The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of Google Android KitKat

computer vulnerability alert CVE-2014-9731

Linux kernel: information disclosure via UDF

Synthesis of the vulnerability

A local attacker can mount a malicious UDF filesystem on Linux, in order to obtain sensitive information from the kernel memory.
Impacted products: Android OS, Linux, openSUSE, SUSE Linux Enterprise Desktop, SLES.
Severity: 1/4.
Consequences: data reading.
Provenance: privileged console.
Creation date: 03/06/2015.
Identifiers: CERTFR-2015-AVI-357, CVE-2014-9731, openSUSE-SU-2015:1382-1, openSUSE-SU-2016:0301-1, SUSE-SU-2015:1224-1, SUSE-SU-2015:1324-1, SUSE-SU-2015:1592-1, SUSE-SU-2015:1611-1, VIGILANCE-VUL-17056.

Description of the vulnerability

The Linux kernel supports the UDF filesystem, which is used on DVDs.

UDF filesystems support symbolic links. However, if the link name is malformed, the code in fs/udf/symlink.c does not detect the end of the name, so readlink() returns the contents of kernel memory to the user.

A local attacker can therefore mount a malicious UDF filesystem on Linux, in order to obtain sensitive information from the kernel memory.

computer vulnerability bulletin CVE-2015-1805

Linux kernel: memory corruption via pipe_iov_copy

Synthesis of the vulnerability

A local attacker can generate a memory corruption in pipe_iov_copy functions of the Linux kernel, in order to trigger a denial of service, and possibly to execute code.
Impacted products: Debian, BIG-IP Hardware, TMOS, Android OS, NSM Central Manager, NSMXpress, Linux, RHEL, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity: 2/4.
Consequences: administrator access/rights, privileged access/rights, user access/rights, denial of service on server.
Provenance: user shell.
Creation date: 03/06/2015.
Identifiers: 1202855, CERTFR-2015-AVI-243, CERTFR-2015-AVI-261, CERTFR-2015-AVI-263, CERTFR-2015-AVI-318, CVE-2015-1805, DSA-3290-1, JSA10853, RHSA-2015:1042-01, RHSA-2015:1081-01, RHSA-2015:1082-01, RHSA-2015:1120-01, RHSA-2015:1137-01, RHSA-2015:1138-01, RHSA-2015:1139-01, RHSA-2015:1190-01, RHSA-2015:1199-01, RHSA-2015:1211-01, RHSA-2016:0103-01, SOL17458, SOL17462, SUSE-SU-2015:1224-1, SUSE-SU-2015:1324-1, SUSE-SU-2015:1478-1, SUSE-SU-2015:1592-1, SUSE-SU-2015:1611-1, USN-2678-1, USN-2679-1, USN-2680-1, USN-2681-1, VIGILANCE-VUL-17038.

Description of the vulnerability

The Linux kernel implements Unix pipes in the virtual PipeFS filesystem (fs/pipe.c).

The pipe read and write paths use pipe_iov_copy_to_user() and pipe_iov_copy_from_user() from fs/pipe.c. However, if the iovec sizes are inconsistent, these functions copy to or from invalid memory areas.

A local attacker can therefore generate a memory corruption in pipe_iov_copy functions of the Linux kernel, in order to trigger a denial of service, and possibly to execute code.

