Impacted products: Debian, Mandriva Linux, openSUSE, RHEL, Unix (platform) ~ not comprehensive.
Severity: 3/4.
Creation date: 21/02/2006.
Identifiers: 352482, BID-16611, CERTA-2006-AVI-109, CVE-2006-0709, DSA-995-1, MDKSA-2006:047, RHSA-2006:021, RHSA-2006:0217-01, SUSE-SR:2006:005, VIGILANCE-VUL-5635.
Description of the vulnerability
The Metamail program analyzes emails containing multimedia data stored as MIME.
The MIME format is used to group several documents in one email. An email containing a text and an image has the following format (empty lines removed) :
MIME-Version: 1.0
Content-Type: multipart/Mixed; boundary="BOUNDARY"
--BOUNDARY
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
HERE TEXT
--BOUNDARY
Content-Type: image/gif;
Content-Transfer-Encoding: base64
HERE AN IMAGE ENCODED IN BASE64
--BOUNDARY--
However, Metamail does not check boundaries sizes before storing them in a fixed size array.
This overflow leads to Metamail stop, and eventually to code execution.
Complete Vigil@nce bulletin.... (Free trial) |
PHP: several Cross Site Scripting of ADOdb
Synthesis of the vulnerability
The ADODB_Pager class does not correctly check its data, which leads to Cross Site Scripting attacks.
Impacted products: Debian, PHP.
Severity: 2/4.
Creation date: 20/02/2006.
Identifiers: BID-16720, CERTA-2002-AVI-001, CERTA-2002-AVI-009, CVE-2006-0806, DSA-1029-1, DSA-1030-1, DSA-1031-1, VIGILANCE-VUL-5632.
Description of the vulnerability
The ADOdb module proposes generic features to access databases from PHP.
The ADODB_Pager class uses data coming from user in order to display them in result page. These data are not previously sanitized.
An attacker can therefore conduct Cross Site Scripting attacks on PHP websites using ADODB_Pager.
Complete Vigil@nce bulletin.... (Free trial) |
Xpdf, kpdf: integer overflow in gmem.c et SplashXPathScanner.cc
Synthesis of the vulnerability
An attacker can create a malicious PDF file leading to memory corruption, and eventually to code execution.
Impacted products: Debian, Mandriva Corporate, Mandriva Linux, RHEL, Slackware, Unix (platform) ~ not comprehensive.
Severity: 2/4.
Creation date: 20/02/2006.
Identifiers: advisory-20060310-1, BID-16748, BID-17039, CERTA-2002-AVI-006, CERTA-2006-AVI-104, CVE-2006-0746, CVE-2006-1244, DSA-1008-1, DSA-1019-1, DSA-979-1, DSA-982-1, DSA-983-1, DSA-984-1, DSA-998-1, MDKSA-2006:054, RHSA-2006:026, RHSA-2006:0262-01, SSA:2006-072-01, VIGILANCE-VUL-5629.
Description of the vulnerability
The Xpdf program displays PDF documents.
The new Xpdf version corrects in particular two errors:
- an integer overflow in goo/gmem.c
- an integer overflow in splash/SplashXPathScanner.cc
An attacker can thus invite a user to open a malicious file in order to stop Xpdf or to run code on the computer.
Complete Vigil@nce bulletin.... (Free trial) |
bluez-hcidump: denial of service of L2CAP
Synthesis of the vulnerability
An attacker can use a malicious L2CAP packet in order to stop bluez-hcidump.
Impacted products: Debian, Mandriva Corporate, Mandriva Linux, Unix (platform) ~ not comprehensive.
Severity: 1/4.
Creation date: 20/02/2006.
Identifiers: CVE-2006-0670, DSA-990-1, MDKSA-2006:041, VIGILANCE-VUL-5626.
Description of the vulnerability
The BlueZ project implements the Bluetooth protocol for Linux. The hcidump program captures and displays Bluetooth data.
When hcidump receives malicious L2CAP data (Logical Link Control and Adaptation Protocol), an error occurs and program stops.
An attacker can therefore send malicious Bluetooth data in order to generate a denial of service on hcidump.
