The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of OES

vulnerability announce CVE-2011-2501 CVE-2011-2691

libpng: denial of service of png_format_buffer

Synthesis of the vulnerability

An attacker can invite the victim to display a malformed PNG image, in order to stop applications linked to libpng.
Impacted products: Debian, Fedora, libpng, Mandriva Linux, NLD, OES, openSUSE, Solaris, Trusted Solaris, RHEL, SUSE Linux Enterprise Desktop, SLES.
Severity: 1/4.
Consequences: denial of service on client.
Provenance: document.
Number of vulnerabilities in this bulletin: 2.
Creation date: 28/06/2011.
Identifiers: BID-48474, BID-48660, CERTA-2003-AVI-037, CVE-2011-2501, CVE-2011-2691, DSA-2287-1, FEDORA-2011-8844, FEDORA-2011-8867, FEDORA-2011-8868, FEDORA-2011-8874, FEDORA-2011-9336, FEDORA-2011-9343, MDVSA-2011:151, openSUSE-SU-2011:0915-1, RHSA-2011:1105-01, SUSE-SU-2011:0916-1, SUSE-SU-2011:0919-1, VIGILANCE-VUL-10782.

Description of the vulnerability

The libpng library is used to process PNG (Portable Network Graphics) images.

The png_chunk_error() and png_chunk_warning() functions build error messages to indicate that an image is invalid. Both call the png_format_buffer() function, which contains the following code:
  png_memcpy(buffer+iout, error_message, PNG_MAX_ERROR_TEXT(64));
Since PNG_MAX_ERROR_TEXT is 64, this call always concatenates 64 bytes into the buffer, regardless of the actual length of the message.

However, if the message is only 10 bytes long, 64 bytes are still copied, so the processor reads the 54 bytes located after the end of the message string. If those bytes lie in a different, unmapped memory page, a segmentation fault occurs.
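The bounded form of that copy, as an added example written for this page (it is not libpng's code; the prefix layout, the function name and the `iout` offset convention are assumptions, only the 64-byte PNG_MAX_ERROR_TEXT cap comes from the bulletin). The point is that the copy length must be derived from the message itself, bounded by the cap, so a 10-byte message copies 10 bytes and never reads past its terminator:

```c
#define _POSIX_C_SOURCE 200809L
#include <stddef.h>
#include <string.h>

/* Added example, not libpng code. The 64-byte cap is the value the
 * bulletin quotes; the prefix/offset layout is an assumption. */
#define PNG_MAX_ERROR_TEXT 64

/* Append at most PNG_MAX_ERROR_TEXT bytes of `msg` to `out` starting at
 * offset `iout`, never reading past the message's terminating NUL and never
 * writing past `outlen`. Returns the new length of `out` (excluding the NUL),
 * or 0 if there is no room at `iout`. */
size_t append_error_text(char *out, size_t outlen, size_t iout, const char *msg)
{
    if (out == NULL || msg == NULL || iout >= outlen)
        return 0;

    /* strnlen stops at the NUL, so a 10-byte message yields 10, not 64.
     * A fixed memcpy of PNG_MAX_ERROR_TEXT bytes is what reads 54 bytes
     * beyond the end of such a message. */
    size_t n = strnlen(msg, PNG_MAX_ERROR_TEXT);

    /* Also clamp to the destination, leaving room for the terminator. */
    size_t room = outlen - iout - 1;
    if (n > room)
        n = room;

    memcpy(out + iout, msg, n);
    out[iout + n] = '\0';
    return iout + n;
}
```

A message longer than 64 bytes is silently truncated to the cap, which is the behaviour a caller of png_format_buffer() expects; the difference is only that short messages no longer cause an over-read.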

An attacker can therefore invite the victim to display a malformed PNG image, in order to stop applications linked to libpng.

This vulnerability is a regression of VIGILANCE-VUL-4148.

vulnerability announce CVE-2011-0786 CVE-2011-0788 CVE-2011-0802

Java JRE/JDK: several vulnerabilities

Synthesis of the vulnerability

Several vulnerabilities of Java JRE/JDK can be used by a malicious applet/application in order to execute code or to obtain information. A legitimate applet/application, handling malicious data, can also be forced to execute code.
Impacted products: Debian, Fedora, HPE NNMi, HP-UX, NSMXpress, Mandriva Linux, NLD, OES, Java OpenJDK, openSUSE, Java Oracle, RHEL, SUSE Linux Enterprise Desktop, SLES, ESX, vCenter Server.
Severity: 4/4.
Consequences: administrator access/rights, privileged access/rights, user access/rights, client access/rights, data creation/edition, data deletion, data flow, denial of service on service, denial of service on client.
Provenance: document.
Number of vulnerabilities in this bulletin: 17.
Creation date: 08/06/2011.
Identifiers: BID-48133, BID-48134, BID-48135, BID-48136, BID-48137, BID-48138, BID-48139, BID-48140, BID-48141, BID-48142, BID-48143, BID-48144, BID-48145, BID-48146, BID-48147, BID-48148, BID-48149, c02945548, c03316985, c03358587, c03405642, CERTA-2003-AVI-005, CERTA-2011-AVI-336, CERTA-2012-AVI-286, CERTA-2012-AVI-395, CVE-2011-0786, CVE-2011-0788, CVE-2011-0802, CVE-2011-0814, CVE-2011-0815, CVE-2011-0817, CVE-2011-0862, CVE-2011-0863, CVE-2011-0864, CVE-2011-0865, CVE-2011-0866, CVE-2011-0867, CVE-2011-0868, CVE-2011-0869, CVE-2011-0871, CVE-2011-0872, CVE-2011-0873, DSA-2311-1, DSA-2358-1, FEDORA-2011-8003, FEDORA-2011-8020, FEDORA-2011-8028, HPSBMU02797, HPSBMU02799, HPSBUX02697, HPSBUX02777, javacpujune2011, MDVSA-2011:126, openSUSE-SU-2011:0633-1, openSUSE-SU-2011:0706-1, PSN-2012-08-686, PSN-2012-08-687, PSN-2012-08-688, PSN-2012-08-689, PSN-2012-08-690, RHSA-2011:0856-01, RHSA-2011:0857-01, RHSA-2011:0860-01, RHSA-2011:0938-01, RHSA-2011:1087-01, RHSA-2011:1159-01, RHSA-2011:1265-01, RHSA-2013:1455-01, RHSA-2013:1456-01, SSRT100591, SSRT100854, SSRT100867, SUSE-SA:2011:030, SUSE-SA:2011:032, SUSE-SA:2011:036, SUSE-SU-2011:0632-1, SUSE-SU-2011:0807-1, SUSE-SU-2011:0863-1, SUSE-SU-2011:0863-2, SUSE-SU-2011:0966-1, SUSE-SU-2011:1082-1, TPTI-11-06, VIGILANCE-VUL-10722, VMSA-2011-0013.1, ZDI-11-182, ZDI-11-183, ZDI-11-184, ZDI-11-185, ZDI-11-186, ZDI-11-187, ZDI-11-188, ZDI-11-189, ZDI-11-190, ZDI-11-191, ZDI-11-192, ZDI-11-199.

Description of the vulnerability

Several vulnerabilities were announced in Java JRE/JDK. The most severe vulnerabilities lead to code execution.

An attacker can use a vulnerability of 2D (ICC profile), in order to obtain information, to alter information, or to create a denial of service. [severity:4/4; BID-48137, CVE-2011-0862, TPTI-11-06, ZDI-11-183, ZDI-11-184, ZDI-11-185, ZDI-11-186, ZDI-11-187, ZDI-11-188, ZDI-11-189, ZDI-11-190, ZDI-11-191]

An attacker can use a vulnerability of 2D, in order to obtain information, to alter information, or to create a denial of service. [severity:4/4; BID-48148, CVE-2011-0873]

An attacker can use a vulnerability of AWT, in order to obtain information, to alter information, or to create a denial of service. [severity:4/4; BID-48143, CVE-2011-0815]

An attacker can use a vulnerability of Deployment (IE Browser Plugin), in order to obtain information, to alter information, or to create a denial of service. [severity:4/4; BID-48134, CVE-2011-0817, ZDI-11-182]

An attacker can use a vulnerability of Deployment (Java Web Start), in order to obtain information, to alter information, or to create a denial of service. [severity:4/4; BID-48138, CVE-2011-0863, ZDI-11-192]

An attacker can use a vulnerability of HotSpot, in order to obtain information, to alter information, or to create a denial of service. [severity:4/4; BID-48139, CVE-2011-0864]

An attacker can use a vulnerability of Soundbank Decompression, in order to obtain information, to alter information, or to create a denial of service. [severity:4/4; BID-48149, CVE-2011-0802, ZDI-11-199]

An attacker can use a vulnerability of Sound, in order to obtain information, to alter information, or to create a denial of service. [severity:4/4; BID-48145, CVE-2011-0814]

An attacker can use a vulnerability of Swing, in order to obtain information, to alter information, or to create a denial of service. [severity:4/4; BID-48142, CVE-2011-0871]

An attacker can use a vulnerability of Deployment, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-48133, CERTA-2011-AVI-336, CVE-2011-0786]

An attacker can use a vulnerability of Deployment, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-48135, CVE-2011-0788]

An attacker can use a vulnerability of Java Runtime Environment, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-48136, CVE-2011-0866]

An attacker can use a vulnerability of 2D, in order to obtain information. [severity:2/4; BID-48140, CVE-2011-0868]

An attacker can use a vulnerability of NIO, in order to create a denial of service. [severity:2/4; BID-48141, CVE-2011-0872]

An attacker can use a vulnerability of Networking, in order to obtain information. [severity:2/4; BID-48144, CVE-2011-0867]

An attacker can use a vulnerability of SAAJ, in order to obtain information. [severity:2/4; BID-48146, CVE-2011-0869]

An attacker can use a vulnerability of Deserialization, in order to alter information. [severity:1/4; BID-48147, CVE-2011-0865]

computer vulnerability announce CVE-2011-1926

Cyrus IMAP: command injection with STARTTLS

Synthesis of the vulnerability

Even when the IMAP client checks the TLS certificate of the messaging server, an attacker can inject commands in the session.
Impacted products: Debian, Fedora, Mandriva Linux, NLD, OES, openSUSE, RHEL, SLES, Unix (platform) ~ not comprehensive.
Severity: 2/4.
Consequences: data reading, data creation/edition, data flow.
Provenance: intranet client.
Creation date: 03/05/2011.
Identifiers: 3424, CVE-2011-1926, DSA-2242-1, DSA-2258-1, FEDORA-2011-7193, FEDORA-2011-7217, MDVSA-2011:100, openSUSE-SU-2011:0800-1, RHSA-2011:0859-01, SUSE-SU-2011:0767-1, SUSE-SU-2011:0776-1, SUSE-SU-2011:0776-2, SUSE-SU-2011:0791-1, VIGILANCE-VUL-10617.

Description of the vulnerability

An attacker positioned as a Man-in-the-Middle between an IMAP client and its server could inject IMAP commands. Clients that use TLS normally detect such an attack when they verify the TLS certificate presented by the server.

When IMAP is run over TLS with STARTTLS (RFC 2595), the client starts the IMAP session in plain text, then sends the STARTTLS command, which opens a TLS tunnel inside which the IMAP session restarts.

However, if an attacker sends an IMAP command in plain text right after the STARTTLS command, that command remains in the reception buffer of the IMAP session. When the session restarts inside TLS, the attacker's command is thus the first one to be interpreted. The error is that the reception buffer is not emptied before the IMAP session is restarted.

Even when the IMAP client checks the TLS certificate of the messaging server, an attacker can therefore inject commands in the session.
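A model of the server-side fix, as an added example that is not Cyrus IMAP code (the `struct conn`, the function names and the 512-byte buffer are assumptions). The server must discard whatever plaintext was queued behind the STARTTLS line before the TLS session starts, so that the first command it parses after the handshake is guaranteed to have arrived under TLS:

```c
#define _POSIX_C_SOURCE 200809L
#include <stddef.h>
#include <string.h>
#include <strings.h>

/* Added example, not Cyrus IMAP code: a model of the plaintext receive
 * buffer around STARTTLS. Names and sizes are assumptions. */
struct conn {
    char   in[512];   /* bytes received in plaintext, not yet parsed */
    size_t len;       /* how many of them are valid */
};

/* Push bytes from the network into the plaintext receive buffer. */
size_t conn_feed(struct conn *c, const char *data, size_t n)
{
    if (n > sizeof c->in - c->len)
        n = sizeof c->in - c->len;
    memcpy(c->in + c->len, data, n);
    c->len += n;
    return c->len;
}

/* Length of the first CRLF-terminated line, or 0 if no complete line yet. */
static size_t first_line_len(const struct conn *c)
{
    for (size_t i = 0; i + 1 < c->len; i++)
        if (c->in[i] == '\r' && c->in[i + 1] == '\n')
            return i + 2;
    return 0;
}

/* Handle a "tag STARTTLS" line at the head of the buffer. Returns the number
 * of plaintext bytes that were queued after STARTTLS and were discarded, or
 * -1 if the head of the buffer is not a STARTTLS command. On success c->len
 * is 0: nothing received in the clear survives into the TLS session. */
long conn_starttls(struct conn *c)
{
    size_t line = first_line_len(c);
    if (line == 0)
        return -1;
    /* Skip the IMAP tag: the command word follows the first space. */
    const char *sp = memchr(c->in, ' ', line);
    if (sp == NULL)
        return -1;
    size_t cmdlen = line - 2 - (size_t)(sp + 1 - c->in);
    if (cmdlen != 8 || strncasecmp(sp + 1, "STARTTLS", 8) != 0)
        return -1;

    long trailing = (long)(c->len - line);
    /* The fix described in the bulletin: empty the reception buffer instead
     * of letting its leftover be read as the first TLS-protected command. */
    memset(c->in, 0, sizeof c->in);
    c->len = 0;
    return trailing;
}
```

A non-zero return value is itself a useful signal: a well-behaved client has nothing to say between STARTTLS and the TLS handshake, so leftover plaintext at that point is worth logging as a possible injection attempt.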

This vulnerability is a variant of VIGILANCE-VUL-10428.

vulnerability alert CVE-2011-1590 CVE-2011-1591 CVE-2011-1592

Wireshark: three vulnerabilities

Synthesis of the vulnerability

Several vulnerabilities of Wireshark can be used by a remote attacker to create a denial of service or to execute code.
Impacted products: Debian, Fedora, Mandriva Linux, NLD, OES, OpenSolaris, openSUSE, Solaris, RHEL, SUSE Linux Enterprise Desktop, SLES, Wireshark.
Severity: 2/4.
Consequences: user access/rights, denial of service on service.
Provenance: intranet client.
Number of vulnerabilities in this bulletin: 3.
Creation date: 18/04/2011.
Identifiers: 5209, 5754, 5793, BID-47392, CERTA-2003-AVI-004, CVE-2011-1590, CVE-2011-1591, CVE-2011-1592, DSA-2274-1, FEDORA-2011-5529, FEDORA-2011-5569, MDVSA-2011:083, openSUSE-SU-2011:0599-1, openSUSE-SU-2011:0602-1, RHSA-2012:0509-01, SUSE-SU-2011:0604-1, SUSE-SU-2011:0611-1, VIGILANCE-VUL-10571, VU#243670, wnpa-sec-2011-05, wnpa-sec-2011-06.

Description of the vulnerability

The Wireshark program captures and displays network packets. Protocols are decoded by dissectors, and several of these dissectors are impacted by vulnerabilities.

On Windows, an attacker can stop the NFS dissector. [severity:1/4; 5209, CVE-2011-1592]

An attacker can stop the X.509if dissector. [severity:1/4; 5754, 5793, CVE-2011-1590]

An attacker can generate a buffer overflow in the DECT dissector, in order to execute code. [severity:2/4; CVE-2011-1591, VU#243670]

computer vulnerability note CVE-2011-0285

MIT krb5: denial of service of kadmind in schpw

Synthesis of the vulnerability

An attacker can send a malicious password change query to MIT krb5 kadmind, in order to stop it.
Impacted products: Fedora, Mandriva Linux, MIT krb5, NLD, OES, openSUSE, RHEL, SLES.
Severity: 2/4.
Consequences: denial of service on service.
Provenance: intranet client.
Creation date: 12/04/2011.
Revision date: 14/04/2011.
Identifiers: 621726, BID-47310, CERTA-2011-AVI-222, CVE-2011-0285, FEDORA-2011-5343, FEDORA-2011-5345, MDVSA-2011:077, MITKRB5-SA-2011-004, openSUSE-SU-2011:0348-1, RHSA-2011:0447-01, SUSE-SR:2011:007, VIGILANCE-VUL-10539.

Description of the vulnerability

The MIT krb5 kadmind service listens on port 749.

The process_chpw_request() function of the src/kadmin/server/schpw.c file processes password change queries. However, when kadmind receives a malformed query, a pointer is not initialized, and an invalid memory free occurs.

An attacker can therefore send a malicious password change query to MIT krb5 kadmind, in order to stop it.

vulnerability CVE-2011-0996

dhcpcd: shell command injection

Synthesis of the vulnerability

An attacker owning a malicious DHCP server can return a special hostname, in order to inject a shell command in dhcpcd.
Impacted products: NetBSD, NLD, OES, openSUSE, Slackware, SLES, Unix (platform) ~ not comprehensive.
Severity: 2/4.
Consequences: user access/rights.
Provenance: intranet server.
Creation date: 08/04/2011.
Identifiers: BID-47272, CVE-2011-0996, openSUSE-SU-2011:0342-1, openSUSE-SU-2011:0352-1, openSUSE-SU-2011:0385-1, SSA:2011-210-02, SUSE-SR:2011:007, SUSE-SR:2011:008, VIGILANCE-VUL-10530.

Description of the vulnerability

The dhcpcd program is a DHCP client daemon which queries a DHCP server, in order to obtain an IP address and a computer name.

However, a malicious or corrupted DHCP server can return a computer name like:
  beginName`command`endName
  beginName;command;endName
Since dhcpcd does not filter special shell characters, the shell command embedded in the name received from the server is run on the client.

An attacker owning a malicious DHCP server can therefore return a special hostname, in order to inject a shell command in dhcpcd.

This vulnerability is the same as VIGILANCE-VUL-10522 which impacts ISC dhclient.

computer vulnerability note CVE-2011-1574

libmodplug: buffer overflow via ReadS3M

Synthesis of the vulnerability

An attacker can invite the victim to open a malicious S3M file with an application linked to libmodplug, in order to execute code on his computer.
Impacted products: Debian, Fedora, Mandriva Linux, NLD, OES, openSUSE, RHEL, SLES, Unix (platform) ~ not comprehensive, VLC.
Severity: 3/4.
Consequences: user access/rights, denial of service on client.
Provenance: document.
Creation date: 08/04/2011.
Identifiers: 20110407-0, CERTA-2003-AVI-001, CERTA-2011-AVI-196, CVE-2011-1574, DSA-2226-1, FEDORA-2011-5204, MDVSA-2011:085, openSUSE-SU-2011:0350-1, RHSA-2011:0477-01, SUSE-SR:2011:007, VideoLAN-SA-1104, VIGILANCE-VUL-10529.

Description of the vulnerability

The STM (Scream Tracker Music) and S3M (Scream Tracker Music version 3) formats are composed of:
 - a header
 - instruments
 - voices/patterns
 - samples (often used in loops)

The libmodplug library supports the S3M format. It is for example used by sound applications such as PyModPlug, UModPlayer and VideoLAN.

However, libmodplug does not check whether the number of instruments (nins) and patterns (npat) read from the file exceeds the size of the arrays that store them. A buffer overflow thus occurs in the CSoundFile::ReadS3M() function of src/load_s3m.cpp.

An attacker can therefore invite the victim to open a malicious S3M file with an application linked to libmodplug, in order to execute code on his computer.
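The missing check, as an added example that is not libmodplug code. The header offsets, the minimum header length and the MAX_INS/MAX_PAT table capacities below are assumptions chosen for the illustration, not the real S3M layout or libmodplug's limits; what the example shows is the pattern of validating file-supplied counts against the fixed storage before anything is indexed by them:

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added example, not libmodplug code. Offsets, header length and table
 * capacities are assumptions for illustration only. */
#define HDR_OFF_NINS 0x22   /* assumed offset of the instrument count */
#define HDR_OFF_NPAT 0x24   /* assumed offset of the pattern count */
#define HDR_LEN      0x60   /* assumed minimum header length */
#define MAX_INS      239    /* assumed capacity of the instrument table */
#define MAX_PAT      240    /* assumed capacity of the pattern table */

struct s3m_counts { uint16_t nins, npat; };

static uint16_t rd16le(const uint8_t *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

/* Parse the two counts and refuse anything the fixed tables cannot hold.
 * Returns false on a short buffer or an out-of-range count, so a loader
 * never runs a loop such as `for (i = 0; i < nins; i++) ins[i] = ...`
 * with nins larger than the ins[] array. */
bool s3m_read_counts(const uint8_t *buf, size_t len, struct s3m_counts *out)
{
    if (buf == NULL || out == NULL || len < HDR_LEN)
        return false;
    uint16_t nins = rd16le(buf + HDR_OFF_NINS);
    uint16_t npat = rd16le(buf + HDR_OFF_NPAT);
    /* The check the bulletin says is missing: counts must fit the storage. */
    if (nins > MAX_INS || npat > MAX_PAT)
        return false;
    out->nins = nins;
    out->npat = npat;
    return true;
}

/* Build a constructed header carrying the given counts (helper for the
 * reader to exercise the parser; zeroes everything else). */
size_t make_header(uint8_t *buf, size_t len, uint16_t nins, uint16_t npat)
{
    if (buf == NULL || len < HDR_LEN)
        return 0;
    memset(buf, 0, HDR_LEN);
    buf[HDR_OFF_NINS]     = (uint8_t)(nins & 0xff);
    buf[HDR_OFF_NINS + 1] = (uint8_t)(nins >> 8);
    buf[HDR_OFF_NPAT]     = (uint8_t)(npat & 0xff);
    buf[HDR_OFF_NPAT + 1] = (uint8_t)(npat >> 8);
    return HDR_LEN;
}
```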

vulnerability note CVE-2011-0465

xrdb: shell command injection

Synthesis of the vulnerability

An attacker owning a malicious DHCP server or using XDMCP can use a special hostname, in order to inject a shell command in xrdb.
Impacted products: Debian, Fedora, Mandriva Linux, NetBSD, NLD, OES, openSUSE, Solaris, Trusted Solaris, RHEL, Slackware, SLES, Unix (platform) ~ not comprehensive, XOrg Bundle ~ not comprehensive.
Severity: 2/4.
Consequences: administrator access/rights.
Provenance: intranet client.
Creation date: 06/04/2011.
Identifiers: CERTA-2011-AVI-191, CVE-2011-0465, DSA-2213-1, FEDORA-2011-4871, FEDORA-2011-4879, MDVSA-2011:076, openSUSE-SU-2011:0298-1, RHSA-2011:0432-01, RHSA-2011:0433-01, SSA:2011-096-01, SUSE-SA:2011:016, VIGILANCE-VUL-10524.

Description of the vulnerability

The xrdb program manages the access to X graphical resources.

However, this program does not filter special shell characters contained in the computer name before using this name in a shell command run by root. For example, an attacker can use a computer name like:
  beginName`command`endName
  beginName;command;endName

In order to exploit this vulnerability, the attacker can define a malicious name for the computer:
 - via DHCP: attack similar to VIGILANCE-VUL-10522 or VIGILANCE-VUL-10530
 - via XDMCP (X Display Manager Control Protocol): attack by changing the client name

An attacker owning a malicious DHCP server or using XDMCP can therefore use a special hostname, in order to inject a shell command in xrdb.

vulnerability announce CVE-2011-0997

ISC dhclient: shell command injection

Synthesis of the vulnerability

An attacker owning a malicious DHCP server can return a special hostname, in order to inject a shell command in ISC dhclient.
Impacted products: XenServer, Debian, BIG-IP Hardware, TMOS, Fedora, ISC DHCP, Mandriva Linux, NetBSD, NLD, OES, openSUSE, RHEL, Slackware, SLES, Unix (platform) ~ not comprehensive, ESX.
Severity: 2/4.
Consequences: user access/rights.
Provenance: intranet server.
Creation date: 06/04/2011.
Identifiers: BID-47176, CERTA-2011-AVI-190, CERTA-2011-AVI-637, CERTA-2011-AVI-638, CTX130325, CVE-2011-0997, DSA-2216-1, DSA-2217-1, ESX400-201110001, ESX400-201110401-SG, ESX400-201110403-SG, ESX400-201110406-SG, ESX400-201110408-SG, ESX400-201110409-SG, ESX400-201110410-SG, FEDORA-2011-0848, FEDORA-2011-4897, MDVSA-2011:073, NetBSD-SA2011-005, openSUSE-SU-2011:0320-1, openSUSE-SU-2011:0321-1, RHSA-2011:0428-01, RHSA-2011:0840-01, SOL13219, SSA:2011-097-01, SUSE-SR:2011:007, SUSE-SR:2011:008, VIGILANCE-VUL-10522, VMSA-2011-0009.1, VMSA-2011-0010, VMSA-2011-0010.1, VMSA-2011-0010.2, VMSA-2011-0010.3, VMSA-2011-0012, VMSA-2012-0005, VU#107886.

Description of the vulnerability

The ISC dhclient program queries a DHCP server, in order to obtain an IP address and a computer name.

However, a malicious or corrupted DHCP server can return a computer name like:
  beginName`command`endName
  beginName;command;endName
Since dhclient does not filter special shell characters, the shell command embedded in the name received from the server is run on the client.

An attacker owning a malicious DHCP server can therefore return a special hostname, in order to inject a shell command in ISC dhclient.

This vulnerability is the same as VIGILANCE-VUL-10530 which impacts dhcpcd.
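The three hostname bulletins on this page (dhcpcd, xrdb and ISC dhclient) share one root cause: a name received from the network reaches a shell unfiltered. The validator below is an added example, not code from any of those projects; the function name is an assumption. It takes the whitelist approach, accepting only the letter-digit-hyphen hostname syntax of RFC 952/1123, so the two example names from the bulletins, and anything else carrying backquotes, semicolons, `$`, `|` or newlines, are rejected before the name is used:

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Added example, not dhclient/dhcpcd/xrdb code: a whitelist check for a
 * hostname obtained from DHCP (or XDMCP) before it is used anywhere. */
#define MAX_HOSTNAME 253
#define MAX_LABEL     63

/* Letters, digits and hyphen only: explicit ASCII ranges, so the result
 * does not depend on the process locale the way isalnum() would. */
static bool is_ldh(unsigned char ch)
{
    return (ch >= 'a' && ch <= 'z') || (ch >= 'A' && ch <= 'Z') ||
           (ch >= '0' && ch <= '9') || ch == '-';
}

/* Returns true only for a syntactically valid hostname: non-empty labels of
 * at most 63 LDH characters separated by dots, no label starting or ending
 * with '-', at most 253 characters in total. Every shell metacharacter falls
 * outside that alphabet and is refused. */
bool hostname_is_safe(const char *name)
{
    if (name == NULL)
        return false;
    size_t total = strlen(name);
    if (total == 0 || total > MAX_HOSTNAME)
        return false;

    size_t label = 0;
    for (size_t i = 0; i < total; i++) {
        unsigned char ch = (unsigned char)name[i];
        if (ch == '.') {
            if (label == 0 || name[i - 1] == '-')
                return false;   /* empty label, or label ending in '-' */
            label = 0;
            continue;
        }
        if (!is_ldh(ch))
            return false;       /* '`', ';', '$', '|', '(', '\n', ... */
        if (label == 0 && ch == '-')
            return false;       /* label must not start with '-' */
        if (++label > MAX_LABEL)
            return false;
    }
    /* The last label must be non-empty and must not end in '-'. */
    return label > 0 && name[total - 1] != '-';
}
```

Validation is the second line of defence; the first is to never hand the name to a shell at all (execve() with an argument vector, or a direct sethostname() call, instead of building a command string). Both belong in a client that trusts nothing it receives from the DHCP server.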

vulnerability CVE-2006-7244 CVE-2009-5063

libpng: denial of service via png_write_iCCP

Synthesis of the vulnerability

An attacker can invite the victim to convert a JPEG image to PNG with an application linked to libpng, in order to create a denial of service.
Impacted products: libpng, NLD, OES, openSUSE, SUSE Linux Enterprise Desktop, SLES.
Severity: 1/4.
Consequences: denial of service on client.
Provenance: document.
Number of vulnerabilities in this bulletin: 2.
Creation date: 22/03/2011.
Identifiers: CVE-2006-7244, CVE-2009-5063, openSUSE-SU-2011:0915-1, SUSE-SU-2011:0916-1, SUSE-SU-2011:0919-1, VIGILANCE-VUL-10480.

Description of the vulnerability

The libpng library is used by applications creating or manipulating PNG (Portable Network Graphics) image files.

The ICC (International Color Consortium) profile defines the color corrections each device needs in order to display identical colors. Some image types, such as JPEG or PNG, can contain ICC profiles.

When a JPEG image containing an ICC profile is converted to PNG, the png_write_iCCP() function is called to write the ICC data. However, this function does not check whether the profile size is negative, and such a size stops the application.

An attacker can therefore invite the victim to convert a JPEG image to PNG with an application linked to libpng, in order to create a denial of service.