vulnerability alert CVE-2015-3636

Linux kernel: use after free via ping_unhash

Synthesis of the vulnerability

A local attacker can force the usage of a freed memory area in ping_unhash() of the Linux kernel, in order to trigger a denial of service, and possibly to execute code.
Impacted products: Debian, BIG-IP Hardware, TMOS, Fedora, Android OS, Linux, openSUSE, RHEL, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity: 2/4.
Consequences: administrator access/rights, privileged access/rights, denial of service on server.
Provenance: privileged shell.
Creation date: 04/05/2015.
Identifiers: CERTFR-2015-AVI-254, CERTFR-2015-AVI-261, CERTFR-2015-AVI-328, CERTFR-2015-AVI-357, CVE-2015-3636, DSA-3290-1, FEDORA-2015-7736, FEDORA-2015-8518, K17246, openSUSE-SU-2015:1382-1, openSUSE-SU-2016:0301-1, RHSA-2015:1221-01, RHSA-2015:1534-01, RHSA-2015:1564-01, RHSA-2015:1565-01, RHSA-2015:1583-01, RHSA-2015:1643-01, SOL17246, SUSE-SU-2015:1071-1, SUSE-SU-2015:1224-1, SUSE-SU-2015:1376-1, SUSE-SU-2015:1478-1, USN-2631-1, USN-2632-1, USN-2633-1, USN-2634-1, USN-2635-1, USN-2636-1, USN-2637-1, USN-2638-1, VIGILANCE-VUL-16801.

Description of the vulnerability

The Linux kernel supports sockets of type ping:
  socket(PF_INET, SOCK_DGRAM, IPPROTO_ICMP)
Access to these sockets is usually restricted.

However, if the user disconnects and then reconnects the socket, the ping_unhash() function frees a memory area that is subsequently reused.

A local attacker can therefore force the usage of a freed memory area in ping_unhash() of the Linux kernel, in order to trigger a denial of service, and possibly to execute code.

vulnerability bulletin CVE-2015-1863

wpa_supplicant: vulnerability

Synthesis of the vulnerability

A vulnerability in wpa_supplicant has been announced.
Impacted products: Debian, Fedora, Android OS, openSUSE, openSUSE Leap, RHEL, Slackware, Ubuntu.
Severity: 1/4.
Consequences: unknown consequence, administrator access/rights, privileged access/rights, user access/rights, client access/rights, data reading, data creation/edition, data deletion, data flow, denial of service on server, denial of service on service, denial of service on client, disguisement.
Provenance: document.
Creation date: 23/04/2015.
Identifiers: CVE-2015-1863, DSA-3233-1, FEDORA-2015-6860, FEDORA-2015-6952, openSUSE-SU-2015:0813-1, openSUSE-SU-2017:2896-1, RHSA-2015:1090-01, SSA:2015-132-03, USN-2577-1, VIGILANCE-VUL-16703.

Description of the vulnerability

A vulnerability in wpa_supplicant has been announced.

vulnerability note CVE-2015-2922 CVE-2015-2923 CVE-2015-2924

Linux kernel, FreeBSD: denial of service via IPv6 RA Hop Limit

Synthesis of the vulnerability

An attacker on the LAN can spoof ICMPv6 RA packets with a low Hop Limit, in order to trigger a denial of service of the Linux or FreeBSD IPv6 stacks.
Impacted products: Debian, BIG-IP Hardware, TMOS, Fedora, FreeBSD, Android OS, Linux, openSUSE, Solaris, pfSense, RHEL, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity: 2/4.
Consequences: denial of service on server, denial of service on service, denial of service on client.
Provenance: LAN.
Number of vulnerabilities in this bulletin: 3.
Creation date: 03/04/2015.
Identifiers: bulletinoct2015, CERTFR-2015-AVI-198, CERTFR-2015-AVI-328, CERTFR-2015-AVI-357, CVE-2015-2922, CVE-2015-2923, CVE-2015-2924, DSA-3175-1, DSA-3175-2, DSA-3237-1, FEDORA-2015-6294, FEDORA-2015-6320, FEDORA-2015-7623, FreeBSD-SA-15:09.ipv6, K51518670, openSUSE-SU-2015:1382-1, openSUSE-SU-2016:0301-1, RHSA-2015:1221-01, RHSA-2015:1534-01, RHSA-2015:1564-01, RHSA-2015:1565-01, RHSA-2015:2315-01, SOL51518670, SUSE-SU-2015:1071-1, SUSE-SU-2015:1224-1, SUSE-SU-2015:1376-1, SUSE-SU-2015:1478-1, USN-2585-1, USN-2586-1, USN-2587-1, USN-2589-1, USN-2590-1, VIGILANCE-VUL-16534.