Complete Vigil@nce bulletin.... (Free trial) |
Heimdal: denial of service of telnetd
Synthesis of the vulnerability
A network attacker can stop telnetd daemon by forcing usage of a NULL pointer.
Impacted products: Debian, openSUSE, SLES, Unix (platform) ~ not comprehensive.
Severity: 1/4.
Creation date: 16/02/2006.
Identifiers: BID-16676, CVE-2006-0677, DSA-977-1, SUSE-SA:2006:010, SUSE-SA:2006:011, VIGILANCE-VUL-5625.
Description of the vulnerability
The Heimdal suite proposes kerberized tools.
The telnetd daemon of Heimdal has an error. Indeed, the get_slc_defaults() function is called too late. Some data are thus used before being initialized (usage of a NULL pointer). An unauthenticated user can generate this error.
A network attacker can therefore conduct a denial of service of telnetd.
Complete Vigil@nce bulletin.... (Free trial) |
GnuPG: false positive of signature verification
Synthesis of the vulnerability
When a detached signature is checked, the return value from "gpg --verify" incorrectly indicates a success.
Impacted products: Debian, Fedora, GnuPG, Mandriva Corporate, Mandriva Linux, Mandriva NF, NLD, OES, openSUSE, RHEL, RedHat Linux, ProPack, Slackware, SLES.
Severity: 3/4.
Creation date: 15/02/2006.
Identifiers: 20060401-01-U, BID-16663, CERTA-2006-AVI-086, CVE-2006-0455, DSA-978-1, FEDORA-2006-116, FLSA:185355, FLSA-2006:185355, MDKSA-2006:043, RHSA-2006:026, RHSA-2006:0266-01, SSA:2006-072-02, SUSE-SA:2006:009, SUSE-SA:2006:013, SUSE-SR:2006:005, VIGILANCE-VUL-5619.
Description of the vulnerability
When a document is signed, its signature is:
- either detached, which means stored in a separate file,
- either at the end of a new file containing the signed data.
The gpgv ("gpg --verify") command checks the signature. This command displays a message and returns an error code to the shell (0 means no error occurred).
However, when a detached signature, containing arbitrary data, is checked, the error code is always 0 and no message is displayed. An user can notice this abnormal behavior. However, a shell script does not detect the error and concludes the signature is good.
Complete Vigil@nce bulletin.... (Free trial) |
OTRS: several vulnerabilities
Synthesis of the vulnerability
Several vulnerabilities of OTRS permit an attacker to inject SQL code or to conduct Cross Site Scripting attacks.
Impacted products: Debian, OTRS Help Desk.
Severity: 2/4.
Creation date: 15/02/2006.
Identifiers: BID-15537, CVE-2005-3893, CVE-2005-3894, CVE-2005-3895, DSA-973-1, OSA-2005-01, SA0007, VIGILANCE-VUL-5617.
Description of the vulnerability
The Open Ticket Request System is used to manage support tickets. It has several vulnerabilities grouped in 3 categories.
An attacker can use the UNION SQL command to inject SQL code (CVE-2005-3893).
An attacker can conduct Cross Site Scripting attacks because parameters are not correctly sanitized (CVE-2005-3894).
An attacker can run Javascript code when an attachment is opened (CVE-2005-3895).
Complete Vigil@nce bulletin.... (Free trial) |
Noweb: use of insecure files
Synthesis of the vulnerability
A noweb script use predictable temporary file names, which permits an attacker to corrupt these data.
Impacted products: Debian.
Severity: 1/4.
Creation date: 13/02/2006.
Identifiers: CVE-2005-3342, DSA-968-1, VIGILANCE-VUL-5604.
Description of the vulnerability
The noweb tool implements a literate programming language.
A noweb script uses temporary files with a predictable name:
/tmp/pstopbm$$
/tmp/totex$$.awk
/tmp/text$$.tmp
...
A local attacker can thus corrupt data on the system by creating symbolic links in place of temporary files used by noweb.
Complete Vigil@nce bulletin.... (Free trial) |
Our database contains other pages. You can request a free trial to read them.
Display information about Debian Woody:
|