Description of the vulnerability

On a local network, IPv6 routers send ICMPv6 Router Advertisement (RA) messages to announce their presence. This packet contains a field named "Cur Hop Limit" that indicates the default value the IPv6 host should use in its Hop Limit field.

RFC 3756 recommends ignoring a "Cur Hop Limit" value lower than the current one. However, the Linux and FreeBSD implementations accept lowering the Hop Limit to 1, which prevents packets from being routed beyond the local link.

An attacker on the LAN can therefore spoof ICMPv6 RA packets with a low Hop Limit, in order to trigger a denial of service of the Linux or FreeBSD IPv6 stacks.

computer vulnerability note CVE-2014-9656 CVE-2014-9657 CVE-2014-9658

FreeType: multiple vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of FreeType.
Impacted products: Debian, BIG-IP Hardware, TMOS, Fedora, Android OS, OpenBSD, openSUSE, Solaris, RHEL, Ubuntu, Unix (platform) ~ not comprehensive.
Severity: 3/4.
Consequences: user access/rights, denial of service on client.
Provenance: document.
Number of vulnerabilities in this bulletin: 20.
Creation date: 20/02/2015.
Identifiers: bulletinapr2015, CVE-2014-9656, CVE-2014-9657, CVE-2014-9658, CVE-2014-9659, CVE-2014-9660, CVE-2014-9661, CVE-2014-9662, CVE-2014-9663, CVE-2014-9664, CVE-2014-9665, CVE-2014-9666, CVE-2014-9667, CVE-2014-9668, CVE-2014-9669, CVE-2014-9670, CVE-2014-9671, CVE-2014-9672, CVE-2014-9673, CVE-2014-9674, CVE-2014-9675, DSA-3188-1, DSA-3461-1, FEDORA-2015-2216, FEDORA-2015-2237, MDVSA-2015:055, MDVSA-2015:089, openSUSE-SU-2015:0627-1, RHSA-2015:0696-01, SOL16900, USN-2510-1, VIGILANCE-VUL-16229.

Description of the vulnerability

Several vulnerabilities were announced in FreeType.

An attacker can generate an integer overflow in tt_sbit_decoder_load_image, in order to trigger a denial of service, and possibly to execute code. [severity:3/4; CVE-2014-9656]

An attacker can force a read at an invalid address in tt_face_load_hdmx, in order to trigger a denial of service. [severity:2/4; CVE-2014-9657]

An attacker can force a read at an invalid address in tt_face_load_kern, in order to trigger a denial of service. [severity:2/4; CVE-2014-9658]

An attacker can generate a buffer overflow in cff/cf2intrp.c, in order to trigger a denial of service, and possibly to execute code. [severity:3/4; CVE-2014-9659]

An attacker can force a NULL pointer to be dereferenced in _bdf_parse_glyphs, in order to trigger a denial of service. [severity:2/4; CVE-2014-9660]

An attacker can force the usage of a freed memory area in type42/t42parse.c, in order to trigger a denial of service, and possibly to execute code. [severity:3/4; CVE-2014-9661]

An attacker can generate a buffer overflow in cff/cf2ft.c, in order to trigger a denial of service, and possibly to execute code. [severity:3/4; CVE-2014-9662]

An attacker can force a read at an invalid address in tt_cmap4_validate, in order to trigger a denial of service. [severity:2/4; CVE-2014-9663]

An attacker can force a read at an invalid address in type42/t42parse.c and type1/t1load.c, in order to trigger a denial of service. [severity:2/4; CVE-2014-9664]

An attacker can generate an integer overflow in Load_SBit_Png, in order to trigger a denial of service, and possibly to execute code. [severity:3/4; CVE-2014-9665]

An attacker can force a read at an invalid address in tt_sbit_decoder_init, in order to trigger a denial of service. [severity:2/4; CVE-2014-9666]

An attacker can force a read at an invalid address in sfnt/ttload.c, in order to trigger a denial of service. [severity:2/4; CVE-2014-9667]

An attacker can generate an integer overflow in woff_open_font, in order to trigger a denial of service, and possibly to execute code. [severity:3/4; CVE-2014-9668]

An attacker can generate an integer overflow in sfnt/ttcmap.c, in order to trigger a denial of service, and possibly to execute code. [severity:3/4; CVE-2014-9669]

An attacker can generate an integer overflow in pcf_get_encodings, in order to trigger a denial of service, and possibly to execute code. [severity:3/4; CVE-2014-9670]

An attacker can force a NULL pointer to be dereferenced in pcf_get_properties, in order to trigger a denial of service. [severity:2/4; CVE-2014-9671]

An attacker can force a read at an invalid address in parse_fond, in order to trigger a denial of service. [severity:2/4; CVE-2014-9672]

An attacker can generate an integer overflow in Mac_Read_POST_Resource, in order to trigger a denial of service, and possibly to execute code. [severity:3/4; CVE-2014-9673]

An attacker can generate a buffer overflow in Mac_Read_POST_Resource, in order to trigger a denial of service, and possibly to execute code. [severity:3/4; CVE-2014-9674]

An attacker can exploit bdf/bdflib.c, in order to obtain sensitive information that weakens ASLR. [severity:2/4; CVE-2014-9675]

vulnerability CVE-2015-1465

Linux kernel: denial of service via IPv4 Forward

Synthesis of the vulnerability

An attacker located on the same subnet can request the transfer of numerous IPv4 packets through the Linux kernel, in order to trigger a denial of service.
Impacted products: Fedora, Android OS, Linux, openSUSE, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity: 2/4.
Consequences: denial of service on server, denial of service on service, denial of service on client.
Provenance: LAN.
Creation date: 03/02/2015.
Identifiers: CERTFR-2015-AVI-121, CERTFR-2015-AVI-144, CERTFR-2015-AVI-357, CVE-2015-1465, FEDORA-2015-1657, FEDORA-2015-1672, openSUSE-SU-2015:1382-1, SUSE-SU-2015:1071-1, USN-2545-1, USN-2546-1, USN-2562-1, USN-2563-1, VIGILANCE-VUL-16100.

Description of the vulnerability

The net/ipv4/ip_forward.c file of the Linux kernel implements IPv4 packet forwarding.

However, when packets have to be forwarded to numerous destinations, the routing cache can grow to as many as one million entries.

An attacker located on the same subnet can therefore request the transfer of numerous IPv4 packets through the Linux kernel, in order to trigger a denial of service.

vulnerability note CVE-2015-0973

libpng: buffer overflow of png_read_IDAT_data

Synthesis of the vulnerability

An attacker can generate a buffer overflow in png_read_IDAT_data() of libpng, in order to trigger a denial of service, and possibly to execute code.
Impacted products: Fedora, Android OS, Notes, libpng, openSUSE, Solaris, SUSE Linux Enterprise Desktop, SLES.
Severity: 3/4.
Consequences: user access/rights, denial of service on client.
Provenance: document.
Creation date: 12/01/2015.
Identifiers: 1698994, bulletinjul2015, CVE-2015-0973, FEDORA-2015-2830, FEDORA-2015-2863, openSUSE-SU-2015:0161-1, SUSE-SU-2015:0092-1, VIGILANCE-VUL-15944.

Description of the vulnerability

The libpng library is used by applications that create or manipulate PNG (Portable Network Graphics) image files.

A PNG image is composed of a series of chunks, each identified by a four-letter type:
 - IHDR : header
 - IDAT : image data
 - tEXt : text
 - etc.

However, if an IDAT chunk is larger than the buffer that stores it, the png_read_IDAT_data() function overflows that buffer.

An attacker can therefore generate a buffer overflow in png_read_IDAT_data() of libpng, in order to trigger a denial of service, and possibly to execute code.

vulnerability announce CVE-2014-9529

Linux kernel: memory corruption via key_gc_unused_keys

Synthesis of the vulnerability

A local attacker can generate a memory corruption via find_keyring_by_name() on the Linux kernel, in order to trigger a denial of service, and possibly to execute code.
Impacted products: Debian, BIG-IP Hardware, TMOS, Fedora, Android OS, Linux, openSUSE, RHEL, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity: 2/4.
Consequences: administrator access/rights, privileged access/rights, user access/rights, denial of service on server, denial of service on service, denial of service on client.
Provenance: user shell.
Creation date: 07/01/2015.
Identifiers: CERTFR-2015-AVI-026, CERTFR-2015-AVI-081, CERTFR-2015-AVI-189, CERTFR-2015-AVI-263, CVE-2014-9529, DSA-3128-1, FEDORA-2015-0515, FEDORA-2015-0517, MDVSA-2015:027, MDVSA-2015:058, openSUSE-SU-2015:0713-1, openSUSE-SU-2015:0714-1, openSUSE-SU-2016:0301-1, openSUSE-SU-2016:0318-1, RHSA-2015:0864-01, RHSA-2015:1137-01, RHSA-2015:1138-01, RHSA-2015:1139-01, SOL17239, SUSE-SU-2015:1376-1, USN-2511-1, USN-2512-1, USN-2513-1, USN-2514-1, USN-2515-1, USN-2515-2, USN-2516-1, USN-2516-2, USN-2516-3, USN-2517-1, USN-2518-1, VIGILANCE-VUL-15912.

Description of the vulnerability

When the Linux kernel no longer needs a cryptographic key, the key_gc_unused_keys() function is called to free its resources.

However, the key->user field is freed before the key is removed from the linked list. The find_keyring_by_name() function can then access a memory address that is no longer valid.

A local attacker can therefore generate a memory corruption via find_keyring_by_name() on the Linux kernel, in order to trigger a denial of service, and possibly to execute code.

computer vulnerability alert CVE-2014-9420

Linux kernel: infinite loop of isofs Rock Ridge CE

Synthesis of the vulnerability

A local attacker can insert a malicious CD-ROM, to generate an infinite loop via isofs Rock Ridge CE on the Linux kernel, in order to trigger a denial of service.
Impacted products: BIG-IP Hardware, TMOS, Fedora, Android OS, Linux, openSUSE, RHEL, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity: 1/4.
Consequences: denial of service on server.
Provenance: user console.
Creation date: 17/12/2014.
Identifiers: CERTFR-2015-AVI-054, CERTFR-2015-AVI-081, CERTFR-2015-AVI-165, CERTFR-2015-AVI-243, CERTFR-2015-AVI-263, CVE-2014-9420, FEDORA-2015-0515, FEDORA-2015-0517, MDVSA-2015:027, MDVSA-2015:058, openSUSE-SU-2015:0713-1, openSUSE-SU-2015:0714-1, RHSA-2015:1081-01, RHSA-2015:1137-01, RHSA-2015:1138-01, RHSA-2015:1139-01, SOL17543, SUSE-SU-2015:0178-1, SUSE-SU-2015:0581-1, SUSE-SU-2015:0652-1, SUSE-SU-2015:0736-1, SUSE-SU-2015:0812-1, USN-2490-1, USN-2491-1, USN-2492-1, USN-2493-1, USN-2515-1, USN-2515-2, USN-2516-1, USN-2516-2, USN-2516-3, USN-2517-1, USN-2518-1, VIGILANCE-VUL-15836.

Description of the vulnerability

The Linux kernel supports the isofs (CD-ROM) filesystem with Rock Ridge extensions.

However, if the Rock Ridge data contains a chain of Continuation Entries (CE) that never terminates, the kernel enters an infinite loop.

A local attacker can therefore insert a malicious CD-ROM, to generate an infinite loop via isofs Rock Ridge CE on the Linux kernel, in order to trigger a denial of service.